From openssl at openssl.org Mon Feb 1 01:08:34 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 01 Feb 2021 01:08:34 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1612141714.713911.2203242.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): 20-test_cli_fips.t ................. ok 20-test_dgst.t ..................... ok 20-test_dhparam.t .................. ok 20-test_enc.t ...................... ok 20-test_enc_more.t ................. ok 20-test_kdf.t ...................... ok 20-test_mac.t ...................... ok 20-test_passwd.t ................... ok 20-test_pkeyutl.t .................. ok 20-test_rand_config.t .............. ok 25-test_crl.t ...................... ok 25-test_d2i.t ...................... ok 25-test_eai_data.t ................. ok 25-test_pkcs7.t .................... ok 25-test_req.t ...................... ok 25-test_rusext.t ................... ok 25-test_sid.t ...................... ok 25-test_verify.t ................... ok 25-test_verify_store.t ............. ok 25-test_x509.t ..................... ok 30-test_acvp.t ..................... ok 30-test_aesgcm.t ................... ok 30-test_afalg.t .................... ok 30-test_defltfips.t ................ ok 30-test_engine.t ................... ok 30-test_evp.t ...................... ok 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok make[1]: *** [Makefile:3272: _tests] Terminated From openssl at openssl.org Mon Feb 1 02:00:41 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 01 Feb 2021 02:00:41 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1612144841.569367.2315504.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3072, 930 wallclock secs (14.15 usr 1.27 sys + 841.89 cusr 80.77 csys = 938.08 CPU) Result: FAIL make[1]: *** [Makefile:3267: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3264: tests] Error 2 From openssl at openssl.org Mon Feb 1 07:41:12 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 01 Feb 2021 07:41:12 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1612165272.930349.3043913.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3074, 935 wallclock secs (14.51 usr 1.48 sys + 838.56 cusr 92.53 csys = 947.08 CPU) Result: FAIL make[1]: *** [Makefile:3218: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3215: tests] Error 2 From matt at openssl.org Mon Feb 1 09:11:30 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 01 Feb 2021 09:11:30 +0000 Subject: [openssl] master update Message-ID: <1612170690.407901.27263.nullmailer@dev.openssl.org> The branch master has been updated via b8a1272d57e144dfac97006477a68f9948ebb595 (commit) via ec7aef3356336012f77101f5c97e2e736e0c61ee (commit) from a2a5506b9329b978a2a5b11a518b9789446ad310 (commit) - Log ----------------------------------------------------------------- commit b8a1272d57e144dfac97006477a68f9948ebb595 Author: Matt Caswell Date: Thu Jan 21 15:14:15 2021 +0000 Test that EC keys without a public key in them work as expected We create EC keys via both the "fromdata" and legacy key routes to make sure that they can be used without a public key. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13922) commit ec7aef3356336012f77101f5c97e2e736e0c61ee Author: Matt Caswell Date: Thu Jan 21 15:12:30 2021 +0000 Ensure EC keys with a private key but without a public key can be created In 1.1.1 and earlier it was possible to create EC_KEYs that did not have the public key in it. We need to ensure that this continues to work in 3.0. Fixes #12612 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13922) ----------------------------------------------------------------------- Summary of changes: providers/implementations/keymgmt/ec_kmgmt.c | 8 +- test/evp_extra_test.c | 233 ++++++++++++++++++++++----- 2 files changed, 199 insertions(+), 42 deletions(-) diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 8b020711fb..fc49aad1b9 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -353,7 +353,7 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[], * following combinations: * - domain parameters (+optional other params) * - public key with associated domain parameters (+optional other params) - * - private key with associated public key and domain parameters + * - private key with associated domain parameters and optional public key * (+optional other params) * * This means: @@ -363,12 +363,8 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[], */ if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0) return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 - && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0) - return 0; - if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) - ok = ok && ec_group_fromdata(ec, params); + ok = ok && ec_group_fromdata(ec, params); /* * sm2_curve: import the keys or domparams only on SM2 Curve diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 6cca821cf1..223a8db6f1 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -487,26 +487,48 @@ err: return res; } -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) +static int test_fromdata(char *keytype, OSSL_PARAM *params) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey = NULL; + int testresult = 0; + + if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, NULL))) + goto err; + if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + goto err; + + if (!TEST_ptr(pkey)) + goto err; + + testresult = 1; + err: + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(pctx); + + return testresult; +} +#endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA || !OPENSSL_NO_EC */ + /* * Test combinations of private, public, missing and private + public key * params to ensure they are all accepted */ +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) static int test_EVP_PKEY_ffc_priv_pub(char *keytype) { OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL; BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *pkey = NULL; int ret = 0; /* * Setup the parameters for our pkey object. For our purposes they don't * have to actually be *valid* parameters. We just need to set something. */ - if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, NULL)) - || !TEST_ptr(p = BN_new()) + if (!TEST_ptr(p = BN_new()) || !TEST_ptr(q = BN_new()) || !TEST_ptr(g = BN_new()) || !TEST_ptr(pub = BN_new()) @@ -522,15 +544,8 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) - goto err; - - if (!TEST_ptr(pkey)) + if (!test_fromdata(keytype, params)) goto err; - - EVP_PKEY_free(pkey); - pkey = NULL; OSSL_PARAM_BLD_free_params(params); OSSL_PARAM_BLD_free(bld); @@ -545,15 +560,8 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) - goto err; - - if (!TEST_ptr(pkey)) + if (!test_fromdata(keytype, params)) goto err; - - EVP_PKEY_free(pkey); - pkey = NULL; OSSL_PARAM_BLD_free_params(params); OSSL_PARAM_BLD_free(bld); @@ -568,15 +576,8 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) - goto err; - - if (!TEST_ptr(pkey)) + if (!test_fromdata(keytype, params)) goto err; - - EVP_PKEY_free(pkey); - pkey = NULL; OSSL_PARAM_BLD_free_params(params); OSSL_PARAM_BLD_free(bld); @@ -593,17 +594,11 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) - goto err; - - if (!TEST_ptr(pkey)) + if (!test_fromdata(keytype, params)) goto err; ret = 1; err: - EVP_PKEY_free(pkey); - EVP_PKEY_CTX_free(pctx); OSSL_PARAM_BLD_free_params(params); OSSL_PARAM_BLD_free(bld); BN_free(p); @@ -616,6 +611,166 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) } #endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA */ +/* + * Test combinations of private, public, missing and private + public key + * params to ensure they are all accepted for EC keys + */ +#ifndef OPENSSL_NO_EC +static unsigned char ec_priv[] = { + 0xe9, 0x25, 0xf7, 0x66, 0x58, 0xa4, 0xdd, 0x99, 0x61, 0xe7, 0xe8, 0x23, + 0x85, 0xc2, 0xe8, 0x33, 0x27, 0xc5, 0x5c, 0xeb, 0xdb, 0x43, 0x9f, 0xd5, + 0xf2, 0x5a, 0x75, 0x55, 0xd0, 0x2e, 0x6d, 0x16 +}; +static unsigned char ec_pub[] = { + 0x04, 0xad, 0x11, 0x90, 0x77, 0x4b, 0x46, 0xee, 0x72, 0x51, 0x15, 0x97, + 0x4a, 0x6a, 0xa7, 0xaf, 0x59, 0xfa, 0x4b, 0xf2, 0x41, 0xc8, 0x3a, 0x81, + 0x23, 0xb6, 0x90, 0x04, 0x6c, 0x67, 0x66, 0xd0, 0xdc, 0xf2, 0x15, 0x1d, + 0x41, 0x61, 0xb7, 0x95, 0x85, 0x38, 0x5a, 0x84, 0x56, 0xe8, 0xb3, 0x0e, + 0xf5, 0xc6, 0x5d, 0xa4, 0x54, 0x26, 0xb0, 0xf7, 0xa5, 0x4a, 0x33, 0xf1, + 0x08, 0x09, 0xb8, 0xdb, 0x03 +}; + +static int test_EC_priv_pub(void) +{ + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + BIGNUM *priv = NULL; + int ret = 0; + + /* + * Setup the parameters for our pkey object. For our purposes they don't + * have to actually be *valid* parameters. We just need to set something. + */ + if (!TEST_ptr(priv = BN_bin2bn(ec_priv, sizeof(ec_priv), NULL))) + goto err; + + /* Test !priv and !pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, + OSSL_PKEY_PARAM_GROUP_NAME, + "P-256", 0))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!test_fromdata("EC", params)) + goto err; + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + + /* Test priv and !pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, + OSSL_PKEY_PARAM_GROUP_NAME, + "P-256", 0)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!test_fromdata("EC", params)) + goto err; + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + + /* Test !priv and pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, + OSSL_PKEY_PARAM_GROUP_NAME, + "P-256", 0)) + || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_PKEY_PARAM_PUB_KEY, + ec_pub, sizeof(ec_pub)))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!test_fromdata("EC", params)) + goto err; + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + + /* Test priv and pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, + OSSL_PKEY_PARAM_GROUP_NAME, + "P-256", 0)) + || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_PKEY_PARAM_PUB_KEY, + ec_pub, sizeof(ec_pub))) + || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_PKEY_PARAM_PUB_KEY, + ec_pub, sizeof(ec_pub)))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!test_fromdata("EC", params)) + goto err; + + ret = 1; + err: + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + BN_free(priv); + + return ret; +} + +/* Test that using a legacy EC key with only a private key in it works */ +# ifndef OPENSSL_NO_DEPRECATED_3_0 +static int test_EC_priv_only_legacy(void) +{ + BIGNUM *priv = NULL; + int ret = 0; + EC_KEY *eckey = NULL; + EVP_PKEY *pkey = NULL; + EVP_MD_CTX *ctx = NULL; + + /* Create the low level EC_KEY */ + if (!TEST_ptr(priv = BN_bin2bn(ec_priv, sizeof(ec_priv), NULL))) + goto err; + + eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (!TEST_ptr(eckey)) + goto err; + + if (!TEST_true(EC_KEY_set_private_key(eckey, priv))) + goto err; + + pkey = EVP_PKEY_new(); + if (!TEST_ptr(pkey)) + goto err; + + if (!TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey))) + goto err; + eckey = NULL; + + ctx = EVP_MD_CTX_new(); + if (!TEST_ptr(ctx)) + goto err; + + /* + * The EVP_DigestSignInit function should create the key on the provider + * side which is sufficient for this test. + */ + if (!TEST_true(EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_free(ctx); + EVP_PKEY_free(pkey); + EC_KEY_free(eckey); + BN_free(priv); + + return ret; +} +# endif /* OPENSSL_NO_DEPRECATED_3_0 */ +#endif /* OPENSSL_NO_EC */ + static int test_EVP_Enveloped(void) { int ret = 0; @@ -2341,6 +2496,12 @@ int setup_tests(void) # ifndef OPENSSL_NO_DEPRECATED_3_0 ADD_TEST(test_EVP_PKEY_set1_DH); # endif +#endif +#ifndef OPENSSL_NO_EC + ADD_TEST(test_EC_priv_pub); +# ifndef OPENSSL_NO_DEPRECATED_3_0 + ADD_TEST(test_EC_priv_only_legacy); +# endif #endif ADD_ALL_TESTS(test_keygen_with_empty_template, 2); ADD_ALL_TESTS(test_pkey_ctx_fail_without_provider, 2); From openssl at openssl.org Mon Feb 1 10:00:24 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 01 Feb 2021 10:00:24 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec Message-ID: <1612173624.601410.3326851.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # # CMD: openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -encrypt -in ../../../openssl/test/smcont.txt -stream -out cms2cms-mod-13.cms -recip ../../../openssl/test/smime-certs/smdh.pem -aes128 Using configuration from ../../../openssl/test/fips-and-base.cnf ../../util/wrap.pl ../../apps/openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -encrypt -in ../../../openssl/test/smcont.txt -stream -out cms2cms-mod-13.cms -recip ../../../openssl/test/smime-certs/smdh.pem -aes128 => 0 # CMD: openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -decrypt -recip ../../../openssl/test/smime-certs/smdh.pem -in cms2cms-mod-13.cms -out cms2cms-mod-13.txt Using configuration from ../../../openssl/test/fips-and-base.cnf Error decrypting CMS using private key 802252D86A7F0000:error:1700006C:CMS routines:cms_get0_signed:content type not signed data:../openssl/crypto/cms/cms_sd.c:30: 802252D86A7F0000:error:02800066:Diffie-Hellman routines:dh_buf2key:invalid public key:../openssl/crypto/dh/dh_key.c:392: 802252D86A7F0000:error:170000BC:CMS routines:dh_cms_decrypt:peer key error:../openssl/crypto/cms/cms_dh.c:173: ../../util/wrap.pl ../../apps/openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -decrypt -recip ../../../openssl/test/smime-certs/smdh.pem -in cms2cms-mod-13.cms -out cms2cms-mod-13.txt => 4 not ok 13 - enveloped content test streaming S/MIME format, X9.42 DH # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 14. not ok 5 - CMS <=> CMS consistency tests, modified key parameters # ------------------------------------------------------------------------------ # # Looks like you failed 1 test of 11.80-test_cms.t ...................... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/11 subtests 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... skipped: ct and ec are not supported by this OpenSSL build 80-test_dane.t ..................... skipped: test_dane uses ec which is not supported by this OpenSSL build 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. skipped: test_dane uses ec which is not supported by this OpenSSL build 81-test_cmp_cli.t .................. skipped: These tests are not supported in a no-ec build 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... skipped: No tests within the current enabled feature set 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cms.t (Wstat: 256 Tests: 11 Failed: 1) Failed test: 5 Non-zero exit status: 1 Files=228, Tests=1899, 717 wallclock secs (11.20 usr 1.26 sys + 665.25 cusr 57.70 csys = 735.41 CPU) Result: FAIL make[1]: *** [Makefile:3134: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-ec' make: *** [Makefile:3131: tests] Error 2 From no-reply at appveyor.com Mon Feb 1 10:08:51 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 01 Feb 2021 10:08:51 +0000 Subject: Build failed: openssl master.39494 Message-ID: <20210201100851.1.F6771F977D8211B3@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Feb 1 11:39:18 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 01 Feb 2021 11:39:18 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings enable-ec_nistp_64_gcc_128 Message-ID: <1612179558.619273.3530053.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-ec_nistp_64_gcc_128 Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # CMD: openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -encrypt -in ../../../openssl/test/smcont.txt -stream -out cms2cms-mod-13.cms -recip ../../../openssl/test/smime-certs/smdh.pem -aes128 Using configuration from ../../../openssl/test/fips-and-base.cnf ../../util/wrap.pl ../../apps/openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -encrypt -in ../../../openssl/test/smcont.txt -stream -out cms2cms-mod-13.cms -recip ../../../openssl/test/smime-certs/smdh.pem -aes128 => 0 # CMD: openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -decrypt -recip ../../../openssl/test/smime-certs/smdh.pem -in cms2cms-mod-13.cms -out cms2cms-mod-13.txt Using configuration from ../../../openssl/test/fips-and-base.cnf Error decrypting CMS using private key 8002349BB07F0000:error:1700006C:CMS routines:cms_get0_signed:content type not signed data:../openssl/crypto/cms/cms_sd.c:30: 8002349BB07F0000:error:02800066:Diffie-Hellman routines:dh_buf2key:invalid public key:../openssl/crypto/dh/dh_key.c:392: 8002349BB07F0000:error:170000BC:CMS routines:dh_cms_decrypt:peer key error:../openssl/crypto/cms/cms_dh.c:173: ../../util/wrap.pl ../../apps/openssl cms -provider-path ../../providers -config ../../../openssl/test/fips-and-base.cnf -provider fips -decrypt -recip ../../../openssl/test/smime-certs/smdh.pem -in cms2cms-mod-13.cms -out cms2cms-mod-13.txt => 4 not ok 13 - enveloped content test streaming S/MIME format, X9.42 DH # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 14. not ok 5 - CMS <=> CMS consistency tests, modified key parameters # ------------------------------------------------------------------------------ # # Looks like you failed 1 test of 11.80-test_cms.t ...................... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/11 subtests 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cms.t (Wstat: 256 Tests: 11 Failed: 1) Failed test: 5 Non-zero exit status: 1 Files=228, Tests=3209, 886 wallclock secs (14.57 usr 1.36 sys + 783.57 cusr 95.37 csys = 894.87 CPU) Result: FAIL make[1]: *** [Makefile:3279: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-ec_nistp_64_gcc_128' make: *** [Makefile:3276: tests] Error 2 From builds at travis-ci.com Mon Feb 1 12:19:22 2021 From: builds at travis-ci.com (Travis CI) Date: Mon, 01 Feb 2021 12:19:22 +0000 Subject: Failed: akhand2222/openssl#1 (OpenSSL_1_0_2-stable - cebb31f) In-Reply-To: Message-ID: <6017f1ca43b7a_13fc7d140dd046714c3@travis-pro-tasks-54d8c674d6-wnln6.mail> Build Update for akhand2222/openssl ------------------------------------- Build: #1 Status: Failed Duration: 2 mins and 46 secs Commit: cebb31f (OpenSSL_1_0_2-stable) Author: akhand2222 Message: Update .travis.yml View the changeset: https://github.com/akhand2222/openssl/compare/3392f4d53d7b...cebb31faf7df View the full build log and details: https://travis-ci.com/github/akhand2222/openssl/builds/215587979?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the akhand2222/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=18031544&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Feb 1 12:54:00 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 01 Feb 2021 12:54:00 +0000 Subject: Build completed: openssl master.39495 Message-ID: <20210201125400.1.35AA5CF2CF97C144@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Mon Feb 1 22:03:23 2021 From: levitte at openssl.org (Richard Levitte) Date: Mon, 01 Feb 2021 22:03:23 +0000 Subject: [openssl] master update Message-ID: <1612217003.868757.16699.nullmailer@dev.openssl.org> The branch master has been updated via f2db0528d8d7015ba39faca78a16e5e820db9df6 (commit) via 58f422f6f481ec7961fe762c97121b53abad3eb4 (commit) from b8a1272d57e144dfac97006477a68f9948ebb595 (commit) - Log ----------------------------------------------------------------- commit f2db0528d8d7015ba39faca78a16e5e820db9df6 Author: Richard Levitte Date: Thu Jan 28 08:22:09 2021 +0100 PROV: Add SM2 encoders and decoders, as well as support functionality The EC KEYMGMT implementation handled SM2 as well, except what's needed to support decoding: loading functions for both EC and SM2 that checks for the presence or absence of the SM2 curve the same way as the EC / SM2 import functions. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14028) commit 58f422f6f481ec7961fe762c97121b53abad3eb4 Author: Richard Levitte Date: Thu Jan 28 08:01:52 2021 +0100 Fix some odd names in our provider source code ecossl_dh_keyexch_functions -> ossl_ecdh_keyexch_functions ecossl_dsa_signature_functions -> ossl_ecdsa_signature_functions sm2_asym_cipher_functions -> ossl_sm2_asym_cipher_functions sm2_keymgmt_functions -> ossl_sm2_keymgmt_functions sm2_signature_functions -> ossl_sm2_signature_functions Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14028) ----------------------------------------------------------------------- Summary of changes: providers/decoders.inc | 4 ++ providers/defltprov.c | 10 ++--- providers/encoders.inc | 14 +++++++ providers/fips/fipsprov.c | 4 +- providers/implementations/asymciphers/sm2_enc.c | 2 +- .../implementations/encode_decode/decode_der2key.c | 14 +++++++ .../implementations/encode_decode/encode_key2any.c | 26 ++++++++++++ .../encode_decode/encode_key2text.c | 7 ++++ providers/implementations/exchange/ecdh_exch.c | 2 +- .../implementations/include/prov/implementations.h | 27 +++++++++--- providers/implementations/keymgmt/ec_kmgmt.c | 48 +++++++++++++++++----- providers/implementations/signature/ecdsa.c | 2 +- providers/implementations/signature/sm2sig.c | 2 +- 13 files changed, 136 insertions(+), 26 deletions(-) diff --git a/providers/decoders.inc b/providers/decoders.inc index c9f0dea638..4dc687c76f 100644 --- a/providers/decoders.inc +++ b/providers/decoders.inc @@ -65,6 +65,10 @@ DECODER_w_structure("X25519", der, PKCS8, x25519, yes), DECODER_w_structure("X25519", der, SubjectPublicKeyInfo, x25519, yes), DECODER_w_structure("X448", der, PKCS8, x448, yes), DECODER_w_structure("X448", der, SubjectPublicKeyInfo, x448, yes), +# ifndef OPENSSL_NO_SM2 +DECODER_w_structure("SM2", der, PKCS8, sm2, yes), +DECODER_w_structure("SM2", der, SubjectPublicKeyInfo, sm2, yes), +# endif #endif DECODER_w_structure("RSA", der, PKCS8, rsa, yes), DECODER_w_structure("RSA", der, SubjectPublicKeyInfo, rsa, yes), diff --git a/providers/defltprov.c b/providers/defltprov.c index 3cd7dffee8..2a1ebb6218 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -347,7 +347,7 @@ static const OSSL_ALGORITHM deflt_keyexch[] = { { "DH:dhKeyAgreement", "provider=default", ossl_dh_keyexch_functions }, #endif #ifndef OPENSSL_NO_EC - { "ECDH", "provider=default", ecossl_dh_keyexch_functions }, + { "ECDH", "provider=default", ossl_ecdh_keyexch_functions }, { "X25519", "provider=default", ossl_x25519_keyexch_functions }, { "X448", "provider=default", ossl_x448_keyexch_functions }, #endif @@ -375,9 +375,9 @@ static const OSSL_ALGORITHM deflt_signature[] = { #ifndef OPENSSL_NO_EC { "ED25519", "provider=default", ossl_ed25519_signature_functions }, { "ED448", "provider=default", ossl_ed448_signature_functions }, - { "ECDSA", "provider=default", ecossl_dsa_signature_functions }, + { "ECDSA", "provider=default", ossl_ecdsa_signature_functions }, # ifndef OPENSSL_NO_SM2 - { "SM2", "provider=default", sm2_signature_functions }, + { "SM2", "provider=default", ossl_sm2_signature_functions }, # endif #endif { "HMAC", "provider=default", ossl_mac_legacy_hmac_signature_functions }, @@ -396,7 +396,7 @@ static const OSSL_ALGORITHM deflt_signature[] = { static const OSSL_ALGORITHM deflt_asym_cipher[] = { { "RSA:rsaEncryption", "provider=default", ossl_rsa_asym_cipher_functions }, #ifndef OPENSSL_NO_SM2 - { "SM2", "provider=default", sm2_asym_cipher_functions }, + { "SM2", "provider=default", ossl_sm2_asym_cipher_functions }, #endif { NULL, NULL, NULL } }; @@ -436,7 +436,7 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = { { "CMAC", "provider=default", ossl_cossl_mac_legacy_keymgmt_functions }, #endif #ifndef OPENSSL_NO_SM2 - { "SM2", "provider=default", sm2_keymgmt_functions }, + { "SM2", "provider=default", ossl_sm2_keymgmt_functions }, #endif { NULL, NULL, NULL } }; diff --git a/providers/encoders.inc b/providers/encoders.inc index c8032799b8..f2b59e0846 100644 --- a/providers/encoders.inc +++ b/providers/encoders.inc @@ -60,6 +60,9 @@ ENCODER_TEXT("ED25519", ed25519, yes), ENCODER_TEXT("ED448", ed448, yes), ENCODER_TEXT("X25519", x25519, yes), ENCODER_TEXT("X448", x448, yes), +# ifndef OPENSSL_NO_SM2 +ENCODER_TEXT("SM2", sm2, yes), +# endif #endif /* @@ -104,6 +107,10 @@ ENCODER_w_structure("DSA", dsa, yes, pem, type_specific), /* EC only supports keypair and parameters output. */ ENCODER_w_structure("EC", ec, yes, der, type_specific_no_pub), ENCODER_w_structure("EC", ec, yes, pem, type_specific_no_pub), +# ifndef OPENSSL_NO_SM2 +ENCODER_w_structure("SM2", sm2, yes, der, type_specific_no_pub), +ENCODER_w_structure("SM2", sm2, yes, pem, type_specific_no_pub), +# endif #endif /* @@ -177,6 +184,13 @@ ENCODER_w_structure("ED448", ed448, yes, der, PKCS8), ENCODER_w_structure("ED448", ed448, yes, pem, PKCS8), ENCODER_w_structure("ED448", ed448, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("ED448", ed448, yes, pem, SubjectPublicKeyInfo), + +# ifndef OPENSSL_NO_SM2 +ENCODER_w_structure("SM2", sm2, yes, der, PKCS8), +ENCODER_w_structure("SM2", sm2, yes, pem, PKCS8), +ENCODER_w_structure("SM2", sm2, yes, der, SubjectPublicKeyInfo), +ENCODER_w_structure("SM2", sm2, yes, pem, SubjectPublicKeyInfo), +# endif #endif /* diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index ba9363bf2e..deffb88ba6 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -350,7 +350,7 @@ static const OSSL_ALGORITHM fips_keyexch[] = { { "DH:dhKeyAgreement", FIPS_DEFAULT_PROPERTIES, ossl_dh_keyexch_functions }, #endif #ifndef OPENSSL_NO_EC - { "ECDH", FIPS_DEFAULT_PROPERTIES, ecossl_dh_keyexch_functions }, + { "ECDH", FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, { "X25519", FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, { "X448", FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, #endif @@ -370,7 +370,7 @@ static const OSSL_ALGORITHM fips_signature[] = { #ifndef OPENSSL_NO_EC { "ED25519", FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, { "ED448", FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, - { "ECDSA", FIPS_DEFAULT_PROPERTIES, ecossl_dsa_signature_functions }, + { "ECDSA", FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, #endif { "HMAC", FIPS_DEFAULT_PROPERTIES, ossl_mac_legacy_hmac_signature_functions }, diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c index 913c36fcfd..3dd4d83838 100644 --- a/providers/implementations/asymciphers/sm2_enc.c +++ b/providers/implementations/asymciphers/sm2_enc.c @@ -207,7 +207,7 @@ static const OSSL_PARAM *sm2_settable_ctx_params(ossl_unused void *provctx) return known_settable_ctx_params; } -const OSSL_DISPATCH sm2_asym_cipher_functions[] = { +const OSSL_DISPATCH ossl_sm2_asym_cipher_functions[] = { { OSSL_FUNC_ASYM_CIPHER_NEWCTX, (void (*)(void))sm2_newctx }, { OSSL_FUNC_ASYM_CIPHER_ENCRYPT_INIT, (void (*)(void))sm2_init }, { OSSL_FUNC_ASYM_CIPHER_ENCRYPT, (void (*)(void))sm2_asym_encrypt }, diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index a91bd3b7b8..6611e808d1 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -504,6 +504,16 @@ static void ecx_key_adjust(void *key, struct der2key_ctx_st *ctx) # define x448_d2i_key_params NULL # define x448_free (free_key_fn *)ecx_key_free # define x448_adjust ecx_key_adjust + +# ifndef OPENSSL_NO_SM2 +# define sm2_evp_type EVP_PKEY_SM2 +# define sm2_evp_extract (extract_key_fn *)EVP_PKEY_get1_EC_KEY +# define sm2_d2i_private_key (d2i_of_void *)d2i_ECPrivateKey +# define sm2_d2i_public_key NULL +# define sm2_d2i_key_params (d2i_of_void *)d2i_ECParameters +# define sm2_free (free_key_fn *)EC_KEY_free +# define sm2_adjust ec_adjust +# endif #endif /* ---------------------------------------------------------------------- */ @@ -762,6 +772,10 @@ MAKE_DECODER("ED25519", ed25519, ecx, PKCS8); MAKE_DECODER("ED25519", ed25519, ecx, SubjectPublicKeyInfo); MAKE_DECODER("ED448", ed448, ecx, PKCS8); MAKE_DECODER("ED448", ed448, ecx, SubjectPublicKeyInfo); +# ifndef OPENSSL_NO_SM2 +MAKE_DECODER("SM2", sm2, ec, PKCS8); +MAKE_DECODER("SM2", sm2, ec, SubjectPublicKeyInfo); +# endif #endif MAKE_DECODER("RSA", rsa, rsa, PKCS8); MAKE_DECODER("RSA", rsa, rsa, SubjectPublicKeyInfo); diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index ee2930852e..7af53cca96 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -655,6 +655,12 @@ static int ec_pkcs8_priv_to_der(const void *veckey, unsigned char **pder) # define ec_evp_type EVP_PKEY_EC # define ec_input_type "EC" # define ec_pem_type "EC" + +# ifndef OPENSSL_NO_SM2 +# define sm2_evp_type EVP_PKEY_SM2 +# define sm2_input_type "SM2" +# define sm2_pem_type "SM2" +# endif #endif /* ---------------------------------------------------------------------- */ @@ -1139,6 +1145,10 @@ static int key2any_encode(struct key2any_ctx_st *ctx, OSSL_CORE_BIO *cout, #define DO_EC_selection_mask DO_type_specific_selection_mask #define DO_EC(impl, type, output) DO_type_specific(impl, type, output) +#define SM2_output_structure "sm2" +#define DO_SM2_selection_mask DO_type_specific_selection_mask +#define DO_SM2(impl, type, output) DO_type_specific(impl, type, output) + /* PKCS#1 defines a structure for RSA private and public keys */ #define PKCS1_output_structure "pkcs1" #define DO_PKCS1_selection_mask DO_RSA_selection_mask @@ -1280,6 +1290,9 @@ MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, type_specific, der); #endif #ifndef OPENSSL_NO_EC MAKE_ENCODER(ec, ec, EVP_PKEY_EC, type_specific_no_pub, der); +# ifndef OPENSSL_NO_SM2 +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, type_specific_no_pub, der); +# endif #endif /* @@ -1296,6 +1309,9 @@ MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, type_specific, pem); #endif #ifndef OPENSSL_NO_EC MAKE_ENCODER(ec, ec, EVP_PKEY_EC, type_specific_no_pub, pem); +# ifndef OPENSSL_NO_SM2 +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, type_specific_no_pub, pem); +# endif #endif /* @@ -1335,6 +1351,12 @@ MAKE_ENCODER(ec, ec, EVP_PKEY_EC, PKCS8, der); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, PKCS8, pem); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, der); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, pem); +# ifndef OPENSSL_NO_SM2 +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, PKCS8, der); +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, PKCS8, pem); +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, der); +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, pem); +# endif MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, PKCS8, der); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, PKCS8, pem); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, SubjectPublicKeyInfo, der); @@ -1376,6 +1398,10 @@ MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, DSA, pem); #ifndef OPENSSL_NO_EC MAKE_ENCODER(ec, ec, EVP_PKEY_EC, EC, der); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, EC, pem); +# ifndef OPENSSL_NO_SM2 +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SM2, der); +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SM2, pem); +# endif #endif /* Convenience structure names */ diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index 49bbf8c2af..21cedbb0dd 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c @@ -547,6 +547,10 @@ err: } # define ec_input_type "EC" + +# ifndef OPENSSL_NO_SM2 +# define sm2_input_type "SM2" +# endif #endif /* ---------------------------------------------------------------------- */ @@ -906,6 +910,9 @@ MAKE_TEXT_ENCODER(dsa, dsa); #endif #ifndef OPENSSL_NO_EC MAKE_TEXT_ENCODER(ec, ec); +# ifndef OPENSSL_NO_SM2 +MAKE_TEXT_ENCODER(sm2, ec); +# endif MAKE_TEXT_ENCODER(ed25519, ecx); MAKE_TEXT_ENCODER(ed448, ecx); MAKE_TEXT_ENCODER(x25519, ecx); diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index d5f4859733..a1b17443ba 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -530,7 +530,7 @@ int ecdh_derive(void *vpecdhctx, unsigned char *secret, return 0; } -const OSSL_DISPATCH ecossl_dh_keyexch_functions[] = { +const OSSL_DISPATCH ossl_ecdh_keyexch_functions[] = { { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))ecdh_newctx }, { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))ecdh_init }, { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))ecdh_derive }, diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 936e825e33..bdd0c243d6 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -286,14 +286,14 @@ extern const OSSL_DISPATCH ossl_kdf_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_mac_legacy_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_cossl_mac_legacy_keymgmt_functions[]; #ifndef OPENSSL_NO_SM2 -extern const OSSL_DISPATCH sm2_keymgmt_functions[]; +extern const OSSL_DISPATCH ossl_sm2_keymgmt_functions[]; #endif /* Key Exchange */ extern const OSSL_DISPATCH ossl_dh_keyexch_functions[]; extern const OSSL_DISPATCH ossl_x25519_keyexch_functions[]; extern const OSSL_DISPATCH ossl_x448_keyexch_functions[]; -extern const OSSL_DISPATCH ecossl_dh_keyexch_functions[]; +extern const OSSL_DISPATCH ossl_ecdh_keyexch_functions[]; extern const OSSL_DISPATCH ossl_kdf_tls1_prf_keyexch_functions[]; extern const OSSL_DISPATCH ossl_kdf_hkdf_keyexch_functions[]; extern const OSSL_DISPATCH ossl_kdf_scrypt_keyexch_functions[]; @@ -303,17 +303,17 @@ extern const OSSL_DISPATCH ossl_dsa_signature_functions[]; extern const OSSL_DISPATCH ossl_rsa_signature_functions[]; extern const OSSL_DISPATCH ossl_ed25519_signature_functions[]; extern const OSSL_DISPATCH ossl_ed448_signature_functions[]; -extern const OSSL_DISPATCH ecossl_dsa_signature_functions[]; +extern const OSSL_DISPATCH ossl_ecdsa_signature_functions[]; extern const OSSL_DISPATCH ossl_mac_legacy_hmac_signature_functions[]; extern const OSSL_DISPATCH ossl_mac_legacy_siphash_signature_functions[]; extern const OSSL_DISPATCH ossl_mac_legacy_poly1305_signature_functions[]; extern const OSSL_DISPATCH ossl_mac_legacy_cmac_signature_functions[]; -extern const OSSL_DISPATCH sm2_signature_functions[]; +extern const OSSL_DISPATCH ossl_sm2_signature_functions[]; /* Asym Cipher */ extern const OSSL_DISPATCH ossl_rsa_asym_cipher_functions[]; #ifndef OPENSSL_NO_SM2 -extern const OSSL_DISPATCH sm2_asym_cipher_functions[]; +extern const OSSL_DISPATCH ossl_sm2_asym_cipher_functions[]; #endif /* Asym Key encapsulation */ @@ -390,6 +390,18 @@ extern const OSSL_DISPATCH ossl_ec_to_type_specific_no_pub_pem_encoder_functions extern const OSSL_DISPATCH ossl_ec_to_type_specific_no_pub_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_text_encoder_functions[]; +#ifndef OPENSSL_NO_SM2 +extern const OSSL_DISPATCH ossl_sm2_to_SM2_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_SM2_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_PKCS8_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_PKCS8_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_SubjectPublicKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_SubjectPublicKeyInfo_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_type_specific_no_pub_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_type_specific_no_pub_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_text_encoder_functions[]; +#endif + extern const OSSL_DISPATCH ossl_ed25519_to_PKCS8_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed25519_to_PKCS8_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed25519_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -453,6 +465,11 @@ extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_ed25519_decoder_func extern const OSSL_DISPATCH ossl_PKCS8_der_to_ed448_decoder_functions[]; extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_ed448_decoder_functions[]; +#ifndef OPENSSL_NO_SM2 +extern const OSSL_DISPATCH ossl_PKCS8_der_to_sm2_decoder_functions[]; +extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_sm2_decoder_functions[]; +#endif + extern const OSSL_DISPATCH ossl_PKCS8_der_to_rsa_decoder_functions[]; extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_rsa_decoder_functions[]; extern const OSSL_DISPATCH ossl_type_specific_keypair_der_to_rsa_decoder_functions[]; diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index fc49aad1b9..3a58d9e4dc 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -337,12 +337,25 @@ static int ec_match(const void *keydata1, const void *keydata2, int selection) return ok; } +static int common_check_sm2(const EC_KEY *ec, int sm2_wanted) +{ + const EC_GROUP *ecg = NULL; + + /* + * sm2_wanted: import the keys or domparams only on SM2 Curve + * !sm2_wanted: import the keys or domparams only not on SM2 Curve + */ + if ((ecg = EC_KEY_get0_group(ec)) == NULL + || (sm2_wanted ^ (EC_GROUP_get_curve_name(ecg) == NID_sm2))) + return 0; + return 1; +} + static int common_import(void *keydata, int selection, const OSSL_PARAM params[], - int sm2_curve) + int sm2_wanted) { EC_KEY *ec = keydata; - const EC_GROUP *ecg = NULL; int ok = 1; if (!ossl_prov_is_running() || ec == NULL) @@ -366,12 +379,7 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[], ok = ok && ec_group_fromdata(ec, params); - /* - * sm2_curve: import the keys or domparams only on SM2 Curve - * !sm2_curve: import the keys or domparams only not on SM2 Curve - */ - if ((ecg = EC_KEY_get0_group(ec)) == NULL - || (sm2_curve ^ (EC_GROUP_get_curve_name(ecg) == NID_sm2))) + if (!common_check_sm2(ec, sm2_wanted)) return 0; if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { @@ -1267,13 +1275,18 @@ static void ec_gen_cleanup(void *genctx) OPENSSL_free(gctx); } -void *ec_load(const void *reference, size_t reference_sz) +static void *common_load(const void *reference, size_t reference_sz, + int sm2_wanted) { EC_KEY *ec = NULL; if (ossl_prov_is_running() && reference_sz == sizeof(ec)) { /* The contents of the reference is the address to our object */ ec = *(EC_KEY **)reference; + + if (!common_check_sm2(ec, sm2_wanted)) + return NULL; + /* We grabbed, so we detach it */ *(EC_KEY **)reference = NULL; return ec; @@ -1281,6 +1294,20 @@ void *ec_load(const void *reference, size_t reference_sz) return NULL; } +static void *ec_load(const void *reference, size_t reference_sz) +{ + return common_load(reference, reference_sz, 0); +} + +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 +static void *sm2_load(const void *reference, size_t reference_sz) +{ + return common_load(reference, reference_sz, 1); +} +# endif +#endif + const OSSL_DISPATCH ossl_ec_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata }, { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))ec_gen_init }, @@ -1311,7 +1338,7 @@ const OSSL_DISPATCH ossl_ec_keymgmt_functions[] = { #ifndef FIPS_MODULE # ifndef OPENSSL_NO_SM2 -const OSSL_DISPATCH sm2_keymgmt_functions[] = { +const OSSL_DISPATCH ossl_sm2_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata }, { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))ec_gen_init }, { OSSL_FUNC_KEYMGMT_GEN_SET_TEMPLATE, @@ -1321,6 +1348,7 @@ const OSSL_DISPATCH sm2_keymgmt_functions[] = { (void (*)(void))ec_gen_settable_params }, { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))sm2_gen }, { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))ec_gen_cleanup }, + { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))sm2_load }, { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))ec_freedata }, { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))sm2_get_params }, { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))sm2_gettable_params }, diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index 28e8b46ac7..e8e8e8d143 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -534,7 +534,7 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) return EVP_MD_settable_ctx_params(ctx->md); } -const OSSL_DISPATCH ecossl_dsa_signature_functions[] = { +const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign }, diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c index 6bd27d9d38..45fd70ef40 100644 --- a/providers/implementations/signature/sm2sig.c +++ b/providers/implementations/signature/sm2sig.c @@ -496,7 +496,7 @@ static const OSSL_PARAM *sm2sig_settable_ctx_md_params(void *vpsm2ctx) return EVP_MD_settable_ctx_params(psm2ctx->md); } -const OSSL_DISPATCH sm2_signature_functions[] = { +const OSSL_DISPATCH ossl_sm2_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))sm2sig_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))sm2sig_signature_init }, { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))sm2sig_sign }, From openssl at openssl.org Mon Feb 1 23:56:01 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 01 Feb 2021 23:56:01 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1612223761.579704.850676.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=228, Tests=2644, 701 wallclock secs (10.11 usr 1.40 sys + 613.39 cusr 75.75 csys = 700.65 CPU) Result: FAIL make[1]: *** [Makefile:2482: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2479: tests] Error 2 From levitte at openssl.org Tue Feb 2 05:03:02 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 02 Feb 2021 05:03:02 +0000 Subject: [web] master update Message-ID: <1612242182.375506.14279.nullmailer@dev.openssl.org> The branch master has been updated via d2b610bc453351c8b9dd50a7da2c2fcbe03c58d5 (commit) from 15c3d9188ef04d9d3d4b98088d641163390a5e03 (commit) - Log ----------------------------------------------------------------- commit d2b610bc453351c8b9dd50a7da2c2fcbe03c58d5 Author: Richard Levitte Date: Mon Jan 25 14:11:13 2021 +0100 Fix bin/mk-manpages3 to handle spurious & in the description We have some pages that emit < and > in the NAMES description in the HTML output. However, we're using sed to massage a template with that description, and & happens to be significant. Therefore, it needs being explicitly escaped. Partially fixes openssl/openssl#13949 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/214) ----------------------------------------------------------------------- Summary of changes: bin/mk-manpages3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/mk-manpages3 b/bin/mk-manpages3 index dba2772..5c83583 100755 --- a/bin/mk-manpages3 +++ b/bin/mk-manpages3 @@ -18,7 +18,7 @@ srcdir=tmp/doc/html $HERE/strip-man-html < $srcdir/$F > $destdir/$G section=$(basename $Dn | sed -e 's|^man||') - description="$($HERE/all-html-man-names < $destdir/$G | sed 's|^.* - ||')" + description="$($HERE/all-html-man-names < $destdir/$G | sed -e 's|^.* - ||' -e 's|\&|\\\&|g')" names="$($HERE/all-html-man-names < $destdir/$G | sed -e 's| - .*||' -e 's|, *| |g' -e 's|/|-|g')" for name in $names; do G=$Dn/$name.html From dev at ddvo.net Tue Feb 2 06:55:33 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Tue, 02 Feb 2021 06:55:33 +0000 Subject: [openssl] master update Message-ID: <1612248933.296099.18650.nullmailer@dev.openssl.org> The branch master has been updated via 6aab42c39060c7aa39d96c7a265ddc661cea2ed8 (commit) via 4d190f99ef1b6fa8c49ca1fd9bda872e5f51ec93 (commit) via a6d40689ecfb5246c67feee3b8aa5698bb062e90 (commit) via d337af18919a5c24c6f1d0ceb9fdb7aaf1beaef4 (commit) via 8e716147971971beb9ce747c74822abd24c6be13 (commit) via 673474b1640a0265530ad42868d1c8b7d33bef77 (commit) from f2db0528d8d7015ba39faca78a16e5e820db9df6 (commit) - Log ----------------------------------------------------------------- commit 6aab42c39060c7aa39d96c7a265ddc661cea2ed8 Author: Dr. David von Oheimb Date: Mon Jan 25 20:44:39 2021 +0100 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13960) commit 4d190f99ef1b6fa8c49ca1fd9bda872e5f51ec93 Author: Dr. David von Oheimb Date: Fri Jan 29 19:08:45 2021 +0100 Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13960) commit a6d40689ecfb5246c67feee3b8aa5698bb062e90 Author: Dr. David von Oheimb Date: Mon Jan 25 22:54:17 2021 +0100 HTTP: add more error detection to low-level API Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13960) commit d337af18919a5c24c6f1d0ceb9fdb7aaf1beaef4 Author: Dr. David von Oheimb Date: Mon Jan 25 19:49:58 2021 +0100 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params Also rename internal structure fields iobuf(len) to readbuf(len) for clarity Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13960) commit 8e716147971971beb9ce747c74822abd24c6be13 Author: Dr. David von Oheimb Date: Mon Jan 25 19:25:18 2021 +0100 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() Provides partial fix of #13127. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13960) commit 673474b1640a0265530ad42868d1c8b7d33bef77 Author: Dr. David von Oheimb Date: Mon Jan 25 16:18:40 2021 +0100 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send Otherwise, sending goes wrong in case BIO_write(rctx->wbio, ...) is incomplete at first. Fixes #13938 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13960) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 1 + crypto/http/http_client.c | 82 +++++++++++++++++++++++------------------ crypto/http/http_err.c | 2 + doc/man3/OSSL_HTTP_REQ_CTX.pod | 47 ++++++++++++++--------- doc/man3/OSSL_HTTP_transfer.pod | 13 ++++--- doc/man3/X509_load_http.pod | 4 +- include/openssl/http.h | 5 ++- include/openssl/httperr.h | 1 + include/openssl/x509.h.in | 8 +++- 9 files changed, 100 insertions(+), 63 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 8418463fc7..9bc59a4bfb 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2641,6 +2641,7 @@ HTTP_R_ERROR_PARSING_CONTENT_LENGTH:119:error parsing content length HTTP_R_ERROR_PARSING_URL:101:error parsing url HTTP_R_ERROR_RECEIVING:103:error receiving HTTP_R_ERROR_SENDING:102:error sending +HTTP_R_FAILED_READING_DATA:128:failed reading data HTTP_R_INCONSISTENT_CONTENT_LENGTH:120:inconsistent content length HTTP_R_INVALID_PORT_NUMBER:123:invalid port number HTTP_R_INVALID_URL_PATH:125:invalid url path diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index 6b627e15b0..56fb876ee6 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -42,23 +42,21 @@ struct ossl_http_req_ctx_st { int state; /* Current I/O state */ - unsigned char *iobuf; /* Line buffer */ - int iobuflen; /* Line buffer length */ + unsigned char *readbuf; /* Buffer for reading response by line */ + int readbuflen; /* Buffer length, equals maxline */ BIO *wbio; /* BIO to send request to */ BIO *rbio; /* BIO to read response from */ BIO *mem; /* Memory BIO response is built into */ int method_POST; /* HTTP method is "POST" (else "GET") */ const char *expected_ct; /* expected Content-Type, or NULL */ int expect_asn1; /* response must be ASN.1-encoded */ + long len_to_send; /* number of bytes in request still to send */ unsigned long resp_len; /* length of response */ unsigned long max_resp_len; /* Maximum length of response */ time_t max_time; /* Maximum end time of the transfer, or 0 */ char *redirection_url; /* Location given with HTTP status 301/302 */ }; -#define HTTP_DEFAULT_MAX_LINE_LENGTH (4 * 1024) -#define HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024) - /* HTTP states */ #define OHS_NOREAD 0x1000 /* If set no reading should be performed */ @@ -68,7 +66,7 @@ struct ossl_http_req_ctx_st { #define OHS_HEADERS 2 /* MIME headers being read */ #define OHS_ASN1_HEADER 3 /* HTTP initial header (tag+length) being read */ #define OHS_CONTENT 4 /* HTTP content octets being read */ -#define OHS_WRITE_INIT (5 | OHS_NOREAD) /* 1st call: ready to start I/O */ +#define OHS_WRITE_INIT (5 | OHS_NOREAD) /* 1st call: ready to start send */ #define OHS_WRITE (6 | OHS_NOREAD) /* Request being sent */ #define OHS_FLUSH (7 | OHS_NOREAD) /* Request being flushed */ #define OHS_DONE (8 | OHS_NOREAD) /* Completed */ @@ -91,13 +89,12 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, if ((rctx = OPENSSL_zalloc(sizeof(*rctx))) == NULL) return NULL; rctx->state = OHS_ERROR; - rctx->iobuflen = maxline > 0 ? maxline : HTTP_DEFAULT_MAX_LINE_LENGTH; - rctx->iobuf = OPENSSL_malloc(rctx->iobuflen); + rctx->readbuflen = maxline > 0 ? maxline : HTTP_DEFAULT_MAX_LINE_LENGTH; + rctx->readbuf = OPENSSL_malloc(rctx->readbuflen); rctx->wbio = wbio; rctx->rbio = rbio; - rctx->mem = BIO_new(BIO_s_mem()); - if (rctx->iobuf == NULL || rctx->mem == NULL) { - OSSL_HTTP_REQ_CTX_free(rctx); + if (rctx->readbuf == NULL) { + OPENSSL_free(rctx); return NULL; } rctx->method_POST = method_POST; @@ -106,6 +103,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, rctx->resp_len = 0; OSSL_HTTP_REQ_CTX_set_max_response_length(rctx, max_resp_len); rctx->max_time = timeout > 0 ? time(NULL) + timeout : 0; + /* everything else is 0, e.g. rctx->len_to_send, or NULL, e.g. rctx->mem */ return rctx; } @@ -114,11 +112,11 @@ void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx) if (rctx == NULL) return; BIO_free(rctx->mem); /* this may indirectly call ERR_clear_error() */ - OPENSSL_free(rctx->iobuf); + OPENSSL_free(rctx->readbuf); OPENSSL_free(rctx); } -BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(OSSL_HTTP_REQ_CTX *rctx) +BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(const OSSL_HTTP_REQ_CTX *rctx) { if (rctx == NULL) { ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); @@ -149,6 +147,9 @@ int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return 0; } + BIO_free(rctx->mem); + if ((rctx->mem = BIO_new(BIO_s_mem())) == NULL) + return 0; if (BIO_printf(rctx->mem, "%s ", rctx->method_POST ? "POST" : "GET") <= 0) return 0; @@ -183,6 +184,10 @@ int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx, ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (rctx->mem == NULL) { + ERR_raise(ERR_LIB_HTTP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } if (BIO_puts(rctx->mem, name) <= 0) return 0; @@ -198,8 +203,8 @@ int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx, return 1; } -static int OSSL_HTTP_REQ_CTX_content(OSSL_HTTP_REQ_CTX *rctx, - const char *content_type, BIO *req_mem) +static int OSSL_HTTP_REQ_CTX_set_content(OSSL_HTTP_REQ_CTX *rctx, + const char *content_type, BIO *req_mem) { const unsigned char *req; long req_len; @@ -208,7 +213,7 @@ static int OSSL_HTTP_REQ_CTX_content(OSSL_HTTP_REQ_CTX *rctx, ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return 0; } - if (!rctx->method_POST) { + if (rctx->mem == NULL || !rctx->method_POST) { ERR_raise(ERR_LIB_HTTP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -255,7 +260,7 @@ int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type, } res = (mem = HTTP_asn1_item2bio(it, req)) != NULL - && OSSL_HTTP_REQ_CTX_content(rctx, content_type, mem); + && OSSL_HTTP_REQ_CTX_set_content(rctx, content_type, mem); BIO_free(mem); return res; } @@ -315,7 +320,7 @@ OSSL_HTTP_REQ_CTX *HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int use_http_proxy, path) && OSSL_HTTP_REQ_CTX_add1_headers(rctx, headers, server) && (req_mem == NULL - || OSSL_HTTP_REQ_CTX_content(rctx, content_type, req_mem))) + || OSSL_HTTP_REQ_CTX_set_content(rctx, content_type, req_mem))) return rctx; OSSL_HTTP_REQ_CTX_free(rctx); @@ -408,7 +413,8 @@ static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx, unsigned long len) "length=%lu, max=%lu", len, rctx->max_resp_len); if (rctx->resp_len != 0 && rctx->resp_len != len) ERR_raise_data(ERR_LIB_HTTP, HTTP_R_INCONSISTENT_CONTENT_LENGTH, - "length=%lu, before=%lu", len, rctx->resp_len); + "ASN.1 length=%lu, Content-Length=%lu", + len, rctx->resp_len); rctx->resp_len = len; return 1; } @@ -420,7 +426,7 @@ static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx, unsigned long len) int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) { int i; - long n, n_to_send = 0; + long n; unsigned long resp_len; const unsigned char *p; char *key, *value, *line_end = NULL; @@ -429,19 +435,24 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (rctx->mem == NULL || rctx->wbio == NULL || rctx->rbio == NULL) { + ERR_raise(ERR_LIB_HTTP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } rctx->redirection_url = NULL; next_io: if ((rctx->state & OHS_NOREAD) == 0) { - n = BIO_read(rctx->rbio, rctx->iobuf, rctx->iobuflen); + n = BIO_read(rctx->rbio, rctx->readbuf, rctx->readbuflen); if (n <= 0) { if (BIO_should_retry(rctx->rbio)) return -1; + ERR_raise(ERR_LIB_HTTP, HTTP_R_FAILED_READING_DATA); return 0; } /* Write data to memory BIO */ - if (BIO_write(rctx->mem, rctx->iobuf, n) != n) + if (BIO_write(rctx->mem, rctx->readbuf, n) != n) return 0; } @@ -456,14 +467,13 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) /* fall thru */ case OHS_WRITE_INIT: - n_to_send = BIO_get_mem_data(rctx->mem, NULL); + rctx->len_to_send = BIO_get_mem_data(rctx->mem, NULL); rctx->state = OHS_WRITE; /* fall thru */ case OHS_WRITE: - n = BIO_get_mem_data(rctx->mem, &p); - - i = BIO_write(rctx->wbio, p + (n - n_to_send), n_to_send); + n = BIO_get_mem_data(rctx->mem, &p) - rctx->len_to_send; + i = BIO_write(rctx->wbio, p + n, rctx->len_to_send); if (i <= 0) { if (BIO_should_retry(rctx->wbio)) @@ -472,9 +482,9 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) return 0; } - n_to_send -= i; + rctx->len_to_send -= i; - if (n_to_send > 0) + if (rctx->len_to_send > 0) goto next_io; rctx->state = OHS_FLUSH; @@ -513,13 +523,13 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) */ n = BIO_get_mem_data(rctx->mem, &p); if (n <= 0 || memchr(p, '\n', n) == 0) { - if (n >= rctx->iobuflen) { + if (n >= rctx->readbuflen) { rctx->state = OHS_ERROR; return 0; } goto next_io; } - n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen); + n = BIO_gets(rctx->mem, (char *)rctx->readbuf, rctx->readbuflen); if (n <= 0) { if (BIO_should_retry(rctx->mem)) @@ -529,7 +539,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) } /* Don't allow excessive lines */ - if (n == rctx->iobuflen) { + if (n == rctx->readbuflen) { ERR_raise(ERR_LIB_HTTP, HTTP_R_RESPONSE_LINE_TOO_LONG); rctx->state = OHS_ERROR; return 0; @@ -537,7 +547,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) /* First line */ if (rctx->state == OHS_FIRSTLINE) { - switch (parse_http_line1((char *)rctx->iobuf)) { + switch (parse_http_line1((char *)rctx->readbuf)) { case HTTP_STATUS_CODE_OK: rctx->state = OHS_HEADERS; goto next_line; @@ -555,7 +565,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) return 0; } } - key = (char *)rctx->iobuf; + key = (char *)rctx->readbuf; value = strchr(key, ':'); if (value != NULL) { *(value++) = '\0'; @@ -596,8 +606,8 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) } } - /* Look for blank line: end of headers */ - for (p = rctx->iobuf; *p != '\0'; p++) { + /* Look for blank line indicating end of headers */ + for (p = rctx->readbuf; *p != '\0'; p++) { if (*p != '\r' && *p != '\n') break; } @@ -1177,7 +1187,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port, BIO_printf(fbio, "Proxy-Authorization: Basic %s\r\n", proxyauthenc); OPENSSL_clear_free(proxyauthenc, strlen(proxyauthenc)); } - proxy_end: + proxy_end: OPENSSL_clear_free(proxyauth, len); if (proxyauthenc == NULL) goto end; diff --git a/crypto/http/http_err.c b/crypto/http/http_err.c index ec46fb9304..49e56bedbf 100644 --- a/crypto/http/http_err.c +++ b/crypto/http/http_err.c @@ -25,6 +25,8 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = { {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_PARSING_URL), "error parsing url"}, {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_RECEIVING), "error receiving"}, {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_SENDING), "error sending"}, + {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_FAILED_READING_DATA), + "failed reading data"}, {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_INCONSISTENT_CONTENT_LENGTH), "inconsistent content length"}, {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_INVALID_PORT_NUMBER), diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index 3955359978..0b730b4e17 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -40,7 +40,7 @@ OSSL_HTTP_REQ_CTX_set_max_response_length ASN1_VALUE *OSSL_HTTP_REQ_CTX_sendreq_d2i(OSSL_HTTP_REQ_CTX *rctx, const ASN1_ITEM *it); - BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(OSSL_HTTP_REQ_CTX *rctx); + BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(const OSSL_HTTP_REQ_CTX *rctx); void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx, unsigned long len); @@ -56,10 +56,13 @@ should be preferred. OSSL_HTTP_REQ_CTX_new() allocates a new HTTP request context structure, which gets populated with the B to send the request to (I), the B to read the response from (I, which may be equal to I), +the maximum expected response header line length (I, where a value <= 0 +indicates that the B of 4KiB should be used; +this length is also used as the number of content bytes read at a time), the request method (I, which may be 1 to indicate that the C method is to be used, or 0 to indicate that the C method is to be used), -the maximum expected response header length (I, -where any zero or less indicates the default of 4KiB), +the maximum allowed response content length (I, where 0 means +that the B is used, which currently is 100 KiB), a response timeout measure in seconds (I, where 0 indicates no timeout, i.e., waiting indefinitely), the expected MIME content type of the response (I, @@ -87,31 +90,38 @@ For example, to add a C header for C you would call: OSSL_HTTP_REQ_CTX_add1_header(ctx, "Host", "example.com"); -OSSL_HTTP_REQ_CTX_i2d() finalizes the HTTP request context by adding the DER -encoding of I, using the ASN.1 template I to do the encoding. The -HTTP header C is automatically filled out, and if +OSSL_HTTP_REQ_CTX_i2d() finalizes the HTTP request context by adding +the DER encoding of I, using the ASN.1 template I to do the encoding. +The HTTP header C is automatically filled out, and if I isn't NULL, the HTTP header C is also added with its content as value. All of this ends up in the internal memory B. This requires that I was 1 in the OSSL_HTTP_REQ_CTX_new() call. -OSSL_HTTP_REQ_CTX_nbio() attempts the exchange of request and response via HTTP, -using the I and I that were given in the OSSL_HTTP_REQ_CTX_new() -call. When successful, the contents of the internal memory B is replaced -with the contents of the HTTP response, without the response headers. +OSSL_HTTP_REQ_CTX_nbio() attempts to send the request prepared I +and gathering the response via HTTP, using the I and I +that were given when calling OSSL_HTTP_REQ_CTX_new(). +When successful, the contents of the internal memory B contains +the contents of the HTTP response, without the response headers. It may need to be called again if its result is -1, which indicates L. In such a case it is advisable to sleep a little in -between to prevent a busy loop. +between using L on the read BIO to prevent a busy loop. OSSL_HTTP_REQ_CTX_sendreq_d2i() calls OSSL_HTTP_REQ_CTX_nbio(), possibly several times until a timeout is reached, and DER decodes the received response using the ASN.1 template I. -OSSL_HTTP_REQ_CTX_set_max_response_length() sets the maximum response length -for I to I. If the response exceeds this length an error occurs. -If not set a default value of 100k is used. - -OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B. This can -be used to affect the HTTP request text. I +OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B. +Before sending the request, this could used to modify the HTTP request text. +I +After receiving a response via HTTP, the BIO represents +the current state of reading the response headers and contents. + +OSSL_HTTP_REQ_CTX_set_max_response_length() sets the maximum allowed +response content length for I to I. If not set or I is 0 +then the B is used, which currently is 100 KiB. +If the C header is present and exceeds this value or +the content is an ASN.1 encoded structure with a length exceeding this value +or both length indications are present but disagree then an error occurs. =head1 WARNINGS @@ -167,6 +177,9 @@ OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B. =head1 SEE ALSO +L, +L, +L, L =head1 COPYRIGHT diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index dda59201cf..cb38d0124f 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -123,9 +123,11 @@ while using a proxy for HTTPS connections requires a suitable callback function such as OSSL_HTTP_proxy_connect(), described below. The I parameter specifies the response header maximum line length, -where 0 indicates the default value, which currently is 4k. +where a value <= 0 indicates that the B of 4KiB +should be used. +This length is also used as the number of content bytes that are read at a time. The I parameter specifies the maximum response length, -where 0 indicates the default value, which currently is 100k. +where 0 indicates B, which currently is 100 KiB. An ASN.1-encoded response is expected by OSSL_HTTP_get_asn1() and OSSL_HTTP_post_asn1(), while for OSSL_HTTP_get() or OSSL_HTTP_transfer() @@ -217,9 +219,10 @@ other HTTP client implementations such as wget, curl, and git. =head1 RETURN VALUES -OSSL_HTTP_get(), OSSL_HTTP_get_asn1(), OSSL_HTTP_post_asn1(), and -OSSL_HTTP_transfer() return on success the data received via HTTP, else NULL. -Error conditions include connection/transfer timeout, parse errors, etc. +On success, OSSL_HTTP_get(), OSSL_HTTP_get_asn1(), OSSL_HTTP_post_asn1(), and +OSSL_HTTP_transfer() return a memory BIO containing the data received via HTTP. +This must be freed by the caller. On failure, NULL is returned. +Failure conditions include connection/transfer timeout, parse errors, etc. OSSL_HTTP_proxy_connect() and OSSL_HTTP_parse_url() return 1 on success, 0 on error. diff --git a/doc/man3/X509_load_http.pod b/doc/man3/X509_load_http.pod index 483597b5b8..47a0e74760 100644 --- a/doc/man3/X509_load_http.pod +++ b/doc/man3/X509_load_http.pod @@ -15,8 +15,8 @@ X509_CRL_http_nbio X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); - #define X509_http_nbio(url) - #define X509_CRL_http_nbio(url) + #define X509_http_nbio(rctx, pcert) + #define X509_CRL_http_nbio(rctx, pcrl) =head1 DESCRIPTION diff --git a/include/openssl/http.h b/include/openssl/http.h index b35302289f..6c3ddd8ce8 100644 --- a/include/openssl/http.h +++ b/include/openssl/http.h @@ -35,6 +35,9 @@ typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail) # define OPENSSL_HTTP_PROXY "HTTP_PROXY" # define OPENSSL_HTTPS_PROXY "HTTPS_PROXY" +#define HTTP_DEFAULT_MAX_LINE_LENGTH (4 * 1024) +#define HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024) + OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int method_GET, int maxline, unsigned long max_resp_len, @@ -52,7 +55,7 @@ int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type, int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx); ASN1_VALUE *OSSL_HTTP_REQ_CTX_sendreq_d2i(OSSL_HTTP_REQ_CTX *rctx, const ASN1_ITEM *it); -BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(OSSL_HTTP_REQ_CTX *rctx); +BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(const OSSL_HTTP_REQ_CTX *rctx); void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx, unsigned long len); diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h index 4bf52bacb9..716feac39b 100644 --- a/include/openssl/httperr.h +++ b/include/openssl/httperr.h @@ -34,6 +34,7 @@ # define HTTP_R_ERROR_PARSING_URL 101 # define HTTP_R_ERROR_RECEIVING 103 # define HTTP_R_ERROR_SENDING 102 +# define HTTP_R_FAILED_READING_DATA 128 # define HTTP_R_INCONSISTENT_CONTENT_LENGTH 120 # define HTTP_R_INVALID_PORT_NUMBER 123 # define HTTP_R_INVALID_URL_PATH 125 diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index bb22abef6b..8a3cb2e4d0 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -403,9 +403,13 @@ int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md, unsigned int *len); X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); -# define X509_http_nbio(url) X509_load_http(url, NULL, NULL, 0) +# define X509_http_nbio(rctx, pcert) \ + OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, (ASN1_VALUE **)(pcert), \ + ASN1_ITEM_rptr(X509)) X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); -# define X509_CRL_http_nbio(url) X509_CRL_load_http(url, NULL, NULL, 0) +# define X509_CRL_http_nbio(rctx, pcrl) \ + OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, (ASN1_VALUE **)(pcrl), \ + ASN1_ITEM_rptr(X509_CRL)) # ifndef OPENSSL_NO_STDIO X509 *d2i_X509_fp(FILE *fp, X509 **x509); From beldmit at gmail.com Tue Feb 2 09:34:06 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Tue, 02 Feb 2021 09:34:06 +0000 Subject: [openssl] master update Message-ID: <1612258446.256778.31036.nullmailer@dev.openssl.org> The branch master has been updated via d3372c2f35495d0c61ab09daf7fba3ecbbb595aa (commit) from 6aab42c39060c7aa39d96c7a265ddc661cea2ed8 (commit) - Log ----------------------------------------------------------------- commit d3372c2f35495d0c61ab09daf7fba3ecbbb595aa Author: Job Snijders Date: Sun Jan 24 14:00:02 2021 +0000 Add some PKIX-RPKI objects References: RFC6482 - A Profile for Route Origin Authorizations (ROAs) RFC6484 - Certificate Policy (CP) for the RPKI RFC6493 - The RPKI Ghostbusters Record RFC8182 - The RPKI Repository Delta Protocol (RRDP) RFC8360 - RPKI Validation Reconsidered draft-ietf-sidrops-rpki-rta - A profile for RTAs CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13948) ----------------------------------------------------------------------- Summary of changes: crypto/objects/obj_dat.h | 70 ++++++++++++++++++++++++++++++++++++++++++---- crypto/objects/obj_mac.num | 12 ++++++++ crypto/objects/objects.txt | 15 +++++++++- fuzz/oids.txt | 12 ++++++++ include/openssl/obj_mac.h | 51 +++++++++++++++++++++++++++++++++ 5 files changed, 154 insertions(+), 6 deletions(-) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 1b852e6dfa..697cd527b3 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[7947] = { +static const unsigned char so[8054] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -1101,9 +1101,21 @@ static const unsigned char so[7947] = { 0x2A,0x85,0x03,0x64,0x71,0x04, /* [ 7928] OBJ_classSignToolKB1 */ 0x2A,0x85,0x03,0x64,0x71,0x05, /* [ 7934] OBJ_classSignToolKB2 */ 0x2A,0x85,0x03,0x64,0x71,0x06, /* [ 7940] OBJ_classSignToolKA1 */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x18, /* [ 7946] OBJ_id_ct_routeOriginAuthz */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1A, /* [ 7957] OBJ_id_ct_rpkiManifest */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x23, /* [ 7968] OBJ_id_ct_rpkiGhostbusters */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x24, /* [ 7979] OBJ_id_ct_resourceTaggedAttest */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x0E, /* [ 7990] OBJ_id_cp */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1C, /* [ 7997] OBJ_sbgp_ipAddrBlockv2 */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1D, /* [ 8005] OBJ_sbgp_autonomousSysNumv2 */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x02, /* [ 8013] OBJ_ipAddr_asNumber */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x03, /* [ 8021] OBJ_ipAddr_asNumberv2 */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0A, /* [ 8029] OBJ_rpkiManifest */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0B, /* [ 8037] OBJ_signedObject */ + 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0D, /* [ 8045] OBJ_rpkiNotify */ }; -#define NUM_NID 1234 +#define NUM_NID 1246 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2339,9 +2351,21 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"classSignToolKB1", "Class of Signing Tool KB1", NID_classSignToolKB1, 6, &so[7928]}, {"classSignToolKB2", "Class of Signing Tool KB2", NID_classSignToolKB2, 6, &so[7934]}, {"classSignToolKA1", "Class of Signing Tool KA1", NID_classSignToolKA1, 6, &so[7940]}, + {"id-ct-routeOriginAuthz", "id-ct-routeOriginAuthz", NID_id_ct_routeOriginAuthz, 11, &so[7946]}, + {"id-ct-rpkiManifest", "id-ct-rpkiManifest", NID_id_ct_rpkiManifest, 11, &so[7957]}, + {"id-ct-rpkiGhostbusters", "id-ct-rpkiGhostbusters", NID_id_ct_rpkiGhostbusters, 11, &so[7968]}, + {"id-ct-resourceTaggedAttest", "id-ct-resourceTaggedAttest", NID_id_ct_resourceTaggedAttest, 11, &so[7979]}, + {"id-cp", "id-cp", NID_id_cp, 7, &so[7990]}, + {"sbgp-ipAddrBlockv2", "sbgp-ipAddrBlockv2", NID_sbgp_ipAddrBlockv2, 8, &so[7997]}, + {"sbgp-autonomousSysNumv2", "sbgp-autonomousSysNumv2", NID_sbgp_autonomousSysNumv2, 8, &so[8005]}, + {"ipAddr-asNumber", "ipAddr-asNumber", NID_ipAddr_asNumber, 8, &so[8013]}, + {"ipAddr-asNumberv2", "ipAddr-asNumberv2", NID_ipAddr_asNumberv2, 8, &so[8021]}, + {"rpkiManifest", "RPKI Manifest", NID_rpkiManifest, 8, &so[8029]}, + {"signedObject", "Signed Object", NID_signedObject, 8, &so[8037]}, + {"rpkiNotify", "RPKI Notify", NID_rpkiNotify, 8, &so[8045]}, }; -#define NUM_SN 1225 +#define NUM_SN 1237 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -2951,7 +2975,12 @@ static const unsigned int sn_objs[NUM_SN] = { 332, /* "id-cmc-senderNonce" */ 327, /* "id-cmc-statusInfo" */ 331, /* "id-cmc-transactionId" */ + 1238, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ + 1237, /* "id-ct-resourceTaggedAttest" */ + 1234, /* "id-ct-routeOriginAuthz" */ + 1236, /* "id-ct-rpkiGhostbusters" */ + 1235, /* "id-ct-rpkiManifest" */ 1060, /* "id-ct-xml" */ 1108, /* "id-dsa-with-sha3-224" */ 1109, /* "id-dsa-with-sha3-256" */ @@ -3167,6 +3196,8 @@ static const unsigned int sn_objs[NUM_SN] = { 647, /* "international-organizations" */ 869, /* "internationaliSDNNumber" */ 142, /* "invalidityDate" */ + 1241, /* "ipAddr-asNumber" */ + 1242, /* "ipAddr-asNumberv2" */ 294, /* "ipsecEndSystem" */ 1022, /* "ipsecIKE" */ 295, /* "ipsecTunnel" */ @@ -3317,6 +3348,8 @@ static const unsigned int sn_objs[NUM_SN] = { 877, /* "roleOccupant" */ 448, /* "room" */ 463, /* "roomNumber" */ + 1243, /* "rpkiManifest" */ + 1245, /* "rpkiNotify" */ 6, /* "rsaEncryption" */ 644, /* "rsaOAEPEncryptionSET" */ 377, /* "rsaSignature" */ @@ -3324,7 +3357,9 @@ static const unsigned int sn_objs[NUM_SN] = { 482, /* "sOARecord" */ 155, /* "safeContentsBag" */ 291, /* "sbgp-autonomousSysNum" */ + 1240, /* "sbgp-autonomousSysNumv2" */ 290, /* "sbgp-ipAddrBlock" */ + 1239, /* "sbgp-ipAddrBlockv2" */ 292, /* "sbgp-routerIdentifier" */ 159, /* "sdsiCertificate" */ 859, /* "searchGuide" */ @@ -3503,6 +3538,7 @@ static const unsigned int sn_objs[NUM_SN] = { 604, /* "setext-pinAny" */ 603, /* "setext-pinSecure" */ 605, /* "setext-track2" */ + 1244, /* "signedObject" */ 52, /* "signingTime" */ 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ @@ -3570,7 +3606,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1225 +#define NUM_LN 1237 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ @@ -3731,6 +3767,8 @@ static const unsigned int ln_objs[NUM_LN] = { 385, /* "Private" */ 1093, /* "Professional Information or basis for Admission" */ 663, /* "Proxy Certificate Information" */ + 1243, /* "RPKI Manifest" */ + 1245, /* "RPKI Notify" */ 1, /* "RSA Data Security, Inc." */ 2, /* "RSA Data Security, Inc. PKCS" */ 1116, /* "RSA-SHA3-224" */ @@ -3752,6 +3790,7 @@ static const unsigned int ln_objs[NUM_LN] = { 1030, /* "Send Proxied Owner" */ 1028, /* "Send Proxied Router" */ 1027, /* "Send Router" */ + 1244, /* "Signed Object" */ 1033, /* "Signing KDC Response" */ 1008, /* "Signing Tool of Issuer" */ 1007, /* "Signing Tool of Subject" */ @@ -4195,7 +4234,12 @@ static const unsigned int ln_objs[NUM_LN] = { 332, /* "id-cmc-senderNonce" */ 327, /* "id-cmc-statusInfo" */ 331, /* "id-cmc-transactionId" */ + 1238, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ + 1237, /* "id-ct-resourceTaggedAttest" */ + 1234, /* "id-ct-routeOriginAuthz" */ + 1236, /* "id-ct-rpkiGhostbusters" */ + 1235, /* "id-ct-rpkiManifest" */ 1060, /* "id-ct-xml" */ 408, /* "id-ecPublicKey" */ 508, /* "id-hex-multipart-message" */ @@ -4366,6 +4410,8 @@ static const unsigned int ln_objs[NUM_LN] = { 461, /* "info" */ 101, /* "initials" */ 869, /* "internationaliSDNNumber" */ + 1241, /* "ipAddr-asNumber" */ + 1242, /* "ipAddr-asNumberv2" */ 1022, /* "ipsec Internet Key Exchange" */ 749, /* "ipsec3" */ 750, /* "ipsec4" */ @@ -4547,7 +4593,9 @@ static const unsigned int ln_objs[NUM_LN] = { 482, /* "sOARecord" */ 155, /* "safeContentsBag" */ 291, /* "sbgp-autonomousSysNum" */ + 1240, /* "sbgp-autonomousSysNumv2" */ 290, /* "sbgp-ipAddrBlock" */ + 1239, /* "sbgp-ipAddrBlockv2" */ 292, /* "sbgp-routerIdentifier" */ 973, /* "scrypt" */ 159, /* "sdsiCertificate" */ @@ -4799,7 +4847,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 1096 +#define NUM_OBJ 1108 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -5241,6 +5289,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 266, /* OBJ_id_aca 1 3 6 1 5 5 7 10 */ 267, /* OBJ_id_qcs 1 3 6 1 5 5 7 11 */ 268, /* OBJ_id_cct 1 3 6 1 5 5 7 12 */ + 1238, /* OBJ_id_cp 1 3 6 1 5 5 7 14 */ 662, /* OBJ_id_ppl 1 3 6 1 5 5 7 21 */ 176, /* OBJ_id_ad 1 3 6 1 5 5 7 48 */ 507, /* OBJ_id_hex_partial_message 1 3 6 1 7 1 1 1 */ @@ -5389,6 +5438,8 @@ static const unsigned int obj_objs[NUM_OBJ] = { 398, /* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */ 663, /* OBJ_proxyCertInfo 1 3 6 1 5 5 7 1 14 */ 1020, /* OBJ_tlsfeature 1 3 6 1 5 5 7 1 24 */ + 1239, /* OBJ_sbgp_ipAddrBlockv2 1 3 6 1 5 5 7 1 28 */ + 1240, /* OBJ_sbgp_autonomousSysNumv2 1 3 6 1 5 5 7 1 29 */ 164, /* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */ 165, /* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */ 293, /* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */ @@ -5483,6 +5534,8 @@ static const unsigned int obj_objs[NUM_OBJ] = { 360, /* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */ 361, /* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */ 362, /* OBJ_id_cct_PKIResponse 1 3 6 1 5 5 7 12 3 */ + 1241, /* OBJ_ipAddr_asNumber 1 3 6 1 5 5 7 14 2 */ + 1242, /* OBJ_ipAddr_asNumberv2 1 3 6 1 5 5 7 14 3 */ 664, /* OBJ_id_ppl_anyLanguage 1 3 6 1 5 5 7 21 0 */ 665, /* OBJ_id_ppl_inheritAll 1 3 6 1 5 5 7 21 1 */ 667, /* OBJ_Independent 1 3 6 1 5 5 7 21 2 */ @@ -5491,6 +5544,9 @@ static const unsigned int obj_objs[NUM_OBJ] = { 363, /* OBJ_ad_timeStamping 1 3 6 1 5 5 7 48 3 */ 364, /* OBJ_ad_dvcs 1 3 6 1 5 5 7 48 4 */ 785, /* OBJ_caRepository 1 3 6 1 5 5 7 48 5 */ + 1243, /* OBJ_rpkiManifest 1 3 6 1 5 5 7 48 10 */ + 1244, /* OBJ_signedObject 1 3 6 1 5 5 7 48 11 */ + 1245, /* OBJ_rpkiNotify 1 3 6 1 5 5 7 48 13 */ 780, /* OBJ_hmac_md5 1 3 6 1 5 5 8 1 1 */ 781, /* OBJ_hmac_sha1 1 3 6 1 5 5 8 1 2 */ 913, /* OBJ_aes_128_xts 1 3 111 2 1619 0 1 1 */ @@ -5824,8 +5880,12 @@ static const unsigned int obj_objs[NUM_OBJ] = { 786, /* OBJ_id_smime_ct_compressedData 1 2 840 113549 1 9 16 1 9 */ 1058, /* OBJ_id_smime_ct_contentCollection 1 2 840 113549 1 9 16 1 19 */ 1059, /* OBJ_id_smime_ct_authEnvelopedData 1 2 840 113549 1 9 16 1 23 */ + 1234, /* OBJ_id_ct_routeOriginAuthz 1 2 840 113549 1 9 16 1 24 */ + 1235, /* OBJ_id_ct_rpkiManifest 1 2 840 113549 1 9 16 1 26 */ 787, /* OBJ_id_ct_asciiTextWithCRLF 1 2 840 113549 1 9 16 1 27 */ 1060, /* OBJ_id_ct_xml 1 2 840 113549 1 9 16 1 28 */ + 1236, /* OBJ_id_ct_rpkiGhostbusters 1 2 840 113549 1 9 16 1 35 */ + 1237, /* OBJ_id_ct_resourceTaggedAttest 1 2 840 113549 1 9 16 1 36 */ 212, /* OBJ_id_smime_aa_receiptRequest 1 2 840 113549 1 9 16 2 1 */ 213, /* OBJ_id_smime_aa_securityLabel 1 2 840 113549 1 9 16 2 2 */ 214, /* OBJ_id_smime_aa_mlExpandHistory 1 2 840 113549 1 9 16 2 3 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 7d1d70ea28..9f9636f818 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1231,3 +1231,15 @@ classSignToolKC3 1230 classSignToolKB1 1231 classSignToolKB2 1232 classSignToolKA1 1233 +id_ct_routeOriginAuthz 1234 +id_ct_rpkiManifest 1235 +id_ct_rpkiGhostbusters 1236 +id_ct_resourceTaggedAttest 1237 +id_cp 1238 +sbgp_ipAddrBlockv2 1239 +sbgp_autonomousSysNumv2 1240 +ipAddr_asNumber 1241 +ipAddr_asNumberv2 1242 +rpkiManifest 1243 +signedObject 1244 +rpkiNotify 1245 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 8aef90d952..62bc8c1a8e 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -274,8 +274,12 @@ id-smime-ct 8 : id-smime-ct-DVCSResponseData id-smime-ct 9 : id-smime-ct-compressedData id-smime-ct 19 : id-smime-ct-contentCollection id-smime-ct 23 : id-smime-ct-authEnvelopedData +id-smime-ct 24 : id-ct-routeOriginAuthz +id-smime-ct 26 : id-ct-rpkiManifest id-smime-ct 27 : id-ct-asciiTextWithCRLF id-smime-ct 28 : id-ct-xml +id-smime-ct 35 : id-ct-rpkiGhostbusters +id-smime-ct 36 : id-ct-resourceTaggedAttest # S/MIME Attributes id-smime-aa 1 : id-smime-aa-receiptRequest @@ -465,6 +469,7 @@ id-pkix 8 : id-on id-pkix 9 : id-pda id-pkix 10 : id-aca id-pkix 11 : id-qcs +id-pkix 14 : id-cp id-pkix 12 : id-cct id-pkix 21 : id-ppl id-pkix 48 : id-ad @@ -503,6 +508,8 @@ id-pe 10 : ac-proxying id-pe 11 : subjectInfoAccess : Subject Information Access id-pe 14 : proxyCertInfo : Proxy Certificate Information id-pe 24 : tlsfeature : TLS Feature +id-pe 28 : sbgp-ipAddrBlockv2 +id-pe 29 : sbgp-autonomousSysNumv2 # PKIX policyQualifiers for Internet policy qualifiers id-qt 1 : id-qt-cps : Policy Qualifier CPS @@ -642,6 +649,10 @@ id-aca 6 : id-aca-encAttrs # qualified certificate statements id-qcs 1 : id-qcs-pkixQCSyntax-v1 +# PKIX Certificate Policies +id-cp 2 : ipAddr-asNumber +id-cp 3 : ipAddr-asNumberv2 + # CMC content types id-cct 1 : id-cct-crs id-cct 2 : id-cct-PKIData @@ -662,7 +673,9 @@ id-ad 3 : ad_timestamping : AD Time Stamping !Cname ad-dvcs id-ad 4 : AD_DVCS : ad dvcs id-ad 5 : caRepository : CA Repository - +id-ad 10 : rpkiManifest : RPKI Manifest +id-ad 11 : signedObject : Signed Object +id-ad 13 : rpkiNotify : RPKI Notify !Alias id-pkix-OCSP ad-OCSP !module id-pkix-OCSP diff --git a/fuzz/oids.txt b/fuzz/oids.txt index efbcaa416c..cc3f1f1401 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt @@ -1088,3 +1088,15 @@ OBJ_classSignToolKC3="\x2A\x85\x03\x64\x71\x03" OBJ_classSignToolKB1="\x2A\x85\x03\x64\x71\x04" OBJ_classSignToolKB2="\x2A\x85\x03\x64\x71\x05" OBJ_classSignToolKA1="\x2A\x85\x03\x64\x71\x06" +OBJ_id_ct_routeOriginAuthz="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x01\x18" +OBJ_id_ct_rpkiManifest="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x01\x1A" +OBJ_id_ct_rpkiGhostbusters="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x01\x23" +OBJ_id_ct_resourceTaggedAttest="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x01\x24" +OBJ_id_cp="\x2B\x06\x01\x05\x05\x07\x0E" +OBJ_sbgp_ipAddrBlockv2="\x2B\x06\x01\x05\x05\x07\x01\x1C" +OBJ_sbgp_autonomousSysNumv2="\x2B\x06\x01\x05\x05\x07\x01\x1D" +OBJ_ipAddr_asNumber="\x2B\x06\x01\x05\x05\x07\x0E\x02" +OBJ_ipAddr_asNumberv2="\x2B\x06\x01\x05\x05\x07\x0E\x03" +OBJ_rpkiManifest="\x2B\x06\x01\x05\x05\x07\x30\x0A" +OBJ_signedObject="\x2B\x06\x01\x05\x05\x07\x30\x0B" +OBJ_rpkiNotify="\x2B\x06\x01\x05\x05\x07\x30\x0D" diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 89b449037f..9bf4e3b86f 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -850,6 +850,14 @@ #define NID_id_smime_ct_authEnvelopedData 1059 #define OBJ_id_smime_ct_authEnvelopedData OBJ_id_smime_ct,23L +#define SN_id_ct_routeOriginAuthz "id-ct-routeOriginAuthz" +#define NID_id_ct_routeOriginAuthz 1234 +#define OBJ_id_ct_routeOriginAuthz OBJ_id_smime_ct,24L + +#define SN_id_ct_rpkiManifest "id-ct-rpkiManifest" +#define NID_id_ct_rpkiManifest 1235 +#define OBJ_id_ct_rpkiManifest OBJ_id_smime_ct,26L + #define SN_id_ct_asciiTextWithCRLF "id-ct-asciiTextWithCRLF" #define NID_id_ct_asciiTextWithCRLF 787 #define OBJ_id_ct_asciiTextWithCRLF OBJ_id_smime_ct,27L @@ -858,6 +866,14 @@ #define NID_id_ct_xml 1060 #define OBJ_id_ct_xml OBJ_id_smime_ct,28L +#define SN_id_ct_rpkiGhostbusters "id-ct-rpkiGhostbusters" +#define NID_id_ct_rpkiGhostbusters 1236 +#define OBJ_id_ct_rpkiGhostbusters OBJ_id_smime_ct,35L + +#define SN_id_ct_resourceTaggedAttest "id-ct-resourceTaggedAttest" +#define NID_id_ct_resourceTaggedAttest 1237 +#define OBJ_id_ct_resourceTaggedAttest OBJ_id_smime_ct,36L + #define SN_id_smime_aa_receiptRequest "id-smime-aa-receiptRequest" #define NID_id_smime_aa_receiptRequest 212 #define OBJ_id_smime_aa_receiptRequest OBJ_id_smime_aa,1L @@ -1395,6 +1411,10 @@ #define NID_id_qcs 267 #define OBJ_id_qcs OBJ_id_pkix,11L +#define SN_id_cp "id-cp" +#define NID_id_cp 1238 +#define OBJ_id_cp OBJ_id_pkix,14L + #define SN_id_cct "id-cct" #define NID_id_cct 268 #define OBJ_id_cct OBJ_id_pkix,12L @@ -1528,6 +1548,14 @@ #define NID_tlsfeature 1020 #define OBJ_tlsfeature OBJ_id_pe,24L +#define SN_sbgp_ipAddrBlockv2 "sbgp-ipAddrBlockv2" +#define NID_sbgp_ipAddrBlockv2 1239 +#define OBJ_sbgp_ipAddrBlockv2 OBJ_id_pe,28L + +#define SN_sbgp_autonomousSysNumv2 "sbgp-autonomousSysNumv2" +#define NID_sbgp_autonomousSysNumv2 1240 +#define OBJ_sbgp_autonomousSysNumv2 OBJ_id_pe,29L + #define SN_id_qt_cps "id-qt-cps" #define LN_id_qt_cps "Policy Qualifier CPS" #define NID_id_qt_cps 164 @@ -1956,6 +1984,14 @@ #define NID_id_qcs_pkixQCSyntax_v1 359 #define OBJ_id_qcs_pkixQCSyntax_v1 OBJ_id_qcs,1L +#define SN_ipAddr_asNumber "ipAddr-asNumber" +#define NID_ipAddr_asNumber 1241 +#define OBJ_ipAddr_asNumber OBJ_id_cp,2L + +#define SN_ipAddr_asNumberv2 "ipAddr-asNumberv2" +#define NID_ipAddr_asNumberv2 1242 +#define OBJ_ipAddr_asNumberv2 OBJ_id_cp,3L + #define SN_id_cct_crs "id-cct-crs" #define NID_id_cct_crs 360 #define OBJ_id_cct_crs OBJ_id_cct,1L @@ -2008,6 +2044,21 @@ #define NID_caRepository 785 #define OBJ_caRepository OBJ_id_ad,5L +#define SN_rpkiManifest "rpkiManifest" +#define LN_rpkiManifest "RPKI Manifest" +#define NID_rpkiManifest 1243 +#define OBJ_rpkiManifest OBJ_id_ad,10L + +#define SN_signedObject "signedObject" +#define LN_signedObject "Signed Object" +#define NID_signedObject 1244 +#define OBJ_signedObject OBJ_id_ad,11L + +#define SN_rpkiNotify "rpkiNotify" +#define LN_rpkiNotify "RPKI Notify" +#define NID_rpkiNotify 1245 +#define OBJ_rpkiNotify OBJ_id_ad,13L + #define OBJ_id_pkix_OCSP OBJ_ad_OCSP #define SN_id_pkix_OCSP_basic "basicOCSPResponse" From tmraz at fedoraproject.org Tue Feb 2 10:48:08 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Tue, 02 Feb 2021 10:48:08 +0000 Subject: [openssl] master update Message-ID: <1612262888.234285.12621.nullmailer@dev.openssl.org> The branch master has been updated via 7ff9fdd4b31757f70080bd3fa2e633ca080408a4 (commit) from d3372c2f35495d0c61ab09daf7fba3ecbbb595aa (commit) - Log ----------------------------------------------------------------- commit 7ff9fdd4b31757f70080bd3fa2e633ca080408a4 Author: Rich Salz Date: Thu Jan 28 10:17:13 2021 -0500 Deprecate X509_certificate_type Fixes: #13997 Reviewed-by: David von Oheimb Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14002) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 6 ++++++ crypto/x509/build.info | 6 +++++- include/openssl/evp.h | 22 ++++++++++++---------- include/openssl/x509.h.in | 3 ++- util/libcrypto.num | 2 +- 5 files changed, 26 insertions(+), 13 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e512b080c7..c10593c327 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,12 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * The undocumented function X509_certificate_type() has been deprecated; + applications can use X509_get0_pubkey() and X509_get0_signature() to + get the same information. + + *Rich Salz* + * Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex(). diff --git a/crypto/x509/build.info b/crypto/x509/build.info index 93019cc5e6..05c8e3003b 100644 --- a/crypto/x509/build.info +++ b/crypto/x509/build.info @@ -4,7 +4,7 @@ SOURCE[../../libcrypto]=\ x509_obj.c x509_req.c x509spki.c x509_vfy.c \ x509_set.c x509cset.c x509rset.c x509_err.c \ x509name.c x509_v3.c x509_ext.c x509_att.c \ - x509type.c x509_meth.c x509_lu.c x_all.c x509_txt.c \ + x509_meth.c x509_lu.c x_all.c x509_txt.c \ x509_trs.c by_file.c by_dir.c by_store.c x509_vpm.c \ x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \ x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c \ @@ -15,3 +15,7 @@ SOURCE[../../libcrypto]=\ v3_pcia.c v3_pci.c v3_ist.c \ pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \ v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c + +IF[{- !$disabled{'deprecated-3.0'} -}] + SOURCE[../../libcrypto]=x509type.c +ENDIF diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 68f2543a60..3b967202da 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -37,16 +37,18 @@ # include -# define EVP_PK_RSA 0x0001 -# define EVP_PK_DSA 0x0002 -# define EVP_PK_DH 0x0004 -# define EVP_PK_EC 0x0008 -# define EVP_PKT_SIGN 0x0010 -# define EVP_PKT_ENC 0x0020 -# define EVP_PKT_EXCH 0x0040 -# define EVP_PKS_RSA 0x0100 -# define EVP_PKS_DSA 0x0200 -# define EVP_PKS_EC 0x0400 +# ifndef OPENSSL_NO_DEPRECATED_3_0 +# define EVP_PK_RSA 0x0001 +# define EVP_PK_DSA 0x0002 +# define EVP_PK_DH 0x0004 +# define EVP_PK_EC 0x0008 +# define EVP_PKT_SIGN 0x0010 +# define EVP_PKT_ENC 0x0020 +# define EVP_PKT_EXCH 0x0040 +# define EVP_PKS_RSA 0x0100 +# define EVP_PKS_DSA 0x0200 +# define EVP_PKS_EC 0x0400 +# endif # define EVP_PKEY_NONE NID_undef # define EVP_PKEY_RSA NID_rsaEncryption diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 8a3cb2e4d0..7aef798e5b 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -726,7 +726,6 @@ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); EVP_PKEY *X509_get0_pubkey(const X509 *x); EVP_PKEY *X509_get_pubkey(X509 *x); ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x); -int X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey); long X509_REQ_get_version(const X509_REQ *req); int X509_REQ_set_version(X509_REQ *x, long version); @@ -838,6 +837,8 @@ int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); #ifndef OPENSSL_NO_DEPRECATED_3_0 # define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) +OSSL_DEPRECATEDIN_3_0 int X509_certificate_type(const X509 *x, + const EVP_PKEY *pubkey); #endif unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, const char *propq, int *ok); diff --git a/util/libcrypto.num b/util/libcrypto.num index f519518395..77612218c7 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -693,7 +693,7 @@ X509_add1_reject_object 710 3_0_0 EXIST::FUNCTION: ERR_set_mark 711 3_0_0 EXIST::FUNCTION: d2i_ASN1_VISIBLESTRING 712 3_0_0 EXIST::FUNCTION: X509_NAME_ENTRY_dup 714 3_0_0 EXIST::FUNCTION: -X509_certificate_type 715 3_0_0 EXIST::FUNCTION: +X509_certificate_type 715 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 PKCS7_add_signature 716 3_0_0 EXIST::FUNCTION: OBJ_ln2nid 717 3_0_0 EXIST::FUNCTION: CRYPTO_128_unwrap 718 3_0_0 EXIST::FUNCTION: From openssl at openssl.org Tue Feb 2 12:03:48 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 02 Feb 2021 12:03:48 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-sock Message-ID: <1612267428.373077.2342352.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions From matt at openssl.org Tue Feb 2 14:00:22 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 02 Feb 2021 14:00:22 +0000 Subject: [openssl] master update Message-ID: <1612274422.666106.9940.nullmailer@dev.openssl.org> The branch master has been updated via f94a91698b82a1986b553a1f46e4cd51219d0223 (commit) via 0b07db6f56e0240de6cc2ea122eee6431459ef20 (commit) via 40994605140b9fcbe98a786dc75bdc1b9e9fee3f (commit) via 04b9435a991585d0f9a775a203cc3986d4872a6e (commit) via b233ea82765e80038e4884564153f9c8543d9396 (commit) via cd4e6a351201270cd2769e1e2af7e9fb875a3f80 (commit) via a0134d293e907672e2717fe54ce6a4b3ae425388 (commit) from 7ff9fdd4b31757f70080bd3fa2e633ca080408a4 (commit) - Log ----------------------------------------------------------------- commit f94a91698b82a1986b553a1f46e4cd51219d0223 Author: Matt Caswell Date: Wed Jan 27 17:23:13 2021 +0000 Add a CI job to run the threads test with threads sanitizer on Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit 0b07db6f56e0240de6cc2ea122eee6431459ef20 Author: Matt Caswell Date: Wed Jan 27 17:18:27 2021 +0000 Ensure the EVP_PKEY operation_cache is appropriately locked The EVP_PKEY operation_cache caches references to provider side key objects that have previously been exported for this EVP_PKEY, and their associated key managers. The cache may be updated from time to time as the EVP_PKEY is exported to more providers. Since an EVP_PKEY may be shared by multiple threads simultaneously we must be careful to ensure the cache updates are locked. Fixes #13818 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit 40994605140b9fcbe98a786dc75bdc1b9e9fee3f Author: Matt Caswell Date: Wed Jan 27 15:51:48 2021 +0000 Ensure access to FIPS_state and rate_limit is appropriately locked These variables can be accessed concurrently from multiple threads so we ensure that we properly lock them before read or write. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit 04b9435a991585d0f9a775a203cc3986d4872a6e Author: Matt Caswell Date: Tue Jan 26 17:00:25 2021 +0000 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() Otherwise we can get data races. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit b233ea82765e80038e4884564153f9c8543d9396 Author: Matt Caswell Date: Tue Jan 26 15:23:19 2021 +0000 Avoid races by caching exported ciphers in the init function TSAN was reporting a race of the exported ciphers cache that we create in the default and fips providers. This was because we cached it in the query function rather than the init function, so this would cause a race if multiple threads queried at the same time. In practice it probably wouldn't make much difference since different threads should come up with the same answer. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit cd4e6a351201270cd2769e1e2af7e9fb875a3f80 Author: Matt Caswell Date: Tue Jan 26 15:14:02 2021 +0000 Refactor RAND_get0_primary() locking Make sure we never read or write to dgbl->primary outside of a lock. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit a0134d293e907672e2717fe54ce6a4b3ae425388 Author: Matt Caswell Date: Tue Jan 26 13:30:06 2021 +0000 Add a multi-thread test for shared EVP_PKEYs EVP_PKEYs may be shared across mutliple threads. For example this is common for users of libssl who provide a single EVP_PKEY private key for an SSL_CTX, which is then shared between multiple threads for each SSL object. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 11 +++ crypto/context.c | 22 ++++-- crypto/evp/keymgmt_lib.c | 39 +++++++++- crypto/evp/p_lib.c | 22 +++++- crypto/ex_data.c | 13 +++- crypto/rand/rand_lib.c | 64 ++++++++++------- .../man3/evp_keymgmt_util_export_to_provider.pod | 16 +++-- include/crypto/cryptlib.h | 3 + include/crypto/evp.h | 2 +- providers/defltprov.c | 2 +- providers/fips/fipsprov.c | 4 +- providers/fips/self_test.c | 46 ++++++++---- test/recipes/90-test_threads.t | 6 +- .../90-test_threads_data/rsakey.pem} | 0 test/threadstest.c | 82 +++++++++++++++++++++- 15 files changed, 267 insertions(+), 65 deletions(-) copy test/{certs/serverkey.pem => recipes/90-test_threads_data/rsakey.pem} (100%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9e99a9b97b..b057eb1d5b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -91,6 +91,17 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 + threads_sanitizer: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout at v2 + - name: config + run: CC=clang ./config --strict-warnings -fsanitize=thread && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make TESTS=test_threads test HARNESS_JOBS=${HARNESS_JOBS:-4} + enable_non-default_options: runs-on: ubuntu-latest steps: diff --git a/crypto/context.c b/crypto/context.c index 7efe475b70..5a46921778 100644 --- a/crypto/context.c +++ b/crypto/context.c @@ -283,7 +283,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index, if (dynidx != -1) { CRYPTO_THREAD_read_lock(ctx->index_locks[index]); + CRYPTO_THREAD_read_lock(ctx->lock); data = CRYPTO_get_ex_data(&ctx->data, dynidx); + CRYPTO_THREAD_unlock(ctx->lock); CRYPTO_THREAD_unlock(ctx->index_locks[index]); return data; } @@ -293,8 +295,8 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index, dynidx = ctx->dyn_indexes[index]; if (dynidx != -1) { - CRYPTO_THREAD_unlock(ctx->lock); data = CRYPTO_get_ex_data(&ctx->data, dynidx); + CRYPTO_THREAD_unlock(ctx->lock); CRYPTO_THREAD_unlock(ctx->index_locks[index]); return data; } @@ -307,10 +309,22 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index, CRYPTO_THREAD_unlock(ctx->lock); - /* The alloc call ensures there's a value there */ - if (CRYPTO_alloc_ex_data(CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, - &ctx->data, ctx->dyn_indexes[index])) + /* + * The alloc call ensures there's a value there. We release the ctx->lock + * for this, because the allocation itself may recursively call + * ossl_lib_ctx_get_data for other indexes (never this one). The allocation + * will itself aquire the ctx->lock when it actually comes to store the + * allocated data (see ossl_lib_ctx_generic_new() above). We call + * ossl_crypto_alloc_ex_data_intern() here instead of CRYPTO_alloc_ex_data(). + * They do the same thing except that the latter calls CRYPTO_get_ex_data() + * as well - which we must not do without holding the ctx->lock. + */ + if (ossl_crypto_alloc_ex_data_intern(CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, + &ctx->data, ctx->dyn_indexes[index])) { + CRYPTO_THREAD_read_lock(ctx->lock); data = CRYPTO_get_ex_data(&ctx->data, ctx->dyn_indexes[index]); + CRYPTO_THREAD_unlock(ctx->lock); + } CRYPTO_THREAD_unlock(ctx->index_locks[index]); diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c index 763982e58f..0c643b3b49 100644 --- a/crypto/evp/keymgmt_lib.c +++ b/crypto/evp/keymgmt_lib.c @@ -102,10 +102,16 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) return pk->keydata; /* If this key is already exported to |keymgmt|, no more to do */ + CRYPTO_THREAD_read_lock(pk->lock); i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt); if (i < OSSL_NELEM(pk->operation_cache) - && pk->operation_cache[i].keymgmt != NULL) - return pk->operation_cache[i].keydata; + && pk->operation_cache[i].keymgmt != NULL) { + void *ret = pk->operation_cache[i].keydata; + + CRYPTO_THREAD_unlock(pk->lock); + return ret; + } + CRYPTO_THREAD_unlock(pk->lock); /* If the "origin" |keymgmt| doesn't support exporting, give up */ /* @@ -153,20 +159,42 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) return NULL; } + CRYPTO_THREAD_write_lock(pk->lock); + /* Check to make sure some other thread didn't get there first */ + i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt); + if (i < OSSL_NELEM(pk->operation_cache) + && pk->operation_cache[i].keymgmt != NULL) { + void *ret = pk->operation_cache[i].keydata; + + CRYPTO_THREAD_unlock(pk->lock); + + /* + * Another thread seemms to have already exported this so we abandon + * all the work we just did. + */ + evp_keymgmt_freedata(keymgmt, import_data.keydata); + + return ret; + } + /* Add the new export to the operation cache */ if (!evp_keymgmt_util_cache_keydata(pk, i, keymgmt, import_data.keydata)) { evp_keymgmt_freedata(keymgmt, import_data.keydata); return NULL; } + CRYPTO_THREAD_unlock(pk->lock); + return import_data.keydata; } -void evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk) +int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) { size_t i, end = OSSL_NELEM(pk->operation_cache); if (pk != NULL) { + if (locking && pk->lock != NULL && !CRYPTO_THREAD_write_lock(pk->lock)) + return 0; for (i = 0; i < end && pk->operation_cache[i].keymgmt != NULL; i++) { EVP_KEYMGMT *keymgmt = pk->operation_cache[i].keymgmt; void *keydata = pk->operation_cache[i].keydata; @@ -176,7 +204,11 @@ void evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk) evp_keymgmt_freedata(keymgmt, keydata); EVP_KEYMGMT_free(keymgmt); } + if (locking && pk->lock != NULL) + CRYPTO_THREAD_unlock(pk->lock); } + + return 1; } size_t evp_keymgmt_util_find_operation_cache_index(EVP_PKEY *pk, @@ -198,6 +230,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, size_t index, if (keydata != NULL) { if (!EVP_KEYMGMT_up_ref(keymgmt)) return 0; + pk->operation_cache[index].keydata = keydata; pk->operation_cache[index].keymgmt = keymgmt; } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 5df9b19eae..21ce51d573 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1621,7 +1621,7 @@ static void evp_pkey_free_it(EVP_PKEY *x) { /* internal function; x is never NULL */ - evp_keymgmt_util_clear_operation_cache(x); + evp_keymgmt_util_clear_operation_cache(x, 1); #ifndef FIPS_MODULE evp_pkey_free_legacy(x); #endif @@ -1735,6 +1735,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, * |i| remains zero, and we will clear the cache further down. */ if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) { + if (!CRYPTO_THREAD_read_lock(pk->lock)) + goto end; i = evp_keymgmt_util_find_operation_cache_index(pk, tmp_keymgmt); /* @@ -1746,8 +1748,10 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, if (i < OSSL_NELEM(pk->operation_cache) && pk->operation_cache[i].keymgmt != NULL) { keydata = pk->operation_cache[i].keydata; + CRYPTO_THREAD_unlock(pk->lock); goto end; } + CRYPTO_THREAD_unlock(pk->lock); } /* @@ -1782,12 +1786,22 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, keydata = NULL; goto end; } - if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy) - evp_keymgmt_util_clear_operation_cache(pk); + + if (!CRYPTO_THREAD_write_lock(pk->lock)) + goto end; + if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy + && !evp_keymgmt_util_clear_operation_cache(pk, 0)) { + CRYPTO_THREAD_unlock(pk->lock); + evp_keymgmt_freedata(tmp_keymgmt, keydata); + keydata = NULL; + EVP_KEYMGMT_free(tmp_keymgmt); + goto end; + } EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */ /* Add the new export to the operation cache */ if (!evp_keymgmt_util_cache_keydata(pk, i, tmp_keymgmt, keydata)) { + CRYPTO_THREAD_unlock(pk->lock); evp_keymgmt_freedata(tmp_keymgmt, keydata); keydata = NULL; goto end; @@ -1795,6 +1809,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, /* Synchronize the dirty count */ pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk); + + CRYPTO_THREAD_unlock(pk->lock); goto end; } #endif /* FIPS_MODULE */ diff --git a/crypto/ex_data.c b/crypto/ex_data.c index 5de99b4735..0d87ea7f0e 100644 --- a/crypto/ex_data.c +++ b/crypto/ex_data.c @@ -392,16 +392,23 @@ void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad) int CRYPTO_alloc_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad, int idx) { - EX_CALLBACK *f; - EX_CALLBACKS *ip; void *curval; - OSSL_EX_DATA_GLOBAL *global; curval = CRYPTO_get_ex_data(ad, idx); /* Already there, no need to allocate */ if (curval != NULL) return 1; + return ossl_crypto_alloc_ex_data_intern(class_index, obj, ad, idx); +} + +int ossl_crypto_alloc_ex_data_intern(int class_index, void *obj, + CRYPTO_EX_DATA *ad, int idx) +{ + EX_CALLBACK *f; + EX_CALLBACKS *ip; + OSSL_EX_DATA_GLOBAL *global; + global = ossl_lib_ctx_get_ex_data_global(ad->ctx); if (global == NULL) return 0; diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 4e561568cd..69afa9d2ea 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -553,38 +553,52 @@ static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent, EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) { RAND_GLOBAL *dgbl = rand_get_global(ctx); + EVP_RAND_CTX *ret; if (dgbl == NULL) return NULL; - if (dgbl->primary == NULL) { - if (!CRYPTO_THREAD_write_lock(dgbl->lock)) - return NULL; + if (!CRYPTO_THREAD_read_lock(dgbl->lock)) + return NULL; + + ret = dgbl->primary; + CRYPTO_THREAD_unlock(dgbl->lock); + + if (ret != NULL) + return ret; + + if (!CRYPTO_THREAD_write_lock(dgbl->lock)) + return NULL; + + ret = dgbl->primary; + if (ret != NULL) { + CRYPTO_THREAD_unlock(dgbl->lock); + return ret; + } + #ifndef FIPS_MODULE - if (dgbl->seed == NULL) { - ERR_set_mark(); - dgbl->seed = rand_new_seed(ctx); - ERR_pop_to_mark(); - } + if (dgbl->seed == NULL) { + ERR_set_mark(); + dgbl->seed = rand_new_seed(ctx); + ERR_pop_to_mark(); + } #endif - if (dgbl->primary == NULL) - dgbl->primary = rand_new_drbg(ctx, dgbl->seed, - PRIMARY_RESEED_INTERVAL, - PRIMARY_RESEED_TIME_INTERVAL); - /* - * The primary DRBG may be shared between multiple threads so we must - * enable locking. - */ - if (dgbl->primary != NULL && !EVP_RAND_enable_locking(dgbl->primary)) { - ERR_raise(ERR_LIB_EVP, EVP_R_UNABLE_TO_ENABLE_LOCKING); - EVP_RAND_CTX_free(dgbl->primary); - dgbl->primary = NULL; - CRYPTO_THREAD_lock_free(dgbl->lock); - return NULL; - } - CRYPTO_THREAD_unlock(dgbl->lock); + + ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed, + PRIMARY_RESEED_INTERVAL, + PRIMARY_RESEED_TIME_INTERVAL); + /* + * The primary DRBG may be shared between multiple threads so we must + * enable locking. + */ + if (ret != NULL && !EVP_RAND_enable_locking(ret)) { + ERR_raise(ERR_LIB_EVP, EVP_R_UNABLE_TO_ENABLE_LOCKING); + EVP_RAND_CTX_free(ret); + ret = dgbl->primary = NULL; } - return dgbl->primary; + CRYPTO_THREAD_unlock(dgbl->lock); + + return ret; } /* diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod index bb2ad9ba8e..31f8b00e47 100644 --- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod @@ -20,9 +20,9 @@ evp_keymgmt_util_fromdata void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); size_t evp_keymgmt_util_find_operation_cache_index(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); - void evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk); - void evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, size_t index, - EVP_KEYMGMT *keymgmt, void *keydata); + int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); + int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, size_t index, + EVP_KEYMGMT *keymgmt, void *keydata); void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, int selection, const OSSL_PARAM params[]); @@ -44,10 +44,13 @@ as this function ignores any legacy key data. evp_keymgmt_util_find_operation_cache_index() finds the location if I in I's cache of provided keys for operations. If I is NULL or couldn't be found in the cache, it finds the -first empty slot instead if there is any. +first empty slot instead if there is any. It should only be called while +holding I's lock (read or write). evp_keymgmt_util_clear_operation_cache() can be used to explicitly -clear the cache of operation key references. +clear the cache of operation key references. If I is set to 1 then +then I's lock will be obtained while doing the clear. Otherwise it will be +assumed that the lock has already been obtained or is not required. evp_keymgmt_util_cache_keydata() can be used to assign a provider key object to a specific cache slot in the given I. @@ -72,6 +75,9 @@ operation cache slot. If I is NULL, or if there is no slot with a match for I, the index of the first empty slot is returned, or the maximum number of slots if there isn't an empty one. +evp_keymgmt_util_cache_keydata() and evp_keymgmt_util_clear_operation_cache() +return 1 on success or 0 otherwise. + =head1 NOTES "Legacy key" is the term used for any key that has been assigned to an diff --git a/include/crypto/cryptlib.h b/include/crypto/cryptlib.h index 69d94be54a..8fd04fa16f 100644 --- a/include/crypto/cryptlib.h +++ b/include/crypto/cryptlib.h @@ -29,3 +29,6 @@ void ossl_ctx_thread_stop(void *arg); void ossl_trace_cleanup(void); void ossl_malloc_setup_failures(void); + +int ossl_crypto_alloc_ex_data_intern(int class_index, void *obj, + CRYPTO_EX_DATA *ad, int idx); diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 20335e9a32..bed75f406c 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -729,7 +729,7 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); size_t evp_keymgmt_util_find_operation_cache_index(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); -void evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk); +int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, size_t index, EVP_KEYMGMT *keymgmt, void *keydata); void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); diff --git a/providers/defltprov.c b/providers/defltprov.c index 2a1ebb6218..c246ed42be 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -472,7 +472,6 @@ static const OSSL_ALGORITHM *deflt_query(void *provctx, int operation_id, case OSSL_OP_DIGEST: return deflt_digests; case OSSL_OP_CIPHER: - ossl_prov_cache_exported_algorithms(deflt_ciphers, exported_ciphers); return exported_ciphers; case OSSL_OP_MAC: return deflt_macs; @@ -570,6 +569,7 @@ int ossl_default_provider_init(const OSSL_CORE_HANDLE *handle, ossl_prov_ctx_set0_core_bio_method(*provctx, corebiometh); *out = deflt_dispatch_table; + ossl_prov_cache_exported_algorithms(deflt_ciphers, exported_ciphers); return 1; } diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index deffb88ba6..dc1bd7b472 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -434,8 +434,6 @@ static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id, case OSSL_OP_DIGEST: return fips_digests; case OSSL_OP_CIPHER: - ossl_prov_cache_exported_algorithms(fips_ciphers, - exported_fips_ciphers); return exported_fips_ciphers; case OSSL_OP_MAC: return fips_macs; @@ -626,6 +624,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, fgbl->handle = handle; + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); + selftest_params.libctx = libctx; if (!SELF_TEST_post(&selftest_params, 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_POST_FAILURE); diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index 4d8e640c38..a3dd621262 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c @@ -47,18 +47,19 @@ static int FIPS_conditional_error_check = 1; static int FIPS_state = FIPS_STATE_INIT; static CRYPTO_RWLOCK *self_test_lock = NULL; +static CRYPTO_RWLOCK *fips_state_lock = NULL; static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS }; static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE_STATIC(do_fips_self_test_init) { /* - * This lock gets freed in platform specific ways that may occur after we + * These locks get freed in platform specific ways that may occur after we * do mem leak checking. If we don't know how to free it for a particular - * platform then we just leak it deliberately. So we temporarily disable the - * mem leak checking while we allocate this. + * platform then we just leak it deliberately. */ self_test_lock = CRYPTO_THREAD_lock_new(); + fips_state_lock = CRYPTO_THREAD_lock_new(); return self_test_lock != NULL; } @@ -150,6 +151,7 @@ DEP_INIT_ATTRIBUTE void init(void) DEP_FINI_ATTRIBUTE void cleanup(void) { CRYPTO_THREAD_lock_free(self_test_lock); + CRYPTO_THREAD_lock_free(fips_state_lock); } #endif @@ -212,6 +214,13 @@ err: return ret; } +static void set_fips_state(int state) +{ + CRYPTO_THREAD_write_lock(fips_state_lock); + FIPS_state = state; + CRYPTO_THREAD_unlock(fips_state_lock); +} + /* This API is triggered either on loading of the FIPS module or on demand */ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) { @@ -227,9 +236,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init)) return 0; - CRYPTO_THREAD_read_lock(self_test_lock); + CRYPTO_THREAD_read_lock(fips_state_lock); loclstate = FIPS_state; - CRYPTO_THREAD_unlock(self_test_lock); + CRYPTO_THREAD_unlock(fips_state_lock); if (loclstate == FIPS_STATE_RUNNING) { if (!on_demand_test) @@ -240,17 +249,23 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) } CRYPTO_THREAD_write_lock(self_test_lock); + CRYPTO_THREAD_read_lock(fips_state_lock); if (FIPS_state == FIPS_STATE_RUNNING) { + CRYPTO_THREAD_unlock(fips_state_lock); if (!on_demand_test) { CRYPTO_THREAD_unlock(self_test_lock); return 1; } - FIPS_state = FIPS_STATE_SELFTEST; + set_fips_state(FIPS_STATE_SELFTEST); } else if (FIPS_state != FIPS_STATE_SELFTEST) { + CRYPTO_THREAD_unlock(fips_state_lock); CRYPTO_THREAD_unlock(self_test_lock); ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE); return 0; + } else { + CRYPTO_THREAD_unlock(fips_state_lock); } + if (st == NULL || st->module_checksum_data == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); @@ -328,7 +343,7 @@ end: (*st->bio_free_cb)(bio_module); } if (ok) - FIPS_state = FIPS_STATE_RUNNING; + set_fips_state(FIPS_STATE_RUNNING); else ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE); CRYPTO_THREAD_unlock(self_test_lock); @@ -346,7 +361,7 @@ void ossl_set_error_state(const char *type) int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0); if (!cond_test || (FIPS_conditional_error_check == 1)) { - FIPS_state = FIPS_STATE_ERROR; + set_fips_state(FIPS_STATE_ERROR); ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE); } else { ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR); @@ -355,15 +370,20 @@ void ossl_set_error_state(const char *type) int ossl_prov_is_running(void) { - const int res = FIPS_state == FIPS_STATE_RUNNING - || FIPS_state == FIPS_STATE_SELFTEST; + int res; static unsigned int rate_limit = 0; - if (res) { - rate_limit = 0; - } else if (FIPS_state == FIPS_STATE_ERROR) { + if (!CRYPTO_THREAD_read_lock(fips_state_lock)) + return 0; + res = FIPS_state == FIPS_STATE_RUNNING + || FIPS_state == FIPS_STATE_SELFTEST; + if (FIPS_state == FIPS_STATE_ERROR) { + CRYPTO_THREAD_unlock(fips_state_lock); + if (!CRYPTO_THREAD_write_lock(fips_state_lock)) + return 0; if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT) ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE); } + CRYPTO_THREAD_unlock(fips_state_lock); return res; } diff --git a/test/recipes/90-test_threads.t b/test/recipes/90-test_threads.t index f46121a751..0410cd8007 100644 --- a/test/recipes/90-test_threads.t +++ b/test/recipes/90-test_threads.t @@ -8,7 +8,7 @@ use OpenSSL::Test::Simple; -use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file data_dir/; use OpenSSL::Test::Utils; use Cwd qw(abs_path); @@ -35,8 +35,8 @@ if (!$no_fips) { if ($no_fips) { $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default.cnf")); - ok(run(test(["threadstest"])), "running test_threads"); + ok(run(test(["threadstest", data_dir()])), "running test_threads"); } else { $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default-and-fips.cnf")); - ok(run(test(["threadstest", "-fips"])), "running test_threads"); + ok(run(test(["threadstest", "-fips", data_dir()])), "running test_threads"); } diff --git a/test/certs/serverkey.pem b/test/recipes/90-test_threads_data/rsakey.pem similarity index 100% copy from test/certs/serverkey.pem copy to test/recipes/90-test_threads_data/rsakey.pem diff --git a/test/threadstest.c b/test/threadstest.c index 2b9afa7d47..9c8e2181d0 100644 --- a/test/threadstest.c +++ b/test/threadstest.c @@ -19,6 +19,7 @@ #include "testutil.h" static int do_fips = 0; +static char *privkey; #if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG) @@ -352,17 +353,66 @@ static void thread_multi_simple_fetch(void) multi_success = 0; } +static EVP_PKEY *shared_evp_pkey = NULL; + +static void thread_shared_evp_pkey(void) +{ + char *msg = "Hello World"; + unsigned char ctbuf[256]; + unsigned char ptbuf[256]; + size_t ptlen = sizeof(ptbuf), ctlen = sizeof(ctbuf); + EVP_PKEY_CTX *ctx = NULL; + int success = 0; + int i; + + for (i = 0; i < 1 + do_fips; i++) { + if (i > 0) + EVP_PKEY_CTX_free(ctx); + ctx = EVP_PKEY_CTX_new_from_pkey(multi_libctx, shared_evp_pkey, + i == 0 ? "provider=default" + : "provider=fips"); + if (!TEST_ptr(ctx)) + goto err; + + if (!TEST_int_ge(EVP_PKEY_encrypt_init(ctx), 0) + || !TEST_int_ge(EVP_PKEY_encrypt(ctx, ctbuf, &ctlen, + (unsigned char *)msg, strlen(msg)), + 0)) + goto err; + + EVP_PKEY_CTX_free(ctx); + ctx = EVP_PKEY_CTX_new_from_pkey(multi_libctx, shared_evp_pkey, NULL); + + if (!TEST_ptr(ctx)) + goto err; + + if (!TEST_int_ge(EVP_PKEY_decrypt_init(ctx), 0) + || !TEST_int_ge(EVP_PKEY_decrypt(ctx, ptbuf, &ptlen, ctbuf, ctlen), + 0) + || !TEST_mem_eq(msg, strlen(msg), ptbuf, ptlen)) + goto err; + } + + success = 1; + + err: + EVP_PKEY_CTX_free(ctx); + if (!success) + multi_success = 0; +} + /* * Do work in multiple worker threads at the same time. * Test 0: General worker, using the default provider * Test 1: General worker, using the fips provider * Test 2: Simple fetch worker + * Test 3: Worker using a shared EVP_PKEY */ static int test_multi(int idx) { thread_t thread1, thread2; int testresult = 0; - OSSL_PROVIDER *prov = NULL; + OSSL_PROVIDER *prov = NULL, *prov2 = NULL; void (*worker)(void); if (idx == 1 && !do_fips) @@ -384,6 +434,18 @@ static int test_multi(int idx) case 2: worker = thread_multi_simple_fetch; break; + case 3: + /* + * If available we have both the default and fips providers for this + * test + */ + if (do_fips + && !TEST_ptr(prov2 = OSSL_PROVIDER_load(multi_libctx, "fips"))) + goto err; + if (!TEST_ptr(shared_evp_pkey = load_pkey_pem(privkey, multi_libctx))) + goto err; + worker = thread_shared_evp_pkey; + break; default: TEST_error("Invalid test index"); goto err; @@ -404,7 +466,10 @@ static int test_multi(int idx) err: OSSL_PROVIDER_unload(prov); + OSSL_PROVIDER_unload(prov2); OSSL_LIB_CTX_free(multi_libctx); + EVP_PKEY_free(shared_evp_pkey); + shared_evp_pkey = NULL; return testresult; } @@ -428,6 +493,7 @@ const OPTIONS *test_get_options(void) int setup_tests(void) { OPTION_CHOICE o; + char *datadir; while ((o = opt_next()) != OPT_EOF) { switch (o) { @@ -441,10 +507,22 @@ int setup_tests(void) } } + if (!TEST_ptr(datadir = test_get_argument(0))) + return 0; + + privkey = test_mk_file_path(datadir, "rsakey.pem"); + if (!TEST_ptr(privkey)) + return 0; + ADD_TEST(test_lock); ADD_TEST(test_once); ADD_TEST(test_thread_local); ADD_TEST(test_atomic); - ADD_ALL_TESTS(test_multi, 3); + ADD_ALL_TESTS(test_multi, 4); return 1; } + +void cleanup_tests(void) +{ + OPENSSL_free(privkey); +} From matthias.st.pierre at ncp-e.com Tue Feb 2 15:46:01 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Tue, 02 Feb 2021 15:46:01 +0000 Subject: [openssl] master update Message-ID: <1612280761.100585.9608.nullmailer@dev.openssl.org> The branch master has been updated via af403db090ee66715e81f0062d1ef614e8d921b5 (commit) from f94a91698b82a1986b553a1f46e4cd51219d0223 (commit) - Log ----------------------------------------------------------------- commit af403db090ee66715e81f0062d1ef614e8d921b5 Author: Dr. Matthias St. Pierre Date: Sun Jan 31 22:08:33 2021 +0100 Add some missing committers to the AUTHORS list Fixes #13815 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14029) ----------------------------------------------------------------------- Summary of changes: AUTHORS.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/AUTHORS.md b/AUTHORS.md index af72f43b08..dc6b534b82 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -22,6 +22,8 @@ Individuals * Bernd Edlinger * Bodo M?ller * David Benjamin + * David von Oheimb + * Dmitry Belyavskiy (??????? ?????????) * Emilia K?sper * Eric Young * Geoff Thorpe @@ -31,14 +33,19 @@ Individuals * Mark J. Cox * Matt Caswell * Matthias St. Pierre + * Nicola Tuveri * Nils Larsch + * Patrick Steuer * Paul Dale * Paul C. Sutton + * Paul Yang * Ralf S. Engelschall * Rich Salz * Richard Levitte + * Shane Lontis * Stephen Henson * Steve Marquess * Tim Hudson + * Tom?? Mr?z * Ulf M?ller * Viktor Dukhovni From tmraz at fedoraproject.org Tue Feb 2 15:50:50 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Tue, 02 Feb 2021 15:50:50 +0000 Subject: [openssl] master update Message-ID: <1612281050.667558.11175.nullmailer@dev.openssl.org> The branch master has been updated via 6a1a6498ac4ecfb95331e30fc52d6e25cafbba43 (commit) from af403db090ee66715e81f0062d1ef614e8d921b5 (commit) - Log ----------------------------------------------------------------- commit 6a1a6498ac4ecfb95331e30fc52d6e25cafbba43 Author: Tomas Mraz Date: Mon Jan 25 19:12:43 2021 +0100 dh_cms_set_peerkey: Pad the public key to p size Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13958) ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_dh.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c index 52bce12c73..e55b4a062f 100644 --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c @@ -48,7 +48,11 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx, if ((public_key = d2i_ASN1_INTEGER(NULL, &p, plen)) == NULL) goto err; - plen = ASN1_STRING_length((ASN1_STRING *)public_key); + /* + * Pad to full p parameter size as that is checked by + * EVP_PKEY_set1_encoded_public_key() + */ + plen = EVP_PKEY_size(pk); if ((bnpub = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) goto err; if ((buf = OPENSSL_malloc(plen)) == NULL) From matthias.st.pierre at ncp-e.com Tue Feb 2 15:50:59 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Tue, 02 Feb 2021 15:50:59 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1612281059.248130.12043.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 2d8109f5f8205ac247630f397582727b9682be38 (commit) from c2fc1115eac53d2043e09bfa43ac5407f87fe417 (commit) - Log ----------------------------------------------------------------- commit 2d8109f5f8205ac247630f397582727b9682be38 Author: Dr. Matthias St. Pierre Date: Sun Jan 31 22:08:33 2021 +0100 Add some missing committers to the AUTHORS list Fixes #13815 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14029) (cherry picked from commit af403db090ee66715e81f0062d1ef614e8d921b5) ----------------------------------------------------------------------- Summary of changes: AUTHORS | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/AUTHORS b/AUTHORS index ac93b2e7b9..dac46f8b7e 100644 --- a/AUTHORS +++ b/AUTHORS @@ -13,6 +13,8 @@ Ben Kaduk Bernd Edlinger Bodo M?ller David Benjamin +David von Oheimb +Dmitry Belyavskiy (??????? ?????????) Emilia K?sper Eric Young Geoff Thorpe @@ -22,14 +24,19 @@ Lutz J?nicke Mark J. Cox Matt Caswell Matthias St. Pierre +Nicola Tuveri Nils Larsch +Patrick Steuer Paul Dale Paul C. Sutton +Paul Yang Ralf S. Engelschall Rich Salz Richard Levitte +Shane Lontis Stephen Henson Steve Marquess Tim Hudson +Tom?? Mr?z Ulf M?ller Viktor Dukhovni From no-reply at appveyor.com Tue Feb 2 20:27:47 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 02 Feb 2021 20:27:47 +0000 Subject: Build failed: openssl master.39541 Message-ID: <20210202202747.1.84A6B744FC2A07B6@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Feb 2 21:52:39 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 02 Feb 2021 21:52:39 +0000 Subject: Build failed: openssl master.39542 Message-ID: <20210202215239.1.AD9BDDBEF197FEF5@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Tue Feb 2 22:07:33 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 02 Feb 2021 22:07:33 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1612303653.239506.3552034.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80811CD2567F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3309: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80811CD2567F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/Lx8Yw_1ht6 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 802177FB137F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 802177FB137F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:937 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 802177FB137F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 802177FB137F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1418 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1496 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 802177FB137F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 802177FB137F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/Lx8Yw_1ht6 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3208, 1027 wallclock secs (14.27 usr 1.37 sys + 930.70 cusr 91.70 csys = 1038.04 CPU) Result: FAIL make[1]: *** [Makefile:3259: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3256: tests] Error 2 From openssl at openssl.org Wed Feb 3 00:33:18 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 03 Feb 2021 00:33:18 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1612312398.592183.3863324.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8021E565D47F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3309: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021E565D47F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/zy0avbUIu4 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C6B81E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C6B81E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:937 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C6B81E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C6B81E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1418 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1496 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C6B81E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C6B81E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/zy0avbUIu4 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3208, 892 wallclock secs (14.52 usr 1.26 sys + 793.93 cusr 93.60 csys = 903.31 CPU) Result: FAIL make[1]: *** [Makefile:3276: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3273: tests] Error 2 From tmraz at fedoraproject.org Wed Feb 3 09:20:58 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 03 Feb 2021 09:20:58 +0000 Subject: [openssl] master update Message-ID: <1612344058.458930.6454.nullmailer@dev.openssl.org> The branch master has been updated via 66194839fe9ae48cff51a4cdac25760a13b3868c (commit) from 6a1a6498ac4ecfb95331e30fc52d6e25cafbba43 (commit) - Log ----------------------------------------------------------------- commit 66194839fe9ae48cff51a4cdac25760a13b3868c Author: Tomas Mraz Date: Mon Feb 1 22:07:17 2021 +0100 Add diacritics to my name in CHANGES.md Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14044) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index c10593c327..6877e8ad94 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -33,7 +33,7 @@ OpenSSL 3.0 BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex(). - *Tomas Mraz* + *Tom?? Mr?z* * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(), OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(), @@ -116,7 +116,7 @@ OpenSSL 3.0 read or write an EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs. Or load an EVP_PKEY directly from EC data using EVP_PKEY_fromdata(). - *Shane Lontis, Paul Dale, Richard Levitte, and Tomas Mraz* + *Shane Lontis, Paul Dale, Richard Levitte, and Tom?? Mr?z* * Deprecated all the libcrypto and libssl error string loading functions: ERR_load_ASN1_strings(), ERR_load_ASYNC_strings(), @@ -312,7 +312,7 @@ OpenSSL 3.0 * Handshake now fails if Extended Master Secret extension is dropped on renegotiation. - *Tomas Mraz* + *Tom?? Mr?z* * Dropped interactive mode from the `openssl` program. From now on, running it without arguments is equivalent to `openssl help`. @@ -1015,7 +1015,7 @@ OpenSSL 3.0 * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys with explicit curve parameters (specifiedCurve) as required by RFC 5480. - *Tomas Mraz* + *Tom?? Mr?z* * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a encoded key @@ -1162,7 +1162,7 @@ OpenSSL 3.0 * Use SHA256 as the default digest for TS query in the `ts` app. - *Tomas Mraz* + *Tom?? Mr?z* * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898. This checks that the salt length is at least 128 bits, the derived key @@ -1471,7 +1471,7 @@ OpenSSL 1.1.1 * Certificates with explicit curve parameters are now disallowed in verification chains if the X509_V_FLAG_X509_STRICT flag is used. - *Tomas Mraz* + *Tom?? Mr?z* * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and @@ -1492,7 +1492,7 @@ OpenSSL 1.1.1 * Handshake now fails if Extended Master Secret extension is dropped on renegotiation. - *Tomas Mraz* + *Tom?? Mr?z* * The Oracle Developer Studio compiler will start reporting deprecated APIs @@ -1527,7 +1527,7 @@ OpenSSL 1.1.1 reporting the EOF via SSL_ERROR_SSL is kept on the current development branch and will be present in the 3.0 release. - *Tomas Mraz* + *Tom?? Mr?z* * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1 when primes for RSA keys are computed. @@ -2271,7 +2271,7 @@ OpenSSL 1.1.1 * Ignore the '-named_curve auto' value for compatibility of applications with OpenSSL 1.0.2. - *Tomas Mraz * + *Tom?? Mr?z * * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such From tmraz at fedoraproject.org Wed Feb 3 10:12:35 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 03 Feb 2021 10:12:35 +0000 Subject: [openssl] master update Message-ID: <1612347155.294424.15848.nullmailer@dev.openssl.org> The branch master has been updated via 1409b5f664f21a52d23d7b9d0e0f962e2bde2b9e (commit) from 66194839fe9ae48cff51a4cdac25760a13b3868c (commit) - Log ----------------------------------------------------------------- commit 1409b5f664f21a52d23d7b9d0e0f962e2bde2b9e Author: Rich Salz Date: Thu Jan 28 15:47:53 2021 -0500 Deprecate EVP_MD_CTX_{set_}update_fn() They are still used internally in legacy code. Also fixed up some minor things in EVP_DigestInit.pod Fixes: #14003 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14008) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 5 +++++ doc/man3/EVP_DigestInit.pod | 24 ++++++++++++++++-------- include/openssl/evp.h | 4 ++++ util/libcrypto.num | 4 ++-- 4 files changed, 27 insertions(+), 10 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 6877e8ad94..d80016560e 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -35,6 +35,11 @@ OpenSSL 3.0 *Tom?? Mr?z* + * Deprecate EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() + as they are not useful with non-deprecated functions. + + *Rich Salz* + * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(), OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(), diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 082f26370c..3a17243976 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -80,11 +80,6 @@ EVP_MD_do_all_provided int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx); int EVP_MD_CTX_type(const EVP_MD_CTX *ctx); void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); - int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, - const void *data, size_t count); - void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx, - int (*update)(EVP_MD_CTX *ctx, - const void *data, size_t count)); const EVP_MD *EVP_md_null(void); @@ -99,6 +94,17 @@ EVP_MD_do_all_provided void (*fn)(EVP_MD *mac, void *arg), void *arg); +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + + int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, + const void *data, size_t count); + + void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx, + int (*update)(EVP_MD_CTX *ctx, + const void *data, size_t count)); + =head1 DESCRIPTION The EVP digest routines are a high-level interface to message digests, @@ -325,7 +331,7 @@ should not be used after the EVP_MD_CTX is freed. =item EVP_MD_CTX_set_update_fn() Sets the update function for I to I. -This is the function that is called by EVP_DigestUpdate. If not set, the +This is the function that is called by EVP_DigestUpdate(). If not set, the update function from the B type specified at initialization is used. =item EVP_MD_CTX_update_fn() @@ -645,10 +651,12 @@ later, so now EVP_sha1() can be used with RSA and DSA. The EVP_dss1() function was removed in OpenSSL 1.1.0. -The EVP_MD_CTX_set_pkey_ctx() function was added in 1.1.1. +The EVP_MD_CTX_set_pkey_ctx() function was added in OpenSSL 1.1.1. The EVP_MD_fetch(), EVP_MD_free(), EVP_MD_up_ref(), EVP_MD_CTX_set_params() -and EVP_MD_CTX_get_params() functions were added in 3.0. +and EVP_MD_CTX_get_params() functions were added in OpenSSL 3.0. +The EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated +in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 3b967202da..f5e3592c30 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -533,11 +533,15 @@ int EVP_MD_block_size(const EVP_MD *md); unsigned long EVP_MD_flags(const EVP_MD *md); const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, const void *data, size_t count); +OSSL_DEPRECATEDIN_3_0 void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx, int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count)); +# endif # define EVP_MD_CTX_name(e) EVP_MD_name(EVP_MD_CTX_md(e)) # define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) # define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e)) diff --git a/util/libcrypto.num b/util/libcrypto.num index 77612218c7..cbba0768b1 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -2524,7 +2524,7 @@ EVP_PKEY_meth_new 2577 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_ RSA_padding_check_PKCS1_OAEP 2578 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 OCSP_SERVICELOC_it 2579 3_0_0 EXIST::FUNCTION:OCSP PKCS12_SAFEBAG_get_nid 2580 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_set_update_fn 2581 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_set_update_fn 2581 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 BIO_f_asn1 2582 3_0_0 EXIST::FUNCTION: BIO_dump 2583 3_0_0 EXIST::FUNCTION: ENGINE_load_ssl_client_cert 2584 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE @@ -3106,7 +3106,7 @@ IDEA_cfb64_encrypt 3170 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_ BN_mod_sub 3171 3_0_0 EXIST::FUNCTION: ASN1_NULL_new 3172 3_0_0 EXIST::FUNCTION: HMAC_Init 3173 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0 -EVP_MD_CTX_update_fn 3174 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_update_fn 3174 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_aes_128_ecb 3175 3_0_0 EXIST::FUNCTION: i2d_PKCS7_bio_stream 3176 3_0_0 EXIST::FUNCTION: i2a_ACCESS_DESCRIPTION 3178 3_0_0 EXIST::FUNCTION: From tmraz at fedoraproject.org Wed Feb 3 10:27:50 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 03 Feb 2021 10:27:50 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1612348070.326748.6702.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via dabea5447dc487983a50a40856f731db0db17a8e (commit) from 2d8109f5f8205ac247630f397582727b9682be38 (commit) - Log ----------------------------------------------------------------- commit dabea5447dc487983a50a40856f731db0db17a8e Author: Armin Fuerst Date: Fri Jan 29 19:16:14 2021 +0100 apps/ca: Properly handle certificate expiration times in do_updatedb Fixes #13944 + changed ASN1_UTCTIME to ASN1_TIME + removed all Y2K code from do_updatedb + changed compare to ASN1_TIME_compare Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14026) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 51 ++++++++++++++++++++------------------------------- 1 file changed, 20 insertions(+), 31 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 6c9b1e57bc..3346042aa8 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -2223,62 +2223,51 @@ static int get_certificate_status(const char *serial, CA_DB *db) static int do_updatedb(CA_DB *db) { - ASN1_UTCTIME *a_tm = NULL; + ASN1_TIME *a_tm = NULL; int i, cnt = 0; - int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ - char **rrow, *a_tm_s; + char **rrow; - a_tm = ASN1_UTCTIME_new(); + a_tm = ASN1_TIME_new(); if (a_tm == NULL) return -1; - /* get actual time and make a string */ + /* get actual time */ if (X509_gmtime_adj(a_tm, 0) == NULL) { - ASN1_UTCTIME_free(a_tm); + ASN1_TIME_free(a_tm); return -1; } - a_tm_s = app_malloc(a_tm->length + 1, "time string"); - - memcpy(a_tm_s, a_tm->data, a_tm->length); - a_tm_s[a_tm->length] = '\0'; - - if (strncmp(a_tm_s, "49", 2) <= 0) - a_y2k = 1; - else - a_y2k = 0; for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); if (rrow[DB_type][0] == DB_TYPE_VAL) { /* ignore entries that are not valid */ - if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) - db_y2k = 1; - else - db_y2k = 0; + ASN1_TIME *exp_date = NULL; - if (db_y2k == a_y2k) { - /* all on the same y2k side */ - if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { - rrow[DB_type][0] = DB_TYPE_EXP; - rrow[DB_type][1] = '\0'; - cnt++; + exp_date = ASN1_TIME_new(); + if (exp_date == NULL) { + ASN1_TIME_free(a_tm); + return -1; + } - BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); - } - } else if (db_y2k < a_y2k) { + if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) { + ASN1_TIME_free(a_tm); + ASN1_TIME_free(exp_date); + return -1; + } + + if (ASN1_TIME_compare(exp_date, a_tm) <= 0) { rrow[DB_type][0] = DB_TYPE_EXP; rrow[DB_type][1] = '\0'; cnt++; BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); } - + ASN1_TIME_free(exp_date); } } - ASN1_UTCTIME_free(a_tm); - OPENSSL_free(a_tm_s); + ASN1_TIME_free(a_tm); return cnt; } From tmraz at fedoraproject.org Wed Feb 3 10:29:14 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 03 Feb 2021 10:29:14 +0000 Subject: [openssl] master update Message-ID: <1612348154.507897.7826.nullmailer@dev.openssl.org> The branch master has been updated via 963a65bfb41562909d1800339f7b1e3cfc0a39bf (commit) from 1409b5f664f21a52d23d7b9d0e0f962e2bde2b9e (commit) - Log ----------------------------------------------------------------- commit 963a65bfb41562909d1800339f7b1e3cfc0a39bf Author: Armin Fuerst Date: Fri Jan 29 19:16:14 2021 +0100 apps/ca: Properly handle certificate expiration times in do_updatedb Fixes #13944 + changed ASN1_UTCTIME to ASN1_TIME + removed all Y2K code from do_updatedb + changed compare to ASN1_TIME_compare Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14026) (cherry picked from commit dabea5447dc487983a50a40856f731db0db17a8e) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 51 ++++++++++++++++++++------------------------------- 1 file changed, 20 insertions(+), 31 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 304e4a58ae..61e49336d0 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -2268,62 +2268,51 @@ static int get_certificate_status(const char *serial, CA_DB *db) static int do_updatedb(CA_DB *db) { - ASN1_UTCTIME *a_tm = NULL; + ASN1_TIME *a_tm = NULL; int i, cnt = 0; - int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ - char **rrow, *a_tm_s; + char **rrow; - a_tm = ASN1_UTCTIME_new(); + a_tm = ASN1_TIME_new(); if (a_tm == NULL) return -1; - /* get actual time and make a string */ + /* get actual time */ if (X509_gmtime_adj(a_tm, 0) == NULL) { - ASN1_UTCTIME_free(a_tm); + ASN1_TIME_free(a_tm); return -1; } - a_tm_s = app_malloc(a_tm->length + 1, "time string"); - - memcpy(a_tm_s, a_tm->data, a_tm->length); - a_tm_s[a_tm->length] = '\0'; - - if (strncmp(a_tm_s, "49", 2) <= 0) - a_y2k = 1; - else - a_y2k = 0; for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); if (rrow[DB_type][0] == DB_TYPE_VAL) { /* ignore entries that are not valid */ - if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) - db_y2k = 1; - else - db_y2k = 0; + ASN1_TIME *exp_date = NULL; - if (db_y2k == a_y2k) { - /* all on the same y2k side */ - if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { - rrow[DB_type][0] = DB_TYPE_EXP; - rrow[DB_type][1] = '\0'; - cnt++; + exp_date = ASN1_TIME_new(); + if (exp_date == NULL) { + ASN1_TIME_free(a_tm); + return -1; + } - BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); - } - } else if (db_y2k < a_y2k) { + if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) { + ASN1_TIME_free(a_tm); + ASN1_TIME_free(exp_date); + return -1; + } + + if (ASN1_TIME_compare(exp_date, a_tm) <= 0) { rrow[DB_type][0] = DB_TYPE_EXP; rrow[DB_type][1] = '\0'; cnt++; BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); } - + ASN1_TIME_free(exp_date); } } - ASN1_UTCTIME_free(a_tm); - OPENSSL_free(a_tm_s); + ASN1_TIME_free(a_tm); return cnt; } From tmraz at fedoraproject.org Wed Feb 3 11:09:54 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 03 Feb 2021 11:09:54 +0000 Subject: [openssl] master update Message-ID: <1612350594.796479.15017.nullmailer@dev.openssl.org> The branch master has been updated via 28e1904250183c25faad1744fead96f205559270 (commit) from 963a65bfb41562909d1800339f7b1e3cfc0a39bf (commit) - Log ----------------------------------------------------------------- commit 28e1904250183c25faad1744fead96f205559270 Author: Tomas Mraz Date: Mon Feb 1 15:15:43 2021 +0100 apps/ecparam: Avoid crash when parameters fail to load Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14043) ----------------------------------------------------------------------- Summary of changes: apps/ecparam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/ecparam.c b/apps/ecparam.c index 33b24781e3..762da3f2c9 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -238,7 +238,7 @@ int ecparam_main(int argc, char **argv) } } else { params_key = load_keyparams(infile, 1, "EC", "EC parameters"); - if (!EVP_PKEY_is_a(params_key, "EC")) + if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC")) goto end; if (point_format && !EVP_PKEY_set_utf8_string_param( From no-reply at appveyor.com Wed Feb 3 16:17:56 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 03 Feb 2021 16:17:56 +0000 Subject: Build completed: openssl master.39562 Message-ID: <20210203161756.1.AE1AB363D9806964@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Wed Feb 3 16:19:43 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 03 Feb 2021 16:19:43 +0000 Subject: [openssl] master update Message-ID: <1612369183.804122.30810.nullmailer@dev.openssl.org> The branch master has been updated via 8ce04db808dd1799a4051d938112b7d591fc5fc2 (commit) from 28e1904250183c25faad1744fead96f205559270 (commit) - Log ----------------------------------------------------------------- commit 8ce04db808dd1799a4051d938112b7d591fc5fc2 Author: Richard Levitte Date: Tue Feb 2 13:42:55 2021 +0100 CORE & PROV: clean away OSSL_FUNC_mac_size() There was a remaining function signature declaration, but no OSSL_DISPATCH number for it nor any way it's ever used. It did exist once, but was replaced with an OSSL_PARAM item to retrieve. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14048) ----------------------------------------------------------------------- Summary of changes: include/crypto/evp.h | 1 - include/openssl/core_dispatch.h | 1 - providers/implementations/macs/blake2_mac_impl.c | 16 +++++++--------- providers/implementations/macs/gmac_prov.c | 12 +++++------- providers/implementations/macs/hmac_prov.c | 2 -- providers/implementations/macs/kmac_prov.c | 15 +++++++-------- providers/implementations/macs/poly1305_prov.c | 2 -- providers/implementations/macs/siphash_prov.c | 3 +-- 8 files changed, 20 insertions(+), 32 deletions(-) diff --git a/include/crypto/evp.h b/include/crypto/evp.h index bed75f406c..8e86bb94df 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -196,7 +196,6 @@ struct evp_mac_st { OSSL_FUNC_mac_newctx_fn *newctx; OSSL_FUNC_mac_dupctx_fn *dupctx; OSSL_FUNC_mac_freectx_fn *freectx; - OSSL_FUNC_mac_size_fn *size; OSSL_FUNC_mac_init_fn *init; OSSL_FUNC_mac_update_fn *update; OSSL_FUNC_mac_final_fn *final; diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index bbd0429718..a8e9e52151 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -331,7 +331,6 @@ OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, cipher_gettable_ctx_params, OSSL_CORE_MAKE_FUNC(void *, mac_newctx, (void *provctx)) OSSL_CORE_MAKE_FUNC(void *, mac_dupctx, (void *src)) OSSL_CORE_MAKE_FUNC(void, mac_freectx, (void *mctx)) -OSSL_CORE_MAKE_FUNC(size_t, mac_size, (void *mctx)) OSSL_CORE_MAKE_FUNC(int, mac_init, (void *mctx)) OSSL_CORE_MAKE_FUNC(int, mac_update, (void *mctx, const unsigned char *in, size_t inl)) diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c index f7b6bd3e4f..542595efa1 100644 --- a/providers/implementations/macs/blake2_mac_impl.c +++ b/providers/implementations/macs/blake2_mac_impl.c @@ -39,8 +39,6 @@ struct blake2_mac_data_st { unsigned char key[BLAKE2_KEYBYTES]; }; -static size_t blake2_mac_size(void *vmacctx); - static void *blake2_mac_new(void *unused_provctx) { struct blake2_mac_data_st *macctx; @@ -82,6 +80,13 @@ static void blake2_mac_free(void *vmacctx) } } +static size_t blake2_mac_size(void *vmacctx) +{ + struct blake2_mac_data_st *macctx = vmacctx; + + return macctx->params.digest_length; +} + static int blake2_mac_init(void *vmacctx) { struct blake2_mac_data_st *macctx = vmacctx; @@ -214,13 +219,6 @@ static int blake2_mac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) return 1; } -static size_t blake2_mac_size(void *vmacctx) -{ - struct blake2_mac_data_st *macctx = vmacctx; - - return macctx->params.digest_length; -} - const OSSL_DISPATCH BLAKE2_FUNCTIONS[] = { { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))blake2_mac_new }, { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))blake2_mac_dup }, diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c index d9790dcd6c..fe4d2c3c8a 100644 --- a/providers/implementations/macs/gmac_prov.c +++ b/providers/implementations/macs/gmac_prov.c @@ -45,8 +45,6 @@ struct gmac_data_st { PROV_CIPHER cipher; }; -static size_t gmac_size(void); - static void gmac_free(void *vmacctx) { struct gmac_data_st *macctx = vmacctx; @@ -95,6 +93,11 @@ static void *gmac_dup(void *vsrc) return dst; } +static size_t gmac_size(void) +{ + return EVP_GCM_TLS_TAG_LEN; +} + static int gmac_init(void *vmacctx) { return ossl_prov_is_running(); @@ -141,11 +144,6 @@ static int gmac_final(void *vmacctx, unsigned char *out, size_t *outl, return 1; } -static size_t gmac_size(void) -{ - return EVP_GCM_TLS_TAG_LEN; -} - static const OSSL_PARAM known_gettable_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), OSSL_PARAM_END diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c index b5d3f110f4..993e36ae34 100644 --- a/providers/implementations/macs/hmac_prov.c +++ b/providers/implementations/macs/hmac_prov.c @@ -71,8 +71,6 @@ int ssl3_cbc_digest_record(const EVP_MD *md, const unsigned char *mac_secret, size_t mac_secret_length, char is_sslv3); -static size_t hmac_size(void *vmacctx); - static void *hmac_new(void *provctx) { struct hmac_data_st *macctx; diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index 940fe7eb3d..b9a6318e12 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c @@ -73,7 +73,6 @@ static OSSL_FUNC_mac_gettable_ctx_params_fn kmac_gettable_ctx_params; static OSSL_FUNC_mac_get_ctx_params_fn kmac_get_ctx_params; static OSSL_FUNC_mac_settable_ctx_params_fn kmac_settable_ctx_params; static OSSL_FUNC_mac_set_ctx_params_fn kmac_set_ctx_params; -static OSSL_FUNC_mac_size_fn kmac_size; static OSSL_FUNC_mac_init_fn kmac_init; static OSSL_FUNC_mac_update_fn kmac_update; static OSSL_FUNC_mac_final_fn kmac_final; @@ -235,6 +234,13 @@ static void *kmac_dup(void *vsrc) return dst; } +static size_t kmac_size(void *vmacctx) +{ + struct kmac_data_st *kctx = vmacctx; + + return kctx->out_len; +} + /* * The init() assumes that any ctrl methods are set beforehand for * md, key and custom. Setting the fields afterwards will have no @@ -278,13 +284,6 @@ static int kmac_init(void *vmacctx) && EVP_DigestUpdate(ctx, kctx->key, kctx->key_len); } -static size_t kmac_size(void *vmacctx) -{ - struct kmac_data_st *kctx = vmacctx; - - return kctx->out_len; -} - static int kmac_update(void *vmacctx, const unsigned char *data, size_t datalen) { diff --git a/providers/implementations/macs/poly1305_prov.c b/providers/implementations/macs/poly1305_prov.c index 1b248f141e..a3bc47253c 100644 --- a/providers/implementations/macs/poly1305_prov.c +++ b/providers/implementations/macs/poly1305_prov.c @@ -40,8 +40,6 @@ struct poly1305_data_st { POLY1305 poly1305; /* Poly1305 data */ }; -static size_t poly1305_size(void); - static void *poly1305_new(void *provctx) { struct poly1305_data_st *ctx; diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c index 01100b51d6..1a79ae0c6a 100644 --- a/providers/implementations/macs/siphash_prov.c +++ b/providers/implementations/macs/siphash_prov.c @@ -38,7 +38,6 @@ static OSSL_FUNC_mac_gettable_ctx_params_fn siphash_gettable_ctx_params; static OSSL_FUNC_mac_get_ctx_params_fn siphash_get_ctx_params; static OSSL_FUNC_mac_settable_ctx_params_fn siphash_settable_params; static OSSL_FUNC_mac_set_ctx_params_fn siphash_set_params; -static OSSL_FUNC_mac_size_fn siphash_size; static OSSL_FUNC_mac_init_fn siphash_init; static OSSL_FUNC_mac_update_fn siphash_update; static OSSL_FUNC_mac_final_fn siphash_final; @@ -94,7 +93,7 @@ static int siphash_init(void *vmacctx) } static int siphash_update(void *vmacctx, const unsigned char *data, - size_t datalen) + size_t datalen) { struct siphash_data_st *ctx = vmacctx; From levitte at openssl.org Wed Feb 3 16:21:59 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 03 Feb 2021 16:21:59 +0000 Subject: [openssl] master update Message-ID: <1612369319.811975.32292.nullmailer@dev.openssl.org> The branch master has been updated via 9db6af922c48c5cab5398ef9f37e425e382f9440 (commit) via 977e95b912138d02bae86d829a990d81c2bbcca0 (commit) via 60488d2434c5be15dc14e1fa2a8733f076d9ccf4 (commit) from 8ce04db808dd1799a4051d938112b7d591fc5fc2 (commit) - Log ----------------------------------------------------------------- commit 9db6af922c48c5cab5398ef9f37e425e382f9440 Author: Richard Levitte Date: Wed Jan 27 14:55:28 2021 +0100 EC: Reverse the default asn1_flag in a new EC_GROUP The default was OPENSSL_EC_NAMED_CURVE, but that's not true until a curve name has been set, so we change the initial value to OPENSSL_EC_EXPLICIT_CURVE and let EC_GROUP_set_curve_name() change it to OPENSSL_EC_NAMED_CURVE. Submitted by Matt Caswell Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13973) commit 977e95b912138d02bae86d829a990d81c2bbcca0 Author: Richard Levitte Date: Wed Jan 27 11:07:38 2021 +0100 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX It assumed there would always be a non-NULL ctx->pmeth, leading to a crash when that isn't the case. Since it needs to check 'keytype' when that one isn't -1, we also add a corresponding check for the provider backed EVP_PKEY_CTX case. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13973) commit 60488d2434c5be15dc14e1fa2a8733f076d9ccf4 Author: Richard Levitte Date: Tue Jan 26 17:01:15 2021 +0100 EVP: Don't find standard EVP_PKEY_METHODs automatically EVP_PKEY_meth_find() got called automatically any time a new EVP_PKEY_CTX allocator was called with some sort of key type data. Since we have now moved all our standard algorithms to our providers, this is no longer necessary. We do retain looking up EVP_PKEY_METHODs that are added by the calling application. Fixes #11424 Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13973) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ec_lib.c | 6 +++- crypto/evp/p_lib.c | 95 ++++++++++++++++++++++++++------------------------ crypto/evp/pmeth_lib.c | 60 ++++++++++++++++++++++++------- include/crypto/evp.h | 1 + 4 files changed, 104 insertions(+), 58 deletions(-) diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 325e11f9f1..71cb45ca19 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -63,7 +63,7 @@ EC_GROUP *ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, if (ret->cofactor == NULL) goto err; } - ret->asn1_flag = OPENSSL_EC_NAMED_CURVE; + ret->asn1_flag = OPENSSL_EC_EXPLICIT_CURVE; ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED; if (!meth->group_init(ret)) goto err; @@ -481,6 +481,10 @@ const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group) void EC_GROUP_set_curve_name(EC_GROUP *group, int nid) { group->curve_name = nid; + group->asn1_flag = + (nid != NID_undef) + ? OPENSSL_EC_NAMED_CURVE + : OPENSSL_EC_EXPLICIT_CURVE; } int EC_GROUP_get_curve_name(const EC_GROUP *group) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 21ce51d573..558f378168 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -906,53 +906,58 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey) } #ifndef FIPS_MODULE +/* + * These hard coded cases are pure hackery to get around the fact + * that names in crypto/objects/objects.txt are a mess. There is + * no "EC", and "RSA" leads to the NID for 2.5.8.1.1, an OID that's + * fallen out in favor of { pkcs-1 1 }, i.e. 1.2.840.113549.1.1.1, + * the NID of which is used for EVP_PKEY_RSA. Strangely enough, + * "DSA" is accurate... but still, better be safe and hard-code + * names that we know. + * On a similar topic, EVP_PKEY_type(EVP_PKEY_SM2) will result in + * EVP_PKEY_EC, because of aliasing. + * TODO Clean this away along with all other #legacy support. + */ +static const OSSL_ITEM standard_name2type[] = { + { EVP_PKEY_RSA, "RSA" }, + { EVP_PKEY_RSA_PSS, "RSA-PSS" }, + { EVP_PKEY_EC, "EC" }, + { EVP_PKEY_ED25519, "ED25519" }, + { EVP_PKEY_ED448, "ED448" }, + { EVP_PKEY_X25519, "X25519" }, + { EVP_PKEY_X448, "X448" }, + { EVP_PKEY_SM2, "SM2" }, + { EVP_PKEY_DH, "DH" }, + { EVP_PKEY_DHX, "X9.42 DH" }, + { EVP_PKEY_DHX, "DHX" }, + { EVP_PKEY_DSA, "DSA" }, +}; + int evp_pkey_name2type(const char *name) { - /* - * These hard coded cases are pure hackery to get around the fact - * that names in crypto/objects/objects.txt are a mess. There is - * no "EC", and "RSA" leads to the NID for 2.5.8.1.1, an OID that's - * fallen out in favor of { pkcs-1 1 }, i.e. 1.2.840.113549.1.1.1, - * the NID of which is used for EVP_PKEY_RSA. Strangely enough, - * "DSA" is accurate... but still, better be safe and hard-code - * names that we know. - * On a similar topic, EVP_PKEY_type(EVP_PKEY_SM2) will result in - * EVP_PKEY_EC, because of aliasing. - * TODO Clean this away along with all other #legacy support. - */ - int type = NID_undef; - - if (strcasecmp(name, "RSA") == 0) - type = EVP_PKEY_RSA; - else if (strcasecmp(name, "RSA-PSS") == 0) - type = EVP_PKEY_RSA_PSS; - else if (strcasecmp(name, "EC") == 0) - type = EVP_PKEY_EC; - else if (strcasecmp(name, "ED25519") == 0) - type = EVP_PKEY_ED25519; - else if (strcasecmp(name, "ED448") == 0) - type = EVP_PKEY_ED448; - else if (strcasecmp(name, "X25519") == 0) - type = EVP_PKEY_X25519; - else if (strcasecmp(name, "X448") == 0) - type = EVP_PKEY_X448; - else if (strcasecmp(name, "SM2") == 0) - type = EVP_PKEY_SM2; - else if (strcasecmp(name, "DH") == 0) - type = EVP_PKEY_DH; - else if (strcasecmp(name, "X9.42 DH") == 0) - type = EVP_PKEY_DHX; - else if (strcasecmp(name, "DHX") == 0) - type = EVP_PKEY_DHX; - else if (strcasecmp(name, "DSA") == 0) - type = EVP_PKEY_DSA; - - if (type == NID_undef) - type = EVP_PKEY_type(OBJ_sn2nid(name)); - if (type == NID_undef) - type = EVP_PKEY_type(OBJ_ln2nid(name)); - - return type; + int type; + size_t i; + + for (i = 0; i < OSSL_NELEM(standard_name2type); i++) { + if (strcasecmp(name, standard_name2type[i].ptr) == 0) + return (int)standard_name2type[i].id; + } + + if ((type = EVP_PKEY_type(OBJ_sn2nid(name))) != NID_undef) + return type; + return EVP_PKEY_type(OBJ_ln2nid(name)); +} + +const char *evp_pkey_type2name(int type) +{ + size_t i; + + for (i = 0; i < OSSL_NELEM(standard_name2type); i++) { + if (type == (int)standard_name2type[i].id) + return standard_name2type[i].ptr; + } + + return OBJ_nid2sn(type); } #endif diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 7fb32df86a..91d892ec34 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -88,22 +88,33 @@ static int pmeth_cmp(const EVP_PKEY_METHOD *const *a, return ((*a)->pkey_id - (*b)->pkey_id); } -const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type) +static const EVP_PKEY_METHOD *evp_pkey_meth_find_added_by_application(int type) { - pmeth_fn *ret; - EVP_PKEY_METHOD tmp; - const EVP_PKEY_METHOD *t = &tmp; - - tmp.pkey_id = type; - if (app_pkey_methods) { + if (app_pkey_methods != NULL) { int idx; + EVP_PKEY_METHOD tmp; + + tmp.pkey_id = type; idx = sk_EVP_PKEY_METHOD_find(app_pkey_methods, &tmp); if (idx >= 0) return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx); } + return NULL; +} + +const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type) +{ + pmeth_fn *ret; + EVP_PKEY_METHOD tmp; + const EVP_PKEY_METHOD *t; + + if ((t = evp_pkey_meth_find_added_by_application(type)) != NULL) + return t; + + tmp.pkey_id = type; + t = &tmp; ret = OBJ_bsearch_pmeth_func(&t, standard_methods, - sizeof(standard_methods) / - sizeof(pmeth_fn)); + OSSL_NELEM(standard_methods)); if (ret == NULL || *ret == NULL) return NULL; return (**ret)(); @@ -245,7 +256,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, pmeth = ENGINE_get_pkey_meth(e, id); else # endif - pmeth = EVP_PKEY_meth_find(id); + pmeth = evp_pkey_meth_find_added_by_application(id); /* END legacy */ #endif /* FIPS_MODULE */ @@ -1673,8 +1684,33 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx, int cmd, const char *name, const void *data, size_t data_len) { - if ((keytype != -1 && ctx->pmeth->pkey_id != keytype) - || ((optype != -1) && !(ctx->operation & optype))) { + if (keytype != -1) { + switch (evp_pkey_ctx_state(ctx)) { + case EVP_PKEY_STATE_PROVIDER: + if (ctx->keymgmt == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + if (!EVP_KEYMGMT_is_a(ctx->keymgmt, + evp_pkey_type2name(keytype))) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); + return -1; + } + break; + case EVP_PKEY_STATE_UNKNOWN: + case EVP_PKEY_STATE_LEGACY: + if (ctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + if (ctx->pmeth->pkey_id != keytype) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); + return -1; + } + break; + } + } + if (optype != -1 && (ctx->operation & optype) == 0) { ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); return -1; } diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 8e86bb94df..7b3c4bfd2f 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -827,6 +827,7 @@ int evp_pkey_ctx_get_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params); EVP_MD_CTX *evp_md_ctx_new_ex(EVP_PKEY *pkey, const ASN1_OCTET_STRING *id, OSSL_LIB_CTX *libctx, const char *propq); int evp_pkey_name2type(const char *name); +const char *evp_pkey_type2name(int type); int evp_pkey_ctx_set1_id_prov(EVP_PKEY_CTX *ctx, const void *id, int len); int evp_pkey_ctx_get1_id_prov(EVP_PKEY_CTX *ctx, void *id); From builds at travis-ci.com Wed Feb 3 17:22:14 2021 From: builds at travis-ci.com (Travis CI) Date: Wed, 03 Feb 2021 17:22:14 +0000 Subject: Errored: openssl/openssl#38805 (master - 172daa7) In-Reply-To: Message-ID: <601adbc5e016e_13ff5e2fb7684124094@travis-pro-tasks-585658c49c-nz49f.mail> Build Update for openssl/openssl ------------------------------------- Build: #38805 Status: Errored Duration: 1564 hrs, 57 mins, and 7 secs Commit: 172daa7 (master) Author: Richard Levitte Message: RSA: correct digestinfo_ripemd160_der[] A couple of numbers were incorrect. Fixes #13559 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/13562) View the changeset: https://github.com/openssl/openssl/compare/26217510d21c...172daa7fc7d8 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/205342930?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl at openssl.org Thu Feb 4 01:08:47 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 04 Feb 2021 01:08:47 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1612400927.475159.204104.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created Build log ended with (last 100 lines): ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13ccstest \ test/helpers/tls13ccstest-bin-ssltestlib.o \ test/tls13ccstest-bin-tls13ccstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13secretstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13secretstest \ crypto/tls13secretstest-bin-packet.o \ ssl/tls13secretstest-bin-tls13_enc.o \ test/tls13secretstest-bin-tls13secretstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/uitest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/uitest \ apps/lib/uitest-bin-apps_ui.o test/uitest-bin-uitest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread make[1]: Leaving directory '/home/openssl/run-checker/no-asm' $ make test make depend && make _tests make[1]: Entering directory '/home/openssl/run-checker/no-asm' make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make[1]: Entering directory '/home/openssl/run-checker/no-asm' ( SRCTOP=../openssl \ BLDTOP=. \ PERL="/usr/bin/perl" \ FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \ EXE_EXT= \ /usr/bin/perl ../openssl/test/run_tests.pl ) 01-test_abort.t .................... ok 01-test_sanity.t ................... ok 01-test_symbol_presence.t .......... ok 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t ...................... ok 04-test_hexstring.t ................ ok 04-test_param_build.t .............. ok 04-test_params.t ................... ok 04-test_params_conversion.t ........ ok 04-test_pem.t ...................... ok 04-test_pem_read_depr.t ............ ok 04-test_provider.t ................. ok 04-test_provider_fallback.t ........ ok 05-test_bf.t ....................... ok 05-test_cast.t ..................... ok 05-test_cmac.t ..................... ok 05-test_des.t ...................... ok 05-test_hmac.t ..................... ok 05-test_idea.t ..................... ok 05-test_rand.t ..................... ok 05-test_rc2.t ...................... ok 05-test_rc4.t ...................... ok 05-test_rc5.t ...................... skipped: rc5 is not supported by this OpenSSL build 06-test-rdrand.t ................... ok 10-test_bn.t ....................... ok 10-test_exp.t ...................... ok 15-test_dh.t ....................... ok 15-test_dsa.t ...................... ok 15-test_ec.t ....................... ok 15-test_ecdsa.t .................... ok make: *** [Makefile:3267: tests] Terminated make[1]: *** [Makefile:3270: _tests] Terminated From openssl at openssl.org Thu Feb 4 01:56:59 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 04 Feb 2021 01:56:59 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1612403819.285547.316172.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3072, 822 wallclock secs (13.49 usr 1.36 sys + 729.33 cusr 89.29 csys = 833.47 CPU) Result: FAIL make[1]: *** [Makefile:3271: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3268: tests] Error 2 From pauli at openssl.org Thu Feb 4 04:35:52 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 04 Feb 2021 04:35:52 +0000 Subject: [openssl] master update Message-ID: <1612413352.148239.26263.nullmailer@dev.openssl.org> The branch master has been updated via 8549b97214ce1b4ba61eae893c80d9b0ed7e35f0 (commit) from 9db6af922c48c5cab5398ef9f37e425e382f9440 (commit) - Log ----------------------------------------------------------------- commit 8549b97214ce1b4ba61eae893c80d9b0ed7e35f0 Author: Pauli Date: Wed Feb 3 17:47:38 2021 +1000 Fix a use after free issue when a provider context is being used and isn't cached Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14053) ----------------------------------------------------------------------- Summary of changes: crypto/evp/digest.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 46f4d201d9..e89b591978 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -25,12 +25,8 @@ void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) { - EVP_MD_free(ctx->fetched_digest); - ctx->fetched_digest = NULL; - ctx->reqdigest = NULL; - if (ctx->provctx != NULL) { - if (ctx->digest->freectx != NULL) + if (ctx->digest != NULL && ctx->digest->freectx != NULL) ctx->digest->freectx(ctx->provctx); ctx->provctx = NULL; EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); @@ -55,6 +51,11 @@ void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) ENGINE_finish(ctx->engine); ctx->engine = NULL; #endif + + /* Non legacy code, this has to be later than the ctx->digest cleaning */ + EVP_MD_free(ctx->fetched_digest); + ctx->fetched_digest = NULL; + ctx->reqdigest = NULL; } /* This call frees resources associated with the context */ From dev at ddvo.net Thu Feb 4 06:25:52 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 04 Feb 2021 06:25:52 +0000 Subject: [openssl] master update Message-ID: <1612419952.857670.20144.nullmailer@dev.openssl.org> The branch master has been updated via b91a13f429570512bfee290e8ec50096b0667e45 (commit) via c87bcdbde40eece72e81d8bf2c9219ce271d56e6 (commit) via 03da39a768467a4ce493502f20503079853282a3 (commit) via acfccbd5ee09e453ac5e8f39744540907b0cac2b (commit) from 8549b97214ce1b4ba61eae893c80d9b0ed7e35f0 (commit) - Log ----------------------------------------------------------------- commit b91a13f429570512bfee290e8ec50096b0667e45 Author: Dr. David von Oheimb Date: Wed Dec 2 09:05:22 2020 +0100 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13551) commit c87bcdbde40eece72e81d8bf2c9219ce271d56e6 Author: Dr. David von Oheimb Date: Fri Nov 27 10:08:31 2020 +0100 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic The HTTP-based tests are now in 80_test_cmp_http.t, to start a little earlier. This should decrease total test run time due to better parallelization. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13551) commit 03da39a768467a4ce493502f20503079853282a3 Author: Dr. David von Oheimb Date: Fri Nov 27 20:45:21 2020 +0100 apps/cmp.c: check and exit on engine load error Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13551) commit acfccbd5ee09e453ac5e8f39744540907b0cac2b Author: Dr. David von Oheimb Date: Fri Nov 27 14:09:22 2020 +0100 openssl.pod: Add documentation for using the loader_attic engine Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13551) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 7 +- doc/man1/openssl.pod | 6 + .../{81-test_cmp_cli.t => 80-test_cmp_http.t} | 81 ++---- .../Mock/12345.txt | 0 .../Mock/big_issuing.crt | 0 .../Mock/big_root.crt | 0 .../Mock/big_server.crt | 0 .../Mock/big_trusted.crt | 0 .../Mock/csr.pem | 0 .../Mock/empty.txt | 0 .../Mock/issuing.crt | 0 .../Mock/new.key | 0 .../Mock/new_pass_12345.key | 0 .../Mock/random.bin | Bin .../Mock/root.crt | 0 .../Mock/server.cnf | 0 .../Mock/server.crt | 0 .../Mock/server.key | 0 .../Mock/signer.crt | 0 .../Mock/signer.key | 0 .../Mock/signer.p12 | Bin .../Mock/signer_issuing.crt | 0 .../Mock/signer_only.crt | 0 .../Mock/signer_root.crt | 0 .../Mock/test.cnf | 0 .../Mock/trusted.crt | 0 .../Mock/wrong_csr.pem | 0 .../test_commands.csv | 0 .../test_connection.csv | 0 .../test_credentials.csv | 0 .../test_enrollment.csv | 0 .../test_verification.csv | 0 test/recipes/81-test_cmp_cli.t | 323 +++------------------ test/run_tests.pl | 5 +- 34 files changed, 69 insertions(+), 353 deletions(-) copy test/recipes/{81-test_cmp_cli.t => 80-test_cmp_http.t} (78%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/12345.txt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/big_issuing.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/big_root.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/big_server.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/big_trusted.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/csr.pem (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/empty.txt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/issuing.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/new.key (100%) mode change 100755 => 100644 rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/new_pass_12345.key (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/random.bin (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/root.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/server.cnf (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/server.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/server.key (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/signer.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/signer.key (100%) mode change 100755 => 100644 rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/signer.p12 (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/signer_issuing.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/signer_only.crt (100%) mode change 100755 => 100644 rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/signer_root.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/test.cnf (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/trusted.crt (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/Mock/wrong_csr.pem (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/test_commands.csv (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/test_connection.csv (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/test_credentials.csv (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/test_enrollment.csv (100%) rename test/recipes/{81-test_cmp_cli_data => 80-test_cmp_http_data}/test_verification.csv (100%) diff --git a/apps/cmp.c b/apps/cmp.c index 66c4b702d6..1dbd1f7339 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -2716,8 +2716,13 @@ int cmp_main(int argc, char **argv) if (opt_batch) set_base_ui_method(UI_null()); - if (opt_engine != NULL) + if (opt_engine != NULL) { engine = setup_engine_methods(opt_engine, 0 /* not: ENGINE_METHOD_ALL */, 0); + if (engine == NULL) { + CMP_err1("cannot load engine %s", opt_engine); + goto err; + } + } if (opt_port != NULL) { if (opt_use_mock_srv) { diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 16b7769ae3..3176c19eee 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -615,6 +615,12 @@ L. The engine will be used for key ids specified with B<-key> and similar options when an option like B<-keyform engine> is given. +A special case is the C engine, which +is meant just for internal OpenSSL testing purposes and +supports loading keys, parameters, certificates, and CRLs from files. +When this engine is used, files with such credentials are read via this engine. +Using the C schema is optional; a plain file (path) name will do. + =back Options specifying keys, like B<-key> and similar, can use the generic diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/80-test_cmp_http.t similarity index 78% copy from test/recipes/81-test_cmp_cli.t copy to test/recipes/80-test_cmp_http.t index 2a89093446..1dc76e5fd3 100644 --- a/test/recipes/81-test_cmp_cli.t +++ b/test/recipes/80-test_cmp_http.t @@ -12,14 +12,11 @@ use strict; use warnings; use POSIX; -use File::Spec::Functions qw/catfile/; -use File::Compare qw/compare_text/; -use OpenSSL::Test qw/:DEFAULT with data_file data_dir srctop_dir bldtop_dir result_dir result_file/; +use OpenSSL::Test qw/:DEFAULT with data_file data_dir srctop_dir bldtop_dir result_dir/; use OpenSSL::Test::Utils; -use Data::Dumper; # for debugging purposes only BEGIN { - setup("test_cmp_cli"); + setup("test_cmp_http"); } use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); @@ -32,16 +29,16 @@ plan skip_all => "These tests are not supported in a no-cmp build" plan skip_all => "These tests are not supported in a no-ec build" if disabled("ec"); -plan skip_all => "Tests involving CMP server not available on Windows or VMS" +plan skip_all => "Tests involving local HTTP server not available on Windows or VMS" if $^O =~ /^(VMS|MSWin32)$/; -plan skip_all => "Tests involving CMP server not available in cross-compile builds" +plan skip_all => "Tests involving local HTTP server not available in cross-compile builds" if defined $ENV{EXE_SHELL}; -plan skip_all => "Tests involving CMP server require 'kill' command" +plan skip_all => "Tests involving local HTTP server require 'kill' command" if system("which kill"); -plan skip_all => "Tests involving CMP server require 'lsof' command" +plan skip_all => "Tests involving local HTTP server require 'lsof' command" if system("which lsof"); # this typically excludes Solaris -sub chop_dblquot { # chop any leading & trailing '"' (needed for Windows) +sub chop_dblquot { # chop any leading and trailing '"' (needed for Windows) my $str = shift; $str =~ s/^\"(.*?)\"$/$1/; return $str; @@ -54,41 +51,6 @@ my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY}; my $app = "apps/openssl cmp"; -my @cmp_basic_tests = ( - [ "show help", [ "-config", '""', "-help" ], 0 ], - [ "CLI option not starting with '-'", [ "-config", '""', "days", "1" ], 1 ], - [ "unknown CLI option", [ "-config", '""', "-dayss" ], 1 ], - [ "bad int syntax: non-digit", [ "-config", '""', "-days", "a/" ], 1 ], - [ "bad int syntax: float", [ "-config", '""', "-days", "3.14" ], 1 ], - [ "bad int syntax: trailing garbage", [ "-config", '""', "-days", "314_+" ], 1 ], - [ "bad int: out of range", [ "-config", '""', "-days", "2147483648" ], 1 ], -); - -# this uses the mock server directly in the cmp app, without TCP -sub use_mock_srv_internally -{ - my $secret = "pass:test"; - my $rsp_cert = "signer_only.crt"; - my $outfile = result_file("test.certout.pem"); - ok(run(cmd([bldtop_dir($app), - "-config", '""', - "-use_mock_srv", "-srv_ref", "mock server", - "-srv_cert", "server.crt", # used for setting sender - "-srv_secret", $secret, - "-poll_count", "1", - "-rsp_cert", $rsp_cert, - "-cmd", "cr", - "-subject", "/CN=any", - "-newkey", "signer.key", - "-recipient", "/O=openssl_cmp", # if given must be consistent with sender - "-secret", $secret, - "-ref", "client under test", - "-certout", $outfile])) - && compare_text($outfile, $rsp_cert) == 0, - "CMP app with -use_mock_srv and -poll_count 1"); - # not unlinking $outfile -} - # the CMP server configuration consists of: my $ca_dn; # The CA's Distinguished Name my $server_dn; # The server's Distinguished Name @@ -155,12 +117,12 @@ my @all_aspects = ("connection", "verification", "credentials", "commands", "enr # set env variable, e.g., OPENSSL_CMP_ASPECTS="commands enrollment" to select specific aspects my $faillog; -if ($ENV{HARNESS_FAILLOG}) { - my $file = $ENV{HARNESS_FAILLOG}; +my $file = $ENV{HARNESS_FAILLOG}; # pathname relative to result_dir +if ($file) { open($faillog, ">", $file) or die "Cannot open $file for writing: $!"; } -sub test_cmp_cli { +sub test_cmp_http { my $server_name = shift; my $aspect = shift; my $n = shift; @@ -184,7 +146,7 @@ sub test_cmp_cli { $title); }); } -sub test_cmp_cli_aspect { +sub test_cmp_http_aspect { my $server_name = shift; my $aspect = shift; my $tests = shift; @@ -193,10 +155,8 @@ sub test_cmp_cli_aspect { plan tests => $n; my $i = 1; foreach (@$tests) { - SKIP: { - test_cmp_cli($server_name, $aspect, $n, $i++, $$_[0], $$_[1], $$_[2]); - sleep($sleep); - } + test_cmp_http($server_name, $aspect, $n, $i++, $$_[0], $$_[1], $$_[2]); + sleep($sleep); } }; # not unlinking test.certout*.pem, test.cacerts.pem, and test.extracerts.pem @@ -209,23 +169,16 @@ sub test_cmp_cli_aspect { # Moreover the tests use much greater variety of input files than output files. # Therefore we chose the current directory as a subdirectory of $SRCTOP and it # was simpler to prepend the output file names by BLDTOP than doing the tests -# from $BLDTOP/test-runs/test_cmp_cli and prepending the input files by SRCTOP. +# from $BLDTOP/test-runs/test_cmp_http and prepending the input files by SRCTOP. indir data_dir() => sub { - plan tests => 1 + @server_configurations * @all_aspects + plan tests => @server_configurations * @all_aspects + (grep(/^Mock$/, @server_configurations) - && grep(/^certstatus$/, @all_aspects) ? 0 : 1); - - test_cmp_cli_aspect("basic", "options", \@cmp_basic_tests); - - indir "Mock" => sub { - use_mock_srv_internally(); - }; + && grep(/^certstatus$/, @all_aspects)); foreach my $server_name (@server_configurations) { $server_name = chop_dblquot($server_name); load_config($server_name, $server_name); - SKIP: { my $pid; if ($server_name eq "Mock") { @@ -241,7 +194,7 @@ indir data_dir() => sub { load_config($server_name, $aspect); # update with any aspect-specific settings indir $server_name => sub { my $tests = load_tests($server_name, $aspect); - test_cmp_cli_aspect($server_name, $aspect, $tests); + test_cmp_http_aspect($server_name, $aspect, $tests); }; }; stop_mock_server($pid) if $pid; diff --git a/test/recipes/81-test_cmp_cli_data/Mock/12345.txt b/test/recipes/80-test_cmp_http_data/Mock/12345.txt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/12345.txt rename to test/recipes/80-test_cmp_http_data/Mock/12345.txt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/big_issuing.crt b/test/recipes/80-test_cmp_http_data/Mock/big_issuing.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/big_issuing.crt rename to test/recipes/80-test_cmp_http_data/Mock/big_issuing.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/big_root.crt b/test/recipes/80-test_cmp_http_data/Mock/big_root.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/big_root.crt rename to test/recipes/80-test_cmp_http_data/Mock/big_root.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/big_server.crt b/test/recipes/80-test_cmp_http_data/Mock/big_server.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/big_server.crt rename to test/recipes/80-test_cmp_http_data/Mock/big_server.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/big_trusted.crt b/test/recipes/80-test_cmp_http_data/Mock/big_trusted.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/big_trusted.crt rename to test/recipes/80-test_cmp_http_data/Mock/big_trusted.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/csr.pem b/test/recipes/80-test_cmp_http_data/Mock/csr.pem similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/csr.pem rename to test/recipes/80-test_cmp_http_data/Mock/csr.pem diff --git a/test/recipes/81-test_cmp_cli_data/Mock/empty.txt b/test/recipes/80-test_cmp_http_data/Mock/empty.txt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/empty.txt rename to test/recipes/80-test_cmp_http_data/Mock/empty.txt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/issuing.crt b/test/recipes/80-test_cmp_http_data/Mock/issuing.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/issuing.crt rename to test/recipes/80-test_cmp_http_data/Mock/issuing.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/new.key b/test/recipes/80-test_cmp_http_data/Mock/new.key old mode 100755 new mode 100644 similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/new.key rename to test/recipes/80-test_cmp_http_data/Mock/new.key diff --git a/test/recipes/81-test_cmp_cli_data/Mock/new_pass_12345.key b/test/recipes/80-test_cmp_http_data/Mock/new_pass_12345.key similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/new_pass_12345.key rename to test/recipes/80-test_cmp_http_data/Mock/new_pass_12345.key diff --git a/test/recipes/81-test_cmp_cli_data/Mock/random.bin b/test/recipes/80-test_cmp_http_data/Mock/random.bin similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/random.bin rename to test/recipes/80-test_cmp_http_data/Mock/random.bin diff --git a/test/recipes/81-test_cmp_cli_data/Mock/root.crt b/test/recipes/80-test_cmp_http_data/Mock/root.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/root.crt rename to test/recipes/80-test_cmp_http_data/Mock/root.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/server.cnf b/test/recipes/80-test_cmp_http_data/Mock/server.cnf similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/server.cnf rename to test/recipes/80-test_cmp_http_data/Mock/server.cnf diff --git a/test/recipes/81-test_cmp_cli_data/Mock/server.crt b/test/recipes/80-test_cmp_http_data/Mock/server.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/server.crt rename to test/recipes/80-test_cmp_http_data/Mock/server.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/server.key b/test/recipes/80-test_cmp_http_data/Mock/server.key similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/server.key rename to test/recipes/80-test_cmp_http_data/Mock/server.key diff --git a/test/recipes/81-test_cmp_cli_data/Mock/signer.crt b/test/recipes/80-test_cmp_http_data/Mock/signer.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/signer.crt rename to test/recipes/80-test_cmp_http_data/Mock/signer.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/signer.key b/test/recipes/80-test_cmp_http_data/Mock/signer.key old mode 100755 new mode 100644 similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/signer.key rename to test/recipes/80-test_cmp_http_data/Mock/signer.key diff --git a/test/recipes/81-test_cmp_cli_data/Mock/signer.p12 b/test/recipes/80-test_cmp_http_data/Mock/signer.p12 similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/signer.p12 rename to test/recipes/80-test_cmp_http_data/Mock/signer.p12 diff --git a/test/recipes/81-test_cmp_cli_data/Mock/signer_issuing.crt b/test/recipes/80-test_cmp_http_data/Mock/signer_issuing.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/signer_issuing.crt rename to test/recipes/80-test_cmp_http_data/Mock/signer_issuing.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/signer_only.crt b/test/recipes/80-test_cmp_http_data/Mock/signer_only.crt old mode 100755 new mode 100644 similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/signer_only.crt rename to test/recipes/80-test_cmp_http_data/Mock/signer_only.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/signer_root.crt b/test/recipes/80-test_cmp_http_data/Mock/signer_root.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/signer_root.crt rename to test/recipes/80-test_cmp_http_data/Mock/signer_root.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/test.cnf b/test/recipes/80-test_cmp_http_data/Mock/test.cnf similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/test.cnf rename to test/recipes/80-test_cmp_http_data/Mock/test.cnf diff --git a/test/recipes/81-test_cmp_cli_data/Mock/trusted.crt b/test/recipes/80-test_cmp_http_data/Mock/trusted.crt similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/trusted.crt rename to test/recipes/80-test_cmp_http_data/Mock/trusted.crt diff --git a/test/recipes/81-test_cmp_cli_data/Mock/wrong_csr.pem b/test/recipes/80-test_cmp_http_data/Mock/wrong_csr.pem similarity index 100% rename from test/recipes/81-test_cmp_cli_data/Mock/wrong_csr.pem rename to test/recipes/80-test_cmp_http_data/Mock/wrong_csr.pem diff --git a/test/recipes/81-test_cmp_cli_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv similarity index 100% rename from test/recipes/81-test_cmp_cli_data/test_commands.csv rename to test/recipes/80-test_cmp_http_data/test_commands.csv diff --git a/test/recipes/81-test_cmp_cli_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv similarity index 100% rename from test/recipes/81-test_cmp_cli_data/test_connection.csv rename to test/recipes/80-test_cmp_http_data/test_connection.csv diff --git a/test/recipes/81-test_cmp_cli_data/test_credentials.csv b/test/recipes/80-test_cmp_http_data/test_credentials.csv similarity index 100% rename from test/recipes/81-test_cmp_cli_data/test_credentials.csv rename to test/recipes/80-test_cmp_http_data/test_credentials.csv diff --git a/test/recipes/81-test_cmp_cli_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv similarity index 100% rename from test/recipes/81-test_cmp_cli_data/test_enrollment.csv rename to test/recipes/80-test_cmp_http_data/test_enrollment.csv diff --git a/test/recipes/81-test_cmp_cli_data/test_verification.csv b/test/recipes/80-test_cmp_http_data/test_verification.csv similarity index 100% rename from test/recipes/81-test_cmp_cli_data/test_verification.csv rename to test/recipes/80-test_cmp_http_data/test_verification.csv diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t index 2a89093446..667cd55236 100644 --- a/test/recipes/81-test_cmp_cli.t +++ b/test/recipes/81-test_cmp_cli.t @@ -12,11 +12,9 @@ use strict; use warnings; use POSIX; -use File::Spec::Functions qw/catfile/; use File::Compare qw/compare_text/; -use OpenSSL::Test qw/:DEFAULT with data_file data_dir srctop_dir bldtop_dir result_dir result_file/; +use OpenSSL::Test qw/:DEFAULT with srctop_file srctop_dir bldtop_dir result_file/; use OpenSSL::Test::Utils; -use Data::Dumper; # for debugging purposes only BEGIN { setup("test_cmp_cli"); @@ -29,303 +27,56 @@ plan skip_all => "These tests are not supported in a fuzz build" plan skip_all => "These tests are not supported in a no-cmp build" if disabled("cmp"); -plan skip_all => "These tests are not supported in a no-ec build" - if disabled("ec"); -plan skip_all => "Tests involving CMP server not available on Windows or VMS" - if $^O =~ /^(VMS|MSWin32)$/; -plan skip_all => "Tests involving CMP server not available in cross-compile builds" - if defined $ENV{EXE_SHELL}; -plan skip_all => "Tests involving CMP server require 'kill' command" - if system("which kill"); -plan skip_all => "Tests involving CMP server require 'lsof' command" - if system("which lsof"); # this typically excludes Solaris - -sub chop_dblquot { # chop any leading & trailing '"' (needed for Windows) - my $str = shift; - $str =~ s/^\"(.*?)\"$/$1/; - return $str; -} - -my $proxy = ""; -$proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // $proxy); -$proxy =~ s{^https?://}{}i; -my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY}; - -my $app = "apps/openssl cmp"; +my $app = bldtop_dir("apps/openssl cmp"); my @cmp_basic_tests = ( - [ "show help", [ "-config", '""', "-help" ], 0 ], - [ "CLI option not starting with '-'", [ "-config", '""', "days", "1" ], 1 ], - [ "unknown CLI option", [ "-config", '""', "-dayss" ], 1 ], - [ "bad int syntax: non-digit", [ "-config", '""', "-days", "a/" ], 1 ], - [ "bad int syntax: float", [ "-config", '""', "-days", "3.14" ], 1 ], - [ "bad int syntax: trailing garbage", [ "-config", '""', "-days", "314_+" ], 1 ], - [ "bad int: out of range", [ "-config", '""', "-days", "2147483648" ], 1 ], -); + [ "show help", [ "-help" ], 1 ], + [ "CLI option not starting with '-'", [ "days", "1" ], 0 ], + [ "unknown CLI option", [ "-dayss" ], 0 ], + [ "bad int syntax: non-digit", [ "-days", "a/" ], 0 ], + [ "bad int syntax: float", [ "-days", "3.14" ], 0 ], + [ "bad int syntax: trailing garbage", [ "-days", "314_+" ], 0 ], + [ "bad int: out of range", [ "-days", "2147483648" ], 0 ], + ); + +my @cmp_server_tests = ( + [ "with polling", [ "-poll_count", "1" ], 1 ], + [ "with loader_attic engine", [ "-engine", "loader_attic"], + !disabled('dynamic-engine') && + !disabled("deprecated-3.0") ] + ); + +plan tests => @cmp_basic_tests + @cmp_server_tests; + +foreach (@cmp_basic_tests) { + my $title = $$_[0]; + my $params = $$_[1]; + my $expected = $$_[2]; + ok($expected == run(cmd([$app, "-config", '""', @$params])), + $title); +} -# this uses the mock server directly in the cmp app, without TCP -sub use_mock_srv_internally -{ +# these use the mock server directly in the cmp app, without TCP +foreach (@cmp_server_tests) { + my $title = $$_[0]; + my $extra_args = $$_[1]; + my $expected = $$_[2]; my $secret = "pass:test"; - my $rsp_cert = "signer_only.crt"; + my $rsp_cert = srctop_file('test', 'certs', 'ee-cert-1024.pem'); my $outfile = result_file("test.certout.pem"); - ok(run(cmd([bldtop_dir($app), - "-config", '""', + ok($expected == + run(cmd([$app, "-config", '""', @$extra_args, "-use_mock_srv", "-srv_ref", "mock server", - "-srv_cert", "server.crt", # used for setting sender "-srv_secret", $secret, - "-poll_count", "1", "-rsp_cert", $rsp_cert, "-cmd", "cr", "-subject", "/CN=any", - "-newkey", "signer.key", - "-recipient", "/O=openssl_cmp", # if given must be consistent with sender + "-newkey", srctop_file('test', 'certs', 'ee-key-1024.pem'), "-secret", $secret, "-ref", "client under test", "-certout", $outfile])) && compare_text($outfile, $rsp_cert) == 0, - "CMP app with -use_mock_srv and -poll_count 1"); + $title); # not unlinking $outfile } - -# the CMP server configuration consists of: -my $ca_dn; # The CA's Distinguished Name -my $server_dn; # The server's Distinguished Name -my $server_host;# The server's host name or IP address -my $server_port;# The server's port -my $server_tls; # The server's TLS port, if any, or 0 -my $server_path;# The server's CMP alias -my $server_cert;# The server's cert -my $kur_port; # The server's port for kur (cert update) -my $pbm_port; # The server port to be used for PBM -my $pbm_ref; # The reference for PBM -my $pbm_secret; # The secret for PBM -my $column; # The column number of the expected result -my $sleep = 0; # The time to sleep between two requests - -# The local $server_name variables below are among others taken as the name of a -# sub-directory with server-specific certs etc. and CA-specific config section. - -sub load_config { - my $server_name = shift; - my $section = shift; - my $test_config = $ENV{OPENSSL_CMP_CONFIG} // "$server_name/test.cnf"; - open (CH, $test_config) or die "Cannot open $test_config: $!"; - my $active = 0; - while () { - if (m/\[\s*$section\s*\]/) { - $active = 1; - } elsif (m/\[\s*.*?\s*\]/) { - $active = 0; - } elsif ($active) { - $ca_dn = $1 eq "" ? '""""' : $1 if m/^\s*ca_dn\s*=\s*(.*)?\s*$/; - $server_dn = $1 eq "" ? '""""' : $1 if m/^\s*server_dn\s*=\s*(.*)?\s*$/; - $server_host = $1 eq "" ? '""""' : $1 if m/^\s*server_host\s*=\s*(\S*)?\s*(\#.*)?$/; - $server_port = $1 eq "" ? '""""' : $1 if m/^\s*server_port\s*=\s*(.*)?\s*$/; - $server_tls = $1 eq "" ? '""""' : $1 if m/^\s*server_tls\s*=\s*(.*)?\s*$/; - $server_path = $1 eq "" ? '""""' : $1 if m/^\s*server_path\s*=\s*(.*)?\s*$/; - $server_cert = $1 eq "" ? '""""' : $1 if m/^\s*server_cert\s*=\s*(.*)?\s*$/; - $kur_port = $1 eq "" ? '""""' : $1 if m/^\s*kur_port\s*=\s*(.*)?\s*$/; - $pbm_port = $1 eq "" ? '""""' : $1 if m/^\s*pbm_port\s*=\s*(.*)?\s*$/; - $pbm_ref = $1 eq "" ? '""""' : $1 if m/^\s*pbm_ref\s*=\s*(.*)?\s*$/; - $pbm_secret = $1 eq "" ? '""""' : $1 if m/^\s*pbm_secret\s*=\s*(.*)?\s*$/; - $column = $1 eq "" ? '""""' : $1 if m/^\s*column\s*=\s*(.*)?\s*$/; - $sleep = $1 eq "" ? '""""' : $1 if m/^\s*sleep\s*=\s*(.*)?\s*$/; - } - } - close CH; - die "Cannot find all CMP server config values in $test_config section [$section]\n" - if !defined $ca_dn - || !defined $server_dn || !defined $server_host - || !defined $server_port || !defined $server_tls - || !defined $server_path || !defined $server_cert - || !defined $kur_port || !defined $pbm_port - || !defined $pbm_ref || !defined $pbm_secret - || !defined $column || !defined $sleep; - $server_dn = $server_dn // $ca_dn; -} - -my @server_configurations = ("Mock"); - at server_configurations = split /\s+/, $ENV{OPENSSL_CMP_SERVER} if $ENV{OPENSSL_CMP_SERVER}; -# set env variable, e.g., OPENSSL_CMP_SERVER="Mock Insta" to include further CMP servers - -my @all_aspects = ("connection", "verification", "credentials", "commands", "enrollment"); - at all_aspects = split /\s+/, $ENV{OPENSSL_CMP_ASPECTS} if $ENV{OPENSSL_CMP_ASPECTS}; -# set env variable, e.g., OPENSSL_CMP_ASPECTS="commands enrollment" to select specific aspects - -my $faillog; -if ($ENV{HARNESS_FAILLOG}) { - my $file = $ENV{HARNESS_FAILLOG}; - open($faillog, ">", $file) or die "Cannot open $file for writing: $!"; -} - -sub test_cmp_cli { - my $server_name = shift; - my $aspect = shift; - my $n = shift; - my $i = shift; - my $title = shift; - my $params = shift; - my $expected_exit = shift; - my $path_app = bldtop_dir($app); - with({ exit_checker => sub { - my $actual_exit = shift; - my $OK = $actual_exit == $expected_exit; - if ($faillog && !$OK) { - my $quote_spc_empty = sub { $_ eq "" ? '""' : $_ =~ m/ / ? '"'.$_.'"' : $_ }; - my $invocation = "$path_app ".join(' ', map $quote_spc_empty->($_), @$params); - print $faillog "$server_name $aspect \"$title\" ($i/$n)". - " expected=$expected_exit actual=$actual_exit\n"; - print $faillog "$invocation\n\n"; - } - return $OK; } }, - sub { ok(run(cmd([$path_app, @$params,])), - $title); }); -} - -sub test_cmp_cli_aspect { - my $server_name = shift; - my $aspect = shift; - my $tests = shift; - subtest "CMP app CLI $server_name $aspect\n" => sub { - my $n = scalar @$tests; - plan tests => $n; - my $i = 1; - foreach (@$tests) { - SKIP: { - test_cmp_cli($server_name, $aspect, $n, $i++, $$_[0], $$_[1], $$_[2]); - sleep($sleep); - } - } - }; - # not unlinking test.certout*.pem, test.cacerts.pem, and test.extracerts.pem -} - -# The input files for the tests done here dynamically depend on the test server -# selected (where the Mock server used by default is just one possibility). -# On the other hand the main test configuration file test.cnf, which references -# several server-dependent input files by relative file names, is static. -# Moreover the tests use much greater variety of input files than output files. -# Therefore we chose the current directory as a subdirectory of $SRCTOP and it -# was simpler to prepend the output file names by BLDTOP than doing the tests -# from $BLDTOP/test-runs/test_cmp_cli and prepending the input files by SRCTOP. - -indir data_dir() => sub { - plan tests => 1 + @server_configurations * @all_aspects - + (grep(/^Mock$/, @server_configurations) - && grep(/^certstatus$/, @all_aspects) ? 0 : 1); - - test_cmp_cli_aspect("basic", "options", \@cmp_basic_tests); - - indir "Mock" => sub { - use_mock_srv_internally(); - }; - - foreach my $server_name (@server_configurations) { - $server_name = chop_dblquot($server_name); - load_config($server_name, $server_name); - SKIP: - { - my $pid; - if ($server_name eq "Mock") { - indir "Mock" => sub { - $pid = start_mock_server(""); - skip "Cannot start or find the started CMP mock server", - scalar @all_aspects unless $pid; - } - } - foreach my $aspect (@all_aspects) { - $aspect = chop_dblquot($aspect); - next if $server_name eq "Mock" && $aspect eq "certstatus"; - load_config($server_name, $aspect); # update with any aspect-specific settings - indir $server_name => sub { - my $tests = load_tests($server_name, $aspect); - test_cmp_cli_aspect($server_name, $aspect, $tests); - }; - }; - stop_mock_server($pid) if $pid; - } - }; -}; - -close($faillog) if $faillog; - -sub load_tests { - my $server_name = shift; - my $aspect = shift; - my $test_config = $ENV{OPENSSL_CMP_CONFIG} // "$server_name/test.cnf"; - my $file = data_file("test_$aspect.csv"); - my $result_dir = result_dir(); - my @result; - - open(my $data, '<', $file) || die "Cannot open $file for reading: $!"; - LOOP: - while (my $line = <$data>) { - chomp $line; - $line =~ s{\r\n}{\n}g; # adjust line endings - $line =~ s{_CA_DN}{$ca_dn}g; - $line =~ s{_SERVER_DN}{$server_dn}g; - $line =~ s{_SERVER_HOST}{$server_host}g; - $line =~ s{_SERVER_PORT}{$server_port}g; - $line =~ s{_SERVER_TLS}{$server_tls}g; - $line =~ s{_SERVER_PATH}{$server_path}g; - $line =~ s{_SERVER_CERT}{$server_cert}g; - $line =~ s{_KUR_PORT}{$kur_port}g; - $line =~ s{_PBM_PORT}{$pbm_port}g; - $line =~ s{_PBM_REF}{$pbm_ref}g; - $line =~ s{_PBM_SECRET}{$pbm_secret}g; - $line =~ s{_RESULT_DIR}{$result_dir}g; - - next LOOP if $server_tls == 0 && $line =~ m/,\s*-tls_used\s*,/; - my $noproxy = $no_proxy; - if ($line =~ m/,\s*-no_proxy\s*,(.*?)(,|$)/) { - $noproxy = $1; - } elsif ($server_host eq "127.0.0.1") { - # do connections to localhost (e.g., Mock server) without proxy - $line =~ s{-section,,}{-section,,-no_proxy,127.0.0.1,} ; - } - if ($line =~ m/,\s*-proxy\s*,/) { - next LOOP if $no_proxy && ($noproxy =~ $server_host); - } else { - $line =~ s{-section,,}{-section,,-proxy,$proxy,}; - } - $line =~ s{-section,,}{-section,,-certout,$result_dir/test.cert.pem,}; - $line =~ s{-section,,}{-config,../$test_config,-section,$server_name $aspect,}; - - my @fields = grep /\S/, split ",", $line; - s/^$// for (@fields); # used for proxy="" - s/^\s+// for (@fields); # remove leading whitespace from elements - s/\s+$// for (@fields); # remove trailing whitespace from elements - s/^\"(\".*?\")\"$/$1/ for (@fields); # remove escaping from quotation marks from elements - my $expected_exit = $fields[$column]; - my $description = 1; - my $title = $fields[$description]; - next LOOP if (!defined($expected_exit) - || ($expected_exit ne 0 && $expected_exit ne 1)); - @fields = grep {$_ ne 'BLANK'} @fields[$description + 1 .. @fields - 1]; - push @result, [$title, \@fields, $expected_exit]; - } - close($data); - return \@result; -} - -sub mock_server_pid { - return `lsof -iTCP:$server_port` =~ m/\n\S+\s+(\d+)\s+[^\n]+LISTEN/s ? $1 : 0; -} - -sub start_mock_server { - my $args = $_[0]; # optional further CLI arguments - my $dir = bldtop_dir(""); - my $cmd = "LD_LIBRARY_PATH=$dir DYLD_LIBRARY_PATH=$dir " . - bldtop_dir($app) . " -config server.cnf $args"; - my $pid = mock_server_pid(); - return $pid if $pid; # already running - return system("$cmd &") == 0 # start in background, check for success - ? (sleep 1, mock_server_pid()) : 0; -} - -sub stop_mock_server { - my $pid = $_[0]; - system("kill $pid") if $pid; -} diff --git a/test/run_tests.pl b/test/run_tests.pl index 8a9e156a54..2be4e607a0 100644 --- a/test/run_tests.pl +++ b/test/run_tests.pl @@ -47,6 +47,7 @@ my %tapargs = ); $tapargs{jobs} = $jobs if $jobs > 1; +print "Using HARNESS_JOBS=$jobs\n" if $jobs > 1; # Additional OpenSSL special TAP arguments. Because we can't pass them via # TAP::Harness->new(), they will be accessed directly, see the @@ -57,7 +58,7 @@ $openssl_args{'failure_verbosity'} = $ENV{HARNESS_VERBOSE} ? 0 : $ENV{HARNESS_VERBOSE_FAILURE_PROGRESS} ? 2 : 1; # $ENV{HARNESS_VERBOSE_FAILURE} print "Warning: HARNESS_JOBS > 1 overrides HARNESS_VERBOSE\n" - if $jobs > 1; + if $jobs > 1 && $ENV{HARNESS_VERBOSE}; print "Warning: HARNESS_VERBOSE overrides HARNESS_VERBOSE_FAILURE*\n" if ($ENV{HARNESS_VERBOSE} && ($ENV{HARNESS_VERBOSE_FAILURE} || $ENV{HARNESS_VERBOSE_FAILURE_PROGRESS})); @@ -76,7 +77,7 @@ sub reorder { my $key = pop; # for parallel test runs, do slow tests first - if (defined $jobs && $jobs > 1 && $key =~ m/test_ssl_new|test_fuzz/) { + if ($jobs > 1 && $key =~ m/test_ssl_new|test_fuzz/) { $key =~ s/(\d+)-/00-/; } return $key; From dev at ddvo.net Thu Feb 4 06:28:34 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 04 Feb 2021 06:28:34 +0000 Subject: [openssl] master update Message-ID: <1612420114.868123.18914.nullmailer@dev.openssl.org> The branch master has been updated via d53b437f9992f974c1623e9b9b9bdf053aefbcc3 (commit) from b91a13f429570512bfee290e8ec50096b0667e45 (commit) - Log ----------------------------------------------------------------- commit d53b437f9992f974c1623e9b9b9bdf053aefbcc3 Author: Dr. David von Oheimb Date: Wed Dec 23 19:33:03 2020 +0100 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack This simplifies many usages Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14040) ----------------------------------------------------------------------- Summary of changes: crypto/cmp/cmp_ctx.c | 27 +++++++--------------- crypto/ocsp/ocsp_vfy.c | 10 ++++----- crypto/stack/stack.c | 53 +++++++++++++++++++++++++++----------------- crypto/ts/ts_rsp_sign.c | 9 +------- crypto/x509/x509_cmp.c | 7 ++++-- crypto/x509/x509_vfy.c | 2 +- doc/man3/DEFINE_STACK_OF.pod | 12 +++++----- doc/man3/X509_new.pod | 13 +++++------ test/stack_test.c | 8 +++++++ 9 files changed, 73 insertions(+), 68 deletions(-) diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index e1b4e50ea9..ccca282721 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -462,8 +462,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx) ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (ctx->newChain == NULL) - return sk_X509_new_null(); return X509_chain_up_ref(ctx->newChain); } @@ -477,10 +475,9 @@ int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain) return 0; sk_X509_pop_free(ctx->newChain, X509_free); - ctx->newChain= NULL; - if (newChain == NULL) - return 1; - return (ctx->newChain = X509_chain_up_ref(newChain)) != NULL; + ctx->newChain = NULL; + return newChain == NULL || + (ctx->newChain = X509_chain_up_ref(newChain)) != NULL; } /* Returns the stack of extraCerts received in CertRepMessage, NULL on error */ @@ -490,8 +487,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx) ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (ctx->extraCertsIn == NULL) - return sk_X509_new_null(); return X509_chain_up_ref(ctx->extraCertsIn); } @@ -507,9 +502,8 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, sk_X509_pop_free(ctx->extraCertsIn, X509_free); ctx->extraCertsIn = NULL; - if (extraCertsIn == NULL) - return 1; - return (ctx->extraCertsIn = X509_chain_up_ref(extraCertsIn)) != NULL; + return extraCertsIn == NULL + || (ctx->extraCertsIn = X509_chain_up_ref(extraCertsIn)) != NULL; } /* @@ -526,9 +520,8 @@ int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, sk_X509_pop_free(ctx->extraCertsOut, X509_free); ctx->extraCertsOut = NULL; - if (extraCertsOut == NULL) - return 1; - return (ctx->extraCertsOut = X509_chain_up_ref(extraCertsOut)) != NULL; + return extraCertsOut == NULL + || (ctx->extraCertsOut = X509_chain_up_ref(extraCertsOut)) != NULL; } /* @@ -580,8 +573,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx) ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (ctx->caPubs == NULL) - return sk_X509_new_null(); return X509_chain_up_ref(ctx->caPubs); } @@ -596,9 +587,7 @@ int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs) sk_X509_pop_free(ctx->caPubs, X509_free); ctx->caPubs = NULL; - if (caPubs == NULL) - return 1; - return (ctx->caPubs = X509_chain_up_ref(caPubs)) != NULL; + return caPubs == NULL || (ctx->caPubs = X509_chain_up_ref(caPubs)) != NULL; } #define char_dup OPENSSL_strdup diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index f49f651007..56b9261640 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -113,10 +113,9 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, goto end; if ((flags & OCSP_NOVERIFY) == 0) { ret = -1; - if ((flags & OCSP_NOCHAIN) != 0) { - untrusted = NULL; - } else if (bs->certs != NULL && certs != NULL) { - untrusted = sk_X509_dup(bs->certs); + if ((flags & OCSP_NOCHAIN) == 0) { + if ((untrusted = sk_X509_dup(bs->certs)) == NULL) + goto end; if (!X509_add_certs(untrusted, certs, X509_ADD_FLAG_DEFAULT)) goto end; } else if (certs != NULL) { @@ -159,8 +158,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, end: sk_X509_pop_free(chain, X509_free); - if (bs->certs && certs) - sk_X509_free(untrusted); + sk_X509_free(untrusted); return ret; } diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index e38efad022..c50a55da14 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -45,26 +45,33 @@ OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk) { OPENSSL_STACK *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); - return NULL; - } + if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) + goto err; - /* direct structure assignment */ - *ret = *sk; + if (sk == NULL) { + ret->num = 0; + ret->sorted = 0; + ret->comp = NULL; + } else { + /* direct structure assignment */ + *ret = *sk; + } - if (sk->num == 0) { + if (sk == NULL || sk->num == 0) { /* postpone |ret->data| allocation */ ret->data = NULL; ret->num_alloc = 0; return ret; } + /* duplicate |sk->data| content */ if ((ret->data = OPENSSL_malloc(sizeof(*ret->data) * sk->num_alloc)) == NULL) goto err; memcpy(ret->data, sk->data, sizeof(void *) * sk->num); return ret; + err: + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); OPENSSL_sk_free(ret); return NULL; } @@ -76,15 +83,19 @@ OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk, OPENSSL_STACK *ret; int i; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); - return NULL; - } + if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) + goto err; - /* direct structure assignment */ - *ret = *sk; + if (sk == NULL) { + ret->num = 0; + ret->sorted = 0; + ret->comp = NULL; + } else { + /* direct structure assignment */ + *ret = *sk; + } - if (sk->num == 0) { + if (sk == NULL || sk->num == 0) { /* postpone |ret| data allocation */ ret->data = NULL; ret->num_alloc = 0; @@ -93,10 +104,8 @@ OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk, ret->num_alloc = sk->num > min_nodes ? sk->num : min_nodes; ret->data = OPENSSL_zalloc(sizeof(*ret->data) * ret->num_alloc); - if (ret->data == NULL) { - OPENSSL_free(ret); - return NULL; - } + if (ret->data == NULL) + goto err; for (i = 0; i < ret->num; ++i) { if (sk->data[i] == NULL) @@ -105,11 +114,15 @@ OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk, while (--i >= 0) if (ret->data[i] != NULL) free_func((void *)ret->data[i]); - OPENSSL_sk_free(ret); - return NULL; + goto err; } } return ret; + + err: + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); + OPENSSL_sk_free(ret); + return NULL; } OPENSSL_STACK *OPENSSL_sk_new_null(void) diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 9ae584ff12..17024ea7bb 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -183,17 +183,10 @@ int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy) int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs) { - sk_X509_pop_free(ctx->certs, X509_free); ctx->certs = NULL; - if (!certs) - return 1; - if ((ctx->certs = X509_chain_up_ref(certs)) == NULL) { - ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE); - return 0; - } - return 1; + return certs == NULL || (ctx->certs = X509_chain_up_ref(certs)) != NULL; } int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *policy) diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 1192527125..8e525a3815 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -531,6 +531,7 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) } #endif + /* * Not strictly speaking an "up_ref" as a STACK doesn't have a reference * count but it has the same effect by duping the STACK and upping the ref of @@ -538,17 +539,19 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) */ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain) { - STACK_OF(X509) *ret; + STACK_OF(X509) *ret = sk_X509_dup(chain); int i; - ret = sk_X509_dup(chain); + if (ret == NULL) return NULL; for (i = 0; i < sk_X509_num(ret); i++) { X509 *x = sk_X509_value(ret, i); + if (!X509_up_ref(x)) goto err; } return ret; + err: while (i-- > 0) X509_free(sk_X509_value(ret, i)); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 29ccc0ecb1..8e78c13b8e 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3004,7 +3004,7 @@ static int build_chain(X509_STORE_CTX *ctx) * typically the content of the peer's certificate message) so can make * multiple passes over it, while free to remove elements as we go. */ - if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { + if ((sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; diff --git a/doc/man3/DEFINE_STACK_OF.pod b/doc/man3/DEFINE_STACK_OF.pod index 9088dc040b..b5908fead5 100644 --- a/doc/man3/DEFINE_STACK_OF.pod +++ b/doc/man3/DEFINE_STACK_OF.pod @@ -182,12 +182,14 @@ B_sort>() sorts I using the supplied comparison function. B_is_sorted>() returns B<1> if I is sorted and B<0> otherwise. -B_dup>() returns a copy of I. Note the pointers in the copy -are identical to the original. +B_dup>() returns a shallow copy of I +or an empty stack if the passed stack is NULL. +Note the pointers in the copy are identical to the original. B_deep_copy>() returns a new stack where each element has been -copied. Copying is performed by the supplied copyfunc() and freeing by -freefunc(). The function freefunc() is only called if an error occurs. +copied or an empty stack if the passed stack is NULL. +Copying is performed by the supplied copyfunc() and freeing by freefunc(). +The function freefunc() is only called if an error occurs. =head1 NOTES @@ -258,7 +260,7 @@ B_is_sorted>() returns B<1> if the stack is sorted and B<0> if it is not. B_dup>() and B_deep_copy>() return a pointer to the copy -of the stack. +of the stack or NULL on error. =head1 HISTORY diff --git a/doc/man3/X509_new.pod b/doc/man3/X509_new.pod index b40715bddf..ab310bff57 100644 --- a/doc/man3/X509_new.pod +++ b/doc/man3/X509_new.pod @@ -2,9 +2,9 @@ =head1 NAME -X509_chain_up_ref, X509_new, X509_new_ex, -X509_free, X509_up_ref - X509 certificate ASN1 allocation functions +X509_free, X509_up_ref, +X509_chain_up_ref - X509 certificate ASN1 allocation functions =head1 SYNOPSIS @@ -37,7 +37,7 @@ frees it up if the reference count is zero. If B is NULL nothing is done. X509_up_ref() increments the reference count of B. X509_chain_up_ref() increases the reference count of all certificates in -chain B and returns a copy of the stack. +chain B and returns a copy of the stack, or an empty stack if B is NULL. =head1 NOTES @@ -46,20 +46,19 @@ used by several different operations each of which will free it up after use: this avoids the need to duplicate the entire certificate structure. The function X509_chain_up_ref() doesn't just up the reference count of -each certificate it also returns a copy of the stack, using sk_X509_dup(), +each certificate. It also returns a copy of the stack, using sk_X509_dup(), but it serves a similar purpose: the returned chain persists after the original has been freed. =head1 RETURN VALUES -If the allocation fails, X509_new() returns B and sets an error +If the allocation fails, X509_new() returns NULL and sets an error code that can be obtained by L. Otherwise it returns a pointer to the newly allocated structure. X509_up_ref() returns 1 for success and 0 for failure. -X509_chain_up_ref() returns a copy of the stack or B if an error -occurred. +X509_chain_up_ref() returns a copy of the stack or NULL if an error occurred. =head1 SEE ALSO diff --git a/test/stack_test.c b/test/stack_test.c index 0c1648da77..e59acd353b 100644 --- a/test/stack_test.c +++ b/test/stack_test.c @@ -195,6 +195,10 @@ static int test_uchar_stack(int reserve) goto end; /* dup */ + r = sk_uchar_dup(NULL); + if (sk_uchar_num(r) != 0) + goto end; + sk_uchar_free(r); r = sk_uchar_dup(s); if (!TEST_int_eq(sk_uchar_num(r), n)) goto end; @@ -291,6 +295,10 @@ static int test_SS_stack(void) goto end; /* deepcopy */ + r = sk_SS_deep_copy(NULL, &SS_copy, &SS_free); + if (sk_SS_num(r) != 0) + goto end; + sk_SS_free(r); r = sk_SS_deep_copy(s, &SS_copy, &SS_free); if (!TEST_ptr(r)) goto end; From bernd.edlinger at hotmail.de Thu Feb 4 07:03:25 2021 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Thu, 04 Feb 2021 07:03:25 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1612422205.095803.4096.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 8d5ace52d923f596ebfb8e0997efaa067ee73bba (commit) from dabea5447dc487983a50a40856f731db0db17a8e (commit) - Log ----------------------------------------------------------------- commit 8d5ace52d923f596ebfb8e0997efaa067ee73bba Author: Bernd Edlinger Date: Sun Jan 31 19:35:42 2021 +0100 Prevent creating empty folder "../apps/include" This folder "../apps/include" is accidentally created. This prevents this glitch. Fixes 19b4fe5844b ("Add a CMAC test") Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14051) ----------------------------------------------------------------------- Summary of changes: test/build.info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/build.info b/test/build.info index 56ac14eabd..7830ae1b7e 100644 --- a/test/build.info +++ b/test/build.info @@ -499,7 +499,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN IF[{- !$disabled{cmac} -}] SOURCE[cmactest]=cmactest.c - INCLUDE[cmactest]=../include ../apps/include + INCLUDE[cmactest]=../include DEPEND[cmactest]=../libcrypto.a libtestutil.a ENDIF From openssl at openssl.org Thu Feb 4 07:41:37 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 04 Feb 2021 07:41:37 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1612424497.724289.1044255.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3074, 863 wallclock secs (13.86 usr 1.32 sys + 781.45 cusr 79.30 csys = 875.93 CPU) Result: FAIL make[1]: *** [Makefile:3212: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3209: tests] Error 2 From beldmit at gmail.com Thu Feb 4 08:35:46 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Thu, 04 Feb 2021 08:35:46 +0000 Subject: [openssl] master update Message-ID: <1612427746.014209.20328.nullmailer@dev.openssl.org> The branch master has been updated via a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896 (commit) from d53b437f9992f974c1623e9b9b9bdf053aefbcc3 (commit) - Log ----------------------------------------------------------------- commit a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896 Author: Dmitry Belyavskiy Date: Fri Jan 22 14:54:09 2021 +0100 DH/DHX parameter check using pkeyparam Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13930) ----------------------------------------------------------------------- Summary of changes: test/recipes/20-test_dhparam_check.t | 84 ++++++++++++++++++++++ .../20-test_dhparam_check_data/valid/dh5114_1.pem | 8 +++ .../20-test_dhparam_check_data/valid/dh5114_2.pem | 14 ++++ .../20-test_dhparam_check_data/valid/dh5114_3.pem | 14 ++++ .../valid/dh_p1024_t1862.pem | 8 +++ .../valid/dh_p2048_t1862.pem | 13 ++++ .../valid/dh_p2048_t1864.pem | 13 ++++ .../valid/dh_p3072_t1862.pem | 19 +++++ .../valid/dhx_p1024_q160_t1862.pem | 9 +++ .../valid/dhx_p1024_q160_t1864.pem | 9 +++ .../valid/dhx_p1024_q224_t1862.pem | 9 +++ .../valid/dhx_p1024_q256_t1862.pem | 10 +++ .../valid/dhx_p2048_q160_t1862.pem | 15 ++++ .../valid/dhx_p2048_q224_t1862.pem | 15 ++++ .../valid/dhx_p2048_q224_t1864.pem | 15 ++++ .../valid/dhx_p2048_q256_t1862.pem | 15 ++++ .../valid/dhx_p2048_q256_t1864.pem | 15 ++++ .../valid/dhx_p3072_q160_t1862.pem | 20 ++++++ .../valid/dhx_p3072_q224_t1862.pem | 20 ++++++ .../valid/dhx_p3072_q256_t1862.pem | 20 ++++++ 20 files changed, 345 insertions(+) create mode 100644 test/recipes/20-test_dhparam_check.t create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh5114_1.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh5114_2.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh5114_3.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p1024_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1864.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p3072_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1864.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q224_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q256_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q160_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1864.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1864.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q160_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q224_t1862.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q256_t1862.pem diff --git a/test/recipes/20-test_dhparam_check.t b/test/recipes/20-test_dhparam_check.t new file mode 100644 index 0000000000..97e1506d8a --- /dev/null +++ b/test/recipes/20-test_dhparam_check.t @@ -0,0 +1,84 @@ +#! /usr/bin/env perl +# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Glob; +use OpenSSL::Test qw/:DEFAULT data_file/; +use OpenSSL::Test::Utils; + +setup("test_dhparam_check"); + +plan skip_all => "DH isn't supported in this build" + if disabled("dh"); + +=pod Generation script + +#!/bin/sh + +TESTDIR=test/recipes/20-test_dhparam_check_data/valid +rm -rf $TESTDIR +mkdir -p $TESTDIR + +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:1 -out $TESTDIR/dh5114_1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:2 -out $TESTDIR/dh5114_2.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:3 -out $TESTDIR/dh5114_3.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:1024 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p1024_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:2048 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p2048_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:2048 -pkeyopt type:fips186_4 -out $TESTDIR/dh_p2048_t1864.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:3072 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p3072_t1862.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:1024 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p1024_q160_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:1024 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p1024_q224_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:1024 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p1024_q256_t1862.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:1024 -pkeyopt qbits:160 -pkeyopt type:fips186_4 -out $TESTDIR/dhx_p1024_q160_t1864.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:2048 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p2048_q160_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:2048 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p2048_q224_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:2048 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p2048_q256_t1862.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:2048 -pkeyopt qbits:224 -pkeyopt type:fips186_4 -out $TESTDIR/dhx_p2048_q224_t1864.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:2048 -pkeyopt qbits:256 -pkeyopt type:fips186_4 -out $TESTDIR/dhx_p2048_q256_t1864.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q160_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q224_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q256_t1862.pem + +=cut + +my @valid = glob(data_file("valid", "*.pem")); +#my @invalid = glob(data_file("invalid", "*.pem")); + +my $num_tests = scalar @valid;# + scalar @invalid; +plan tests => 2 * $num_tests; + + SKIP: { + skip "Skipping DH tests", $num_tests + if disabled('deprecated-3.0'); + + foreach (@valid) { + ok(run(app([qw{openssl dhparam -noout -check -in}, $_]))); + } + +# foreach (@invalid) { +# ok(!run(app([qw{openssl dhparam -noout -check -in}, $_]))); +# } +} + +foreach (@valid) { + ok(run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); +} + +#foreach (@invalid) { +# ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); +#} diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh5114_1.pem b/test/recipes/20-test_dhparam_check_data/valid/dh5114_1.pem new file mode 100644 index 0000000000..abc5225db8 --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh5114_1.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y +mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4 ++qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV +w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0 +sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR +jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA= +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh5114_2.pem b/test/recipes/20-test_dhparam_check_data/valid/dh5114_2.pem new file mode 100644 index 0000000000..d1fadc1a90 --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh5114_2.pem @@ -0,0 +1,14 @@ +-----BEGIN DH PARAMETERS----- +MIICDgKCAQEArRB+HpEjqdDWYPqnlVnFH6INZOVoO5/RtUsVl7YdCnXm+hQd+VpW +26+aPEB7od8V6z1oijCcGA4d5rhaEnSgpm0/gVKtasISkDfJ7e/aTfjZHo/vVbc5 +S3rVt9C2wSIHyfmNEe002/bGugssi7wnvmoA4KC5xJcIs7+KMXCRiDaBKGEwvImF +2xYC5xRBXZMwJ4Jzx94x79xzEPcSH9WgdBWYfZrcCkhtzfk6zEQyg4cxXXXhmMZB +pIDNhqG55YfovmDmnMkosrnFIXLkEwQumyPxCw4W55djybU9z0uoCinj+3PBa451 +uX7zY+L/ox9xz53lOE5xuBwKxN/+DBDmTwKCAQEArEAy708tmuOd8wtcj/2sUGze +vnuJmYyvdIZqCM/k/+OmgkpOELmm8N2SHwGnDEr6q3OddwDCn1LFfbF8YgqGUr5e +kAGo1mrXwXZpEBmZAkr00CcnWsE0i7inYtBSG8mK4kcVBCLqHtQJk51U2nRgzbX2 +xrJQcXy+8YDrNBGOmNEZUppF1vg0Vm4wJeMWozDvu3eobwwasVsFGuPUKMj4rLcK +gTcVC47rEOGD7dGZY93Z4mPkdwWJ72qiHn9fL/OBtTnM40CdE81Wavu0jWwBkYHh +vP6UswJp7f5y/ptqpL17Wg8ccc//TBnEGOH27AF5gbwIfypwZbOEuJDTGR8r+gIC +AOA= +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh5114_3.pem b/test/recipes/20-test_dhparam_check_data/valid/dh5114_3.pem new file mode 100644 index 0000000000..514f7a9bcd --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh5114_3.pem @@ -0,0 +1,14 @@ +-----BEGIN DH PARAMETERS----- +MIICDQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX +1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY +wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3 +kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG +9rPKP3lxUGAmwLhX9omWKFbe1AEKvQvmIcOjlgpU5xDDdfJjddcBQQOktUMwwZiv +EmEW0iduEXFfaTh3+tfvCcrbCUrpHhoVlwKCAQA/syybcxNNCy53UGZg7b1ITKex +jyHvIFQH9Hk6GguhJRDbwVB3vkY//0/tSqwLtVW+OmwbDGtHsbw3c79+jG9ikBIo ++MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5 +gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7 +cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU +KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZAgIB +AA== +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p1024_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_p1024_t1862.pem new file mode 100644 index 0000000000..2104af26e4 --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh_p1024_t1862.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBBwKBgQCZn3UjXAFcQBMoIQ3eldBiGymdAHBv4IFlzPlpPln2Lh80Ut0vJ/XF +JjMWglpQgiZBt14Tt/hCirnsjGAJ/sdCybUSfrgynCvfnangtYUiejWbkjriFrAD +4fc1UJeZaYh0LFE2KoDbj1WYEatllkAv1YN59Va2BDqhKibRppPvwQKBgCiB+ihI +wZhXIj77B2uKFXx0fPUgHWmG31X3IZg6qTZhZZ/IhKrwkic/ZDTQ3Sg8xh6X41iB +oSNrh29uJOV5XQKu1p53jUcnBT4ziA/Z6Sljdjqmisd81RK0ZEj3mBV7gpFId4xX +mHDqT0234ZAzjd4GutIrnYhr15ysfYG5lPtT +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1862.pem new file mode 100644 index 0000000000..c8a9b6bbee --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1862.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCgKCAQEA9UZoeQZMPSABt+d35BkXukDZ/sobtVEGpOTCh2xpP4yu+A0fWzc7 +pK25D/JcIsMbx4g1rHTjJCXw0MXZ0r7x3ws7J5UGAC9/XcfrWtFoDMt+8lYLe+uF ++jvx/1T5FOSn/DnJZPriW038lsKvZ4DmBOn1RTniikEfxNdgMRH+tMf0QAMpnep1 +S3DGADLw/NDGdqXbjj27pa0vNEgZkOxsMjlwepaB0GmkyViqY56RM46ZLveYp4BR +124XaaS5woIF+5oou9HpvR2Zq/4D5b3rXviSfLzWscpWwLpD4qpLcy3CaqzXpMfc +xOeh27Bke7An3qjkuCu62eB7Oq8+hdQaSQKCAQEAy/tatWepC98OD5Qz1+UExQ4Y +fRMQma7tdaJ1eCvcuo1hmvxBMl6uYPluIiaoru6LUt+u2GaDPvSKytph7uidTRH4 +kL6NdmHnCU/rpSsEESLmeu5BmkzoCfrFVC7NGTS4rVgQn4kee4LXeBkjqEICstzh +4+1Zuo0klEYCpKjbgQNJP153vdQpPxfdgyaJf6a8UhAl/NgOzskMb4Ae0v4FjXFu +tGnJpClSpWwVl5xakDI/P3TFH5fbcEjlsKqLjetUD7bSP78F+toltrzWEgh7+VMS +rmXmAKV+hC6GGYBl4JwIaQa6cL5hlD+2ZHYKkPAOlDap6uAHQK9KnnuAxeUXZg== +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1864.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1864.pem new file mode 100644 index 0000000000..98940db55f --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1864.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCQKCAQEAhBkJVh18GbakvREWoFdHcM1zTvUqoPWIS0EKHpipndD8ePM2ZvxC +ikSpr/DThX15eUODyaXbxusyx+05gnEu6TeNVtA1EUKWXerX3km1aXGv61MqMG1a +Uobe04AT4wAxH7+pQk1c1GPmMNA1PYA4jzn/oTSvyaM0p+o9g17Uv1I8cTOcPGlL +CkjumnixrMSBPfIkiqoyeTQiNK+IxzIN34RHQlltzwJrSJhJXz0JGG132zQXVRur +0A/Bc6YdaszGujg2POhtgueHoK3qatL0jmCwQEbwFx+8dvVVF+5UIO8m70b+WyT5 +WFiBHL3SRO77HMWg12Yj3ZX3/zhoOZ1cuQKCAQB2OF9MwGboK34QjRrptBzfGQc1 +lX82JTwYi7VTvLRKZI9ln6PkVCXaaGV68D6CN+Otz8mfXQdC9I9voMRAMoKBIvQh +3ySkYLuRy4wcOJC5msj9wnnfXoIhS0rvbjBwmvCiuCTYCRlGBboVI9ZWv7fXj949 +oF4P7CQffyTc/4bZv9CgtODUum+HYKRYsvAsF9OKY62yg4GbSfIN08mAZ9u03YWa +qPYclJKTRvo4IGZy65f23Jo79Yx4o9jvxnMIstBYrFJLitKqxB6dlNZEu4mv56Sk +OuCzMwh2Vd4kmNgahBiTlID0UySQqsVHNzFpW/AmQ2D1OmqW5MffWOWLOBDj +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p3072_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_p3072_t1862.pem new file mode 100644 index 0000000000..3aec9ff44d --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh_p3072_t1862.pem @@ -0,0 +1,19 @@ +-----BEGIN DH PARAMETERS----- +MIIDCQKCAYEApg6MBQ/pnZf8LsfYoktwBPjROBuBye90r2l/nhUo1WBeatdkRB09 +6VfxvLw4W67mDOFkRuL8jSJq4qg0J96NfHsTYIl3rN+AWYcT5jz3Jeg0cNRbpdP/ +LCn9EQx1WhYVsym2klhgy58TyaE10jMu6GOfAxqBuBuT2Goq35F2xLYZOTlBNogW +GdLpa2IT7DB6rb0Q8n0EQzxlgbJv8gUHnYaEj9TVGLxFknQMRB40cxXBOYQelMgw +VMZvZJrZdQOH8lB6tf8KtGtSJWpILy3kKeSa+1PXQfVDxjeb+Us28YkYw1zFsFMV +6RbUz6L53E04VZgrgoKo2bO5V6LYbHUINvNqto/ut3EuRZp/uhfGo0KpAfrd7fvU +R7GadmWmsMJtSEK/qneSEsvd8W4SeQpuGoua6E/lFIGSdG2hjjKrFoaNDJnBcazk +MkWn+zuDJqheQujmr1HJ+3F6tX8rqfyN1XrYkU1xVTibaVyiGMAYioTFsOiYyFhp +IzIVfF70kjHfAoIBgA9sS8DTB52/ShiCpYkCW98iIcdYvNSqGTSWmVLMRA2zV1Gq +clc6Zrxe62BFb8Y/2extYHvbpNdrHryIOdJYnEq6GjTiiDoU0do8y/mTLmyYkKuD +wYzxtVhQh5Pn0l/3Eq1bfLlseDzo4NrDAJ2BwvAcHuuX0EIA5vG9Hnz0zD18UZb7 +EN1H1dKh1jmKWK/HEB317tPYNbOs9433yecdXwt6i+asEN6NAbBG5qKQrMq9s/UE +I5R1PRvvPhujTuM4Pkn1tbUcs5psxYafeH8aGipWIHd8faJ0kcG3k/aY3jMRTR/h +0gpT8ERwx4HnFCfxXKNMnok/YhU5Y1wq/PeFK3v8XQdFQnZHo2DZWuAxVGI7EuP2 +GeHYbzqoMHoh1dq5ePuzRbIZgs+7ah2G+GptfeeUoU8Wxbk25nGLBimPu9PA7nfa +QzxJP7yvQD7SCm6C6ASY71dN786B8WIbsyG5XOxoEJj1MTjjhMdE1SeSFbPpn1ih +XeCuEdNLx1dKYfi5VQ== +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1862.pem new file mode 100644 index 0000000000..fbd6a81860 --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1862.pem @@ -0,0 +1,9 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIIBOwKBgQDspvt+lBKshK2dJm1ouMYnWvlxV68lrTd8OsJe05BhqM3OCX+WPaZj +K3YpCfeGDjF3XvCnR546Bwa/XF5/ox0psRhY5yeKn/CHtOerHcYAjFMFZy1I6K7Z +TZCDsVNNyIzx955tJHsel2B2rWKPXX2cZ9nQf1Zpkpj6vOg7ujw6/QKBgQDPtKmW +TssY3SmGBQmWkzP73mpZU/x5sV7BWWHR0JJeDjTiVzO40BA9zeQgsI6iJmYNit8t +d7M25maoMk/7LRochsyFGxgu69kjX5LuTaeVvH1W3sl4kfBDyGckYhFmWWtdfQuf +VYiWhIe7hjBcP5MMhKZr7Ic66fKrofpUzaLuVQIVANfIaraDgTJH8J3BnR0W3Sq7 +/6N3MBoDFQAmmc91MkRP1Lolw5MzKe/S8C1gyAIBEg== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1864.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1864.pem new file mode 100644 index 0000000000..242487f46a --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1864.pem @@ -0,0 +1,9 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIIBOwKBgQCDjSjO0qRsv2C6jEOrtaR5xuVptCVLb6ft5U26tPOCA1efTnAdbJ50 +88sKeMjWuXjPGuyKaPSW55NZe57ggyPLdu1Frp6OmK1Odxlit316wfTWwbIC9nZH +G0TdsvXvyOKMUOV6nSq3wwVv4hQi/6ExRNEhSgqFnHz3zjmR+s2fFwKBgF0uZFhZ +uqjT6efnMTbEFboZJ7/dQRvkxQzFuQJXAATK/zvJ69BB+LQ3AqT/Nic/UpGAajpl +9iOtwbDzOVaMRS25/wM9+wNGSYbsI2x1+JAG06EWq8+Mdq3pPdn2VBuPdXK5+VGk +cf4XMul9XE+dMU/mpeUuWgjcuVnRqIVq5JUsAhUArW8on8uZ0Tob8bb0LBXnLGBR +zJ0wGwMVAKgAShO77Ko9HVjhcMfQRClGMckAAgICCQ== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q224_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q224_t1862.pem new file mode 100644 index 0000000000..3f0b3d8b8e --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q224_t1862.pem @@ -0,0 +1,9 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIIBSgKBgQDEd2y1+pvNNsQ1Wki/LuaTTvkCIdt2QX/UDxV6vWVuJ/rS1hyQhvtd +sRUM04BkyUzsnzqXWK/Cg/Rw6/J++sMK7jcbs2IDLcBk9s3ukwM1tfyhfAdzappG +2FGM2jThA91ie+F5NO+Tr+R7mE8SqR/wsIPq9c2Qbll1dDlAitwaHwKBgCk6/NWH +zinsV7PA0BvIm0nx8JfvjjoghDiGFq4xLKzFszFYcEKyqagAbds/1RmPC8AtVl9b +deXs7JQOwv+nbYTHyATEFptwV9VnaL+3+Q7TIHmIUgbmpetubZ+7FhfZHZCObOIo +r/jTpaqAjmSE4yK71sjnEL7m5MthKI0dcnfnAh0A3GFAymHgoouMbaxZ/gxPIHZ6 +66JF1b7doWihyzAiAx0AaAMOgPvnS+AvlCCzdggc3Z2/eLAg5AQOgjpZygIBBA== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q256_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q256_t1862.pem new file mode 100644 index 0000000000..9f7ab4645f --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q256_t1862.pem @@ -0,0 +1,10 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIIBUwKBgQDaVuQ2SUrfZoS1h0/vzCqyih6A+fNOVAEyD6TWsHzuzwroJF6Uak/Q +f9xit78vsr+yOlIIECyKU/ojzJMvQ2PPgOEcV/HyIofDWup3oRlKduxzMH2nfDCi +fcgY57BF/j1zx77gb61VqUAsv3QBAgYfRI1cV+8rrvYDkOcWsNeRKwKBgGDf2te/ +h28IFmR7vRufuRjNASmw/3sc+CZo4T5/aeYQPKyxAnUgn3wwcZYwUSxrCrBDDb+Z +vLe7gaNb3pmixFDyzicRC2zvvzvP3mcyjMhOWwFhEaZy+IOP668g28YFvCPEmsyH +KpiMdrkMu7TUkomrN3la4m1dAHYO5ykR4XDNAiEAnbBbOFKmm5s8ocuLdw+AotyD +jG5C84mxNrXGs6s+uh0wJwMhAPKGQPS+FuidlXISBx8acOd7v/hDawBOcwE1WRsB +BbjpAgICGA== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q160_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q160_t1862.pem new file mode 100644 index 0000000000..0f6bdb0956 --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q160_t1862.pem @@ -0,0 +1,15 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIICPQKCAQEA3PeBtOvlR5Kz7WCTOLcEKruVv1gdXrA7KsqEZm5hr0Ods0C3OV+g +2J4Z5MNQuuIcfVHNxqSmEc2cEM6hMZHu350IJ4uLygmjk8zATmreP0+f/1wBaSXV +aOZAYXAN3ppzhl2XwPwfDa1KTwBom7xLNW1BsK+ptM+D6RjBdbfBWtrnk9sPj6+X +ajPL0bJ48S8AoqJonRIc3RMVe6//DabaADeT3udnGUcWh0QyrtfP6gRCDROR/cEU +2qR2GSAaevUzHkTDmPTY++V3UeZf5CnEQ2x8iuTctcmLA7ZB8u1Lu7WW5X+1Wx8h +ulBeAUvLcnvPKchhY9Qgo2BNE6DFy+8ibwKCAQBbmZxQzpVC94EnHq4CrS5ebAMZ +suMan9H92P6mk90XR4AJAfuPRBvbVv3qki5qmjuS0Rf/R+oJ4FqS8HyR7CpoSK79 +HFfkdNQYe0WSPh5ZFQy1P+aE1BVhApsJVEW+DADSM5AWPybmcQXSbfqfTZoKR8ML +w8ofyPF+tacUaMG5azIHP5mj1h9qdaSOcbFNiWrvp6yM0Ybzgq7IhkCajv22zhPx +MVAhlIoTiNlMYDcA6Opg3R0LrPM3mENUjB1LuKZFWkSaEE7u0YoBdiA9kZR0d+pp +bLtOrVjgjHzTGHo1WcK0ssqD4VkGfXYHyMexpgF3vcM4HjEmqWIj/rkS3QZAAhUA +u4LBDAAJwMZS9lRrtF10hr1QGQEwGwMVAAihPYRyZpRQLB0qWZytlUduGlCAAgII +xw== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1862.pem new file mode 100644 index 0000000000..ec0b67068e --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1862.pem @@ -0,0 +1,15 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIICTAKCAQEAq3N0G07RbPMxaYSamWfQHLetFXbsNie7On4NvC7uL1KmfaTHNkxr +EZv/chhTKUlQRX4nTYryheQRvZpi9xp5cDnv14nzle3kA6hEjAA79cf9xJqCHunf +AL9so9PI7VY7SBr8ANsY6vXB6FNxg2JPCHaQfkGgTSIwqfehroaJicUSG6DkKHu5 +RtKniaRDfQoVwxS7nvBpqG8dhZuP8Xei2c8dIqof6Hw+Z0vGANC/lskVNflaTjKl +qV2DG9VPcJuXpmGQUzxBQ5uXCYkMYZpO7GI7w0KwCq/kBOduLcuFB2A8/qodyyID +xr2fP/oWZtQ464HcagGEE4Hy90LenUvVXQKCAQBW/V2Yark/X+Mmq9HJeGEk5OaG +g55qxV9HDYreH0QsOgAVMVzm126uy77ODdn8qR4fPoWZMVUoThgol54XscBrdM/D +RRWoqrdocyOdkPOloM4bzdYiazd0bn1+C+xjD42lLxo4StaSvBmIakb7kPt1pQ73 +AgRCRZy0j6OE5gZLZb+fLYvjJOcT2n7AJuzk2/Q0/k2o9owC28dGDwdWBn/CvzBj +oMF/2R2zbX2lc51rfDzV0qdsplu5SU57b1x8gdjw5kKJgi+kwK7K0fGB5liPb6Pb +w0eWFpRgUskqIOxVFsQgxwkcL3mqDJnIWlF1WboJqfvN++/oKBasojTrUIBkAh0A +3Q1tuu//NF8fksO+3IJDkBGZdzM6oCa9Vwc18TAiAx0ADOyRLiKTe0HDW8feHEXt +HWPv+S5quqP11wlJPAIBPw== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1864.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1864.pem new file mode 100644 index 0000000000..b30aa9a4ef --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1864.pem @@ -0,0 +1,15 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIICTgKCAQEAyWH5+SPDEuhevGc7dh4iVF8ZJO0fryDA1fn2LMbNK5A4N/VPMd7p +qq9go7ydaEbbPEyOd7xApIaQdn/fmUBL6Xp2X4HW/MkYbnebI+2oZgpt2QmAxsuN +1KTa6SqAz9ROi7SrSm0aAFAtbzP1vVDnngkjONXo/LU6yy9Smfa5IMSbrow933kk +EDbgos5inebY7R1owiJhEENL+haib0Axz0rrEQIAg5CtGoc3B8FMvMuAXMHnGS+r +8uinxeuI+cblyqM0nEKVcPwXYQEgDI6+wO21gXuhTjKOL7C5Qlqyb4W21+w3TZ/U +TD9Tb2kMi8x33MQPrbqh65Gq+MuX5CStCwKCAQEAog0NkDcZyPFILLucriUqlO9J +XkthvuaA1SiAiLT22hCSFdkyxLOq2ml7sAUQTfMD0FDjdzZ01CS5yQhEXPOUBXfz +SyJc0PylVbfmZLqS6s8a37wE0K9QYrPdCR+DK7/hy1d9nlAPiMd41/vEfE0ISbTF +szg+Lz5Q8eeWaaVaj52iZzy3zTkfAtzlQn1O0dSQ6StnASfeM7EIwPEihoSblX8w +FqYIaGqg3RHXd5YBwMT72o8Dz1dYc9idL8D+Eb/i5CXW4eogSF1dPE8GjumJ2M2k +ch5UNb6t/s8PqxjsE36aIGJ9kYVE1IJrtq5VZuiPKHZaNqDXsZRXsWfEL9l9eQId +AOhB7sFh9bzTxnNxCWhmUWnCDfw5o/q2unO8+y0wIwMdAI+6LavN7KvTx/hjMS8m +oqA6C+1IhgwGtFlmitACAgEC +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1862.pem new file mode 100644 index 0000000000..1cfe9c86b8 --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1862.pem @@ -0,0 +1,15 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIICVQKCAQEAhxMwtOxNyUmeaageg/mNU2eOSXQR8EOo/i3kf7KimKu7L0rb0hDb +8jT6r1jzkLCHjwleD7eAUxMMXbR5e6gBeKy5MbCUL84k2Gu67rgD+DF6SXn0m5or +wpBRcDBjEaUQE9m0TdS4BGJc+EwYYnjWIKIMtjOscwrx0M9QjmAiMwQN6IdAl3zF +9nmWFy8Cs0+uLRI4Q4WPRR/iPGQxtxTVtXKL5jMaPYiEdAR2RGkBo+kdi3gKKvIB +JxP0DlqQTqZcwrVJ5neRw+ZL+UqurKZeSVD5LLhoFgxJNTEy8EhnG5RibhSoFkVN +AQ2NAITvkudCMOti7WRPD9+NhkakF8GT2QKCAQAiNQFdNwtfvwqhVVdZM4kp+dDg +driyDQssF1YFL+RJ8wxlanaMs8yPUJ6raANoVKKbJm7LwSJ2uVnXcTWzKIxIa92a +XK2ZFkXYhLz84/gEikrDU0OHhswy5NkJEIeHJwg9aWBHZTrSTXGY3yTmBqrU81SY +RC+yoPxS8CInuhYg2fyglpuZCRgqlZXkdlzQUocQ/LwpQS4+4RDrUAEg9xxiTRGx +qD6CCnsKSPds3AbazBdlplOQ9gkjPbyM3or7f/4i17zuqucTFpZyvwmWGDGzwpWe ++Xw28Hp5gNCNQDQZ+PfQlENvGxfuoOSiKHd1JBN4bMG98HSUtT7v+C0qAh5OAiEA +iRpMLXg4tQhUO3d9x3NhkzDVbDpizcuXT+iLat186pswJwMhAPo+HQsTrhHlHfND +TPB8hXdpDowZTe2Hnn2OzTUSD4QLAgIBDQ== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1864.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1864.pem new file mode 100644 index 0000000000..92ec657d6a --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1864.pem @@ -0,0 +1,15 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIICVQKCAQEAzO57ZqbU71+lYMO5SkCWyVKTb5/+LdGauH060+pY7FmbpItnCOIj +Af5kgruMsrRFYpP6cUyulMTmsO56yhuJpJICoEo4kgCmDtWsiSAbfya6TlemR/pE +/sK0AjrnPEs7/shm8f3FsTzOxxRfyjG+awNNaIAd0WrjlRreUdh3iIQfL/SsyAoP ++oAJxkCe8uUfUkYze+jYE7NiDh20LtkIl1WU7M7TDaiYFu/Eu2HBQFoBhVaD+lik +/3TWj2qR4GrVa/DyiXScGizXJBoLdQ3eN48xaXz4dLqJWaEvmmtjfqKc1HCsnLH/ ++8pcCm2YlyDlTEpQEampcMV6S1c+wcbk/QKCAQAdDMAoe1++MBQH6kLZUhykild4 +IyEjegCi5WCHQI0ebmsC/YxxaXcr0U4xETJFU/cd00p8GLJ9YviT20qJ5iEktmPc +dahijKGOVll+4dN93a6KmYQ47Lcu+tKHgr8yyje5m114XiapmgXwFLvI4PSIW8DP +ez3iekoZihpvugR1RfuvUIFdR0N8leiW+/J0EvBZRTupUyvBLlT8la/rbhiBBxvB +xu0Suoz+jzUO9HxKVRvnGA44yR5NMMv49Md4LZZ3EHiMMFBzyVdUh3WlOW9aBLwm +xDuZXhCd45Iv4gOj+emLgHhmFgObYKwyomohBoKTOr7NQvra7I95v6w7tF6lAiEA +uHUPOaAMRZBDNqplV4m3RlP1RGz+X6Vl0SPWYx8M0nkwJwMhABYon3NiVQGHX79/ +jyrQpVMxdvlA7NV+Oy8HXv6h/s9NAgIBEA== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q160_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q160_t1862.pem new file mode 100644 index 0000000000..3ced35c67b --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q160_t1862.pem @@ -0,0 +1,20 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIIDPQKCAYEArnFPoASvJ9zWvwV6HUX4gATE2M2R4aAyV0dTikh8bNZb9sg6JNdd +zlvRKIRc2aRcoVIrdDMa3GlMOhFW3+7jV3Z/y0/GGn3qxQeVPDMcsE7dqiaEnESw +FQ+BmRo3G+s/UvjvzekHtd17MEKvGWH8n/BIHJNiP8LYov5DhyHy+TGrUZPDuXCb +ycIwMM/0adaA5SkAr1GRviK5rPxEeqBj9pWk4iNEg5KTPfEyYVAOYE2O5KSaPYXJ +rKGpAHuS18QlWmoEVIzOp50KyS6a7hoiFYmE8sE2QwFCoG6UCxpEVpBfmax6KA5L +H653mR+A+VBg8pnkRb/9nUTXXMyATmQ5F10EdXh5rHhLYqF5IRdluOjEE9Lc5GeE +P5OMMM0w/KrpnP3gDeB3jzEBUm2+vphQWFypq8mNVQKDhuxVljQjE7iHE/E8P7F3 +I+6TiFOSkrKh7RZ6AOgjaD4yiYj+clv4+J5mdnpBVI+UXwwb8X1K74sVQgw++umk +F61XvQf9/jT1AoIBgBZT7QTh5UoexXm5rFripXwN70uNMPO5ugveHH9kR4aU95SY +Qc6mK7sZLoF4DXwZaqtqmh8gGkUtwONTY/fbsq5U4Ezs12RuwQTojoJuDTb3z2zM +ug1DfCuvVFzJylRjb3JYlABCxeE5Kid7anueC5mhVfj6mWWXxLheKh3OHYLVP5Az +Xt5BpYlJqKanD414yfubI56aBVSxluzCNtHv/dwwPiTBG1JLsucqxlSo1eKfOMAN +dr8sE01yNe+CUgmDUruMeYTZaO9LZXm1ZomQcRaEV37q92HnaK66BeY3DdNcStEQ +DHT9HL+qzpQU/x+gbLib5nie5RbxZLVGLVmb5iQRk4fc1n86dyYP2YlaY/1e9t1x +UL9FYH3FIQIoBR7AKc0EFOEg98cujhSqVuH1mKN1yCfHuB/bPVA/JjYS2sC+LltZ +80xjOUchfT8vCLyuZhuQJDIvP0EcSBIdzHS04Tu1PNhj+777g+9rwLMNcArC5dqL +h5rq7nqE7F2kf8JBVQIVAP/F0VeodM/n4piNkZkZeVz9lf2DMBsDFQAbVeBR/9Wo +2e2/qzEzqPKni9XgIgICBpw= +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q224_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q224_t1862.pem new file mode 100644 index 0000000000..cc68515a6d --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q224_t1862.pem @@ -0,0 +1,20 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIIDTgKCAYEAyXngTh3fkOAbcHwvYZ0vfRF6KEZRXVcZtgeYjnKuu3KPa6v+Uqq1 +z9U50V4MLHFAbO1f0hbWGlFUYTFqVwMaKTcKJZH7xkNpHsmZxiElWVTXmGOigdfi +mu4awQdE+N4E7/9DFBXnnqUzpPRkBP5V0zOUePqYQhpisTKct6OvSJojAiLJb8Jj +6mO0Oa9t+RIC1Lz6Cum+k3Yidxu/kOGW4WBxIKMML9o6cEMRnU+HZyzXskgL2pZB +1DXe4OgPU9qvAnUnve0tbwPDUpD66khN/Z1Kaxb2NhTc2xx4d2guucGIP7VsyCbs +luf3KtOiYPC+LOlgcZDkqDc0N2F6LdXcO0XA/8dI5UiC8L9Pr8Qnu8JaqrxG9PA2 +VQT4GbWvjnNe/e7cZE5XQGRZkdEEVYuxcgFKeW+QAKcRn+fRaWW8RDDnIH6aX+yg +abLXrmZW1bE3FnLFS3wDcERooaXrpnJ6RcbLPEPJszHV7Nc5LnIpT98rGg0AwYzh +poHXYcZ1bFkTAoIBgQCgq5PGWWYX2kWvavUaBXrnUihvhvYA57P1onBTYvy3XWx+ +rbVmIFLQsDHKF2HvtpfdZlMLuszfpc0jJN0V5M8e1cZzPwD9adVab2/D07MB5h2+ +R5zzvY6hYJ8fwt5cSBKTdnFzOctmpGe8IXp4704HGGHWlkVJV60VCbkk1a2FfTro +/CK7RHFilQc16TlHl82M3lRwFxl9nbt79SdmAnHXagWhXk+dU15oYfAD4qS6qiyv +5gpQEdDas0pfKqBBbkVRojjRE8W7Z4Wg8ShESDkeMvaAKnyug4FDVAV8t/l5F9Ce +jUhrdtMLsI/gTEP8PrpeikaY+0MFU/Hvjs0yE71sk3PwD1K6VaXUfpoWD1OroMiB +6Xfpjda/SlYHBACNUkuQTVvjO05rN3ki49cBEXE0MZ1UKLL1ongXMwTBQSODitrB +HKNEEz87yqQZps2323fw9645aWdnBjbhn2/4lVfBU80mhWj1vz/HP99Lei+cVyjT +qlQ0OBqIK8y4Tas1tvYCHQDJ8eJhb5zmsjLBxS4l1maNV3l41n9dXMp7PMetMCMD +HQDiXe5AjJCogFwJ+h/2wRbz953nokPQcY8/pzLCAgICZQ== +-----END X9.42 DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q256_t1862.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q256_t1862.pem new file mode 100644 index 0000000000..b8b691e54c --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q256_t1862.pem @@ -0,0 +1,20 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIIDVgKCAYEA7vFyaD61/aB6D3DnJ0zyPm+OjB8fQgP/2CXCPjoISCXzgVZ8JISE +Sv0OwXTUIG4F9135mFkp3/V3/yx5RqZnzPdHuPM3btQSUHDKYjEjMG2dWFdg7V2d +Fy4RwQreMfUW+rDH2b8wJPhOj+xvhd7FJ6LQ7m17TmtPW3c9POW4Tl+UwqpNoeMm +p8kVkWrapeGfNFIJR0xXhZ7BMwlaq+Pbc2PaVX/hBClohpmgsxBtqAU5Ou4Tmmpt +1LEUxCqJH6w96+uPmpk1Hl3zst7W1ZHkGMPS0ndnHop3FHoojdME4FZdwYhsvTIk +g/8qY8sLfp0SFx4RutG1tRVda8iVXmDVj6wwKQh7/g3MgEegNnf+tkxUoxW08ExT +xjgjblzsTuBlOcDOelX5kshZPSdYowGwQT5b/wlOT0iH92CHNZhjQktxqxbA02Du +HmsdhFSEAirxZUpS4c0xcbaWeb1rSpVRl3HpF/DLSwsRlwg0/tPpo8KjwPogOBST +kZURpnBweLRlAoIBgQDJu6LVBnp9P5HfzqO0gX4zWxYIl9I9ZFe235KJmyqIDk6g +njmTlhMKgdF+WUKeI3u3wjZF+TOTQ1tV0CdU3fFd83pAwW5nSiFIEwhbKF8drV55 +H6D17GBVh8bYUyDZvFT6HPbaRCH1/tfoMYZ5QGlusHzGjObkPBNc77CDtfE3XVyT +iDAXRbmkAMrR9vQ45hJO02vQs+ugtsuwc4p2aR9ctvnqwuBUrHAXbXFHJA63R76a +Qwl/A2nxNMbH/JWrtObGwdGVLir8/cVBKiyKB83ruCbLa9Mxwlv1pRX5B2mFI4I2 +bfa/E1+w2c66aBcG5dXchxfA0klwb2kKHb6ZOVJkdnrOW04hXxbpdwda9aXn5Hzi +xFtNogsLeOVKyNRyeknFtNKhGcFTjNYrZErTtL+LCN8et6KrAw5H7ca6b1VoYOGV +zniFr5zjeVCLP/tur76lzwEbR5zwO3h4h8+Ng8wdvvXXEToewhfhYOwvPsl+BVxC +iD0F++0jhHSByedZyqYCIQCeC+q7jPwO8lv400d+z03nNgPTGOPXBTPf47M6tMyt +YTAnAyEAjBNHdTwkQRtyDm9si3a+eaQ6Su8RJx77eChqv6mU9x8CAgHv +-----END X9.42 DH PARAMETERS----- From openssl at openssl.org Thu Feb 4 09:58:48 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 04 Feb 2021 09:58:48 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-ec Message-ID: <1612432728.996298.1326366.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created From openssl at openssl.org Thu Feb 4 11:34:32 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 04 Feb 2021 11:34:32 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings enable-ec_nistp_64_gcc_128 Message-ID: <1612438472.539372.1529672.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-ec_nistp_64_gcc_128 Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created From matt at openssl.org Thu Feb 4 12:29:43 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 04 Feb 2021 12:29:43 +0000 Subject: [openssl] master update Message-ID: <1612441783.920308.1554.nullmailer@dev.openssl.org> The branch master has been updated via af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3 (commit) via 08cea586c9d0fd2fcf99ec1eacb7736a34139d8b (commit) from a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896 (commit) - Log ----------------------------------------------------------------- commit af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3 Author: Matt Caswell Date: Mon Feb 1 17:31:05 2021 +0000 Remove a DSA related TODO There are no instances of the macros that this comment is referring to being used anywhere within current master. All of the macros were deprecated by commit f41ac0e. Therefore this TODO should just be removed. Fixes #13020 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14038) commit 08cea586c9d0fd2fcf99ec1eacb7736a34139d8b Author: Matt Caswell Date: Mon Feb 1 15:45:44 2021 +0000 Remove some TODO(OpenSSL1.2) references We had a couple of stray references to OpenSSL1.2 in libssl. We just reword the comments to remove those references without changing any behaviour. The first one in t1_lib.c is a technical non-compliance in the TLSv1.3 spec where, under some circumstances, we offer DSA sigalgs even in a ClientHello that eventually negotiates TLSv1.3. We explicitly chose to accept this behaviour in 1.1.1 and we're not planning to change it for 3.0. The second one in s3_lib.c is regarnding the behaviour of SSL_set_tlsext_host_name(). Technically you shouldn't be able to call this from a server - but we allow it and just ignore it rather than raising an error. The TODO suggest we consider raising an error instead. However, with 3.0 we are trying to minimise breaking changes so I suggest not making this change now. Fixes #13161 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14037) ----------------------------------------------------------------------- Summary of changes: include/openssl/dsa.h | 4 ---- ssl/s3_lib.c | 1 - ssl/t1_lib.c | 5 ++++- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 681058597b..eacc6caa28 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -98,10 +98,6 @@ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); /* typedef struct dsa_st DSA; */ /* typedef struct dsa_method DSA_METHOD; */ -/* - * TODO(3.0): consider removing the ASN.1 encoding and decoding when - * deserialization is completed elsewhere. - */ # define d2i_DSAparams_fp(fp, x) \ (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \ (char *(*)())d2i_DSAparams, (fp), \ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ae27add6df..a6c87ad75d 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3491,7 +3491,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #endif case SSL_CTRL_SET_TLSEXT_HOSTNAME: /* - * TODO(OpenSSL1.2) * This API is only used for a client to set what SNI it will request * from the server, but we currently allow it to be used on servers * as well, which is a programming error. Currently we just clear diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index c777a86eb7..7328c8e2b1 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2036,7 +2036,10 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) /* DSA is not allowed in TLS 1.3 */ if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) return 0; - /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */ + /* + * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 + * spec + */ if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX || lu->hash_idx == SSL_MD_MD5_IDX From dev at ddvo.net Thu Feb 4 15:43:39 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 04 Feb 2021 15:43:39 +0000 Subject: [openssl] master update Message-ID: <1612453419.914303.20893.nullmailer@dev.openssl.org> The branch master has been updated via 88444854affe31ce08a5daaf4b6afc86e6972c63 (commit) from af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3 (commit) - Log ----------------------------------------------------------------- commit 88444854affe31ce08a5daaf4b6afc86e6972c63 Author: Dr. David von Oheimb Date: Sun Oct 4 21:55:49 2020 +0200 x509_vfy.c: Improve coding style and comments all over the file No changes in semantics. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13070) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 680 ++++++++++++++++++++++--------------------------- 1 file changed, 301 insertions(+), 379 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 8e78c13b8e..ec7df5caa6 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -29,41 +29,16 @@ /* CRL score values */ -/* No unhandled critical extensions */ - -#define CRL_SCORE_NOCRITICAL 0x100 - -/* certificate is within CRL scope */ - -#define CRL_SCORE_SCOPE 0x080 - -/* CRL times valid */ - -#define CRL_SCORE_TIME 0x040 - -/* Issuer name matches certificate */ - -#define CRL_SCORE_ISSUER_NAME 0x020 - -/* If this score or above CRL is probably valid */ - -#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) - -/* CRL issuer is certificate issuer */ - -#define CRL_SCORE_ISSUER_CERT 0x018 - -/* CRL issuer is on certificate path */ - -#define CRL_SCORE_SAME_PATH 0x008 - -/* CRL issuer matches CRL AKID */ - -#define CRL_SCORE_AKID 0x004 - -/* Have a delta CRL with valid times */ - -#define CRL_SCORE_TIME_DELTA 0x002 +#define CRL_SCORE_NOCRITICAL 0x100 /* No unhandled critical extensions */ +#define CRL_SCORE_SCOPE 0x080 /* certificate is within CRL scope */ +#define CRL_SCORE_TIME 0x040 /* CRL times valid */ +#define CRL_SCORE_ISSUER_NAME 0x020 /* Issuer name matches certificate */ +#define CRL_SCORE_VALID /* If this score or above CRL is probably valid */ \ + (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE) +#define CRL_SCORE_ISSUER_CERT 0x018 /* CRL issuer is certificate issuer */ +#define CRL_SCORE_SAME_PATH 0x008 /* CRL issuer is on certificate path */ +#define CRL_SCORE_AKID 0x004 /* CRL issuer matches CRL AKID */ +#define CRL_SCORE_TIME_DELTA 0x002 /* Have a delta CRL with valid times */ static int build_chain(X509_STORE_CTX *ctx); static int verify_chain(X509_STORE_CTX *ctx); @@ -137,6 +112,7 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) STACK_OF(X509) *certs; X509 *xtmp = NULL; int i; + /* Lookup all certs with matching subject name */ ERR_set_mark(); certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); @@ -233,26 +209,26 @@ static int verify_chain(X509_STORE_CTX *ctx) (ok = check_id(ctx)) == 0 || 1) X509_get_pubkey_parameters(NULL, ctx->chain); if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0) - return ok; + return 0; err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, ctx->param->flags); CB_FAIL_IF(err != X509_V_OK, ctx, NULL, ctx->error_depth, err); /* Verify chain signatures and expiration times */ - ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx); + ok = ctx->verify != NULL ? ctx->verify(ctx) : internal_verify(ctx); if (!ok) - return ok; + return 0; if ((ok = check_name_constraints(ctx)) == 0) - return ok; + return 0; #ifndef OPENSSL_NO_RFC3779 /* RFC 3779 path validation, now that CRL check has been done */ if ((ok = X509v3_asid_validate_path(ctx)) == 0) - return ok; + return 0; if ((ok = X509v3_addr_validate_path(ctx)) == 0) - return ok; + return 0; #endif /* If we get this far evaluate policies */ @@ -292,10 +268,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) CB_FAIL_IF(!check_key_level(ctx, ctx->cert), ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL); - if (DANETLS_ENABLED(dane)) - ret = dane_verify(ctx); - else - ret = verify_chain(ctx); + ret = DANETLS_ENABLED(dane) ? dane_verify(ctx) : verify_chain(ctx); /* * Safety-net. If we are returning an error, we must also set ctx->error, @@ -353,13 +326,9 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer) static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); + if (*issuer != NULL && X509_up_ref(*issuer)) + return 1; - if (*issuer == NULL || !X509_up_ref(*issuer)) - goto err; - - return 1; - - err: *issuer = NULL; return 0; } @@ -440,10 +409,8 @@ static int check_chain(X509_STORE_CTX *ctx) { int i, must_be_ca, plen = 0; X509 *x; - int proxy_path_length = 0; - int purpose; - int allow_proxy_certs; - int num = sk_X509_num(ctx->chain); + int ret, proxy_path_length = 0; + int purpose, allow_proxy_certs, num = sk_X509_num(ctx->chain); /*- * must_be_ca can have 1 of 3 values: @@ -457,23 +424,21 @@ static int check_chain(X509_STORE_CTX *ctx) must_be_ca = -1; /* CRL path validation */ - if (ctx->parent) { + if (ctx->parent != NULL) { allow_proxy_certs = 0; purpose = X509_PURPOSE_CRL_SIGN; } else { allow_proxy_certs = - ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + (ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS) != 0; purpose = ctx->param->purpose; } for (i = 0; i < num; i++) { - int ret; - x = sk_X509_value(ctx->chain, i); CB_FAIL_IF((ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) == 0 && (x->ex_flags & EXFLAG_CRITICAL) != 0, ctx, x, i, X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION); - CB_FAIL_IF(!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY), + CB_FAIL_IF(!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY) != 0, ctx, x, i, X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED); ret = X509_check_ca(x); switch (must_be_ca) { @@ -489,7 +454,7 @@ static int check_chain(X509_STORE_CTX *ctx) /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */ CB_FAIL_IF(ret == 0 || ((i + 1 < num - || ctx->param->flags & X509_V_FLAG_X509_STRICT) + || (ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0) && ret != 1), ctx, x, i, X509_V_ERR_INVALID_CA); break; } @@ -607,8 +572,9 @@ static int check_chain(X509_STORE_CTX *ctx) } proxy_path_length++; must_be_ca = 0; - } else + } else { must_be_ca = 1; + } } return 1; } @@ -644,7 +610,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) int j; /* Ignore self-issued certs unless last in chain */ - if (i && (x->ex_flags & EXFLAG_SI)) + if (i != 0 && (x->ex_flags & EXFLAG_SI) != 0) continue; /* @@ -653,16 +619,16 @@ static int check_name_constraints(X509_STORE_CTX *ctx) * added. * (RFC 3820: 3.4, 4.1.3 (a)(4)) */ - if (x->ex_flags & EXFLAG_PROXY) { + if ((x->ex_flags & EXFLAG_PROXY) != 0) { X509_NAME *tmpsubject = X509_get_subject_name(x); X509_NAME *tmpissuer = X509_get_issuer_name(x); X509_NAME_ENTRY *tmpentry = NULL; - int last_object_nid = 0; + int last_nid = 0; int err = X509_V_OK; - int last_object_loc = X509_NAME_entry_count(tmpsubject) - 1; + int last_loc = X509_NAME_entry_count(tmpsubject) - 1; /* Check that there are at least two RDNs */ - if (last_object_loc < 1) { + if (last_loc < 1) { err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; goto proxy_name_done; } @@ -681,10 +647,9 @@ static int check_name_constraints(X509_STORE_CTX *ctx) * Check that the last subject component isn't part of a * multi-valued RDN */ - if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, - last_object_loc)) + if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, last_loc)) == X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, - last_object_loc - 1))) { + last_loc - 1))) { err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; goto proxy_name_done; } @@ -700,12 +665,10 @@ static int check_name_constraints(X509_STORE_CTX *ctx) return 0; } - tmpentry = - X509_NAME_delete_entry(tmpsubject, last_object_loc); - last_object_nid = - OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry)); + tmpentry = X509_NAME_delete_entry(tmpsubject, last_loc); + last_nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry)); - if (last_object_nid != NID_commonName + if (last_nid != NID_commonName || X509_NAME_cmp(tmpsubject, tmpissuer) != 0) { err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; } @@ -713,7 +676,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) X509_NAME_ENTRY_free(tmpentry); X509_NAME_free(tmpsubject); - proxy_name_done: + proxy_name_done: CB_FAIL_IF(err != X509_V_OK, ctx, x, i, err); } @@ -780,15 +743,17 @@ static int check_id(X509_STORE_CTX *ctx) { X509_VERIFY_PARAM *vpm = ctx->param; X509 *x = ctx->cert; - if (vpm->hosts && check_hosts(x, vpm) <= 0) { + + if (vpm->hosts != NULL && check_hosts(x, vpm) <= 0) { if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) return 0; } - if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) { + if (vpm->email != NULL + && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) { if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) return 0; } - if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) { + if (vpm->ip != NULL && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) { if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) return 0; } @@ -850,7 +815,7 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) i = 0; x = sk_X509_value(ctx->chain, i); mx = lookup_cert_match(ctx, x); - if (!mx) + if (mx == NULL) return X509_TRUST_UNTRUSTED; /* @@ -864,7 +829,7 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) } /* Replace leaf with trusted match */ - (void) sk_X509_set(ctx->chain, 0, mx); + (void)sk_X509_set(ctx->chain, 0, mx); X509_free(x); ctx->num_untrusted = 0; goto trusted; @@ -894,11 +859,12 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) static int check_revocation(X509_STORE_CTX *ctx) { int i = 0, last = 0, ok = 0; - if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) + + if ((ctx->param->flags & X509_V_FLAG_CRL_CHECK) == 0) return 1; - if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) + if ((ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) != 0) { last = sk_X509_num(ctx->chain) - 1; - else { + } else { /* If checking CRL paths this isn't the EE certificate */ if (ctx->parent) return 1; @@ -925,14 +891,14 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_crl_score = 0; ctx->current_reasons = 0; - if (x->ex_flags & EXFLAG_PROXY) + if ((x->ex_flags & EXFLAG_PROXY) != 0) return 1; while (ctx->current_reasons != CRLDP_ALL_REASONS) { unsigned int last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */ - if (ctx->get_crl) + if (ctx->get_crl != NULL) ok = ctx->get_crl(ctx, &crl, x); else ok = get_crl_delta(ctx, &crl, &dcrl, x); @@ -946,15 +912,16 @@ static int check_cert(X509_STORE_CTX *ctx) if (!ok) goto done; - if (dcrl) { + if (dcrl != NULL) { ok = ctx->check_crl(ctx, dcrl); if (!ok) goto done; ok = ctx->cert_crl(ctx, dcrl, x); if (!ok) goto done; - } else + } else { ok = 1; + } /* Don't look in full CRL if delta reason is removefromCRL */ if (ok != 2) { @@ -992,9 +959,9 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) if (notify) ctx->current_crl = crl; - if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) + if ((ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) != 0) ptime = &ctx->param->check_time; - else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + else if ((ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) != 0) return 1; else ptime = NULL; @@ -1024,10 +991,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) return 0; } /* Ignore expiration of base CRL is delta is valid */ - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { - if (!notify) - return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED)) + if (i < 0 && (ctx->current_crl_score & CRL_SCORE_TIME_DELTA) == 0) { + if (!notify || !verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED)) return 0; } } @@ -1057,6 +1022,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, /* If current CRL is equivalent use it if it is newer */ if (crl_score == best_score && best_crl != NULL) { int day, sec; + if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl), X509_CRL_get0_lastUpdate(crl)) == 0) continue; @@ -1073,7 +1039,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, best_reasons = reasons; } - if (best_crl) { + if (best_crl != NULL) { X509_CRL_free(*pcrl); *pcrl = best_crl; *pissuer = best_crl_issuer; @@ -1097,50 +1063,44 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, */ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) { - ASN1_OCTET_STRING *exta, *extb; - int i; - i = X509_CRL_get_ext_by_NID(a, nid, -1); + ASN1_OCTET_STRING *exta = NULL, *extb = NULL; + int i = X509_CRL_get_ext_by_NID(a, nid, -1); + if (i >= 0) { /* Can't have multiple occurrences */ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) return 0; exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); - } else - exta = NULL; + } i = X509_CRL_get_ext_by_NID(b, nid, -1); - if (i >= 0) { - if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) return 0; extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); - } else - extb = NULL; + } - if (!exta && !extb) + if (exta == NULL && extb == NULL) return 1; - if (!exta || !extb) - return 0; - - if (ASN1_OCTET_STRING_cmp(exta, extb)) + if (exta == NULL || extb == NULL) return 0; - return 1; + return ASN1_OCTET_STRING_cmp(exta, extb) == 0; } /* See if a base and delta are compatible */ static int check_delta_base(X509_CRL *delta, X509_CRL *base) { /* Delta CRL must be a delta */ - if (!delta->base_crl_number) + if (delta->base_crl_number == NULL) return 0; /* Base must have a CRL number */ - if (!base->crl_number) + if (base->crl_number == NULL) return 0; /* Issuer names must match */ - if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta))) + if (X509_NAME_cmp(X509_CRL_get_issuer(base), + X509_CRL_get_issuer(delta)) != 0) return 0; /* AKID and IDP must match */ if (!crl_extension_match(delta, base, NID_authority_key_identifier)) @@ -1151,9 +1111,7 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) return 0; /* Delta CRL number must exceed full CRL number */ - if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) - return 1; - return 0; + return ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0; } /* @@ -1165,9 +1123,10 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, { X509_CRL *delta; int i; - if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) + + if ((ctx->param->flags & X509_V_FLAG_USE_DELTAS) == 0) return; - if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) + if (((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST) == 0) return; for (i = 0; i < sk_X509_CRL_num(crls); i++) { delta = sk_X509_CRL_value(crls, i); @@ -1192,35 +1151,35 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x) { - int crl_score = 0; unsigned int tmp_reasons = *preasons, crl_reasons; /* First see if we can reject CRL straight away */ /* Invalid IDP cannot be processed */ - if (crl->idp_flags & IDP_INVALID) + if ((crl->idp_flags & IDP_INVALID) != 0) return 0; /* Reason codes or indirect CRLs need extended CRL support */ - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { + if ((ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT) == 0) { if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) return 0; - } else if (crl->idp_flags & IDP_REASONS) { + } else if ((crl->idp_flags & IDP_REASONS) != 0) { /* If no new reasons reject */ - if (!(crl->idp_reasons & ~tmp_reasons)) + if ((crl->idp_reasons & ~tmp_reasons) == 0) return 0; } /* Don't process deltas at this stage */ - else if (crl->base_crl_number) + else if (crl->base_crl_number != NULL) return 0; /* If issuer name doesn't match certificate need indirect CRL */ - if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { - if (!(crl->idp_flags & IDP_INDIRECT)) + if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)) != 0) { + if ((crl->idp_flags & IDP_INDIRECT) == 0) return 0; - } else + } else { crl_score |= CRL_SCORE_ISSUER_NAME; + } - if (!(crl->flags & EXFLAG_CRITICAL)) + if ((crl->flags & EXFLAG_CRITICAL) == 0) crl_score |= CRL_SCORE_NOCRITICAL; /* Check expiration */ @@ -1231,14 +1190,13 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, crl_akid_check(ctx, crl, pissuer, &crl_score); /* If we can't locate certificate issuer at this point forget it */ - if (!(crl_score & CRL_SCORE_AKID)) + if ((crl_score & CRL_SCORE_AKID) == 0) return 0; /* Check cert for matching CRL distribution points */ - if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { /* If no new reasons reject */ - if (!(crl_reasons & ~tmp_reasons)) + if ((crl_reasons & ~tmp_reasons) == 0) return 0; tmp_reasons |= crl_reasons; crl_score |= CRL_SCORE_SCOPE; @@ -1283,7 +1241,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, } /* Anything else needs extended CRL support */ - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) + if ((ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT) == 0) return; /* @@ -1292,7 +1250,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, */ for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { crl_issuer = sk_X509_value(ctx->untrusted, i); - if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) + if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm) != 0) continue; if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pissuer = crl_issuer; @@ -1314,7 +1272,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) int ret; /* Don't allow recursive CRL path validation */ - if (ctx->parent) + if (ctx->parent != NULL) return 0; if (!X509_STORE_CTX_init(&crl_ctx, ctx->store, x, ctx->untrusted)) return -1; @@ -1350,12 +1308,10 @@ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, STACK_OF(X509) *crl_path) { - X509 *cert_ta, *crl_ta; - cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); - crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); - if (!X509_cmp(cert_ta, crl_ta)) - return 1; - return 0; + X509 *cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); + X509 *crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); + + return X509_cmp(cert_ta, crl_ta) == 0; } /*- @@ -1371,25 +1327,23 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) GENERAL_NAMES *gens = NULL; GENERAL_NAME *gena, *genb; int i, j; - if (!a || !b) + + if (a == NULL || b == NULL) return 1; if (a->type == 1) { - if (!a->dpname) + if (a->dpname == NULL) return 0; /* Case 1: two X509_NAME */ if (b->type == 1) { - if (!b->dpname) - return 0; - if (!X509_NAME_cmp(a->dpname, b->dpname)) - return 1; - else + if (b->dpname == NULL) return 0; + return X509_NAME_cmp(a->dpname, b->dpname) == 0; } /* Case 2: set name and GENERAL_NAMES appropriately */ nm = a->dpname; gens = b->name.fullname; } else if (b->type == 1) { - if (!b->dpname) + if (b->dpname == NULL) return 0; /* Case 2: set name and GENERAL_NAMES appropriately */ gens = a->name.fullname; @@ -1397,12 +1351,12 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) } /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ - if (nm) { + if (nm != NULL) { for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gena = sk_GENERAL_NAME_value(gens, i); if (gena->type != GEN_DIRNAME) continue; - if (!X509_NAME_cmp(nm, gena->d.directoryName)) + if (X509_NAME_cmp(nm, gena->d.directoryName) == 0) return 1; } return 0; @@ -1414,7 +1368,7 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) gena = sk_GENERAL_NAME_value(a->name.fullname, i); for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) { genb = sk_GENERAL_NAME_value(b->name.fullname, j); - if (!GENERAL_NAME_cmp(gena, genb)) + if (GENERAL_NAME_cmp(gena, genb) == 0) return 1; } } @@ -1427,14 +1381,16 @@ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) { int i; const X509_NAME *nm = X509_CRL_get_issuer(crl); + /* If no CRLissuer return is successful iff don't need a match */ - if (!dp->CRLissuer) - return ! !(crl_score & CRL_SCORE_ISSUER_NAME); + if (dp->CRLissuer == NULL) + return (crl_score & CRL_SCORE_ISSUER_NAME) != 0; for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); + if (gen->type != GEN_DIRNAME) continue; - if (!X509_NAME_cmp(gen->d.directoryName, nm)) + if (X509_NAME_cmp(gen->d.directoryName, nm) == 0) return 1; } return 0; @@ -1445,29 +1401,30 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) { int i; - if (crl->idp_flags & IDP_ONLYATTR) + + if ((crl->idp_flags & IDP_ONLYATTR) != 0) return 0; - if (x->ex_flags & EXFLAG_CA) { - if (crl->idp_flags & IDP_ONLYUSER) + if ((x->ex_flags & EXFLAG_CA) != 0) { + if ((crl->idp_flags & IDP_ONLYUSER) != 0) return 0; } else { - if (crl->idp_flags & IDP_ONLYCA) + if ((crl->idp_flags & IDP_ONLYCA) != 0) return 0; } *preasons = crl->idp_reasons; for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); + if (crldp_check_crlissuer(dp, crl, crl_score)) { - if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) { + if (crl->idp == NULL + || idp_check_dp(dp->distpoint, crl->idp->distpoint)) { *preasons &= dp->dp_reasons; return 1; } } } - if ((!crl->idp || !crl->idp->distpoint) - && (crl_score & CRL_SCORE_ISSUER_NAME)) - return 1; - return 0; + return (crl->idp == NULL || crl->idp->distpoint == NULL) + && (crl_score & CRL_SCORE_ISSUER_NAME) != 0; } /* @@ -1495,7 +1452,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, skcrl = ctx->lookup_crls(ctx, nm); /* If no CRLs found and a near match from get_crl_sk use that */ - if (!skcrl && crl) + if (skcrl == NULL && crl != NULL) goto done; get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); @@ -1504,7 +1461,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, done: /* If we got any kind of CRL use it and return success */ - if (crl) { + if (crl != NULL) { ctx->current_issuer = issuer; ctx->current_crl_score = crl_score; ctx->current_reasons = reasons; @@ -1524,15 +1481,15 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) int chnum = sk_X509_num(ctx->chain) - 1; /* If we have an alternative CRL issuer cert use that */ - if (ctx->current_issuer) + if (ctx->current_issuer != NULL) { issuer = ctx->current_issuer; /* * Else find CRL issuer: if not last certificate then issuer is next * certificate in chain. */ - else if (cnum < chnum) + } else if (cnum < chnum) { issuer = sk_X509_value(ctx->chain, cnum + 1); - else { + } else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self-issued, can't check signature */ if (!ctx->check_issued(ctx, issuer, issuer) && @@ -1546,39 +1503,38 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) /* * Skip most tests for deltas because they have already been done */ - if (!crl->base_crl_number) { + if (crl->base_crl_number == NULL) { /* Check for cRLSign bit if keyUsage present */ - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN) && + if ((issuer->ex_flags & EXFLAG_KUSAGE) != 0 && + (issuer->ex_kusage & KU_CRL_SIGN) == 0 && !verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)) return 0; - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) && + if ((ctx->current_crl_score & CRL_SCORE_SCOPE) == 0 && !verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE)) return 0; - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) && + if ((ctx->current_crl_score & CRL_SCORE_SAME_PATH) == 0 && check_crl_path(ctx, ctx->current_issuer) <= 0 && !verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR)) return 0; - if ((crl->idp_flags & IDP_INVALID) && + if ((crl->idp_flags & IDP_INVALID) != 0 && !verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION)) return 0; } - if (!(ctx->current_crl_score & CRL_SCORE_TIME) && + if ((ctx->current_crl_score & CRL_SCORE_TIME) == 0 && !check_crl_time(ctx, crl, 1)) return 0; /* Attempt to get issuer certificate public key */ ikey = X509_get0_pubkey(issuer); - - if (!ikey && + if (ikey == NULL && !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) return 0; - if (ikey) { + if (ikey != NULL) { int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); if (rv != X509_V_OK && !verify_cb_crl(ctx, rv)) @@ -1602,8 +1558,8 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) * was revoked. This has since been changed since critical extensions can * change the meaning of CRL entries. */ - if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL) && + if ((ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) == 0 + && (crl->flags & EXFLAG_CRITICAL) != 0 && !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)) return 0; /* @@ -1675,7 +1631,7 @@ static int check_policy(X509_STORE_CTX *ctx) return 0; } - if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { + if ((ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) != 0) { ctx->current_cert = NULL; /* * Verification errors need to be "sticky", a callback may have allowed @@ -1702,9 +1658,9 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) time_t *ptime; int i; - if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) + if ((ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) != 0) ptime = &ctx->param->check_time; - else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + else if ((ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) != 0) return 1; else ptime = NULL; @@ -1728,55 +1684,54 @@ static int internal_verify(X509_STORE_CTX *ctx) { int n = sk_X509_num(ctx->chain) - 1; X509 *xi = sk_X509_value(ctx->chain, n); - X509 *xs; + X509 *xs = xi; - /* - * With DANE-verified bare public key TA signatures, it remains only to - * check the timestamps of the top certificate. We report the issuer as - * NULL, since all we have is a bare key. - */ + ctx->error_depth = n; if (ctx->bare_ta_signed) { - xs = xi; + /* + * With DANE-verified bare public key TA signatures, + * on the top certificate we check only the timestamps. + * We report the issuer as NULL because all we have is a bare key. + */ xi = NULL; - goto check_cert_time; - } - - if (ctx->check_issued(ctx, xi, xi)) - xs = xi; /* The typical case: last cert in the chain is self-issued */ - else { - if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { - xs = xi; - goto check_cert_time; - } - if (n <= 0) { - CB_FAIL_IF(1, ctx, xi, 0, X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); - - xs = xi; - goto check_cert_time; + } else if (!ctx->check_issued(ctx, xi, xi) + /* exceptional case: last cert in the chain is not self-issued */ + && ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) == 0)) { + if (n > 0) { + n--; + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); + } else { + CB_FAIL_IF(1, ctx, xi, 0, + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); } - - n--; - ctx->error_depth = n; - xs = sk_X509_value(ctx->chain, n); + /* + * The below code will certainly not do a + * self-signature check on xi because it is not self-issued. + */ } /* - * Do not clear ctx->error=0, it must be "sticky", only the user's callback - * is allowed to reset errors (at its own peril). + * Do not clear ctx->error = 0, it must be "sticky", + * only the user's callback is allowed to reset errors (at its own peril). */ while (n >= 0) { /*- * For each iteration of this loop: * n is the subject depth * xs is the subject cert, for which the signature is to be checked - * xi is the supposed issuer cert containing the public key to use + * xi is NULL for DANE-verified bare public key TA signatures + * else the supposed issuer cert containing the public key to use * Initially xs == xi if the last cert in the chain is self-issued. - * - * Skip signature check for self-signed certificates unless explicitly + */ + /* + * Do signature check for self-signed certificates only if explicitly * asked for because it does not add any security and just wastes time. */ - if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) - && (xi->ex_flags & EXFLAG_SS) != 0)) { + if (xi != NULL + && (xs != xi + || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) + && (xi->ex_flags & EXFLAG_SS) != 0))) { EVP_PKEY *pkey; /* * If the issuer's public key is not available or its key usage @@ -1810,7 +1765,7 @@ static int internal_verify(X509_STORE_CTX *ctx) } } - check_cert_time: /* in addition to RFC 5280, do also for trusted (root) cert */ + /* in addition to RFC 5280, do also for trusted (root) cert */ /* Calls verify callback as needed */ if (!x509_check_cert_time(ctx, xs, n)) return 0; @@ -1849,6 +1804,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) #else const char upper_z = 'Z'; #endif + /*- * Note that ASN.1 allows much more slack in the time format than RFC5280. * In RFC5280, the representation is fixed: @@ -1893,7 +1849,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time); if (asn1_cmp_time == NULL) goto err; - if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time)) + if (ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time) == 0) goto err; /* @@ -1952,7 +1908,7 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, else time(&t); - if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { + if (s != NULL && (s->flags & ASN1_STRING_FLAG_MSTRING) == 0) { if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec); if (s->type == V_ASN1_GENERALIZEDTIME) @@ -2000,19 +1956,21 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, { X509_CRL *crl = NULL; int i; + STACK_OF(X509_REVOKED) *revs = NULL; /* CRLs can't be delta already */ - if (base->base_crl_number || newer->base_crl_number) { + if (base->base_crl_number != NULL || newer->base_crl_number != NULL) { ERR_raise(ERR_LIB_X509, X509_R_CRL_ALREADY_DELTA); return NULL; } /* Base and new CRL must have a CRL number */ - if (!base->crl_number || !newer->crl_number) { + if (base->crl_number == NULL || newer->crl_number == NULL) { ERR_raise(ERR_LIB_X509, X509_R_NO_CRL_NUMBER); return NULL; } /* Issuer names must match */ - if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) { + if (X509_NAME_cmp(X509_CRL_get_issuer(base), + X509_CRL_get_issuer(newer)) != 0) { ERR_raise(ERR_LIB_X509, X509_R_ISSUER_MISMATCH); return NULL; } @@ -2031,8 +1989,8 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, return NULL; } /* CRLs must verify */ - if (skey && (X509_CRL_verify(base, skey) <= 0 || - X509_CRL_verify(newer, skey) <= 0)) { + if (skey != NULL && (X509_CRL_verify(base, skey) <= 0 || + X509_CRL_verify(newer, skey) <= 0)) { ERR_raise(ERR_LIB_X509, X509_R_CRL_VERIFY_FAILURE); return NULL; } @@ -2058,8 +2016,8 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, * number to correct value too. */ for (i = 0; i < X509_CRL_get_ext_count(newer); i++) { - X509_EXTENSION *ext; - ext = X509_CRL_get_ext(newer, i); + X509_EXTENSION *ext = X509_CRL_get_ext(newer, i); + if (!X509_CRL_add_ext(crl, ext, -1)) goto memerr; } @@ -2069,6 +2027,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, for (i = 0; i < sk_X509_REVOKED_num(revs); i++) { X509_REVOKED *rvn, *rvtmp; + rvn = sk_X509_REVOKED_value(revs, i); /* * Add only if not also in base. TODO: need something cleverer here @@ -2076,7 +2035,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, */ if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) { rvtmp = X509_REVOKED_dup(rvn); - if (!rvtmp) + if (rvtmp == NULL) goto memerr; if (!X509_CRL_add0_revoked(crl, rvtmp)) { X509_REVOKED_free(rvtmp); @@ -2086,7 +2045,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, } /* TODO: optionally prune deleted entries */ - if (skey && md && !X509_CRL_sign(crl, skey, md)) + if (skey != NULL && md != NULL && !X509_CRL_sign(crl, skey, md)) goto memerr; return crl; @@ -2144,7 +2103,7 @@ STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx) STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx) { - if (!ctx->chain) + if (ctx->chain == NULL) return NULL; return X509_chain_up_ref(ctx->chain); } @@ -2208,12 +2167,14 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust) { int idx; + /* If purpose not set use default */ if (purpose == 0) purpose = def_purpose; /* If we have a purpose then check it is valid */ if (purpose != 0) { X509_PURPOSE *ptmp; + idx = X509_PURPOSE_get_by_id(purpose); if (idx == -1) { ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_PURPOSE_ID); @@ -2234,10 +2195,10 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, ptmp = X509_PURPOSE_get0(idx); } /* If trust not set then get from purpose default */ - if (!trust) + if (trust == 0) trust = ptmp->trust; } - if (trust) { + if (trust != 0) { idx = X509_TRUST_get_by_id(trust); if (idx == -1) { ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_TRUST_ID); @@ -2245,9 +2206,9 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, } } - if (purpose && !ctx->param->purpose) + if (ctx->param->purpose == 0 && purpose != 0) ctx->param->purpose = purpose; - if (trust && !ctx->param->trust) + if (ctx->param->trust == 0 && trust != 0) ctx->param->trust = trust; return 1; } @@ -2279,7 +2240,6 @@ X509_STORE_CTX *X509_STORE_CTX_new(void) return X509_STORE_CTX_new_ex(NULL, NULL); } - void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { if (ctx == NULL) @@ -2289,7 +2249,6 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) /* libctx and propq survive X509_STORE_CTX_cleanup() */ OPENSSL_free(ctx->propq); - OPENSSL_free(ctx); } @@ -2322,62 +2281,62 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */ - if (store) + if (store != NULL) ctx->cleanup = store->cleanup; else ctx->cleanup = 0; - if (store && store->check_issued) + if (store != NULL && store->check_issued != NULL) ctx->check_issued = store->check_issued; else ctx->check_issued = check_issued; - if (store && store->get_issuer) + if (store != NULL && store->get_issuer != NULL) ctx->get_issuer = store->get_issuer; else ctx->get_issuer = X509_STORE_CTX_get1_issuer; - if (store && store->verify_cb) + if (store != NULL && store->verify_cb != NULL) ctx->verify_cb = store->verify_cb; else ctx->verify_cb = null_callback; - if (store && store->verify) + if (store != NULL && store->verify != NULL) ctx->verify = store->verify; else ctx->verify = internal_verify; - if (store && store->check_revocation) + if (store != NULL && store->check_revocation != NULL) ctx->check_revocation = store->check_revocation; else ctx->check_revocation = check_revocation; - if (store && store->get_crl) + if (store != NULL && store->get_crl != NULL) ctx->get_crl = store->get_crl; else ctx->get_crl = NULL; - if (store && store->check_crl) + if (store != NULL && store->check_crl != NULL) ctx->check_crl = store->check_crl; else ctx->check_crl = check_crl; - if (store && store->cert_crl) + if (store != NULL && store->cert_crl != NULL) ctx->cert_crl = store->cert_crl; else ctx->cert_crl = cert_crl; - if (store && store->check_policy) + if (store != NULL && store->check_policy != NULL) ctx->check_policy = store->check_policy; else ctx->check_policy = check_policy; - if (store && store->lookup_certs) + if (store != NULL && store->lookup_certs != NULL) ctx->lookup_certs = store->lookup_certs; else ctx->lookup_certs = X509_STORE_CTX_get1_certs; - if (store && store->lookup_crls) + if (store != NULL && store->lookup_crls != NULL) ctx->lookup_crls = store->lookup_crls; else ctx->lookup_crls = X509_STORE_CTX_get1_crls; @@ -2389,7 +2348,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, } /* Inherit callbacks and flags from X509_STORE if not set use defaults. */ - if (store) + if (store != NULL) ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; @@ -2525,19 +2484,20 @@ X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx) return ctx->verify; } -X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(const X509_STORE_CTX *ctx) +X509_STORE_CTX_get_issuer_fn +X509_STORE_CTX_get_get_issuer(const X509_STORE_CTX *ctx) { return ctx->get_issuer; } X509_STORE_CTX_check_issued_fn - X509_STORE_CTX_get_check_issued(const X509_STORE_CTX *ctx) +X509_STORE_CTX_get_check_issued(const X509_STORE_CTX *ctx) { return ctx->check_issued; } X509_STORE_CTX_check_revocation_fn - X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx) +X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx) { return ctx->check_revocation; } @@ -2547,30 +2507,32 @@ X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(const X509_STORE_CTX *ctx) return ctx->get_crl; } -X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(const X509_STORE_CTX *ctx) +X509_STORE_CTX_check_crl_fn +X509_STORE_CTX_get_check_crl(const X509_STORE_CTX *ctx) { return ctx->check_crl; } -X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(const X509_STORE_CTX *ctx) +X509_STORE_CTX_cert_crl_fn +X509_STORE_CTX_get_cert_crl(const X509_STORE_CTX *ctx) { return ctx->cert_crl; } X509_STORE_CTX_check_policy_fn - X509_STORE_CTX_get_check_policy(const X509_STORE_CTX *ctx) +X509_STORE_CTX_get_check_policy(const X509_STORE_CTX *ctx) { return ctx->check_policy; } X509_STORE_CTX_lookup_certs_fn - X509_STORE_CTX_get_lookup_certs(const X509_STORE_CTX *ctx) +X509_STORE_CTX_get_lookup_certs(const X509_STORE_CTX *ctx) { return ctx->lookup_certs; } X509_STORE_CTX_lookup_crls_fn - X509_STORE_CTX_get_lookup_crls(const X509_STORE_CTX *ctx) +X509_STORE_CTX_get_lookup_crls(const X509_STORE_CTX *ctx) { return ctx->lookup_crls; } @@ -2621,10 +2583,8 @@ void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane) ctx->dane = dane; } -static unsigned char *dane_i2d( - X509 *cert, - uint8_t selector, - unsigned int *i2dlen) +static unsigned char *dane_i2d(X509 *cert, uint8_t selector, + unsigned int *i2dlen) { unsigned char *buf = NULL; int len; @@ -2653,7 +2613,7 @@ static unsigned char *dane_i2d( return buf; } -#define DANETLS_NONE 256 /* impossible uint8_t */ +#define DANETLS_NONE 256 /* impossible uint8_t */ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) { @@ -2715,7 +2675,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) * exhausting all DANE-?? records, we've matched a PKIX-?? record, which is * sufficient for DANE, and what remains to do is ordinary PKIX validation. */ - recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0; + recnum = (dane->umask & mask) != 0 ? sk_danetls_record_num(dane->trecs) : 0; for (i = 0; matched == 0 && i < recnum; ++i) { t = sk_danetls_record_value(dane->trecs, i); if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0) @@ -2759,6 +2719,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) */ if (t->mtype != mtype) { const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype]; + cmpbuf = i2dbuf; cmplen = i2dlen; @@ -2803,7 +2764,7 @@ static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) X509 *cert; if (!DANETLS_HAS_TA(dane) || depth == 0) - return X509_TRUST_UNTRUSTED; + return X509_TRUST_UNTRUSTED; /* * Record any DANE trust anchor matches, for the first depth to test, if @@ -2815,10 +2776,10 @@ static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) return X509_TRUST_REJECTED; if (matched > 0) { ctx->num_untrusted = depth - 1; - return X509_TRUST_TRUSTED; + return X509_TRUST_TRUSTED; } - return X509_TRUST_UNTRUSTED; + return X509_TRUST_UNTRUSTED; } static int check_dane_pkeys(X509_STORE_CTX *ctx) @@ -2955,9 +2916,9 @@ static int build_chain(X509_STORE_CTX *ctx) { SSL_DANE *dane = ctx->dane; int num = sk_X509_num(ctx->chain); - X509 *cert = sk_X509_value(ctx->chain, num - 1); - int self_signed; - STACK_OF(X509) *sktmp = NULL; + X509 *curr = sk_X509_value(ctx->chain, num - 1); /* current end of chain */ + int self_signed = X509_self_signed(curr, 0); /* always refers to curr */ + STACK_OF(X509) *sk_untrusted = NULL; unsigned int search; int may_trusted = 0; int may_alternate = 0; @@ -2968,21 +2929,14 @@ static int build_chain(X509_STORE_CTX *ctx) int i; /* Our chain starts with a single untrusted element. */ - if (!ossl_assert(num == 1 && ctx->num_untrusted == num)) { - ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); - ctx->error = X509_V_ERR_UNSPECIFIED; - return 0; - } - - self_signed = X509_self_signed(cert, 0); - if (self_signed < 0) { - ctx->error = X509_V_ERR_UNSPECIFIED; - return 0; - } - -#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */ -#define S_DOTRUSTED (1 << 1) /* Search trusted store */ -#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */ + if (!ossl_assert(num == 1 && ctx->num_untrusted == num)) + goto int_err; + if (self_signed < 0) + goto int_err; + +#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */ +#define S_DOTRUSTED (1 << 1) /* Search trusted store */ +#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */ /* * Set up search policy, untrusted if possible, trusted-first if enabled. * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the @@ -2992,7 +2946,7 @@ static int build_chain(X509_STORE_CTX *ctx) */ search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0; if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) { - if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) + if (search == 0 || (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) != 0) search |= S_DOTRUSTED; else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) may_alternate = 1; @@ -3004,7 +2958,7 @@ static int build_chain(X509_STORE_CTX *ctx) * typically the content of the peer's certificate message) so can make * multiple passes over it, while free to remove elements as we go. */ - if ((sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { + if ((sk_untrusted = sk_X509_dup(ctx->untrusted)) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; @@ -3021,13 +2975,13 @@ static int build_chain(X509_STORE_CTX *ctx) * this to change. ] */ if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) { + if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; } - if (!X509_add_certs(sktmp, dane->certs, X509_ADD_FLAG_DEFAULT)) { - sk_X509_free(sktmp); + if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) { + sk_X509_free(sk_untrusted); ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; } @@ -3037,8 +2991,8 @@ static int build_chain(X509_STORE_CTX *ctx) * Still absurdly large, but arithmetically safe, a lower hard upper bound * might be reasonable. */ - if (ctx->param->depth > INT_MAX/2) - ctx->param->depth = INT_MAX/2; + if (ctx->param->depth > INT_MAX / 2) + ctx->param->depth = INT_MAX / 2; /* * Try to extend the chain until we reach an ultimately trusted issuer. @@ -3048,8 +3002,7 @@ static int build_chain(X509_STORE_CTX *ctx) depth = ctx->param->depth + 1; while (search != 0) { - X509 *x; - X509 *xtmp = NULL; + X509 *issuer = NULL; /* * Look in the trust store if enabled for first lookup, or we've run @@ -3085,15 +3038,14 @@ static int build_chain(X509_STORE_CTX *ctx) */ i = alt_untrusted; } - x = sk_X509_value(ctx->chain, i-1); + curr = sk_X509_value(ctx->chain, i - 1); - ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x); + ok = depth < num ? 0 : get_issuer(&issuer, ctx, curr); if (ok < 0) { trust = X509_TRUST_REJECTED; ctx->error = X509_V_ERR_STORE_LOOKUP; - search = 0; - continue; + break; } if (ok > 0) { @@ -3114,11 +3066,10 @@ static int build_chain(X509_STORE_CTX *ctx) if ((search & S_DOALTERNATE) != 0) { if (!ossl_assert(num > i && i > 0 && !self_signed)) { ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); - X509_free(xtmp); + X509_free(issuer); trust = X509_TRUST_REJECTED; ctx->error = X509_V_ERR_UNSPECIFIED; - search = 0; - continue; + break; } search &= ~S_DOALTERNATE; for (; num > i; --num) @@ -3141,19 +3092,15 @@ static int build_chain(X509_STORE_CTX *ctx) * trusted matching issuer. Otherwise, grow the chain. */ if (!self_signed) { - if (!sk_X509_push(ctx->chain, x = xtmp)) { - X509_free(xtmp); + curr = issuer; + if ((self_signed = X509_self_signed(curr, 0)) < 0) + goto int_err; + if (!sk_X509_push(ctx->chain, curr)) { + X509_free(issuer); ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); trust = X509_TRUST_REJECTED; ctx->error = X509_V_ERR_OUT_OF_MEM; - search = 0; - continue; - } - self_signed = X509_self_signed(x, 0); - if (self_signed < 0) { - sk_X509_free(sktmp); - ctx->error = X509_V_ERR_UNSPECIFIED; - return 0; + break; } } else if (num == ctx->num_untrusted) { /* @@ -3162,14 +3109,16 @@ static int build_chain(X509_STORE_CTX *ctx) * a trust anchor. We must have an exact match to avoid * possible impersonation via key substitution etc. */ - if (X509_cmp(x, xtmp) != 0) { + if (X509_cmp(curr, issuer) != 0) { /* Self-signed untrusted mimic. */ - X509_free(xtmp); + X509_free(issuer); ok = 0; - } else { - X509_free(x); + } else { /* curr "==" issuer */ + X509_free(curr); ctx->num_untrusted = --num; - (void) sk_X509_set(ctx->chain, num, x = xtmp); + (void)sk_X509_set(ctx->chain, num, issuer); + curr = issuer; + /* no need to update self_signed */ } } @@ -3187,20 +3136,13 @@ static int build_chain(X509_STORE_CTX *ctx) * certificate with ctx->num_untrusted <= num. */ if (ok) { - if (!ossl_assert(ctx->num_untrusted <= num)) { - ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_UNSPECIFIED; - search = 0; - continue; - } + if (!ossl_assert(ctx->num_untrusted <= num)) + goto int_err; search &= ~S_DOUNTRUSTED; - switch (trust = check_trust(ctx, num)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - search = 0; - continue; - } + trust = check_trust(ctx, num); + if (trust == X509_TRUST_TRUSTED + || trust == X509_TRUST_REJECTED) + break; if (!self_signed) continue; } @@ -3228,26 +3170,21 @@ static int build_chain(X509_STORE_CTX *ctx) } /* - * Extend chain with peer-provided certificates + * Extend chain with peer-provided untrusted certificates */ if ((search & S_DOUNTRUSTED) != 0) { num = sk_X509_num(ctx->chain); - if (!ossl_assert(num == ctx->num_untrusted)) { - ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_UNSPECIFIED; - search = 0; - continue; - } - x = sk_X509_value(ctx->chain, num-1); - - /* - * Once we run out of untrusted issuers, we stop looking for more - * and start looking only in the trust store if enabled. - */ - xtmp = (self_signed || depth < num) ? NULL - : find_issuer(ctx, sktmp, x); - if (xtmp == NULL) { + if (!ossl_assert(num == ctx->num_untrusted)) + goto int_err; + curr = sk_X509_value(ctx->chain, num - 1); + issuer = (self_signed || depth < num) ? + NULL : find_issuer(ctx, sk_untrusted, curr); + if (issuer == NULL) { + /* + * Once we have reached a self-signed cert or num exceeds depth + * or can't find an issuer in the untrusted list we stop looking + * there and start looking only in the trust store if enabled. + */ search &= ~S_DOUNTRUSTED; if (may_trusted) search |= S_DOTRUSTED; @@ -3255,44 +3192,23 @@ static int build_chain(X509_STORE_CTX *ctx) } /* Drop this issuer from future consideration */ - (void) sk_X509_delete_ptr(sktmp, xtmp); + (void)sk_X509_delete_ptr(sk_untrusted, issuer); - if (!X509_up_ref(xtmp)) { - ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_UNSPECIFIED; - search = 0; - continue; - } - - if (!sk_X509_push(ctx->chain, xtmp)) { - X509_free(xtmp); - ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_OUT_OF_MEM; - search = 0; - continue; - } + if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF)) + goto int_err; - x = xtmp; ++ctx->num_untrusted; - self_signed = X509_self_signed(x, 0); - if (self_signed < 0) { - sk_X509_free(sktmp); - ctx->error = X509_V_ERR_UNSPECIFIED; - return 0; - } + curr = issuer; + if ((self_signed = X509_self_signed(curr, 0)) < 0) + goto int_err; /* Check for DANE-TA trust of the topmost untrusted certificate. */ - switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - search = 0; - continue; - } + trust = check_dane_issuer(ctx, ctx->num_untrusted - 1); + if (trust == X509_TRUST_TRUSTED || trust == X509_TRUST_REJECTED) + break; } } - sk_X509_free(sktmp); + sk_X509_free(sk_untrusted); /* * Last chance to make a trusted chain, either bare DANE-TA public-key @@ -3316,20 +3232,26 @@ static int build_chain(X509_STORE_CTX *ctx) default: num = sk_X509_num(ctx->chain); CB_FAIL_IF(num > depth, - ctx, NULL, num-1, X509_V_ERR_CERT_CHAIN_TOO_LONG); + ctx, NULL, num - 1, X509_V_ERR_CERT_CHAIN_TOO_LONG); CB_FAIL_IF(DANETLS_ENABLED(dane) && (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0), - ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH); + ctx, NULL, num - 1, X509_V_ERR_DANE_NO_MATCH); if (self_signed) - return verify_cb_cert(ctx, NULL, num-1, + return verify_cb_cert(ctx, NULL, num - 1, sk_X509_num(ctx->chain) == 1 ? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT : X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN); - return verify_cb_cert(ctx, NULL, num-1, + return verify_cb_cert(ctx, NULL, num - 1, ctx->num_untrusted < num ? X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT : X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY); } + + int_err: + sk_X509_free(sk_untrusted); + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; } static const int minbits_table[] = { 80, 112, 128, 192, 256 }; From no-reply at appveyor.com Thu Feb 4 18:17:31 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 04 Feb 2021 18:17:31 +0000 Subject: Build failed: openssl master.39600 Message-ID: <20210204181731.1.4F0F511DF4368483@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Feb 4 19:35:30 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 04 Feb 2021 19:35:30 +0000 Subject: Build completed: openssl master.39601 Message-ID: <20210204193530.1.D3B99EEF417E7908@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Fri Feb 5 00:08:26 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 05 Feb 2021 00:08:26 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1612483706.379523.3047107.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=228, Tests=2644, 707 wallclock secs (10.41 usr 1.31 sys + 621.97 cusr 75.25 csys = 708.94 CPU) Result: FAIL make[1]: *** [Makefile:2473: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2470: tests] Error 2 From pauli at openssl.org Fri Feb 5 00:24:25 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 05 Feb 2021 00:24:25 +0000 Subject: [openssl] master update Message-ID: <1612484665.896335.16958.nullmailer@dev.openssl.org> The branch master has been updated via 7dc67708c8ae6ec06c7fec34781225ed60b5e68d (commit) from 88444854affe31ce08a5daaf4b6afc86e6972c63 (commit) - Log ----------------------------------------------------------------- commit 7dc67708c8ae6ec06c7fec34781225ed60b5e68d Author: Petr Gotthard Date: Sat Dec 26 21:32:14 2020 +0100 apps/openssl: add -propquery command line option Fixes #13656. Right now all openssl commands use a NULL propq. This patch adds a possibility to specify a custom propq. The implementation follows the example of set_nameopt/get_nameopt. Various tools had to be modified to call app_get0_propq after it has been populated. Otherwise the -propquery has no effect. The tests then verify the -propquery affects the tool behaviour by requesting a non-existing property. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13707) ----------------------------------------------------------------------- Summary of changes: apps/cms.c | 26 ++++++++++++-------------- apps/genpkey.c | 5 ++--- apps/include/apps.h | 1 + apps/include/opt.h | 8 +++++--- apps/lib/app_provider.c | 2 ++ apps/lib/apps.c | 11 +++++++++-- apps/mac.c | 2 +- apps/pkcs7.c | 3 +-- apps/pkeyutl.c | 12 ++++++------ apps/smime.c | 7 +++---- apps/storeutl.c | 11 +++++------ doc/man1/openssl.pod | 20 ++++++++++++++++++++ doc/perlvars.pm | 5 ++++- test/recipes/15-test_genrsa.t | 5 ++++- test/recipes/20-test_mac.t | 5 +++++ 15 files changed, 80 insertions(+), 43 deletions(-) diff --git a/apps/cms.c b/apps/cms.c index e8254cb85c..36fb88e15c 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -28,7 +28,7 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx); static void receipt_request_print(CMS_ContentInfo *cms); static CMS_ReceiptRequest *make_receipt_request( STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, - STACK_OF(OPENSSL_STRING) *rr_from, OSSL_LIB_CTX *libctx, const char *propq); + STACK_OF(OPENSSL_STRING) *rr_from, OSSL_LIB_CTX *libctx); static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, STACK_OF(OPENSSL_STRING) *param); @@ -303,7 +303,6 @@ int cms_main(int argc, char **argv) const char *mime_eol = "\n"; OPTION_CHOICE o; OSSL_LIB_CTX *libctx = app_get0_libctx(); - const char *propq = app_get0_propq(); if ((vpm = X509_VERIFY_PARAM_new()) == NULL) return 1; @@ -457,7 +456,7 @@ int cms_main(int argc, char **argv) goto opthelp; } else { rcms = load_content_info(rctformat, rctin, NULL, "recipient", - libctx, propq); + libctx, app_get0_propq()); } break; case OPT_CERTFILE: @@ -870,7 +869,7 @@ int cms_main(int argc, char **argv) goto end; if (operation & SMIME_IP) { - cms = load_content_info(informat, in, &indata, "SMIME", libctx, propq); + cms = load_content_info(informat, in, &indata, "SMIME", libctx, app_get0_propq()); if (cms == NULL) goto end; if (contfile != NULL) { @@ -901,7 +900,7 @@ int cms_main(int argc, char **argv) } rcms = load_content_info(rctformat, rctin, NULL, "recipient", libctx, - propq); + app_get0_propq()); if (rcms == NULL) goto end; } @@ -922,15 +921,15 @@ int cms_main(int argc, char **argv) ret = 3; if (operation == SMIME_DATA_CREATE) { - cms = CMS_data_create_ex(in, flags, libctx, propq); + cms = CMS_data_create_ex(in, flags, libctx, app_get0_propq()); } else if (operation == SMIME_DIGEST_CREATE) { - cms = CMS_digest_create_ex(in, sign_md, flags, libctx, propq); + cms = CMS_digest_create_ex(in, sign_md, flags, libctx, app_get0_propq()); } else if (operation == SMIME_COMPRESS) { cms = CMS_compress(in, -1, flags); } else if (operation == SMIME_ENCRYPT) { int i; flags |= CMS_PARTIAL; - cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, propq); + cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, app_get0_propq()); if (cms == NULL) goto end; for (i = 0; i < sk_X509_num(encerts); i++) { @@ -996,7 +995,7 @@ int cms_main(int argc, char **argv) } } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key, - secret_keylen, flags, libctx, propq); + secret_keylen, flags, libctx, app_get0_propq()); } else if (operation == SMIME_SIGN_RECEIPT) { CMS_ContentInfo *srcms = NULL; @@ -1024,15 +1023,14 @@ int cms_main(int argc, char **argv) flags |= CMS_STREAM; } flags |= CMS_PARTIAL; - cms = CMS_sign_ex(NULL, NULL, other, in, flags, libctx, propq); + cms = CMS_sign_ex(NULL, NULL, other, in, flags, libctx, app_get0_propq()); if (cms == NULL) goto end; if (econtent_type != NULL) CMS_set1_eContentType(cms, econtent_type); if (rr_to != NULL) { - rr = make_receipt_request(rr_to, rr_allorfirst, rr_from, libctx, - propq); + rr = make_receipt_request(rr_to, rr_allorfirst, rr_from, libctx); if (rr == NULL) { BIO_puts(bio_err, "Signed Receipt Request Creation Error\n"); @@ -1389,7 +1387,7 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) static CMS_ReceiptRequest *make_receipt_request( STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) *rr_from, - OSSL_LIB_CTX *libctx, const char *propq) + OSSL_LIB_CTX *libctx) { STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL; CMS_ReceiptRequest *rr; @@ -1404,7 +1402,7 @@ static CMS_ReceiptRequest *make_receipt_request( rct_from = NULL; } rr = CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from, - rct_to, libctx, propq); + rct_to, libctx, app_get0_propq()); return rr; err: sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free); diff --git a/apps/genpkey.c b/apps/genpkey.c index 83af5ec88f..bdd8b43e47 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -68,7 +68,6 @@ int genpkey_main(int argc, char **argv) int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0; int private = 0; OSSL_LIB_CTX *libctx = app_get0_libctx(); - const char *propq = app_get0_propq(); prog = opt_init(argc, argv, genpkey_options); while ((o = opt_next()) != OPT_EOF) { @@ -98,11 +97,11 @@ int genpkey_main(int argc, char **argv) case OPT_PARAMFILE: if (do_param == 1) goto opthelp; - if (!init_keygen_file(&ctx, opt_arg(), e, libctx, propq)) + if (!init_keygen_file(&ctx, opt_arg(), e, libctx, app_get0_propq())) goto end; break; case OPT_ALGORITHM: - if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, propq)) + if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, app_get0_propq())) goto end; break; case OPT_PKEYOPT: diff --git a/apps/include/apps.h b/apps/include/apps.h index c0e351b3b9..d4241fa61e 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -323,6 +323,7 @@ int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name); void app_providers_cleanup(void); OSSL_LIB_CTX *app_get0_libctx(void); +int app_set_propq(const char *arg); const char *app_get0_propq(void); #endif diff --git a/apps/include/opt.h b/apps/include/opt.h index 5f3efe5105..d23bf262fc 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -270,7 +270,7 @@ */ # define OPT_PROV_ENUM \ OPT_PROV__FIRST=1600, \ - OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, \ + OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \ OPT_PROV__LAST # define OPT_CONFIG_OPTION \ @@ -279,12 +279,14 @@ # define OPT_PROV_OPTIONS \ OPT_SECTION("Provider"), \ { "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \ - { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" } + { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \ + { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" } # define OPT_PROV_CASES \ OPT_PROV__FIRST: case OPT_PROV__LAST: break; \ case OPT_PROV_PROVIDER: \ - case OPT_PROV_PROVIDER_PATH + case OPT_PROV_PROVIDER_PATH: \ + case OPT_PROV_PROPQUERY /* * Option parsing. diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c index 490960521c..1a1757a5bd 100644 --- a/apps/lib/app_provider.c +++ b/apps/lib/app_provider.c @@ -70,6 +70,8 @@ int opt_provider(int opt) return app_provider_load(app_get0_libctx(), opt_arg()); case OPT_PROV_PROVIDER_PATH: return opt_provider_path(opt_arg()); + case OPT_PROV_PROPQUERY: + return app_set_propq(opt_arg()); } return 0; } diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 51c7c82eae..f53f1b2003 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -331,10 +331,17 @@ OSSL_LIB_CTX *app_get0_libctx(void) return app_libctx; } -/* TODO(3.0): Make this an environment variable if required */ +static const char *app_propq = NULL; + +int app_set_propq(const char *arg) +{ + app_propq = arg; + return 1; +} + const char *app_get0_propq(void) { - return NULL; + return app_propq; } OSSL_LIB_CTX *app_create_libctx(void) diff --git a/apps/mac.c b/apps/mac.c index ea75b33623..ce00ff92e0 100644 --- a/apps/mac.c +++ b/apps/mac.c @@ -105,7 +105,7 @@ opthelp: if (argc != 1) goto opthelp; - mac = EVP_MAC_fetch(NULL, argv[0], NULL); + mac = EVP_MAC_fetch(app_get0_libctx(), argv[0], app_get0_propq()); if (mac == NULL) { BIO_printf(bio_err, "Invalid MAC name %s\n", argv[0]); goto opthelp; diff --git a/apps/pkcs7.c b/apps/pkcs7.c index efc58b10c9..d970feb30e 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -61,7 +61,6 @@ int pkcs7_main(int argc, char **argv) int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1; OPTION_CHOICE o; OSSL_LIB_CTX *libctx = app_get0_libctx(); - const char *propq = app_get0_propq(); prog = opt_init(argc, argv, pkcs7_options); while ((o = opt_next()) != OPT_EOF) { @@ -120,7 +119,7 @@ int pkcs7_main(int argc, char **argv) if (in == NULL) goto end; - p7 = PKCS7_new_ex(libctx, propq); + p7 = PKCS7_new_ex(libctx, app_get0_propq()); if (p7 == NULL) { BIO_printf(bio_err, "unable to allocate PKCS7 object\n"); ERR_print_errors(bio_err); diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index a88a6ca7a3..4eb15c30f4 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -24,7 +24,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, const char *keyfile, int keyform, int key_type, char *passinarg, int pkey_op, ENGINE *e, const int impl, int rawin, EVP_PKEY **ppkey, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx); static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, ENGINE *e); @@ -125,7 +125,6 @@ int pkeyutl_main(int argc, char **argv) const EVP_MD *md = NULL; int filesize = -1; OSSL_LIB_CTX *libctx = app_get0_libctx(); - const char *propq = NULL; prog = opt_init(argc, argv, pkeyutl_options); while ((o = opt_next()) != OPT_EOF) { @@ -293,7 +292,7 @@ int pkeyutl_main(int argc, char **argv) } ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type, passinarg, pkey_op, e, engine_impl, rawin, &pkey, - libctx, propq); + libctx); if (ctx == NULL) { BIO_printf(bio_err, "%s: Error initializing context\n", prog); ERR_print_errors(bio_err); @@ -514,7 +513,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, char *passinarg, int pkey_op, ENGINE *e, const int engine_impl, int rawin, EVP_PKEY **ppkey, - OSSL_LIB_CTX *libctx, const char *propq) + OSSL_LIB_CTX *libctx) { EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; @@ -522,6 +521,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, char *passin = NULL; int rv = -1; X509 *x; + if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT) || (pkey_op == EVP_PKEY_OP_DERIVE)) && (key_type != KEY_PRIVKEY && kdfalg == NULL)) { @@ -573,7 +573,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, if (impl != NULL) ctx = EVP_PKEY_CTX_new_id(kdfnid, impl); else - ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq); + ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, app_get0_propq()); } else { if (pkey == NULL) goto end; @@ -582,7 +582,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, if (impl != NULL) ctx = EVP_PKEY_CTX_new(pkey, impl); else - ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, app_get0_propq()); if (ppkey != NULL) *ppkey = pkey; EVP_PKEY_free(pkey); diff --git a/apps/smime.c b/apps/smime.c index 2e35009709..2a9ee27a34 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -155,7 +155,6 @@ int smime_main(int argc, char **argv) ENGINE *e = NULL; const char *mime_eol = "\n"; OSSL_LIB_CTX *libctx = app_get0_libctx(); - const char *propq = app_get0_propq(); if ((vpm = X509_VERIFY_PARAM_new()) == NULL) return 1; @@ -487,7 +486,7 @@ int smime_main(int argc, char **argv) if (operation & SMIME_IP) { PKCS7 *p7_in = NULL; - p7 = PKCS7_new_ex(libctx, propq); + p7 = PKCS7_new_ex(libctx, app_get0_propq()); if (p7 == NULL) { BIO_printf(bio_err, "Error allocating PKCS7 object\n"); goto end; @@ -534,7 +533,7 @@ int smime_main(int argc, char **argv) if (operation == SMIME_ENCRYPT) { if (indef) flags |= PKCS7_STREAM; - p7 = PKCS7_encrypt_ex(encerts, in, cipher, flags, libctx, propq); + p7 = PKCS7_encrypt_ex(encerts, in, cipher, flags, libctx, app_get0_propq()); } else if (operation & SMIME_SIGNERS) { int i; /* @@ -549,7 +548,7 @@ int smime_main(int argc, char **argv) flags |= PKCS7_STREAM; } flags |= PKCS7_PARTIAL; - p7 = PKCS7_sign_ex(NULL, NULL, other, in, flags, libctx, propq); + p7 = PKCS7_sign_ex(NULL, NULL, other, in, flags, libctx, app_get0_propq()); if (p7 == NULL) goto end; if (flags & PKCS7_NOCERTS) { diff --git a/apps/storeutl.c b/apps/storeutl.c index 0ec65ab047..9333c478f2 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -19,7 +19,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata, int expected, int criterion, OSSL_STORE_SEARCH *search, int text, int noout, int recursive, int indent, BIO *out, - const char *prog, OSSL_LIB_CTX *libctx, const char *propq); + const char *prog, OSSL_LIB_CTX *libctx); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE, OPT_OUT, OPT_PASSIN, @@ -85,7 +85,6 @@ int storeutl_main(int argc, char *argv[]) OSSL_STORE_SEARCH *search = NULL; const EVP_MD *digest = NULL; OSSL_LIB_CTX *libctx = app_get0_libctx(); - const char *propq = app_get0_propq(); while ((o = opt_next()) != OPT_EOF) { switch (o) { @@ -315,7 +314,7 @@ int storeutl_main(int argc, char *argv[]) ret = process(argv[0], get_ui_method(), &pw_cb_data, expected, criterion, search, - text, noout, recursive, 0, out, prog, libctx, propq); + text, noout, recursive, 0, out, prog, libctx); end: OPENSSL_free(fingerprint); @@ -346,12 +345,12 @@ static int indent_printf(int indent, BIO *bio, const char *format, ...) static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata, int expected, int criterion, OSSL_STORE_SEARCH *search, int text, int noout, int recursive, int indent, BIO *out, - const char *prog, OSSL_LIB_CTX *libctx, const char *propq) + const char *prog, OSSL_LIB_CTX *libctx) { OSSL_STORE_CTX *store_ctx = NULL; int ret = 1, items = 0; - if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, propq, uimeth, uidata, + if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata, NULL, NULL)) == NULL) { BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri); @@ -436,7 +435,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata, ret += process(suburi, uimeth, uidata, expected, criterion, search, text, noout, recursive, indent + 2, out, prog, - libctx, propq); + libctx); } break; case OSSL_STORE_INFO_PARAMS: diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 3176c19eee..8e30f81fe9 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -645,6 +645,26 @@ the PKCS#11 URI as defined in RFC 7512 should be possible to use directly: -key pkcs11:object=some-private-key;pin-value=1234 +=head2 Provider Options + +=over 4 + +=item B<-provider> I + +Load and initialize the provider identified by I. + +=item B<-provider-path> I + +Specifies the search path that is to be used for looking for providers. + +=item B<-propquery> I + +Specifies the I to be used when fetching algorithms +from the loaded providers. +See L for a more detailed description. + +=back + =head1 ENVIRONMENT The OpenSSL library can be take some configuration parameters from the diff --git a/doc/perlvars.pm b/doc/perlvars.pm index d4fbba9a64..47f813d51e 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -93,12 +93,15 @@ $OpenSSL::safe::opt_r_item = "" # Provider options $OpenSSL::safe::opt_provider_synopsis = "" . "[B<-provider> I]\n" -. "[B<-provider-path> I]"; +. "[B<-provider-path> I]\n" +. "[B<-propquery> I]"; $OpenSSL::safe::opt_provider_item = "" . "=item B<-provider> I\n" . "\n" . "=item B<-provider-path> I\n" . "\n" +. "=item B<-propquery> I\n" +. "\n" . "See L."; # Configuration option diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t index ffa334f15e..16bad16d65 100644 --- a/test/recipes/15-test_genrsa.t +++ b/test/recipes/15-test_genrsa.t @@ -26,7 +26,7 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => ($no_fips ? 0 : 2) # FIPS install test + fips related test - + 12; + + 13; # We want to know that an absurdly small number of bits isn't support if (disabled("deprecated-3.0")) { @@ -101,6 +101,9 @@ ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'RSA', '-pkeyopt', 'e:65538', '-out', 'genrsatest.pem' ])), "genpkey with a even public exponent should fail"); +ok(!run(app([ 'openssl', 'genpkey', '-propquery', 'unknown', + '-algorithm', 'RSA' ])), + "genpkey requesting unknown=yes property should fail"); SKIP: { diff --git a/test/recipes/20-test_mac.t b/test/recipes/20-test_mac.t index e34381c025..61f6161b0c 100644 --- a/test/recipes/20-test_mac.t +++ b/test/recipes/20-test_mac.t @@ -78,6 +78,11 @@ my @mac_fail_tests = ( input => '00', err => 'EVP_MAC_Init', desc => 'KMAC128 Fail no key' }, + { cmd => [qw{openssl mac -propquery unknown -macopt hexkey:404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F}], + type => 'KMAC128', + input => '00', + err => 'Invalid MAC name KMAC128', + desc => 'KMAC128 Fail unknown property' }, ); my @siphash_fail_tests = ( From pauli at openssl.org Fri Feb 5 05:54:47 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 05 Feb 2021 05:54:47 +0000 Subject: [openssl] master update Message-ID: <1612504487.737489.18255.nullmailer@dev.openssl.org> The branch master has been updated via 76624df15fef0725f28a8b9d0f31256946669b1a (commit) via d82c7f3dba44b190eac80e5ddffac9a00cefd47d (commit) via 13e85fb3214fc5c84e30258ed56add1275b0fde3 (commit) via f4a3799cc45cb986d5920403b3e0471678fee020 (commit) from 7dc67708c8ae6ec06c7fec34781225ed60b5e68d (commit) - Log ----------------------------------------------------------------- commit 76624df15fef0725f28a8b9d0f31256946669b1a Author: Richard Levitte Date: Wed Feb 3 16:48:21 2021 +0100 EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() These functions are modified to use EVP_PKEY_set_octet_string_param() and EVP_PKEY_get_octet_string_param() instead of evp_keymgmt_set_params() and evp_keymgmt_get_params(). To accomplish this fully, EVP_PKEY_get_octet_string_param() is changed slightly to populate |*out_sz| with the return size, even if getting the params resulted in an error. We also modify EVP_PKEY_get_utf8_string_param() to match EVP_PKEY_get_octet_string_param() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14056) commit d82c7f3dba44b190eac80e5ddffac9a00cefd47d Author: Richard Levitte Date: Wed Feb 3 14:10:08 2021 +0100 EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions The checks of the type of EVP_PKEY were from before we had the macro evp_pkey_is_provided(). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14056) commit 13e85fb3214fc5c84e30258ed56add1275b0fde3 Author: Richard Levitte Date: Wed Feb 3 13:55:30 2021 +0100 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions They were calling evp_keymgmt_set_params() directly. Those calls are changed to go through EVP_PKEY_set_params(). We take the opportunity to constify these functions. They have to unconstify internally for the compiler to stop complaining when placing those pointers in an OSSL_PARAM element, but that's still better than forcing the callers to do that cast. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14056) commit f4a3799cc45cb986d5920403b3e0471678fee020 Author: Richard Levitte Date: Wed Feb 3 13:50:23 2021 +0100 EVP: Make EVP_PKEY_set_params() increment the dirty count When the internal key is changed, we must count it as muted, so that next time the affected key is considered for an operation, it gets re-exported to the signing provider. In other words, this will clear the EVP_PKEY export cache when the next export attempt occurs. This also updates evp_keymgmt_util_export_to_provider() to actually look at the dirty count for provider native origin keys, and act appropriately. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14056) ----------------------------------------------------------------------- Summary of changes: crypto/evp/keymgmt_lib.c | 31 +++-- crypto/evp/p_lib.c | 207 +++++++++++++++------------------- doc/man3/EVP_PKEY_gettable_params.pod | 11 +- doc/man3/EVP_PKEY_settable_params.pod | 9 +- include/openssl/evp.h | 10 +- util/libcrypto.num | 1 + 6 files changed, 134 insertions(+), 135 deletions(-) diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c index 0c643b3b49..0112036263 100644 --- a/crypto/evp/keymgmt_lib.c +++ b/crypto/evp/keymgmt_lib.c @@ -101,15 +101,22 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) if (pk->keymgmt == keymgmt) return pk->keydata; - /* If this key is already exported to |keymgmt|, no more to do */ CRYPTO_THREAD_read_lock(pk->lock); - i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt); - if (i < OSSL_NELEM(pk->operation_cache) - && pk->operation_cache[i].keymgmt != NULL) { - void *ret = pk->operation_cache[i].keydata; + /* + * If the provider native "origin" hasn't changed since last time, we + * try to find our keymgmt in the operation cache. If it has changed, + * |i| remains zero, and we will clear the cache further down. + */ + if (pk->dirty_cnt == pk->dirty_cnt_copy) { + /* If this key is already exported to |keymgmt|, no more to do */ + i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt); + if (i < OSSL_NELEM(pk->operation_cache) + && pk->operation_cache[i].keymgmt != NULL) { + void *ret = pk->operation_cache[i].keydata; - CRYPTO_THREAD_unlock(pk->lock); - return ret; + CRYPTO_THREAD_unlock(pk->lock); + return ret; + } } CRYPTO_THREAD_unlock(pk->lock); @@ -177,12 +184,22 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) return ret; } + /* + * If the dirty counter changed since last time, then clear the + * operation cache. In that case, we know that |i| is zero. + */ + if (pk->dirty_cnt != pk->dirty_cnt_copy) + evp_keymgmt_util_clear_operation_cache(pk, 0); + /* Add the new export to the operation cache */ if (!evp_keymgmt_util_cache_keydata(pk, i, keymgmt, import_data.keydata)) { evp_keymgmt_freedata(keymgmt, import_data.keydata); return NULL; } + /* Synchronize the dirty count */ + pk->dirty_cnt_copy = pk->dirty_cnt; + CRYPTO_THREAD_unlock(pk->lock); return import_data.keydata; diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 558f378168..106830bfbb 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1298,17 +1298,11 @@ int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid) int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey, const unsigned char *pub, size_t publen) { - if (pkey->ameth == NULL) { - OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; - - if (pkey->keymgmt == NULL || pkey->keydata == NULL) - return 0; - - params[0] = - OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, - (unsigned char *)pub, publen); - return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); - } + if (pkey != NULL && evp_pkey_is_provided(pkey)) + return + EVP_PKEY_set_octet_string_param(pkey, + OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, + (unsigned char *)pub, publen); if (publen > INT_MAX) return 0; @@ -1323,29 +1317,28 @@ size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub) { int rv; - if (pkey->ameth == NULL) { - OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; - - if (pkey->keymgmt == NULL || pkey->keydata == NULL) - return 0; + if (pkey != NULL && evp_pkey_is_provided(pkey)) { + size_t return_size = OSSL_PARAM_UNMODIFIED; - params[0] = - OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, - NULL, 0); - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)) + /* + * We know that this is going to fail, but it will give us a size + * to allocate. + */ + EVP_PKEY_get_octet_string_param(pkey, + OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, + NULL, 0, &return_size); + if (return_size == OSSL_PARAM_UNMODIFIED) return 0; - *ppub = OPENSSL_malloc(params[0].return_size); + *ppub = OPENSSL_malloc(return_size); if (*ppub == NULL) return 0; - params[0] = - OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, - *ppub, params[0].return_size); - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)) + if (!EVP_PKEY_get_octet_string_param(pkey, + OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, + *ppub, return_size, NULL)) return 0; - - return params[0].return_size; + return return_size; } @@ -1995,15 +1988,6 @@ int evp_pkey_downgrade(EVP_PKEY *pk) } #endif /* FIPS_MODULE */ -const OSSL_PARAM *EVP_PKEY_gettable_params(const EVP_PKEY *pkey) -{ - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL) - return 0; - return EVP_KEYMGMT_gettable_params(pkey->keymgmt); -} - int EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, const char *key_name, BIGNUM **bn) { @@ -2013,17 +1997,16 @@ int EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, const char *key_name, unsigned char *buf = NULL; size_t buf_sz = 0; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL - || bn == NULL) + if (key_name == NULL + || bn == NULL + || pkey == NULL + || !evp_pkey_is_provided(pkey)) return 0; memset(buffer, 0, sizeof(buffer)); params[0] = OSSL_PARAM_construct_BN(key_name, buffer, sizeof(buffer)); params[1] = OSSL_PARAM_construct_end(); - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)) { + if (!EVP_PKEY_get_params(pkey, params)) { if (!OSSL_PARAM_modified(params) || params[0].return_size == 0) return 0; buf_sz = params[0].return_size; @@ -2037,7 +2020,7 @@ int EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, const char *key_name, params[0].data = buf; params[0].data_size = buf_sz; - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)) + if (!EVP_PKEY_get_params(pkey, params)) goto err; } /* Fail if the param was not found */ @@ -2054,21 +2037,20 @@ int EVP_PKEY_get_octet_string_param(const EVP_PKEY *pkey, const char *key_name, size_t *out_sz) { OSSL_PARAM params[2]; + int ret1 = 0, ret2 = 0; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL + || pkey == NULL + || !evp_pkey_is_provided(pkey)) return 0; params[0] = OSSL_PARAM_construct_octet_string(key_name, buf, max_buf_sz); params[1] = OSSL_PARAM_construct_end(); - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params) - || !OSSL_PARAM_modified(params)) - return 0; - if (out_sz != NULL) + if ((ret1 = EVP_PKEY_get_params(pkey, params))) + ret2 = OSSL_PARAM_modified(params); + if (ret2 && out_sz != NULL) *out_sz = params[0].return_size; - return 1; + return ret1 && ret2; } int EVP_PKEY_get_utf8_string_param(const EVP_PKEY *pkey, const char *key_name, @@ -2076,21 +2058,18 @@ int EVP_PKEY_get_utf8_string_param(const EVP_PKEY *pkey, const char *key_name, size_t *out_sz) { OSSL_PARAM params[2]; + int ret1 = 0, ret2 = 0; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL) return 0; params[0] = OSSL_PARAM_construct_utf8_string(key_name, str, max_buf_sz); params[1] = OSSL_PARAM_construct_end(); - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params) - || !OSSL_PARAM_modified(params)) - return 0; - if (out_sz != NULL) + if ((ret1 = EVP_PKEY_get_params(pkey, params))) + ret2 = OSSL_PARAM_modified(params); + if (ret2 && out_sz != NULL) *out_sz = params[0].return_size; - return 1; + return ret1 && ret2; } int EVP_PKEY_get_int_param(const EVP_PKEY *pkey, const char *key_name, @@ -2098,18 +2077,13 @@ int EVP_PKEY_get_int_param(const EVP_PKEY *pkey, const char *key_name, { OSSL_PARAM params[2]; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL) return 0; params[0] = OSSL_PARAM_construct_int(key_name, out); params[1] = OSSL_PARAM_construct_end(); - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params) - || !OSSL_PARAM_modified(params)) - return 0; - return 1; + return EVP_PKEY_get_params(pkey, params) + && OSSL_PARAM_modified(params); } int EVP_PKEY_get_size_t_param(const EVP_PKEY *pkey, const char *key_name, @@ -2117,61 +2091,50 @@ int EVP_PKEY_get_size_t_param(const EVP_PKEY *pkey, const char *key_name, { OSSL_PARAM params[2]; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL) return 0; params[0] = OSSL_PARAM_construct_size_t(key_name, out); params[1] = OSSL_PARAM_construct_end(); - if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params) - || !OSSL_PARAM_modified(params)) - return 0; - return 1; + return EVP_PKEY_get_params(pkey, params) + && OSSL_PARAM_modified(params); } int EVP_PKEY_set_int_param(EVP_PKEY *pkey, const char *key_name, int in) { OSSL_PARAM params[2]; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL) return 0; params[0] = OSSL_PARAM_construct_int(key_name, &in); params[1] = OSSL_PARAM_construct_end(); - return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + return EVP_PKEY_set_params(pkey, params); } int EVP_PKEY_set_size_t_param(EVP_PKEY *pkey, const char *key_name, size_t in) { OSSL_PARAM params[2]; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL) return 0; params[0] = OSSL_PARAM_construct_size_t(key_name, &in); params[1] = OSSL_PARAM_construct_end(); - return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + return EVP_PKEY_set_params(pkey, params); } -int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, BIGNUM *bn) +int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, + const BIGNUM *bn) { OSSL_PARAM params[2]; unsigned char buffer[2048]; int bsize = 0; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL - || bn == NULL) + if (key_name == NULL + || bn == NULL + || pkey == NULL + || !evp_pkey_is_provided(pkey)) return 0; bsize = BN_num_bytes(bn); @@ -2182,57 +2145,65 @@ int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, BIGNUM *bn) return 0; params[0] = OSSL_PARAM_construct_BN(key_name, buffer, bsize); params[1] = OSSL_PARAM_construct_end(); - return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + return EVP_PKEY_set_params(pkey, params); } int EVP_PKEY_set_utf8_string_param(EVP_PKEY *pkey, const char *key_name, - char *str) + const char *str) { OSSL_PARAM params[2]; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL) return 0; - params[0] = OSSL_PARAM_construct_utf8_string(key_name, str, 0); + params[0] = OSSL_PARAM_construct_utf8_string(key_name, (char *)str, 0); params[1] = OSSL_PARAM_construct_end(); - return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + return EVP_PKEY_set_params(pkey, params); } int EVP_PKEY_set_octet_string_param(EVP_PKEY *pkey, const char *key_name, - unsigned char *buf, size_t bsize) + const unsigned char *buf, size_t bsize) { OSSL_PARAM params[2]; - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL - || key_name == NULL) + if (key_name == NULL) return 0; - params[0] = OSSL_PARAM_construct_octet_string(key_name, buf, bsize); + params[0] = OSSL_PARAM_construct_octet_string(key_name, + (unsigned char *)buf, bsize); params[1] = OSSL_PARAM_construct_end(); - return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + return EVP_PKEY_set_params(pkey, params); } -const OSSL_PARAM *EVP_PKEY_settable_params(EVP_PKEY *pkey) +const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey) { - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL) - return 0; - return EVP_KEYMGMT_settable_params(pkey->keymgmt); + return (pkey != NULL && evp_pkey_is_provided(pkey)) + ? EVP_KEYMGMT_settable_params(pkey->keymgmt) + : NULL; } int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]) { - if (pkey == NULL - || pkey->keymgmt == NULL - || pkey->keydata == NULL) + if (pkey == NULL) return 0; - return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + + pkey->dirty_cnt++; + return evp_pkey_is_provided(pkey) + && evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); +} + +const OSSL_PARAM *EVP_PKEY_gettable_params(const EVP_PKEY *pkey) +{ + return (pkey != NULL && evp_pkey_is_provided(pkey)) + ? EVP_KEYMGMT_gettable_params(pkey->keymgmt) + : NULL; +} + +int EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]) +{ + return pkey != NULL + && evp_pkey_is_provided(pkey) + && evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params); } #ifndef FIPS_MODULE diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index 8b176f0819..7a1eaaa548 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -2,7 +2,8 @@ =head1 NAME -EVP_PKEY_gettable_params, EVP_PKEY_get_int_param, EVP_PKEY_get_size_t_param, +EVP_PKEY_gettable_params, EVP_PKEY_get_params, +EVP_PKEY_get_int_param, EVP_PKEY_get_size_t_param, EVP_PKEY_get_bn_param, EVP_PKEY_get_utf8_string_param, EVP_PKEY_get_octet_string_param - retrieve key parameters from a key @@ -12,6 +13,7 @@ EVP_PKEY_get_octet_string_param #include const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *pkey); + int EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]); int EVP_PKEY_get_int_param(const EVP_PKEY *pkey, const char *key_name, int *out); int EVP_PKEY_get_size_t_param(const EVP_PKEY *pkey, const char *key_name, @@ -27,6 +29,10 @@ EVP_PKEY_get_octet_string_param =head1 DESCRIPTION +EVP_PKEY_get_params() retrieves parameters from the key I, according to +the contents of I. +See L for information about parameters. + EVP_PKEY_gettable_params() returns a constant list of I indicating the names and types of key parameters that can be retrieved. See L for information about parameters. @@ -61,7 +67,8 @@ All other methods return 1 if a value associated with the key's I was successfully returned, or 0 if there was an error. An error may be returned by methods EVP_PKEY_get_utf8_string_param() and EVP_PKEY_get_octet_string_param() if I is not big enough to hold the -value. +value. If I is not NULL, I<*out_sz> will be assigned the required +buffer size to hold the value. =head1 EXAMPLES diff --git a/doc/man3/EVP_PKEY_settable_params.pod b/doc/man3/EVP_PKEY_settable_params.pod index a33eadc8fc..6760818cda 100644 --- a/doc/man3/EVP_PKEY_settable_params.pod +++ b/doc/man3/EVP_PKEY_settable_params.pod @@ -11,15 +11,16 @@ EVP_PKEY_set_utf8_string_param, EVP_PKEY_set_octet_string_param #include - const OSSL_PARAM *EVP_PKEY_settable_params(EVP_PKEY *pkey); + const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey); int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]); int EVP_PKEY_set_int_param(EVP_PKEY *pkey, const char *key_name, int in); int EVP_PKEY_set_size_t_param(EVP_PKEY *pkey, const char *key_name, size_t in); - int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, BIGNUM *bn); + int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, + const BIGNUM *bn); int EVP_PKEY_set_utf8_string_param(EVP_PKEY *pkey, const char *key_name, - char *str); + const char *str); int EVP_PKEY_set_octet_string_param(EVP_PKEY *pkey, const char *key_name, - unsigned char *buf, size_t bsize); + const unsigned char *buf, size_t bsize); =head1 DESCRIPTION diff --git a/include/openssl/evp.h b/include/openssl/evp.h index f5e3592c30..239b107833 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1796,6 +1796,7 @@ int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, OSSL_PARAM param[]); const OSSL_PARAM *EVP_PKEY_param_fromdata_settable(EVP_PKEY_CTX *ctx); const OSSL_PARAM *EVP_PKEY_key_fromdata_settable(EVP_PKEY_CTX *ctx); const OSSL_PARAM *EVP_PKEY_gettable_params(const EVP_PKEY *pkey); +int EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]); int EVP_PKEY_get_int_param(const EVP_PKEY *pkey, const char *key_name, int *out); int EVP_PKEY_get_size_t_param(const EVP_PKEY *pkey, const char *key_name, @@ -1808,15 +1809,16 @@ int EVP_PKEY_get_octet_string_param(const EVP_PKEY *pkey, const char *key_name, unsigned char *buf, size_t max_buf_sz, size_t *out_sz); -const OSSL_PARAM *EVP_PKEY_settable_params(EVP_PKEY *pkey); +const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey); int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]); int EVP_PKEY_set_int_param(EVP_PKEY *pkey, const char *key_name, int in); int EVP_PKEY_set_size_t_param(EVP_PKEY *pkey, const char *key_name, size_t in); -int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, BIGNUM *bn); +int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, + const BIGNUM *bn); int EVP_PKEY_set_utf8_string_param(EVP_PKEY *pkey, const char *key_name, - char *str); + const char *str); int EVP_PKEY_set_octet_string_param(EVP_PKEY *pkey, const char *key_name, - unsigned char *buf, size_t bsize); + const unsigned char *buf, size_t bsize); int EVP_PKEY_get_ec_point_conv_form(const EVP_PKEY *pkey); int EVP_PKEY_get_field_type(const EVP_PKEY *pkey); diff --git a/util/libcrypto.num b/util/libcrypto.num index cbba0768b1..32e7779bce 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5298,3 +5298,4 @@ EVP_PKEY_set_utf8_string_param ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_set_octet_string_param ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_ec_point_conv_form ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_field_type ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_params ? 3_0_0 EXIST::FUNCTION: From shane.lontis at oracle.com Fri Feb 5 08:08:55 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Fri, 05 Feb 2021 08:08:55 +0000 Subject: [openssl] master update Message-ID: <1612512535.712688.26042.nullmailer@dev.openssl.org> The branch master has been updated via 05f41859ddfff9b19f6599e545607f3d49630ce0 (commit) from 76624df15fef0725f28a8b9d0f31256946669b1a (commit) - Log ----------------------------------------------------------------- commit 05f41859ddfff9b19f6599e545607f3d49630ce0 Author: Jon Spillett Date: Thu Feb 4 15:13:18 2021 +1000 Switch to BIO_snprintf to avoid missing symbol problems on Windows Reviewed-by: Ben Kaduk Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14063) ----------------------------------------------------------------------- Summary of changes: apps/lib/opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 99499193e4..8cc520daec 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -143,7 +143,7 @@ char *opt_appname(const char *arg0) size_t len = strlen(prog); if (arg0 != NULL) - snprintf(prog + len, sizeof(prog) - len - 1, " %s", arg0); + BIO_snprintf(prog + len, sizeof(prog) - len - 1, " %s", arg0); return prog; } From matt at openssl.org Fri Feb 5 10:44:30 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 05 Feb 2021 10:44:30 +0000 Subject: [openssl] master update Message-ID: <1612521870.883209.12569.nullmailer@dev.openssl.org> The branch master has been updated via e60147fe74c202ef3ce5d36115252b7c3c504cd7 (commit) from 05f41859ddfff9b19f6599e545607f3d49630ce0 (commit) - Log ----------------------------------------------------------------- commit e60147fe74c202ef3ce5d36115252b7c3c504cd7 Author: Rich Salz Date: Thu Jan 21 12:32:27 2021 -0500 Don't make pthreads mutexes recursive. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13924) ----------------------------------------------------------------------- Summary of changes: crypto/threads_pthread.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index 22ba793161..68ec5dc1df 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -51,12 +51,15 @@ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void) return NULL; } + /* + * We don't use recursive mutexes, but try to catch errors if we do. + */ pthread_mutexattr_init(&attr); - #if defined(__TANDEM) && defined(_SPT_MODEL_) - pthread_mutexattr_setkind_np(&attr,MUTEX_RECURSIVE_NP); - #else - pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE); - #endif +# if defined(NDEBUG) && defined(PTHREAD_MUTEX_ERRORCHECK) + pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK); +# else + pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL); +# endif if (pthread_mutex_init(lock, &attr) != 0) { pthread_mutexattr_destroy(&attr); @@ -76,8 +79,10 @@ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock) if (pthread_rwlock_rdlock(lock) != 0) return 0; # else - if (pthread_mutex_lock(lock) != 0) + if (pthread_mutex_lock(lock) != 0) { + assert(errno != EDEADLK && errno != EBUSY); return 0; + } # endif return 1; @@ -89,8 +94,10 @@ int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock) if (pthread_rwlock_wrlock(lock) != 0) return 0; # else - if (pthread_mutex_lock(lock) != 0) + if (pthread_mutex_lock(lock) != 0) { + assert(errno != EDEADLK && errno != EBUSY); return 0; + } # endif return 1; @@ -102,8 +109,10 @@ int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock) if (pthread_rwlock_unlock(lock) != 0) return 0; # else - if (pthread_mutex_unlock(lock) != 0) + if (pthread_mutex_unlock(lock) != 0) { + assert(errno != EPERM); return 0; + } # endif return 1; From tmraz at fedoraproject.org Fri Feb 5 13:05:20 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Fri, 05 Feb 2021 13:05:20 +0000 Subject: [openssl] master update Message-ID: <1612530320.117736.32636.nullmailer@dev.openssl.org> The branch master has been updated via bbde8566191e5851f4418cbb8acb0d50b16170d8 (commit) via 26372a4d44f0b4ef5423228b8bf975a5a7c814cb (commit) from e60147fe74c202ef3ce5d36115252b7c3c504cd7 (commit) - Log ----------------------------------------------------------------- commit bbde8566191e5851f4418cbb8acb0d50b16170d8 Author: Tomas Mraz Date: Fri Jan 29 17:02:32 2021 +0100 RSA: properly generate algorithm identifier for RSA-PSS signatures Fixes #13969 - properly handle the mandatory RSA-PSS key parameters - improve parameter checking when setting the parameters - compute the algorithm id at the time it is requested so it reflects the actual parameters set - when generating keys do not override previously set parameters with defaults - tests added to the test_req recipe that should cover the PSS signature handling Reviewed-by: Richard Levitte Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/13988) commit 26372a4d44f0b4ef5423228b8bf975a5a7c814cb Author: Tomas Mraz Date: Wed Jan 27 10:22:41 2021 +0100 provider-signature.pod: Fix formatting. Reviewed-by: Richard Levitte Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/13988) ----------------------------------------------------------------------- Summary of changes: crypto/rsa/rsa_ameth.c | 4 +- crypto/rsa/rsa_backend.c | 8 +- crypto/rsa/rsa_pss.c | 4 +- doc/man7/provider-signature.pod | 8 +- include/crypto/rsa.h | 1 + providers/common/der/der_rsa.h.in | 5 +- providers/common/der/der_rsa_key.c | 32 +-- providers/common/der/der_rsa_sig.c | 2 +- providers/implementations/keymgmt/rsa_kmgmt.c | 17 +- providers/implementations/signature/rsa.c | 295 +++++++++++++++++--------- test/recipes/25-test_req.t | 54 ++++- test/testrsapssmandatory.pem | 29 +++ 12 files changed, 322 insertions(+), 137 deletions(-) create mode 100644 test/testrsapssmandatory.pem diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 852facf577..e2dec1c98d 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -943,6 +943,7 @@ static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx, EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx); RSA *rsa = ossl_rsa_new_with_ctx(pctx->libctx); RSA_PSS_PARAMS_30 rsa_pss_params = { 0, }; + int pss_defaults_set = 0; int ok = 0; if (rsa == NULL) { @@ -953,7 +954,8 @@ static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx, RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK); RSA_set_flags(rsa, rsa_type); - if (!ossl_rsa_pss_params_30_fromdata(&rsa_pss_params, params, pctx->libctx)) + if (!ossl_rsa_pss_params_30_fromdata(&rsa_pss_params, &pss_defaults_set, + params, pctx->libctx)) goto err; switch (rsa_type) { diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c index 2f430b34d4..84f070a7ce 100644 --- a/crypto/rsa/rsa_backend.c +++ b/crypto/rsa/rsa_backend.c @@ -217,6 +217,7 @@ int ossl_rsa_pss_params_30_todata(const RSA_PSS_PARAMS_30 *pss, } int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params, + int *defaults_set, const OSSL_PARAM params[], OSSL_LIB_CTX *libctx) { @@ -249,10 +250,13 @@ int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params, * restrictions, so we start by setting default values, and let each * parameter override their specific restriction data. */ - if (param_md != NULL || param_mgf != NULL || param_mgf1md != NULL - || param_saltlen != NULL) + if (!*defaults_set + && (param_md != NULL || param_mgf != NULL || param_mgf1md != NULL + || param_saltlen != NULL)) { if (!ossl_rsa_pss_params_30_set_defaults(pss_params)) return 0; + *defaults_set = 1; + } if (param_mgf != NULL) { int default_maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(NULL); diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 1b73cbb0f6..3a92ed04dd 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c @@ -113,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, goto err; } if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) { - ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); + ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED, + "expected: %d retrieved: %d", sLen, + maskedDBLen - i); goto err; } if (!EVP_DigestInit_ex(ctx, Hash, NULL) diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index bf10b6572c..222693854f 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod @@ -323,10 +323,10 @@ follows. =item "digest" (B) -Get or sets the name of the digest algorithm used for the input to the signature -functions. It is required in order to calculate the "algorithm-id". +Get or sets the name of the digest algorithm used for the input to the +signature functions. It is required in order to calculate the "algorithm-id". -= item "properties" (B) +=item "properties" (B) Sets the name of the property query associated with the "digest" algorithm. NULL is used if this optional value is not set. @@ -337,7 +337,7 @@ Gets or sets the output size of the digest algorithm used for the input to the signature functions. The length of the "digest-size" parameter should not exceed that of a B. -= item "algorithm-id" (B) +=item "algorithm-id" (B) Gets the DER encoded AlgorithmIdentifier that corresponds to the combination of signature algorithm and digest algorithm for the signature operation. diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index cb53b5dde6..599978dc3b 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -65,6 +65,7 @@ int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[]); int ossl_rsa_pss_params_30_todata(const RSA_PSS_PARAMS_30 *pss, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params, + int *defaults_set, const OSSL_PARAM params[], OSSL_LIB_CTX *libctx); diff --git a/providers/common/der/der_rsa.h.in b/providers/common/der/der_rsa.h.in index 412d5bbe7f..733b9d60d6 100644 --- a/providers/common/der/der_rsa.h.in +++ b/providers/common/der/der_rsa.h.in @@ -23,6 +23,9 @@ int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag, const RSA_PSS_PARAMS_30 *pss); /* Subject Public Key Info */ int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa); +int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag, + int rsa_type, + const RSA_PSS_PARAMS_30 *pss); /* Signature */ int ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(WPACKET *pkt, int tag, - RSA *rsa, int mdnid); + int mdnid); diff --git a/providers/common/der/der_rsa_key.c b/providers/common/der/der_rsa_key.c index 1cc5874290..70b8edb63b 100644 --- a/providers/common/der/der_rsa_key.c +++ b/providers/common/der/der_rsa_key.c @@ -52,18 +52,16 @@ * around that, we make them non-static, and declare them an extra time to * avoid compilers complaining about definitions without declarations. */ -#if 0 /* Currently unused */ #define DER_AID_V_sha1Identifier \ DER_P_SEQUENCE|DER_F_CONSTRUCTED, \ DER_OID_SZ_id_sha1 + DER_SZ_NULL, \ DER_OID_V_id_sha1, \ DER_V_NULL -extern const unsigned char der_aid_sha1Identifier[]; -const unsigned char der_aid_sha1Identifier[] = { +extern const unsigned char ossl_der_aid_sha1Identifier[]; +const unsigned char ossl_der_aid_sha1Identifier[] = { DER_AID_V_sha1Identifier }; -#define DER_AID_SZ_sha1Identifier sizeof(der_aid_sha1Identifier) -#endif +#define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier) #define DER_AID_V_sha224Identifier \ DER_P_SEQUENCE|DER_F_CONSTRUCTED, \ @@ -277,8 +275,8 @@ static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag, #define OAEP_PSS_MD_CASE(name, var) \ case NID_##name: \ - var = ossl_der_oid_id_##name; \ - var##_sz = sizeof(ossl_der_oid_id_##name); \ + var = ossl_der_aid_##name##Identifier; \ + var##_sz = sizeof(ossl_der_aid_##name##Identifier); \ break; int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag, @@ -356,14 +354,15 @@ int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag, var##_oid_sz = sizeof(ossl_der_oid_##name); \ break; -int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa) +int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag, + int rsa_type, + const RSA_PSS_PARAMS_30 *pss) { int rsa_nid = NID_undef; const unsigned char *rsa_oid = NULL; size_t rsa_oid_sz = 0; - RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa); - switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) { + switch (rsa_type) { case RSA_FLAG_TYPE_RSA: RSA_CASE(rsaEncryption, rsa); case RSA_FLAG_TYPE_RSASSAPSS: @@ -375,8 +374,17 @@ int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa) return ossl_DER_w_begin_sequence(pkt, tag) && (rsa_nid != NID_rsassaPss - || ossl_rsa_pss_params_30_is_unrestricted(pss_params) - || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss_params)) + || ossl_rsa_pss_params_30_is_unrestricted(pss) + || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss)) && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz) && ossl_DER_w_end_sequence(pkt, tag); } + +int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa) +{ + int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK); + RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa); + + return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type, + pss_params); +} diff --git a/providers/common/der/der_rsa_sig.c b/providers/common/der/der_rsa_sig.c index 1ff9bf789b..94ed60b69f 100644 --- a/providers/common/der/der_rsa_sig.c +++ b/providers/common/der/der_rsa_sig.c @@ -29,7 +29,7 @@ break; int ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(WPACKET *pkt, int tag, - RSA *rsa, int mdnid) + int mdnid) { const unsigned char *precompiled = NULL; size_t precompiled_sz = 0; diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 9f783c56d8..64779ca6be 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -56,11 +56,12 @@ static OSSL_FUNC_keymgmt_query_operation_name_fn rsa_query_operation_name; DEFINE_STACK_OF(BIGNUM) DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) -static int pss_params_fromdata(RSA_PSS_PARAMS_30 *pss_params, +static int pss_params_fromdata(RSA_PSS_PARAMS_30 *pss_params, int *defaults_set, const OSSL_PARAM params[], int rsa_type, OSSL_LIB_CTX *libctx) { - if (!ossl_rsa_pss_params_30_fromdata(pss_params, params, libctx)) + if (!ossl_rsa_pss_params_30_fromdata(pss_params, defaults_set, + params, libctx)) return 0; /* If not a PSS type RSA, sending us PSS parameters is wrong */ @@ -153,6 +154,7 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[]) RSA *rsa = keydata; int rsa_type; int ok = 1; + int pss_defaults_set = 0; if (!ossl_prov_is_running() || rsa == NULL) return 0; @@ -165,8 +167,10 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[]) /* TODO(3.0) OAEP should bring on parameters as well */ if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) - ok = ok && pss_params_fromdata(ossl_rsa_get0_pss_params_30(rsa), params, - rsa_type, ossl_rsa_get0_libctx(rsa)); + ok = ok && pss_params_fromdata(ossl_rsa_get0_pss_params_30(rsa), + &pss_defaults_set, + params, rsa_type, + ossl_rsa_get0_libctx(rsa)); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) ok = ok && ossl_rsa_fromdata(rsa, params); @@ -391,6 +395,7 @@ struct rsa_gen_ctx { /* For PSS */ RSA_PSS_PARAMS_30 pss_params; + int pss_defaults_set; /* For generation callback */ OSSL_CALLBACK *cb; @@ -470,8 +475,8 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[]) return 0; /* Only attempt to get PSS parameters when generating an RSA-PSS key */ if (gctx->rsa_type == RSA_FLAG_TYPE_RSASSAPSS - && !pss_params_fromdata(&gctx->pss_params, params, gctx->rsa_type, - gctx->libctx)) + && !pss_params_fromdata(&gctx->pss_params, &gctx->pss_defaults_set, params, + gctx->rsa_type, gctx->libctx)) return 0; #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) /* Any ACVP test related parameters are copied into a params[] */ diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 98ebf6b243..e61d8ab04e 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -13,6 +13,7 @@ */ #include "internal/deprecated.h" +#include "e_os.h" /* strcasecmp */ #include #include #include @@ -86,11 +87,7 @@ typedef struct { * by their Final function. */ unsigned int flag_allow_md : 1; - - /* The Algorithm Identifier of the combined signature algorithm */ - unsigned char aid_buf[128]; - unsigned char *aid; - size_t aid_len; + unsigned int mgf1_md_set : 1; /* main digest */ EVP_MD *md; @@ -102,6 +99,7 @@ typedef struct { int pad_mode; /* message digest for MGF1 */ EVP_MD *mgf1_md; + int mgf1_mdnid; char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */ /* PSS salt length */ int saltlen; @@ -113,6 +111,9 @@ typedef struct { } PROV_RSA_CTX; +/* True if PSS parameters are restricted */ +#define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) + static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx) { if (prsactx->md != NULL) @@ -120,24 +121,37 @@ static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx) return 0; } -static int rsa_check_padding(int mdnid, int padding) +static int rsa_check_padding(const PROV_RSA_CTX *prsactx, + const char *mdname, const char *mgf1_mdname, + int mdnid) { - if (padding == RSA_NO_PADDING) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); - return 0; - } - - if (padding == RSA_X931_PADDING) { - if (RSA_X931_hash_id(mdnid) == -1) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); + switch(prsactx->pad_mode) { + case RSA_NO_PADDING: + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); return 0; - } + case RSA_X931_PADDING: + if (RSA_X931_hash_id(mdnid) == -1) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); + return 0; + } + break; + case RSA_PKCS1_PSS_PADDING: + if (rsa_pss_restricted(prsactx)) + if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname)) + || (mgf1_mdname != NULL + && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) { + ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); + return 0; + } + break; + default: + break; } return 1; } -static int rsa_check_parameters(PROV_RSA_CTX *prsactx) +static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) { if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { int max_saltlen; @@ -146,10 +160,11 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx) max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_size(prsactx->md); if ((RSA_bits(prsactx->rsa) & 0x7) == 1) max_saltlen--; - if (prsactx->min_saltlen < 0 || prsactx->min_saltlen > max_saltlen) { + if (min_saltlen < 0 || min_saltlen > max_saltlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); return 0; } + prsactx->min_saltlen = min_saltlen; } return 1; } @@ -176,8 +191,81 @@ static void *rsa_newctx(void *provctx, const char *propq) return prsactx; } -/* True if PSS parameters are restricted */ -#define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1) +static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) +{ + int saltlen = ctx->saltlen; + + if (saltlen == RSA_PSS_SALTLEN_DIGEST) { + saltlen = EVP_MD_size(ctx->md); + } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) { + saltlen = RSA_size(ctx->rsa) - EVP_MD_size(ctx->md) - 2; + if ((RSA_bits(ctx->rsa) & 0x7) == 1) + saltlen--; + } + if (saltlen < 0) { + ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); + return -1; + } else if (saltlen < ctx->min_saltlen) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL, + "minimum salt length: %d, actual salt length: %d", + ctx->min_saltlen, saltlen); + return -1; + } + return saltlen; +} + +static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx, + unsigned char *aid_buf, + size_t buf_len, + size_t *aid_len) +{ + WPACKET pkt; + unsigned char *aid = NULL; + int saltlen; + RSA_PSS_PARAMS_30 pss_params; + + if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return NULL; + } + + switch(ctx->pad_mode) { + case RSA_PKCS1_PADDING: + if (!ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, + ctx->mdnid)) { + ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); + goto cleanup; + } + break; + case RSA_PKCS1_PSS_PADDING: + saltlen = rsa_pss_compute_saltlen(ctx); + if (saltlen < 0) + goto cleanup; + if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) + || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid) + || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, + ctx->mgf1_mdnid) + || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) + || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1, + RSA_FLAG_TYPE_RSASSAPSS, + &pss_params)) { + ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); + goto cleanup; + } + break; + default: + ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED, + "Algorithm ID generation"); + goto cleanup; + } + if (WPACKET_finish(&pkt)) { + WPACKET_get_total_written(&pkt, aid_len); + aid = WPACKET_get_curr(&pkt); + } + cleanup: + WPACKET_cleanup(&pkt); + return aid; +} static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, const char *mdprops) @@ -186,7 +274,6 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, mdprops = ctx->propq; if (mdname != NULL) { - WPACKET pkt; EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); int md_nid = digest_rsa_sign_get_md_nid(md, sha1_allowed); @@ -194,7 +281,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (md == NULL || md_nid == NID_undef - || !rsa_check_padding(md_nid, ctx->pad_mode) + || !rsa_check_padding(ctx, mdname, NULL, md_nid) || mdname_len >= sizeof(ctx->mdname)) { if (md == NULL) ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, @@ -209,27 +296,20 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, return 0; } + if (!ctx->mgf1_md_set) { + if (!EVP_MD_up_ref(md)) { + EVP_MD_free(md); + return 0; + } + EVP_MD_free(ctx->mgf1_md); + ctx->mgf1_md = md; + ctx->mgf1_mdnid = md_nid; + OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); + } + EVP_MD_CTX_free(ctx->mdctx); EVP_MD_free(ctx->md); - /* - * TODO(3.0) Should we care about DER writing errors? - * All it really means is that for some reason, there's no - * AlgorithmIdentifier to be had (consider RSA with MD5-SHA1), - * but the operation itself is still valid, just as long as it's - * not used to construct anything that needs an AlgorithmIdentifier. - */ - ctx->aid_len = 0; - if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)) - && ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, - ctx->rsa, - md_nid) - && WPACKET_finish(&pkt)) { - WPACKET_get_total_written(&pkt, &ctx->aid_len); - ctx->aid = WPACKET_get_curr(&pkt); - } - WPACKET_cleanup(&pkt); - ctx->mdctx = NULL; ctx->md = md; ctx->mdnid = md_nid; @@ -244,33 +324,37 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, { size_t len; EVP_MD *md = NULL; + int mdnid; if (mdprops == NULL) mdprops = ctx->propq; - if (ctx->mgf1_mdname[0] != '\0') - EVP_MD_free(ctx->mgf1_md); - if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "%s could not be fetched", mdname); return 0; } /* The default for mgf1 is SHA1 - so allow SHA1 */ - if (digest_rsa_sign_get_md_nid(md, 1) == NID_undef) { - ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, - "digest=%s", mdname); + if ((mdnid = digest_rsa_sign_get_md_nid(md, 1)) == NID_undef + || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { + if (mdnid == NID_undef) + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); EVP_MD_free(md); return 0; } - ctx->mgf1_md = md; len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); if (len >= sizeof(ctx->mgf1_mdname)) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "%s exceeds name buffer length", mdname); + EVP_MD_free(md); return 0; } + EVP_MD_free(ctx->mgf1_md); + ctx->mgf1_md = md; + ctx->mgf1_mdnid = mdnid; + ctx->mgf1_md_set = 1; return 1; } @@ -317,7 +401,6 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, int operation) mdname = ossl_rsa_oaeppss_nid2name(md_nid); mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid); - prsactx->min_saltlen = min_saltlen; if (mdname == NULL) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, @@ -346,9 +429,10 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, int operation) } prsactx->saltlen = min_saltlen; - return rsa_setup_md(prsactx, mdname, prsactx->propq) - && rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) - && rsa_check_parameters(prsactx); + /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ + return rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) + && rsa_setup_md(prsactx, mdname, prsactx->propq) + && rsa_check_parameters(prsactx, min_saltlen); } } @@ -727,8 +811,12 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, if (prsactx != NULL) prsactx->flag_allow_md = 0; - if (!rsa_signverify_init(vprsactx, vrsa, operation) - || !rsa_setup_md(prsactx, mdname, NULL)) /* TODO RL */ + if (!rsa_signverify_init(vprsactx, vrsa, operation)) + return 0; + if (mdname != NULL + /* was rsa_setup_md already called in rsa_signverify_init()? */ + && (mdname[0] == '\0' || strcasecmp(prsactx->mdname, mdname) != 0) + && !rsa_setup_md(prsactx, mdname, prsactx->propq)) return 0; prsactx->mdctx = EVP_MD_CTX_new(); @@ -912,9 +1000,17 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) return 0; p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); - if (p != NULL - && !OSSL_PARAM_set_octet_string(p, prsactx->aid, prsactx->aid_len)) - return 0; + if (p != NULL) { + /* The Algorithm Identifier of the combined signature algorithm */ + unsigned char aid_buf[128]; + unsigned char *aid; + size_t aid_len; + + aid = rsa_generate_signature_aid(prsactx, aid_buf, + sizeof(aid_buf), &aid_len); + if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len)) + return 0; + } p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE); if (p != NULL) @@ -1011,6 +1107,12 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; const OSSL_PARAM *p; + int pad_mode = prsactx->pad_mode; + int saltlen = prsactx->saltlen; + char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; + char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; + char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; + char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL; if (prsactx == NULL || params == NULL) return 0; @@ -1020,37 +1122,24 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) if (p != NULL && !prsactx->flag_allow_md) return 0; if (p != NULL) { - char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname; - char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops; const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PROPERTIES); + pmdname = mdname; if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) return 0; - if (propsp == NULL) - pmdprops = NULL; - else if (!OSSL_PARAM_get_utf8_string(propsp, - &pmdprops, sizeof(mdprops))) - return 0; - - if (rsa_pss_restricted(prsactx)) { - /* TODO(3.0) figure out what to do for prsactx->md == NULL */ - if (prsactx->md == NULL || EVP_MD_is_a(prsactx->md, mdname)) - return 1; - ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); - return 0; + if (propsp != NULL) { + pmdprops = mdprops; + if (!OSSL_PARAM_get_utf8_string(propsp, + &pmdprops, sizeof(mdprops))) + return 0; } - - /* non-PSS code follows */ - if (!rsa_setup_md(prsactx, mdname, pmdprops)) - return 0; } p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE); if (p != NULL) { - int pad_mode = 0; const char *err_extra_text = NULL; switch (p->data_type) { @@ -1092,10 +1181,6 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) "PSS padding only allowed for sign and verify operations"; goto bad_pad; } - if (prsactx->md == NULL - && !rsa_setup_md(prsactx, RSA_DEFAULT_DIGEST_NAME, NULL)) { - return 0; - } break; case RSA_PKCS1_PADDING: err_extra_text = "PKCS#1 padding not allowed with RSA-PSS"; @@ -1124,16 +1209,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) err_extra_text); return 0; } - if (!rsa_check_padding(prsactx->mdnid, pad_mode)) - return 0; - prsactx->pad_mode = pad_mode; } p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN); if (p != NULL) { - int saltlen; - - if (prsactx->pad_mode != RSA_PKCS1_PSS_PADDING) { + if (pad_mode != RSA_PKCS1_PSS_PADDING) { ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED, "PSS saltlen can only be specified if " "PSS padding has been specified first"); @@ -1199,46 +1279,49 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) } } } - - prsactx->saltlen = saltlen; } p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST); if (p != NULL) { - char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname; - char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops; const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES); - if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname))) + pmgf1mdname = mgf1mdname; + if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname))) return 0; - if (propsp == NULL) - pmdprops = NULL; - else if (!OSSL_PARAM_get_utf8_string(propsp, - &pmdprops, sizeof(mdprops))) - return 0; + if (propsp != NULL) { + pmgf1mdprops = mgf1mdprops; + if (!OSSL_PARAM_get_utf8_string(propsp, + &pmgf1mdprops, sizeof(mgf1mdprops))) + return 0; + } - if (prsactx->pad_mode != RSA_PKCS1_PSS_PADDING) { + if (pad_mode != RSA_PKCS1_PSS_PADDING) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD); return 0; } + } - if (rsa_pss_restricted(prsactx)) { - /* TODO(3.0) figure out what to do for prsactx->mgf1_md == NULL */ - if (prsactx->mgf1_md == NULL - || EVP_MD_is_a(prsactx->mgf1_md, mdname)) - return 1; - ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); - return 0; - } + prsactx->saltlen = saltlen; + prsactx->pad_mode = pad_mode; + + if (prsactx->md == NULL && pmdname == NULL + && pad_mode == RSA_PKCS1_PSS_PADDING) + pmdname = RSA_DEFAULT_DIGEST_NAME; - /* non-PSS code follows */ - if (!rsa_setup_mgf1_md(prsactx, mdname, pmdprops)) + if (pmgf1mdname != NULL + && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) + return 0; + + if (pmdname != NULL) { + if (!rsa_setup_md(prsactx, pmdname, pmdprops)) + return 0; + } else { + if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid)) return 0; } - return 1; } diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 3f0d9f59e7..ab6c6e681b 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -93,7 +93,7 @@ subtest "generating certificate requests with RSA" => sub { }; subtest "generating certificate requests with RSA-PSS" => sub { - plan tests => 4; + plan tests => 12; SKIP: { skip "RSA is not supported by this OpenSSL build", 2 @@ -104,7 +104,6 @@ subtest "generating certificate requests with RSA-PSS" => sub { "-new", "-out", "testreq-rsapss.pem", "-utf8", "-key", srctop_file("test", "testrsapss.pem")])), "Generating request"); - ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-rsapss.pem", "-noout"])), @@ -117,11 +116,60 @@ subtest "generating certificate requests with RSA-PSS" => sub { "-sigopt", "rsa_pss_saltlen:-1", "-key", srctop_file("test", "testrsapss.pem")])), "Generating request"); - ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-rsapss2.pem", "-noout"])), "Verifying signature on request"); + + ok(run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsapssmand.pem", "-utf8", + "-sigopt", "rsa_padding_mode:pss", + "-key", srctop_file("test", "testrsapssmandatory.pem")])), + "Generating request"); + ok(run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-verify", "-in", "testreq-rsapssmand.pem", "-noout"])), + "Verifying signature on request"); + + ok(run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsapssmand2.pem", "-utf8", + "-sigopt", "rsa_pss_saltlen:100", + "-key", srctop_file("test", "testrsapssmandatory.pem")])), + "Generating request"); + ok(run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])), + "Verifying signature on request"); + + ok(!run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsapss3.pem", "-utf8", + "-sigopt", "rsa_padding_mode:pkcs1", + "-key", srctop_file("test", "testrsapss.pem")])), + "Generating request with expected failure"); + + ok(!run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsapss3.pem", "-utf8", + "-sigopt", "rsa_pss_saltlen:-4", + "-key", srctop_file("test", "testrsapss.pem")])), + "Generating request with expected failure"); + + ok(!run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", + "-sigopt", "rsa_pss_saltlen:10", + "-key", srctop_file("test", "testrsapssmandatory.pem")])), + "Generating request with expected failure"); + + ok(!run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", + "-sha256", + "-key", srctop_file("test", "testrsapssmandatory.pem")])), + "Generating request with expected failure"); } }; diff --git a/test/testrsapssmandatory.pem b/test/testrsapssmandatory.pem new file mode 100644 index 0000000000..d01ae82c88 --- /dev/null +++ b/test/testrsapssmandatory.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7gIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCA6EaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgOiAwIBQASCBKgwggSkAgEAAoIBAQDdiLMYj8fgrXKB +dEC704hcfmeJebCyaZbYHBE/1YthJOptbhisBbNk4onKMITO6hkYOoH12rNxqwY5 +d9J1Ray6SJETVHxYCKftJ1LlrUJGqpyRCAAff1LYjjGRyqcMzVItWffy2iCgKGud +uUqs9Og3wsVxUeXfTSGnLo1UevVc1qTKZJuDRWD2EItuwnFt7GA89IgGx8/liLsg +cdlnm81gGdDmNKxNGi3VeOaJqFWnP9CpL8iXybG7F32U9mgEdE+EYt8GhQfNLzjL +j17xfLl5K0SMqL8q+phas6Md0OmTl3Xg8Tupdoo/okAoYGXrv/sHDiV1YBSkXD4i +dbV42aUfAgMBAAECggEAEyEJrfZEYR85Avqh2FYksS/tCs7qNg2uC80opCVxWpsQ +bxCRqtD3M5/oHABih2dpcVEkBbGzyv3klLPHBX9VseQwOsYR0pw0u+KoYtK6JVX4 +HQHe2Nlqsu5cU2V3VUCpducM5Ph21r2GxWDJlPO01ZPI7scOnWCQpln7tC7F3xU0 +jNQ0SnFZ6SO4FrrBxOMjnIFiNMexxZt0fU7khy/dGck9aN4DtmQENcQkGdXj5xRv +lInh92mQ16yMCbEU8cslWaAwqRF/k/5QxoIwTXr8PqaWshH9TIAht0rvTilWpHPg +zpW6Pog/wGzVat3NeU3vBDYIUayHc6n3gbfJZDNxmQKBgQD41lAkxNsA89mYY7S9 +5NkDJ1N1hKNwg+iEyCZJkjxUk+SymdO7U/iD27Hgn/XyXm4RC5aHYpXJSnuiOk7R +Z1Az1jjqLzPxsP72sWLORzGq82smYrK+iV2rhozWNlfVyazDkBcRRz2bLSESzgvO +JWD3K3pjvj8U9ZSUhz+zXo4sUwKBgQDj6TBTKGDb8Au8sUOC916GrIrUEq5SkMDT +A4CiD4fmvbdNs90AhD/mmqBw/dP3TbCPNmP8tGMUT0BDev6BoRKYOt+1XGYXt2de +P38teVU/ZUcAO2RGdMNSdWT5o9BCWQZ18qSoOR/QanckOnkhKCgU/wqSdIvBBRMQ +5e4qdI0qhQKBgB2MJTwYfADi88WaoU2jLPmo48oik926bBPISHOX/73zScbDaVbn +I61UmwyXMfczq1Iu1BMDa9HZHFEpJ07KO8XL/DoinMJoR/43Fgp0fbtU6DZIpfzm +Bs9lTLfrAAcMyYz3QSX2FaSleTXobZJu8dKnwQKzBn6QorH4VWIRKkStAoGBAIYL +M1nlaLpSf4S2OT/A376Ton9CkXaMHmy9JZ2rRsHmGPZBcB0Kq06k6PIrx8wuzEYe +tkX9jjx2tBQ8NY3mPzp7ffF766vNOaWL8O+86e+EUHMJe1uY9vv7gaz1tNog5BTg +5gjuuBBrXbFYFr/yj0hyDDTBCSU4J9OLeD1OGWzFAoGBAMGc9h8oLyA3rQEjIuVA +CuzgvZxOFPbtODFPcL4EQgAKLiKS+oZK0jONfCHaQB1AhIq8/nT/4suw7tWqYoKp +KGH/+8tKNodKZfZLjVp0k8gsehyMDz1002/RLMJyFRIJWa1BqEJs7v7XgWW3RcmC +PWznhdpNx3BYDSao5Ibl7I5E +-----END PRIVATE KEY----- From levitte at openssl.org Fri Feb 5 13:09:25 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 05 Feb 2021 13:09:25 +0000 Subject: [openssl] master update Message-ID: <1612530565.806972.21483.nullmailer@dev.openssl.org> The branch master has been updated via e337b82410a031f0ff60ebf6744b97da2a276e51 (commit) via b14c8465c0899c3c2b2acc3d01472941de4c318e (commit) from bbde8566191e5851f4418cbb8acb0d50b16170d8 (commit) - Log ----------------------------------------------------------------- commit e337b82410a031f0ff60ebf6744b97da2a276e51 Author: Richard Levitte Date: Thu Nov 12 11:36:38 2020 +0100 ERR: Rebuild all generated error headers and source files This is the result of 'make errors ERROR_REBUILD=-rebuild' Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13392) commit b14c8465c0899c3c2b2acc3d01472941de4c318e Author: Richard Levitte Date: Thu Nov 12 09:21:05 2020 +0100 ERR: clean away everything related to _F_ macros from util/mkerr.pl Instead, we preserve all the pre-3.0 _F_ macros in the backward compatibility headers include/openssl/cryptoerr_legacy.h and include/openssl/sslerr_legacy.h Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13392) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 1890 --------------------- engines/e_afalg.txt | 9 - engines/e_afalg_err.h | 12 - engines/e_capi.txt | 22 - engines/e_capi_err.h | 26 - engines/e_dasync.txt | 13 - engines/e_dasync_err.h | 17 - engines/e_loader_attic.txt | 2 - engines/e_loader_attic_err.h | 6 - engines/e_ossltest.txt | 4 - engines/e_ossltest_err.h | 8 - include/crypto/sm2err.h | 24 - include/internal/dsoerr.h | 41 - include/internal/propertyerr.h | 14 - include/openssl/asn1err.h | 121 -- include/openssl/asyncerr.h | 13 - include/openssl/bioerr.h | 62 - include/openssl/bnerr.h | 56 - include/openssl/buffererr.h | 9 - include/openssl/cmperr.h | 6 - include/openssl/cmserr.h | 98 -- include/openssl/comperr.h | 11 - include/openssl/conferr.h | 29 - include/openssl/crmferr.h | 25 - include/openssl/cryptoerr.h | 54 - include/openssl/cryptoerr_legacy.h | 1381 +++++++++++++++ include/openssl/cterr.h | 33 - include/openssl/decodererr.h | 6 - include/openssl/dherr.h | 34 - include/openssl/dsaerr.h | 29 - include/openssl/ecerr.h | 196 --- include/openssl/encodererr.h | 6 - include/openssl/engineerr.h | 46 - include/openssl/esserr.h | 12 - include/openssl/evperr.h | 137 -- include/openssl/httperr.h | 6 - include/openssl/objectserr.h | 15 - include/openssl/ocsperr.h | 20 - include/openssl/pemerr.h | 48 - include/openssl/pkcs12err.h | 36 - include/openssl/pkcs7err.h | 40 - include/openssl/randerr.h | 30 - include/openssl/rsaerr.h | 69 - include/openssl/sslerr.h | 437 ----- include/openssl/sslerr_legacy.h | 434 ++++- include/openssl/storeerr.h | 44 - include/openssl/tserr.h | 57 - include/openssl/uierr.h | 27 - include/openssl/x509err.h | 74 - include/openssl/x509v3err.h | 76 - providers/common/include/prov/providercommonerr.h | 26 - util/mkerr.pl | 222 +-- 52 files changed, 1824 insertions(+), 4289 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 9bc59a4bfb..d64b356044 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -5,1896 +5,6 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -# Function codes -ASN1_F_A2D_ASN1_OBJECT:100:a2d_ASN1_OBJECT -ASN1_F_A2I_ASN1_INTEGER:102:a2i_ASN1_INTEGER -ASN1_F_A2I_ASN1_STRING:103:a2i_ASN1_STRING -ASN1_F_APPEND_EXP:176:append_exp -ASN1_F_ASN1_BIO_INIT:113:asn1_bio_init -ASN1_F_ASN1_BIT_STRING_SET_BIT:183:ASN1_BIT_STRING_set_bit -ASN1_F_ASN1_CB:177:asn1_cb -ASN1_F_ASN1_CHECK_TLEN:104:asn1_check_tlen -ASN1_F_ASN1_COLLECT:106:asn1_collect -ASN1_F_ASN1_D2I_EX_PRIMITIVE:108:asn1_d2i_ex_primitive -ASN1_F_ASN1_D2I_FP:109:ASN1_d2i_fp -ASN1_F_ASN1_D2I_READ_BIO:107:asn1_d2i_read_bio -ASN1_F_ASN1_DIGEST:184:ASN1_digest -ASN1_F_ASN1_DO_ADB:110:asn1_do_adb -ASN1_F_ASN1_DO_LOCK:233:asn1_do_lock -ASN1_F_ASN1_DUP:111:ASN1_dup -ASN1_F_ASN1_ENC_SAVE:115:asn1_enc_save -ASN1_F_ASN1_EX_C2I:204:asn1_ex_c2i -ASN1_F_ASN1_FIND_END:190:asn1_find_end -ASN1_F_ASN1_GENERALIZEDTIME_ADJ:216:ASN1_GENERALIZEDTIME_adj -ASN1_F_ASN1_GENERATE_V3:178:ASN1_generate_v3 -ASN1_F_ASN1_GET_INT64:224:asn1_get_int64 -ASN1_F_ASN1_GET_OBJECT:114:ASN1_get_object -ASN1_F_ASN1_GET_UINT64:225:asn1_get_uint64 -ASN1_F_ASN1_I2D_BIO:116:ASN1_i2d_bio -ASN1_F_ASN1_I2D_FP:117:ASN1_i2d_fp -ASN1_F_ASN1_ITEM_D2I_FP:206:ASN1_item_d2i_fp -ASN1_F_ASN1_ITEM_DUP:191:ASN1_item_dup -ASN1_F_ASN1_ITEM_EMBED_D2I:120:asn1_item_embed_d2i -ASN1_F_ASN1_ITEM_EMBED_NEW:121:asn1_item_embed_new -ASN1_F_ASN1_ITEM_FLAGS_I2D:118:asn1_item_flags_i2d -ASN1_F_ASN1_ITEM_I2D_BIO:192:ASN1_item_i2d_bio -ASN1_F_ASN1_ITEM_I2D_FP:193:ASN1_item_i2d_fp -ASN1_F_ASN1_ITEM_PACK:198:ASN1_item_pack -ASN1_F_ASN1_ITEM_SIGN_CTX:220:ASN1_item_sign_ctx -ASN1_F_ASN1_ITEM_UNPACK:199:ASN1_item_unpack -ASN1_F_ASN1_ITEM_VERIFY:197:ASN1_item_verify -ASN1_F_ASN1_MBSTRING_NCOPY:122:ASN1_mbstring_ncopy -ASN1_F_ASN1_OBJECT_NEW:123:ASN1_OBJECT_new -ASN1_F_ASN1_OUTPUT_DATA:214:asn1_output_data -ASN1_F_ASN1_PCTX_NEW:205:ASN1_PCTX_new -ASN1_F_ASN1_PRIMITIVE_NEW:119:asn1_primitive_new -ASN1_F_ASN1_SCTX_NEW:221:ASN1_SCTX_new -ASN1_F_ASN1_SIGN:128:ASN1_sign -ASN1_F_ASN1_STR2TYPE:179:asn1_str2type -ASN1_F_ASN1_STRING_GET_INT64:227:asn1_string_get_int64 -ASN1_F_ASN1_STRING_GET_UINT64:230:asn1_string_get_uint64 -ASN1_F_ASN1_STRING_SET:186:ASN1_STRING_set -ASN1_F_ASN1_STRING_TABLE_ADD:129:ASN1_STRING_TABLE_add -ASN1_F_ASN1_STRING_TO_BN:228:asn1_string_to_bn -ASN1_F_ASN1_STRING_TYPE_NEW:130:ASN1_STRING_type_new -ASN1_F_ASN1_TEMPLATE_EX_D2I:132:asn1_template_ex_d2i -ASN1_F_ASN1_TEMPLATE_NEW:133:asn1_template_new -ASN1_F_ASN1_TEMPLATE_NOEXP_D2I:131:asn1_template_noexp_d2i -ASN1_F_ASN1_TIME_ADJ:217:ASN1_TIME_adj -ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING:134:ASN1_TYPE_get_int_octetstring -ASN1_F_ASN1_TYPE_GET_OCTETSTRING:135:ASN1_TYPE_get_octetstring -ASN1_F_ASN1_TYPE_GET_OCTETSTRING_INT:146: -ASN1_F_ASN1_UTCTIME_ADJ:218:ASN1_UTCTIME_adj -ASN1_F_ASN1_VERIFY:137:ASN1_verify -ASN1_F_B64_READ_ASN1:209:b64_read_asn1 -ASN1_F_B64_WRITE_ASN1:210:B64_write_ASN1 -ASN1_F_BIO_NEW_NDEF:208:BIO_new_NDEF -ASN1_F_BITSTR_CB:180:bitstr_cb -ASN1_F_BN_TO_ASN1_STRING:229:bn_to_asn1_string -ASN1_F_C2I_ASN1_BIT_STRING:189:c2i_ASN1_BIT_STRING -ASN1_F_C2I_ASN1_INTEGER:194:c2i_ASN1_INTEGER -ASN1_F_C2I_ASN1_OBJECT:196:c2i_ASN1_OBJECT -ASN1_F_C2I_IBUF:226:c2i_ibuf -ASN1_F_C2I_UINT64_INT:101:c2i_uint64_int -ASN1_F_COLLECT_DATA:140:collect_data -ASN1_F_D2I_ASN1_OBJECT:147:d2i_ASN1_OBJECT -ASN1_F_D2I_ASN1_UINTEGER:150:d2i_ASN1_UINTEGER -ASN1_F_D2I_AUTOPRIVATEKEY:207:d2i_AutoPrivateKey -ASN1_F_D2I_KEYPARAMS:144:d2i_KeyParams -ASN1_F_D2I_PRIVATEKEY:154:d2i_PrivateKey -ASN1_F_D2I_PUBLICKEY:155:d2i_PublicKey -ASN1_F_DO_BUF:142:do_buf -ASN1_F_DO_CREATE:124:do_create -ASN1_F_DO_DUMP:125:do_dump -ASN1_F_DO_TCREATE:222:do_tcreate -ASN1_F_I2A_ASN1_OBJECT:126:i2a_ASN1_OBJECT -ASN1_F_I2D_ASN1_BIO_STREAM:211:i2d_ASN1_bio_stream -ASN1_F_I2D_ASN1_OBJECT:143:i2d_ASN1_OBJECT -ASN1_F_I2D_DSA_PUBKEY:161:i2d_DSA_PUBKEY -ASN1_F_I2D_EC_PUBKEY:181:i2d_EC_PUBKEY -ASN1_F_I2D_KEYPARAMS:145:i2d_KeyParams -ASN1_F_I2D_PRIVATEKEY:163:i2d_PrivateKey -ASN1_F_I2D_PUBLICKEY:164:i2d_PublicKey -ASN1_F_I2D_RSA_PUBKEY:165:i2d_RSA_PUBKEY -ASN1_F_LONG_C2I:166:long_c2i -ASN1_F_NDEF_PREFIX:127:ndef_prefix -ASN1_F_NDEF_SUFFIX:136:ndef_suffix -ASN1_F_OID_MODULE_INIT:174:oid_module_init -ASN1_F_PARSE_TAGGING:182:parse_tagging -ASN1_F_PKCS5_PBE2_SET_IV:167:PKCS5_pbe2_set_iv -ASN1_F_PKCS5_PBE2_SET_SCRYPT:231:PKCS5_pbe2_set_scrypt -ASN1_F_PKCS5_PBE_SET:202:PKCS5_pbe_set -ASN1_F_PKCS5_PBE_SET0_ALGOR:215:PKCS5_pbe_set0_algor -ASN1_F_PKCS5_PBKDF2_SET:219:PKCS5_pbkdf2_set -ASN1_F_PKCS5_SCRYPT_SET:232:pkcs5_scrypt_set -ASN1_F_SMIME_READ_ASN1:212:SMIME_read_ASN1 -ASN1_F_SMIME_TEXT:213:SMIME_text -ASN1_F_STABLE_GET:138:stable_get -ASN1_F_STBL_MODULE_INIT:223:stbl_module_init -ASN1_F_UINT32_C2I:105:uint32_c2i -ASN1_F_UINT32_NEW:139:uint32_new -ASN1_F_UINT64_C2I:112:uint64_c2i -ASN1_F_UINT64_NEW:141:uint64_new -ASN1_F_X509_CRL_ADD0_REVOKED:169:X509_CRL_add0_revoked -ASN1_F_X509_INFO_NEW:170:X509_INFO_new -ASN1_F_X509_NAME_ENCODE:203:x509_name_encode -ASN1_F_X509_NAME_EX_D2I:158:x509_name_ex_d2i -ASN1_F_X509_NAME_EX_NEW:171:x509_name_ex_new -ASN1_F_X509_PKEY_NEW:173:X509_PKEY_new -ASYNC_F_ASYNC_CTX_NEW:100:async_ctx_new -ASYNC_F_ASYNC_INIT_THREAD:101:ASYNC_init_thread -ASYNC_F_ASYNC_JOB_NEW:102:async_job_new -ASYNC_F_ASYNC_PAUSE_JOB:103:ASYNC_pause_job -ASYNC_F_ASYNC_START_FUNC:104:async_start_func -ASYNC_F_ASYNC_START_JOB:105:ASYNC_start_job -ASYNC_F_ASYNC_WAIT_CTX_SET_WAIT_FD:106:ASYNC_WAIT_CTX_set_wait_fd -BIO_F_ACPT_STATE:100:acpt_state -BIO_F_ADDRINFO_WRAP:148:addrinfo_wrap -BIO_F_ADDR_STRINGS:134:addr_strings -BIO_F_BIO_ACCEPT:101:BIO_accept -BIO_F_BIO_ACCEPT_EX:137:BIO_accept_ex -BIO_F_BIO_ACCEPT_NEW:152:BIO_ACCEPT_new -BIO_F_BIO_ADDR_NEW:144:BIO_ADDR_new -BIO_F_BIO_BIND:147:BIO_bind -BIO_F_BIO_CALLBACK_CTRL:131:BIO_callback_ctrl -BIO_F_BIO_CONNECT:138:BIO_connect -BIO_F_BIO_CONNECT_NEW:153:BIO_CONNECT_new -BIO_F_BIO_CTRL:103:BIO_ctrl -BIO_F_BIO_GETS:104:BIO_gets -BIO_F_BIO_GET_HOST_IP:106:BIO_get_host_ip -BIO_F_BIO_GET_NEW_INDEX:102:BIO_get_new_index -BIO_F_BIO_GET_PORT:107:BIO_get_port -BIO_F_BIO_LISTEN:139:BIO_listen -BIO_F_BIO_LOOKUP:135:BIO_lookup -BIO_F_BIO_LOOKUP_EX:143:BIO_lookup_ex -BIO_F_BIO_MAKE_PAIR:121:bio_make_pair -BIO_F_BIO_METH_NEW:146:BIO_meth_new -BIO_F_BIO_NEW:108:BIO_new -BIO_F_BIO_NEW_DGRAM_SCTP:145:BIO_new_dgram_sctp -BIO_F_BIO_NEW_FILE:109:BIO_new_file -BIO_F_BIO_NEW_MEM_BUF:126:BIO_new_mem_buf -BIO_F_BIO_NREAD:123:BIO_nread -BIO_F_BIO_NREAD0:124:BIO_nread0 -BIO_F_BIO_NWRITE:125:BIO_nwrite -BIO_F_BIO_NWRITE0:122:BIO_nwrite0 -BIO_F_BIO_PARSE_HOSTSERV:136:BIO_parse_hostserv -BIO_F_BIO_PUTS:110:BIO_puts -BIO_F_BIO_READ:111:BIO_read -BIO_F_BIO_READ_EX:105:BIO_read_ex -BIO_F_BIO_READ_INTERN:120:bio_read_intern -BIO_F_BIO_SOCKET:140:BIO_socket -BIO_F_BIO_SOCKET_NBIO:142:BIO_socket_nbio -BIO_F_BIO_SOCK_INFO:141:BIO_sock_info -BIO_F_BIO_SOCK_INIT:112:BIO_sock_init -BIO_F_BIO_WRITE:113:BIO_write -BIO_F_BIO_WRITE_EX:119:BIO_write_ex -BIO_F_BIO_WRITE_INTERN:128:bio_write_intern -BIO_F_BUFFER_CTRL:114:buffer_ctrl -BIO_F_CONN_CTRL:127:conn_ctrl -BIO_F_CONN_STATE:115:conn_state -BIO_F_DGRAM_SCTP_NEW:149:dgram_sctp_new -BIO_F_DGRAM_SCTP_READ:132:dgram_sctp_read -BIO_F_DGRAM_SCTP_WRITE:133:dgram_sctp_write -BIO_F_DOAPR_OUTCH:150:doapr_outch -BIO_F_FILE_CTRL:116:file_ctrl -BIO_F_FILE_READ:130:file_read -BIO_F_LINEBUFFER_CTRL:129:linebuffer_ctrl -BIO_F_LINEBUFFER_NEW:151:linebuffer_new -BIO_F_MEM_WRITE:117:mem_write -BIO_F_NBIOF_NEW:154:nbiof_new -BIO_F_SLG_WRITE:155:slg_write -BIO_F_SSL_NEW:118:SSL_new -BN_F_BNRAND:127:bnrand -BN_F_BNRAND_RANGE:138:bnrand_range -BN_F_BN_BLINDING_CONVERT_EX:100:BN_BLINDING_convert_ex -BN_F_BN_BLINDING_CREATE_PARAM:128:BN_BLINDING_create_param -BN_F_BN_BLINDING_INVERT_EX:101:BN_BLINDING_invert_ex -BN_F_BN_BLINDING_NEW:102:BN_BLINDING_new -BN_F_BN_BLINDING_UPDATE:103:BN_BLINDING_update -BN_F_BN_BN2DEC:104:BN_bn2dec -BN_F_BN_BN2HEX:105:BN_bn2hex -BN_F_BN_COMPUTE_WNAF:142:bn_compute_wNAF -BN_F_BN_CTX_GET:116:BN_CTX_get -BN_F_BN_CTX_NEW:106:BN_CTX_new -BN_F_BN_CTX_NEW_EX:151:BN_CTX_new_ex -BN_F_BN_CTX_START:129:BN_CTX_start -BN_F_BN_DIV:107:BN_div -BN_F_BN_DIV_RECP:130:BN_div_recp -BN_F_BN_EXP:123:BN_exp -BN_F_BN_EXPAND_INTERNAL:120:bn_expand_internal -BN_F_BN_GENCB_NEW:143:BN_GENCB_new -BN_F_BN_GENERATE_DSA_NONCE:140:BN_generate_dsa_nonce -BN_F_BN_GENERATE_PRIME_EX:141:BN_generate_prime_ex -BN_F_BN_GENERATE_PRIME_EX2:152:BN_generate_prime_ex2 -BN_F_BN_GF2M_MOD:131:BN_GF2m_mod -BN_F_BN_GF2M_MOD_EXP:132:BN_GF2m_mod_exp -BN_F_BN_GF2M_MOD_MUL:133:BN_GF2m_mod_mul -BN_F_BN_GF2M_MOD_SOLVE_QUAD:134:BN_GF2m_mod_solve_quad -BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR:135:BN_GF2m_mod_solve_quad_arr -BN_F_BN_GF2M_MOD_SQR:136:BN_GF2m_mod_sqr -BN_F_BN_GF2M_MOD_SQRT:137:BN_GF2m_mod_sqrt -BN_F_BN_LSHIFT:145:BN_lshift -BN_F_BN_MOD_EXP2_MONT:118:BN_mod_exp2_mont -BN_F_BN_MOD_EXP_MONT:109:BN_mod_exp_mont -BN_F_BN_MOD_EXP_MONT_CONSTTIME:124:BN_mod_exp_mont_consttime -BN_F_BN_MOD_EXP_MONT_WORD:117:BN_mod_exp_mont_word -BN_F_BN_MOD_EXP_RECP:125:BN_mod_exp_recp -BN_F_BN_MOD_EXP_SIMPLE:126:BN_mod_exp_simple -BN_F_BN_MOD_INVERSE:110:BN_mod_inverse -BN_F_BN_MOD_LSHIFT_QUICK:119:BN_mod_lshift_quick -BN_F_BN_MOD_SQRT:121:BN_mod_sqrt -BN_F_BN_MONT_CTX_NEW:149:BN_MONT_CTX_new -BN_F_BN_MPI2BN:112:BN_mpi2bn -BN_F_BN_NEW:113:BN_new -BN_F_BN_POOL_GET:147:BN_POOL_get -BN_F_BN_RAND:114:BN_rand -BN_F_BN_RAND_RANGE:122:BN_rand_range -BN_F_BN_RECP_CTX_NEW:150:BN_RECP_CTX_new -BN_F_BN_RSHIFT:146:BN_rshift -BN_F_BN_SET_WORDS:144:bn_set_words -BN_F_BN_STACK_PUSH:148:BN_STACK_push -BN_F_BN_USUB:115:BN_usub -BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow -BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean -BUF_F_BUF_MEM_NEW:101:BUF_MEM_new -CMS_F_CHECK_CONTENT:99:check_content -CMS_F_CMS_ADD0_CERT:164:CMS_add0_cert -CMS_F_CMS_ADD0_RECIPIENT_KEY:100:CMS_add0_recipient_key -CMS_F_CMS_ADD0_RECIPIENT_PASSWORD:165:CMS_add0_recipient_password -CMS_F_CMS_ADD1_RECEIPTREQUEST:158:CMS_add1_ReceiptRequest -CMS_F_CMS_ADD1_RECIPIENT:184: -CMS_F_CMS_ADD1_RECIPIENT_CERT:101:CMS_add1_recipient_cert -CMS_F_CMS_ADD1_SIGNER:102:CMS_add1_signer -CMS_F_CMS_ADD1_SIGNINGTIME:103:cms_add1_signingTime -CMS_F_CMS_ADD1_SIGNING_CERT:181:cms_add1_signing_cert -CMS_F_CMS_ADD1_SIGNING_CERT_V2:182:cms_add1_signing_cert_v2 -CMS_F_CMS_COMPRESS:104:CMS_compress -CMS_F_CMS_COMPRESSEDDATA_CREATE:105:cms_CompressedData_create -CMS_F_CMS_COMPRESSEDDATA_INIT_BIO:106:cms_CompressedData_init_bio -CMS_F_CMS_COPY_CONTENT:107:cms_copy_content -CMS_F_CMS_COPY_MESSAGEDIGEST:108:cms_copy_messageDigest -CMS_F_CMS_DATA:109:CMS_data -CMS_F_CMS_DATAFINAL:110:CMS_dataFinal -CMS_F_CMS_DATAINIT:111:CMS_dataInit -CMS_F_CMS_DECRYPT:112:CMS_decrypt -CMS_F_CMS_DECRYPT_SET1_KEY:113:CMS_decrypt_set1_key -CMS_F_CMS_DECRYPT_SET1_PASSWORD:166:CMS_decrypt_set1_password -CMS_F_CMS_DECRYPT_SET1_PKEY:114:CMS_decrypt_set1_pkey -CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER:185: -CMS_F_CMS_DIGESTALGORITHM_FIND_CTX:115:cms_DigestAlgorithm_find_ctx -CMS_F_CMS_DIGESTALGORITHM_INIT_BIO:116:cms_DigestAlgorithm_init_bio -CMS_F_CMS_DIGESTEDDATA_DO_FINAL:117:cms_DigestedData_do_final -CMS_F_CMS_DIGEST_VERIFY:118:CMS_digest_verify -CMS_F_CMS_ENCODE_RECEIPT:161:cms_encode_Receipt -CMS_F_CMS_ENCRYPT:119:CMS_encrypt -CMS_F_CMS_ENCRYPTEDCONTENT_INIT:179:cms_EncryptedContent_init -CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO:120:cms_EncryptedContent_init_bio -CMS_F_CMS_ENCRYPTEDDATA_DECRYPT:121:CMS_EncryptedData_decrypt -CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT:122:CMS_EncryptedData_encrypt -CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY:123:CMS_EncryptedData_set1_key -CMS_F_CMS_ENVELOPEDDATA_CREATE:124:CMS_EnvelopedData_create -CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO:186: -CMS_F_CMS_ENVELOPEDDATA_FINAL:187: -CMS_F_CMS_ENVELOPEDDATA_INIT_BIO:125:cms_EnvelopedData_init_bio -CMS_F_CMS_ENVELOPED_DATA_INIT:126:cms_enveloped_data_init -CMS_F_CMS_ENV_ASN1_CTRL:171:cms_env_asn1_ctrl -CMS_F_CMS_FINAL:127:CMS_final -CMS_F_CMS_GET0_CERTIFICATE_CHOICES:128:cms_get0_certificate_choices -CMS_F_CMS_GET0_CONTENT:129:CMS_get0_content -CMS_F_CMS_GET0_ECONTENT_TYPE:130:cms_get0_econtent_type -CMS_F_CMS_GET0_ENVELOPED:131:cms_get0_enveloped -CMS_F_CMS_GET0_REVOCATION_CHOICES:132:cms_get0_revocation_choices -CMS_F_CMS_GET0_SIGNED:133:cms_get0_signed -CMS_F_CMS_MSGSIGDIGEST_ADD1:162:cms_msgSigDigest_add1 -CMS_F_CMS_RECEIPTREQUEST_CREATE0:159:CMS_ReceiptRequest_create0 -CMS_F_CMS_RECEIPT_VERIFY:160:cms_Receipt_verify -CMS_F_CMS_RECIPIENTINFO_DECRYPT:134:CMS_RecipientInfo_decrypt -CMS_F_CMS_RECIPIENTINFO_ENCRYPT:169:CMS_RecipientInfo_encrypt -CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT:188: -CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT:178:cms_RecipientInfo_kari_encrypt -CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG:175:CMS_RecipientInfo_kari_get0_alg -CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID:173:\ - CMS_RecipientInfo_kari_get0_orig_id -CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS:172:CMS_RecipientInfo_kari_get0_reks -CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP:174:CMS_RecipientInfo_kari_orig_id_cmp -CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT:135:cms_RecipientInfo_kekri_decrypt -CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT:136:cms_RecipientInfo_kekri_encrypt -CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID:137:CMS_RecipientInfo_kekri_get0_id -CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP:138:CMS_RecipientInfo_kekri_id_cmp -CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP:139:CMS_RecipientInfo_ktri_cert_cmp -CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT:140:cms_RecipientInfo_ktri_decrypt -CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT:141:cms_RecipientInfo_ktri_encrypt -CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS:142:CMS_RecipientInfo_ktri_get0_algs -CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID:143:\ - CMS_RecipientInfo_ktri_get0_signer_id -CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT:167:cms_RecipientInfo_pwri_crypt -CMS_F_CMS_RECIPIENTINFO_SET0_KEY:144:CMS_RecipientInfo_set0_key -CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD:168:CMS_RecipientInfo_set0_password -CMS_F_CMS_RECIPIENTINFO_SET0_PKEY:145:CMS_RecipientInfo_set0_pkey -CMS_F_CMS_SD_ASN1_CTRL:170:cms_sd_asn1_ctrl -CMS_F_CMS_SET1_IAS:176:cms_set1_ias -CMS_F_CMS_SET1_KEYID:177:cms_set1_keyid -CMS_F_CMS_SET1_SIGNERIDENTIFIER:146:cms_set1_SignerIdentifier -CMS_F_CMS_SET_DETACHED:147:CMS_set_detached -CMS_F_CMS_SIGN:148:CMS_sign -CMS_F_CMS_SIGNED_DATA_INIT:149:cms_signed_data_init -CMS_F_CMS_SIGNERINFO_CONTENT_SIGN:150:cms_SignerInfo_content_sign -CMS_F_CMS_SIGNERINFO_GET_CHAIN:184:cms_signerinfo_get_chain -CMS_F_CMS_SIGNERINFO_SIGN:151:CMS_SignerInfo_sign -CMS_F_CMS_SIGNERINFO_VERIFY:152:CMS_SignerInfo_verify -CMS_F_CMS_SIGNERINFO_VERIFY_CERT:153:cms_signerinfo_verify_cert -CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT:154:CMS_SignerInfo_verify_content -CMS_F_CMS_SIGN_RECEIPT:163:CMS_sign_receipt -CMS_F_CMS_SI_CHECK_ATTRIBUTES:183:CMS_si_check_attributes -CMS_F_CMS_STREAM:155:CMS_stream -CMS_F_CMS_UNCOMPRESS:156:CMS_uncompress -CMS_F_CMS_VERIFY:157:CMS_verify -CMS_F_ESS_CHECK_SIGNING_CERTS:185:ess_check_signing_certs -CMS_F_KEK_UNWRAP_KEY:180:kek_unwrap_key -COMP_F_BIO_ZLIB_FLUSH:99:bio_zlib_flush -COMP_F_BIO_ZLIB_NEW:100:bio_zlib_new -COMP_F_BIO_ZLIB_READ:101:bio_zlib_read -COMP_F_BIO_ZLIB_WRITE:102:bio_zlib_write -COMP_F_COMP_CTX_NEW:103:COMP_CTX_new -CONF_F_CONF_DUMP_FP:104:CONF_dump_fp -CONF_F_CONF_LOAD:100:CONF_load -CONF_F_CONF_LOAD_FP:103:CONF_load_fp -CONF_F_CONF_PARSE_LIST:119:CONF_parse_list -CONF_F_DEF_LOAD:120:def_load -CONF_F_DEF_LOAD_BIO:121:def_load_bio -CONF_F_GET_NEXT_FILE:107:get_next_file -CONF_F_MODULE_ADD:122:module_add -CONF_F_MODULE_INIT:115:module_init -CONF_F_MODULE_LOAD_DSO:117:module_load_dso -CONF_F_MODULE_RUN:118:module_run -CONF_F_NCONF_DUMP_BIO:105:NCONF_dump_bio -CONF_F_NCONF_DUMP_FP:106:NCONF_dump_fp -CONF_F_NCONF_GET_NUMBER_E:112:NCONF_get_number_e -CONF_F_NCONF_GET_SECTION:108:NCONF_get_section -CONF_F_NCONF_GET_STRING:109:NCONF_get_string -CONF_F_NCONF_LOAD:113:NCONF_load -CONF_F_NCONF_LOAD_BIO:110:NCONF_load_bio -CONF_F_NCONF_LOAD_FP:114:NCONF_load_fp -CONF_F_NCONF_NEW:111:NCONF_new -CONF_F_PROCESS_INCLUDE:116:process_include -CONF_F_SSL_MODULE_INIT:123:ssl_module_init -CONF_F_STR_COPY:101:str_copy -CRMF_F_CRMF_POPOSIGNINGKEY_INIT:100:CRMF_poposigningkey_init -CRMF_F_OSSL_CRMF_CERTID_GEN:101:OSSL_CRMF_CERTID_gen -CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL:102:OSSL_CRMF_CERTTEMPLATE_fill -CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT:103:\ - OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert -CRMF_F_OSSL_CRMF_MSGS_VERIFY_POPO:104:OSSL_CRMF_MSGS_verify_popo -CRMF_F_OSSL_CRMF_MSG_CREATE_POPO:105:OSSL_CRMF_MSG_create_popo -CRMF_F_OSSL_CRMF_MSG_GET0_TMPL:106:OSSL_CRMF_MSG_get0_tmpl -CRMF_F_OSSL_CRMF_MSG_GET_CERTREQID:107:OSSL_CRMF_MSG_get_certReqId -CRMF_F_OSSL_CRMF_MSG_PKIPUBLICATIONINFO_PUSH0_SINGLEPUBINFO:108:\ - OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo -CRMF_F_OSSL_CRMF_MSG_PUSH0_EXTENSION:109:OSSL_CRMF_MSG_push0_extension -CRMF_F_OSSL_CRMF_MSG_PUSH0_REGCTRL:110:OSSL_CRMF_MSG_push0_regCtrl -CRMF_F_OSSL_CRMF_MSG_PUSH0_REGINFO:111:OSSL_CRMF_MSG_push0_regInfo -CRMF_F_OSSL_CRMF_MSG_SET0_EXTENSIONS:112:OSSL_CRMF_MSG_set0_extensions -CRMF_F_OSSL_CRMF_MSG_SET0_SINGLEPUBINFO:113:OSSL_CRMF_MSG_set0_SinglePubInfo -CRMF_F_OSSL_CRMF_MSG_SET0_VALIDITY:116:OSSL_CRMF_MSG_set0_validity -CRMF_F_OSSL_CRMF_MSG_SET_CERTREQID:114:OSSL_CRMF_MSG_set_certReqId -CRMF_F_OSSL_CRMF_MSG_SET_PKIPUBLICATIONINFO_ACTION:115:\ - OSSL_CRMF_MSG_set_PKIPublicationInfo_action -CRMF_F_OSSL_CRMF_PBMP_NEW:117:OSSL_CRMF_pbmp_new -CRMF_F_OSSL_CRMF_PBM_NEW:118:OSSL_CRMF_pbm_new -CRYPTO_F_CMAC_CTX_NEW:120:CMAC_CTX_new -CRYPTO_F_CRYPTO_DUP_EX_DATA:110:CRYPTO_dup_ex_data -CRYPTO_F_CRYPTO_FREE_EX_DATA:111:CRYPTO_free_ex_data -CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX:100:CRYPTO_get_ex_new_index -CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX_EX:141:crypto_get_ex_new_index_ex -CRYPTO_F_CRYPTO_MEMDUP:115:CRYPTO_memdup -CRYPTO_F_CRYPTO_NEW_EX_DATA:112:CRYPTO_new_ex_data -CRYPTO_F_CRYPTO_NEW_EX_DATA_EX:142:crypto_new_ex_data_ex -CRYPTO_F_CRYPTO_OCB128_COPY_CTX:121:CRYPTO_ocb128_copy_ctx -CRYPTO_F_CRYPTO_OCB128_INIT:122:CRYPTO_ocb128_init -CRYPTO_F_CRYPTO_SET_EX_DATA:102:CRYPTO_set_ex_data -CRYPTO_F_FIPS_MODE_SET:109:FIPS_mode_set -CRYPTO_F_GET_AND_LOCK:113:get_and_lock -CRYPTO_F_GET_PROVIDER_STORE:133:get_provider_store -CRYPTO_F_OPENSSL_ATEXIT:114:OPENSSL_atexit -CRYPTO_F_OPENSSL_BUF2HEXSTR:117:OPENSSL_buf2hexstr -CRYPTO_F_OPENSSL_BUF2HEXSTR_EX:153: -CRYPTO_F_OPENSSL_FOPEN:119:openssl_fopen -CRYPTO_F_OPENSSL_HEXSTR2BUF:118:OPENSSL_hexstr2buf -CRYPTO_F_OPENSSL_HEXSTR2BUF_EX:154: -CRYPTO_F_OPENSSL_INIT_CRYPTO:116:OPENSSL_init_crypto -CRYPTO_F_OPENSSL_LH_NEW:126:OPENSSL_LH_new -CRYPTO_F_OPENSSL_SK_DEEP_COPY:127:OPENSSL_sk_deep_copy -CRYPTO_F_OPENSSL_SK_DUP:128:OPENSSL_sk_dup -CRYPTO_F_OSSL_PARAM_BLD_PUSH_BN:143: -CRYPTO_F_OSSL_PARAM_BLD_PUSH_OCTET_PTR:144: -CRYPTO_F_OSSL_PARAM_BLD_PUSH_OCTET_STRING:145: -CRYPTO_F_OSSL_PARAM_BLD_PUSH_UTF8_PTR:146: -CRYPTO_F_OSSL_PARAM_BLD_PUSH_UTF8_STRING:147: -CRYPTO_F_OSSL_PARAM_BLD_TO_PARAM:148: -CRYPTO_F_OSSL_PARAM_BLD_TO_PARAM_EX:149: -CRYPTO_F_OSSL_PARAM_TYPE_TO_PARAM:150: -CRYPTO_F_OSSL_PROVIDER_ACTIVATE:130:ossl_provider_activate -CRYPTO_F_OSSL_PROVIDER_ADD_BUILTIN:132:OSSL_PROVIDER_add_builtin -CRYPTO_F_OSSL_PROVIDER_ADD_PARAMETER:139:ossl_provider_add_parameter -CRYPTO_F_OSSL_PROVIDER_NEW:131:ossl_provider_new -CRYPTO_F_OSSL_PROVIDER_SET_MODULE_PATH:140:ossl_provider_set_module_path -CRYPTO_F_PARAM_PUSH:151: -CRYPTO_F_PARAM_PUSH_NUM:152: -CRYPTO_F_PKEY_HMAC_INIT:123:pkey_hmac_init -CRYPTO_F_PKEY_POLY1305_INIT:124:pkey_poly1305_init -CRYPTO_F_PKEY_SIPHASH_INIT:125:pkey_siphash_init -CRYPTO_F_PROVIDER_ACTIVATE:134:provider_activate -CRYPTO_F_PROVIDER_CONF_INIT:137:provider_conf_init -CRYPTO_F_PROVIDER_CONF_LOAD:138:provider_conf_load -CRYPTO_F_PROVIDER_NEW:135:provider_new -CRYPTO_F_PROVIDER_STORE_NEW:136:provider_store_new -CRYPTO_F_SK_RESERVE:129:sk_reserve -CT_F_CTLOG_NEW:117:CTLOG_new -CT_F_CTLOG_NEW_FROM_BASE64:118:CTLOG_new_from_base64 -CT_F_CTLOG_NEW_FROM_CONF:119:ctlog_new_from_conf -CT_F_CTLOG_STORE_LOAD_CTX_NEW:122:ctlog_store_load_ctx_new -CT_F_CTLOG_STORE_LOAD_FILE:123:CTLOG_STORE_load_file -CT_F_CTLOG_STORE_LOAD_LOG:130:ctlog_store_load_log -CT_F_CTLOG_STORE_NEW:131:CTLOG_STORE_new -CT_F_CT_BASE64_DECODE:124:ct_base64_decode -CT_F_CT_POLICY_EVAL_CTX_NEW:133:CT_POLICY_EVAL_CTX_new -CT_F_CT_V1_LOG_ID_FROM_PKEY:125:ct_v1_log_id_from_pkey -CT_F_I2O_SCT:107:i2o_SCT -CT_F_I2O_SCT_LIST:108:i2o_SCT_LIST -CT_F_I2O_SCT_SIGNATURE:109:i2o_SCT_signature -CT_F_O2I_SCT:110:o2i_SCT -CT_F_O2I_SCT_LIST:111:o2i_SCT_LIST -CT_F_O2I_SCT_SIGNATURE:112:o2i_SCT_signature -CT_F_SCT_CTX_NEW:126:SCT_CTX_new -CT_F_SCT_CTX_VERIFY:128:SCT_CTX_verify -CT_F_SCT_NEW:100:SCT_new -CT_F_SCT_NEW_FROM_BASE64:127:SCT_new_from_base64 -CT_F_SCT_SET0_LOG_ID:101:SCT_set0_log_id -CT_F_SCT_SET1_EXTENSIONS:114:SCT_set1_extensions -CT_F_SCT_SET1_LOG_ID:115:SCT_set1_log_id -CT_F_SCT_SET1_SIGNATURE:116:SCT_set1_signature -CT_F_SCT_SET_LOG_ENTRY_TYPE:102:SCT_set_log_entry_type -CT_F_SCT_SET_SIGNATURE_NID:103:SCT_set_signature_nid -CT_F_SCT_SET_VERSION:104:SCT_set_version -DH_F_COMPUTE_KEY:102:compute_key -DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp -DH_F_DH_BUF2KEY:126:dh_buf2key -DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams -DH_F_DH_CHECK_EX:121:DH_check_ex -DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex -DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex -DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt -DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey -DH_F_DH_CMS_SET_SHARED_INFO:116:dh_cms_set_shared_info -DH_F_DH_KEY2BUF:127:dh_key2buf -DH_F_DH_METH_DUP:117:DH_meth_dup -DH_F_DH_METH_NEW:118:DH_meth_new -DH_F_DH_METH_SET1_NAME:119:DH_meth_set1_name -DH_F_DH_NEW_BY_NID:104:DH_new_by_nid -DH_F_DH_NEW_METHOD:105:DH_new_method -DH_F_DH_PARAM_DECODE:107:dh_param_decode -DH_F_DH_PKEY_PUBLIC_CHECK:124:dh_pkey_public_check -DH_F_DH_PRIV_DECODE:110:dh_priv_decode -DH_F_DH_PRIV_ENCODE:111:dh_priv_encode -DH_F_DH_PUB_DECODE:108:dh_pub_decode -DH_F_DH_PUB_ENCODE:109:dh_pub_encode -DH_F_DO_DH_PRINT:100:do_dh_print -DH_F_GENERATE_KEY:103:generate_key -DH_F_PKEY_DH_CTRL_STR:120:pkey_dh_ctrl_str -DH_F_PKEY_DH_DERIVE:112:pkey_dh_derive -DH_F_PKEY_DH_INIT:125:pkey_dh_init -DH_F_PKEY_DH_KEYGEN:113:pkey_dh_keygen -DSA_F_DSAPARAMS_PRINT:100:DSAparams_print -DSA_F_DSAPARAMS_PRINT_FP:101:DSAparams_print_fp -DSA_F_DSA_BUILTIN_PARAMGEN:125:dsa_builtin_paramgen -DSA_F_DSA_BUILTIN_PARAMGEN2:126:dsa_builtin_paramgen2 -DSA_F_DSA_DO_SIGN:112:DSA_do_sign -DSA_F_DSA_DO_VERIFY:113:DSA_do_verify -DSA_F_DSA_METH_DUP:127:DSA_meth_dup -DSA_F_DSA_METH_NEW:128:DSA_meth_new -DSA_F_DSA_METH_SET1_NAME:129:DSA_meth_set1_name -DSA_F_DSA_NEW_METHOD:103:DSA_new_method -DSA_F_DSA_PARAM_DECODE:119:dsa_param_decode -DSA_F_DSA_PRINT_FP:105:DSA_print_fp -DSA_F_DSA_PRIV_DECODE:115:dsa_priv_decode -DSA_F_DSA_PRIV_ENCODE:116:dsa_priv_encode -DSA_F_DSA_PUB_DECODE:117:dsa_pub_decode -DSA_F_DSA_PUB_ENCODE:118:dsa_pub_encode -DSA_F_DSA_SIGN:106:DSA_sign -DSA_F_DSA_SIGN_SETUP:107:DSA_sign_setup -DSA_F_DSA_SIG_NEW:102:DSA_SIG_new -DSA_F_OLD_DSA_PRIV_DECODE:122:old_dsa_priv_decode -DSA_F_PKEY_DSA_CTRL:120:pkey_dsa_ctrl -DSA_F_PKEY_DSA_CTRL_STR:104:pkey_dsa_ctrl_str -DSA_F_PKEY_DSA_KEYGEN:121:pkey_dsa_keygen -DSO_F_DLFCN_BIND_FUNC:100:dlfcn_bind_func -DSO_F_DLFCN_LOAD:102:dlfcn_load -DSO_F_DLFCN_MERGER:130:dlfcn_merger -DSO_F_DLFCN_NAME_CONVERTER:123:dlfcn_name_converter -DSO_F_DLFCN_UNLOAD:103:dlfcn_unload -DSO_F_DL_BIND_FUNC:104:dl_bind_func -DSO_F_DL_LOAD:106:dl_load -DSO_F_DL_MERGER:131:dl_merger -DSO_F_DL_NAME_CONVERTER:124:dl_name_converter -DSO_F_DL_UNLOAD:107:dl_unload -DSO_F_DSO_BIND_FUNC:108:DSO_bind_func -DSO_F_DSO_CONVERT_FILENAME:126:DSO_convert_filename -DSO_F_DSO_CTRL:110:DSO_ctrl -DSO_F_DSO_FREE:111:DSO_free -DSO_F_DSO_GET_FILENAME:127:DSO_get_filename -DSO_F_DSO_GLOBAL_LOOKUP:139:DSO_global_lookup -DSO_F_DSO_LOAD:112:DSO_load -DSO_F_DSO_MERGE:132:DSO_merge -DSO_F_DSO_NEW_METHOD:113:DSO_new_method -DSO_F_DSO_PATHBYADDR:105:DSO_pathbyaddr -DSO_F_DSO_SET_FILENAME:129:DSO_set_filename -DSO_F_DSO_UP_REF:114:DSO_up_ref -DSO_F_VMS_BIND_SYM:115:vms_bind_sym -DSO_F_VMS_LOAD:116:vms_load -DSO_F_VMS_MERGER:133:vms_merger -DSO_F_VMS_UNLOAD:117:vms_unload -DSO_F_WIN32_BIND_FUNC:101:win32_bind_func -DSO_F_WIN32_GLOBALLOOKUP:142:win32_globallookup -DSO_F_WIN32_JOINER:135:win32_joiner -DSO_F_WIN32_LOAD:120:win32_load -DSO_F_WIN32_MERGER:134:win32_merger -DSO_F_WIN32_NAME_CONVERTER:125:win32_name_converter -DSO_F_WIN32_PATHBYADDR:109:* -DSO_F_WIN32_SPLITTER:136:win32_splitter -DSO_F_WIN32_UNLOAD:121:win32_unload -EC_F_BN_TO_FELEM:224:BN_to_felem -EC_F_D2I_ECPARAMETERS:144:d2i_ECParameters -EC_F_D2I_ECPKPARAMETERS:145:d2i_ECPKParameters -EC_F_D2I_ECPRIVATEKEY:146:d2i_ECPrivateKey -EC_F_DO_EC_KEY_PRINT:221:do_EC_KEY_print -EC_F_ECDH_CMS_DECRYPT:238:ecdh_cms_decrypt -EC_F_ECDH_CMS_SET_SHARED_INFO:239:ecdh_cms_set_shared_info -EC_F_ECDH_COMPUTE_KEY:246:ECDH_compute_key -EC_F_ECDH_SIMPLE_COMPUTE_KEY:257:ecdh_simple_compute_key -EC_F_ECDSA_DO_SIGN_EX:251:ECDSA_do_sign_ex -EC_F_ECDSA_DO_VERIFY:252:ECDSA_do_verify -EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig -EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig -EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex -EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup -EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new -EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup -EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig -EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig -EC_F_ECDSA_VERIFY:253:ECDSA_verify -EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify -EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type -EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode -EC_F_ECKEY_PRIV_DECODE:213:eckey_priv_decode -EC_F_ECKEY_PRIV_ENCODE:214:eckey_priv_encode -EC_F_ECKEY_PUB_DECODE:215:eckey_pub_decode -EC_F_ECKEY_PUB_ENCODE:216:eckey_pub_encode -EC_F_ECKEY_TYPE2PARAM:220:eckey_type2param -EC_F_ECPARAMETERS_PRINT:147:ECParameters_print -EC_F_ECPARAMETERS_PRINT_FP:148:ECParameters_print_fp -EC_F_ECPKPARAMETERS_PRINT:149:ECPKParameters_print -EC_F_ECPKPARAMETERS_PRINT_FP:150:ECPKParameters_print_fp -EC_F_ECP_NISTZ256_GET_AFFINE:240:ecp_nistz256_get_affine -EC_F_ECP_NISTZ256_INV_MOD_ORD:275:ecp_nistz256_inv_mod_ord -EC_F_ECP_NISTZ256_MULT_PRECOMPUTE:243:ecp_nistz256_mult_precompute -EC_F_ECP_NISTZ256_POINTS_MUL:241:ecp_nistz256_points_mul -EC_F_ECP_NISTZ256_PRE_COMP_NEW:244:ecp_nistz256_pre_comp_new -EC_F_ECP_NISTZ256_WINDOWED_MUL:242:ecp_nistz256_windowed_mul -EC_F_ECX_KEY_OP:266:ecx_key_op -EC_F_ECX_PRIV_ENCODE:267:ecx_priv_encode -EC_F_ECX_PUB_ENCODE:268:ecx_pub_encode -EC_F_EC_ASN1_GROUP2CURVE:153:ec_asn1_group2curve -EC_F_EC_ASN1_GROUP2FIELDID:154:ec_asn1_group2fieldid -EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY:208:ec_GF2m_montgomery_point_multiply -EC_F_EC_GF2M_SIMPLE_FIELD_INV:296:ec_GF2m_simple_field_inv -EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT:159:\ - ec_GF2m_simple_group_check_discriminant -EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE:195:ec_GF2m_simple_group_set_curve -EC_F_EC_GF2M_SIMPLE_LADDER_POST:285:ec_GF2m_simple_ladder_post -EC_F_EC_GF2M_SIMPLE_LADDER_PRE:288:ec_GF2m_simple_ladder_pre -EC_F_EC_GF2M_SIMPLE_OCT2POINT:160:ec_GF2m_simple_oct2point -EC_F_EC_GF2M_SIMPLE_POINT2OCT:161:ec_GF2m_simple_point2oct -EC_F_EC_GF2M_SIMPLE_POINTS_MUL:289:ec_GF2m_simple_points_mul -EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES:162:\ - ec_GF2m_simple_point_get_affine_coordinates -EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES:163:\ - ec_GF2m_simple_point_set_affine_coordinates -EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES:164:\ - ec_GF2m_simple_set_compressed_coordinates -EC_F_EC_GFP_MONT_FIELD_DECODE:133:ec_GFp_mont_field_decode -EC_F_EC_GFP_MONT_FIELD_ENCODE:134:ec_GFp_mont_field_encode -EC_F_EC_GFP_MONT_FIELD_INV:297:ec_GFp_mont_field_inv -EC_F_EC_GFP_MONT_FIELD_MUL:131:ec_GFp_mont_field_mul -EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE:209:ec_GFp_mont_field_set_to_one -EC_F_EC_GFP_MONT_FIELD_SQR:132:ec_GFp_mont_field_sqr -EC_F_EC_GFP_MONT_GROUP_SET_CURVE:189:ec_GFp_mont_group_set_curve -EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE:225:ec_GFp_nistp224_group_set_curve -EC_F_EC_GFP_NISTP224_POINTS_MUL:228:ec_GFp_nistp224_points_mul -EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES:226:\ - ec_GFp_nistp224_point_get_affine_coordinates -EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE:230:ec_GFp_nistp256_group_set_curve -EC_F_EC_GFP_NISTP256_POINTS_MUL:231:ec_GFp_nistp256_points_mul -EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES:232:\ - ec_GFp_nistp256_point_get_affine_coordinates -EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE:233:ec_GFp_nistp521_group_set_curve -EC_F_EC_GFP_NISTP521_POINTS_MUL:234:ec_GFp_nistp521_points_mul -EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES:235:\ - ec_GFp_nistp521_point_get_affine_coordinates -EC_F_EC_GFP_NIST_FIELD_MUL:200:ec_GFp_nist_field_mul -EC_F_EC_GFP_NIST_FIELD_SQR:201:ec_GFp_nist_field_sqr -EC_F_EC_GFP_NIST_GROUP_SET_CURVE:202:ec_GFp_nist_group_set_curve -EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES:287:ec_GFp_simple_blind_coordinates -EC_F_EC_GFP_SIMPLE_FIELD_INV:298:ec_GFp_simple_field_inv -EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT:165:\ - ec_GFp_simple_group_check_discriminant -EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE:166:ec_GFp_simple_group_set_curve -EC_F_EC_GFP_SIMPLE_MAKE_AFFINE:102:ec_GFp_simple_make_affine -EC_F_EC_GFP_SIMPLE_OCT2POINT:103:ec_GFp_simple_oct2point -EC_F_EC_GFP_SIMPLE_POINT2OCT:104:ec_GFp_simple_point2oct -EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE:137:ec_GFp_simple_points_make_affine -EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES:167:\ - ec_GFp_simple_point_get_affine_coordinates -EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES:168:\ - ec_GFp_simple_point_set_affine_coordinates -EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES:169:\ - ec_GFp_simple_set_compressed_coordinates -EC_F_EC_GROUP_CHECK:170:EC_GROUP_check -EC_F_EC_GROUP_CHECK_DISCRIMINANT:171:EC_GROUP_check_discriminant -EC_F_EC_GROUP_CHECK_NAMED_CURVE:299:EC_GROUP_check_named_curve -EC_F_EC_GROUP_COPY:106:EC_GROUP_copy -EC_F_EC_GROUP_GET_CURVE:291:EC_GROUP_get_curve -EC_F_EC_GROUP_GET_CURVE_GF2M:172:EC_GROUP_get_curve_GF2m -EC_F_EC_GROUP_GET_CURVE_GFP:130:EC_GROUP_get_curve_GFp -EC_F_EC_GROUP_GET_DEGREE:173:EC_GROUP_get_degree -EC_F_EC_GROUP_GET_ECPARAMETERS:261:EC_GROUP_get_ecparameters -EC_F_EC_GROUP_GET_ECPKPARAMETERS:262:EC_GROUP_get_ecpkparameters -EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS:193:EC_GROUP_get_pentanomial_basis -EC_F_EC_GROUP_GET_TRINOMIAL_BASIS:194:EC_GROUP_get_trinomial_basis -EC_F_EC_GROUP_NEW:108:EC_GROUP_new -EC_F_EC_GROUP_NEW_BY_CURVE_NAME:174:EC_GROUP_new_by_curve_name -EC_F_EC_GROUP_NEW_EX:302:EC_GROUP_new_ex -EC_F_EC_GROUP_NEW_FROM_DATA:175:ec_group_new_from_data -EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS:263:EC_GROUP_new_from_ecparameters -EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS:264:EC_GROUP_new_from_ecpkparameters -EC_F_EC_GROUP_SET_CURVE:292:EC_GROUP_set_curve -EC_F_EC_GROUP_SET_CURVE_GF2M:176:EC_GROUP_set_curve_GF2m -EC_F_EC_GROUP_SET_CURVE_GFP:109:EC_GROUP_set_curve_GFp -EC_F_EC_GROUP_SET_GENERATOR:111:EC_GROUP_set_generator -EC_F_EC_GROUP_SET_SEED:286:EC_GROUP_set_seed -EC_F_EC_KEY_CHECK_KEY:177:EC_KEY_check_key -EC_F_EC_KEY_COPY:178:EC_KEY_copy -EC_F_EC_KEY_GENERATE_KEY:179:EC_KEY_generate_key -EC_F_EC_KEY_NEW:182:EC_KEY_new -EC_F_EC_KEY_NEW_METHOD:245:EC_KEY_new_method -EC_F_EC_KEY_NEW_METHOD_INT:300:ec_key_new_method_int -EC_F_EC_KEY_OCT2PRIV:255:EC_KEY_oct2priv -EC_F_EC_KEY_PRINT:180:EC_KEY_print -EC_F_EC_KEY_PRINT_FP:181:EC_KEY_print_fp -EC_F_EC_KEY_PRIV2BUF:279:EC_KEY_priv2buf -EC_F_EC_KEY_PRIV2OCT:256:EC_KEY_priv2oct -EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES:229:\ - EC_KEY_set_public_key_affine_coordinates -EC_F_EC_KEY_SIMPLE_CHECK_KEY:258:ec_key_simple_check_key -EC_F_EC_KEY_SIMPLE_OCT2PRIV:259:ec_key_simple_oct2priv -EC_F_EC_KEY_SIMPLE_PRIV2OCT:260:ec_key_simple_priv2oct -EC_F_EC_PKEY_CHECK:273:ec_pkey_check -EC_F_EC_PKEY_PARAM_CHECK:274:ec_pkey_param_check -EC_F_EC_POINTS_MAKE_AFFINE:136:EC_POINTs_make_affine -EC_F_EC_POINTS_MUL:290:EC_POINTs_mul -EC_F_EC_POINT_ADD:112:EC_POINT_add -EC_F_EC_POINT_BN2POINT:280:EC_POINT_bn2point -EC_F_EC_POINT_CMP:113:EC_POINT_cmp -EC_F_EC_POINT_COPY:114:EC_POINT_copy -EC_F_EC_POINT_DBL:115:EC_POINT_dbl -EC_F_EC_POINT_GET_AFFINE_COORDINATES:293:EC_POINT_get_affine_coordinates -EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M:183:\ - EC_POINT_get_affine_coordinates_GF2m -EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP:116:EC_POINT_get_affine_coordinates_GFp -EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP:117:\ - EC_POINT_get_Jprojective_coordinates_GFp -EC_F_EC_POINT_INVERT:210:EC_POINT_invert -EC_F_EC_POINT_IS_AT_INFINITY:118:EC_POINT_is_at_infinity -EC_F_EC_POINT_IS_ON_CURVE:119:EC_POINT_is_on_curve -EC_F_EC_POINT_MAKE_AFFINE:120:EC_POINT_make_affine -EC_F_EC_POINT_MUL:309: -EC_F_EC_POINT_NEW:121:EC_POINT_new -EC_F_EC_POINT_OCT2POINT:122:EC_POINT_oct2point -EC_F_EC_POINT_POINT2BUF:281:EC_POINT_point2buf -EC_F_EC_POINT_POINT2OCT:123:EC_POINT_point2oct -EC_F_EC_POINT_SET_AFFINE_COORDINATES:294:EC_POINT_set_affine_coordinates -EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M:185:\ - EC_POINT_set_affine_coordinates_GF2m -EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP:124:EC_POINT_set_affine_coordinates_GFp -EC_F_EC_POINT_SET_COMPRESSED_COORDINATES:295:EC_POINT_set_compressed_coordinates -EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M:186:\ - EC_POINT_set_compressed_coordinates_GF2m -EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP:125:\ - EC_POINT_set_compressed_coordinates_GFp -EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP:126:\ - EC_POINT_set_Jprojective_coordinates_GFp -EC_F_EC_POINT_SET_TO_INFINITY:127:EC_POINT_set_to_infinity -EC_F_EC_PRE_COMP_NEW:196:ec_pre_comp_new -EC_F_EC_SCALAR_MUL_LADDER:284:ec_scalar_mul_ladder -EC_F_EC_WNAF_MUL:187:ec_wNAF_mul -EC_F_EC_WNAF_PRECOMPUTE_MULT:188:ec_wNAF_precompute_mult -EC_F_I2D_ECPARAMETERS:190:i2d_ECParameters -EC_F_I2D_ECPKPARAMETERS:191:i2d_ECPKParameters -EC_F_I2D_ECPRIVATEKEY:192:i2d_ECPrivateKey -EC_F_I2O_ECPUBLICKEY:151:i2o_ECPublicKey -EC_F_NISTP224_PRE_COMP_NEW:227:nistp224_pre_comp_new -EC_F_NISTP256_PRE_COMP_NEW:236:nistp256_pre_comp_new -EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_pre_comp_new -EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey -EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode -EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key -EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup -EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig -EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig -EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl -EC_F_PKEY_ECD_DIGESTSIGN:272:pkey_ecd_digestsign -EC_F_PKEY_ECD_DIGESTSIGN25519:276:pkey_ecd_digestsign25519 -EC_F_PKEY_ECD_DIGESTSIGN448:277:pkey_ecd_digestsign448 -EC_F_PKEY_ECX_DERIVE:269:pkey_ecx_derive -EC_F_PKEY_EC_CTRL:197:pkey_ec_ctrl -EC_F_PKEY_EC_CTRL_STR:198:pkey_ec_ctrl_str -EC_F_PKEY_EC_DERIVE:217:pkey_ec_derive -EC_F_PKEY_EC_INIT:282:pkey_ec_init -EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_derive -EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen -EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen -EC_F_PKEY_EC_SIGN:218:pkey_ec_sign -EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519 -EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448 -EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519 -EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448 -EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519 -EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448 -EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive -ENGINE_F_DIGEST_UPDATE:198:digest_update -ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl -ENGINE_F_DYNAMIC_GET_DATA_CTX:181:dynamic_get_data_ctx -ENGINE_F_DYNAMIC_LOAD:182:dynamic_load -ENGINE_F_DYNAMIC_SET_DATA_CTX:183:dynamic_set_data_ctx -ENGINE_F_ENGINE_ADD:105:ENGINE_add -ENGINE_F_ENGINE_BY_ID:106:ENGINE_by_id -ENGINE_F_ENGINE_CMD_IS_EXECUTABLE:170:ENGINE_cmd_is_executable -ENGINE_F_ENGINE_CTRL:142:ENGINE_ctrl -ENGINE_F_ENGINE_CTRL_CMD:178:ENGINE_ctrl_cmd -ENGINE_F_ENGINE_CTRL_CMD_STRING:171:ENGINE_ctrl_cmd_string -ENGINE_F_ENGINE_FINISH:107:ENGINE_finish -ENGINE_F_ENGINE_GET_CIPHER:185:ENGINE_get_cipher -ENGINE_F_ENGINE_GET_DIGEST:186:ENGINE_get_digest -ENGINE_F_ENGINE_GET_FIRST:195:ENGINE_get_first -ENGINE_F_ENGINE_GET_LAST:196:ENGINE_get_last -ENGINE_F_ENGINE_GET_NEXT:115:ENGINE_get_next -ENGINE_F_ENGINE_GET_PKEY_ASN1_METH:193:ENGINE_get_pkey_asn1_meth -ENGINE_F_ENGINE_GET_PKEY_METH:192:ENGINE_get_pkey_meth -ENGINE_F_ENGINE_GET_PREV:116:ENGINE_get_prev -ENGINE_F_ENGINE_INIT:119:ENGINE_init -ENGINE_F_ENGINE_LIST_ADD:120:engine_list_add -ENGINE_F_ENGINE_LIST_REMOVE:121:engine_list_remove -ENGINE_F_ENGINE_LOAD_PRIVATE_KEY:150:ENGINE_load_private_key -ENGINE_F_ENGINE_LOAD_PUBLIC_KEY:151:ENGINE_load_public_key -ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT:194:ENGINE_load_ssl_client_cert -ENGINE_F_ENGINE_NEW:122:ENGINE_new -ENGINE_F_ENGINE_PKEY_ASN1_FIND_STR:197:ENGINE_pkey_asn1_find_str -ENGINE_F_ENGINE_REMOVE:123:ENGINE_remove -ENGINE_F_ENGINE_SET_DEFAULT_STRING:189:ENGINE_set_default_string -ENGINE_F_ENGINE_SET_ID:129:ENGINE_set_id -ENGINE_F_ENGINE_SET_NAME:130:ENGINE_set_name -ENGINE_F_ENGINE_TABLE_REGISTER:184:engine_table_register -ENGINE_F_ENGINE_UNLOCKED_FINISH:191:engine_unlocked_finish -ENGINE_F_ENGINE_UP_REF:190:ENGINE_up_ref -ENGINE_F_INT_CLEANUP_ITEM:199:int_cleanup_item -ENGINE_F_INT_CTRL_HELPER:172:int_ctrl_helper -ENGINE_F_INT_ENGINE_CONFIGURE:188:int_engine_configure -ENGINE_F_INT_ENGINE_MODULE_INIT:187:int_engine_module_init -ENGINE_F_OSSL_HMAC_INIT:200:ossl_hmac_init -ESS_F_ESS_CERT_ID_NEW_INIT:100:ESS_CERT_ID_new_init -ESS_F_ESS_CERT_ID_V2_NEW_INIT:101:ESS_CERT_ID_V2_new_init -ESS_F_ESS_SIGNING_CERT_ADD:104:ESS_SIGNING_CERT_add -ESS_F_ESS_SIGNING_CERT_NEW_INIT:102:ESS_SIGNING_CERT_new_init -ESS_F_ESS_SIGNING_CERT_V2_ADD:105:ESS_SIGNING_CERT_V2_add -ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT:103:ESS_SIGNING_CERT_V2_new_init -EVP_F_AESNI_INIT_KEY:165:aesni_init_key -EVP_F_AESNI_XTS_INIT_KEY:233:aesni_xts_init_key -EVP_F_AES_GCM_CTRL:196:aes_gcm_ctrl -EVP_F_AES_GCM_TLS_CIPHER:207:aes_gcm_tls_cipher -EVP_F_AES_INIT_KEY:133:aes_init_key -EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher -EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key -EVP_F_AES_T4_XTS_INIT_KEY:234:aes_t4_xts_init_key -EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher -EVP_F_AES_XTS_CIPHER:229:aes_xts_cipher -EVP_F_AES_XTS_INIT_KEY:235:aes_xts_init_key -EVP_F_ALG_MODULE_INIT:177:alg_module_init -EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key -EVP_F_ARIA_GCM_CTRL:197:aria_gcm_ctrl -EVP_F_ARIA_GCM_INIT_KEY:176:aria_gcm_init_key -EVP_F_ARIA_INIT_KEY:185:aria_init_key -EVP_F_B64_NEW:198:b64_new -EVP_F_CAMELLIA_INIT_KEY:159:camellia_init_key -EVP_F_CHACHA20_POLY1305_CTRL:182:chacha20_poly1305_ctrl -EVP_F_CMLL_T4_INIT_KEY:179:cmll_t4_init_key -EVP_F_DES_EDE3_WRAP_CIPHER:171:des_ede3_wrap_cipher -EVP_F_DO_SIGVER_INIT:161:do_sigver_init -EVP_F_ENC_NEW:199:enc_new -EVP_F_EVP_CIPHERINIT_EX:123:EVP_CipherInit_ex -EVP_F_EVP_CIPHER_ASN1_TO_PARAM:204:EVP_CIPHER_asn1_to_param -EVP_F_EVP_CIPHER_CTX_COPY:163:EVP_CIPHER_CTX_copy -EVP_F_EVP_CIPHER_CTX_CTRL:124:EVP_CIPHER_CTX_ctrl -EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH:122:EVP_CIPHER_CTX_set_key_length -EVP_F_EVP_CIPHER_CTX_SET_PADDING:237:EVP_CIPHER_CTX_set_padding -EVP_F_EVP_CIPHER_FROM_DISPATCH:238:evp_cipher_from_dispatch -EVP_F_EVP_CIPHER_MODE:239:EVP_CIPHER_mode -EVP_F_EVP_CIPHER_PARAM_TO_ASN1:205:EVP_CIPHER_param_to_asn1 -EVP_F_EVP_DECRYPTFINAL_EX:101:EVP_DecryptFinal_ex -EVP_F_EVP_DECRYPTUPDATE:166:EVP_DecryptUpdate -EVP_F_EVP_DIGESTFINALXOF:174:EVP_DigestFinalXOF -EVP_F_EVP_DIGESTFINAL_EX:230:EVP_DigestFinal_ex -EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestInit_ex -EVP_F_EVP_DIGESTUPDATE:231:EVP_DigestUpdate -EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate -EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex -EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate -EVP_F_EVP_KDF_CTX_DUP:220: -EVP_F_EVP_KDF_CTX_NEW:221: -EVP_F_EVP_KEYEXCH_FETCH:245:EVP_KEYEXCH_fetch -EVP_F_EVP_KEYEXCH_FROM_DISPATCH:244:evp_keyexch_from_dispatch -EVP_F_EVP_MAC_CTRL:209:EVP_MAC_ctrl -EVP_F_EVP_MAC_CTRL_STR:210:EVP_MAC_ctrl_str -EVP_F_EVP_MAC_CTX_DUP:211:EVP_MAC_CTX_dup -EVP_F_EVP_MAC_CTX_NEW:213:EVP_MAC_CTX_new -EVP_F_EVP_MAC_INIT:212:EVP_MAC_init -EVP_F_EVP_MD_BLOCK_SIZE:232:EVP_MD_block_size -EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex -EVP_F_EVP_MD_SIZE:162:EVP_MD_size -EVP_F_EVP_OPENINIT:102:EVP_OpenInit -EVP_F_EVP_PBE_ALG_ADD:115:EVP_PBE_alg_add -EVP_F_EVP_PBE_ALG_ADD_TYPE:160:EVP_PBE_alg_add_type -EVP_F_EVP_PBE_CIPHERINIT:116:EVP_PBE_CipherInit -EVP_F_EVP_PBE_SCRYPT:181:EVP_PBE_scrypt -EVP_F_EVP_PKCS82PKEY:111:EVP_PKCS82PKEY -EVP_F_EVP_PKEY2PKCS8:113:EVP_PKEY2PKCS8 -EVP_F_EVP_PKEY_ASN1_ADD0:188:EVP_PKEY_asn1_add0 -EVP_F_EVP_PKEY_CHECK:186:EVP_PKEY_check -EVP_F_EVP_PKEY_COPY_PARAMETERS:103:EVP_PKEY_copy_parameters -EVP_F_EVP_PKEY_CTX_CTRL:137:EVP_PKEY_CTX_ctrl -EVP_F_EVP_PKEY_CTX_CTRL_STR:150:EVP_PKEY_CTX_ctrl_str -EVP_F_EVP_PKEY_CTX_DUP:156:EVP_PKEY_CTX_dup -EVP_F_EVP_PKEY_CTX_MD:168:EVP_PKEY_CTX_md -EVP_F_EVP_PKEY_DECRYPT:104:EVP_PKEY_decrypt -EVP_F_EVP_PKEY_DECRYPT_INIT:138:EVP_PKEY_decrypt_init -EVP_F_EVP_PKEY_DECRYPT_OLD:151:EVP_PKEY_decrypt_old -EVP_F_EVP_PKEY_DERIVE:153:EVP_PKEY_derive -EVP_F_EVP_PKEY_DERIVE_INIT:154:EVP_PKEY_derive_init -EVP_F_EVP_PKEY_DERIVE_INIT_EX:243:EVP_PKEY_derive_init_ex -EVP_F_EVP_PKEY_DERIVE_SET_PEER:155:EVP_PKEY_derive_set_peer -EVP_F_EVP_PKEY_ENCRYPT:105:EVP_PKEY_encrypt -EVP_F_EVP_PKEY_ENCRYPT_INIT:139:EVP_PKEY_encrypt_init -EVP_F_EVP_PKEY_ENCRYPT_OLD:152:EVP_PKEY_encrypt_old -EVP_F_EVP_PKEY_GET0_DH:119:EVP_PKEY_get0_DH -EVP_F_EVP_PKEY_GET0_DSA:120:EVP_PKEY_get0_DSA -EVP_F_EVP_PKEY_GET0_ECX_KEY:222: -EVP_F_EVP_PKEY_GET0_EC_KEY:131:EVP_PKEY_get0_EC_KEY -EVP_F_EVP_PKEY_GET0_HMAC:183:EVP_PKEY_get0_hmac -EVP_F_EVP_PKEY_GET0_POLY1305:184:EVP_PKEY_get0_poly1305 -EVP_F_EVP_PKEY_GET0_RSA:121:EVP_PKEY_get0_RSA -EVP_F_EVP_PKEY_GET0_SIPHASH:172:EVP_PKEY_get0_siphash -EVP_F_EVP_PKEY_GET_RAW_PRIVATE_KEY:202:EVP_PKEY_get_raw_private_key -EVP_F_EVP_PKEY_GET_RAW_PUBLIC_KEY:203:EVP_PKEY_get_raw_public_key -EVP_F_EVP_PKEY_KEYGEN:146:EVP_PKEY_keygen -EVP_F_EVP_PKEY_KEYGEN_INIT:147:EVP_PKEY_keygen_init -EVP_F_EVP_PKEY_METH_ADD0:194:EVP_PKEY_meth_add0 -EVP_F_EVP_PKEY_METH_NEW:195:EVP_PKEY_meth_new -EVP_F_EVP_PKEY_NEW:106:EVP_PKEY_new -EVP_F_EVP_PKEY_NEW_CMAC_KEY:193:EVP_PKEY_new_CMAC_key -EVP_F_EVP_PKEY_NEW_RAW_PRIVATE_KEY:191:EVP_PKEY_new_raw_private_key -EVP_F_EVP_PKEY_NEW_RAW_PUBLIC_KEY:192:EVP_PKEY_new_raw_public_key -EVP_F_EVP_PKEY_PARAMGEN:148:EVP_PKEY_paramgen -EVP_F_EVP_PKEY_PARAMGEN_INIT:149:EVP_PKEY_paramgen_init -EVP_F_EVP_PKEY_PARAM_CHECK:189:EVP_PKEY_param_check -EVP_F_EVP_PKEY_PUBLIC_CHECK:190:EVP_PKEY_public_check -EVP_F_EVP_PKEY_SET1_ENGINE:187:EVP_PKEY_set1_engine -EVP_F_EVP_PKEY_SET_ALIAS_TYPE:206:EVP_PKEY_set_alias_type -EVP_F_EVP_PKEY_SIGN:140:EVP_PKEY_sign -EVP_F_EVP_PKEY_SIGN_INIT:141:EVP_PKEY_sign_init -EVP_F_EVP_PKEY_VERIFY:142:EVP_PKEY_verify -EVP_F_EVP_PKEY_VERIFY_INIT:143:EVP_PKEY_verify_init -EVP_F_EVP_PKEY_VERIFY_RECOVER:144:EVP_PKEY_verify_recover -EVP_F_EVP_PKEY_VERIFY_RECOVER_INIT:145:EVP_PKEY_verify_recover_init -EVP_F_EVP_SET_DEFAULT_PROPERTIES:236:EVP_set_default_properties -EVP_F_EVP_SIGNFINAL:107:EVP_SignFinal -EVP_F_EVP_VERIFYFINAL:108:EVP_VerifyFinal -EVP_F_GMAC_CTRL:215:gmac_ctrl -EVP_F_INT_CTX_NEW:157:int_ctx_new -EVP_F_KMAC_CTRL:217:kmac_ctrl -EVP_F_KMAC_INIT:218:kmac_init -EVP_F_OK_NEW:200:ok_new -EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_keyivgen -EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen -EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen -EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen -EVP_F_PKEY_KDF_CTRL:227:pkey_kdf_ctrl -EVP_F_PKEY_MAC_COPY:241:pkey_mac_copy -EVP_F_PKEY_MAC_INIT:214:pkey_mac_init -EVP_F_PKEY_SET_TYPE:158:pkey_set_type -EVP_F_POLY1305_CTRL:216:poly1305_ctrl -EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth -EVP_F_RC5_CTRL:125:rc5_ctrl -EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key -EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl -EVP_F_S390X_AES_GCM_TLS_CIPHER:208:s390x_aes_gcm_tls_cipher -EVP_F_SCRYPT_ALG:228:scrypt_alg -EVP_F_UPDATE:173:update -OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object -OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid -OBJ_F_OBJ_CREATE:100:OBJ_create -OBJ_F_OBJ_DUP:101:OBJ_dup -OBJ_F_OBJ_NAME_NEW_INDEX:106:OBJ_NAME_new_index -OBJ_F_OBJ_NID2LN:102:OBJ_nid2ln -OBJ_F_OBJ_NID2OBJ:103:OBJ_nid2obj -OBJ_F_OBJ_NID2SN:104:OBJ_nid2sn -OBJ_F_OBJ_TXT2OBJ:108:OBJ_txt2obj -OCSP_F_D2I_OCSP_NONCE:102:d2i_ocsp_nonce -OCSP_F_OCSP_BASIC_ADD1_STATUS:103:OCSP_basic_add1_status -OCSP_F_OCSP_BASIC_SIGN:104:OCSP_basic_sign -OCSP_F_OCSP_BASIC_SIGN_CTX:119:OCSP_basic_sign_ctx -OCSP_F_OCSP_BASIC_VERIFY:105:OCSP_basic_verify -OCSP_F_OCSP_CERT_ID_NEW:101:OCSP_cert_id_new -OCSP_F_OCSP_CHECK_DELEGATED:106:ocsp_check_delegated -OCSP_F_OCSP_CHECK_IDS:107:ocsp_check_ids -OCSP_F_OCSP_CHECK_ISSUER:108:ocsp_check_issuer -OCSP_F_OCSP_CHECK_VALIDITY:115:OCSP_check_validity -OCSP_F_OCSP_MATCH_ISSUERID:109:ocsp_match_issuerid -OCSP_F_OCSP_REQUEST_SIGN:110:OCSP_request_sign -OCSP_F_OCSP_REQUEST_VERIFY:116:OCSP_request_verify -OCSP_F_OCSP_RESPONSE_GET1_BASIC:111:OCSP_response_get1_basic -OSSL_STORE_F_FILE_ATTACH:128: -OSSL_STORE_F_FILE_CTRL:129:file_ctrl -OSSL_STORE_F_FILE_FIND:138:file_find -OSSL_STORE_F_FILE_GET_PASS:118:file_get_pass -OSSL_STORE_F_FILE_LOAD:119:file_load -OSSL_STORE_F_FILE_LOAD_TRY_DECODE:124:file_load_try_decode -OSSL_STORE_F_FILE_NAME_TO_URI:126:file_name_to_uri -OSSL_STORE_F_FILE_OPEN:120:file_open -OSSL_STORE_F_OSSL_STORE_ATTACH:127: -OSSL_STORE_F_OSSL_STORE_EXPECT:130:OSSL_STORE_expect -OSSL_STORE_F_OSSL_STORE_FIND:131:OSSL_STORE_find -OSSL_STORE_F_OSSL_STORE_GET0_LOADER_INT:100:ossl_store_get0_loader_int -OSSL_STORE_F_OSSL_STORE_INFO_GET1_CERT:101:OSSL_STORE_INFO_get1_CERT -OSSL_STORE_F_OSSL_STORE_INFO_GET1_CRL:102:OSSL_STORE_INFO_get1_CRL -OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME:103:OSSL_STORE_INFO_get1_NAME -OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION:135:\ - OSSL_STORE_INFO_get1_NAME_description -OSSL_STORE_F_OSSL_STORE_INFO_GET1_PARAMS:104:OSSL_STORE_INFO_get1_PARAMS -OSSL_STORE_F_OSSL_STORE_INFO_GET1_PKEY:105:OSSL_STORE_INFO_get1_PKEY -OSSL_STORE_F_OSSL_STORE_INFO_NEW_CERT:106:OSSL_STORE_INFO_new_CERT -OSSL_STORE_F_OSSL_STORE_INFO_NEW_CRL:107:OSSL_STORE_INFO_new_CRL -OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED:123:ossl_store_info_new_EMBEDDED -OSSL_STORE_F_OSSL_STORE_INFO_NEW_NAME:109:OSSL_STORE_INFO_new_NAME -OSSL_STORE_F_OSSL_STORE_INFO_NEW_PARAMS:110:OSSL_STORE_INFO_new_PARAMS -OSSL_STORE_F_OSSL_STORE_INFO_NEW_PKEY:111:OSSL_STORE_INFO_new_PKEY -OSSL_STORE_F_OSSL_STORE_INFO_SET0_NAME_DESCRIPTION:134:\ - OSSL_STORE_INFO_set0_NAME_description -OSSL_STORE_F_OSSL_STORE_INIT_ONCE:112:ossl_store_init_once -OSSL_STORE_F_OSSL_STORE_LOADER_NEW:113:OSSL_STORE_LOADER_new -OSSL_STORE_F_OSSL_STORE_OPEN:114:OSSL_STORE_open -OSSL_STORE_F_OSSL_STORE_OPEN_INT:115:* -OSSL_STORE_F_OSSL_STORE_REGISTER_LOADER_INT:117:ossl_store_register_loader_int -OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ALIAS:132:OSSL_STORE_SEARCH_by_alias -OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:133:\ - OSSL_STORE_SEARCH_by_issuer_serial -OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:136:\ - OSSL_STORE_SEARCH_by_key_fingerprint -OSSL_STORE_F_OSSL_STORE_SEARCH_BY_NAME:137:OSSL_STORE_SEARCH_by_name -OSSL_STORE_F_OSSL_STORE_UNREGISTER_LOADER_INT:116:\ - ossl_store_unregister_loader_int -OSSL_STORE_F_TRY_DECODE_PARAMS:121:try_decode_params -OSSL_STORE_F_TRY_DECODE_PKCS12:122:try_decode_PKCS12 -OSSL_STORE_F_TRY_DECODE_PKCS8ENCRYPTED:125:try_decode_PKCS8Encrypted -PEM_F_B2I_DSS:127:b2i_dss -PEM_F_B2I_PVK_BIO:128:b2i_PVK_bio -PEM_F_B2I_RSA:129:b2i_rsa -PEM_F_CHECK_BITLEN_DSA:130:check_bitlen_dsa -PEM_F_CHECK_BITLEN_RSA:131:check_bitlen_rsa -PEM_F_D2I_PKCS8PRIVATEKEY_BIO:120:d2i_PKCS8PrivateKey_bio -PEM_F_D2I_PKCS8PRIVATEKEY_FP:121:d2i_PKCS8PrivateKey_fp -PEM_F_DO_B2I:132:do_b2i -PEM_F_DO_B2I_BIO:133:do_b2i_bio -PEM_F_DO_I2B:146:do_i2b -PEM_F_DO_PK8PKEY:126:do_pk8pkey -PEM_F_DO_PK8PKEY_FP:125:do_pk8pkey_fp -PEM_F_DO_PVK_BODY:135:do_PVK_body -PEM_F_GET_HEADER_AND_DATA:143:get_header_and_data -PEM_F_GET_NAME:144:get_name -PEM_F_I2B_PVK:137:i2b_PVK -PEM_F_I2B_PVK_BIO:138:i2b_PVK_bio -PEM_F_LOAD_IV:101:load_iv -PEM_F_OSSL_DO_BLOB_HEADER:134:ossl_do_blob_header -PEM_F_OSSL_DO_PVK_HEADER:136:ossl_do_PVK_header -PEM_F_PEM_ASN1_READ:102:PEM_ASN1_read -PEM_F_PEM_ASN1_READ_BIO:103:PEM_ASN1_read_bio -PEM_F_PEM_ASN1_WRITE:104:PEM_ASN1_write -PEM_F_PEM_ASN1_WRITE_BIO:105:PEM_ASN1_write_bio -PEM_F_PEM_DEF_CALLBACK:100:PEM_def_callback -PEM_F_PEM_DO_HEADER:106:PEM_do_header -PEM_F_PEM_GET_EVP_CIPHER_INFO:107:PEM_get_EVP_CIPHER_INFO -PEM_F_PEM_READ:108:PEM_read -PEM_F_PEM_READ_BIO:109:PEM_read_bio -PEM_F_PEM_READ_BIO_DHPARAMS:141:PEM_read_bio_DHparams -PEM_F_PEM_READ_BIO_EX:145:PEM_read_bio_ex -PEM_F_PEM_READ_BIO_PARAMETERS:140:PEM_read_bio_Parameters -PEM_F_PEM_READ_BIO_PRIVATEKEY:123:PEM_read_bio_PrivateKey -PEM_F_PEM_READ_DHPARAMS:142:PEM_read_DHparams -PEM_F_PEM_READ_PRIVATEKEY:124:PEM_read_PrivateKey -PEM_F_PEM_SIGNFINAL:112:PEM_SignFinal -PEM_F_PEM_WRITE:113:PEM_write -PEM_F_PEM_WRITE_BIO:114:PEM_write_bio -PEM_F_PEM_WRITE_PRIVATEKEY:139:PEM_write_PrivateKey -PEM_F_PEM_X509_INFO_READ:115:PEM_X509_INFO_read -PEM_F_PEM_X509_INFO_READ_BIO:116:PEM_X509_INFO_read_bio -PEM_F_PEM_X509_INFO_WRITE_BIO:117:PEM_X509_INFO_write_bio -PKCS12_F_OPENSSL_ASC2UNI:121:OPENSSL_asc2uni -PKCS12_F_OPENSSL_UNI2ASC:124:OPENSSL_uni2asc -PKCS12_F_OPENSSL_UNI2UTF8:127:OPENSSL_uni2utf8 -PKCS12_F_OPENSSL_UTF82UNI:129:OPENSSL_utf82uni -PKCS12_F_PKCS12_CREATE:105:PKCS12_create -PKCS12_F_PKCS12_GEN_MAC:107:PKCS12_gen_mac -PKCS12_F_PKCS12_INIT:109:PKCS12_init -PKCS12_F_PKCS12_ITEM_DECRYPT_D2I:106:PKCS12_item_decrypt_d2i -PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT:108:PKCS12_item_i2d_encrypt -PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG:117:PKCS12_item_pack_safebag -PKCS12_F_PKCS12_KEY_GEN_ASC:110:PKCS12_key_gen_asc -PKCS12_F_PKCS12_KEY_GEN_UNI:111:PKCS12_key_gen_uni -PKCS12_F_PKCS12_KEY_GEN_UTF8:116:PKCS12_key_gen_utf8 -PKCS12_F_PKCS12_NEWPASS:128:PKCS12_newpass -PKCS12_F_PKCS12_PACK_P7DATA:114:PKCS12_pack_p7data -PKCS12_F_PKCS12_PACK_P7ENCDATA:115:PKCS12_pack_p7encdata -PKCS12_F_PKCS12_PARSE:118:PKCS12_parse -PKCS12_F_PKCS12_PBE_CRYPT:119:PKCS12_pbe_crypt -PKCS12_F_PKCS12_PBE_KEYIVGEN:120:PKCS12_PBE_keyivgen -PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF:112:PKCS12_SAFEBAG_create0_p8inf -PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8:113:PKCS12_SAFEBAG_create0_pkcs8 -PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT:133:\ - PKCS12_SAFEBAG_create_pkcs8_encrypt -PKCS12_F_PKCS12_SAFEBAG_CREATE_SECRET:134: -PKCS12_F_PKCS12_SETUP_MAC:122:PKCS12_setup_mac -PKCS12_F_PKCS12_SET_MAC:123:PKCS12_set_mac -PKCS12_F_PKCS12_UNPACK_AUTHSAFES:130:PKCS12_unpack_authsafes -PKCS12_F_PKCS12_UNPACK_P7DATA:131:PKCS12_unpack_p7data -PKCS12_F_PKCS12_VERIFY_MAC:126:PKCS12_verify_mac -PKCS12_F_PKCS8_ENCRYPT:125:PKCS8_encrypt -PKCS12_F_PKCS8_SET0_PBE:132:PKCS8_set0_pbe -PKCS7_F_DO_PKCS7_SIGNED_ATTRIB:136:do_pkcs7_signed_attrib -PKCS7_F_PKCS7_ADD0_ATTRIB_SIGNING_TIME:135:PKCS7_add0_attrib_signing_time -PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP:118:PKCS7_add_attrib_smimecap -PKCS7_F_PKCS7_ADD_CERTIFICATE:100:PKCS7_add_certificate -PKCS7_F_PKCS7_ADD_CRL:101:PKCS7_add_crl -PKCS7_F_PKCS7_ADD_RECIPIENT_INFO:102:PKCS7_add_recipient_info -PKCS7_F_PKCS7_ADD_SIGNATURE:131:PKCS7_add_signature -PKCS7_F_PKCS7_ADD_SIGNER:103:PKCS7_add_signer -PKCS7_F_PKCS7_BIO_ADD_DIGEST:125:PKCS7_bio_add_digest -PKCS7_F_PKCS7_COPY_EXISTING_DIGEST:138:pkcs7_copy_existing_digest -PKCS7_F_PKCS7_CTRL:104:PKCS7_ctrl -PKCS7_F_PKCS7_DATADECODE:112:PKCS7_dataDecode -PKCS7_F_PKCS7_DATAFINAL:128:PKCS7_dataFinal -PKCS7_F_PKCS7_DATAINIT:105:PKCS7_dataInit -PKCS7_F_PKCS7_DATAVERIFY:107:PKCS7_dataVerify -PKCS7_F_PKCS7_DECRYPT:114:PKCS7_decrypt -PKCS7_F_PKCS7_DECRYPT_RINFO:133:pkcs7_decrypt_rinfo -PKCS7_F_PKCS7_ENCODE_RINFO:132:pkcs7_encode_rinfo -PKCS7_F_PKCS7_ENCRYPT:115:PKCS7_encrypt -PKCS7_F_PKCS7_FINAL:134:PKCS7_final -PKCS7_F_PKCS7_FIND_DIGEST:127:PKCS7_find_digest -PKCS7_F_PKCS7_GET0_SIGNERS:124:PKCS7_get0_signers -PKCS7_F_PKCS7_RECIP_INFO_SET:130:PKCS7_RECIP_INFO_set -PKCS7_F_PKCS7_SET_CIPHER:108:PKCS7_set_cipher -PKCS7_F_PKCS7_SET_CONTENT:109:PKCS7_set_content -PKCS7_F_PKCS7_SET_DIGEST:126:PKCS7_set_digest -PKCS7_F_PKCS7_SET_TYPE:110:PKCS7_set_type -PKCS7_F_PKCS7_SIGN:116:PKCS7_sign -PKCS7_F_PKCS7_SIGNATUREVERIFY:113:PKCS7_signatureVerify -PKCS7_F_PKCS7_SIGNER_INFO_SET:129:PKCS7_SIGNER_INFO_set -PKCS7_F_PKCS7_SIGNER_INFO_SIGN:139:PKCS7_SIGNER_INFO_sign -PKCS7_F_PKCS7_SIGN_ADD_SIGNER:137:PKCS7_sign_add_signer -PKCS7_F_PKCS7_SIMPLE_SMIMECAP:119:PKCS7_simple_smimecap -PKCS7_F_PKCS7_VERIFY:117:PKCS7_verify -PROP_F_OSSL_PARSE_PROPERTY:100:ossl_parse_property -PROP_F_OSSL_PARSE_QUERY:101:ossl_parse_query -PROP_F_PARSE_HEX:102:parse_hex -PROP_F_PARSE_NAME:103:parse_name -PROP_F_PARSE_NUMBER:104:parse_number -PROP_F_PARSE_OCT:105:parse_oct -PROP_F_PARSE_STRING:106:parse_string -PROP_F_PARSE_UNQUOTED:107:parse_unquoted -PROV_F_AESNI_INIT_KEY:101:aesni_init_key -PROV_F_AES_BLOCK_FINAL:102:aes_block_final -PROV_F_AES_BLOCK_UPDATE:103:aes_block_update -PROV_F_AES_CIPHER:104:aes_cipher -PROV_F_AES_DINIT:107:aes_dinit -PROV_F_AES_DUPCTX:108:aes_dupctx -PROV_F_AES_EINIT:109:aes_einit -PROV_F_AES_GET_CTX_PARAMS:105:aes_get_ctx_params -PROV_F_AES_INIT_KEY:110:aes_init_key -PROV_F_AES_SET_CTX_PARAMS:106:aes_set_ctx_params -PROV_F_AES_STREAM_UPDATE:111:aes_stream_update -PROV_F_AES_T4_INIT_KEY:112:aes_t4_init_key -PROV_F_BLAKE2_MAC_INIT:115:blake2_mac_init -PROV_F_BLAKE2_MAC_SET_PARAMS:116:blake2_mac_set_params -PROV_F_GMAC_SET_PARAMS:117:gmac_set_params -PROV_F_KMAC_SET_PARAMS:118:kmac_set_params -PROV_F_POLY1305_SET_PARAMS:119:poly1305_set_params -PROV_F_PROV_AES_KEY_GENERIC_INIT:113:PROV_AES_KEY_generic_init -PROV_F_TRAILINGDATA:114:trailingdata -PROV_F_UNPADBLOCK:100:unpadblock -RAND_F_DRBG_BYTES:101:drbg_bytes -RAND_F_DRBG_CTR_INIT:125:drbg_ctr_init -RAND_F_DRBG_GET_ENTROPY:105:drbg_get_entropy -RAND_F_DRBG_SETUP:117:drbg_setup -RAND_F_GET_ENTROPY:106:get_entropy -RAND_F_RAND_BYTES:100:RAND_bytes -RAND_F_RAND_BYTES_EX:126:rand_bytes_ex -RAND_F_RAND_DRBG_ENABLE_LOCKING:119:rand_drbg_enable_locking -RAND_F_RAND_DRBG_GET_ENTROPY:120:rand_drbg_get_entropy -RAND_F_RAND_DRBG_GET_NONCE:123:rand_drbg_get_nonce -RAND_F_RAND_DRBG_INIT_METHOD:130: -RAND_F_RAND_DRBG_RESTART:102:rand_drbg_restart -RAND_F_RAND_LOAD_FILE:111:RAND_load_file -RAND_F_RAND_POOL_ACQUIRE_ENTROPY:122:rand_pool_acquire_entropy -RAND_F_RAND_POOL_ADD:103:rand_pool_add -RAND_F_RAND_POOL_ADD_BEGIN:113:rand_pool_add_begin -RAND_F_RAND_POOL_ADD_END:114:rand_pool_add_end -RAND_F_RAND_POOL_ATTACH:124:rand_pool_attach -RAND_F_RAND_POOL_BYTES_NEEDED:115:rand_pool_bytes_needed -RAND_F_RAND_POOL_GROW:127: -RAND_F_RAND_POOL_NEW:116:rand_pool_new -RAND_F_RAND_PRIV_BYTES_EX:128: -RAND_F_RAND_PSEUDO_BYTES:129: -RAND_F_RAND_WRITE_FILE:112:RAND_write_file -RSA_F_CHECK_PADDING_MD:140:check_padding_md -RSA_F_ENCODE_PKCS1:146:encode_pkcs1 -RSA_F_INT_RSA_VERIFY:145:int_rsa_verify -RSA_F_OLD_RSA_PRIV_DECODE:147:old_rsa_priv_decode -RSA_F_PKEY_PSS_INIT:165:pkey_pss_init -RSA_F_PKEY_RSA_CTRL:143:pkey_rsa_ctrl -RSA_F_PKEY_RSA_CTRL_STR:144:pkey_rsa_ctrl_str -RSA_F_PKEY_RSA_SIGN:142:pkey_rsa_sign -RSA_F_PKEY_RSA_VERIFY:149:pkey_rsa_verify -RSA_F_PKEY_RSA_VERIFYRECOVER:141:pkey_rsa_verifyrecover -RSA_F_RSA_ALGOR_TO_MD:156:rsa_algor_to_md -RSA_F_RSA_BUILTIN_KEYGEN:129:rsa_builtin_keygen -RSA_F_RSA_CHECK_KEY:123:RSA_check_key -RSA_F_RSA_CHECK_KEY_EX:160:RSA_check_key_ex -RSA_F_RSA_CMS_DECRYPT:159:rsa_cms_decrypt -RSA_F_RSA_CMS_VERIFY:158:rsa_cms_verify -RSA_F_RSA_ITEM_VERIFY:148:rsa_item_verify -RSA_F_RSA_METH_DUP:161:RSA_meth_dup -RSA_F_RSA_METH_NEW:162:RSA_meth_new -RSA_F_RSA_METH_SET1_NAME:163:RSA_meth_set1_name -RSA_F_RSA_MGF1_TO_MD:157:* -RSA_F_RSA_MULTIP_INFO_NEW:166:rsa_multip_info_new -RSA_F_RSA_NEW_METHOD:106:RSA_new_method -RSA_F_RSA_NULL:124:* -RSA_F_RSA_NULL_PRIVATE_DECRYPT:132:* -RSA_F_RSA_NULL_PRIVATE_ENCRYPT:133:* -RSA_F_RSA_NULL_PUBLIC_DECRYPT:134:* -RSA_F_RSA_NULL_PUBLIC_ENCRYPT:135:* -RSA_F_RSA_OSSL_PRIVATE_DECRYPT:101:rsa_ossl_private_decrypt -RSA_F_RSA_OSSL_PRIVATE_ENCRYPT:102:rsa_ossl_private_encrypt -RSA_F_RSA_OSSL_PUBLIC_DECRYPT:103:rsa_ossl_public_decrypt -RSA_F_RSA_OSSL_PUBLIC_ENCRYPT:104:rsa_ossl_public_encrypt -RSA_F_RSA_PADDING_ADD_NONE:107:RSA_padding_add_none -RSA_F_RSA_PADDING_ADD_PKCS1_OAEP:121:RSA_padding_add_PKCS1_OAEP -RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1:154:RSA_padding_add_PKCS1_OAEP_mgf1 -RSA_F_RSA_PADDING_ADD_PKCS1_PSS:125:RSA_padding_add_PKCS1_PSS -RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1:152:RSA_padding_add_PKCS1_PSS_mgf1 -RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1:108:RSA_padding_add_PKCS1_type_1 -RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2:109:RSA_padding_add_PKCS1_type_2 -RSA_F_RSA_PADDING_ADD_SSLV23:110:RSA_padding_add_SSLv23 -RSA_F_RSA_PADDING_ADD_X931:127:RSA_padding_add_X931 -RSA_F_RSA_PADDING_CHECK_NONE:111:RSA_padding_check_none -RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP:122:RSA_padding_check_PKCS1_OAEP -RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1:153:RSA_padding_check_PKCS1_OAEP_mgf1 -RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1:112:RSA_padding_check_PKCS1_type_1 -RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2:113:RSA_padding_check_PKCS1_type_2 -RSA_F_RSA_PADDING_CHECK_SSLV23:114:RSA_padding_check_SSLv23 -RSA_F_RSA_PADDING_CHECK_X931:128:RSA_padding_check_X931 -RSA_F_RSA_PARAM_DECODE:164:rsa_param_decode -RSA_F_RSA_PRINT:115:RSA_print -RSA_F_RSA_PRINT_FP:116:RSA_print_fp -RSA_F_RSA_PRIV_DECODE:150:rsa_priv_decode -RSA_F_RSA_PRIV_ENCODE:138:rsa_priv_encode -RSA_F_RSA_PSS_GET_PARAM:151:rsa_pss_get_param -RSA_F_RSA_PSS_TO_CTX:155:rsa_pss_to_ctx -RSA_F_RSA_PUB_DECODE:139:rsa_pub_decode -RSA_F_RSA_SETUP_BLINDING:136:RSA_setup_blinding -RSA_F_RSA_SIGN:117:RSA_sign -RSA_F_RSA_SIGN_ASN1_OCTET_STRING:118:RSA_sign_ASN1_OCTET_STRING -RSA_F_RSA_VERIFY:119:RSA_verify -RSA_F_RSA_VERIFY_ASN1_OCTET_STRING:120:RSA_verify_ASN1_OCTET_STRING -RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1:126:RSA_verify_PKCS1_PSS_mgf1 -RSA_F_SETUP_TBUF:167:setup_tbuf -SM2_F_PKEY_SM2_COPY:115:pkey_sm2_copy -SM2_F_PKEY_SM2_CTRL:109:pkey_sm2_ctrl -SM2_F_PKEY_SM2_CTRL_STR:110:pkey_sm2_ctrl_str -SM2_F_PKEY_SM2_DIGEST_CUSTOM:114:pkey_sm2_digest_custom -SM2_F_PKEY_SM2_INIT:111:pkey_sm2_init -SM2_F_PKEY_SM2_SIGN:112:pkey_sm2_sign -SM2_F_SM2_COMPUTE_MSG_HASH:100:sm2_compute_msg_hash -SM2_F_SM2_COMPUTE_USERID_DIGEST:101:sm2_compute_userid_digest -SM2_F_SM2_COMPUTE_Z_DIGEST:113:sm2_compute_z_digest -SM2_F_SM2_DECRYPT:102:sm2_decrypt -SM2_F_SM2_ENCRYPT:103:sm2_encrypt -SM2_F_SM2_INTERNAL_SIGN:116: -SM2_F_SM2_INTERNAL_VERIFY:117: -SM2_F_SM2_PLAINTEXT_SIZE:104:sm2_plaintext_size -SM2_F_SM2_SIGN:105:sm2_sign -SM2_F_SM2_SIG_GEN:106:sm2_sig_gen -SM2_F_SM2_SIG_VERIFY:107:sm2_sig_verify -SM2_F_SM2_VERIFY:108:sm2_verify -SSL_F_ADD_CLIENT_KEY_SHARE_EXT:438:* -SSL_F_ADD_KEY_SHARE:512:add_key_share -SSL_F_BYTES_TO_CIPHER_LIST:519:bytes_to_cipher_list -SSL_F_CHECK_SUITEB_CIPHER_LIST:331:check_suiteb_cipher_list -SSL_F_CIPHERSUITE_CB:622:ciphersuite_cb -SSL_F_CONSTRUCT_CA_NAMES:552:construct_ca_names -SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS:553:construct_key_exchange_tbs -SSL_F_CONSTRUCT_STATEFUL_TICKET:636:construct_stateful_ticket -SSL_F_CONSTRUCT_STATELESS_TICKET:637:construct_stateless_ticket -SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH:539:create_synthetic_message_hash -SSL_F_CREATE_TICKET_PREQUEL:638:create_ticket_prequel -SSL_F_CT_MOVE_SCTS:345:ct_move_scts -SSL_F_CT_STRICT:349:ct_strict -SSL_F_CUSTOM_EXT_ADD:554:custom_ext_add -SSL_F_CUSTOM_EXT_PARSE:555:custom_ext_parse -SSL_F_D2I_SSL_SESSION:103:d2i_SSL_SESSION -SSL_F_DANE_CTX_ENABLE:347:dane_ctx_enable -SSL_F_DANE_MTYPE_SET:393:dane_mtype_set -SSL_F_DANE_TLSA_ADD:394:dane_tlsa_add -SSL_F_DERIVE_SECRET_KEY_AND_IV:514:derive_secret_key_and_iv -SSL_F_DO_DTLS1_WRITE:245:do_dtls1_write -SSL_F_DO_SSL3_WRITE:104:do_ssl3_write -SSL_F_DTLS1_BUFFER_RECORD:247:dtls1_buffer_record -SSL_F_DTLS1_CHECK_TIMEOUT_NUM:318:dtls1_check_timeout_num -SSL_F_DTLS1_HM_FRAGMENT_NEW:623:dtls1_hm_fragment_new -SSL_F_DTLS1_PREPROCESS_FRAGMENT:288:dtls1_preprocess_fragment -SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS:424:dtls1_process_buffered_records -SSL_F_DTLS1_PROCESS_RECORD:257:dtls1_process_record -SSL_F_DTLS1_READ_BYTES:258:dtls1_read_bytes -SSL_F_DTLS1_READ_FAILED:339:dtls1_read_failed -SSL_F_DTLS1_RETRANSMIT_MESSAGE:390:dtls1_retransmit_message -SSL_F_DTLS1_WRITE_APP_DATA_BYTES:268:dtls1_write_app_data_bytes -SSL_F_DTLS1_WRITE_BYTES:545:dtls1_write_bytes -SSL_F_DTLSV1_LISTEN:350:DTLSv1_listen -SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC:371:dtls_construct_change_cipher_spec -SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST:385:\ - dtls_construct_hello_verify_request -SSL_F_DTLS_GET_REASSEMBLED_MESSAGE:370:dtls_get_reassembled_message -SSL_F_DTLS_PROCESS_HELLO_VERIFY:386:dtls_process_hello_verify -SSL_F_DTLS_RECORD_LAYER_NEW:635:DTLS_RECORD_LAYER_new -SSL_F_DTLS_WAIT_FOR_DRY:592:dtls_wait_for_dry -SSL_F_EARLY_DATA_COUNT_OK:532:early_data_count_ok -SSL_F_FINAL_EARLY_DATA:556:final_early_data -SSL_F_FINAL_EC_PT_FORMATS:485:final_ec_pt_formats -SSL_F_FINAL_EMS:486:final_ems -SSL_F_FINAL_KEY_SHARE:503:final_key_share -SSL_F_FINAL_MAXFRAGMENTLEN:557:final_maxfragmentlen -SSL_F_FINAL_RENEGOTIATE:483:final_renegotiate -SSL_F_FINAL_SERVER_NAME:558:final_server_name -SSL_F_FINAL_SIG_ALGS:497:final_sig_algs -SSL_F_GET_CERT_VERIFY_TBS_DATA:588:get_cert_verify_tbs_data -SSL_F_NSS_KEYLOG_INT:500:nss_keylog_int -SSL_F_OPENSSL_INIT_SSL:342:OPENSSL_init_ssl -SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION:436:* -SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION:598:\ - ossl_statem_client13_write_transition -SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE:430:* -SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE:593:\ - ossl_statem_client_post_process_message -SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE:594:ossl_statem_client_process_message -SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION:417:ossl_statem_client_read_transition -SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION:599:\ - ossl_statem_client_write_transition -SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION:437:* -SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION:600:\ - ossl_statem_server13_write_transition -SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE:431:* -SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE:601:\ - ossl_statem_server_post_process_message -SSL_F_OSSL_STATEM_SERVER_POST_WORK:602:ossl_statem_server_post_work -SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640: -SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE:603:ossl_statem_server_process_message -SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION:418:ossl_statem_server_read_transition -SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION:604:\ - ossl_statem_server_write_transition -SSL_F_PARSE_CA_NAMES:541:parse_ca_names -SSL_F_PITEM_NEW:624:pitem_new -SSL_F_PQUEUE_NEW:625:pqueue_new -SSL_F_PROCESS_KEY_SHARE_EXT:439:* -SSL_F_READ_STATE_MACHINE:352:read_state_machine -SSL_F_SET_CLIENT_CIPHERSUITE:540:set_client_ciphersuite -SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET:595:srp_generate_client_master_secret -SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET:589:srp_generate_server_master_secret -SSL_F_SRP_VERIFY_SERVER_PARAM:596:srp_verify_server_param -SSL_F_SSL3_CHANGE_CIPHER_STATE:129:ssl3_change_cipher_state -SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM:130:ssl3_check_cert_and_algorithm -SSL_F_SSL3_CTRL:213:ssl3_ctrl -SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl -SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records -SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec -SSL_F_SSL3_ENC:608:ssl3_enc -SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac -SSL_F_SSL3_FINISH_MAC:587:ssl3_finish_mac -SSL_F_SSL3_GENERATE_KEY_BLOCK:238:ssl3_generate_key_block -SSL_F_SSL3_GENERATE_MASTER_SECRET:388:ssl3_generate_master_secret -SSL_F_SSL3_GET_RECORD:143:ssl3_get_record -SSL_F_SSL3_INIT_FINISHED_MAC:397:ssl3_init_finished_mac -SSL_F_SSL3_OUTPUT_CERT_CHAIN:147:ssl3_output_cert_chain -SSL_F_SSL3_READ_BYTES:148:ssl3_read_bytes -SSL_F_SSL3_READ_N:149:ssl3_read_n -SSL_F_SSL3_SETUP_KEY_BLOCK:157:ssl3_setup_key_block -SSL_F_SSL3_SETUP_READ_BUFFER:156:ssl3_setup_read_buffer -SSL_F_SSL3_SETUP_WRITE_BUFFER:291:ssl3_setup_write_buffer -SSL_F_SSL3_WRITE_BYTES:158:ssl3_write_bytes -SSL_F_SSL3_WRITE_PENDING:159:ssl3_write_pending -SSL_F_SSL_ADD_CERT_CHAIN:316:ssl_add_cert_chain -SSL_F_SSL_ADD_CERT_TO_BUF:319:* -SSL_F_SSL_ADD_CERT_TO_WPACKET:493:ssl_add_cert_to_wpacket -SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT:298:* -SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT:277:* -SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT:307:* -SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK:215:SSL_add_dir_cert_subjects_to_stack -SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK:216:\ - SSL_add_file_cert_subjects_to_stack -SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT:299:* -SSL_F_SSL_ADD_SERVERHELLO_TLSEXT:278:* -SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT:308:* -SSL_F_SSL_BAD_METHOD:160:ssl_bad_method -SSL_F_SSL_BUILD_CERT_CHAIN:332:ssl_build_cert_chain -SSL_F_SSL_BYTES_TO_CIPHER_LIST:161:SSL_bytes_to_cipher_list -SSL_F_SSL_CACHE_CIPHERLIST:520:ssl_cache_cipherlist -SSL_F_SSL_CERT_ADD0_CHAIN_CERT:346:ssl_cert_add0_chain_cert -SSL_F_SSL_CERT_DUP:221:ssl_cert_dup -SSL_F_SSL_CERT_NEW:162:ssl_cert_new -SSL_F_SSL_CERT_SET0_CHAIN:340:ssl_cert_set0_chain -SSL_F_SSL_CHECK_PRIVATE_KEY:163:SSL_check_private_key -SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT:280:* -SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO:606:ssl_check_srp_ext_ClientHello -SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG:279:ssl_check_srvr_ecc_cert_and_alg -SSL_F_SSL_CHOOSE_CLIENT_VERSION:607:ssl_choose_client_version -SSL_F_SSL_CIPHER_DESCRIPTION:626:SSL_CIPHER_description -SSL_F_SSL_CIPHER_LIST_TO_BYTES:425:ssl_cipher_list_to_bytes -SSL_F_SSL_CIPHER_PROCESS_RULESTR:230:ssl_cipher_process_rulestr -SSL_F_SSL_CIPHER_STRENGTH_SORT:231:ssl_cipher_strength_sort -SSL_F_SSL_CLEAR:164:SSL_clear -SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT:627:\ - SSL_client_hello_get1_extensions_present -SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD:165:SSL_COMP_add_compression_method -SSL_F_SSL_CONF_CMD:334:SSL_CONF_cmd -SSL_F_SSL_CREATE_CIPHER_LIST:166:ssl_create_cipher_list -SSL_F_SSL_CTRL:232:SSL_ctrl -SSL_F_SSL_CTX_CHECK_PRIVATE_KEY:168:SSL_CTX_check_private_key -SSL_F_SSL_CTX_ENABLE_CT:398:SSL_CTX_enable_ct -SSL_F_SSL_CTX_MAKE_PROFILES:309:ssl_ctx_make_profiles -SSL_F_SSL_CTX_NEW:169:SSL_CTX_new -SSL_F_SSL_CTX_SET_ALPN_PROTOS:343:SSL_CTX_set_alpn_protos -SSL_F_SSL_CTX_SET_CIPHER_LIST:269:SSL_CTX_set_cipher_list -SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE:290:SSL_CTX_set_client_cert_engine -SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK:396:SSL_CTX_set_ct_validation_callback -SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT:219:SSL_CTX_set_session_id_context -SSL_F_SSL_CTX_SET_SSL_VERSION:170:SSL_CTX_set_ssl_version -SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH:551:\ - SSL_CTX_set_tlsext_max_fragment_length -SSL_F_SSL_CTX_USE_CERTIFICATE:171:SSL_CTX_use_certificate -SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1:172:SSL_CTX_use_certificate_ASN1 -SSL_F_SSL_CTX_USE_CERTIFICATE_FILE:173:SSL_CTX_use_certificate_file -SSL_F_SSL_CTX_USE_PRIVATEKEY:174:SSL_CTX_use_PrivateKey -SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1:175:SSL_CTX_use_PrivateKey_ASN1 -SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE:176:SSL_CTX_use_PrivateKey_file -SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT:272:SSL_CTX_use_psk_identity_hint -SSL_F_SSL_CTX_USE_RSAPRIVATEKEY:177:SSL_CTX_use_RSAPrivateKey -SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1:178:SSL_CTX_use_RSAPrivateKey_ASN1 -SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE:179:SSL_CTX_use_RSAPrivateKey_file -SSL_F_SSL_CTX_USE_SERVERINFO:336:SSL_CTX_use_serverinfo -SSL_F_SSL_CTX_USE_SERVERINFO_EX:543:SSL_CTX_use_serverinfo_ex -SSL_F_SSL_CTX_USE_SERVERINFO_FILE:337:SSL_CTX_use_serverinfo_file -SSL_F_SSL_DANE_DUP:403:ssl_dane_dup -SSL_F_SSL_DANE_ENABLE:395:SSL_dane_enable -SSL_F_SSL_DECAPSULATE:643: -SSL_F_SSL_DERIVE:590:ssl_derive -SSL_F_SSL_DO_CONFIG:391:ssl_do_config -SSL_F_SSL_DO_HANDSHAKE:180:SSL_do_handshake -SSL_F_SSL_DUP_CA_LIST:408:SSL_dup_CA_list -SSL_F_SSL_ENABLE_CT:402:SSL_enable_ct -SSL_F_SSL_ENCAPSULATE:644: -SSL_F_SSL_GENERATE_PKEY_GROUP:559:ssl_generate_pkey_group -SSL_F_SSL_GENERATE_SESSION_ID:547:ssl_generate_session_id -SSL_F_SSL_GET_NEW_SESSION:181:ssl_get_new_session -SSL_F_SSL_GET_PREV_SESSION:217:ssl_get_prev_session -SSL_F_SSL_GET_SERVER_CERT_INDEX:322:* -SSL_F_SSL_GET_SIGN_PKEY:183:* -SSL_F_SSL_HANDSHAKE_HASH:560:ssl_handshake_hash -SSL_F_SSL_INIT_WBIO_BUFFER:184:ssl_init_wbio_buffer -SSL_F_SSL_KEY_UPDATE:515:SSL_key_update -SSL_F_SSL_LOAD_CLIENT_CA_FILE:185:SSL_load_client_CA_file -SSL_F_SSL_LOG_MASTER_SECRET:498:* -SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE:499:ssl_log_rsa_client_key_exchange -SSL_F_SSL_MODULE_INIT:392:ssl_module_init -SSL_F_SSL_NEW:186:SSL_new -SSL_F_SSL_NEXT_PROTO_VALIDATE:565:ssl_next_proto_validate -SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT:300:* -SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT:302:* -SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT:310:* -SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT:301:* -SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT:303:* -SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT:311:* -SSL_F_SSL_PEEK:270:SSL_peek -SSL_F_SSL_PEEK_EX:432:SSL_peek_ex -SSL_F_SSL_PEEK_INTERNAL:522:ssl_peek_internal -SSL_F_SSL_READ:223:SSL_read -SSL_F_SSL_READ_EARLY_DATA:529:SSL_read_early_data -SSL_F_SSL_READ_EX:434:SSL_read_ex -SSL_F_SSL_READ_INTERNAL:523:ssl_read_internal -SSL_F_SSL_RENEGOTIATE:516:SSL_renegotiate -SSL_F_SSL_RENEGOTIATE_ABBREVIATED:546:SSL_renegotiate_abbreviated -SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT:320:* -SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT:321:* -SSL_F_SSL_SENDFILE:639:SSL_sendfile -SSL_F_SSL_SESSION_DUP:348:ssl_session_dup -SSL_F_SSL_SESSION_NEW:189:SSL_SESSION_new -SSL_F_SSL_SESSION_PRINT_FP:190:SSL_SESSION_print_fp -SSL_F_SSL_SESSION_SET1_ID:423:SSL_SESSION_set1_id -SSL_F_SSL_SESSION_SET1_ID_CONTEXT:312:SSL_SESSION_set1_id_context -SSL_F_SSL_SET_ALPN_PROTOS:344:SSL_set_alpn_protos -SSL_F_SSL_SET_CERT:191:ssl_set_cert -SSL_F_SSL_SET_CERT_AND_KEY:621:ssl_set_cert_and_key -SSL_F_SSL_SET_CIPHER_LIST:271:SSL_set_cipher_list -SSL_F_SSL_SET_CT_VALIDATION_CALLBACK:399:SSL_set_ct_validation_callback -SSL_F_SSL_SET_FD:192:SSL_set_fd -SSL_F_SSL_SET_PKEY:193:ssl_set_pkey -SSL_F_SSL_SET_RFD:194:SSL_set_rfd -SSL_F_SSL_SET_SESSION:195:SSL_set_session -SSL_F_SSL_SET_SESSION_ID_CONTEXT:218:SSL_set_session_id_context -SSL_F_SSL_SET_SESSION_TICKET_EXT:294:SSL_set_session_ticket_ext -SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH:550:SSL_set_tlsext_max_fragment_length -SSL_F_SSL_SET_WFD:196:SSL_set_wfd -SSL_F_SSL_SHUTDOWN:224:SSL_shutdown -SSL_F_SSL_SRP_CTX_INIT:313:SSL_SRP_CTX_init -SSL_F_SSL_START_ASYNC_JOB:389:ssl_start_async_job -SSL_F_SSL_UNDEFINED_FUNCTION:197:ssl_undefined_function -SSL_F_SSL_UNDEFINED_VOID_FUNCTION:244:ssl_undefined_void_function -SSL_F_SSL_USE_CERTIFICATE:198:SSL_use_certificate -SSL_F_SSL_USE_CERTIFICATE_ASN1:199:SSL_use_certificate_ASN1 -SSL_F_SSL_USE_CERTIFICATE_FILE:200:SSL_use_certificate_file -SSL_F_SSL_USE_PRIVATEKEY:201:SSL_use_PrivateKey -SSL_F_SSL_USE_PRIVATEKEY_ASN1:202:SSL_use_PrivateKey_ASN1 -SSL_F_SSL_USE_PRIVATEKEY_FILE:203:SSL_use_PrivateKey_file -SSL_F_SSL_USE_PSK_IDENTITY_HINT:273:SSL_use_psk_identity_hint -SSL_F_SSL_USE_RSAPRIVATEKEY:204:SSL_use_RSAPrivateKey -SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1:205:SSL_use_RSAPrivateKey_ASN1 -SSL_F_SSL_USE_RSAPRIVATEKEY_FILE:206:SSL_use_RSAPrivateKey_file -SSL_F_SSL_VALIDATE_CT:400:ssl_validate_ct -SSL_F_SSL_VERIFY_CERT_CHAIN:207:ssl_verify_cert_chain -SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE:616:SSL_verify_client_post_handshake -SSL_F_SSL_WRITE:208:SSL_write -SSL_F_SSL_WRITE_EARLY_DATA:526:SSL_write_early_data -SSL_F_SSL_WRITE_EARLY_FINISH:527:* -SSL_F_SSL_WRITE_EX:433:SSL_write_ex -SSL_F_SSL_WRITE_INTERNAL:524:ssl_write_internal -SSL_F_STATE_MACHINE:353:state_machine -SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg -SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs -SSL_F_TLS13_CHANGE_CIPHER_STATE:440:tls13_change_cipher_state -SSL_F_TLS13_ENC:609:tls13_enc -SSL_F_TLS13_FINAL_FINISH_MAC:605:tls13_final_finish_mac -SSL_F_TLS13_GENERATE_SECRET:591:tls13_generate_secret -SSL_F_TLS13_HKDF_EXPAND:561:tls13_hkdf_expand -SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA:617:\ - tls13_restore_handshake_digest_for_pha -SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA:618:\ - tls13_save_handshake_digest_for_pha -SSL_F_TLS13_SETUP_KEY_BLOCK:441:tls13_setup_key_block -SSL_F_TLS1_CHANGE_CIPHER_STATE:209:tls1_change_cipher_state -SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS:341:* -SSL_F_TLS1_ENC:401:tls1_enc -SSL_F_TLS1_EXPORT_KEYING_MATERIAL:314:tls1_export_keying_material -SSL_F_TLS1_GET_CURVELIST:338:tls1_get_curvelist -SSL_F_TLS1_PRF:284:tls1_PRF -SSL_F_TLS1_SAVE_U16:628:tls1_save_u16 -SSL_F_TLS1_SETUP_KEY_BLOCK:211:tls1_setup_key_block -SSL_F_TLS1_SET_GROUPS:629:tls1_set_groups -SSL_F_TLS1_SET_RAW_SIGALGS:630:tls1_set_raw_sigalgs -SSL_F_TLS1_SET_SERVER_SIGALGS:335:tls1_set_server_sigalgs -SSL_F_TLS1_SET_SHARED_SIGALGS:631:tls1_set_shared_sigalgs -SSL_F_TLS1_SET_SIGALGS:632:tls1_set_sigalgs -SSL_F_TLS_CHOOSE_SIGALG:513:tls_choose_sigalg -SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK:354:tls_client_key_exchange_post_work -SSL_F_TLS_COLLECT_EXTENSIONS:435:tls_collect_extensions -SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES:542:\ - tls_construct_certificate_authorities -SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST:372:tls_construct_certificate_request -SSL_F_TLS_CONSTRUCT_CERT_STATUS:429:* -SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY:494:tls_construct_cert_status_body -SSL_F_TLS_CONSTRUCT_CERT_VERIFY:496:tls_construct_cert_verify -SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC:427:tls_construct_change_cipher_spec -SSL_F_TLS_CONSTRUCT_CKE_DHE:404:tls_construct_cke_dhe -SSL_F_TLS_CONSTRUCT_CKE_ECDHE:405:tls_construct_cke_ecdhe -SSL_F_TLS_CONSTRUCT_CKE_GOST:406:tls_construct_cke_gost -SSL_F_TLS_CONSTRUCT_CKE_GOST18:641: -SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE:407:tls_construct_cke_psk_preamble -SSL_F_TLS_CONSTRUCT_CKE_RSA:409:tls_construct_cke_rsa -SSL_F_TLS_CONSTRUCT_CKE_SRP:410:tls_construct_cke_srp -SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE:484:tls_construct_client_certificate -SSL_F_TLS_CONSTRUCT_CLIENT_HELLO:487:tls_construct_client_hello -SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE:488:tls_construct_client_key_exchange -SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY:489:* -SSL_F_TLS_CONSTRUCT_CTOS_ALPN:466:tls_construct_ctos_alpn -SSL_F_TLS_CONSTRUCT_CTOS_CERTIFICATE:355:* -SSL_F_TLS_CONSTRUCT_CTOS_COOKIE:535:tls_construct_ctos_cookie -SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA:530:tls_construct_ctos_early_data -SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS:467:tls_construct_ctos_ec_pt_formats -SSL_F_TLS_CONSTRUCT_CTOS_EMS:468:tls_construct_ctos_ems -SSL_F_TLS_CONSTRUCT_CTOS_ETM:469:tls_construct_ctos_etm -SSL_F_TLS_CONSTRUCT_CTOS_HELLO:356:* -SSL_F_TLS_CONSTRUCT_CTOS_KEY_EXCHANGE:357:* -SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE:470:tls_construct_ctos_key_share -SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN:549:tls_construct_ctos_maxfragmentlen -SSL_F_TLS_CONSTRUCT_CTOS_NPN:471:tls_construct_ctos_npn -SSL_F_TLS_CONSTRUCT_CTOS_PADDING:472:tls_construct_ctos_padding -SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH:619:\ - tls_construct_ctos_post_handshake_auth -SSL_F_TLS_CONSTRUCT_CTOS_PSK:501:tls_construct_ctos_psk -SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES:509:tls_construct_ctos_psk_kex_modes -SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE:473:tls_construct_ctos_renegotiate -SSL_F_TLS_CONSTRUCT_CTOS_SCT:474:tls_construct_ctos_sct -SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME:475:tls_construct_ctos_server_name -SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET:476:tls_construct_ctos_session_ticket -SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS:477:tls_construct_ctos_sig_algs -SSL_F_TLS_CONSTRUCT_CTOS_SRP:478:tls_construct_ctos_srp -SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST:479:tls_construct_ctos_status_request -SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS:480:\ - tls_construct_ctos_supported_groups -SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS:481:\ - tls_construct_ctos_supported_versions -SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP:482:tls_construct_ctos_use_srtp -SSL_F_TLS_CONSTRUCT_CTOS_VERIFY:358:* -SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS:443:tls_construct_encrypted_extensions -SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA:536:tls_construct_end_of_early_data -SSL_F_TLS_CONSTRUCT_EXTENSIONS:447:tls_construct_extensions -SSL_F_TLS_CONSTRUCT_FINISHED:359:tls_construct_finished -SSL_F_TLS_CONSTRUCT_HELLO_REQUEST:373:* -SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST:510:tls_construct_hello_retry_request -SSL_F_TLS_CONSTRUCT_KEY_UPDATE:517:tls_construct_key_update -SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET:428:tls_construct_new_session_ticket -SSL_F_TLS_CONSTRUCT_NEXT_PROTO:426:tls_construct_next_proto -SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE:490:tls_construct_server_certificate -SSL_F_TLS_CONSTRUCT_SERVER_HELLO:491:tls_construct_server_hello -SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE:492:tls_construct_server_key_exchange -SSL_F_TLS_CONSTRUCT_STOC_ALPN:451:tls_construct_stoc_alpn -SSL_F_TLS_CONSTRUCT_STOC_CERTIFICATE:374:* -SSL_F_TLS_CONSTRUCT_STOC_COOKIE:613:tls_construct_stoc_cookie -SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG:452:tls_construct_stoc_cryptopro_bug -SSL_F_TLS_CONSTRUCT_STOC_DONE:375:* -SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA:531:tls_construct_stoc_early_data -SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO:525:* -SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS:453:tls_construct_stoc_ec_pt_formats -SSL_F_TLS_CONSTRUCT_STOC_EMS:454:tls_construct_stoc_ems -SSL_F_TLS_CONSTRUCT_STOC_ETM:455:tls_construct_stoc_etm -SSL_F_TLS_CONSTRUCT_STOC_HELLO:376:* -SSL_F_TLS_CONSTRUCT_STOC_KEY_EXCHANGE:377:* -SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE:456:tls_construct_stoc_key_share -SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN:548:tls_construct_stoc_maxfragmentlen -SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG:457:tls_construct_stoc_next_proto_neg -SSL_F_TLS_CONSTRUCT_STOC_PSK:504:tls_construct_stoc_psk -SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE:458:tls_construct_stoc_renegotiate -SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME:459:tls_construct_stoc_server_name -SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET:460:tls_construct_stoc_session_ticket -SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST:461:tls_construct_stoc_status_request -SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS:544:\ - tls_construct_stoc_supported_groups -SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS:611:\ - tls_construct_stoc_supported_versions -SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP:462:tls_construct_stoc_use_srtp -SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO:521:\ - tls_early_post_process_client_hello -SSL_F_TLS_FINISH_HANDSHAKE:597:tls_finish_handshake -SSL_F_TLS_GET_MESSAGE_BODY:351:tls_get_message_body -SSL_F_TLS_GET_MESSAGE_HEADER:387:tls_get_message_header -SSL_F_TLS_HANDLE_ALPN:562:tls_handle_alpn -SSL_F_TLS_HANDLE_STATUS_REQUEST:563:tls_handle_status_request -SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES:566:tls_parse_certificate_authorities -SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT:449:* -SSL_F_TLS_PARSE_CTOS_ALPN:567:tls_parse_ctos_alpn -SSL_F_TLS_PARSE_CTOS_COOKIE:614:tls_parse_ctos_cookie -SSL_F_TLS_PARSE_CTOS_EARLY_DATA:568:tls_parse_ctos_early_data -SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS:569:tls_parse_ctos_ec_pt_formats -SSL_F_TLS_PARSE_CTOS_EMS:570:tls_parse_ctos_ems -SSL_F_TLS_PARSE_CTOS_KEY_SHARE:463:tls_parse_ctos_key_share -SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN:571:tls_parse_ctos_maxfragmentlen -SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH:620:tls_parse_ctos_post_handshake_auth -SSL_F_TLS_PARSE_CTOS_PSK:505:tls_parse_ctos_psk -SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES:572:tls_parse_ctos_psk_kex_modes -SSL_F_TLS_PARSE_CTOS_RENEGOTIATE:464:tls_parse_ctos_renegotiate -SSL_F_TLS_PARSE_CTOS_SERVER_NAME:573:tls_parse_ctos_server_name -SSL_F_TLS_PARSE_CTOS_SESSION_TICKET:574:tls_parse_ctos_session_ticket -SSL_F_TLS_PARSE_CTOS_SIG_ALGS:575:tls_parse_ctos_sig_algs -SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT:615:tls_parse_ctos_sig_algs_cert -SSL_F_TLS_PARSE_CTOS_SRP:576:tls_parse_ctos_srp -SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST:577:tls_parse_ctos_status_request -SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS:578:tls_parse_ctos_supported_groups -SSL_F_TLS_PARSE_CTOS_USE_SRTP:465:tls_parse_ctos_use_srtp -SSL_F_TLS_PARSE_STOC_ALPN:579:tls_parse_stoc_alpn -SSL_F_TLS_PARSE_STOC_COOKIE:534:tls_parse_stoc_cookie -SSL_F_TLS_PARSE_STOC_EARLY_DATA:538:tls_parse_stoc_early_data -SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO:528:* -SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS:580:tls_parse_stoc_ec_pt_formats -SSL_F_TLS_PARSE_STOC_KEY_SHARE:445:tls_parse_stoc_key_share -SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN:581:tls_parse_stoc_maxfragmentlen -SSL_F_TLS_PARSE_STOC_NPN:582:tls_parse_stoc_npn -SSL_F_TLS_PARSE_STOC_PSK:502:tls_parse_stoc_psk -SSL_F_TLS_PARSE_STOC_RENEGOTIATE:448:tls_parse_stoc_renegotiate -SSL_F_TLS_PARSE_STOC_SCT:564:tls_parse_stoc_sct -SSL_F_TLS_PARSE_STOC_SERVER_NAME:583:tls_parse_stoc_server_name -SSL_F_TLS_PARSE_STOC_SESSION_TICKET:584:tls_parse_stoc_session_ticket -SSL_F_TLS_PARSE_STOC_STATUS_REQUEST:585:tls_parse_stoc_status_request -SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS:612:tls_parse_stoc_supported_versions -SSL_F_TLS_PARSE_STOC_USE_SRTP:446:tls_parse_stoc_use_srtp -SSL_F_TLS_POST_PROCESS_CLIENT_HELLO:378:tls_post_process_client_hello -SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE:384:\ - tls_post_process_client_key_exchange -SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE:360:tls_prepare_client_certificate -SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST:610:tls_process_as_hello_retry_request -SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST:361:tls_process_certificate_request -SSL_F_TLS_PROCESS_CERT_STATUS:362:* -SSL_F_TLS_PROCESS_CERT_STATUS_BODY:495:tls_process_cert_status_body -SSL_F_TLS_PROCESS_CERT_VERIFY:379:tls_process_cert_verify -SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC:363:tls_process_change_cipher_spec -SSL_F_TLS_PROCESS_CKE_DHE:411:tls_process_cke_dhe -SSL_F_TLS_PROCESS_CKE_ECDHE:412:tls_process_cke_ecdhe -SSL_F_TLS_PROCESS_CKE_GOST:413:tls_process_cke_gost -SSL_F_TLS_PROCESS_CKE_GOST18:642: -SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE:414:tls_process_cke_psk_preamble -SSL_F_TLS_PROCESS_CKE_RSA:415:tls_process_cke_rsa -SSL_F_TLS_PROCESS_CKE_SRP:416:tls_process_cke_srp -SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE:380:tls_process_client_certificate -SSL_F_TLS_PROCESS_CLIENT_HELLO:381:tls_process_client_hello -SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE:382:tls_process_client_key_exchange -SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS:444:tls_process_encrypted_extensions -SSL_F_TLS_PROCESS_END_OF_EARLY_DATA:537:tls_process_end_of_early_data -SSL_F_TLS_PROCESS_FINISHED:364:tls_process_finished -SSL_F_TLS_PROCESS_HELLO_REQ:507:tls_process_hello_req -SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST:511:tls_process_hello_retry_request -SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT:442:tls_process_initial_server_flight -SSL_F_TLS_PROCESS_KEY_EXCHANGE:365:tls_process_key_exchange -SSL_F_TLS_PROCESS_KEY_UPDATE:518:tls_process_key_update -SSL_F_TLS_PROCESS_NEW_SESSION_TICKET:366:tls_process_new_session_ticket -SSL_F_TLS_PROCESS_NEXT_PROTO:383:tls_process_next_proto -SSL_F_TLS_PROCESS_SERVER_CERTIFICATE:367:tls_process_server_certificate -SSL_F_TLS_PROCESS_SERVER_DONE:368:tls_process_server_done -SSL_F_TLS_PROCESS_SERVER_HELLO:369:tls_process_server_hello -SSL_F_TLS_PROCESS_SKE_DHE:419:tls_process_ske_dhe -SSL_F_TLS_PROCESS_SKE_ECDHE:420:tls_process_ske_ecdhe -SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE:421:tls_process_ske_psk_preamble -SSL_F_TLS_PROCESS_SKE_SRP:422:tls_process_ske_srp -SSL_F_TLS_PSK_DO_BINDER:506:tls_psk_do_binder -SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT:450:* -SSL_F_TLS_SETUP_HANDSHAKE:508:tls_setup_handshake -SSL_F_USE_CERTIFICATE_CHAIN_FILE:220:use_certificate_chain_file -SSL_F_WPACKET_INTERN_INIT_LEN:633:wpacket_intern_init_len -SSL_F_WPACKET_START_SUB_PACKET_LEN__:634:WPACKET_start_sub_packet_len__ -SSL_F_WRITE_STATE_MACHINE:586:write_state_machine -TS_F_DEF_SERIAL_CB:110:def_serial_cb -TS_F_DEF_TIME_CB:111:def_time_cb -TS_F_INT_TS_RESP_VERIFY_TOKEN:149:int_ts_RESP_verify_token -TS_F_PKCS7_TO_TS_TST_INFO:148:PKCS7_to_TS_TST_INFO -TS_F_TS_ACCURACY_SET_MICROS:115:TS_ACCURACY_set_micros -TS_F_TS_ACCURACY_SET_MILLIS:116:TS_ACCURACY_set_millis -TS_F_TS_ACCURACY_SET_SECONDS:117:TS_ACCURACY_set_seconds -TS_F_TS_CHECK_IMPRINTS:100:ts_check_imprints -TS_F_TS_CHECK_NONCES:101:ts_check_nonces -TS_F_TS_CHECK_POLICY:102:ts_check_policy -TS_F_TS_CHECK_SIGNING_CERTS:103:ts_check_signing_certs -TS_F_TS_CHECK_STATUS_INFO:104:ts_check_status_info -TS_F_TS_COMPUTE_IMPRINT:145:ts_compute_imprint -TS_F_TS_CONF_INVALID:151:ts_CONF_invalid -TS_F_TS_CONF_LOAD_CERT:153:TS_CONF_load_cert -TS_F_TS_CONF_LOAD_CERTS:154:TS_CONF_load_certs -TS_F_TS_CONF_LOAD_KEY:155:TS_CONF_load_key -TS_F_TS_CONF_LOOKUP_FAIL:152:ts_CONF_lookup_fail -TS_F_TS_CONF_SET_DEFAULT_ENGINE:146:TS_CONF_set_default_engine -TS_F_TS_GET_STATUS_TEXT:105:ts_get_status_text -TS_F_TS_MSG_IMPRINT_SET_ALGO:118:TS_MSG_IMPRINT_set_algo -TS_F_TS_REQ_SET_MSG_IMPRINT:119:TS_REQ_set_msg_imprint -TS_F_TS_REQ_SET_NONCE:120:TS_REQ_set_nonce -TS_F_TS_REQ_SET_POLICY_ID:121:TS_REQ_set_policy_id -TS_F_TS_RESP_CREATE_RESPONSE:122:TS_RESP_create_response -TS_F_TS_RESP_CREATE_TST_INFO:123:ts_RESP_create_tst_info -TS_F_TS_RESP_CTX_ADD_FAILURE_INFO:124:TS_RESP_CTX_add_failure_info -TS_F_TS_RESP_CTX_ADD_MD:125:TS_RESP_CTX_add_md -TS_F_TS_RESP_CTX_ADD_POLICY:126:TS_RESP_CTX_add_policy -TS_F_TS_RESP_CTX_NEW:127:TS_RESP_CTX_new -TS_F_TS_RESP_CTX_SET_ACCURACY:128:TS_RESP_CTX_set_accuracy -TS_F_TS_RESP_CTX_SET_CERTS:129:TS_RESP_CTX_set_certs -TS_F_TS_RESP_CTX_SET_DEF_POLICY:130:TS_RESP_CTX_set_def_policy -TS_F_TS_RESP_CTX_SET_SIGNER_CERT:131:TS_RESP_CTX_set_signer_cert -TS_F_TS_RESP_CTX_SET_STATUS_INFO:132:TS_RESP_CTX_set_status_info -TS_F_TS_RESP_GET_POLICY:133:ts_RESP_get_policy -TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION:134:TS_RESP_set_genTime_with_precision -TS_F_TS_RESP_SET_STATUS_INFO:135:TS_RESP_set_status_info -TS_F_TS_RESP_SET_TST_INFO:150:TS_RESP_set_tst_info -TS_F_TS_RESP_SIGN:136:ts_RESP_sign -TS_F_TS_RESP_VERIFY_SIGNATURE:106:TS_RESP_verify_signature -TS_F_TS_TST_INFO_SET_ACCURACY:137:TS_TST_INFO_set_accuracy -TS_F_TS_TST_INFO_SET_MSG_IMPRINT:138:TS_TST_INFO_set_msg_imprint -TS_F_TS_TST_INFO_SET_NONCE:139:TS_TST_INFO_set_nonce -TS_F_TS_TST_INFO_SET_POLICY_ID:140:TS_TST_INFO_set_policy_id -TS_F_TS_TST_INFO_SET_SERIAL:141:TS_TST_INFO_set_serial -TS_F_TS_TST_INFO_SET_TIME:142:TS_TST_INFO_set_time -TS_F_TS_TST_INFO_SET_TSA:143:TS_TST_INFO_set_tsa -TS_F_TS_VERIFY:108:* -TS_F_TS_VERIFY_CERT:109:ts_verify_cert -TS_F_TS_VERIFY_CTX_NEW:144:TS_VERIFY_CTX_new -UI_F_CLOSE_CONSOLE:115:close_console -UI_F_ECHO_CONSOLE:116:echo_console -UI_F_GENERAL_ALLOCATE_BOOLEAN:108:general_allocate_boolean -UI_F_GENERAL_ALLOCATE_PROMPT:109:general_allocate_prompt -UI_F_NOECHO_CONSOLE:117:noecho_console -UI_F_OPEN_CONSOLE:114:open_console -UI_F_UI_CONSTRUCT_PROMPT:121:UI_construct_prompt -UI_F_UI_CREATE_METHOD:112:UI_create_method -UI_F_UI_CTRL:111:UI_ctrl -UI_F_UI_DUP_ERROR_STRING:101:UI_dup_error_string -UI_F_UI_DUP_INFO_STRING:102:UI_dup_info_string -UI_F_UI_DUP_INPUT_BOOLEAN:110:UI_dup_input_boolean -UI_F_UI_DUP_INPUT_STRING:103:UI_dup_input_string -UI_F_UI_DUP_USER_DATA:118:UI_dup_user_data -UI_F_UI_DUP_VERIFY_STRING:106:UI_dup_verify_string -UI_F_UI_GET0_RESULT:107:UI_get0_result -UI_F_UI_GET_RESULT_LENGTH:119:UI_get_result_length -UI_F_UI_NEW_METHOD:104:UI_new_method -UI_F_UI_PROCESS:113:UI_process -UI_F_UI_SET_RESULT:105:UI_set_result -UI_F_UI_SET_RESULT_EX:120:UI_set_result_ex -X509V3_F_A2I_GENERAL_NAME:164:a2i_GENERAL_NAME -X509V3_F_ADDR_VALIDATE_PATH_INTERNAL:166:addr_validate_path_internal -X509V3_F_ASIDENTIFIERCHOICE_CANONIZE:161:ASIdentifierChoice_canonize -X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL:162:ASIdentifierChoice_is_canonical -X509V3_F_BIGNUM_TO_STRING:167:bignum_to_string -X509V3_F_COPY_EMAIL:122:copy_email -X509V3_F_COPY_ISSUER:123:copy_issuer -X509V3_F_DO_DIRNAME:144:do_dirname -X509V3_F_DO_EXT_I2D:135:do_ext_i2d -X509V3_F_DO_EXT_NCONF:151:do_ext_nconf -X509V3_F_GNAMES_FROM_SECTNAME:156:gnames_from_sectname -X509V3_F_I2R_ISSUER_SIGN_TOOL:176: -X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED -X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING -X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER -X509V3_F_I2S_ASN1_UTF8STRING:173: -X509V3_F_I2V_AUTHORITY_INFO_ACCESS:138:i2v_AUTHORITY_INFO_ACCESS -X509V3_F_LEVEL_ADD_NODE:168:level_add_node -X509V3_F_NOTICE_SECTION:132:notice_section -X509V3_F_NREF_NOS:133:nref_nos -X509V3_F_POLICY_CACHE_CREATE:169:policy_cache_create -X509V3_F_POLICY_CACHE_NEW:170:policy_cache_new -X509V3_F_POLICY_DATA_NEW:171:policy_data_new -X509V3_F_POLICY_SECTION:131:policy_section -X509V3_F_PROCESS_PCI_VALUE:150:process_pci_value -X509V3_F_R2I_CERTPOL:130:r2i_certpol -X509V3_F_R2I_PCI:155:r2i_pci -X509V3_F_S2I_ASN1_IA5STRING:100:s2i_ASN1_IA5STRING -X509V3_F_S2I_ASN1_INTEGER:108:s2i_ASN1_INTEGER -X509V3_F_S2I_ASN1_OCTET_STRING:112:s2i_ASN1_OCTET_STRING -X509V3_F_S2I_ASN1_UTF8STRING:174: -X509V3_F_S2I_SKEY_ID:115:s2i_skey_id -X509V3_F_SET_DIST_POINT_NAME:158:set_dist_point_name -X509V3_F_SXNET_ADD_ID_ASC:125:SXNET_add_id_asc -X509V3_F_SXNET_ADD_ID_INTEGER:126:SXNET_add_id_INTEGER -X509V3_F_SXNET_ADD_ID_ULONG:127:SXNET_add_id_ulong -X509V3_F_SXNET_GET_ID_ASC:128:SXNET_get_id_asc -X509V3_F_SXNET_GET_ID_ULONG:129:SXNET_get_id_ulong -X509V3_F_TREE_INIT:172:tree_init -X509V3_F_V2I_ASIDENTIFIERS:163:v2i_ASIdentifiers -X509V3_F_V2I_ASN1_BIT_STRING:101:v2i_ASN1_BIT_STRING -X509V3_F_V2I_AUTHORITY_INFO_ACCESS:139:v2i_AUTHORITY_INFO_ACCESS -X509V3_F_V2I_AUTHORITY_KEYID:119:v2i_AUTHORITY_KEYID -X509V3_F_V2I_BASIC_CONSTRAINTS:102:v2i_BASIC_CONSTRAINTS -X509V3_F_V2I_CRLD:134:v2i_crld -X509V3_F_V2I_EXTENDED_KEY_USAGE:103:v2i_EXTENDED_KEY_USAGE -X509V3_F_V2I_GENERAL_NAMES:118:v2i_GENERAL_NAMES -X509V3_F_V2I_GENERAL_NAME_EX:117:v2i_GENERAL_NAME_ex -X509V3_F_V2I_IDP:157:v2i_idp -X509V3_F_V2I_IPADDRBLOCKS:159:v2i_IPAddrBlocks -X509V3_F_V2I_ISSUER_ALT:153:v2i_issuer_alt -X509V3_F_V2I_ISSUER_SIGN_TOOL:175: -X509V3_F_V2I_NAME_CONSTRAINTS:147:v2i_NAME_CONSTRAINTS -X509V3_F_V2I_POLICY_CONSTRAINTS:146:v2i_POLICY_CONSTRAINTS -X509V3_F_V2I_POLICY_MAPPINGS:145:v2i_POLICY_MAPPINGS -X509V3_F_V2I_SUBJECT_ALT:154:v2i_subject_alt -X509V3_F_V2I_TLS_FEATURE:165:v2i_TLS_FEATURE -X509V3_F_V3_GENERIC_EXTENSION:116:v3_generic_extension -X509V3_F_X509V3_ADD1_I2D:140:X509V3_add1_i2d -X509V3_F_X509V3_ADD_VALUE:105:X509V3_add_value -X509V3_F_X509V3_EXT_ADD:104:X509V3_EXT_add -X509V3_F_X509V3_EXT_ADD_ALIAS:106:X509V3_EXT_add_alias -X509V3_F_X509V3_EXT_I2D:136:X509V3_EXT_i2d -X509V3_F_X509V3_EXT_NCONF:152:X509V3_EXT_nconf -X509V3_F_X509V3_GET_SECTION:142:X509V3_get_section -X509V3_F_X509V3_GET_STRING:143:X509V3_get_string -X509V3_F_X509V3_GET_VALUE_BOOL:110:X509V3_get_value_bool -X509V3_F_X509V3_PARSE_LIST:109:X509V3_parse_list -X509V3_F_X509_PURPOSE_ADD:137:X509_PURPOSE_add -X509V3_F_X509_PURPOSE_SET:141:X509_PURPOSE_set -X509_F_ADD_CERT_DIR:100:add_cert_dir -X509_F_BUILD_CHAIN:106:build_chain -X509_F_BY_FILE_CTRL:101:by_file_ctrl -X509_F_CACHE_OBJECTS:163:cache_objects -X509_F_CHECK_NAME_CONSTRAINTS:149:check_name_constraints -X509_F_CHECK_POLICY:145:check_policy -X509_F_COMMON_VERIFY_SM2:165:common_verify_sm2 -X509_F_DANE_I2D:107:dane_i2d -X509_F_DIR_CTRL:102:dir_ctrl -X509_F_GET_CERT_BY_SUBJECT:103:get_cert_by_subject -X509_F_I2D_X509_AUX:151:i2d_X509_AUX -X509_F_LOOKUP_CERTS_SK:152:lookup_certs_sk -X509_F_NETSCAPE_SPKI_B64_DECODE:129:NETSCAPE_SPKI_b64_decode -X509_F_NETSCAPE_SPKI_B64_ENCODE:130:NETSCAPE_SPKI_b64_encode -X509_F_NEW_DIR:153:new_dir -X509_F_X509AT_ADD1_ATTR:135:X509at_add1_attr -X509_F_X509V3_ADD_EXT:104:X509v3_add_ext -X509_F_X509_ATTRIBUTE_CREATE_BY_NID:136:X509_ATTRIBUTE_create_by_NID -X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ:137:X509_ATTRIBUTE_create_by_OBJ -X509_F_X509_ATTRIBUTE_CREATE_BY_TXT:140:X509_ATTRIBUTE_create_by_txt -X509_F_X509_ATTRIBUTE_GET0_DATA:139:X509_ATTRIBUTE_get0_data -X509_F_X509_ATTRIBUTE_SET1_DATA:138:X509_ATTRIBUTE_set1_data -X509_F_X509_CHECK_PRIVATE_KEY:128:X509_check_private_key -X509_F_X509_CRL_DIFF:105:X509_CRL_diff -X509_F_X509_CRL_METHOD_NEW:154:X509_CRL_METHOD_new -X509_F_X509_CRL_PRINT_FP:147:X509_CRL_print_fp -X509_F_X509_EXTENSION_CREATE_BY_NID:108:X509_EXTENSION_create_by_NID -X509_F_X509_EXTENSION_CREATE_BY_OBJ:109:X509_EXTENSION_create_by_OBJ -X509_F_X509_GET_PUBKEY_PARAMETERS:110:X509_get_pubkey_parameters -X509_F_X509_LOAD_CERT_CRL_FILE:132:X509_load_cert_crl_file -X509_F_X509_LOAD_CERT_FILE:111:X509_load_cert_file -X509_F_X509_LOAD_CRL_FILE:112:X509_load_crl_file -X509_F_X509_LOOKUP_METH_NEW:160:X509_LOOKUP_meth_new -X509_F_X509_LOOKUP_NEW:155:X509_LOOKUP_new -X509_F_X509_NAME_ADD_ENTRY:113:X509_NAME_add_entry -X509_F_X509_NAME_CANON:156:x509_name_canon -X509_F_X509_NAME_ENTRY_CREATE_BY_NID:114:X509_NAME_ENTRY_create_by_NID -X509_F_X509_NAME_ENTRY_CREATE_BY_TXT:131:X509_NAME_ENTRY_create_by_txt -X509_F_X509_NAME_ENTRY_SET_OBJECT:115:X509_NAME_ENTRY_set_object -X509_F_X509_NAME_ONELINE:116:X509_NAME_oneline -X509_F_X509_NAME_PRINT:117:X509_NAME_print -X509_F_X509_OBJECT_NEW:150:X509_OBJECT_new -X509_F_X509_PRINT_EX_FP:118:X509_print_ex_fp -X509_F_X509_PUBKEY_DECODE:148:x509_pubkey_decode -X509_F_X509_PUBKEY_GET:166:X509_PUBKEY_get -X509_F_X509_PUBKEY_GET0:119:X509_PUBKEY_get0 -X509_F_X509_PUBKEY_SET:120:X509_PUBKEY_set -X509_F_X509_REQ_CHECK_PRIVATE_KEY:144:X509_REQ_check_private_key -X509_F_X509_REQ_PRINT_EX:121:X509_REQ_print_ex -X509_F_X509_REQ_PRINT_FP:122:X509_REQ_print_fp -X509_F_X509_REQ_TO_X509:123:X509_REQ_to_X509 -X509_F_X509_REQ_VERIFY:163:X509_REQ_verify -X509_F_X509_REQ_VERIFY_SM2:164:x509_req_verify_sm2 -X509_F_X509_STORE_ADD_CERT:124:X509_STORE_add_cert -X509_F_X509_STORE_ADD_CRL:125:X509_STORE_add_crl -X509_F_X509_STORE_ADD_LOOKUP:157:X509_STORE_add_lookup -X509_F_X509_STORE_CTX_GET1_ISSUER:146:X509_STORE_CTX_get1_issuer -X509_F_X509_STORE_CTX_INIT:143:X509_STORE_CTX_init -X509_F_X509_STORE_CTX_NEW:142:X509_STORE_CTX_new -X509_F_X509_STORE_CTX_PURPOSE_INHERIT:134:X509_STORE_CTX_purpose_inherit -X509_F_X509_STORE_NEW:158:X509_STORE_new -X509_F_X509_TO_X509_REQ:126:X509_to_X509_REQ -X509_F_X509_TRUST_ADD:133:X509_TRUST_add -X509_F_X509_TRUST_SET:141:X509_TRUST_set -X509_F_X509_VERIFY:161:X509_verify -X509_F_X509_VERIFY_CERT:127:X509_verify_cert -X509_F_X509_VERIFY_PARAM_NEW:159:X509_VERIFY_PARAM_new -X509_F_X509_VERIFY_SM2:162:x509_verify_sm2 - #Reason codes ASN1_R_ADDING_OBJECT:171:adding object ASN1_R_ASN1_PARSE_ERROR:203:asn1 parse error diff --git a/engines/e_afalg.txt b/engines/e_afalg.txt index 70d2d8b819..1126d74b98 100644 --- a/engines/e_afalg.txt +++ b/engines/e_afalg.txt @@ -5,15 +5,6 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -# Function codes -AFALG_F_AFALG_CHK_PLATFORM:100:afalg_chk_platform -AFALG_F_AFALG_CREATE_SK:101:afalg_create_sk -AFALG_F_AFALG_INIT_AIO:102:afalg_init_aio -AFALG_F_AFALG_SETUP_ASYNC_EVENT_NOTIFICATION:103:\ - afalg_setup_async_event_notification -AFALG_F_AFALG_SET_KEY:104:afalg_set_key -AFALG_F_BIND_AFALG:105:bind_afalg - #Reason codes AFALG_R_EVENTFD_FAILED:108:eventfd failed AFALG_R_FAILED_TO_GET_PLATFORM_INFO:111:failed to get platform info diff --git a/engines/e_afalg_err.h b/engines/e_afalg_err.h index 08f2d54da5..e15f50d6cc 100644 --- a/engines/e_afalg_err.h +++ b/engines/e_afalg_err.h @@ -19,18 +19,6 @@ # define AFALGerr(f, r) ERR_AFALG_error(0, (r), OPENSSL_FILE, OPENSSL_LINE) -/* - * AFALG function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define AFALG_F_AFALG_CHK_PLATFORM 0 -# define AFALG_F_AFALG_CREATE_SK 0 -# define AFALG_F_AFALG_INIT_AIO 0 -# define AFALG_F_AFALG_SETUP_ASYNC_EVENT_NOTIFICATION 0 -# define AFALG_F_AFALG_SET_KEY 0 -# define AFALG_F_BIND_AFALG 0 -# endif - /* * AFALG reason codes. */ diff --git a/engines/e_capi.txt b/engines/e_capi.txt index 942a6d9769..731452d845 100644 --- a/engines/e_capi.txt +++ b/engines/e_capi.txt @@ -5,28 +5,6 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -# Function codes -CAPI_F_CAPI_CERT_GET_FNAME:99:capi_cert_get_fname -CAPI_F_CAPI_CTRL:100:capi_ctrl -CAPI_F_CAPI_CTX_NEW:101:capi_ctx_new -CAPI_F_CAPI_CTX_SET_PROVNAME:102:capi_ctx_set_provname -CAPI_F_CAPI_DSA_DO_SIGN:114:capi_dsa_do_sign -CAPI_F_CAPI_GET_KEY:103:capi_get_key -CAPI_F_CAPI_GET_PKEY:115:capi_get_pkey -CAPI_F_CAPI_GET_PROVNAME:104:capi_get_provname -CAPI_F_CAPI_GET_PROV_INFO:105:capi_get_prov_info -CAPI_F_CAPI_INIT:106:capi_init -CAPI_F_CAPI_LIST_CONTAINERS:107:capi_list_containers -CAPI_F_CAPI_LOAD_PRIVKEY:108:capi_load_privkey -CAPI_F_CAPI_OPEN_STORE:109:capi_open_store -CAPI_F_CAPI_RSA_PRIV_DEC:110:capi_rsa_priv_dec -CAPI_F_CAPI_RSA_PRIV_ENC:111:capi_rsa_priv_enc -CAPI_F_CAPI_RSA_SIGN:112:capi_rsa_sign -CAPI_F_CAPI_VTRACE:118:capi_vtrace -CAPI_F_CERT_SELECT_DIALOG:117:cert_select_dialog -CAPI_F_CLIENT_CERT_SELECT:116:* -CAPI_F_WIDE_TO_ASC:113:wide_to_asc - #Reason codes CAPI_R_CANT_CREATE_HASH_OBJECT:100:cant create hash object CAPI_R_CANT_FIND_CAPI_CONTEXT:101:cant find capi context diff --git a/engines/e_capi_err.h b/engines/e_capi_err.h index d075373755..2531e4586b 100644 --- a/engines/e_capi_err.h +++ b/engines/e_capi_err.h @@ -19,32 +19,6 @@ # define CAPIerr(f, r) ERR_CAPI_error(0, (r), OPENSSL_FILE, OPENSSL_LINE) -/* - * CAPI function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define CAPI_F_CAPI_CERT_GET_FNAME 0 -# define CAPI_F_CAPI_CTRL 0 -# define CAPI_F_CAPI_CTX_NEW 0 -# define CAPI_F_CAPI_CTX_SET_PROVNAME 0 -# define CAPI_F_CAPI_DSA_DO_SIGN 0 -# define CAPI_F_CAPI_GET_KEY 0 -# define CAPI_F_CAPI_GET_PKEY 0 -# define CAPI_F_CAPI_GET_PROVNAME 0 -# define CAPI_F_CAPI_GET_PROV_INFO 0 -# define CAPI_F_CAPI_INIT 0 -# define CAPI_F_CAPI_LIST_CONTAINERS 0 -# define CAPI_F_CAPI_LOAD_PRIVKEY 0 -# define CAPI_F_CAPI_OPEN_STORE 0 -# define CAPI_F_CAPI_RSA_PRIV_DEC 0 -# define CAPI_F_CAPI_RSA_PRIV_ENC 0 -# define CAPI_F_CAPI_RSA_SIGN 0 -# define CAPI_F_CAPI_VTRACE 0 -# define CAPI_F_CERT_SELECT_DIALOG 0 -# define CAPI_F_CLIENT_CERT_SELECT 0 -# define CAPI_F_WIDE_TO_ASC 0 -# endif - /* * CAPI reason codes. */ diff --git a/engines/e_dasync.txt b/engines/e_dasync.txt index c503a7a667..bd8d0a881b 100644 --- a/engines/e_dasync.txt +++ b/engines/e_dasync.txt @@ -5,18 +5,5 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -# Function codes -DASYNC_F_BIND_DASYNC:107:bind_dasync -DASYNC_F_CIPHER_AES_128_CBC_CODE:100:* -DASYNC_F_DASYNC_AES128_CBC_HMAC_SHA1_INIT_KEY:109:* -DASYNC_F_DASYNC_AES128_INIT_KEY:108:* -DASYNC_F_DASYNC_BN_MOD_EXP:101:* -DASYNC_F_DASYNC_CIPHER_INIT_KEY_HELPER:110:dasync_cipher_init_key_helper -DASYNC_F_DASYNC_MOD_EXP:102:* -DASYNC_F_DASYNC_PRIVATE_DECRYPT:103:* -DASYNC_F_DASYNC_PRIVATE_ENCRYPT:104:* -DASYNC_F_DASYNC_PUBLIC_DECRYPT:105:* -DASYNC_F_DASYNC_PUBLIC_ENCRYPT:106:* - #Reason codes DASYNC_R_INIT_FAILED:100:init failed diff --git a/engines/e_dasync_err.h b/engines/e_dasync_err.h index 71c8d9916d..17fef2ee0a 100644 --- a/engines/e_dasync_err.h +++ b/engines/e_dasync_err.h @@ -19,23 +19,6 @@ # define DASYNCerr(f, r) ERR_DASYNC_error(0, (r), OPENSSL_FILE, OPENSSL_LINE) -/* - * DASYNC function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define DASYNC_F_BIND_DASYNC 0 -# define DASYNC_F_CIPHER_AES_128_CBC_CODE 0 -# define DASYNC_F_DASYNC_AES128_CBC_HMAC_SHA1_INIT_KEY 0 -# define DASYNC_F_DASYNC_AES128_INIT_KEY 0 -# define DASYNC_F_DASYNC_BN_MOD_EXP 0 -# define DASYNC_F_DASYNC_CIPHER_INIT_KEY_HELPER 0 -# define DASYNC_F_DASYNC_MOD_EXP 0 -# define DASYNC_F_DASYNC_PRIVATE_DECRYPT 0 -# define DASYNC_F_DASYNC_PRIVATE_ENCRYPT 0 -# define DASYNC_F_DASYNC_PUBLIC_DECRYPT 0 -# define DASYNC_F_DASYNC_PUBLIC_ENCRYPT 0 -# endif - /* * DASYNC reason codes. */ diff --git a/engines/e_loader_attic.txt b/engines/e_loader_attic.txt index db1a996a33..63e43d1511 100644 --- a/engines/e_loader_attic.txt +++ b/engines/e_loader_attic.txt @@ -5,8 +5,6 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -# Function codes - #Reason codes ATTIC_R_AMBIGUOUS_CONTENT_TYPE:100:ambiguous content type ATTIC_R_BAD_PASSWORD_READ:101:bad password read diff --git a/engines/e_loader_attic_err.h b/engines/e_loader_attic_err.h index 6f30ae3d0c..3dd7557402 100644 --- a/engines/e_loader_attic_err.h +++ b/engines/e_loader_attic_err.h @@ -19,12 +19,6 @@ # define ATTICerr(f, r) ERR_ATTIC_error(0, (r), OPENSSL_FILE, OPENSSL_LINE) -/* - * ATTIC function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# endif - /* * ATTIC reason codes. */ diff --git a/engines/e_ossltest.txt b/engines/e_ossltest.txt index ab36940699..c6450ce582 100644 --- a/engines/e_ossltest.txt +++ b/engines/e_ossltest.txt @@ -5,9 +5,5 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -# Function codes -OSSLTEST_F_BIND_OSSLTEST:100:bind_ossltest -OSSLTEST_F_OSSLTEST_AES128_INIT_KEY:101:* - #Reason codes OSSLTEST_R_INIT_FAILED:100:init failed diff --git a/engines/e_ossltest_err.h b/engines/e_ossltest_err.h index 1405a30af8..d1748e7427 100644 --- a/engines/e_ossltest_err.h +++ b/engines/e_ossltest_err.h @@ -19,14 +19,6 @@ # define OSSLTESTerr(f, r) ERR_OSSLTEST_error(0, (r), OPENSSL_FILE, OPENSSL_LINE) -/* - * OSSLTEST function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define OSSLTEST_F_BIND_OSSLTEST 0 -# define OSSLTEST_F_OSSLTEST_AES128_INIT_KEY 0 -# endif - /* * OSSLTEST reason codes. */ diff --git a/include/crypto/sm2err.h b/include/crypto/sm2err.h index 082e04eb1c..d24ff32a7e 100644 --- a/include/crypto/sm2err.h +++ b/include/crypto/sm2err.h @@ -23,30 +23,6 @@ extern "C" { int err_load_SM2_strings_int(void); -/* - * SM2 function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SM2_F_PKEY_SM2_COPY 0 -# define SM2_F_PKEY_SM2_CTRL 0 -# define SM2_F_PKEY_SM2_CTRL_STR 0 -# define SM2_F_PKEY_SM2_DIGEST_CUSTOM 0 -# define SM2_F_PKEY_SM2_INIT 0 -# define SM2_F_PKEY_SM2_SIGN 0 -# define SM2_F_SM2_COMPUTE_MSG_HASH 0 -# define SM2_F_SM2_COMPUTE_USERID_DIGEST 0 -# define SM2_F_SM2_COMPUTE_Z_DIGEST 0 -# define SM2_F_SM2_DECRYPT 0 -# define SM2_F_SM2_ENCRYPT 0 -# define SM2_F_SM2_INTERNAL_SIGN 0 -# define SM2_F_SM2_INTERNAL_VERIFY 0 -# define SM2_F_SM2_PLAINTEXT_SIZE 0 -# define SM2_F_SM2_SIGN 0 -# define SM2_F_SM2_SIG_GEN 0 -# define SM2_F_SM2_SIG_VERIFY 0 -# define SM2_F_SM2_VERIFY 0 -# endif - /* * SM2 reason codes. */ diff --git a/include/internal/dsoerr.h b/include/internal/dsoerr.h index eb76dd64ab..b503ae96a7 100644 --- a/include/internal/dsoerr.h +++ b/include/internal/dsoerr.h @@ -21,47 +21,6 @@ extern "C" { int err_load_DSO_strings_int(void); -/* - * DSO function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define DSO_F_DLFCN_BIND_FUNC 0 -# define DSO_F_DLFCN_LOAD 0 -# define DSO_F_DLFCN_MERGER 0 -# define DSO_F_DLFCN_NAME_CONVERTER 0 -# define DSO_F_DLFCN_UNLOAD 0 -# define DSO_F_DL_BIND_FUNC 0 -# define DSO_F_DL_LOAD 0 -# define DSO_F_DL_MERGER 0 -# define DSO_F_DL_NAME_CONVERTER 0 -# define DSO_F_DL_UNLOAD 0 -# define DSO_F_DSO_BIND_FUNC 0 -# define DSO_F_DSO_CONVERT_FILENAME 0 -# define DSO_F_DSO_CTRL 0 -# define DSO_F_DSO_FREE 0 -# define DSO_F_DSO_GET_FILENAME 0 -# define DSO_F_DSO_GLOBAL_LOOKUP 0 -# define DSO_F_DSO_LOAD 0 -# define DSO_F_DSO_MERGE 0 -# define DSO_F_DSO_NEW_METHOD 0 -# define DSO_F_DSO_PATHBYADDR 0 -# define DSO_F_DSO_SET_FILENAME 0 -# define DSO_F_DSO_UP_REF 0 -# define DSO_F_VMS_BIND_SYM 0 -# define DSO_F_VMS_LOAD 0 -# define DSO_F_VMS_MERGER 0 -# define DSO_F_VMS_UNLOAD 0 -# define DSO_F_WIN32_BIND_FUNC 0 -# define DSO_F_WIN32_GLOBALLOOKUP 0 -# define DSO_F_WIN32_JOINER 0 -# define DSO_F_WIN32_LOAD 0 -# define DSO_F_WIN32_MERGER 0 -# define DSO_F_WIN32_NAME_CONVERTER 0 -# define DSO_F_WIN32_PATHBYADDR 0 -# define DSO_F_WIN32_SPLITTER 0 -# define DSO_F_WIN32_UNLOAD 0 -# endif - /* * DSO reason codes. */ diff --git a/include/internal/propertyerr.h b/include/internal/propertyerr.h index 3a2d0ff1c8..3c009619eb 100644 --- a/include/internal/propertyerr.h +++ b/include/internal/propertyerr.h @@ -21,20 +21,6 @@ extern "C" { int err_load_PROP_strings_int(void); -/* - * PROP function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define PROP_F_OSSL_PARSE_PROPERTY 0 -# define PROP_F_OSSL_PARSE_QUERY 0 -# define PROP_F_PARSE_HEX 0 -# define PROP_F_PARSE_NAME 0 -# define PROP_F_PARSE_NUMBER 0 -# define PROP_F_PARSE_OCT 0 -# define PROP_F_PARSE_STRING 0 -# define PROP_F_PARSE_UNQUOTED 0 -# endif - /* * PROP reason codes. */ diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h index afae7c3a51..b7bca90c44 100644 --- a/include/openssl/asn1err.h +++ b/include/openssl/asn1err.h @@ -18,127 +18,6 @@ -/* - * ASN1 function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define ASN1_F_A2D_ASN1_OBJECT 0 -# define ASN1_F_A2I_ASN1_INTEGER 0 -# define ASN1_F_A2I_ASN1_STRING 0 -# define ASN1_F_APPEND_EXP 0 -# define ASN1_F_ASN1_BIO_INIT 0 -# define ASN1_F_ASN1_BIT_STRING_SET_BIT 0 -# define ASN1_F_ASN1_CB 0 -# define ASN1_F_ASN1_CHECK_TLEN 0 -# define ASN1_F_ASN1_COLLECT 0 -# define ASN1_F_ASN1_D2I_EX_PRIMITIVE 0 -# define ASN1_F_ASN1_D2I_FP 0 -# define ASN1_F_ASN1_D2I_READ_BIO 0 -# define ASN1_F_ASN1_DIGEST 0 -# define ASN1_F_ASN1_DO_ADB 0 -# define ASN1_F_ASN1_DO_LOCK 0 -# define ASN1_F_ASN1_DUP 0 -# define ASN1_F_ASN1_ENC_SAVE 0 -# define ASN1_F_ASN1_EX_C2I 0 -# define ASN1_F_ASN1_FIND_END 0 -# define ASN1_F_ASN1_GENERALIZEDTIME_ADJ 0 -# define ASN1_F_ASN1_GENERATE_V3 0 -# define ASN1_F_ASN1_GET_INT64 0 -# define ASN1_F_ASN1_GET_OBJECT 0 -# define ASN1_F_ASN1_GET_UINT64 0 -# define ASN1_F_ASN1_I2D_BIO 0 -# define ASN1_F_ASN1_I2D_FP 0 -# define ASN1_F_ASN1_ITEM_D2I_FP 0 -# define ASN1_F_ASN1_ITEM_DUP 0 -# define ASN1_F_ASN1_ITEM_EMBED_D2I 0 -# define ASN1_F_ASN1_ITEM_EMBED_NEW 0 -# define ASN1_F_ASN1_ITEM_FLAGS_I2D 0 -# define ASN1_F_ASN1_ITEM_I2D_BIO 0 -# define ASN1_F_ASN1_ITEM_I2D_FP 0 -# define ASN1_F_ASN1_ITEM_PACK 0 -# define ASN1_F_ASN1_ITEM_SIGN_CTX 0 -# define ASN1_F_ASN1_ITEM_UNPACK 0 -# define ASN1_F_ASN1_ITEM_VERIFY 0 -# define ASN1_F_ASN1_MBSTRING_NCOPY 0 -# define ASN1_F_ASN1_OBJECT_NEW 0 -# define ASN1_F_ASN1_OUTPUT_DATA 0 -# define ASN1_F_ASN1_PCTX_NEW 0 -# define ASN1_F_ASN1_PRIMITIVE_NEW 0 -# define ASN1_F_ASN1_SCTX_NEW 0 -# define ASN1_F_ASN1_SIGN 0 -# define ASN1_F_ASN1_STR2TYPE 0 -# define ASN1_F_ASN1_STRING_GET_INT64 0 -# define ASN1_F_ASN1_STRING_GET_UINT64 0 -# define ASN1_F_ASN1_STRING_SET 0 -# define ASN1_F_ASN1_STRING_TABLE_ADD 0 -# define ASN1_F_ASN1_STRING_TO_BN 0 -# define ASN1_F_ASN1_STRING_TYPE_NEW 0 -# define ASN1_F_ASN1_TEMPLATE_EX_D2I 0 -# define ASN1_F_ASN1_TEMPLATE_NEW 0 -# define ASN1_F_ASN1_TEMPLATE_NOEXP_D2I 0 -# define ASN1_F_ASN1_TIME_ADJ 0 -# define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 0 -# define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 0 -# define ASN1_F_ASN1_TYPE_GET_OCTETSTRING_INT 0 -# define ASN1_F_ASN1_UTCTIME_ADJ 0 -# define ASN1_F_ASN1_VERIFY 0 -# define ASN1_F_B64_READ_ASN1 0 -# define ASN1_F_B64_WRITE_ASN1 0 -# define ASN1_F_BIO_NEW_NDEF 0 -# define ASN1_F_BITSTR_CB 0 -# define ASN1_F_BN_TO_ASN1_STRING 0 -# define ASN1_F_C2I_ASN1_BIT_STRING 0 -# define ASN1_F_C2I_ASN1_INTEGER 0 -# define ASN1_F_C2I_ASN1_OBJECT 0 -# define ASN1_F_C2I_IBUF 0 -# define ASN1_F_C2I_UINT64_INT 0 -# define ASN1_F_COLLECT_DATA 0 -# define ASN1_F_D2I_ASN1_OBJECT 0 -# define ASN1_F_D2I_ASN1_UINTEGER 0 -# define ASN1_F_D2I_AUTOPRIVATEKEY 0 -# define ASN1_F_D2I_KEYPARAMS 0 -# define ASN1_F_D2I_PRIVATEKEY 0 -# define ASN1_F_D2I_PUBLICKEY 0 -# define ASN1_F_DO_BUF 0 -# define ASN1_F_DO_CREATE 0 -# define ASN1_F_DO_DUMP 0 -# define ASN1_F_DO_TCREATE 0 -# define ASN1_F_I2A_ASN1_OBJECT 0 -# define ASN1_F_I2D_ASN1_BIO_STREAM 0 -# define ASN1_F_I2D_ASN1_OBJECT 0 -# define ASN1_F_I2D_DSA_PUBKEY 0 -# define ASN1_F_I2D_EC_PUBKEY 0 -# define ASN1_F_I2D_KEYPARAMS 0 -# define ASN1_F_I2D_PRIVATEKEY 0 -# define ASN1_F_I2D_PUBLICKEY 0 -# define ASN1_F_I2D_RSA_PUBKEY 0 -# define ASN1_F_LONG_C2I 0 -# define ASN1_F_NDEF_PREFIX 0 -# define ASN1_F_NDEF_SUFFIX 0 -# define ASN1_F_OID_MODULE_INIT 0 -# define ASN1_F_PARSE_TAGGING 0 -# define ASN1_F_PKCS5_PBE2_SET_IV 0 -# define ASN1_F_PKCS5_PBE2_SET_SCRYPT 0 -# define ASN1_F_PKCS5_PBE_SET 0 -# define ASN1_F_PKCS5_PBE_SET0_ALGOR 0 -# define ASN1_F_PKCS5_PBKDF2_SET 0 -# define ASN1_F_PKCS5_SCRYPT_SET 0 -# define ASN1_F_SMIME_READ_ASN1 0 -# define ASN1_F_SMIME_TEXT 0 -# define ASN1_F_STABLE_GET 0 -# define ASN1_F_STBL_MODULE_INIT 0 -# define ASN1_F_UINT32_C2I 0 -# define ASN1_F_UINT32_NEW 0 -# define ASN1_F_UINT64_C2I 0 -# define ASN1_F_UINT64_NEW 0 -# define ASN1_F_X509_CRL_ADD0_REVOKED 0 -# define ASN1_F_X509_INFO_NEW 0 -# define ASN1_F_X509_NAME_ENCODE 0 -# define ASN1_F_X509_NAME_EX_D2I 0 -# define ASN1_F_X509_NAME_EX_NEW 0 -# define ASN1_F_X509_PKEY_NEW 0 -# endif - /* * ASN1 reason codes. */ diff --git a/include/openssl/asyncerr.h b/include/openssl/asyncerr.h index e69ed42433..1d9e79a850 100644 --- a/include/openssl/asyncerr.h +++ b/include/openssl/asyncerr.h @@ -18,19 +18,6 @@ -/* - * ASYNC function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define ASYNC_F_ASYNC_CTX_NEW 0 -# define ASYNC_F_ASYNC_INIT_THREAD 0 -# define ASYNC_F_ASYNC_JOB_NEW 0 -# define ASYNC_F_ASYNC_PAUSE_JOB 0 -# define ASYNC_F_ASYNC_START_FUNC 0 -# define ASYNC_F_ASYNC_START_JOB 0 -# define ASYNC_F_ASYNC_WAIT_CTX_SET_WAIT_FD 0 -# endif - /* * ASYNC reason codes. */ diff --git a/include/openssl/bioerr.h b/include/openssl/bioerr.h index f7923cca97..787b30afce 100644 --- a/include/openssl/bioerr.h +++ b/include/openssl/bioerr.h @@ -18,68 +18,6 @@ -/* - * BIO function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define BIO_F_ACPT_STATE 0 -# define BIO_F_ADDRINFO_WRAP 0 -# define BIO_F_ADDR_STRINGS 0 -# define BIO_F_BIO_ACCEPT 0 -# define BIO_F_BIO_ACCEPT_EX 0 -# define BIO_F_BIO_ACCEPT_NEW 0 -# define BIO_F_BIO_ADDR_NEW 0 -# define BIO_F_BIO_BIND 0 -# define BIO_F_BIO_CALLBACK_CTRL 0 -# define BIO_F_BIO_CONNECT 0 -# define BIO_F_BIO_CONNECT_NEW 0 -# define BIO_F_BIO_CTRL 0 -# define BIO_F_BIO_GETS 0 -# define BIO_F_BIO_GET_HOST_IP 0 -# define BIO_F_BIO_GET_NEW_INDEX 0 -# define BIO_F_BIO_GET_PORT 0 -# define BIO_F_BIO_LISTEN 0 -# define BIO_F_BIO_LOOKUP 0 -# define BIO_F_BIO_LOOKUP_EX 0 -# define BIO_F_BIO_MAKE_PAIR 0 -# define BIO_F_BIO_METH_NEW 0 -# define BIO_F_BIO_NEW 0 -# define BIO_F_BIO_NEW_DGRAM_SCTP 0 -# define BIO_F_BIO_NEW_FILE 0 -# define BIO_F_BIO_NEW_MEM_BUF 0 -# define BIO_F_BIO_NREAD 0 -# define BIO_F_BIO_NREAD0 0 -# define BIO_F_BIO_NWRITE 0 -# define BIO_F_BIO_NWRITE0 0 -# define BIO_F_BIO_PARSE_HOSTSERV 0 -# define BIO_F_BIO_PUTS 0 -# define BIO_F_BIO_READ 0 -# define BIO_F_BIO_READ_EX 0 -# define BIO_F_BIO_READ_INTERN 0 -# define BIO_F_BIO_SOCKET 0 -# define BIO_F_BIO_SOCKET_NBIO 0 -# define BIO_F_BIO_SOCK_INFO 0 -# define BIO_F_BIO_SOCK_INIT 0 -# define BIO_F_BIO_WRITE 0 -# define BIO_F_BIO_WRITE_EX 0 -# define BIO_F_BIO_WRITE_INTERN 0 -# define BIO_F_BUFFER_CTRL 0 -# define BIO_F_CONN_CTRL 0 -# define BIO_F_CONN_STATE 0 -# define BIO_F_DGRAM_SCTP_NEW 0 -# define BIO_F_DGRAM_SCTP_READ 0 -# define BIO_F_DGRAM_SCTP_WRITE 0 -# define BIO_F_DOAPR_OUTCH 0 -# define BIO_F_FILE_CTRL 0 -# define BIO_F_FILE_READ 0 -# define BIO_F_LINEBUFFER_CTRL 0 -# define BIO_F_LINEBUFFER_NEW 0 -# define BIO_F_MEM_WRITE 0 -# define BIO_F_NBIOF_NEW 0 -# define BIO_F_SLG_WRITE 0 -# define BIO_F_SSL_NEW 0 -# endif - /* * BIO reason codes. */ diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h index 59f3e6fae4..fb7a574290 100644 --- a/include/openssl/bnerr.h +++ b/include/openssl/bnerr.h @@ -18,62 +18,6 @@ -/* - * BN function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define BN_F_BNRAND 0 -# define BN_F_BNRAND_RANGE 0 -# define BN_F_BN_BLINDING_CONVERT_EX 0 -# define BN_F_BN_BLINDING_CREATE_PARAM 0 -# define BN_F_BN_BLINDING_INVERT_EX 0 -# define BN_F_BN_BLINDING_NEW 0 -# define BN_F_BN_BLINDING_UPDATE 0 -# define BN_F_BN_BN2DEC 0 -# define BN_F_BN_BN2HEX 0 -# define BN_F_BN_COMPUTE_WNAF 0 -# define BN_F_BN_CTX_GET 0 -# define BN_F_BN_CTX_NEW 0 -# define BN_F_BN_CTX_NEW_EX 0 -# define BN_F_BN_CTX_START 0 -# define BN_F_BN_DIV 0 -# define BN_F_BN_DIV_RECP 0 -# define BN_F_BN_EXP 0 -# define BN_F_BN_EXPAND_INTERNAL 0 -# define BN_F_BN_GENCB_NEW 0 -# define BN_F_BN_GENERATE_DSA_NONCE 0 -# define BN_F_BN_GENERATE_PRIME_EX 0 -# define BN_F_BN_GENERATE_PRIME_EX2 0 -# define BN_F_BN_GF2M_MOD 0 -# define BN_F_BN_GF2M_MOD_EXP 0 -# define BN_F_BN_GF2M_MOD_MUL 0 -# define BN_F_BN_GF2M_MOD_SOLVE_QUAD 0 -# define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 0 -# define BN_F_BN_GF2M_MOD_SQR 0 -# define BN_F_BN_GF2M_MOD_SQRT 0 -# define BN_F_BN_LSHIFT 0 -# define BN_F_BN_MOD_EXP2_MONT 0 -# define BN_F_BN_MOD_EXP_MONT 0 -# define BN_F_BN_MOD_EXP_MONT_CONSTTIME 0 -# define BN_F_BN_MOD_EXP_MONT_WORD 0 -# define BN_F_BN_MOD_EXP_RECP 0 -# define BN_F_BN_MOD_EXP_SIMPLE 0 -# define BN_F_BN_MOD_INVERSE 0 -# define BN_F_BN_MOD_LSHIFT_QUICK 0 -# define BN_F_BN_MOD_SQRT 0 -# define BN_F_BN_MONT_CTX_NEW 0 -# define BN_F_BN_MPI2BN 0 -# define BN_F_BN_NEW 0 -# define BN_F_BN_POOL_GET 0 -# define BN_F_BN_RAND 0 -# define BN_F_BN_RAND_RANGE 0 -# define BN_F_BN_RECP_CTX_NEW 0 -# define BN_F_BN_RSHIFT 0 -# define BN_F_BN_SET_WORDS 0 -# define BN_F_BN_STACK_PUSH 0 -# define BN_F_BN_USUB 0 -# endif - /* * BN reason codes. */ diff --git a/include/openssl/buffererr.h b/include/openssl/buffererr.h index 27222edc32..1db678ac2f 100644 --- a/include/openssl/buffererr.h +++ b/include/openssl/buffererr.h @@ -18,15 +18,6 @@ -/* - * BUF function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define BUF_F_BUF_MEM_GROW 0 -# define BUF_F_BUF_MEM_GROW_CLEAN 0 -# define BUF_F_BUF_MEM_NEW 0 -# endif - /* * BUF reason codes. */ diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h index d875f906d7..1aef080ce8 100644 --- a/include/openssl/cmperr.h +++ b/include/openssl/cmperr.h @@ -20,12 +20,6 @@ # ifndef OPENSSL_NO_CMP -/* - * CMP function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# endif - /* * CMP reason codes. */ diff --git a/include/openssl/cmserr.h b/include/openssl/cmserr.h index 68e40f880f..8bf62ee628 100644 --- a/include/openssl/cmserr.h +++ b/include/openssl/cmserr.h @@ -20,104 +20,6 @@ # ifndef OPENSSL_NO_CMS -/* - * CMS function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define CMS_F_CHECK_CONTENT 0 -# define CMS_F_CMS_ADD0_CERT 0 -# define CMS_F_CMS_ADD0_RECIPIENT_KEY 0 -# define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 0 -# define CMS_F_CMS_ADD1_RECEIPTREQUEST 0 -# define CMS_F_CMS_ADD1_RECIPIENT 0 -# define CMS_F_CMS_ADD1_RECIPIENT_CERT 0 -# define CMS_F_CMS_ADD1_SIGNER 0 -# define CMS_F_CMS_ADD1_SIGNINGTIME 0 -# define CMS_F_CMS_ADD1_SIGNING_CERT 0 -# define CMS_F_CMS_ADD1_SIGNING_CERT_V2 0 -# define CMS_F_CMS_COMPRESS 0 -# define CMS_F_CMS_COMPRESSEDDATA_CREATE 0 -# define CMS_F_CMS_COMPRESSEDDATA_INIT_BIO 0 -# define CMS_F_CMS_COPY_CONTENT 0 -# define CMS_F_CMS_COPY_MESSAGEDIGEST 0 -# define CMS_F_CMS_DATA 0 -# define CMS_F_CMS_DATAFINAL 0 -# define CMS_F_CMS_DATAINIT 0 -# define CMS_F_CMS_DECRYPT 0 -# define CMS_F_CMS_DECRYPT_SET1_KEY 0 -# define CMS_F_CMS_DECRYPT_SET1_PASSWORD 0 -# define CMS_F_CMS_DECRYPT_SET1_PKEY 0 -# define CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER 0 -# define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 0 -# define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 0 -# define CMS_F_CMS_DIGESTEDDATA_DO_FINAL 0 -# define CMS_F_CMS_DIGEST_VERIFY 0 -# define CMS_F_CMS_ENCODE_RECEIPT 0 -# define CMS_F_CMS_ENCRYPT 0 -# define CMS_F_CMS_ENCRYPTEDCONTENT_INIT 0 -# define CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO 0 -# define CMS_F_CMS_ENCRYPTEDDATA_DECRYPT 0 -# define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT 0 -# define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY 0 -# define CMS_F_CMS_ENVELOPEDDATA_CREATE 0 -# define CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO 0 -# define CMS_F_CMS_ENVELOPEDDATA_FINAL 0 -# define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO 0 -# define CMS_F_CMS_ENVELOPED_DATA_INIT 0 -# define CMS_F_CMS_ENV_ASN1_CTRL 0 -# define CMS_F_CMS_FINAL 0 -# define CMS_F_CMS_GET0_CERTIFICATE_CHOICES 0 -# define CMS_F_CMS_GET0_CONTENT 0 -# define CMS_F_CMS_GET0_ECONTENT_TYPE 0 -# define CMS_F_CMS_GET0_ENVELOPED 0 -# define CMS_F_CMS_GET0_REVOCATION_CHOICES 0 -# define CMS_F_CMS_GET0_SIGNED 0 -# define CMS_F_CMS_MSGSIGDIGEST_ADD1 0 -# define CMS_F_CMS_RECEIPTREQUEST_CREATE0 0 -# define CMS_F_CMS_RECEIPT_VERIFY 0 -# define CMS_F_CMS_RECIPIENTINFO_DECRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_ENCRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG 0 -# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID 0 -# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS 0 -# define CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP 0 -# define CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID 0 -# define CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP 0 -# define CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP 0 -# define CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS 0 -# define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID 0 -# define CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT 0 -# define CMS_F_CMS_RECIPIENTINFO_SET0_KEY 0 -# define CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD 0 -# define CMS_F_CMS_RECIPIENTINFO_SET0_PKEY 0 -# define CMS_F_CMS_SD_ASN1_CTRL 0 -# define CMS_F_CMS_SET1_IAS 0 -# define CMS_F_CMS_SET1_KEYID 0 -# define CMS_F_CMS_SET1_SIGNERIDENTIFIER 0 -# define CMS_F_CMS_SET_DETACHED 0 -# define CMS_F_CMS_SIGN 0 -# define CMS_F_CMS_SIGNED_DATA_INIT 0 -# define CMS_F_CMS_SIGNERINFO_CONTENT_SIGN 0 -# define CMS_F_CMS_SIGNERINFO_GET_CHAIN 0 -# define CMS_F_CMS_SIGNERINFO_SIGN 0 -# define CMS_F_CMS_SIGNERINFO_VERIFY 0 -# define CMS_F_CMS_SIGNERINFO_VERIFY_CERT 0 -# define CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT 0 -# define CMS_F_CMS_SIGN_RECEIPT 0 -# define CMS_F_CMS_SI_CHECK_ATTRIBUTES 0 -# define CMS_F_CMS_STREAM 0 -# define CMS_F_CMS_UNCOMPRESS 0 -# define CMS_F_CMS_VERIFY 0 -# define CMS_F_ESS_CHECK_SIGNING_CERTS 0 -# define CMS_F_KEK_UNWRAP_KEY 0 -# endif - /* * CMS reason codes. */ diff --git a/include/openssl/comperr.h b/include/openssl/comperr.h index 7933e372a0..8eff2d1d43 100644 --- a/include/openssl/comperr.h +++ b/include/openssl/comperr.h @@ -20,17 +20,6 @@ # ifndef OPENSSL_NO_COMP -/* - * COMP function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define COMP_F_BIO_ZLIB_FLUSH 0 -# define COMP_F_BIO_ZLIB_NEW 0 -# define COMP_F_BIO_ZLIB_READ 0 -# define COMP_F_BIO_ZLIB_WRITE 0 -# define COMP_F_COMP_CTX_NEW 0 -# endif - /* * COMP reason codes. */ diff --git a/include/openssl/conferr.h b/include/openssl/conferr.h index f16d65daa8..76e2b925e2 100644 --- a/include/openssl/conferr.h +++ b/include/openssl/conferr.h @@ -18,35 +18,6 @@ -/* - * CONF function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define CONF_F_CONF_DUMP_FP 0 -# define CONF_F_CONF_LOAD 0 -# define CONF_F_CONF_LOAD_FP 0 -# define CONF_F_CONF_PARSE_LIST 0 -# define CONF_F_DEF_LOAD 0 -# define CONF_F_DEF_LOAD_BIO 0 -# define CONF_F_GET_NEXT_FILE 0 -# define CONF_F_MODULE_ADD 0 -# define CONF_F_MODULE_INIT 0 -# define CONF_F_MODULE_LOAD_DSO 0 -# define CONF_F_MODULE_RUN 0 -# define CONF_F_NCONF_DUMP_BIO 0 -# define CONF_F_NCONF_DUMP_FP 0 -# define CONF_F_NCONF_GET_NUMBER_E 0 -# define CONF_F_NCONF_GET_SECTION 0 -# define CONF_F_NCONF_GET_STRING 0 -# define CONF_F_NCONF_LOAD 0 -# define CONF_F_NCONF_LOAD_BIO 0 -# define CONF_F_NCONF_LOAD_FP 0 -# define CONF_F_NCONF_NEW 0 -# define CONF_F_PROCESS_INCLUDE 0 -# define CONF_F_SSL_MODULE_INIT 0 -# define CONF_F_STR_COPY 0 -# endif - /* * CONF reason codes. */ diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h index 47bf3e41ff..c84e919935 100644 --- a/include/openssl/crmferr.h +++ b/include/openssl/crmferr.h @@ -20,31 +20,6 @@ # ifndef OPENSSL_NO_CRMF -/* - * CRMF function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define CRMF_F_CRMF_POPOSIGNINGKEY_INIT 0 -# define CRMF_F_OSSL_CRMF_CERTID_GEN 0 -# define CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL 0 -# define CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT 0 -# define CRMF_F_OSSL_CRMF_MSGS_VERIFY_POPO 0 -# define CRMF_F_OSSL_CRMF_MSG_CREATE_POPO 0 -# define CRMF_F_OSSL_CRMF_MSG_GET0_TMPL 0 -# define CRMF_F_OSSL_CRMF_MSG_GET_CERTREQID 0 -# define CRMF_F_OSSL_CRMF_MSG_PKIPUBLICATIONINFO_PUSH0_SINGLEPUBINFO 0 -# define CRMF_F_OSSL_CRMF_MSG_PUSH0_EXTENSION 0 -# define CRMF_F_OSSL_CRMF_MSG_PUSH0_REGCTRL 0 -# define CRMF_F_OSSL_CRMF_MSG_PUSH0_REGINFO 0 -# define CRMF_F_OSSL_CRMF_MSG_SET0_EXTENSIONS 0 -# define CRMF_F_OSSL_CRMF_MSG_SET0_SINGLEPUBINFO 0 -# define CRMF_F_OSSL_CRMF_MSG_SET0_VALIDITY 0 -# define CRMF_F_OSSL_CRMF_MSG_SET_CERTREQID 0 -# define CRMF_F_OSSL_CRMF_MSG_SET_PKIPUBLICATIONINFO_ACTION 0 -# define CRMF_F_OSSL_CRMF_PBMP_NEW 0 -# define CRMF_F_OSSL_CRMF_PBM_NEW 0 -# endif - /* * CRMF reason codes. */ diff --git a/include/openssl/cryptoerr.h b/include/openssl/cryptoerr.h index c7371124aa..96141e75a2 100644 --- a/include/openssl/cryptoerr.h +++ b/include/openssl/cryptoerr.h @@ -18,60 +18,6 @@ -/* - * CRYPTO function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define CRYPTO_F_CMAC_CTX_NEW 0 -# define CRYPTO_F_CRYPTO_DUP_EX_DATA 0 -# define CRYPTO_F_CRYPTO_FREE_EX_DATA 0 -# define CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX 0 -# define CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX_EX 0 -# define CRYPTO_F_CRYPTO_MEMDUP 0 -# define CRYPTO_F_CRYPTO_NEW_EX_DATA 0 -# define CRYPTO_F_CRYPTO_NEW_EX_DATA_EX 0 -# define CRYPTO_F_CRYPTO_OCB128_COPY_CTX 0 -# define CRYPTO_F_CRYPTO_OCB128_INIT 0 -# define CRYPTO_F_CRYPTO_SET_EX_DATA 0 -# define CRYPTO_F_FIPS_MODE_SET 0 -# define CRYPTO_F_GET_AND_LOCK 0 -# define CRYPTO_F_GET_PROVIDER_STORE 0 -# define CRYPTO_F_OPENSSL_ATEXIT 0 -# define CRYPTO_F_OPENSSL_BUF2HEXSTR 0 -# define CRYPTO_F_OPENSSL_BUF2HEXSTR_EX 0 -# define CRYPTO_F_OPENSSL_FOPEN 0 -# define CRYPTO_F_OPENSSL_HEXSTR2BUF 0 -# define CRYPTO_F_OPENSSL_HEXSTR2BUF_EX 0 -# define CRYPTO_F_OPENSSL_INIT_CRYPTO 0 -# define CRYPTO_F_OPENSSL_LH_NEW 0 -# define CRYPTO_F_OPENSSL_SK_DEEP_COPY 0 -# define CRYPTO_F_OPENSSL_SK_DUP 0 -# define CRYPTO_F_OSSL_PARAM_BLD_PUSH_BN 0 -# define CRYPTO_F_OSSL_PARAM_BLD_PUSH_OCTET_PTR 0 -# define CRYPTO_F_OSSL_PARAM_BLD_PUSH_OCTET_STRING 0 -# define CRYPTO_F_OSSL_PARAM_BLD_PUSH_UTF8_PTR 0 -# define CRYPTO_F_OSSL_PARAM_BLD_PUSH_UTF8_STRING 0 -# define CRYPTO_F_OSSL_PARAM_BLD_TO_PARAM 0 -# define CRYPTO_F_OSSL_PARAM_BLD_TO_PARAM_EX 0 -# define CRYPTO_F_OSSL_PARAM_TYPE_TO_PARAM 0 -# define CRYPTO_F_OSSL_PROVIDER_ACTIVATE 0 -# define CRYPTO_F_OSSL_PROVIDER_ADD_BUILTIN 0 -# define CRYPTO_F_OSSL_PROVIDER_ADD_PARAMETER 0 -# define CRYPTO_F_OSSL_PROVIDER_NEW 0 -# define CRYPTO_F_OSSL_PROVIDER_SET_MODULE_PATH 0 -# define CRYPTO_F_PARAM_PUSH 0 -# define CRYPTO_F_PARAM_PUSH_NUM 0 -# define CRYPTO_F_PKEY_HMAC_INIT 0 -# define CRYPTO_F_PKEY_POLY1305_INIT 0 -# define CRYPTO_F_PKEY_SIPHASH_INIT 0 -# define CRYPTO_F_PROVIDER_ACTIVATE 0 -# define CRYPTO_F_PROVIDER_CONF_INIT 0 -# define CRYPTO_F_PROVIDER_CONF_LOAD 0 -# define CRYPTO_F_PROVIDER_NEW 0 -# define CRYPTO_F_PROVIDER_STORE_NEW 0 -# define CRYPTO_F_SK_RESERVE 0 -# endif - /* * CRYPTO reason codes. */ diff --git a/include/openssl/cryptoerr_legacy.h b/include/openssl/cryptoerr_legacy.h index 2729afde70..b928e1d4b7 100644 --- a/include/openssl/cryptoerr_legacy.h +++ b/include/openssl/cryptoerr_legacy.h @@ -73,6 +73,1387 @@ OSSL_DEPRECATEDIN_3_0 int ERR_load_TS_strings(void); OSSL_DEPRECATEDIN_3_0 int ERR_load_UI_strings(void); OSSL_DEPRECATEDIN_3_0 int ERR_load_X509_strings(void); OSSL_DEPRECATEDIN_3_0 int ERR_load_X509V3_strings(void); + +/* Collected _F_ macros from OpenSSL 1.1.1 */ + +/* + * ASN1 function codes. + */ +# define ASN1_F_A2D_ASN1_OBJECT 0 +# define ASN1_F_A2I_ASN1_INTEGER 0 +# define ASN1_F_A2I_ASN1_STRING 0 +# define ASN1_F_APPEND_EXP 0 +# define ASN1_F_ASN1_BIO_INIT 0 +# define ASN1_F_ASN1_BIT_STRING_SET_BIT 0 +# define ASN1_F_ASN1_CB 0 +# define ASN1_F_ASN1_CHECK_TLEN 0 +# define ASN1_F_ASN1_COLLECT 0 +# define ASN1_F_ASN1_D2I_EX_PRIMITIVE 0 +# define ASN1_F_ASN1_D2I_FP 0 +# define ASN1_F_ASN1_D2I_READ_BIO 0 +# define ASN1_F_ASN1_DIGEST 0 +# define ASN1_F_ASN1_DO_ADB 0 +# define ASN1_F_ASN1_DO_LOCK 0 +# define ASN1_F_ASN1_DUP 0 +# define ASN1_F_ASN1_ENC_SAVE 0 +# define ASN1_F_ASN1_EX_C2I 0 +# define ASN1_F_ASN1_FIND_END 0 +# define ASN1_F_ASN1_GENERALIZEDTIME_ADJ 0 +# define ASN1_F_ASN1_GENERATE_V3 0 +# define ASN1_F_ASN1_GET_INT64 0 +# define ASN1_F_ASN1_GET_OBJECT 0 +# define ASN1_F_ASN1_GET_UINT64 0 +# define ASN1_F_ASN1_I2D_BIO 0 +# define ASN1_F_ASN1_I2D_FP 0 +# define ASN1_F_ASN1_ITEM_D2I_FP 0 +# define ASN1_F_ASN1_ITEM_DUP 0 +# define ASN1_F_ASN1_ITEM_EMBED_D2I 0 +# define ASN1_F_ASN1_ITEM_EMBED_NEW 0 +# define ASN1_F_ASN1_ITEM_FLAGS_I2D 0 +# define ASN1_F_ASN1_ITEM_I2D_BIO 0 +# define ASN1_F_ASN1_ITEM_I2D_FP 0 +# define ASN1_F_ASN1_ITEM_PACK 0 +# define ASN1_F_ASN1_ITEM_SIGN 0 +# define ASN1_F_ASN1_ITEM_SIGN_CTX 0 +# define ASN1_F_ASN1_ITEM_UNPACK 0 +# define ASN1_F_ASN1_ITEM_VERIFY 0 +# define ASN1_F_ASN1_MBSTRING_NCOPY 0 +# define ASN1_F_ASN1_OBJECT_NEW 0 +# define ASN1_F_ASN1_OUTPUT_DATA 0 +# define ASN1_F_ASN1_PCTX_NEW 0 +# define ASN1_F_ASN1_PRIMITIVE_NEW 0 +# define ASN1_F_ASN1_SCTX_NEW 0 +# define ASN1_F_ASN1_SIGN 0 +# define ASN1_F_ASN1_STR2TYPE 0 +# define ASN1_F_ASN1_STRING_GET_INT64 0 +# define ASN1_F_ASN1_STRING_GET_UINT64 0 +# define ASN1_F_ASN1_STRING_SET 0 +# define ASN1_F_ASN1_STRING_TABLE_ADD 0 +# define ASN1_F_ASN1_STRING_TO_BN 0 +# define ASN1_F_ASN1_STRING_TYPE_NEW 0 +# define ASN1_F_ASN1_TEMPLATE_EX_D2I 0 +# define ASN1_F_ASN1_TEMPLATE_NEW 0 +# define ASN1_F_ASN1_TEMPLATE_NOEXP_D2I 0 +# define ASN1_F_ASN1_TIME_ADJ 0 +# define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 0 +# define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 0 +# define ASN1_F_ASN1_UTCTIME_ADJ 0 +# define ASN1_F_ASN1_VERIFY 0 +# define ASN1_F_B64_READ_ASN1 0 +# define ASN1_F_B64_WRITE_ASN1 0 +# define ASN1_F_BIO_NEW_NDEF 0 +# define ASN1_F_BITSTR_CB 0 +# define ASN1_F_BN_TO_ASN1_STRING 0 +# define ASN1_F_C2I_ASN1_BIT_STRING 0 +# define ASN1_F_C2I_ASN1_INTEGER 0 +# define ASN1_F_C2I_ASN1_OBJECT 0 +# define ASN1_F_C2I_IBUF 0 +# define ASN1_F_C2I_UINT64_INT 0 +# define ASN1_F_COLLECT_DATA 0 +# define ASN1_F_D2I_ASN1_OBJECT 0 +# define ASN1_F_D2I_ASN1_UINTEGER 0 +# define ASN1_F_D2I_AUTOPRIVATEKEY 0 +# define ASN1_F_D2I_PRIVATEKEY 0 +# define ASN1_F_D2I_PUBLICKEY 0 +# define ASN1_F_DO_BUF 0 +# define ASN1_F_DO_CREATE 0 +# define ASN1_F_DO_DUMP 0 +# define ASN1_F_DO_TCREATE 0 +# define ASN1_F_I2A_ASN1_OBJECT 0 +# define ASN1_F_I2D_ASN1_BIO_STREAM 0 +# define ASN1_F_I2D_ASN1_OBJECT 0 +# define ASN1_F_I2D_DSA_PUBKEY 0 +# define ASN1_F_I2D_EC_PUBKEY 0 +# define ASN1_F_I2D_PRIVATEKEY 0 +# define ASN1_F_I2D_PUBLICKEY 0 +# define ASN1_F_I2D_RSA_PUBKEY 0 +# define ASN1_F_LONG_C2I 0 +# define ASN1_F_NDEF_PREFIX 0 +# define ASN1_F_NDEF_SUFFIX 0 +# define ASN1_F_OID_MODULE_INIT 0 +# define ASN1_F_PARSE_TAGGING 0 +# define ASN1_F_PKCS5_PBE2_SET_IV 0 +# define ASN1_F_PKCS5_PBE2_SET_SCRYPT 0 +# define ASN1_F_PKCS5_PBE_SET 0 +# define ASN1_F_PKCS5_PBE_SET0_ALGOR 0 +# define ASN1_F_PKCS5_PBKDF2_SET 0 +# define ASN1_F_PKCS5_SCRYPT_SET 0 +# define ASN1_F_SMIME_READ_ASN1 0 +# define ASN1_F_SMIME_TEXT 0 +# define ASN1_F_STABLE_GET 0 +# define ASN1_F_STBL_MODULE_INIT 0 +# define ASN1_F_UINT32_C2I 0 +# define ASN1_F_UINT32_NEW 0 +# define ASN1_F_UINT64_C2I 0 +# define ASN1_F_UINT64_NEW 0 +# define ASN1_F_X509_CRL_ADD0_REVOKED 0 +# define ASN1_F_X509_INFO_NEW 0 +# define ASN1_F_X509_NAME_ENCODE 0 +# define ASN1_F_X509_NAME_EX_D2I 0 +# define ASN1_F_X509_NAME_EX_NEW 0 +# define ASN1_F_X509_PKEY_NEW 0 + +/* + * ASYNC function codes. + */ +# define ASYNC_F_ASYNC_CTX_NEW 0 +# define ASYNC_F_ASYNC_INIT_THREAD 0 +# define ASYNC_F_ASYNC_JOB_NEW 0 +# define ASYNC_F_ASYNC_PAUSE_JOB 0 +# define ASYNC_F_ASYNC_START_FUNC 0 +# define ASYNC_F_ASYNC_START_JOB 0 +# define ASYNC_F_ASYNC_WAIT_CTX_SET_WAIT_FD 0 + +/* + * BIO function codes. + */ +# define BIO_F_ACPT_STATE 0 +# define BIO_F_ADDRINFO_WRAP 0 +# define BIO_F_ADDR_STRINGS 0 +# define BIO_F_BIO_ACCEPT 0 +# define BIO_F_BIO_ACCEPT_EX 0 +# define BIO_F_BIO_ACCEPT_NEW 0 +# define BIO_F_BIO_ADDR_NEW 0 +# define BIO_F_BIO_BIND 0 +# define BIO_F_BIO_CALLBACK_CTRL 0 +# define BIO_F_BIO_CONNECT 0 +# define BIO_F_BIO_CONNECT_NEW 0 +# define BIO_F_BIO_CTRL 0 +# define BIO_F_BIO_GETS 0 +# define BIO_F_BIO_GET_HOST_IP 0 +# define BIO_F_BIO_GET_NEW_INDEX 0 +# define BIO_F_BIO_GET_PORT 0 +# define BIO_F_BIO_LISTEN 0 +# define BIO_F_BIO_LOOKUP 0 +# define BIO_F_BIO_LOOKUP_EX 0 +# define BIO_F_BIO_MAKE_PAIR 0 +# define BIO_F_BIO_METH_NEW 0 +# define BIO_F_BIO_NEW 0 +# define BIO_F_BIO_NEW_DGRAM_SCTP 0 +# define BIO_F_BIO_NEW_FILE 0 +# define BIO_F_BIO_NEW_MEM_BUF 0 +# define BIO_F_BIO_NREAD 0 +# define BIO_F_BIO_NREAD0 0 +# define BIO_F_BIO_NWRITE 0 +# define BIO_F_BIO_NWRITE0 0 +# define BIO_F_BIO_PARSE_HOSTSERV 0 +# define BIO_F_BIO_PUTS 0 +# define BIO_F_BIO_READ 0 +# define BIO_F_BIO_READ_EX 0 +# define BIO_F_BIO_READ_INTERN 0 +# define BIO_F_BIO_SOCKET 0 +# define BIO_F_BIO_SOCKET_NBIO 0 +# define BIO_F_BIO_SOCK_INFO 0 +# define BIO_F_BIO_SOCK_INIT 0 +# define BIO_F_BIO_WRITE 0 +# define BIO_F_BIO_WRITE_EX 0 +# define BIO_F_BIO_WRITE_INTERN 0 +# define BIO_F_BUFFER_CTRL 0 +# define BIO_F_CONN_CTRL 0 +# define BIO_F_CONN_STATE 0 +# define BIO_F_DGRAM_SCTP_NEW 0 +# define BIO_F_DGRAM_SCTP_READ 0 +# define BIO_F_DGRAM_SCTP_WRITE 0 +# define BIO_F_DOAPR_OUTCH 0 +# define BIO_F_FILE_CTRL 0 +# define BIO_F_FILE_READ 0 +# define BIO_F_LINEBUFFER_CTRL 0 +# define BIO_F_LINEBUFFER_NEW 0 +# define BIO_F_MEM_WRITE 0 +# define BIO_F_NBIOF_NEW 0 +# define BIO_F_SLG_WRITE 0 +# define BIO_F_SSL_NEW 0 + +/* + * BN function codes. + */ +# define BN_F_BNRAND 0 +# define BN_F_BNRAND_RANGE 0 +# define BN_F_BN_BLINDING_CONVERT_EX 0 +# define BN_F_BN_BLINDING_CREATE_PARAM 0 +# define BN_F_BN_BLINDING_INVERT_EX 0 +# define BN_F_BN_BLINDING_NEW 0 +# define BN_F_BN_BLINDING_UPDATE 0 +# define BN_F_BN_BN2DEC 0 +# define BN_F_BN_BN2HEX 0 +# define BN_F_BN_COMPUTE_WNAF 0 +# define BN_F_BN_CTX_GET 0 +# define BN_F_BN_CTX_NEW 0 +# define BN_F_BN_CTX_START 0 +# define BN_F_BN_DIV 0 +# define BN_F_BN_DIV_RECP 0 +# define BN_F_BN_EXP 0 +# define BN_F_BN_EXPAND_INTERNAL 0 +# define BN_F_BN_GENCB_NEW 0 +# define BN_F_BN_GENERATE_DSA_NONCE 0 +# define BN_F_BN_GENERATE_PRIME_EX 0 +# define BN_F_BN_GF2M_MOD 0 +# define BN_F_BN_GF2M_MOD_EXP 0 +# define BN_F_BN_GF2M_MOD_MUL 0 +# define BN_F_BN_GF2M_MOD_SOLVE_QUAD 0 +# define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 0 +# define BN_F_BN_GF2M_MOD_SQR 0 +# define BN_F_BN_GF2M_MOD_SQRT 0 +# define BN_F_BN_LSHIFT 0 +# define BN_F_BN_MOD_EXP2_MONT 0 +# define BN_F_BN_MOD_EXP_MONT 0 +# define BN_F_BN_MOD_EXP_MONT_CONSTTIME 0 +# define BN_F_BN_MOD_EXP_MONT_WORD 0 +# define BN_F_BN_MOD_EXP_RECP 0 +# define BN_F_BN_MOD_EXP_SIMPLE 0 +# define BN_F_BN_MOD_INVERSE 0 +# define BN_F_BN_MOD_INVERSE_NO_BRANCH 0 +# define BN_F_BN_MOD_LSHIFT_QUICK 0 +# define BN_F_BN_MOD_SQRT 0 +# define BN_F_BN_MONT_CTX_NEW 0 +# define BN_F_BN_MPI2BN 0 +# define BN_F_BN_NEW 0 +# define BN_F_BN_POOL_GET 0 +# define BN_F_BN_RAND 0 +# define BN_F_BN_RAND_RANGE 0 +# define BN_F_BN_RECP_CTX_NEW 0 +# define BN_F_BN_RSHIFT 0 +# define BN_F_BN_SET_WORDS 0 +# define BN_F_BN_STACK_PUSH 0 +# define BN_F_BN_USUB 0 + +/* + * BUF function codes. + */ +# define BUF_F_BUF_MEM_GROW 0 +# define BUF_F_BUF_MEM_GROW_CLEAN 0 +# define BUF_F_BUF_MEM_NEW 0 + +# ifndef OPENSSL_NO_CMS +/* + * CMS function codes. + */ +# define CMS_F_CHECK_CONTENT 0 +# define CMS_F_CMS_ADD0_CERT 0 +# define CMS_F_CMS_ADD0_RECIPIENT_KEY 0 +# define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 0 +# define CMS_F_CMS_ADD1_RECEIPTREQUEST 0 +# define CMS_F_CMS_ADD1_RECIPIENT_CERT 0 +# define CMS_F_CMS_ADD1_SIGNER 0 +# define CMS_F_CMS_ADD1_SIGNINGTIME 0 +# define CMS_F_CMS_COMPRESS 0 +# define CMS_F_CMS_COMPRESSEDDATA_CREATE 0 +# define CMS_F_CMS_COMPRESSEDDATA_INIT_BIO 0 +# define CMS_F_CMS_COPY_CONTENT 0 +# define CMS_F_CMS_COPY_MESSAGEDIGEST 0 +# define CMS_F_CMS_DATA 0 +# define CMS_F_CMS_DATAFINAL 0 +# define CMS_F_CMS_DATAINIT 0 +# define CMS_F_CMS_DECRYPT 0 +# define CMS_F_CMS_DECRYPT_SET1_KEY 0 +# define CMS_F_CMS_DECRYPT_SET1_PASSWORD 0 +# define CMS_F_CMS_DECRYPT_SET1_PKEY 0 +# define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 0 +# define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 0 +# define CMS_F_CMS_DIGESTEDDATA_DO_FINAL 0 +# define CMS_F_CMS_DIGEST_VERIFY 0 +# define CMS_F_CMS_ENCODE_RECEIPT 0 +# define CMS_F_CMS_ENCRYPT 0 +# define CMS_F_CMS_ENCRYPTEDCONTENT_INIT 0 +# define CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO 0 +# define CMS_F_CMS_ENCRYPTEDDATA_DECRYPT 0 +# define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT 0 +# define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY 0 +# define CMS_F_CMS_ENVELOPEDDATA_CREATE 0 +# define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO 0 +# define CMS_F_CMS_ENVELOPED_DATA_INIT 0 +# define CMS_F_CMS_ENV_ASN1_CTRL 0 +# define CMS_F_CMS_FINAL 0 +# define CMS_F_CMS_GET0_CERTIFICATE_CHOICES 0 +# define CMS_F_CMS_GET0_CONTENT 0 +# define CMS_F_CMS_GET0_ECONTENT_TYPE 0 +# define CMS_F_CMS_GET0_ENVELOPED 0 +# define CMS_F_CMS_GET0_REVOCATION_CHOICES 0 +# define CMS_F_CMS_GET0_SIGNED 0 +# define CMS_F_CMS_MSGSIGDIGEST_ADD1 0 +# define CMS_F_CMS_RECEIPTREQUEST_CREATE0 0 +# define CMS_F_CMS_RECEIPT_VERIFY 0 +# define CMS_F_CMS_RECIPIENTINFO_DECRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_ENCRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG 0 +# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID 0 +# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS 0 +# define CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP 0 +# define CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID 0 +# define CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP 0 +# define CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP 0 +# define CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS 0 +# define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID 0 +# define CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT 0 +# define CMS_F_CMS_RECIPIENTINFO_SET0_KEY 0 +# define CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD 0 +# define CMS_F_CMS_RECIPIENTINFO_SET0_PKEY 0 +# define CMS_F_CMS_SD_ASN1_CTRL 0 +# define CMS_F_CMS_SET1_IAS 0 +# define CMS_F_CMS_SET1_KEYID 0 +# define CMS_F_CMS_SET1_SIGNERIDENTIFIER 0 +# define CMS_F_CMS_SET_DETACHED 0 +# define CMS_F_CMS_SIGN 0 +# define CMS_F_CMS_SIGNED_DATA_INIT 0 +# define CMS_F_CMS_SIGNERINFO_CONTENT_SIGN 0 +# define CMS_F_CMS_SIGNERINFO_SIGN 0 +# define CMS_F_CMS_SIGNERINFO_VERIFY 0 +# define CMS_F_CMS_SIGNERINFO_VERIFY_CERT 0 +# define CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT 0 +# define CMS_F_CMS_SIGN_RECEIPT 0 +# define CMS_F_CMS_SI_CHECK_ATTRIBUTES 0 +# define CMS_F_CMS_STREAM 0 +# define CMS_F_CMS_UNCOMPRESS 0 +# define CMS_F_CMS_VERIFY 0 +# define CMS_F_KEK_UNWRAP_KEY 0 +# endif + +# ifndef OPENSSL_NO_COMP +/* + * COMP function codes. + */ +# define COMP_F_BIO_ZLIB_FLUSH 0 +# define COMP_F_BIO_ZLIB_NEW 0 +# define COMP_F_BIO_ZLIB_READ 0 +# define COMP_F_BIO_ZLIB_WRITE 0 +# define COMP_F_COMP_CTX_NEW 0 +# endif + +/* + * CONF function codes. + */ +# define CONF_F_CONF_DUMP_FP 0 +# define CONF_F_CONF_LOAD 0 +# define CONF_F_CONF_LOAD_FP 0 +# define CONF_F_CONF_PARSE_LIST 0 +# define CONF_F_DEF_LOAD 0 +# define CONF_F_DEF_LOAD_BIO 0 +# define CONF_F_GET_NEXT_FILE 0 +# define CONF_F_MODULE_ADD 0 +# define CONF_F_MODULE_INIT 0 +# define CONF_F_MODULE_LOAD_DSO 0 +# define CONF_F_MODULE_RUN 0 +# define CONF_F_NCONF_DUMP_BIO 0 +# define CONF_F_NCONF_DUMP_FP 0 +# define CONF_F_NCONF_GET_NUMBER_E 0 +# define CONF_F_NCONF_GET_SECTION 0 +# define CONF_F_NCONF_GET_STRING 0 +# define CONF_F_NCONF_LOAD 0 +# define CONF_F_NCONF_LOAD_BIO 0 +# define CONF_F_NCONF_LOAD_FP 0 +# define CONF_F_NCONF_NEW 0 +# define CONF_F_PROCESS_INCLUDE 0 +# define CONF_F_SSL_MODULE_INIT 0 +# define CONF_F_STR_COPY 0 + +/* + * CRYPTO function codes. + */ +# define CRYPTO_F_CMAC_CTX_NEW 0 +# define CRYPTO_F_CRYPTO_DUP_EX_DATA 0 +# define CRYPTO_F_CRYPTO_FREE_EX_DATA 0 +# define CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX 0 +# define CRYPTO_F_CRYPTO_MEMDUP 0 +# define CRYPTO_F_CRYPTO_NEW_EX_DATA 0 +# define CRYPTO_F_CRYPTO_OCB128_COPY_CTX 0 +# define CRYPTO_F_CRYPTO_OCB128_INIT 0 +# define CRYPTO_F_CRYPTO_SET_EX_DATA 0 +# define CRYPTO_F_FIPS_MODE_SET 0 +# define CRYPTO_F_GET_AND_LOCK 0 +# define CRYPTO_F_OPENSSL_ATEXIT 0 +# define CRYPTO_F_OPENSSL_BUF2HEXSTR 0 +# define CRYPTO_F_OPENSSL_FOPEN 0 +# define CRYPTO_F_OPENSSL_HEXSTR2BUF 0 +# define CRYPTO_F_OPENSSL_INIT_CRYPTO 0 +# define CRYPTO_F_OPENSSL_LH_NEW 0 +# define CRYPTO_F_OPENSSL_SK_DEEP_COPY 0 +# define CRYPTO_F_OPENSSL_SK_DUP 0 +# define CRYPTO_F_PKEY_HMAC_INIT 0 +# define CRYPTO_F_PKEY_POLY1305_INIT 0 +# define CRYPTO_F_PKEY_SIPHASH_INIT 0 +# define CRYPTO_F_SK_RESERVE 0 + +# ifndef OPENSSL_NO_CT +/* + * CT function codes. + */ +# define CT_F_CTLOG_NEW 0 +# define CT_F_CTLOG_NEW_FROM_BASE64 0 +# define CT_F_CTLOG_NEW_FROM_CONF 0 +# define CT_F_CTLOG_STORE_LOAD_CTX_NEW 0 +# define CT_F_CTLOG_STORE_LOAD_FILE 0 +# define CT_F_CTLOG_STORE_LOAD_LOG 0 +# define CT_F_CTLOG_STORE_NEW 0 +# define CT_F_CT_BASE64_DECODE 0 +# define CT_F_CT_POLICY_EVAL_CTX_NEW 0 +# define CT_F_CT_V1_LOG_ID_FROM_PKEY 0 +# define CT_F_I2O_SCT 0 +# define CT_F_I2O_SCT_LIST 0 +# define CT_F_I2O_SCT_SIGNATURE 0 +# define CT_F_O2I_SCT 0 +# define CT_F_O2I_SCT_LIST 0 +# define CT_F_O2I_SCT_SIGNATURE 0 +# define CT_F_SCT_CTX_NEW 0 +# define CT_F_SCT_CTX_VERIFY 0 +# define CT_F_SCT_NEW 0 +# define CT_F_SCT_NEW_FROM_BASE64 0 +# define CT_F_SCT_SET0_LOG_ID 0 +# define CT_F_SCT_SET1_EXTENSIONS 0 +# define CT_F_SCT_SET1_LOG_ID 0 +# define CT_F_SCT_SET1_SIGNATURE 0 +# define CT_F_SCT_SET_LOG_ENTRY_TYPE 0 +# define CT_F_SCT_SET_SIGNATURE_NID 0 +# define CT_F_SCT_SET_VERSION 0 +# endif + +# ifndef OPENSSL_NO_DH +/* + * DH function codes. + */ +# define DH_F_COMPUTE_KEY 0 +# define DH_F_DHPARAMS_PRINT_FP 0 +# define DH_F_DH_BUILTIN_GENPARAMS 0 +# define DH_F_DH_CHECK_EX 0 +# define DH_F_DH_CHECK_PARAMS_EX 0 +# define DH_F_DH_CHECK_PUB_KEY_EX 0 +# define DH_F_DH_CMS_DECRYPT 0 +# define DH_F_DH_CMS_SET_PEERKEY 0 +# define DH_F_DH_CMS_SET_SHARED_INFO 0 +# define DH_F_DH_METH_DUP 0 +# define DH_F_DH_METH_NEW 0 +# define DH_F_DH_METH_SET1_NAME 0 +# define DH_F_DH_NEW_BY_NID 0 +# define DH_F_DH_NEW_METHOD 0 +# define DH_F_DH_PARAM_DECODE 0 +# define DH_F_DH_PKEY_PUBLIC_CHECK 0 +# define DH_F_DH_PRIV_DECODE 0 +# define DH_F_DH_PRIV_ENCODE 0 +# define DH_F_DH_PUB_DECODE 0 +# define DH_F_DH_PUB_ENCODE 0 +# define DH_F_DO_DH_PRINT 0 +# define DH_F_GENERATE_KEY 0 +# define DH_F_PKEY_DH_CTRL_STR 0 +# define DH_F_PKEY_DH_DERIVE 0 +# define DH_F_PKEY_DH_INIT 0 +# define DH_F_PKEY_DH_KEYGEN 0 +# endif + +# ifndef OPENSSL_NO_DSA +/* + * DSA function codes. + */ +# define DSA_F_DSAPARAMS_PRINT 0 +# define DSA_F_DSAPARAMS_PRINT_FP 0 +# define DSA_F_DSA_BUILTIN_PARAMGEN 0 +# define DSA_F_DSA_BUILTIN_PARAMGEN2 0 +# define DSA_F_DSA_DO_SIGN 0 +# define DSA_F_DSA_DO_VERIFY 0 +# define DSA_F_DSA_METH_DUP 0 +# define DSA_F_DSA_METH_NEW 0 +# define DSA_F_DSA_METH_SET1_NAME 0 +# define DSA_F_DSA_NEW_METHOD 0 +# define DSA_F_DSA_PARAM_DECODE 0 +# define DSA_F_DSA_PRINT_FP 0 +# define DSA_F_DSA_PRIV_DECODE 0 +# define DSA_F_DSA_PRIV_ENCODE 0 +# define DSA_F_DSA_PUB_DECODE 0 +# define DSA_F_DSA_PUB_ENCODE 0 +# define DSA_F_DSA_SIGN 0 +# define DSA_F_DSA_SIGN_SETUP 0 +# define DSA_F_DSA_SIG_NEW 0 +# define DSA_F_OLD_DSA_PRIV_DECODE 0 +# define DSA_F_PKEY_DSA_CTRL 0 +# define DSA_F_PKEY_DSA_CTRL_STR 0 +# define DSA_F_PKEY_DSA_KEYGEN 0 +# endif + +# ifndef OPENSSL_NO_EC +/* + * EC function codes. + */ +# define EC_F_BN_TO_FELEM 0 +# define EC_F_D2I_ECPARAMETERS 0 +# define EC_F_D2I_ECPKPARAMETERS 0 +# define EC_F_D2I_ECPRIVATEKEY 0 +# define EC_F_DO_EC_KEY_PRINT 0 +# define EC_F_ECDH_CMS_DECRYPT 0 +# define EC_F_ECDH_CMS_SET_SHARED_INFO 0 +# define EC_F_ECDH_COMPUTE_KEY 0 +# define EC_F_ECDH_SIMPLE_COMPUTE_KEY 0 +# define EC_F_ECDSA_DO_SIGN_EX 0 +# define EC_F_ECDSA_DO_VERIFY 0 +# define EC_F_ECDSA_SIGN_EX 0 +# define EC_F_ECDSA_SIGN_SETUP 0 +# define EC_F_ECDSA_SIG_NEW 0 +# define EC_F_ECDSA_VERIFY 0 +# define EC_F_ECD_ITEM_VERIFY 0 +# define EC_F_ECKEY_PARAM2TYPE 0 +# define EC_F_ECKEY_PARAM_DECODE 0 +# define EC_F_ECKEY_PRIV_DECODE 0 +# define EC_F_ECKEY_PRIV_ENCODE 0 +# define EC_F_ECKEY_PUB_DECODE 0 +# define EC_F_ECKEY_PUB_ENCODE 0 +# define EC_F_ECKEY_TYPE2PARAM 0 +# define EC_F_ECPARAMETERS_PRINT 0 +# define EC_F_ECPARAMETERS_PRINT_FP 0 +# define EC_F_ECPKPARAMETERS_PRINT 0 +# define EC_F_ECPKPARAMETERS_PRINT_FP 0 +# define EC_F_ECP_NISTZ256_GET_AFFINE 0 +# define EC_F_ECP_NISTZ256_INV_MOD_ORD 0 +# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE 0 +# define EC_F_ECP_NISTZ256_POINTS_MUL 0 +# define EC_F_ECP_NISTZ256_PRE_COMP_NEW 0 +# define EC_F_ECP_NISTZ256_WINDOWED_MUL 0 +# define EC_F_ECX_KEY_OP 0 +# define EC_F_ECX_PRIV_ENCODE 0 +# define EC_F_ECX_PUB_ENCODE 0 +# define EC_F_EC_ASN1_GROUP2CURVE 0 +# define EC_F_EC_ASN1_GROUP2FIELDID 0 +# define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY 0 +# define EC_F_EC_GF2M_SIMPLE_FIELD_INV 0 +# define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT 0 +# define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE 0 +# define EC_F_EC_GF2M_SIMPLE_LADDER_POST 0 +# define EC_F_EC_GF2M_SIMPLE_LADDER_PRE 0 +# define EC_F_EC_GF2M_SIMPLE_OCT2POINT 0 +# define EC_F_EC_GF2M_SIMPLE_POINT2OCT 0 +# define EC_F_EC_GF2M_SIMPLE_POINTS_MUL 0 +# define EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES 0 +# define EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES 0 +# define EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES 0 +# define EC_F_EC_GFP_MONT_FIELD_DECODE 0 +# define EC_F_EC_GFP_MONT_FIELD_ENCODE 0 +# define EC_F_EC_GFP_MONT_FIELD_INV 0 +# define EC_F_EC_GFP_MONT_FIELD_MUL 0 +# define EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE 0 +# define EC_F_EC_GFP_MONT_FIELD_SQR 0 +# define EC_F_EC_GFP_MONT_GROUP_SET_CURVE 0 +# define EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE 0 +# define EC_F_EC_GFP_NISTP224_POINTS_MUL 0 +# define EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES 0 +# define EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE 0 +# define EC_F_EC_GFP_NISTP256_POINTS_MUL 0 +# define EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES 0 +# define EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE 0 +# define EC_F_EC_GFP_NISTP521_POINTS_MUL 0 +# define EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES 0 +# define EC_F_EC_GFP_NIST_FIELD_MUL 0 +# define EC_F_EC_GFP_NIST_FIELD_SQR 0 +# define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 0 +# define EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES 0 +# define EC_F_EC_GFP_SIMPLE_FIELD_INV 0 +# define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT 0 +# define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE 0 +# define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 0 +# define EC_F_EC_GFP_SIMPLE_OCT2POINT 0 +# define EC_F_EC_GFP_SIMPLE_POINT2OCT 0 +# define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE 0 +# define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES 0 +# define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES 0 +# define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES 0 +# define EC_F_EC_GROUP_CHECK 0 +# define EC_F_EC_GROUP_CHECK_DISCRIMINANT 0 +# define EC_F_EC_GROUP_COPY 0 +# define EC_F_EC_GROUP_GET_CURVE 0 +# define EC_F_EC_GROUP_GET_CURVE_GF2M 0 +# define EC_F_EC_GROUP_GET_CURVE_GFP 0 +# define EC_F_EC_GROUP_GET_DEGREE 0 +# define EC_F_EC_GROUP_GET_ECPARAMETERS 0 +# define EC_F_EC_GROUP_GET_ECPKPARAMETERS 0 +# define EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS 0 +# define EC_F_EC_GROUP_GET_TRINOMIAL_BASIS 0 +# define EC_F_EC_GROUP_NEW 0 +# define EC_F_EC_GROUP_NEW_BY_CURVE_NAME 0 +# define EC_F_EC_GROUP_NEW_FROM_DATA 0 +# define EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS 0 +# define EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS 0 +# define EC_F_EC_GROUP_SET_CURVE 0 +# define EC_F_EC_GROUP_SET_CURVE_GF2M 0 +# define EC_F_EC_GROUP_SET_CURVE_GFP 0 +# define EC_F_EC_GROUP_SET_GENERATOR 0 +# define EC_F_EC_GROUP_SET_SEED 0 +# define EC_F_EC_KEY_CHECK_KEY 0 +# define EC_F_EC_KEY_COPY 0 +# define EC_F_EC_KEY_GENERATE_KEY 0 +# define EC_F_EC_KEY_NEW 0 +# define EC_F_EC_KEY_NEW_METHOD 0 +# define EC_F_EC_KEY_OCT2PRIV 0 +# define EC_F_EC_KEY_PRINT 0 +# define EC_F_EC_KEY_PRINT_FP 0 +# define EC_F_EC_KEY_PRIV2BUF 0 +# define EC_F_EC_KEY_PRIV2OCT 0 +# define EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 0 +# define EC_F_EC_KEY_SIMPLE_CHECK_KEY 0 +# define EC_F_EC_KEY_SIMPLE_OCT2PRIV 0 +# define EC_F_EC_KEY_SIMPLE_PRIV2OCT 0 +# define EC_F_EC_PKEY_CHECK 0 +# define EC_F_EC_PKEY_PARAM_CHECK 0 +# define EC_F_EC_POINTS_MAKE_AFFINE 0 +# define EC_F_EC_POINTS_MUL 0 +# define EC_F_EC_POINT_ADD 0 +# define EC_F_EC_POINT_BN2POINT 0 +# define EC_F_EC_POINT_CMP 0 +# define EC_F_EC_POINT_COPY 0 +# define EC_F_EC_POINT_DBL 0 +# define EC_F_EC_POINT_GET_AFFINE_COORDINATES 0 +# define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M 0 +# define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP 0 +# define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP 0 +# define EC_F_EC_POINT_INVERT 0 +# define EC_F_EC_POINT_IS_AT_INFINITY 0 +# define EC_F_EC_POINT_IS_ON_CURVE 0 +# define EC_F_EC_POINT_MAKE_AFFINE 0 +# define EC_F_EC_POINT_NEW 0 +# define EC_F_EC_POINT_OCT2POINT 0 +# define EC_F_EC_POINT_POINT2BUF 0 +# define EC_F_EC_POINT_POINT2OCT 0 +# define EC_F_EC_POINT_SET_AFFINE_COORDINATES 0 +# define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M 0 +# define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP 0 +# define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES 0 +# define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M 0 +# define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP 0 +# define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP 0 +# define EC_F_EC_POINT_SET_TO_INFINITY 0 +# define EC_F_EC_PRE_COMP_NEW 0 +# define EC_F_EC_SCALAR_MUL_LADDER 0 +# define EC_F_EC_WNAF_MUL 0 +# define EC_F_EC_WNAF_PRECOMPUTE_MULT 0 +# define EC_F_I2D_ECPARAMETERS 0 +# define EC_F_I2D_ECPKPARAMETERS 0 +# define EC_F_I2D_ECPRIVATEKEY 0 +# define EC_F_I2O_ECPUBLICKEY 0 +# define EC_F_NISTP224_PRE_COMP_NEW 0 +# define EC_F_NISTP256_PRE_COMP_NEW 0 +# define EC_F_NISTP521_PRE_COMP_NEW 0 +# define EC_F_O2I_ECPUBLICKEY 0 +# define EC_F_OLD_EC_PRIV_DECODE 0 +# define EC_F_OSSL_ECDH_COMPUTE_KEY 0 +# define EC_F_OSSL_ECDSA_SIGN_SIG 0 +# define EC_F_OSSL_ECDSA_VERIFY_SIG 0 +# define EC_F_PKEY_ECD_CTRL 0 +# define EC_F_PKEY_ECD_DIGESTSIGN 0 +# define EC_F_PKEY_ECD_DIGESTSIGN25519 0 +# define EC_F_PKEY_ECD_DIGESTSIGN448 0 +# define EC_F_PKEY_ECX_DERIVE 0 +# define EC_F_PKEY_EC_CTRL 0 +# define EC_F_PKEY_EC_CTRL_STR 0 +# define EC_F_PKEY_EC_DERIVE 0 +# define EC_F_PKEY_EC_INIT 0 +# define EC_F_PKEY_EC_KDF_DERIVE 0 +# define EC_F_PKEY_EC_KEYGEN 0 +# define EC_F_PKEY_EC_PARAMGEN 0 +# define EC_F_PKEY_EC_SIGN 0 +# define EC_F_VALIDATE_ECX_DERIVE 0 +# endif + +# ifndef OPENSSL_NO_ENGINE +/* + * ENGINE function codes. + */ +# define ENGINE_F_DIGEST_UPDATE 0 +# define ENGINE_F_DYNAMIC_CTRL 0 +# define ENGINE_F_DYNAMIC_GET_DATA_CTX 0 +# define ENGINE_F_DYNAMIC_LOAD 0 +# define ENGINE_F_DYNAMIC_SET_DATA_CTX 0 +# define ENGINE_F_ENGINE_ADD 0 +# define ENGINE_F_ENGINE_BY_ID 0 +# define ENGINE_F_ENGINE_CMD_IS_EXECUTABLE 0 +# define ENGINE_F_ENGINE_CTRL 0 +# define ENGINE_F_ENGINE_CTRL_CMD 0 +# define ENGINE_F_ENGINE_CTRL_CMD_STRING 0 +# define ENGINE_F_ENGINE_FINISH 0 +# define ENGINE_F_ENGINE_GET_CIPHER 0 +# define ENGINE_F_ENGINE_GET_DIGEST 0 +# define ENGINE_F_ENGINE_GET_FIRST 0 +# define ENGINE_F_ENGINE_GET_LAST 0 +# define ENGINE_F_ENGINE_GET_NEXT 0 +# define ENGINE_F_ENGINE_GET_PKEY_ASN1_METH 0 +# define ENGINE_F_ENGINE_GET_PKEY_METH 0 +# define ENGINE_F_ENGINE_GET_PREV 0 +# define ENGINE_F_ENGINE_INIT 0 +# define ENGINE_F_ENGINE_LIST_ADD 0 +# define ENGINE_F_ENGINE_LIST_REMOVE 0 +# define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY 0 +# define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY 0 +# define ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT 0 +# define ENGINE_F_ENGINE_NEW 0 +# define ENGINE_F_ENGINE_PKEY_ASN1_FIND_STR 0 +# define ENGINE_F_ENGINE_REMOVE 0 +# define ENGINE_F_ENGINE_SET_DEFAULT_STRING 0 +# define ENGINE_F_ENGINE_SET_ID 0 +# define ENGINE_F_ENGINE_SET_NAME 0 +# define ENGINE_F_ENGINE_TABLE_REGISTER 0 +# define ENGINE_F_ENGINE_UNLOCKED_FINISH 0 +# define ENGINE_F_ENGINE_UP_REF 0 +# define ENGINE_F_INT_CLEANUP_ITEM 0 +# define ENGINE_F_INT_CTRL_HELPER 0 +# define ENGINE_F_INT_ENGINE_CONFIGURE 0 +# define ENGINE_F_INT_ENGINE_MODULE_INIT 0 +# define ENGINE_F_OSSL_HMAC_INIT 0 +# endif + +/* + * EVP function codes. + */ +# define EVP_F_AESNI_INIT_KEY 0 +# define EVP_F_AESNI_XTS_INIT_KEY 0 +# define EVP_F_AES_GCM_CTRL 0 +# define EVP_F_AES_INIT_KEY 0 +# define EVP_F_AES_OCB_CIPHER 0 +# define EVP_F_AES_T4_INIT_KEY 0 +# define EVP_F_AES_T4_XTS_INIT_KEY 0 +# define EVP_F_AES_WRAP_CIPHER 0 +# define EVP_F_AES_XTS_INIT_KEY 0 +# define EVP_F_ALG_MODULE_INIT 0 +# define EVP_F_ARIA_CCM_INIT_KEY 0 +# define EVP_F_ARIA_GCM_CTRL 0 +# define EVP_F_ARIA_GCM_INIT_KEY 0 +# define EVP_F_ARIA_INIT_KEY 0 +# define EVP_F_B64_NEW 0 +# define EVP_F_CAMELLIA_INIT_KEY 0 +# define EVP_F_CHACHA20_POLY1305_CTRL 0 +# define EVP_F_CMLL_T4_INIT_KEY 0 +# define EVP_F_DES_EDE3_WRAP_CIPHER 0 +# define EVP_F_DO_SIGVER_INIT 0 +# define EVP_F_ENC_NEW 0 +# define EVP_F_EVP_CIPHERINIT_EX 0 +# define EVP_F_EVP_CIPHER_ASN1_TO_PARAM 0 +# define EVP_F_EVP_CIPHER_CTX_COPY 0 +# define EVP_F_EVP_CIPHER_CTX_CTRL 0 +# define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 0 +# define EVP_F_EVP_CIPHER_PARAM_TO_ASN1 0 +# define EVP_F_EVP_DECRYPTFINAL_EX 0 +# define EVP_F_EVP_DECRYPTUPDATE 0 +# define EVP_F_EVP_DIGESTFINALXOF 0 +# define EVP_F_EVP_DIGESTINIT_EX 0 +# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 0 +# define EVP_F_EVP_ENCRYPTFINAL_EX 0 +# define EVP_F_EVP_ENCRYPTUPDATE 0 +# define EVP_F_EVP_MD_CTX_COPY_EX 0 +# define EVP_F_EVP_MD_SIZE 0 +# define EVP_F_EVP_OPENINIT 0 +# define EVP_F_EVP_PBE_ALG_ADD 0 +# define EVP_F_EVP_PBE_ALG_ADD_TYPE 0 +# define EVP_F_EVP_PBE_CIPHERINIT 0 +# define EVP_F_EVP_PBE_SCRYPT 0 +# define EVP_F_EVP_PKCS82PKEY 0 +# define EVP_F_EVP_PKEY2PKCS8 0 +# define EVP_F_EVP_PKEY_ASN1_ADD0 0 +# define EVP_F_EVP_PKEY_CHECK 0 +# define EVP_F_EVP_PKEY_COPY_PARAMETERS 0 +# define EVP_F_EVP_PKEY_CTX_CTRL 0 +# define EVP_F_EVP_PKEY_CTX_CTRL_STR 0 +# define EVP_F_EVP_PKEY_CTX_DUP 0 +# define EVP_F_EVP_PKEY_CTX_MD 0 +# define EVP_F_EVP_PKEY_DECRYPT 0 +# define EVP_F_EVP_PKEY_DECRYPT_INIT 0 +# define EVP_F_EVP_PKEY_DECRYPT_OLD 0 +# define EVP_F_EVP_PKEY_DERIVE 0 +# define EVP_F_EVP_PKEY_DERIVE_INIT 0 +# define EVP_F_EVP_PKEY_DERIVE_SET_PEER 0 +# define EVP_F_EVP_PKEY_ENCRYPT 0 +# define EVP_F_EVP_PKEY_ENCRYPT_INIT 0 +# define EVP_F_EVP_PKEY_ENCRYPT_OLD 0 +# define EVP_F_EVP_PKEY_GET0_DH 0 +# define EVP_F_EVP_PKEY_GET0_DSA 0 +# define EVP_F_EVP_PKEY_GET0_EC_KEY 0 +# define EVP_F_EVP_PKEY_GET0_HMAC 0 +# define EVP_F_EVP_PKEY_GET0_POLY1305 0 +# define EVP_F_EVP_PKEY_GET0_RSA 0 +# define EVP_F_EVP_PKEY_GET0_SIPHASH 0 +# define EVP_F_EVP_PKEY_GET_RAW_PRIVATE_KEY 0 +# define EVP_F_EVP_PKEY_GET_RAW_PUBLIC_KEY 0 +# define EVP_F_EVP_PKEY_KEYGEN 0 +# define EVP_F_EVP_PKEY_KEYGEN_INIT 0 +# define EVP_F_EVP_PKEY_METH_ADD0 0 +# define EVP_F_EVP_PKEY_METH_NEW 0 +# define EVP_F_EVP_PKEY_NEW 0 +# define EVP_F_EVP_PKEY_NEW_CMAC_KEY 0 +# define EVP_F_EVP_PKEY_NEW_RAW_PRIVATE_KEY 0 +# define EVP_F_EVP_PKEY_NEW_RAW_PUBLIC_KEY 0 +# define EVP_F_EVP_PKEY_PARAMGEN 0 +# define EVP_F_EVP_PKEY_PARAMGEN_INIT 0 +# define EVP_F_EVP_PKEY_PARAM_CHECK 0 +# define EVP_F_EVP_PKEY_PUBLIC_CHECK 0 +# define EVP_F_EVP_PKEY_SET1_ENGINE 0 +# define EVP_F_EVP_PKEY_SET_ALIAS_TYPE 0 +# define EVP_F_EVP_PKEY_SIGN 0 +# define EVP_F_EVP_PKEY_SIGN_INIT 0 +# define EVP_F_EVP_PKEY_VERIFY 0 +# define EVP_F_EVP_PKEY_VERIFY_INIT 0 +# define EVP_F_EVP_PKEY_VERIFY_RECOVER 0 +# define EVP_F_EVP_PKEY_VERIFY_RECOVER_INIT 0 +# define EVP_F_EVP_SIGNFINAL 0 +# define EVP_F_EVP_VERIFYFINAL 0 +# define EVP_F_INT_CTX_NEW 0 +# define EVP_F_OK_NEW 0 +# define EVP_F_PKCS5_PBE_KEYIVGEN 0 +# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 0 +# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 0 +# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 0 +# define EVP_F_PKEY_SET_TYPE 0 +# define EVP_F_RC2_MAGIC_TO_METH 0 +# define EVP_F_RC5_CTRL 0 +# define EVP_F_R_32_12_16_INIT_KEY 0 +# define EVP_F_S390X_AES_GCM_CTRL 0 +# define EVP_F_UPDATE 0 + +/* + * KDF function codes. + */ +# define KDF_F_PKEY_HKDF_CTRL_STR 0 +# define KDF_F_PKEY_HKDF_DERIVE 0 +# define KDF_F_PKEY_HKDF_INIT 0 +# define KDF_F_PKEY_SCRYPT_CTRL_STR 0 +# define KDF_F_PKEY_SCRYPT_CTRL_UINT64 0 +# define KDF_F_PKEY_SCRYPT_DERIVE 0 +# define KDF_F_PKEY_SCRYPT_INIT 0 +# define KDF_F_PKEY_SCRYPT_SET_MEMBUF 0 +# define KDF_F_PKEY_TLS1_PRF_CTRL_STR 0 +# define KDF_F_PKEY_TLS1_PRF_DERIVE 0 +# define KDF_F_PKEY_TLS1_PRF_INIT 0 +# define KDF_F_TLS1_PRF_ALG 0 + +/* + * KDF reason codes. + */ +# define KDF_R_INVALID_DIGEST 0 +# define KDF_R_MISSING_ITERATION_COUNT 0 +# define KDF_R_MISSING_KEY 0 +# define KDF_R_MISSING_MESSAGE_DIGEST 0 +# define KDF_R_MISSING_PARAMETER 0 +# define KDF_R_MISSING_PASS 0 +# define KDF_R_MISSING_SALT 0 +# define KDF_R_MISSING_SECRET 0 +# define KDF_R_MISSING_SEED 0 +# define KDF_R_UNKNOWN_PARAMETER_TYPE 0 +# define KDF_R_VALUE_ERROR 0 +# define KDF_R_VALUE_MISSING 0 + +/* + * OBJ function codes. + */ +# define OBJ_F_OBJ_ADD_OBJECT 0 +# define OBJ_F_OBJ_ADD_SIGID 0 +# define OBJ_F_OBJ_CREATE 0 +# define OBJ_F_OBJ_DUP 0 +# define OBJ_F_OBJ_NAME_NEW_INDEX 0 +# define OBJ_F_OBJ_NID2LN 0 +# define OBJ_F_OBJ_NID2OBJ 0 +# define OBJ_F_OBJ_NID2SN 0 +# define OBJ_F_OBJ_TXT2OBJ 0 + +# ifndef OPENSSL_NO_OCSP +/* + * OCSP function codes. + */ +# define OCSP_F_D2I_OCSP_NONCE 0 +# define OCSP_F_OCSP_BASIC_ADD1_STATUS 0 +# define OCSP_F_OCSP_BASIC_SIGN 0 +# define OCSP_F_OCSP_BASIC_SIGN_CTX 0 +# define OCSP_F_OCSP_BASIC_VERIFY 0 +# define OCSP_F_OCSP_CERT_ID_NEW 0 +# define OCSP_F_OCSP_CHECK_DELEGATED 0 +# define OCSP_F_OCSP_CHECK_IDS 0 +# define OCSP_F_OCSP_CHECK_ISSUER 0 +# define OCSP_F_OCSP_CHECK_VALIDITY 0 +# define OCSP_F_OCSP_MATCH_ISSUERID 0 +# define OCSP_F_OCSP_PARSE_URL 0 +# define OCSP_F_OCSP_REQUEST_SIGN 0 +# define OCSP_F_OCSP_REQUEST_VERIFY 0 +# define OCSP_F_OCSP_RESPONSE_GET1_BASIC 0 +# define OCSP_F_PARSE_HTTP_LINE1 0 +# endif + +/* + * PEM function codes. + */ +# define PEM_F_B2I_DSS 0 +# define PEM_F_B2I_PVK_BIO 0 +# define PEM_F_B2I_RSA 0 +# define PEM_F_CHECK_BITLEN_DSA 0 +# define PEM_F_CHECK_BITLEN_RSA 0 +# define PEM_F_D2I_PKCS8PRIVATEKEY_BIO 0 +# define PEM_F_D2I_PKCS8PRIVATEKEY_FP 0 +# define PEM_F_DO_B2I 0 +# define PEM_F_DO_B2I_BIO 0 +# define PEM_F_DO_BLOB_HEADER 0 +# define PEM_F_DO_I2B 0 +# define PEM_F_DO_PK8PKEY 0 +# define PEM_F_DO_PK8PKEY_FP 0 +# define PEM_F_DO_PVK_BODY 0 +# define PEM_F_DO_PVK_HEADER 0 +# define PEM_F_GET_HEADER_AND_DATA 0 +# define PEM_F_GET_NAME 0 +# define PEM_F_I2B_PVK 0 +# define PEM_F_I2B_PVK_BIO 0 +# define PEM_F_LOAD_IV 0 +# define PEM_F_PEM_ASN1_READ 0 +# define PEM_F_PEM_ASN1_READ_BIO 0 +# define PEM_F_PEM_ASN1_WRITE 0 +# define PEM_F_PEM_ASN1_WRITE_BIO 0 +# define PEM_F_PEM_DEF_CALLBACK 0 +# define PEM_F_PEM_DO_HEADER 0 +# define PEM_F_PEM_GET_EVP_CIPHER_INFO 0 +# define PEM_F_PEM_READ 0 +# define PEM_F_PEM_READ_BIO 0 +# define PEM_F_PEM_READ_BIO_DHPARAMS 0 +# define PEM_F_PEM_READ_BIO_EX 0 +# define PEM_F_PEM_READ_BIO_PARAMETERS 0 +# define PEM_F_PEM_READ_BIO_PRIVATEKEY 0 +# define PEM_F_PEM_READ_DHPARAMS 0 +# define PEM_F_PEM_READ_PRIVATEKEY 0 +# define PEM_F_PEM_SIGNFINAL 0 +# define PEM_F_PEM_WRITE 0 +# define PEM_F_PEM_WRITE_BIO 0 +# define PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL 0 +# define PEM_F_PEM_WRITE_PRIVATEKEY 0 +# define PEM_F_PEM_X509_INFO_READ 0 +# define PEM_F_PEM_X509_INFO_READ_BIO 0 +# define PEM_F_PEM_X509_INFO_WRITE_BIO 0 + +/* + * PKCS12 function codes. + */ +# define PKCS12_F_OPENSSL_ASC2UNI 0 +# define PKCS12_F_OPENSSL_UNI2ASC 0 +# define PKCS12_F_OPENSSL_UNI2UTF8 0 +# define PKCS12_F_OPENSSL_UTF82UNI 0 +# define PKCS12_F_PKCS12_CREATE 0 +# define PKCS12_F_PKCS12_GEN_MAC 0 +# define PKCS12_F_PKCS12_INIT 0 +# define PKCS12_F_PKCS12_ITEM_DECRYPT_D2I 0 +# define PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT 0 +# define PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG 0 +# define PKCS12_F_PKCS12_KEY_GEN_ASC 0 +# define PKCS12_F_PKCS12_KEY_GEN_UNI 0 +# define PKCS12_F_PKCS12_KEY_GEN_UTF8 0 +# define PKCS12_F_PKCS12_NEWPASS 0 +# define PKCS12_F_PKCS12_PACK_P7DATA 0 +# define PKCS12_F_PKCS12_PACK_P7ENCDATA 0 +# define PKCS12_F_PKCS12_PARSE 0 +# define PKCS12_F_PKCS12_PBE_CRYPT 0 +# define PKCS12_F_PKCS12_PBE_KEYIVGEN 0 +# define PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF 0 +# define PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8 0 +# define PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT 0 +# define PKCS12_F_PKCS12_SETUP_MAC 0 +# define PKCS12_F_PKCS12_SET_MAC 0 +# define PKCS12_F_PKCS12_UNPACK_AUTHSAFES 0 +# define PKCS12_F_PKCS12_UNPACK_P7DATA 0 +# define PKCS12_F_PKCS12_VERIFY_MAC 0 +# define PKCS12_F_PKCS8_ENCRYPT 0 +# define PKCS12_F_PKCS8_SET0_PBE 0 + +/* + * PKCS7 function codes. + */ +# define PKCS7_F_DO_PKCS7_SIGNED_ATTRIB 0 +# define PKCS7_F_PKCS7_ADD0_ATTRIB_SIGNING_TIME 0 +# define PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP 0 +# define PKCS7_F_PKCS7_ADD_CERTIFICATE 0 +# define PKCS7_F_PKCS7_ADD_CRL 0 +# define PKCS7_F_PKCS7_ADD_RECIPIENT_INFO 0 +# define PKCS7_F_PKCS7_ADD_SIGNATURE 0 +# define PKCS7_F_PKCS7_ADD_SIGNER 0 +# define PKCS7_F_PKCS7_BIO_ADD_DIGEST 0 +# define PKCS7_F_PKCS7_COPY_EXISTING_DIGEST 0 +# define PKCS7_F_PKCS7_CTRL 0 +# define PKCS7_F_PKCS7_DATADECODE 0 +# define PKCS7_F_PKCS7_DATAFINAL 0 +# define PKCS7_F_PKCS7_DATAINIT 0 +# define PKCS7_F_PKCS7_DATAVERIFY 0 +# define PKCS7_F_PKCS7_DECRYPT 0 +# define PKCS7_F_PKCS7_DECRYPT_RINFO 0 +# define PKCS7_F_PKCS7_ENCODE_RINFO 0 +# define PKCS7_F_PKCS7_ENCRYPT 0 +# define PKCS7_F_PKCS7_FINAL 0 +# define PKCS7_F_PKCS7_FIND_DIGEST 0 +# define PKCS7_F_PKCS7_GET0_SIGNERS 0 +# define PKCS7_F_PKCS7_RECIP_INFO_SET 0 +# define PKCS7_F_PKCS7_SET_CIPHER 0 +# define PKCS7_F_PKCS7_SET_CONTENT 0 +# define PKCS7_F_PKCS7_SET_DIGEST 0 +# define PKCS7_F_PKCS7_SET_TYPE 0 +# define PKCS7_F_PKCS7_SIGN 0 +# define PKCS7_F_PKCS7_SIGNATUREVERIFY 0 +# define PKCS7_F_PKCS7_SIGNER_INFO_SET 0 +# define PKCS7_F_PKCS7_SIGNER_INFO_SIGN 0 +# define PKCS7_F_PKCS7_SIGN_ADD_SIGNER 0 +# define PKCS7_F_PKCS7_SIMPLE_SMIMECAP 0 +# define PKCS7_F_PKCS7_VERIFY 0 + +/* + * RAND function codes. + */ +# define RAND_F_DATA_COLLECT_METHOD 0 +# define RAND_F_DRBG_BYTES 0 +# define RAND_F_DRBG_GET_ENTROPY 0 +# define RAND_F_DRBG_SETUP 0 +# define RAND_F_GET_ENTROPY 0 +# define RAND_F_RAND_BYTES 0 +# define RAND_F_RAND_DRBG_ENABLE_LOCKING 0 +# define RAND_F_RAND_DRBG_GENERATE 0 +# define RAND_F_RAND_DRBG_GET_ENTROPY 0 +# define RAND_F_RAND_DRBG_GET_NONCE 0 +# define RAND_F_RAND_DRBG_INSTANTIATE 0 +# define RAND_F_RAND_DRBG_NEW 0 +# define RAND_F_RAND_DRBG_RESEED 0 +# define RAND_F_RAND_DRBG_RESTART 0 +# define RAND_F_RAND_DRBG_SET 0 +# define RAND_F_RAND_DRBG_SET_DEFAULTS 0 +# define RAND_F_RAND_DRBG_UNINSTANTIATE 0 +# define RAND_F_RAND_LOAD_FILE 0 +# define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 0 +# define RAND_F_RAND_POOL_ADD 0 +# define RAND_F_RAND_POOL_ADD_BEGIN 0 +# define RAND_F_RAND_POOL_ADD_END 0 +# define RAND_F_RAND_POOL_ATTACH 0 +# define RAND_F_RAND_POOL_BYTES_NEEDED 0 +# define RAND_F_RAND_POOL_GROW 0 +# define RAND_F_RAND_POOL_NEW 0 +# define RAND_F_RAND_PSEUDO_BYTES 0 +# define RAND_F_RAND_WRITE_FILE 0 + +/* + * RSA function codes. + */ +# define RSA_F_CHECK_PADDING_MD 0 +# define RSA_F_ENCODE_PKCS1 0 +# define RSA_F_INT_RSA_VERIFY 0 +# define RSA_F_OLD_RSA_PRIV_DECODE 0 +# define RSA_F_PKEY_PSS_INIT 0 +# define RSA_F_PKEY_RSA_CTRL 0 +# define RSA_F_PKEY_RSA_CTRL_STR 0 +# define RSA_F_PKEY_RSA_SIGN 0 +# define RSA_F_PKEY_RSA_VERIFY 0 +# define RSA_F_PKEY_RSA_VERIFYRECOVER 0 +# define RSA_F_RSA_ALGOR_TO_MD 0 +# define RSA_F_RSA_BUILTIN_KEYGEN 0 +# define RSA_F_RSA_CHECK_KEY 0 +# define RSA_F_RSA_CHECK_KEY_EX 0 +# define RSA_F_RSA_CMS_DECRYPT 0 +# define RSA_F_RSA_CMS_VERIFY 0 +# define RSA_F_RSA_ITEM_VERIFY 0 +# define RSA_F_RSA_METH_DUP 0 +# define RSA_F_RSA_METH_NEW 0 +# define RSA_F_RSA_METH_SET1_NAME 0 +# define RSA_F_RSA_MGF1_TO_MD 0 +# define RSA_F_RSA_MULTIP_INFO_NEW 0 +# define RSA_F_RSA_NEW_METHOD 0 +# define RSA_F_RSA_NULL 0 +# define RSA_F_RSA_NULL_PRIVATE_DECRYPT 0 +# define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 0 +# define RSA_F_RSA_NULL_PUBLIC_DECRYPT 0 +# define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 0 +# define RSA_F_RSA_OSSL_PRIVATE_DECRYPT 0 +# define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT 0 +# define RSA_F_RSA_OSSL_PUBLIC_DECRYPT 0 +# define RSA_F_RSA_OSSL_PUBLIC_ENCRYPT 0 +# define RSA_F_RSA_PADDING_ADD_NONE 0 +# define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 0 +# define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 0 +# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 0 +# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 0 +# define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 0 +# define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 0 +# define RSA_F_RSA_PADDING_ADD_SSLV23 0 +# define RSA_F_RSA_PADDING_ADD_X931 0 +# define RSA_F_RSA_PADDING_CHECK_NONE 0 +# define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 0 +# define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1 0 +# define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 0 +# define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 0 +# define RSA_F_RSA_PADDING_CHECK_SSLV23 0 +# define RSA_F_RSA_PADDING_CHECK_X931 0 +# define RSA_F_RSA_PARAM_DECODE 0 +# define RSA_F_RSA_PRINT 0 +# define RSA_F_RSA_PRINT_FP 0 +# define RSA_F_RSA_PRIV_DECODE 0 +# define RSA_F_RSA_PRIV_ENCODE 0 +# define RSA_F_RSA_PSS_GET_PARAM 0 +# define RSA_F_RSA_PSS_TO_CTX 0 +# define RSA_F_RSA_PUB_DECODE 0 +# define RSA_F_RSA_SETUP_BLINDING 0 +# define RSA_F_RSA_SIGN 0 +# define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 0 +# define RSA_F_RSA_VERIFY 0 +# define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 0 +# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 0 +# define RSA_F_SETUP_TBUF 0 + +/* + * OSSL_STORE function codes. + */ +# define OSSL_STORE_F_FILE_CTRL 0 +# define OSSL_STORE_F_FILE_FIND 0 +# define OSSL_STORE_F_FILE_GET_PASS 0 +# define OSSL_STORE_F_FILE_LOAD 0 +# define OSSL_STORE_F_FILE_LOAD_TRY_DECODE 0 +# define OSSL_STORE_F_FILE_NAME_TO_URI 0 +# define OSSL_STORE_F_FILE_OPEN 0 +# define OSSL_STORE_F_OSSL_STORE_ATTACH_PEM_BIO 0 +# define OSSL_STORE_F_OSSL_STORE_EXPECT 0 +# define OSSL_STORE_F_OSSL_STORE_FILE_ATTACH_PEM_BIO_INT 0 +# define OSSL_STORE_F_OSSL_STORE_FIND 0 +# define OSSL_STORE_F_OSSL_STORE_GET0_LOADER_INT 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_CERT 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_CRL 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_PARAMS 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_PKEY 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_CERT 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_CRL 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_NAME 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_PARAMS 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_PKEY 0 +# define OSSL_STORE_F_OSSL_STORE_INFO_SET0_NAME_DESCRIPTION 0 +# define OSSL_STORE_F_OSSL_STORE_INIT_ONCE 0 +# define OSSL_STORE_F_OSSL_STORE_LOADER_NEW 0 +# define OSSL_STORE_F_OSSL_STORE_OPEN 0 +# define OSSL_STORE_F_OSSL_STORE_OPEN_INT 0 +# define OSSL_STORE_F_OSSL_STORE_REGISTER_LOADER_INT 0 +# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ALIAS 0 +# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ISSUER_SERIAL 0 +# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT 0 +# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_NAME 0 +# define OSSL_STORE_F_OSSL_STORE_UNREGISTER_LOADER_INT 0 +# define OSSL_STORE_F_TRY_DECODE_PARAMS 0 +# define OSSL_STORE_F_TRY_DECODE_PKCS12 0 +# define OSSL_STORE_F_TRY_DECODE_PKCS8ENCRYPTED 0 + +# ifndef OPENSSL_NO_TS +/* + * TS function codes. + */ +# define TS_F_DEF_SERIAL_CB 0 +# define TS_F_DEF_TIME_CB 0 +# define TS_F_ESS_ADD_SIGNING_CERT 0 +# define TS_F_ESS_ADD_SIGNING_CERT_V2 0 +# define TS_F_ESS_CERT_ID_NEW_INIT 0 +# define TS_F_ESS_CERT_ID_V2_NEW_INIT 0 +# define TS_F_ESS_SIGNING_CERT_NEW_INIT 0 +# define TS_F_ESS_SIGNING_CERT_V2_NEW_INIT 0 +# define TS_F_INT_TS_RESP_VERIFY_TOKEN 0 +# define TS_F_PKCS7_TO_TS_TST_INFO 0 +# define TS_F_TS_ACCURACY_SET_MICROS 0 +# define TS_F_TS_ACCURACY_SET_MILLIS 0 +# define TS_F_TS_ACCURACY_SET_SECONDS 0 +# define TS_F_TS_CHECK_IMPRINTS 0 +# define TS_F_TS_CHECK_NONCES 0 +# define TS_F_TS_CHECK_POLICY 0 +# define TS_F_TS_CHECK_SIGNING_CERTS 0 +# define TS_F_TS_CHECK_STATUS_INFO 0 +# define TS_F_TS_COMPUTE_IMPRINT 0 +# define TS_F_TS_CONF_INVALID 0 +# define TS_F_TS_CONF_LOAD_CERT 0 +# define TS_F_TS_CONF_LOAD_CERTS 0 +# define TS_F_TS_CONF_LOAD_KEY 0 +# define TS_F_TS_CONF_LOOKUP_FAIL 0 +# define TS_F_TS_CONF_SET_DEFAULT_ENGINE 0 +# define TS_F_TS_GET_STATUS_TEXT 0 +# define TS_F_TS_MSG_IMPRINT_SET_ALGO 0 +# define TS_F_TS_REQ_SET_MSG_IMPRINT 0 +# define TS_F_TS_REQ_SET_NONCE 0 +# define TS_F_TS_REQ_SET_POLICY_ID 0 +# define TS_F_TS_RESP_CREATE_RESPONSE 0 +# define TS_F_TS_RESP_CREATE_TST_INFO 0 +# define TS_F_TS_RESP_CTX_ADD_FAILURE_INFO 0 +# define TS_F_TS_RESP_CTX_ADD_MD 0 +# define TS_F_TS_RESP_CTX_ADD_POLICY 0 +# define TS_F_TS_RESP_CTX_NEW 0 +# define TS_F_TS_RESP_CTX_SET_ACCURACY 0 +# define TS_F_TS_RESP_CTX_SET_CERTS 0 +# define TS_F_TS_RESP_CTX_SET_DEF_POLICY 0 +# define TS_F_TS_RESP_CTX_SET_SIGNER_CERT 0 +# define TS_F_TS_RESP_CTX_SET_STATUS_INFO 0 +# define TS_F_TS_RESP_GET_POLICY 0 +# define TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION 0 +# define TS_F_TS_RESP_SET_STATUS_INFO 0 +# define TS_F_TS_RESP_SET_TST_INFO 0 +# define TS_F_TS_RESP_SIGN 0 +# define TS_F_TS_RESP_VERIFY_SIGNATURE 0 +# define TS_F_TS_TST_INFO_SET_ACCURACY 0 +# define TS_F_TS_TST_INFO_SET_MSG_IMPRINT 0 +# define TS_F_TS_TST_INFO_SET_NONCE 0 +# define TS_F_TS_TST_INFO_SET_POLICY_ID 0 +# define TS_F_TS_TST_INFO_SET_SERIAL 0 +# define TS_F_TS_TST_INFO_SET_TIME 0 +# define TS_F_TS_TST_INFO_SET_TSA 0 +# define TS_F_TS_VERIFY 0 +# define TS_F_TS_VERIFY_CERT 0 +# define TS_F_TS_VERIFY_CTX_NEW 0 +# endif + +/* + * UI function codes. + */ +# define UI_F_CLOSE_CONSOLE 0 +# define UI_F_ECHO_CONSOLE 0 +# define UI_F_GENERAL_ALLOCATE_BOOLEAN 0 +# define UI_F_GENERAL_ALLOCATE_PROMPT 0 +# define UI_F_NOECHO_CONSOLE 0 +# define UI_F_OPEN_CONSOLE 0 +# define UI_F_UI_CONSTRUCT_PROMPT 0 +# define UI_F_UI_CREATE_METHOD 0 +# define UI_F_UI_CTRL 0 +# define UI_F_UI_DUP_ERROR_STRING 0 +# define UI_F_UI_DUP_INFO_STRING 0 +# define UI_F_UI_DUP_INPUT_BOOLEAN 0 +# define UI_F_UI_DUP_INPUT_STRING 0 +# define UI_F_UI_DUP_USER_DATA 0 +# define UI_F_UI_DUP_VERIFY_STRING 0 +# define UI_F_UI_GET0_RESULT 0 +# define UI_F_UI_GET_RESULT_LENGTH 0 +# define UI_F_UI_NEW_METHOD 0 +# define UI_F_UI_PROCESS 0 +# define UI_F_UI_SET_RESULT 0 +# define UI_F_UI_SET_RESULT_EX 0 + +/* + * X509 function codes. + */ +# define X509_F_ADD_CERT_DIR 0 +# define X509_F_BUILD_CHAIN 0 +# define X509_F_BY_FILE_CTRL 0 +# define X509_F_CHECK_NAME_CONSTRAINTS 0 +# define X509_F_CHECK_POLICY 0 +# define X509_F_DANE_I2D 0 +# define X509_F_DIR_CTRL 0 +# define X509_F_GET_CERT_BY_SUBJECT 0 +# define X509_F_I2D_X509_AUX 0 +# define X509_F_LOOKUP_CERTS_SK 0 +# define X509_F_NETSCAPE_SPKI_B64_DECODE 0 +# define X509_F_NETSCAPE_SPKI_B64_ENCODE 0 +# define X509_F_NEW_DIR 0 +# define X509_F_X509AT_ADD1_ATTR 0 +# define X509_F_X509V3_ADD_EXT 0 +# define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 0 +# define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 0 +# define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 0 +# define X509_F_X509_ATTRIBUTE_GET0_DATA 0 +# define X509_F_X509_ATTRIBUTE_SET1_DATA 0 +# define X509_F_X509_CHECK_PRIVATE_KEY 0 +# define X509_F_X509_CRL_DIFF 0 +# define X509_F_X509_CRL_METHOD_NEW 0 +# define X509_F_X509_CRL_PRINT_FP 0 +# define X509_F_X509_EXTENSION_CREATE_BY_NID 0 +# define X509_F_X509_EXTENSION_CREATE_BY_OBJ 0 +# define X509_F_X509_GET_PUBKEY_PARAMETERS 0 +# define X509_F_X509_LOAD_CERT_CRL_FILE 0 +# define X509_F_X509_LOAD_CERT_FILE 0 +# define X509_F_X509_LOAD_CRL_FILE 0 +# define X509_F_X509_LOOKUP_METH_NEW 0 +# define X509_F_X509_LOOKUP_NEW 0 +# define X509_F_X509_NAME_ADD_ENTRY 0 +# define X509_F_X509_NAME_CANON 0 +# define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 0 +# define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 0 +# define X509_F_X509_NAME_ENTRY_SET_OBJECT 0 +# define X509_F_X509_NAME_ONELINE 0 +# define X509_F_X509_NAME_PRINT 0 +# define X509_F_X509_OBJECT_NEW 0 +# define X509_F_X509_PRINT_EX_FP 0 +# define X509_F_X509_PUBKEY_DECODE 0 +# define X509_F_X509_PUBKEY_GET 0 +# define X509_F_X509_PUBKEY_GET0 0 +# define X509_F_X509_PUBKEY_SET 0 +# define X509_F_X509_REQ_CHECK_PRIVATE_KEY 0 +# define X509_F_X509_REQ_PRINT_EX 0 +# define X509_F_X509_REQ_PRINT_FP 0 +# define X509_F_X509_REQ_TO_X509 0 +# define X509_F_X509_STORE_ADD_CERT 0 +# define X509_F_X509_STORE_ADD_CRL 0 +# define X509_F_X509_STORE_ADD_LOOKUP 0 +# define X509_F_X509_STORE_CTX_GET1_ISSUER 0 +# define X509_F_X509_STORE_CTX_INIT 0 +# define X509_F_X509_STORE_CTX_NEW 0 +# define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 0 +# define X509_F_X509_STORE_NEW 0 +# define X509_F_X509_TO_X509_REQ 0 +# define X509_F_X509_TRUST_ADD 0 +# define X509_F_X509_TRUST_SET 0 +# define X509_F_X509_VERIFY_CERT 0 +# define X509_F_X509_VERIFY_PARAM_NEW 0 + +/* + * X509V3 function codes. + */ +# define X509V3_F_A2I_GENERAL_NAME 0 +# define X509V3_F_ADDR_VALIDATE_PATH_INTERNAL 0 +# define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 0 +# define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 0 +# define X509V3_F_BIGNUM_TO_STRING 0 +# define X509V3_F_COPY_EMAIL 0 +# define X509V3_F_COPY_ISSUER 0 +# define X509V3_F_DO_DIRNAME 0 +# define X509V3_F_DO_EXT_I2D 0 +# define X509V3_F_DO_EXT_NCONF 0 +# define X509V3_F_GNAMES_FROM_SECTNAME 0 +# define X509V3_F_I2S_ASN1_ENUMERATED 0 +# define X509V3_F_I2S_ASN1_IA5STRING 0 +# define X509V3_F_I2S_ASN1_INTEGER 0 +# define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 0 +# define X509V3_F_LEVEL_ADD_NODE 0 +# define X509V3_F_NOTICE_SECTION 0 +# define X509V3_F_NREF_NOS 0 +# define X509V3_F_POLICY_CACHE_CREATE 0 +# define X509V3_F_POLICY_CACHE_NEW 0 +# define X509V3_F_POLICY_DATA_NEW 0 +# define X509V3_F_POLICY_SECTION 0 +# define X509V3_F_PROCESS_PCI_VALUE 0 +# define X509V3_F_R2I_CERTPOL 0 +# define X509V3_F_R2I_PCI 0 +# define X509V3_F_S2I_ASN1_IA5STRING 0 +# define X509V3_F_S2I_ASN1_INTEGER 0 +# define X509V3_F_S2I_ASN1_OCTET_STRING 0 +# define X509V3_F_S2I_SKEY_ID 0 +# define X509V3_F_SET_DIST_POINT_NAME 0 +# define X509V3_F_SXNET_ADD_ID_ASC 0 +# define X509V3_F_SXNET_ADD_ID_INTEGER 0 +# define X509V3_F_SXNET_ADD_ID_ULONG 0 +# define X509V3_F_SXNET_GET_ID_ASC 0 +# define X509V3_F_SXNET_GET_ID_ULONG 0 +# define X509V3_F_TREE_INIT 0 +# define X509V3_F_V2I_ASIDENTIFIERS 0 +# define X509V3_F_V2I_ASN1_BIT_STRING 0 +# define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 0 +# define X509V3_F_V2I_AUTHORITY_KEYID 0 +# define X509V3_F_V2I_BASIC_CONSTRAINTS 0 +# define X509V3_F_V2I_CRLD 0 +# define X509V3_F_V2I_EXTENDED_KEY_USAGE 0 +# define X509V3_F_V2I_GENERAL_NAMES 0 +# define X509V3_F_V2I_GENERAL_NAME_EX 0 +# define X509V3_F_V2I_IDP 0 +# define X509V3_F_V2I_IPADDRBLOCKS 0 +# define X509V3_F_V2I_ISSUER_ALT 0 +# define X509V3_F_V2I_NAME_CONSTRAINTS 0 +# define X509V3_F_V2I_POLICY_CONSTRAINTS 0 +# define X509V3_F_V2I_POLICY_MAPPINGS 0 +# define X509V3_F_V2I_SUBJECT_ALT 0 +# define X509V3_F_V2I_TLS_FEATURE 0 +# define X509V3_F_V3_GENERIC_EXTENSION 0 +# define X509V3_F_X509V3_ADD1_I2D 0 +# define X509V3_F_X509V3_ADD_VALUE 0 +# define X509V3_F_X509V3_EXT_ADD 0 +# define X509V3_F_X509V3_EXT_ADD_ALIAS 0 +# define X509V3_F_X509V3_EXT_I2D 0 +# define X509V3_F_X509V3_EXT_NCONF 0 +# define X509V3_F_X509V3_GET_SECTION 0 +# define X509V3_F_X509V3_GET_STRING 0 +# define X509V3_F_X509V3_GET_VALUE_BOOL 0 +# define X509V3_F_X509V3_PARSE_LIST 0 +# define X509V3_F_X509_PURPOSE_ADD 0 +# define X509V3_F_X509_PURPOSE_SET 0 + # endif # ifdef __cplusplus diff --git a/include/openssl/cterr.h b/include/openssl/cterr.h index 439e8b8363..8ffff3b53a 100644 --- a/include/openssl/cterr.h +++ b/include/openssl/cterr.h @@ -20,39 +20,6 @@ # ifndef OPENSSL_NO_CT -/* - * CT function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define CT_F_CTLOG_NEW 0 -# define CT_F_CTLOG_NEW_FROM_BASE64 0 -# define CT_F_CTLOG_NEW_FROM_CONF 0 -# define CT_F_CTLOG_STORE_LOAD_CTX_NEW 0 -# define CT_F_CTLOG_STORE_LOAD_FILE 0 -# define CT_F_CTLOG_STORE_LOAD_LOG 0 -# define CT_F_CTLOG_STORE_NEW 0 -# define CT_F_CT_BASE64_DECODE 0 -# define CT_F_CT_POLICY_EVAL_CTX_NEW 0 -# define CT_F_CT_V1_LOG_ID_FROM_PKEY 0 -# define CT_F_I2O_SCT 0 -# define CT_F_I2O_SCT_LIST 0 -# define CT_F_I2O_SCT_SIGNATURE 0 -# define CT_F_O2I_SCT 0 -# define CT_F_O2I_SCT_LIST 0 -# define CT_F_O2I_SCT_SIGNATURE 0 -# define CT_F_SCT_CTX_NEW 0 -# define CT_F_SCT_CTX_VERIFY 0 -# define CT_F_SCT_NEW 0 -# define CT_F_SCT_NEW_FROM_BASE64 0 -# define CT_F_SCT_SET0_LOG_ID 0 -# define CT_F_SCT_SET1_EXTENSIONS 0 -# define CT_F_SCT_SET1_LOG_ID 0 -# define CT_F_SCT_SET1_SIGNATURE 0 -# define CT_F_SCT_SET_LOG_ENTRY_TYPE 0 -# define CT_F_SCT_SET_SIGNATURE_NID 0 -# define CT_F_SCT_SET_VERSION 0 -# endif - /* * CT reason codes. */ diff --git a/include/openssl/decodererr.h b/include/openssl/decodererr.h index a82fc7bd0d..bead95c06c 100644 --- a/include/openssl/decodererr.h +++ b/include/openssl/decodererr.h @@ -18,12 +18,6 @@ -/* - * OSSL_DECODER function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# endif - /* * OSSL_DECODER reason codes. */ diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h index 17910ef541..0783a9dc5f 100644 --- a/include/openssl/dherr.h +++ b/include/openssl/dherr.h @@ -20,40 +20,6 @@ # ifndef OPENSSL_NO_DH -/* - * DH function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define DH_F_COMPUTE_KEY 0 -# define DH_F_DHPARAMS_PRINT_FP 0 -# define DH_F_DH_BUF2KEY 0 -# define DH_F_DH_BUILTIN_GENPARAMS 0 -# define DH_F_DH_CHECK_EX 0 -# define DH_F_DH_CHECK_PARAMS_EX 0 -# define DH_F_DH_CHECK_PUB_KEY_EX 0 -# define DH_F_DH_CMS_DECRYPT 0 -# define DH_F_DH_CMS_SET_PEERKEY 0 -# define DH_F_DH_CMS_SET_SHARED_INFO 0 -# define DH_F_DH_KEY2BUF 0 -# define DH_F_DH_METH_DUP 0 -# define DH_F_DH_METH_NEW 0 -# define DH_F_DH_METH_SET1_NAME 0 -# define DH_F_DH_NEW_BY_NID 0 -# define DH_F_DH_NEW_METHOD 0 -# define DH_F_DH_PARAM_DECODE 0 -# define DH_F_DH_PKEY_PUBLIC_CHECK 0 -# define DH_F_DH_PRIV_DECODE 0 -# define DH_F_DH_PRIV_ENCODE 0 -# define DH_F_DH_PUB_DECODE 0 -# define DH_F_DH_PUB_ENCODE 0 -# define DH_F_DO_DH_PRINT 0 -# define DH_F_GENERATE_KEY 0 -# define DH_F_PKEY_DH_CTRL_STR 0 -# define DH_F_PKEY_DH_DERIVE 0 -# define DH_F_PKEY_DH_INIT 0 -# define DH_F_PKEY_DH_KEYGEN 0 -# endif - /* * DH reason codes. */ diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h index 0c60171263..49dabbf575 100644 --- a/include/openssl/dsaerr.h +++ b/include/openssl/dsaerr.h @@ -20,35 +20,6 @@ # ifndef OPENSSL_NO_DSA -/* - * DSA function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define DSA_F_DSAPARAMS_PRINT 0 -# define DSA_F_DSAPARAMS_PRINT_FP 0 -# define DSA_F_DSA_BUILTIN_PARAMGEN 0 -# define DSA_F_DSA_BUILTIN_PARAMGEN2 0 -# define DSA_F_DSA_DO_SIGN 0 -# define DSA_F_DSA_DO_VERIFY 0 -# define DSA_F_DSA_METH_DUP 0 -# define DSA_F_DSA_METH_NEW 0 -# define DSA_F_DSA_METH_SET1_NAME 0 -# define DSA_F_DSA_NEW_METHOD 0 -# define DSA_F_DSA_PARAM_DECODE 0 -# define DSA_F_DSA_PRINT_FP 0 -# define DSA_F_DSA_PRIV_DECODE 0 -# define DSA_F_DSA_PRIV_ENCODE 0 -# define DSA_F_DSA_PUB_DECODE 0 -# define DSA_F_DSA_PUB_ENCODE 0 -# define DSA_F_DSA_SIGN 0 -# define DSA_F_DSA_SIGN_SETUP 0 -# define DSA_F_DSA_SIG_NEW 0 -# define DSA_F_OLD_DSA_PRIV_DECODE 0 -# define DSA_F_PKEY_DSA_CTRL 0 -# define DSA_F_PKEY_DSA_CTRL_STR 0 -# define DSA_F_PKEY_DSA_KEYGEN 0 -# endif - /* * DSA reason codes. */ diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h index 64037fd81b..0ebee3cf88 100644 --- a/include/openssl/ecerr.h +++ b/include/openssl/ecerr.h @@ -20,202 +20,6 @@ # ifndef OPENSSL_NO_EC -/* - * EC function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define EC_F_BN_TO_FELEM 0 -# define EC_F_D2I_ECPARAMETERS 0 -# define EC_F_D2I_ECPKPARAMETERS 0 -# define EC_F_D2I_ECPRIVATEKEY 0 -# define EC_F_DO_EC_KEY_PRINT 0 -# define EC_F_ECDH_CMS_DECRYPT 0 -# define EC_F_ECDH_CMS_SET_SHARED_INFO 0 -# define EC_F_ECDH_COMPUTE_KEY 0 -# define EC_F_ECDH_SIMPLE_COMPUTE_KEY 0 -# define EC_F_ECDSA_DO_SIGN_EX 0 -# define EC_F_ECDSA_DO_VERIFY 0 -# define EC_F_ECDSA_S390X_NISTP_SIGN_SIG 0 -# define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG 0 -# define EC_F_ECDSA_SIGN_EX 0 -# define EC_F_ECDSA_SIGN_SETUP 0 -# define EC_F_ECDSA_SIG_NEW 0 -# define EC_F_ECDSA_SIMPLE_SIGN_SETUP 0 -# define EC_F_ECDSA_SIMPLE_SIGN_SIG 0 -# define EC_F_ECDSA_SIMPLE_VERIFY_SIG 0 -# define EC_F_ECDSA_VERIFY 0 -# define EC_F_ECD_ITEM_VERIFY 0 -# define EC_F_ECKEY_PARAM2TYPE 0 -# define EC_F_ECKEY_PARAM_DECODE 0 -# define EC_F_ECKEY_PRIV_DECODE 0 -# define EC_F_ECKEY_PRIV_ENCODE 0 -# define EC_F_ECKEY_PUB_DECODE 0 -# define EC_F_ECKEY_PUB_ENCODE 0 -# define EC_F_ECKEY_TYPE2PARAM 0 -# define EC_F_ECPARAMETERS_PRINT 0 -# define EC_F_ECPARAMETERS_PRINT_FP 0 -# define EC_F_ECPKPARAMETERS_PRINT 0 -# define EC_F_ECPKPARAMETERS_PRINT_FP 0 -# define EC_F_ECP_NISTZ256_GET_AFFINE 0 -# define EC_F_ECP_NISTZ256_INV_MOD_ORD 0 -# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE 0 -# define EC_F_ECP_NISTZ256_POINTS_MUL 0 -# define EC_F_ECP_NISTZ256_PRE_COMP_NEW 0 -# define EC_F_ECP_NISTZ256_WINDOWED_MUL 0 -# define EC_F_ECX_KEY_OP 0 -# define EC_F_ECX_PRIV_ENCODE 0 -# define EC_F_ECX_PUB_ENCODE 0 -# define EC_F_EC_ASN1_GROUP2CURVE 0 -# define EC_F_EC_ASN1_GROUP2FIELDID 0 -# define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY 0 -# define EC_F_EC_GF2M_SIMPLE_FIELD_INV 0 -# define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT 0 -# define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE 0 -# define EC_F_EC_GF2M_SIMPLE_LADDER_POST 0 -# define EC_F_EC_GF2M_SIMPLE_LADDER_PRE 0 -# define EC_F_EC_GF2M_SIMPLE_OCT2POINT 0 -# define EC_F_EC_GF2M_SIMPLE_POINT2OCT 0 -# define EC_F_EC_GF2M_SIMPLE_POINTS_MUL 0 -# define EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES 0 -# define EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES 0 -# define EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES 0 -# define EC_F_EC_GFP_MONT_FIELD_DECODE 0 -# define EC_F_EC_GFP_MONT_FIELD_ENCODE 0 -# define EC_F_EC_GFP_MONT_FIELD_INV 0 -# define EC_F_EC_GFP_MONT_FIELD_MUL 0 -# define EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE 0 -# define EC_F_EC_GFP_MONT_FIELD_SQR 0 -# define EC_F_EC_GFP_MONT_GROUP_SET_CURVE 0 -# define EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE 0 -# define EC_F_EC_GFP_NISTP224_POINTS_MUL 0 -# define EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES 0 -# define EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE 0 -# define EC_F_EC_GFP_NISTP256_POINTS_MUL 0 -# define EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES 0 -# define EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE 0 -# define EC_F_EC_GFP_NISTP521_POINTS_MUL 0 -# define EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES 0 -# define EC_F_EC_GFP_NIST_FIELD_MUL 0 -# define EC_F_EC_GFP_NIST_FIELD_SQR 0 -# define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 0 -# define EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES 0 -# define EC_F_EC_GFP_SIMPLE_FIELD_INV 0 -# define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT 0 -# define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE 0 -# define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 0 -# define EC_F_EC_GFP_SIMPLE_OCT2POINT 0 -# define EC_F_EC_GFP_SIMPLE_POINT2OCT 0 -# define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE 0 -# define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES 0 -# define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES 0 -# define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES 0 -# define EC_F_EC_GROUP_CHECK 0 -# define EC_F_EC_GROUP_CHECK_DISCRIMINANT 0 -# define EC_F_EC_GROUP_CHECK_NAMED_CURVE 0 -# define EC_F_EC_GROUP_COPY 0 -# define EC_F_EC_GROUP_GET_CURVE 0 -# define EC_F_EC_GROUP_GET_CURVE_GF2M 0 -# define EC_F_EC_GROUP_GET_CURVE_GFP 0 -# define EC_F_EC_GROUP_GET_DEGREE 0 -# define EC_F_EC_GROUP_GET_ECPARAMETERS 0 -# define EC_F_EC_GROUP_GET_ECPKPARAMETERS 0 -# define EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS 0 -# define EC_F_EC_GROUP_GET_TRINOMIAL_BASIS 0 -# define EC_F_EC_GROUP_NEW 0 -# define EC_F_EC_GROUP_NEW_BY_CURVE_NAME 0 -# define EC_F_EC_GROUP_NEW_EX 0 -# define EC_F_EC_GROUP_NEW_FROM_DATA 0 -# define EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS 0 -# define EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS 0 -# define EC_F_EC_GROUP_SET_CURVE 0 -# define EC_F_EC_GROUP_SET_CURVE_GF2M 0 -# define EC_F_EC_GROUP_SET_CURVE_GFP 0 -# define EC_F_EC_GROUP_SET_GENERATOR 0 -# define EC_F_EC_GROUP_SET_SEED 0 -# define EC_F_EC_KEY_CHECK_KEY 0 -# define EC_F_EC_KEY_COPY 0 -# define EC_F_EC_KEY_GENERATE_KEY 0 -# define EC_F_EC_KEY_NEW 0 -# define EC_F_EC_KEY_NEW_METHOD 0 -# define EC_F_EC_KEY_NEW_METHOD_INT 0 -# define EC_F_EC_KEY_OCT2PRIV 0 -# define EC_F_EC_KEY_PRINT 0 -# define EC_F_EC_KEY_PRINT_FP 0 -# define EC_F_EC_KEY_PRIV2BUF 0 -# define EC_F_EC_KEY_PRIV2OCT 0 -# define EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 0 -# define EC_F_EC_KEY_SIMPLE_CHECK_KEY 0 -# define EC_F_EC_KEY_SIMPLE_OCT2PRIV 0 -# define EC_F_EC_KEY_SIMPLE_PRIV2OCT 0 -# define EC_F_EC_PKEY_CHECK 0 -# define EC_F_EC_PKEY_PARAM_CHECK 0 -# define EC_F_EC_POINTS_MAKE_AFFINE 0 -# define EC_F_EC_POINTS_MUL 0 -# define EC_F_EC_POINT_ADD 0 -# define EC_F_EC_POINT_BN2POINT 0 -# define EC_F_EC_POINT_CMP 0 -# define EC_F_EC_POINT_COPY 0 -# define EC_F_EC_POINT_DBL 0 -# define EC_F_EC_POINT_GET_AFFINE_COORDINATES 0 -# define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M 0 -# define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP 0 -# define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP 0 -# define EC_F_EC_POINT_INVERT 0 -# define EC_F_EC_POINT_IS_AT_INFINITY 0 -# define EC_F_EC_POINT_IS_ON_CURVE 0 -# define EC_F_EC_POINT_MAKE_AFFINE 0 -# define EC_F_EC_POINT_MUL 0 -# define EC_F_EC_POINT_NEW 0 -# define EC_F_EC_POINT_OCT2POINT 0 -# define EC_F_EC_POINT_POINT2BUF 0 -# define EC_F_EC_POINT_POINT2OCT 0 -# define EC_F_EC_POINT_SET_AFFINE_COORDINATES 0 -# define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M 0 -# define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP 0 -# define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES 0 -# define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M 0 -# define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP 0 -# define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP 0 -# define EC_F_EC_POINT_SET_TO_INFINITY 0 -# define EC_F_EC_PRE_COMP_NEW 0 -# define EC_F_EC_SCALAR_MUL_LADDER 0 -# define EC_F_EC_WNAF_MUL 0 -# define EC_F_EC_WNAF_PRECOMPUTE_MULT 0 -# define EC_F_I2D_ECPARAMETERS 0 -# define EC_F_I2D_ECPKPARAMETERS 0 -# define EC_F_I2D_ECPRIVATEKEY 0 -# define EC_F_I2O_ECPUBLICKEY 0 -# define EC_F_NISTP224_PRE_COMP_NEW 0 -# define EC_F_NISTP256_PRE_COMP_NEW 0 -# define EC_F_NISTP521_PRE_COMP_NEW 0 -# define EC_F_O2I_ECPUBLICKEY 0 -# define EC_F_OLD_EC_PRIV_DECODE 0 -# define EC_F_OSSL_ECDH_COMPUTE_KEY 0 -# define EC_F_OSSL_ECDSA_SIGN_SETUP 0 -# define EC_F_OSSL_ECDSA_SIGN_SIG 0 -# define EC_F_OSSL_ECDSA_VERIFY_SIG 0 -# define EC_F_PKEY_ECD_CTRL 0 -# define EC_F_PKEY_ECD_DIGESTSIGN 0 -# define EC_F_PKEY_ECD_DIGESTSIGN25519 0 -# define EC_F_PKEY_ECD_DIGESTSIGN448 0 -# define EC_F_PKEY_ECX_DERIVE 0 -# define EC_F_PKEY_EC_CTRL 0 -# define EC_F_PKEY_EC_CTRL_STR 0 -# define EC_F_PKEY_EC_DERIVE 0 -# define EC_F_PKEY_EC_INIT 0 -# define EC_F_PKEY_EC_KDF_DERIVE 0 -# define EC_F_PKEY_EC_KEYGEN 0 -# define EC_F_PKEY_EC_PARAMGEN 0 -# define EC_F_PKEY_EC_SIGN 0 -# define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519 0 -# define EC_F_S390X_PKEY_ECD_DIGESTSIGN448 0 -# define EC_F_S390X_PKEY_ECD_KEYGEN25519 0 -# define EC_F_S390X_PKEY_ECD_KEYGEN448 0 -# define EC_F_S390X_PKEY_ECX_KEYGEN25519 0 -# define EC_F_S390X_PKEY_ECX_KEYGEN448 0 -# define EC_F_VALIDATE_ECX_DERIVE 0 -# endif - /* * EC reason codes. */ diff --git a/include/openssl/encodererr.h b/include/openssl/encodererr.h index bef68d3adb..4f594c48f3 100644 --- a/include/openssl/encodererr.h +++ b/include/openssl/encodererr.h @@ -18,12 +18,6 @@ -/* - * OSSL_ENCODER function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# endif - /* * OSSL_ENCODER reason codes. */ diff --git a/include/openssl/engineerr.h b/include/openssl/engineerr.h index 718882603d..1a1798fb17 100644 --- a/include/openssl/engineerr.h +++ b/include/openssl/engineerr.h @@ -20,52 +20,6 @@ # ifndef OPENSSL_NO_ENGINE -/* - * ENGINE function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define ENGINE_F_DIGEST_UPDATE 0 -# define ENGINE_F_DYNAMIC_CTRL 0 -# define ENGINE_F_DYNAMIC_GET_DATA_CTX 0 -# define ENGINE_F_DYNAMIC_LOAD 0 -# define ENGINE_F_DYNAMIC_SET_DATA_CTX 0 -# define ENGINE_F_ENGINE_ADD 0 -# define ENGINE_F_ENGINE_BY_ID 0 -# define ENGINE_F_ENGINE_CMD_IS_EXECUTABLE 0 -# define ENGINE_F_ENGINE_CTRL 0 -# define ENGINE_F_ENGINE_CTRL_CMD 0 -# define ENGINE_F_ENGINE_CTRL_CMD_STRING 0 -# define ENGINE_F_ENGINE_FINISH 0 -# define ENGINE_F_ENGINE_GET_CIPHER 0 -# define ENGINE_F_ENGINE_GET_DIGEST 0 -# define ENGINE_F_ENGINE_GET_FIRST 0 -# define ENGINE_F_ENGINE_GET_LAST 0 -# define ENGINE_F_ENGINE_GET_NEXT 0 -# define ENGINE_F_ENGINE_GET_PKEY_ASN1_METH 0 -# define ENGINE_F_ENGINE_GET_PKEY_METH 0 -# define ENGINE_F_ENGINE_GET_PREV 0 -# define ENGINE_F_ENGINE_INIT 0 -# define ENGINE_F_ENGINE_LIST_ADD 0 -# define ENGINE_F_ENGINE_LIST_REMOVE 0 -# define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY 0 -# define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY 0 -# define ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT 0 -# define ENGINE_F_ENGINE_NEW 0 -# define ENGINE_F_ENGINE_PKEY_ASN1_FIND_STR 0 -# define ENGINE_F_ENGINE_REMOVE 0 -# define ENGINE_F_ENGINE_SET_DEFAULT_STRING 0 -# define ENGINE_F_ENGINE_SET_ID 0 -# define ENGINE_F_ENGINE_SET_NAME 0 -# define ENGINE_F_ENGINE_TABLE_REGISTER 0 -# define ENGINE_F_ENGINE_UNLOCKED_FINISH 0 -# define ENGINE_F_ENGINE_UP_REF 0 -# define ENGINE_F_INT_CLEANUP_ITEM 0 -# define ENGINE_F_INT_CTRL_HELPER 0 -# define ENGINE_F_INT_ENGINE_CONFIGURE 0 -# define ENGINE_F_INT_ENGINE_MODULE_INIT 0 -# define ENGINE_F_OSSL_HMAC_INIT 0 -# endif - /* * ENGINE reason codes. */ diff --git a/include/openssl/esserr.h b/include/openssl/esserr.h index ec69b56dfe..e8f031f634 100644 --- a/include/openssl/esserr.h +++ b/include/openssl/esserr.h @@ -18,18 +18,6 @@ -/* - * ESS function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define ESS_F_ESS_CERT_ID_NEW_INIT 0 -# define ESS_F_ESS_CERT_ID_V2_NEW_INIT 0 -# define ESS_F_ESS_SIGNING_CERT_ADD 0 -# define ESS_F_ESS_SIGNING_CERT_NEW_INIT 0 -# define ESS_F_ESS_SIGNING_CERT_V2_ADD 0 -# define ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT 0 -# endif - /* * ESS reason codes. */ diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index 29a373d4c2..48aa10b84a 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -18,143 +18,6 @@ -/* - * EVP function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define EVP_F_AESNI_INIT_KEY 0 -# define EVP_F_AESNI_XTS_INIT_KEY 0 -# define EVP_F_AES_GCM_CTRL 0 -# define EVP_F_AES_GCM_TLS_CIPHER 0 -# define EVP_F_AES_INIT_KEY 0 -# define EVP_F_AES_OCB_CIPHER 0 -# define EVP_F_AES_T4_INIT_KEY 0 -# define EVP_F_AES_T4_XTS_INIT_KEY 0 -# define EVP_F_AES_WRAP_CIPHER 0 -# define EVP_F_AES_XTS_CIPHER 0 -# define EVP_F_AES_XTS_INIT_KEY 0 -# define EVP_F_ALG_MODULE_INIT 0 -# define EVP_F_ARIA_CCM_INIT_KEY 0 -# define EVP_F_ARIA_GCM_CTRL 0 -# define EVP_F_ARIA_GCM_INIT_KEY 0 -# define EVP_F_ARIA_INIT_KEY 0 -# define EVP_F_B64_NEW 0 -# define EVP_F_CAMELLIA_INIT_KEY 0 -# define EVP_F_CHACHA20_POLY1305_CTRL 0 -# define EVP_F_CMLL_T4_INIT_KEY 0 -# define EVP_F_DES_EDE3_WRAP_CIPHER 0 -# define EVP_F_DO_SIGVER_INIT 0 -# define EVP_F_ENC_NEW 0 -# define EVP_F_EVP_CIPHERINIT_EX 0 -# define EVP_F_EVP_CIPHER_ASN1_TO_PARAM 0 -# define EVP_F_EVP_CIPHER_CTX_COPY 0 -# define EVP_F_EVP_CIPHER_CTX_CTRL 0 -# define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 0 -# define EVP_F_EVP_CIPHER_CTX_SET_PADDING 0 -# define EVP_F_EVP_CIPHER_FROM_DISPATCH 0 -# define EVP_F_EVP_CIPHER_MODE 0 -# define EVP_F_EVP_CIPHER_PARAM_TO_ASN1 0 -# define EVP_F_EVP_DECRYPTFINAL_EX 0 -# define EVP_F_EVP_DECRYPTUPDATE 0 -# define EVP_F_EVP_DIGESTFINALXOF 0 -# define EVP_F_EVP_DIGESTFINAL_EX 0 -# define EVP_F_EVP_DIGESTINIT_EX 0 -# define EVP_F_EVP_DIGESTUPDATE 0 -# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 0 -# define EVP_F_EVP_ENCRYPTFINAL_EX 0 -# define EVP_F_EVP_ENCRYPTUPDATE 0 -# define EVP_F_EVP_KDF_CTX_DUP 0 -# define EVP_F_EVP_KDF_CTX_NEW 0 -# define EVP_F_EVP_KEYEXCH_FETCH 0 -# define EVP_F_EVP_KEYEXCH_FROM_DISPATCH 0 -# define EVP_F_EVP_MAC_CTRL 0 -# define EVP_F_EVP_MAC_CTRL_STR 0 -# define EVP_F_EVP_MAC_CTX_DUP 0 -# define EVP_F_EVP_MAC_CTX_NEW 0 -# define EVP_F_EVP_MAC_INIT 0 -# define EVP_F_EVP_MD_BLOCK_SIZE 0 -# define EVP_F_EVP_MD_CTX_COPY_EX 0 -# define EVP_F_EVP_MD_SIZE 0 -# define EVP_F_EVP_OPENINIT 0 -# define EVP_F_EVP_PBE_ALG_ADD 0 -# define EVP_F_EVP_PBE_ALG_ADD_TYPE 0 -# define EVP_F_EVP_PBE_CIPHERINIT 0 -# define EVP_F_EVP_PBE_SCRYPT 0 -# define EVP_F_EVP_PKCS82PKEY 0 -# define EVP_F_EVP_PKEY2PKCS8 0 -# define EVP_F_EVP_PKEY_ASN1_ADD0 0 -# define EVP_F_EVP_PKEY_CHECK 0 -# define EVP_F_EVP_PKEY_COPY_PARAMETERS 0 -# define EVP_F_EVP_PKEY_CTX_CTRL 0 -# define EVP_F_EVP_PKEY_CTX_CTRL_STR 0 -# define EVP_F_EVP_PKEY_CTX_DUP 0 -# define EVP_F_EVP_PKEY_CTX_MD 0 -# define EVP_F_EVP_PKEY_DECRYPT 0 -# define EVP_F_EVP_PKEY_DECRYPT_INIT 0 -# define EVP_F_EVP_PKEY_DECRYPT_OLD 0 -# define EVP_F_EVP_PKEY_DERIVE 0 -# define EVP_F_EVP_PKEY_DERIVE_INIT 0 -# define EVP_F_EVP_PKEY_DERIVE_INIT_EX 0 -# define EVP_F_EVP_PKEY_DERIVE_SET_PEER 0 -# define EVP_F_EVP_PKEY_ENCRYPT 0 -# define EVP_F_EVP_PKEY_ENCRYPT_INIT 0 -# define EVP_F_EVP_PKEY_ENCRYPT_OLD 0 -# define EVP_F_EVP_PKEY_GET0_DH 0 -# define EVP_F_EVP_PKEY_GET0_DSA 0 -# define EVP_F_EVP_PKEY_GET0_ECX_KEY 0 -# define EVP_F_EVP_PKEY_GET0_EC_KEY 0 -# define EVP_F_EVP_PKEY_GET0_HMAC 0 -# define EVP_F_EVP_PKEY_GET0_POLY1305 0 -# define EVP_F_EVP_PKEY_GET0_RSA 0 -# define EVP_F_EVP_PKEY_GET0_SIPHASH 0 -# define EVP_F_EVP_PKEY_GET_RAW_PRIVATE_KEY 0 -# define EVP_F_EVP_PKEY_GET_RAW_PUBLIC_KEY 0 -# define EVP_F_EVP_PKEY_KEYGEN 0 -# define EVP_F_EVP_PKEY_KEYGEN_INIT 0 -# define EVP_F_EVP_PKEY_METH_ADD0 0 -# define EVP_F_EVP_PKEY_METH_NEW 0 -# define EVP_F_EVP_PKEY_NEW 0 -# define EVP_F_EVP_PKEY_NEW_CMAC_KEY 0 -# define EVP_F_EVP_PKEY_NEW_RAW_PRIVATE_KEY 0 -# define EVP_F_EVP_PKEY_NEW_RAW_PUBLIC_KEY 0 -# define EVP_F_EVP_PKEY_PARAMGEN 0 -# define EVP_F_EVP_PKEY_PARAMGEN_INIT 0 -# define EVP_F_EVP_PKEY_PARAM_CHECK 0 -# define EVP_F_EVP_PKEY_PUBLIC_CHECK 0 -# define EVP_F_EVP_PKEY_SET1_ENGINE 0 -# define EVP_F_EVP_PKEY_SET_ALIAS_TYPE 0 -# define EVP_F_EVP_PKEY_SIGN 0 -# define EVP_F_EVP_PKEY_SIGN_INIT 0 -# define EVP_F_EVP_PKEY_VERIFY 0 -# define EVP_F_EVP_PKEY_VERIFY_INIT 0 -# define EVP_F_EVP_PKEY_VERIFY_RECOVER 0 -# define EVP_F_EVP_PKEY_VERIFY_RECOVER_INIT 0 -# define EVP_F_EVP_SET_DEFAULT_PROPERTIES 0 -# define EVP_F_EVP_SIGNFINAL 0 -# define EVP_F_EVP_VERIFYFINAL 0 -# define EVP_F_GMAC_CTRL 0 -# define EVP_F_INT_CTX_NEW 0 -# define EVP_F_KMAC_CTRL 0 -# define EVP_F_KMAC_INIT 0 -# define EVP_F_OK_NEW 0 -# define EVP_F_PKCS5_PBE_KEYIVGEN 0 -# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 0 -# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 0 -# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 0 -# define EVP_F_PKEY_KDF_CTRL 0 -# define EVP_F_PKEY_MAC_COPY 0 -# define EVP_F_PKEY_MAC_INIT 0 -# define EVP_F_PKEY_SET_TYPE 0 -# define EVP_F_POLY1305_CTRL 0 -# define EVP_F_RC2_MAGIC_TO_METH 0 -# define EVP_F_RC5_CTRL 0 -# define EVP_F_R_32_12_16_INIT_KEY 0 -# define EVP_F_S390X_AES_GCM_CTRL 0 -# define EVP_F_S390X_AES_GCM_TLS_CIPHER 0 -# define EVP_F_SCRYPT_ALG 0 -# define EVP_F_UPDATE 0 -# endif - /* * EVP reason codes. */ diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h index 716feac39b..2ea4fa6c13 100644 --- a/include/openssl/httperr.h +++ b/include/openssl/httperr.h @@ -18,12 +18,6 @@ -/* - * HTTP function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# endif - /* * HTTP reason codes. */ diff --git a/include/openssl/objectserr.h b/include/openssl/objectserr.h index aa61f83115..82aaa99c03 100644 --- a/include/openssl/objectserr.h +++ b/include/openssl/objectserr.h @@ -18,21 +18,6 @@ -/* - * OBJ function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define OBJ_F_OBJ_ADD_OBJECT 0 -# define OBJ_F_OBJ_ADD_SIGID 0 -# define OBJ_F_OBJ_CREATE 0 -# define OBJ_F_OBJ_DUP 0 -# define OBJ_F_OBJ_NAME_NEW_INDEX 0 -# define OBJ_F_OBJ_NID2LN 0 -# define OBJ_F_OBJ_NID2OBJ 0 -# define OBJ_F_OBJ_NID2SN 0 -# define OBJ_F_OBJ_TXT2OBJ 0 -# endif - /* * OBJ reason codes. */ diff --git a/include/openssl/ocsperr.h b/include/openssl/ocsperr.h index fc25908cf9..3fb7aca7c4 100644 --- a/include/openssl/ocsperr.h +++ b/include/openssl/ocsperr.h @@ -20,26 +20,6 @@ # ifndef OPENSSL_NO_OCSP -/* - * OCSP function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define OCSP_F_D2I_OCSP_NONCE 0 -# define OCSP_F_OCSP_BASIC_ADD1_STATUS 0 -# define OCSP_F_OCSP_BASIC_SIGN 0 -# define OCSP_F_OCSP_BASIC_SIGN_CTX 0 -# define OCSP_F_OCSP_BASIC_VERIFY 0 -# define OCSP_F_OCSP_CERT_ID_NEW 0 -# define OCSP_F_OCSP_CHECK_DELEGATED 0 -# define OCSP_F_OCSP_CHECK_IDS 0 -# define OCSP_F_OCSP_CHECK_ISSUER 0 -# define OCSP_F_OCSP_CHECK_VALIDITY 0 -# define OCSP_F_OCSP_MATCH_ISSUERID 0 -# define OCSP_F_OCSP_REQUEST_SIGN 0 -# define OCSP_F_OCSP_REQUEST_VERIFY 0 -# define OCSP_F_OCSP_RESPONSE_GET1_BASIC 0 -# endif - /* * OCSP reason codes. */ diff --git a/include/openssl/pemerr.h b/include/openssl/pemerr.h index f9b9853431..57387aee31 100644 --- a/include/openssl/pemerr.h +++ b/include/openssl/pemerr.h @@ -18,54 +18,6 @@ -/* - * PEM function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define PEM_F_B2I_DSS 0 -# define PEM_F_B2I_PVK_BIO 0 -# define PEM_F_B2I_RSA 0 -# define PEM_F_CHECK_BITLEN_DSA 0 -# define PEM_F_CHECK_BITLEN_RSA 0 -# define PEM_F_D2I_PKCS8PRIVATEKEY_BIO 0 -# define PEM_F_D2I_PKCS8PRIVATEKEY_FP 0 -# define PEM_F_DO_B2I 0 -# define PEM_F_DO_B2I_BIO 0 -# define PEM_F_DO_I2B 0 -# define PEM_F_DO_PK8PKEY 0 -# define PEM_F_DO_PK8PKEY_FP 0 -# define PEM_F_DO_PVK_BODY 0 -# define PEM_F_GET_HEADER_AND_DATA 0 -# define PEM_F_GET_NAME 0 -# define PEM_F_I2B_PVK 0 -# define PEM_F_I2B_PVK_BIO 0 -# define PEM_F_LOAD_IV 0 -# define PEM_F_OSSL_DO_BLOB_HEADER 0 -# define PEM_F_OSSL_DO_PVK_HEADER 0 -# define PEM_F_PEM_ASN1_READ 0 -# define PEM_F_PEM_ASN1_READ_BIO 0 -# define PEM_F_PEM_ASN1_WRITE 0 -# define PEM_F_PEM_ASN1_WRITE_BIO 0 -# define PEM_F_PEM_DEF_CALLBACK 0 -# define PEM_F_PEM_DO_HEADER 0 -# define PEM_F_PEM_GET_EVP_CIPHER_INFO 0 -# define PEM_F_PEM_READ 0 -# define PEM_F_PEM_READ_BIO 0 -# define PEM_F_PEM_READ_BIO_DHPARAMS 0 -# define PEM_F_PEM_READ_BIO_EX 0 -# define PEM_F_PEM_READ_BIO_PARAMETERS 0 -# define PEM_F_PEM_READ_BIO_PRIVATEKEY 0 -# define PEM_F_PEM_READ_DHPARAMS 0 -# define PEM_F_PEM_READ_PRIVATEKEY 0 -# define PEM_F_PEM_SIGNFINAL 0 -# define PEM_F_PEM_WRITE 0 -# define PEM_F_PEM_WRITE_BIO 0 -# define PEM_F_PEM_WRITE_PRIVATEKEY 0 -# define PEM_F_PEM_X509_INFO_READ 0 -# define PEM_F_PEM_X509_INFO_READ_BIO 0 -# define PEM_F_PEM_X509_INFO_WRITE_BIO 0 -# endif - /* * PEM reason codes. */ diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h index d5e902e14c..491194f01f 100644 --- a/include/openssl/pkcs12err.h +++ b/include/openssl/pkcs12err.h @@ -18,42 +18,6 @@ -/* - * PKCS12 function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define PKCS12_F_OPENSSL_ASC2UNI 0 -# define PKCS12_F_OPENSSL_UNI2ASC 0 -# define PKCS12_F_OPENSSL_UNI2UTF8 0 -# define PKCS12_F_OPENSSL_UTF82UNI 0 -# define PKCS12_F_PKCS12_CREATE 0 -# define PKCS12_F_PKCS12_GEN_MAC 0 -# define PKCS12_F_PKCS12_INIT 0 -# define PKCS12_F_PKCS12_ITEM_DECRYPT_D2I 0 -# define PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT 0 -# define PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG 0 -# define PKCS12_F_PKCS12_KEY_GEN_ASC 0 -# define PKCS12_F_PKCS12_KEY_GEN_UNI 0 -# define PKCS12_F_PKCS12_KEY_GEN_UTF8 0 -# define PKCS12_F_PKCS12_NEWPASS 0 -# define PKCS12_F_PKCS12_PACK_P7DATA 0 -# define PKCS12_F_PKCS12_PACK_P7ENCDATA 0 -# define PKCS12_F_PKCS12_PARSE 0 -# define PKCS12_F_PKCS12_PBE_CRYPT 0 -# define PKCS12_F_PKCS12_PBE_KEYIVGEN 0 -# define PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF 0 -# define PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8 0 -# define PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT 0 -# define PKCS12_F_PKCS12_SAFEBAG_CREATE_SECRET 0 -# define PKCS12_F_PKCS12_SETUP_MAC 0 -# define PKCS12_F_PKCS12_SET_MAC 0 -# define PKCS12_F_PKCS12_UNPACK_AUTHSAFES 0 -# define PKCS12_F_PKCS12_UNPACK_P7DATA 0 -# define PKCS12_F_PKCS12_VERIFY_MAC 0 -# define PKCS12_F_PKCS8_ENCRYPT 0 -# define PKCS12_F_PKCS8_SET0_PBE 0 -# endif - /* * PKCS12 reason codes. */ diff --git a/include/openssl/pkcs7err.h b/include/openssl/pkcs7err.h index f212c5f308..8b65aa0670 100644 --- a/include/openssl/pkcs7err.h +++ b/include/openssl/pkcs7err.h @@ -18,46 +18,6 @@ -/* - * PKCS7 function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define PKCS7_F_DO_PKCS7_SIGNED_ATTRIB 0 -# define PKCS7_F_PKCS7_ADD0_ATTRIB_SIGNING_TIME 0 -# define PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP 0 -# define PKCS7_F_PKCS7_ADD_CERTIFICATE 0 -# define PKCS7_F_PKCS7_ADD_CRL 0 -# define PKCS7_F_PKCS7_ADD_RECIPIENT_INFO 0 -# define PKCS7_F_PKCS7_ADD_SIGNATURE 0 -# define PKCS7_F_PKCS7_ADD_SIGNER 0 -# define PKCS7_F_PKCS7_BIO_ADD_DIGEST 0 -# define PKCS7_F_PKCS7_COPY_EXISTING_DIGEST 0 -# define PKCS7_F_PKCS7_CTRL 0 -# define PKCS7_F_PKCS7_DATADECODE 0 -# define PKCS7_F_PKCS7_DATAFINAL 0 -# define PKCS7_F_PKCS7_DATAINIT 0 -# define PKCS7_F_PKCS7_DATAVERIFY 0 -# define PKCS7_F_PKCS7_DECRYPT 0 -# define PKCS7_F_PKCS7_DECRYPT_RINFO 0 -# define PKCS7_F_PKCS7_ENCODE_RINFO 0 -# define PKCS7_F_PKCS7_ENCRYPT 0 -# define PKCS7_F_PKCS7_FINAL 0 -# define PKCS7_F_PKCS7_FIND_DIGEST 0 -# define PKCS7_F_PKCS7_GET0_SIGNERS 0 -# define PKCS7_F_PKCS7_RECIP_INFO_SET 0 -# define PKCS7_F_PKCS7_SET_CIPHER 0 -# define PKCS7_F_PKCS7_SET_CONTENT 0 -# define PKCS7_F_PKCS7_SET_DIGEST 0 -# define PKCS7_F_PKCS7_SET_TYPE 0 -# define PKCS7_F_PKCS7_SIGN 0 -# define PKCS7_F_PKCS7_SIGNATUREVERIFY 0 -# define PKCS7_F_PKCS7_SIGNER_INFO_SET 0 -# define PKCS7_F_PKCS7_SIGNER_INFO_SIGN 0 -# define PKCS7_F_PKCS7_SIGN_ADD_SIGNER 0 -# define PKCS7_F_PKCS7_SIMPLE_SMIMECAP 0 -# define PKCS7_F_PKCS7_VERIFY 0 -# endif - /* * PKCS7 reason codes. */ diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h index 34da4ec231..fb378b9fc8 100644 --- a/include/openssl/randerr.h +++ b/include/openssl/randerr.h @@ -18,36 +18,6 @@ -/* - * RAND function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define RAND_F_DRBG_BYTES 0 -# define RAND_F_DRBG_CTR_INIT 0 -# define RAND_F_DRBG_GET_ENTROPY 0 -# define RAND_F_DRBG_SETUP 0 -# define RAND_F_GET_ENTROPY 0 -# define RAND_F_RAND_BYTES 0 -# define RAND_F_RAND_BYTES_EX 0 -# define RAND_F_RAND_DRBG_ENABLE_LOCKING 0 -# define RAND_F_RAND_DRBG_GET_ENTROPY 0 -# define RAND_F_RAND_DRBG_GET_NONCE 0 -# define RAND_F_RAND_DRBG_INIT_METHOD 0 -# define RAND_F_RAND_DRBG_RESTART 0 -# define RAND_F_RAND_LOAD_FILE 0 -# define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 0 -# define RAND_F_RAND_POOL_ADD 0 -# define RAND_F_RAND_POOL_ADD_BEGIN 0 -# define RAND_F_RAND_POOL_ADD_END 0 -# define RAND_F_RAND_POOL_ATTACH 0 -# define RAND_F_RAND_POOL_BYTES_NEEDED 0 -# define RAND_F_RAND_POOL_GROW 0 -# define RAND_F_RAND_POOL_NEW 0 -# define RAND_F_RAND_PRIV_BYTES_EX 0 -# define RAND_F_RAND_PSEUDO_BYTES 0 -# define RAND_F_RAND_WRITE_FILE 0 -# endif - /* * RAND reason codes. */ diff --git a/include/openssl/rsaerr.h b/include/openssl/rsaerr.h index c1b983e2e4..456082a60d 100644 --- a/include/openssl/rsaerr.h +++ b/include/openssl/rsaerr.h @@ -18,75 +18,6 @@ -/* - * RSA function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define RSA_F_CHECK_PADDING_MD 0 -# define RSA_F_ENCODE_PKCS1 0 -# define RSA_F_INT_RSA_VERIFY 0 -# define RSA_F_OLD_RSA_PRIV_DECODE 0 -# define RSA_F_PKEY_PSS_INIT 0 -# define RSA_F_PKEY_RSA_CTRL 0 -# define RSA_F_PKEY_RSA_CTRL_STR 0 -# define RSA_F_PKEY_RSA_SIGN 0 -# define RSA_F_PKEY_RSA_VERIFY 0 -# define RSA_F_PKEY_RSA_VERIFYRECOVER 0 -# define RSA_F_RSA_ALGOR_TO_MD 0 -# define RSA_F_RSA_BUILTIN_KEYGEN 0 -# define RSA_F_RSA_CHECK_KEY 0 -# define RSA_F_RSA_CHECK_KEY_EX 0 -# define RSA_F_RSA_CMS_DECRYPT 0 -# define RSA_F_RSA_CMS_VERIFY 0 -# define RSA_F_RSA_ITEM_VERIFY 0 -# define RSA_F_RSA_METH_DUP 0 -# define RSA_F_RSA_METH_NEW 0 -# define RSA_F_RSA_METH_SET1_NAME 0 -# define RSA_F_RSA_MGF1_TO_MD 0 -# define RSA_F_RSA_MULTIP_INFO_NEW 0 -# define RSA_F_RSA_NEW_METHOD 0 -# define RSA_F_RSA_NULL 0 -# define RSA_F_RSA_NULL_PRIVATE_DECRYPT 0 -# define RSA_F_RSA_NULL_PRIVATE_ENCRYPT 0 -# define RSA_F_RSA_NULL_PUBLIC_DECRYPT 0 -# define RSA_F_RSA_NULL_PUBLIC_ENCRYPT 0 -# define RSA_F_RSA_OSSL_PRIVATE_DECRYPT 0 -# define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT 0 -# define RSA_F_RSA_OSSL_PUBLIC_DECRYPT 0 -# define RSA_F_RSA_OSSL_PUBLIC_ENCRYPT 0 -# define RSA_F_RSA_PADDING_ADD_NONE 0 -# define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 0 -# define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 0 -# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 0 -# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 0 -# define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 0 -# define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 0 -# define RSA_F_RSA_PADDING_ADD_SSLV23 0 -# define RSA_F_RSA_PADDING_ADD_X931 0 -# define RSA_F_RSA_PADDING_CHECK_NONE 0 -# define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 0 -# define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1 0 -# define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 0 -# define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 0 -# define RSA_F_RSA_PADDING_CHECK_SSLV23 0 -# define RSA_F_RSA_PADDING_CHECK_X931 0 -# define RSA_F_RSA_PARAM_DECODE 0 -# define RSA_F_RSA_PRINT 0 -# define RSA_F_RSA_PRINT_FP 0 -# define RSA_F_RSA_PRIV_DECODE 0 -# define RSA_F_RSA_PRIV_ENCODE 0 -# define RSA_F_RSA_PSS_GET_PARAM 0 -# define RSA_F_RSA_PSS_TO_CTX 0 -# define RSA_F_RSA_PUB_DECODE 0 -# define RSA_F_RSA_SETUP_BLINDING 0 -# define RSA_F_RSA_SIGN 0 -# define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 0 -# define RSA_F_RSA_VERIFY 0 -# define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 0 -# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 0 -# define RSA_F_SETUP_TBUF 0 -# endif - /* * RSA reason codes. */ diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 574fe146fe..27664afd58 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -18,443 +18,6 @@ -/* - * SSL function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_F_ADD_CLIENT_KEY_SHARE_EXT 0 -# define SSL_F_ADD_KEY_SHARE 0 -# define SSL_F_BYTES_TO_CIPHER_LIST 0 -# define SSL_F_CHECK_SUITEB_CIPHER_LIST 0 -# define SSL_F_CIPHERSUITE_CB 0 -# define SSL_F_CONSTRUCT_CA_NAMES 0 -# define SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS 0 -# define SSL_F_CONSTRUCT_STATEFUL_TICKET 0 -# define SSL_F_CONSTRUCT_STATELESS_TICKET 0 -# define SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH 0 -# define SSL_F_CREATE_TICKET_PREQUEL 0 -# define SSL_F_CT_MOVE_SCTS 0 -# define SSL_F_CT_STRICT 0 -# define SSL_F_CUSTOM_EXT_ADD 0 -# define SSL_F_CUSTOM_EXT_PARSE 0 -# define SSL_F_D2I_SSL_SESSION 0 -# define SSL_F_DANE_CTX_ENABLE 0 -# define SSL_F_DANE_MTYPE_SET 0 -# define SSL_F_DANE_TLSA_ADD 0 -# define SSL_F_DERIVE_SECRET_KEY_AND_IV 0 -# define SSL_F_DO_DTLS1_WRITE 0 -# define SSL_F_DO_SSL3_WRITE 0 -# define SSL_F_DTLS1_BUFFER_RECORD 0 -# define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 0 -# define SSL_F_DTLS1_HM_FRAGMENT_NEW 0 -# define SSL_F_DTLS1_PREPROCESS_FRAGMENT 0 -# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 0 -# define SSL_F_DTLS1_PROCESS_RECORD 0 -# define SSL_F_DTLS1_READ_BYTES 0 -# define SSL_F_DTLS1_READ_FAILED 0 -# define SSL_F_DTLS1_RETRANSMIT_MESSAGE 0 -# define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 0 -# define SSL_F_DTLS1_WRITE_BYTES 0 -# define SSL_F_DTLSV1_LISTEN 0 -# define SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC 0 -# define SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST 0 -# define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE 0 -# define SSL_F_DTLS_PROCESS_HELLO_VERIFY 0 -# define SSL_F_DTLS_RECORD_LAYER_NEW 0 -# define SSL_F_DTLS_WAIT_FOR_DRY 0 -# define SSL_F_EARLY_DATA_COUNT_OK 0 -# define SSL_F_FINAL_EARLY_DATA 0 -# define SSL_F_FINAL_EC_PT_FORMATS 0 -# define SSL_F_FINAL_EMS 0 -# define SSL_F_FINAL_KEY_SHARE 0 -# define SSL_F_FINAL_MAXFRAGMENTLEN 0 -# define SSL_F_FINAL_RENEGOTIATE 0 -# define SSL_F_FINAL_SERVER_NAME 0 -# define SSL_F_FINAL_SIG_ALGS 0 -# define SSL_F_GET_CERT_VERIFY_TBS_DATA 0 -# define SSL_F_NSS_KEYLOG_INT 0 -# define SSL_F_OPENSSL_INIT_SSL 0 -# define SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION 0 -# define SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION 0 -# define SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE 0 -# define SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE 0 -# define SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE 0 -# define SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION 0 -# define SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION 0 -# define SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION 0 -# define SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION 0 -# define SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE 0 -# define SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE 0 -# define SSL_F_OSSL_STATEM_SERVER_POST_WORK 0 -# define SSL_F_OSSL_STATEM_SERVER_PRE_WORK 0 -# define SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE 0 -# define SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION 0 -# define SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION 0 -# define SSL_F_PARSE_CA_NAMES 0 -# define SSL_F_PITEM_NEW 0 -# define SSL_F_PQUEUE_NEW 0 -# define SSL_F_PROCESS_KEY_SHARE_EXT 0 -# define SSL_F_READ_STATE_MACHINE 0 -# define SSL_F_SET_CLIENT_CIPHERSUITE 0 -# define SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET 0 -# define SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET 0 -# define SSL_F_SRP_VERIFY_SERVER_PARAM 0 -# define SSL_F_SSL3_CHANGE_CIPHER_STATE 0 -# define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 0 -# define SSL_F_SSL3_CTRL 0 -# define SSL_F_SSL3_CTX_CTRL 0 -# define SSL_F_SSL3_DIGEST_CACHED_RECORDS 0 -# define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 0 -# define SSL_F_SSL3_ENC 0 -# define SSL_F_SSL3_FINAL_FINISH_MAC 0 -# define SSL_F_SSL3_FINISH_MAC 0 -# define SSL_F_SSL3_GENERATE_KEY_BLOCK 0 -# define SSL_F_SSL3_GENERATE_MASTER_SECRET 0 -# define SSL_F_SSL3_GET_RECORD 0 -# define SSL_F_SSL3_INIT_FINISHED_MAC 0 -# define SSL_F_SSL3_OUTPUT_CERT_CHAIN 0 -# define SSL_F_SSL3_READ_BYTES 0 -# define SSL_F_SSL3_READ_N 0 -# define SSL_F_SSL3_SETUP_KEY_BLOCK 0 -# define SSL_F_SSL3_SETUP_READ_BUFFER 0 -# define SSL_F_SSL3_SETUP_WRITE_BUFFER 0 -# define SSL_F_SSL3_WRITE_BYTES 0 -# define SSL_F_SSL3_WRITE_PENDING 0 -# define SSL_F_SSL_ADD_CERT_CHAIN 0 -# define SSL_F_SSL_ADD_CERT_TO_BUF 0 -# define SSL_F_SSL_ADD_CERT_TO_WPACKET 0 -# define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 0 -# define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 0 -# define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 0 -# define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 0 -# define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 0 -# define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 0 -# define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 0 -# define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 0 -# define SSL_F_SSL_BAD_METHOD 0 -# define SSL_F_SSL_BUILD_CERT_CHAIN 0 -# define SSL_F_SSL_BYTES_TO_CIPHER_LIST 0 -# define SSL_F_SSL_CACHE_CIPHERLIST 0 -# define SSL_F_SSL_CERT_ADD0_CHAIN_CERT 0 -# define SSL_F_SSL_CERT_DUP 0 -# define SSL_F_SSL_CERT_NEW 0 -# define SSL_F_SSL_CERT_SET0_CHAIN 0 -# define SSL_F_SSL_CHECK_PRIVATE_KEY 0 -# define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 0 -# define SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO 0 -# define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 0 -# define SSL_F_SSL_CHOOSE_CLIENT_VERSION 0 -# define SSL_F_SSL_CIPHER_DESCRIPTION 0 -# define SSL_F_SSL_CIPHER_LIST_TO_BYTES 0 -# define SSL_F_SSL_CIPHER_PROCESS_RULESTR 0 -# define SSL_F_SSL_CIPHER_STRENGTH_SORT 0 -# define SSL_F_SSL_CLEAR 0 -# define SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT 0 -# define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 0 -# define SSL_F_SSL_CONF_CMD 0 -# define SSL_F_SSL_CREATE_CIPHER_LIST 0 -# define SSL_F_SSL_CTRL 0 -# define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 0 -# define SSL_F_SSL_CTX_ENABLE_CT 0 -# define SSL_F_SSL_CTX_MAKE_PROFILES 0 -# define SSL_F_SSL_CTX_NEW 0 -# define SSL_F_SSL_CTX_SET_ALPN_PROTOS 0 -# define SSL_F_SSL_CTX_SET_CIPHER_LIST 0 -# define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 0 -# define SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK 0 -# define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 0 -# define SSL_F_SSL_CTX_SET_SSL_VERSION 0 -# define SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH 0 -# define SSL_F_SSL_CTX_USE_CERTIFICATE 0 -# define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 0 -# define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 0 -# define SSL_F_SSL_CTX_USE_PRIVATEKEY 0 -# define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 0 -# define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 0 -# define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 0 -# define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 0 -# define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 0 -# define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 0 -# define SSL_F_SSL_CTX_USE_SERVERINFO 0 -# define SSL_F_SSL_CTX_USE_SERVERINFO_EX 0 -# define SSL_F_SSL_CTX_USE_SERVERINFO_FILE 0 -# define SSL_F_SSL_DANE_DUP 0 -# define SSL_F_SSL_DANE_ENABLE 0 -# define SSL_F_SSL_DECAPSULATE 0 -# define SSL_F_SSL_DERIVE 0 -# define SSL_F_SSL_DO_CONFIG 0 -# define SSL_F_SSL_DO_HANDSHAKE 0 -# define SSL_F_SSL_DUP_CA_LIST 0 -# define SSL_F_SSL_ENABLE_CT 0 -# define SSL_F_SSL_ENCAPSULATE 0 -# define SSL_F_SSL_GENERATE_PKEY_GROUP 0 -# define SSL_F_SSL_GENERATE_SESSION_ID 0 -# define SSL_F_SSL_GET_NEW_SESSION 0 -# define SSL_F_SSL_GET_PREV_SESSION 0 -# define SSL_F_SSL_GET_SERVER_CERT_INDEX 0 -# define SSL_F_SSL_GET_SIGN_PKEY 0 -# define SSL_F_SSL_HANDSHAKE_HASH 0 -# define SSL_F_SSL_INIT_WBIO_BUFFER 0 -# define SSL_F_SSL_KEY_UPDATE 0 -# define SSL_F_SSL_LOAD_CLIENT_CA_FILE 0 -# define SSL_F_SSL_LOG_MASTER_SECRET 0 -# define SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE 0 -# define SSL_F_SSL_MODULE_INIT 0 -# define SSL_F_SSL_NEW 0 -# define SSL_F_SSL_NEXT_PROTO_VALIDATE 0 -# define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 0 -# define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 0 -# define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 0 -# define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 0 -# define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 0 -# define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 0 -# define SSL_F_SSL_PEEK 0 -# define SSL_F_SSL_PEEK_EX 0 -# define SSL_F_SSL_PEEK_INTERNAL 0 -# define SSL_F_SSL_READ 0 -# define SSL_F_SSL_READ_EARLY_DATA 0 -# define SSL_F_SSL_READ_EX 0 -# define SSL_F_SSL_READ_INTERNAL 0 -# define SSL_F_SSL_RENEGOTIATE 0 -# define SSL_F_SSL_RENEGOTIATE_ABBREVIATED 0 -# define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 0 -# define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 0 -# define SSL_F_SSL_SENDFILE 0 -# define SSL_F_SSL_SESSION_DUP 0 -# define SSL_F_SSL_SESSION_NEW 0 -# define SSL_F_SSL_SESSION_PRINT_FP 0 -# define SSL_F_SSL_SESSION_SET1_ID 0 -# define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 0 -# define SSL_F_SSL_SET_ALPN_PROTOS 0 -# define SSL_F_SSL_SET_CERT 0 -# define SSL_F_SSL_SET_CERT_AND_KEY 0 -# define SSL_F_SSL_SET_CIPHER_LIST 0 -# define SSL_F_SSL_SET_CT_VALIDATION_CALLBACK 0 -# define SSL_F_SSL_SET_FD 0 -# define SSL_F_SSL_SET_PKEY 0 -# define SSL_F_SSL_SET_RFD 0 -# define SSL_F_SSL_SET_SESSION 0 -# define SSL_F_SSL_SET_SESSION_ID_CONTEXT 0 -# define SSL_F_SSL_SET_SESSION_TICKET_EXT 0 -# define SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH 0 -# define SSL_F_SSL_SET_WFD 0 -# define SSL_F_SSL_SHUTDOWN 0 -# define SSL_F_SSL_SRP_CTX_INIT 0 -# define SSL_F_SSL_START_ASYNC_JOB 0 -# define SSL_F_SSL_UNDEFINED_FUNCTION 0 -# define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 0 -# define SSL_F_SSL_USE_CERTIFICATE 0 -# define SSL_F_SSL_USE_CERTIFICATE_ASN1 0 -# define SSL_F_SSL_USE_CERTIFICATE_FILE 0 -# define SSL_F_SSL_USE_PRIVATEKEY 0 -# define SSL_F_SSL_USE_PRIVATEKEY_ASN1 0 -# define SSL_F_SSL_USE_PRIVATEKEY_FILE 0 -# define SSL_F_SSL_USE_PSK_IDENTITY_HINT 0 -# define SSL_F_SSL_USE_RSAPRIVATEKEY 0 -# define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 0 -# define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 0 -# define SSL_F_SSL_VALIDATE_CT 0 -# define SSL_F_SSL_VERIFY_CERT_CHAIN 0 -# define SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE 0 -# define SSL_F_SSL_WRITE 0 -# define SSL_F_SSL_WRITE_EARLY_DATA 0 -# define SSL_F_SSL_WRITE_EARLY_FINISH 0 -# define SSL_F_SSL_WRITE_EX 0 -# define SSL_F_SSL_WRITE_INTERNAL 0 -# define SSL_F_STATE_MACHINE 0 -# define SSL_F_TLS12_CHECK_PEER_SIGALG 0 -# define SSL_F_TLS12_COPY_SIGALGS 0 -# define SSL_F_TLS13_CHANGE_CIPHER_STATE 0 -# define SSL_F_TLS13_ENC 0 -# define SSL_F_TLS13_FINAL_FINISH_MAC 0 -# define SSL_F_TLS13_GENERATE_SECRET 0 -# define SSL_F_TLS13_HKDF_EXPAND 0 -# define SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA 0 -# define SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA 0 -# define SSL_F_TLS13_SETUP_KEY_BLOCK 0 -# define SSL_F_TLS1_CHANGE_CIPHER_STATE 0 -# define SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS 0 -# define SSL_F_TLS1_ENC 0 -# define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 0 -# define SSL_F_TLS1_GET_CURVELIST 0 -# define SSL_F_TLS1_PRF 0 -# define SSL_F_TLS1_SAVE_U16 0 -# define SSL_F_TLS1_SETUP_KEY_BLOCK 0 -# define SSL_F_TLS1_SET_GROUPS 0 -# define SSL_F_TLS1_SET_RAW_SIGALGS 0 -# define SSL_F_TLS1_SET_SERVER_SIGALGS 0 -# define SSL_F_TLS1_SET_SHARED_SIGALGS 0 -# define SSL_F_TLS1_SET_SIGALGS 0 -# define SSL_F_TLS_CHOOSE_SIGALG 0 -# define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK 0 -# define SSL_F_TLS_COLLECT_EXTENSIONS 0 -# define SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES 0 -# define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST 0 -# define SSL_F_TLS_CONSTRUCT_CERT_STATUS 0 -# define SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY 0 -# define SSL_F_TLS_CONSTRUCT_CERT_VERIFY 0 -# define SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC 0 -# define SSL_F_TLS_CONSTRUCT_CKE_DHE 0 -# define SSL_F_TLS_CONSTRUCT_CKE_ECDHE 0 -# define SSL_F_TLS_CONSTRUCT_CKE_GOST 0 -# define SSL_F_TLS_CONSTRUCT_CKE_GOST18 0 -# define SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE 0 -# define SSL_F_TLS_CONSTRUCT_CKE_RSA 0 -# define SSL_F_TLS_CONSTRUCT_CKE_SRP 0 -# define SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE 0 -# define SSL_F_TLS_CONSTRUCT_CLIENT_HELLO 0 -# define SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE 0 -# define SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_ALPN 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_CERTIFICATE 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_COOKIE 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_EMS 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_ETM 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_HELLO 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_KEY_EXCHANGE 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_NPN 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_PADDING 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_PSK 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_SCT 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_SRP 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP 0 -# define SSL_F_TLS_CONSTRUCT_CTOS_VERIFY 0 -# define SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS 0 -# define SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA 0 -# define SSL_F_TLS_CONSTRUCT_EXTENSIONS 0 -# define SSL_F_TLS_CONSTRUCT_FINISHED 0 -# define SSL_F_TLS_CONSTRUCT_HELLO_REQUEST 0 -# define SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST 0 -# define SSL_F_TLS_CONSTRUCT_KEY_UPDATE 0 -# define SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET 0 -# define SSL_F_TLS_CONSTRUCT_NEXT_PROTO 0 -# define SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE 0 -# define SSL_F_TLS_CONSTRUCT_SERVER_HELLO 0 -# define SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE 0 -# define SSL_F_TLS_CONSTRUCT_STOC_ALPN 0 -# define SSL_F_TLS_CONSTRUCT_STOC_CERTIFICATE 0 -# define SSL_F_TLS_CONSTRUCT_STOC_COOKIE 0 -# define SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG 0 -# define SSL_F_TLS_CONSTRUCT_STOC_DONE 0 -# define SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA 0 -# define SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO 0 -# define SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS 0 -# define SSL_F_TLS_CONSTRUCT_STOC_EMS 0 -# define SSL_F_TLS_CONSTRUCT_STOC_ETM 0 -# define SSL_F_TLS_CONSTRUCT_STOC_HELLO 0 -# define SSL_F_TLS_CONSTRUCT_STOC_KEY_EXCHANGE 0 -# define SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE 0 -# define SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN 0 -# define SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG 0 -# define SSL_F_TLS_CONSTRUCT_STOC_PSK 0 -# define SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE 0 -# define SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME 0 -# define SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET 0 -# define SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST 0 -# define SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS 0 -# define SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS 0 -# define SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP 0 -# define SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO 0 -# define SSL_F_TLS_FINISH_HANDSHAKE 0 -# define SSL_F_TLS_GET_MESSAGE_BODY 0 -# define SSL_F_TLS_GET_MESSAGE_HEADER 0 -# define SSL_F_TLS_HANDLE_ALPN 0 -# define SSL_F_TLS_HANDLE_STATUS_REQUEST 0 -# define SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES 0 -# define SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT 0 -# define SSL_F_TLS_PARSE_CTOS_ALPN 0 -# define SSL_F_TLS_PARSE_CTOS_COOKIE 0 -# define SSL_F_TLS_PARSE_CTOS_EARLY_DATA 0 -# define SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS 0 -# define SSL_F_TLS_PARSE_CTOS_EMS 0 -# define SSL_F_TLS_PARSE_CTOS_KEY_SHARE 0 -# define SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN 0 -# define SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH 0 -# define SSL_F_TLS_PARSE_CTOS_PSK 0 -# define SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES 0 -# define SSL_F_TLS_PARSE_CTOS_RENEGOTIATE 0 -# define SSL_F_TLS_PARSE_CTOS_SERVER_NAME 0 -# define SSL_F_TLS_PARSE_CTOS_SESSION_TICKET 0 -# define SSL_F_TLS_PARSE_CTOS_SIG_ALGS 0 -# define SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT 0 -# define SSL_F_TLS_PARSE_CTOS_SRP 0 -# define SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST 0 -# define SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS 0 -# define SSL_F_TLS_PARSE_CTOS_USE_SRTP 0 -# define SSL_F_TLS_PARSE_STOC_ALPN 0 -# define SSL_F_TLS_PARSE_STOC_COOKIE 0 -# define SSL_F_TLS_PARSE_STOC_EARLY_DATA 0 -# define SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO 0 -# define SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS 0 -# define SSL_F_TLS_PARSE_STOC_KEY_SHARE 0 -# define SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN 0 -# define SSL_F_TLS_PARSE_STOC_NPN 0 -# define SSL_F_TLS_PARSE_STOC_PSK 0 -# define SSL_F_TLS_PARSE_STOC_RENEGOTIATE 0 -# define SSL_F_TLS_PARSE_STOC_SCT 0 -# define SSL_F_TLS_PARSE_STOC_SERVER_NAME 0 -# define SSL_F_TLS_PARSE_STOC_SESSION_TICKET 0 -# define SSL_F_TLS_PARSE_STOC_STATUS_REQUEST 0 -# define SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS 0 -# define SSL_F_TLS_PARSE_STOC_USE_SRTP 0 -# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 0 -# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 0 -# define SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE 0 -# define SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST 0 -# define SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST 0 -# define SSL_F_TLS_PROCESS_CERT_STATUS 0 -# define SSL_F_TLS_PROCESS_CERT_STATUS_BODY 0 -# define SSL_F_TLS_PROCESS_CERT_VERIFY 0 -# define SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC 0 -# define SSL_F_TLS_PROCESS_CKE_DHE 0 -# define SSL_F_TLS_PROCESS_CKE_ECDHE 0 -# define SSL_F_TLS_PROCESS_CKE_GOST 0 -# define SSL_F_TLS_PROCESS_CKE_GOST18 0 -# define SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE 0 -# define SSL_F_TLS_PROCESS_CKE_RSA 0 -# define SSL_F_TLS_PROCESS_CKE_SRP 0 -# define SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE 0 -# define SSL_F_TLS_PROCESS_CLIENT_HELLO 0 -# define SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE 0 -# define SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS 0 -# define SSL_F_TLS_PROCESS_END_OF_EARLY_DATA 0 -# define SSL_F_TLS_PROCESS_FINISHED 0 -# define SSL_F_TLS_PROCESS_HELLO_REQ 0 -# define SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST 0 -# define SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT 0 -# define SSL_F_TLS_PROCESS_KEY_EXCHANGE 0 -# define SSL_F_TLS_PROCESS_KEY_UPDATE 0 -# define SSL_F_TLS_PROCESS_NEW_SESSION_TICKET 0 -# define SSL_F_TLS_PROCESS_NEXT_PROTO 0 -# define SSL_F_TLS_PROCESS_SERVER_CERTIFICATE 0 -# define SSL_F_TLS_PROCESS_SERVER_DONE 0 -# define SSL_F_TLS_PROCESS_SERVER_HELLO 0 -# define SSL_F_TLS_PROCESS_SKE_DHE 0 -# define SSL_F_TLS_PROCESS_SKE_ECDHE 0 -# define SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE 0 -# define SSL_F_TLS_PROCESS_SKE_SRP 0 -# define SSL_F_TLS_PSK_DO_BINDER 0 -# define SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT 0 -# define SSL_F_TLS_SETUP_HANDSHAKE 0 -# define SSL_F_USE_CERTIFICATE_CHAIN_FILE 0 -# define SSL_F_WPACKET_INTERN_INIT_LEN 0 -# define SSL_F_WPACKET_START_SUB_PACKET_LEN__ 0 -# define SSL_F_WRITE_STATE_MACHINE 0 -# endif - /* * SSL reason codes. */ diff --git a/include/openssl/sslerr_legacy.h b/include/openssl/sslerr_legacy.h index 1607b4e7dc..b687bf7d63 100644 --- a/include/openssl/sslerr_legacy.h +++ b/include/openssl/sslerr_legacy.h @@ -27,10 +27,442 @@ extern "C" { # ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 int ERR_load_SSL_strings(void); + +/* Collected _F_ macros from OpenSSL 1.1.1 */ + +/* + * SSL function codes. + */ +# define SSL_F_ADD_CLIENT_KEY_SHARE_EXT 0 +# define SSL_F_ADD_KEY_SHARE 0 +# define SSL_F_BYTES_TO_CIPHER_LIST 0 +# define SSL_F_CHECK_SUITEB_CIPHER_LIST 0 +# define SSL_F_CIPHERSUITE_CB 0 +# define SSL_F_CONSTRUCT_CA_NAMES 0 +# define SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS 0 +# define SSL_F_CONSTRUCT_STATEFUL_TICKET 0 +# define SSL_F_CONSTRUCT_STATELESS_TICKET 0 +# define SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH 0 +# define SSL_F_CREATE_TICKET_PREQUEL 0 +# define SSL_F_CT_MOVE_SCTS 0 +# define SSL_F_CT_STRICT 0 +# define SSL_F_CUSTOM_EXT_ADD 0 +# define SSL_F_CUSTOM_EXT_PARSE 0 +# define SSL_F_D2I_SSL_SESSION 0 +# define SSL_F_DANE_CTX_ENABLE 0 +# define SSL_F_DANE_MTYPE_SET 0 +# define SSL_F_DANE_TLSA_ADD 0 +# define SSL_F_DERIVE_SECRET_KEY_AND_IV 0 +# define SSL_F_DO_DTLS1_WRITE 0 +# define SSL_F_DO_SSL3_WRITE 0 +# define SSL_F_DTLS1_BUFFER_RECORD 0 +# define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 0 +# define SSL_F_DTLS1_HEARTBEAT 0 +# define SSL_F_DTLS1_HM_FRAGMENT_NEW 0 +# define SSL_F_DTLS1_PREPROCESS_FRAGMENT 0 +# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 0 +# define SSL_F_DTLS1_PROCESS_RECORD 0 +# define SSL_F_DTLS1_READ_BYTES 0 +# define SSL_F_DTLS1_READ_FAILED 0 +# define SSL_F_DTLS1_RETRANSMIT_MESSAGE 0 +# define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 0 +# define SSL_F_DTLS1_WRITE_BYTES 0 +# define SSL_F_DTLSV1_LISTEN 0 +# define SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC 0 +# define SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST 0 +# define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE 0 +# define SSL_F_DTLS_PROCESS_HELLO_VERIFY 0 +# define SSL_F_DTLS_RECORD_LAYER_NEW 0 +# define SSL_F_DTLS_WAIT_FOR_DRY 0 +# define SSL_F_EARLY_DATA_COUNT_OK 0 +# define SSL_F_FINAL_EARLY_DATA 0 +# define SSL_F_FINAL_EC_PT_FORMATS 0 +# define SSL_F_FINAL_EMS 0 +# define SSL_F_FINAL_KEY_SHARE 0 +# define SSL_F_FINAL_MAXFRAGMENTLEN 0 +# define SSL_F_FINAL_RENEGOTIATE 0 +# define SSL_F_FINAL_SERVER_NAME 0 +# define SSL_F_FINAL_SIG_ALGS 0 +# define SSL_F_GET_CERT_VERIFY_TBS_DATA 0 +# define SSL_F_NSS_KEYLOG_INT 0 +# define SSL_F_OPENSSL_INIT_SSL 0 +# define SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION 0 +# define SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION 0 +# define SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE 0 +# define SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE 0 +# define SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE 0 +# define SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION 0 +# define SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION 0 +# define SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION 0 +# define SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION 0 +# define SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE 0 +# define SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE 0 +# define SSL_F_OSSL_STATEM_SERVER_POST_WORK 0 +# define SSL_F_OSSL_STATEM_SERVER_PRE_WORK 0 +# define SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE 0 +# define SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION 0 +# define SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION 0 +# define SSL_F_PARSE_CA_NAMES 0 +# define SSL_F_PITEM_NEW 0 +# define SSL_F_PQUEUE_NEW 0 +# define SSL_F_PROCESS_KEY_SHARE_EXT 0 +# define SSL_F_READ_STATE_MACHINE 0 +# define SSL_F_SET_CLIENT_CIPHERSUITE 0 +# define SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET 0 +# define SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET 0 +# define SSL_F_SRP_VERIFY_SERVER_PARAM 0 +# define SSL_F_SSL3_CHANGE_CIPHER_STATE 0 +# define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 0 +# define SSL_F_SSL3_CTRL 0 +# define SSL_F_SSL3_CTX_CTRL 0 +# define SSL_F_SSL3_DIGEST_CACHED_RECORDS 0 +# define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 0 +# define SSL_F_SSL3_ENC 0 +# define SSL_F_SSL3_FINAL_FINISH_MAC 0 +# define SSL_F_SSL3_FINISH_MAC 0 +# define SSL_F_SSL3_GENERATE_KEY_BLOCK 0 +# define SSL_F_SSL3_GENERATE_MASTER_SECRET 0 +# define SSL_F_SSL3_GET_RECORD 0 +# define SSL_F_SSL3_INIT_FINISHED_MAC 0 +# define SSL_F_SSL3_OUTPUT_CERT_CHAIN 0 +# define SSL_F_SSL3_READ_BYTES 0 +# define SSL_F_SSL3_READ_N 0 +# define SSL_F_SSL3_SETUP_KEY_BLOCK 0 +# define SSL_F_SSL3_SETUP_READ_BUFFER 0 +# define SSL_F_SSL3_SETUP_WRITE_BUFFER 0 +# define SSL_F_SSL3_WRITE_BYTES 0 +# define SSL_F_SSL3_WRITE_PENDING 0 +# define SSL_F_SSL_ADD_CERT_CHAIN 0 +# define SSL_F_SSL_ADD_CERT_TO_BUF 0 +# define SSL_F_SSL_ADD_CERT_TO_WPACKET 0 +# define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 0 +# define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 0 +# define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 0 +# define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 0 +# define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 0 +# define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 0 +# define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 0 +# define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 0 +# define SSL_F_SSL_BAD_METHOD 0 +# define SSL_F_SSL_BUILD_CERT_CHAIN 0 +# define SSL_F_SSL_BYTES_TO_CIPHER_LIST 0 +# define SSL_F_SSL_CACHE_CIPHERLIST 0 +# define SSL_F_SSL_CERT_ADD0_CHAIN_CERT 0 +# define SSL_F_SSL_CERT_DUP 0 +# define SSL_F_SSL_CERT_NEW 0 +# define SSL_F_SSL_CERT_SET0_CHAIN 0 +# define SSL_F_SSL_CHECK_PRIVATE_KEY 0 +# define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 0 +# define SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO 0 +# define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 0 +# define SSL_F_SSL_CHOOSE_CLIENT_VERSION 0 +# define SSL_F_SSL_CIPHER_DESCRIPTION 0 +# define SSL_F_SSL_CIPHER_LIST_TO_BYTES 0 +# define SSL_F_SSL_CIPHER_PROCESS_RULESTR 0 +# define SSL_F_SSL_CIPHER_STRENGTH_SORT 0 +# define SSL_F_SSL_CLEAR 0 +# define SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT 0 +# define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 0 +# define SSL_F_SSL_CONF_CMD 0 +# define SSL_F_SSL_CREATE_CIPHER_LIST 0 +# define SSL_F_SSL_CTRL 0 +# define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 0 +# define SSL_F_SSL_CTX_ENABLE_CT 0 +# define SSL_F_SSL_CTX_MAKE_PROFILES 0 +# define SSL_F_SSL_CTX_NEW 0 +# define SSL_F_SSL_CTX_SET_ALPN_PROTOS 0 +# define SSL_F_SSL_CTX_SET_CIPHER_LIST 0 +# define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 0 +# define SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK 0 +# define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 0 +# define SSL_F_SSL_CTX_SET_SSL_VERSION 0 +# define SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH 0 +# define SSL_F_SSL_CTX_USE_CERTIFICATE 0 +# define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 0 +# define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 0 +# define SSL_F_SSL_CTX_USE_PRIVATEKEY 0 +# define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 0 +# define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 0 +# define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 0 +# define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 0 +# define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 0 +# define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 0 +# define SSL_F_SSL_CTX_USE_SERVERINFO 0 +# define SSL_F_SSL_CTX_USE_SERVERINFO_EX 0 +# define SSL_F_SSL_CTX_USE_SERVERINFO_FILE 0 +# define SSL_F_SSL_DANE_DUP 0 +# define SSL_F_SSL_DANE_ENABLE 0 +# define SSL_F_SSL_DERIVE 0 +# define SSL_F_SSL_DO_CONFIG 0 +# define SSL_F_SSL_DO_HANDSHAKE 0 +# define SSL_F_SSL_DUP_CA_LIST 0 +# define SSL_F_SSL_ENABLE_CT 0 +# define SSL_F_SSL_GENERATE_PKEY_GROUP 0 +# define SSL_F_SSL_GENERATE_SESSION_ID 0 +# define SSL_F_SSL_GET_NEW_SESSION 0 +# define SSL_F_SSL_GET_PREV_SESSION 0 +# define SSL_F_SSL_GET_SERVER_CERT_INDEX 0 +# define SSL_F_SSL_GET_SIGN_PKEY 0 +# define SSL_F_SSL_HANDSHAKE_HASH 0 +# define SSL_F_SSL_INIT_WBIO_BUFFER 0 +# define SSL_F_SSL_KEY_UPDATE 0 +# define SSL_F_SSL_LOAD_CLIENT_CA_FILE 0 +# define SSL_F_SSL_LOG_MASTER_SECRET 0 +# define SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE 0 +# define SSL_F_SSL_MODULE_INIT 0 +# define SSL_F_SSL_NEW 0 +# define SSL_F_SSL_NEXT_PROTO_VALIDATE 0 +# define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 0 +# define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 0 +# define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 0 +# define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 0 +# define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 0 +# define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 0 +# define SSL_F_SSL_PEEK 0 +# define SSL_F_SSL_PEEK_EX 0 +# define SSL_F_SSL_PEEK_INTERNAL 0 +# define SSL_F_SSL_READ 0 +# define SSL_F_SSL_READ_EARLY_DATA 0 +# define SSL_F_SSL_READ_EX 0 +# define SSL_F_SSL_READ_INTERNAL 0 +# define SSL_F_SSL_RENEGOTIATE 0 +# define SSL_F_SSL_RENEGOTIATE_ABBREVIATED 0 +# define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 0 +# define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 0 +# define SSL_F_SSL_SESSION_DUP 0 +# define SSL_F_SSL_SESSION_NEW 0 +# define SSL_F_SSL_SESSION_PRINT_FP 0 +# define SSL_F_SSL_SESSION_SET1_ID 0 +# define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 0 +# define SSL_F_SSL_SET_ALPN_PROTOS 0 +# define SSL_F_SSL_SET_CERT 0 +# define SSL_F_SSL_SET_CERT_AND_KEY 0 +# define SSL_F_SSL_SET_CIPHER_LIST 0 +# define SSL_F_SSL_SET_CT_VALIDATION_CALLBACK 0 +# define SSL_F_SSL_SET_FD 0 +# define SSL_F_SSL_SET_PKEY 0 +# define SSL_F_SSL_SET_RFD 0 +# define SSL_F_SSL_SET_SESSION 0 +# define SSL_F_SSL_SET_SESSION_ID_CONTEXT 0 +# define SSL_F_SSL_SET_SESSION_TICKET_EXT 0 +# define SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH 0 +# define SSL_F_SSL_SET_WFD 0 +# define SSL_F_SSL_SHUTDOWN 0 +# define SSL_F_SSL_SRP_CTX_INIT 0 +# define SSL_F_SSL_START_ASYNC_JOB 0 +# define SSL_F_SSL_UNDEFINED_FUNCTION 0 +# define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 0 +# define SSL_F_SSL_USE_CERTIFICATE 0 +# define SSL_F_SSL_USE_CERTIFICATE_ASN1 0 +# define SSL_F_SSL_USE_CERTIFICATE_FILE 0 +# define SSL_F_SSL_USE_PRIVATEKEY 0 +# define SSL_F_SSL_USE_PRIVATEKEY_ASN1 0 +# define SSL_F_SSL_USE_PRIVATEKEY_FILE 0 +# define SSL_F_SSL_USE_PSK_IDENTITY_HINT 0 +# define SSL_F_SSL_USE_RSAPRIVATEKEY 0 +# define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 0 +# define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 0 +# define SSL_F_SSL_VALIDATE_CT 0 +# define SSL_F_SSL_VERIFY_CERT_CHAIN 0 +# define SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE 0 +# define SSL_F_SSL_WRITE 0 +# define SSL_F_SSL_WRITE_EARLY_DATA 0 +# define SSL_F_SSL_WRITE_EARLY_FINISH 0 +# define SSL_F_SSL_WRITE_EX 0 +# define SSL_F_SSL_WRITE_INTERNAL 0 +# define SSL_F_STATE_MACHINE 0 +# define SSL_F_TLS12_CHECK_PEER_SIGALG 0 +# define SSL_F_TLS12_COPY_SIGALGS 0 +# define SSL_F_TLS13_CHANGE_CIPHER_STATE 0 +# define SSL_F_TLS13_ENC 0 +# define SSL_F_TLS13_FINAL_FINISH_MAC 0 +# define SSL_F_TLS13_GENERATE_SECRET 0 +# define SSL_F_TLS13_HKDF_EXPAND 0 +# define SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA 0 +# define SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA 0 +# define SSL_F_TLS13_SETUP_KEY_BLOCK 0 +# define SSL_F_TLS1_CHANGE_CIPHER_STATE 0 +# define SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS 0 +# define SSL_F_TLS1_ENC 0 +# define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 0 +# define SSL_F_TLS1_GET_CURVELIST 0 +# define SSL_F_TLS1_PRF 0 +# define SSL_F_TLS1_SAVE_U16 0 +# define SSL_F_TLS1_SETUP_KEY_BLOCK 0 +# define SSL_F_TLS1_SET_GROUPS 0 +# define SSL_F_TLS1_SET_RAW_SIGALGS 0 +# define SSL_F_TLS1_SET_SERVER_SIGALGS 0 +# define SSL_F_TLS1_SET_SHARED_SIGALGS 0 +# define SSL_F_TLS1_SET_SIGALGS 0 +# define SSL_F_TLS_CHOOSE_SIGALG 0 +# define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK 0 +# define SSL_F_TLS_COLLECT_EXTENSIONS 0 +# define SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES 0 +# define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST 0 +# define SSL_F_TLS_CONSTRUCT_CERT_STATUS 0 +# define SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY 0 +# define SSL_F_TLS_CONSTRUCT_CERT_VERIFY 0 +# define SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC 0 +# define SSL_F_TLS_CONSTRUCT_CKE_DHE 0 +# define SSL_F_TLS_CONSTRUCT_CKE_ECDHE 0 +# define SSL_F_TLS_CONSTRUCT_CKE_GOST 0 +# define SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE 0 +# define SSL_F_TLS_CONSTRUCT_CKE_RSA 0 +# define SSL_F_TLS_CONSTRUCT_CKE_SRP 0 +# define SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE 0 +# define SSL_F_TLS_CONSTRUCT_CLIENT_HELLO 0 +# define SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE 0 +# define SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_ALPN 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_CERTIFICATE 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_COOKIE 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_EMS 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_ETM 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_HELLO 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_KEY_EXCHANGE 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_NPN 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_PADDING 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_PSK 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_SCT 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_SRP 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP 0 +# define SSL_F_TLS_CONSTRUCT_CTOS_VERIFY 0 +# define SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS 0 +# define SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA 0 +# define SSL_F_TLS_CONSTRUCT_EXTENSIONS 0 +# define SSL_F_TLS_CONSTRUCT_FINISHED 0 +# define SSL_F_TLS_CONSTRUCT_HELLO_REQUEST 0 +# define SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST 0 +# define SSL_F_TLS_CONSTRUCT_KEY_UPDATE 0 +# define SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET 0 +# define SSL_F_TLS_CONSTRUCT_NEXT_PROTO 0 +# define SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE 0 +# define SSL_F_TLS_CONSTRUCT_SERVER_HELLO 0 +# define SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE 0 +# define SSL_F_TLS_CONSTRUCT_STOC_ALPN 0 +# define SSL_F_TLS_CONSTRUCT_STOC_CERTIFICATE 0 +# define SSL_F_TLS_CONSTRUCT_STOC_COOKIE 0 +# define SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG 0 +# define SSL_F_TLS_CONSTRUCT_STOC_DONE 0 +# define SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA 0 +# define SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO 0 +# define SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS 0 +# define SSL_F_TLS_CONSTRUCT_STOC_EMS 0 +# define SSL_F_TLS_CONSTRUCT_STOC_ETM 0 +# define SSL_F_TLS_CONSTRUCT_STOC_HELLO 0 +# define SSL_F_TLS_CONSTRUCT_STOC_KEY_EXCHANGE 0 +# define SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE 0 +# define SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN 0 +# define SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG 0 +# define SSL_F_TLS_CONSTRUCT_STOC_PSK 0 +# define SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE 0 +# define SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME 0 +# define SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET 0 +# define SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST 0 +# define SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS 0 +# define SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS 0 +# define SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP 0 +# define SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO 0 +# define SSL_F_TLS_FINISH_HANDSHAKE 0 +# define SSL_F_TLS_GET_MESSAGE_BODY 0 +# define SSL_F_TLS_GET_MESSAGE_HEADER 0 +# define SSL_F_TLS_HANDLE_ALPN 0 +# define SSL_F_TLS_HANDLE_STATUS_REQUEST 0 +# define SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES 0 +# define SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT 0 +# define SSL_F_TLS_PARSE_CTOS_ALPN 0 +# define SSL_F_TLS_PARSE_CTOS_COOKIE 0 +# define SSL_F_TLS_PARSE_CTOS_EARLY_DATA 0 +# define SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS 0 +# define SSL_F_TLS_PARSE_CTOS_EMS 0 +# define SSL_F_TLS_PARSE_CTOS_KEY_SHARE 0 +# define SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN 0 +# define SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH 0 +# define SSL_F_TLS_PARSE_CTOS_PSK 0 +# define SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES 0 +# define SSL_F_TLS_PARSE_CTOS_RENEGOTIATE 0 +# define SSL_F_TLS_PARSE_CTOS_SERVER_NAME 0 +# define SSL_F_TLS_PARSE_CTOS_SESSION_TICKET 0 +# define SSL_F_TLS_PARSE_CTOS_SIG_ALGS 0 +# define SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT 0 +# define SSL_F_TLS_PARSE_CTOS_SRP 0 +# define SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST 0 +# define SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS 0 +# define SSL_F_TLS_PARSE_CTOS_USE_SRTP 0 +# define SSL_F_TLS_PARSE_STOC_ALPN 0 +# define SSL_F_TLS_PARSE_STOC_COOKIE 0 +# define SSL_F_TLS_PARSE_STOC_EARLY_DATA 0 +# define SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO 0 +# define SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS 0 +# define SSL_F_TLS_PARSE_STOC_KEY_SHARE 0 +# define SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN 0 +# define SSL_F_TLS_PARSE_STOC_NPN 0 +# define SSL_F_TLS_PARSE_STOC_PSK 0 +# define SSL_F_TLS_PARSE_STOC_RENEGOTIATE 0 +# define SSL_F_TLS_PARSE_STOC_SCT 0 +# define SSL_F_TLS_PARSE_STOC_SERVER_NAME 0 +# define SSL_F_TLS_PARSE_STOC_SESSION_TICKET 0 +# define SSL_F_TLS_PARSE_STOC_STATUS_REQUEST 0 +# define SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS 0 +# define SSL_F_TLS_PARSE_STOC_USE_SRTP 0 +# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 0 +# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 0 +# define SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE 0 +# define SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST 0 +# define SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST 0 +# define SSL_F_TLS_PROCESS_CERT_STATUS 0 +# define SSL_F_TLS_PROCESS_CERT_STATUS_BODY 0 +# define SSL_F_TLS_PROCESS_CERT_VERIFY 0 +# define SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC 0 +# define SSL_F_TLS_PROCESS_CKE_DHE 0 +# define SSL_F_TLS_PROCESS_CKE_ECDHE 0 +# define SSL_F_TLS_PROCESS_CKE_GOST 0 +# define SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE 0 +# define SSL_F_TLS_PROCESS_CKE_RSA 0 +# define SSL_F_TLS_PROCESS_CKE_SRP 0 +# define SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE 0 +# define SSL_F_TLS_PROCESS_CLIENT_HELLO 0 +# define SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE 0 +# define SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS 0 +# define SSL_F_TLS_PROCESS_END_OF_EARLY_DATA 0 +# define SSL_F_TLS_PROCESS_FINISHED 0 +# define SSL_F_TLS_PROCESS_HELLO_REQ 0 +# define SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST 0 +# define SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT 0 +# define SSL_F_TLS_PROCESS_KEY_EXCHANGE 0 +# define SSL_F_TLS_PROCESS_KEY_UPDATE 0 +# define SSL_F_TLS_PROCESS_NEW_SESSION_TICKET 0 +# define SSL_F_TLS_PROCESS_NEXT_PROTO 0 +# define SSL_F_TLS_PROCESS_SERVER_CERTIFICATE 0 +# define SSL_F_TLS_PROCESS_SERVER_DONE 0 +# define SSL_F_TLS_PROCESS_SERVER_HELLO 0 +# define SSL_F_TLS_PROCESS_SKE_DHE 0 +# define SSL_F_TLS_PROCESS_SKE_ECDHE 0 +# define SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE 0 +# define SSL_F_TLS_PROCESS_SKE_SRP 0 +# define SSL_F_TLS_PSK_DO_BINDER 0 +# define SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT 0 +# define SSL_F_TLS_SETUP_HANDSHAKE 0 +# define SSL_F_USE_CERTIFICATE_CHAIN_FILE 0 +# define SSL_F_WPACKET_INTERN_INIT_LEN 0 +# define SSL_F_WPACKET_START_SUB_PACKET_LEN__ 0 +# define SSL_F_WRITE_STATE_MACHINE 0 # endif # ifdef __cplusplus } # endif #endif - diff --git a/include/openssl/storeerr.h b/include/openssl/storeerr.h index e895e082c7..397c143616 100644 --- a/include/openssl/storeerr.h +++ b/include/openssl/storeerr.h @@ -18,50 +18,6 @@ -/* - * OSSL_STORE function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define OSSL_STORE_F_FILE_ATTACH 0 -# define OSSL_STORE_F_FILE_CTRL 0 -# define OSSL_STORE_F_FILE_FIND 0 -# define OSSL_STORE_F_FILE_GET_PASS 0 -# define OSSL_STORE_F_FILE_LOAD 0 -# define OSSL_STORE_F_FILE_LOAD_TRY_DECODE 0 -# define OSSL_STORE_F_FILE_NAME_TO_URI 0 -# define OSSL_STORE_F_FILE_OPEN 0 -# define OSSL_STORE_F_OSSL_STORE_ATTACH 0 -# define OSSL_STORE_F_OSSL_STORE_EXPECT 0 -# define OSSL_STORE_F_OSSL_STORE_FIND 0 -# define OSSL_STORE_F_OSSL_STORE_GET0_LOADER_INT 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_CERT 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_CRL 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_PARAMS 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_GET1_PKEY 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_CERT 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_CRL 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_NAME 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_PARAMS 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_NEW_PKEY 0 -# define OSSL_STORE_F_OSSL_STORE_INFO_SET0_NAME_DESCRIPTION 0 -# define OSSL_STORE_F_OSSL_STORE_INIT_ONCE 0 -# define OSSL_STORE_F_OSSL_STORE_LOADER_NEW 0 -# define OSSL_STORE_F_OSSL_STORE_OPEN 0 -# define OSSL_STORE_F_OSSL_STORE_OPEN_INT 0 -# define OSSL_STORE_F_OSSL_STORE_REGISTER_LOADER_INT 0 -# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ALIAS 0 -# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ISSUER_SERIAL 0 -# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT 0 -# define OSSL_STORE_F_OSSL_STORE_SEARCH_BY_NAME 0 -# define OSSL_STORE_F_OSSL_STORE_UNREGISTER_LOADER_INT 0 -# define OSSL_STORE_F_TRY_DECODE_PARAMS 0 -# define OSSL_STORE_F_TRY_DECODE_PKCS12 0 -# define OSSL_STORE_F_TRY_DECODE_PKCS8ENCRYPTED 0 -# endif - /* * OSSL_STORE reason codes. */ diff --git a/include/openssl/tserr.h b/include/openssl/tserr.h index 6e46c45e12..4b46bb83e8 100644 --- a/include/openssl/tserr.h +++ b/include/openssl/tserr.h @@ -20,63 +20,6 @@ # ifndef OPENSSL_NO_TS -/* - * TS function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define TS_F_DEF_SERIAL_CB 0 -# define TS_F_DEF_TIME_CB 0 -# define TS_F_INT_TS_RESP_VERIFY_TOKEN 0 -# define TS_F_PKCS7_TO_TS_TST_INFO 0 -# define TS_F_TS_ACCURACY_SET_MICROS 0 -# define TS_F_TS_ACCURACY_SET_MILLIS 0 -# define TS_F_TS_ACCURACY_SET_SECONDS 0 -# define TS_F_TS_CHECK_IMPRINTS 0 -# define TS_F_TS_CHECK_NONCES 0 -# define TS_F_TS_CHECK_POLICY 0 -# define TS_F_TS_CHECK_SIGNING_CERTS 0 -# define TS_F_TS_CHECK_STATUS_INFO 0 -# define TS_F_TS_COMPUTE_IMPRINT 0 -# define TS_F_TS_CONF_INVALID 0 -# define TS_F_TS_CONF_LOAD_CERT 0 -# define TS_F_TS_CONF_LOAD_CERTS 0 -# define TS_F_TS_CONF_LOAD_KEY 0 -# define TS_F_TS_CONF_LOOKUP_FAIL 0 -# define TS_F_TS_CONF_SET_DEFAULT_ENGINE 0 -# define TS_F_TS_GET_STATUS_TEXT 0 -# define TS_F_TS_MSG_IMPRINT_SET_ALGO 0 -# define TS_F_TS_REQ_SET_MSG_IMPRINT 0 -# define TS_F_TS_REQ_SET_NONCE 0 -# define TS_F_TS_REQ_SET_POLICY_ID 0 -# define TS_F_TS_RESP_CREATE_RESPONSE 0 -# define TS_F_TS_RESP_CREATE_TST_INFO 0 -# define TS_F_TS_RESP_CTX_ADD_FAILURE_INFO 0 -# define TS_F_TS_RESP_CTX_ADD_MD 0 -# define TS_F_TS_RESP_CTX_ADD_POLICY 0 -# define TS_F_TS_RESP_CTX_NEW 0 -# define TS_F_TS_RESP_CTX_SET_ACCURACY 0 -# define TS_F_TS_RESP_CTX_SET_CERTS 0 -# define TS_F_TS_RESP_CTX_SET_DEF_POLICY 0 -# define TS_F_TS_RESP_CTX_SET_SIGNER_CERT 0 -# define TS_F_TS_RESP_CTX_SET_STATUS_INFO 0 -# define TS_F_TS_RESP_GET_POLICY 0 -# define TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION 0 -# define TS_F_TS_RESP_SET_STATUS_INFO 0 -# define TS_F_TS_RESP_SET_TST_INFO 0 -# define TS_F_TS_RESP_SIGN 0 -# define TS_F_TS_RESP_VERIFY_SIGNATURE 0 -# define TS_F_TS_TST_INFO_SET_ACCURACY 0 -# define TS_F_TS_TST_INFO_SET_MSG_IMPRINT 0 -# define TS_F_TS_TST_INFO_SET_NONCE 0 -# define TS_F_TS_TST_INFO_SET_POLICY_ID 0 -# define TS_F_TS_TST_INFO_SET_SERIAL 0 -# define TS_F_TS_TST_INFO_SET_TIME 0 -# define TS_F_TS_TST_INFO_SET_TSA 0 -# define TS_F_TS_VERIFY 0 -# define TS_F_TS_VERIFY_CERT 0 -# define TS_F_TS_VERIFY_CTX_NEW 0 -# endif - /* * TS reason codes. */ diff --git a/include/openssl/uierr.h b/include/openssl/uierr.h index edccfd58bb..692b480030 100644 --- a/include/openssl/uierr.h +++ b/include/openssl/uierr.h @@ -18,33 +18,6 @@ -/* - * UI function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define UI_F_CLOSE_CONSOLE 0 -# define UI_F_ECHO_CONSOLE 0 -# define UI_F_GENERAL_ALLOCATE_BOOLEAN 0 -# define UI_F_GENERAL_ALLOCATE_PROMPT 0 -# define UI_F_NOECHO_CONSOLE 0 -# define UI_F_OPEN_CONSOLE 0 -# define UI_F_UI_CONSTRUCT_PROMPT 0 -# define UI_F_UI_CREATE_METHOD 0 -# define UI_F_UI_CTRL 0 -# define UI_F_UI_DUP_ERROR_STRING 0 -# define UI_F_UI_DUP_INFO_STRING 0 -# define UI_F_UI_DUP_INPUT_BOOLEAN 0 -# define UI_F_UI_DUP_INPUT_STRING 0 -# define UI_F_UI_DUP_USER_DATA 0 -# define UI_F_UI_DUP_VERIFY_STRING 0 -# define UI_F_UI_GET0_RESULT 0 -# define UI_F_UI_GET_RESULT_LENGTH 0 -# define UI_F_UI_NEW_METHOD 0 -# define UI_F_UI_PROCESS 0 -# define UI_F_UI_SET_RESULT 0 -# define UI_F_UI_SET_RESULT_EX 0 -# endif - /* * UI reason codes. */ diff --git a/include/openssl/x509err.h b/include/openssl/x509err.h index 10021b6444..d3ecbf978e 100644 --- a/include/openssl/x509err.h +++ b/include/openssl/x509err.h @@ -18,80 +18,6 @@ -/* - * X509 function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define X509_F_ADD_CERT_DIR 0 -# define X509_F_BUILD_CHAIN 0 -# define X509_F_BY_FILE_CTRL 0 -# define X509_F_CACHE_OBJECTS 0 -# define X509_F_CHECK_NAME_CONSTRAINTS 0 -# define X509_F_CHECK_POLICY 0 -# define X509_F_COMMON_VERIFY_SM2 0 -# define X509_F_DANE_I2D 0 -# define X509_F_DIR_CTRL 0 -# define X509_F_GET_CERT_BY_SUBJECT 0 -# define X509_F_I2D_X509_AUX 0 -# define X509_F_LOOKUP_CERTS_SK 0 -# define X509_F_NETSCAPE_SPKI_B64_DECODE 0 -# define X509_F_NETSCAPE_SPKI_B64_ENCODE 0 -# define X509_F_NEW_DIR 0 -# define X509_F_X509AT_ADD1_ATTR 0 -# define X509_F_X509V3_ADD_EXT 0 -# define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 0 -# define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 0 -# define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 0 -# define X509_F_X509_ATTRIBUTE_GET0_DATA 0 -# define X509_F_X509_ATTRIBUTE_SET1_DATA 0 -# define X509_F_X509_CHECK_PRIVATE_KEY 0 -# define X509_F_X509_CRL_DIFF 0 -# define X509_F_X509_CRL_METHOD_NEW 0 -# define X509_F_X509_CRL_PRINT_FP 0 -# define X509_F_X509_EXTENSION_CREATE_BY_NID 0 -# define X509_F_X509_EXTENSION_CREATE_BY_OBJ 0 -# define X509_F_X509_GET_PUBKEY_PARAMETERS 0 -# define X509_F_X509_LOAD_CERT_CRL_FILE 0 -# define X509_F_X509_LOAD_CERT_FILE 0 -# define X509_F_X509_LOAD_CRL_FILE 0 -# define X509_F_X509_LOOKUP_METH_NEW 0 -# define X509_F_X509_LOOKUP_NEW 0 -# define X509_F_X509_NAME_ADD_ENTRY 0 -# define X509_F_X509_NAME_CANON 0 -# define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 0 -# define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 0 -# define X509_F_X509_NAME_ENTRY_SET_OBJECT 0 -# define X509_F_X509_NAME_ONELINE 0 -# define X509_F_X509_NAME_PRINT 0 -# define X509_F_X509_OBJECT_NEW 0 -# define X509_F_X509_PRINT_EX_FP 0 -# define X509_F_X509_PUBKEY_DECODE 0 -# define X509_F_X509_PUBKEY_GET 0 -# define X509_F_X509_PUBKEY_GET0 0 -# define X509_F_X509_PUBKEY_SET 0 -# define X509_F_X509_REQ_CHECK_PRIVATE_KEY 0 -# define X509_F_X509_REQ_PRINT_EX 0 -# define X509_F_X509_REQ_PRINT_FP 0 -# define X509_F_X509_REQ_TO_X509 0 -# define X509_F_X509_REQ_VERIFY 0 -# define X509_F_X509_REQ_VERIFY_SM2 0 -# define X509_F_X509_STORE_ADD_CERT 0 -# define X509_F_X509_STORE_ADD_CRL 0 -# define X509_F_X509_STORE_ADD_LOOKUP 0 -# define X509_F_X509_STORE_CTX_GET1_ISSUER 0 -# define X509_F_X509_STORE_CTX_INIT 0 -# define X509_F_X509_STORE_CTX_NEW 0 -# define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 0 -# define X509_F_X509_STORE_NEW 0 -# define X509_F_X509_TO_X509_REQ 0 -# define X509_F_X509_TRUST_ADD 0 -# define X509_F_X509_TRUST_SET 0 -# define X509_F_X509_VERIFY 0 -# define X509_F_X509_VERIFY_CERT 0 -# define X509_F_X509_VERIFY_PARAM_NEW 0 -# define X509_F_X509_VERIFY_SM2 0 -# endif - /* * X509 reason codes. */ diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h index a3324e6e2c..5a6f9c3e8c 100644 --- a/include/openssl/x509v3err.h +++ b/include/openssl/x509v3err.h @@ -18,82 +18,6 @@ -/* - * X509V3 function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define X509V3_F_A2I_GENERAL_NAME 0 -# define X509V3_F_ADDR_VALIDATE_PATH_INTERNAL 0 -# define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 0 -# define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 0 -# define X509V3_F_BIGNUM_TO_STRING 0 -# define X509V3_F_COPY_EMAIL 0 -# define X509V3_F_COPY_ISSUER 0 -# define X509V3_F_DO_DIRNAME 0 -# define X509V3_F_DO_EXT_I2D 0 -# define X509V3_F_DO_EXT_NCONF 0 -# define X509V3_F_GNAMES_FROM_SECTNAME 0 -# define X509V3_F_I2R_ISSUER_SIGN_TOOL 0 -# define X509V3_F_I2S_ASN1_ENUMERATED 0 -# define X509V3_F_I2S_ASN1_IA5STRING 0 -# define X509V3_F_I2S_ASN1_INTEGER 0 -# define X509V3_F_I2S_ASN1_UTF8STRING 0 -# define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 0 -# define X509V3_F_LEVEL_ADD_NODE 0 -# define X509V3_F_NOTICE_SECTION 0 -# define X509V3_F_NREF_NOS 0 -# define X509V3_F_POLICY_CACHE_CREATE 0 -# define X509V3_F_POLICY_CACHE_NEW 0 -# define X509V3_F_POLICY_DATA_NEW 0 -# define X509V3_F_POLICY_SECTION 0 -# define X509V3_F_PROCESS_PCI_VALUE 0 -# define X509V3_F_R2I_CERTPOL 0 -# define X509V3_F_R2I_PCI 0 -# define X509V3_F_S2I_ASN1_IA5STRING 0 -# define X509V3_F_S2I_ASN1_INTEGER 0 -# define X509V3_F_S2I_ASN1_OCTET_STRING 0 -# define X509V3_F_S2I_ASN1_UTF8STRING 0 -# define X509V3_F_S2I_SKEY_ID 0 -# define X509V3_F_SET_DIST_POINT_NAME 0 -# define X509V3_F_SXNET_ADD_ID_ASC 0 -# define X509V3_F_SXNET_ADD_ID_INTEGER 0 -# define X509V3_F_SXNET_ADD_ID_ULONG 0 -# define X509V3_F_SXNET_GET_ID_ASC 0 -# define X509V3_F_SXNET_GET_ID_ULONG 0 -# define X509V3_F_TREE_INIT 0 -# define X509V3_F_V2I_ASIDENTIFIERS 0 -# define X509V3_F_V2I_ASN1_BIT_STRING 0 -# define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 0 -# define X509V3_F_V2I_AUTHORITY_KEYID 0 -# define X509V3_F_V2I_BASIC_CONSTRAINTS 0 -# define X509V3_F_V2I_CRLD 0 -# define X509V3_F_V2I_EXTENDED_KEY_USAGE 0 -# define X509V3_F_V2I_GENERAL_NAMES 0 -# define X509V3_F_V2I_GENERAL_NAME_EX 0 -# define X509V3_F_V2I_IDP 0 -# define X509V3_F_V2I_IPADDRBLOCKS 0 -# define X509V3_F_V2I_ISSUER_ALT 0 -# define X509V3_F_V2I_ISSUER_SIGN_TOOL 0 -# define X509V3_F_V2I_NAME_CONSTRAINTS 0 -# define X509V3_F_V2I_POLICY_CONSTRAINTS 0 -# define X509V3_F_V2I_POLICY_MAPPINGS 0 -# define X509V3_F_V2I_SUBJECT_ALT 0 -# define X509V3_F_V2I_TLS_FEATURE 0 -# define X509V3_F_V3_GENERIC_EXTENSION 0 -# define X509V3_F_X509V3_ADD1_I2D 0 -# define X509V3_F_X509V3_ADD_VALUE 0 -# define X509V3_F_X509V3_EXT_ADD 0 -# define X509V3_F_X509V3_EXT_ADD_ALIAS 0 -# define X509V3_F_X509V3_EXT_I2D 0 -# define X509V3_F_X509V3_EXT_NCONF 0 -# define X509V3_F_X509V3_GET_SECTION 0 -# define X509V3_F_X509V3_GET_STRING 0 -# define X509V3_F_X509V3_GET_VALUE_BOOL 0 -# define X509V3_F_X509V3_PARSE_LIST 0 -# define X509V3_F_X509_PURPOSE_ADD 0 -# define X509V3_F_X509_PURPOSE_SET 0 -# endif - /* * X509V3 reason codes. */ diff --git a/providers/common/include/prov/providercommonerr.h b/providers/common/include/prov/providercommonerr.h index ac87f190cb..e59ee36abb 100644 --- a/providers/common/include/prov/providercommonerr.h +++ b/providers/common/include/prov/providercommonerr.h @@ -21,32 +21,6 @@ extern "C" { int err_load_PROV_strings_int(void); -/* - * PROV function codes. - */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define PROV_F_AESNI_INIT_KEY 0 -# define PROV_F_AES_BLOCK_FINAL 0 -# define PROV_F_AES_BLOCK_UPDATE 0 -# define PROV_F_AES_CIPHER 0 -# define PROV_F_AES_DINIT 0 -# define PROV_F_AES_DUPCTX 0 -# define PROV_F_AES_EINIT 0 -# define PROV_F_AES_GET_CTX_PARAMS 0 -# define PROV_F_AES_INIT_KEY 0 -# define PROV_F_AES_SET_CTX_PARAMS 0 -# define PROV_F_AES_STREAM_UPDATE 0 -# define PROV_F_AES_T4_INIT_KEY 0 -# define PROV_F_BLAKE2_MAC_INIT 0 -# define PROV_F_BLAKE2_MAC_SET_PARAMS 0 -# define PROV_F_GMAC_SET_PARAMS 0 -# define PROV_F_KMAC_SET_PARAMS 0 -# define PROV_F_POLY1305_SET_PARAMS 0 -# define PROV_F_PROV_AES_KEY_GENERIC_INIT 0 -# define PROV_F_TRAILINGDATA 0 -# define PROV_F_UNPADBLOCK 0 -# endif - /* * PROV reason codes. */ diff --git a/util/mkerr.pl b/util/mkerr.pl index d7c72af14c..7d912477b8 100755 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -125,24 +125,17 @@ if ( $internal ) { } # Data parsed out of the config and state files. -# We always map function-code values to zero, so items marked below with -# an asterisk could eventually be removed. TODO(4.0) my %hpubinc; # lib -> public header my %libpubinc; # public header -> lib my %hprivinc; # lib -> private header my %libprivinc; # private header -> lib my %cskip; # error_file -> lib my %errorfile; # lib -> error file name -my %fmax; # lib -> max assigned function code* my %rmax; # lib -> max assigned reason code -my %fassigned; # lib -> colon-separated list of assigned function codes* my %rassigned; # lib -> colon-separated list of assigned reason codes -my %fnew; # lib -> count of new function codes* my %rnew; # lib -> count of new reason codes my %rextra; # "extra" reason code -> lib my %rcodes; # reason-name -> value -my %ftrans; # old name -> #define-friendly name (all caps)* -my %fcodes; # function-name -> value* my $statefile; # state file with assigned reason and function codes my %strings; # define -> text @@ -162,11 +155,8 @@ while ( ) { $cskip{$err} = $lib; $errorfile{$lib} = $err; next if $err eq 'NONE'; - $fmax{$lib} = 100; $rmax{$lib} = 100; - $fassigned{$lib} = ":"; $rassigned{$lib} = ":"; - $fnew{$lib} = 0; $rnew{$lib} = 0; die "Public header file must be in include/openssl ($pubhdr is not)\n" if ($internal @@ -235,9 +225,7 @@ if ( ! $reindex && $statefile ) { } $rcodes{$name} = $code; } elsif ( $name =~ /^(?:OSSL_|OPENSSL_)?[A-Z0-9]{2,}_F_/ ) { - $fassigned{$lib} .= "$code:"; - $fmax{$lib} = $code if $code > $fmax{$lib}; - $fcodes{$name} = $code; + # We do nothing with the function codes, just let them go away } else { die "Bad line in $statefile:\n$_\n"; } @@ -254,131 +242,19 @@ if ( ! $reindex && $statefile ) { print STDERR " --none--\n"; } } - print STDERR "\n"; - foreach my $lib ( sort keys %fmax ) { - print STDERR "Function codes for ${lib}:\n"; - if ( $fassigned{$lib} =~ m/^:(.*):$/ ) { - my @fassigned = sort { $a <=> $b } split( ":", $1 ); - print STDERR " ", join(' ', @fassigned), "\n"; - } else { - print STDERR " --none--\n"; - } - } } } -# Scan each public header file and make a list of function codes and names -&phase("Scanning headers"); -while ( ( my $hdr, my $lib ) = each %libpubinc ) { - next if $hdr eq "NONE"; - print STDERR " ." if $debug; - my $line = ""; - my $def = ""; - my $linenr = 0; - my $cpp = 0; - - open(IN, "<$hdr") - || open(IN, "<$hdr.in") - || die "Can't open $hdr or $hdr.in, $!,"; - while ( ) { - $linenr++; - - if ( $line ne '' ) { - $_ = $line . $_; - $line = ''; - } - - if ( /\\$/ ) { - $line = $_; - next; - } - - if ( /\/\*/ ) { - if ( not /\*\// ) { # multiline comment... - $line = $_; # ... just accumulate - next; - } else { - s/\/\*.*?\*\///gs; # wipe it - } - } - - if ( $cpp ) { - $cpp++ if /^#\s*if/; - $cpp-- if /^#\s*endif/; - next; - } - $cpp = 1 if /^#.*ifdef.*cplusplus/; # skip "C" declaration - - next if /^\#/; # skip preprocessor directives - - s/{[^{}]*}//gs; # ignore {} blocks - - if ( /\{|\/\*/ ) { # Add a so editor works... - $line = $_; - } else { - $def .= $_; - } - } - - # Delete any DECLARE_ macros - my $defnr = 0; - $def =~ s/DECLARE_\w+\([\w,\s]+\)//gs; - foreach ( split /;/, $def ) { - $defnr++; - # The goal is to collect function names from function declarations. - - s/^[\n\s]*//g; - s/[\n\s]*$//g; - - # Skip over recognized non-function declarations - next if /typedef\W/; - - # Remove STACK_OF(foo) - s/STACK_OF\(\w+\)/void/; - - # Reduce argument lists to empty () - # fold round brackets recursively: (t(*v)(t),t) -> (t{}{},t) -> {} - while ( /\(.*\)/s ) { - s/\([^\(\)]+\)/\{\}/gs; - s/\(\s*\*\s*(\w+)\s*\{\}\s*\)/$1/gs; #(*f{}) -> f - } - - # pretend as we didn't use curly braces: {} -> () - s/\{\}/\(\)/gs; - - # Last token just before the first () is a function name. - if ( /(\w+)\s*\(\).*/s ) { - my $name = $1; - $name =~ tr/[a-z]/[A-Z]/; - $ftrans{$name} = $1; - } elsif ( /[\(\)]/ and not(/=/) ) { - print STDERR "Header $hdr: cannot parse: $_;\n"; - } - } - - next if $reindex; - - if ( $lib eq "SSL" && $rmax{$lib} >= 1000 ) { - print STDERR "SSL error codes 1000+ are reserved for alerts.\n"; - print STDERR "Any new alerts must be added to $config.\n"; - $errors++; - } - close IN; -} -print STDERR "\n" if $debug; - -# Scan each C source file and look for function and reason codes -# This is done by looking for strings that "look like" function or -# reason codes: basically anything consisting of all upper case and -# numerics which has _F_ or _R_ in it and which has the name of an -# error library at the start. This seems to work fine except for the -# oddly named structure BIO_F_CTX which needs to be ignored. +# Scan each C source file and look for reason codes. This is done by +# looking for strings that "look like" reason codes: basically anything +# consisting of all upper case and numerics which _R_ in it and which has +# the name of an error library at the start. Should there be anything else, +# such as a type name, we add exceptions here. # If a code doesn't exist in list compiled from headers then mark it # with the value "X" as a place holder to give it a value later. -# Store all function and reason codes found in %usedfuncs and %usedreasons -# so all those unreferenced can be printed out. +# Store all reason codes found in and %usedreasons so all those unreferenced +# can be printed out. &phase("Scanning source"); -my %usedfuncs; my %usedreasons; foreach my $file ( @source ) { # Don't parse the error source file. @@ -392,26 +268,7 @@ foreach my $file ( @source ) { # skip obsoleted source files entirely! last if /^#error\s+obsolete/; $linenr++; - if ( !/;$/ && /^\**([a-zA-Z_].*[\s*])?([A-Za-z_0-9]+)\(.*([),]|$)/ ) { - /^([^()]*(\([^()]*\)[^()]*)*)\(/; - $1 =~ /([A-Za-z_0-9]*)$/; - $func = $1; - } - if ( /(((?:OSSL_|OPENSSL_)?[A-Z0-9]{2,})_F_([A-Z0-9_]+))/ ) { - next unless exists $errorfile{$2}; - next if $errorfile{$2} eq 'NONE'; - next if $1 eq "BIO_F_BUFFER_CTX"; - $usedfuncs{$1} = 1; - if ( !exists $fcodes{$1} ) { - print STDERR " New function $1\n" if $debug; - $fcodes{$1} = "X"; - $fnew{$2}++; - } - $ftrans{$3} = $func unless exists $ftrans{$3}; - print STDERR " Function $1 = $fcodes{$1}\n" - if $debug; - } if ( /(((?:OSSL_|OPENSSL_)?[A-Z0-9]{2,})_R_[A-Z0-9_]+)/ ) { next unless exists $errorfile{$2}; next if $errorfile{$2} eq 'NONE'; @@ -432,10 +289,9 @@ print STDERR "\n" if $debug; &phase("Writing files"); my $newstate = 0; foreach my $lib ( keys %errorfile ) { - next if ! $fnew{$lib} && ! $rnew{$lib} && ! $rebuild; + next if ! $rnew{$lib} && ! $rebuild; next if scalar keys %modules > 0 && !$modules{$lib}; next if $nowrite; - print STDERR "$lib: $fnew{$lib} new functions\n" if $fnew{$lib}; print STDERR "$lib: $rnew{$lib} new reasons\n" if $rnew{$lib}; $newstate = 1; @@ -443,7 +299,6 @@ foreach my $lib ( keys %errorfile ) { # need to rebuild the header file and C file. # Make a sorted list of error and reason codes for later use. - my @function = sort grep( /^${lib}_/, keys %fcodes ); my @reasons = sort grep( /^${lib}_/, keys %rcodes ); # indent level for innermost preprocessor lines @@ -509,26 +364,6 @@ EOF # If this library doesn't have a public header file, we write all # definitions that would end up there here instead if ($hpubinc{$lib} eq 'NONE') { - print OUT "\n/*\n * $lib function codes.\n */\n"; - print OUT "#${indent}ifndef OPENSSL_NO_DEPRECATED_3_0\n"; - foreach my $i ( @function ) { - my $z = 48 - length($i); - $z = 0 if $z < 0; - if ( $fcodes{$i} eq "X" ) { - $fassigned{$lib} =~ m/^:([^:]*):/; - my $findcode = $1; - $findcode = $fmax{$lib} if !defined $findcode; - while ( $fassigned{$lib} =~ m/:$findcode:/ ) { - $findcode++; - } - $fcodes{$i} = $findcode; - $fassigned{$lib} .= "$findcode:"; - print STDERR "New Function code $i\n" if $debug; - } - printf OUT "#${indent} define $i%s 0\n", " " x $z; - } - print OUT "#${indent}endif\n"; - print OUT "\n/*\n * $lib reason codes.\n */\n"; foreach my $i ( @reasons ) { my $z = 48 - length($i); @@ -632,26 +467,6 @@ EOF } } - print OUT "\n/*\n * $lib function codes.\n */\n"; - print OUT "#${indent}ifndef OPENSSL_NO_DEPRECATED_3_0\n"; - foreach my $i ( @function ) { - my $z = 48 - length($i); - $z = 0 if $z < 0; - if ( $fcodes{$i} eq "X" ) { - $fassigned{$lib} =~ m/^:([^:]*):/; - my $findcode = $1; - $findcode = $fmax{$lib} if !defined $findcode; - while ( $fassigned{$lib} =~ m/:$findcode:/ ) { - $findcode++; - } - $fcodes{$i} = $findcode; - $fassigned{$lib} .= "$findcode:"; - print STDERR "New Function code $i\n" if $debug; - } - printf OUT "#${indent} define $i%s 0\n", " " x $z; - } - print OUT "#${indent}endif\n"; - print OUT "\n/*\n * $lib reason codes.\n */\n"; foreach my $i ( @reasons ) { my $z = 48 - length($i); @@ -833,22 +648,12 @@ EOF } &phase("Ending"); -# Make a list of unreferenced function and reason codes +# Make a list of unreferenced reason codes if ( $unref ) { - my @funref; - foreach ( keys %fcodes ) { - push( @funref, $_ ) unless exists $usedfuncs{$_}; - } my @runref; foreach ( keys %rcodes ) { push( @runref, $_ ) unless exists $usedreasons{$_}; } - if ( @funref ) { - print STDERR "The following function codes were not referenced:\n"; - foreach ( sort @funref ) { - print STDERR " $_\n"; - } - } if ( @runref ) { print STDERR "The following reason codes were not referenced:\n"; foreach ( sort @runref ) { @@ -871,13 +676,6 @@ if ( $newstate ) { # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html EOF - print OUT "\n# Function codes\n"; - foreach my $i ( sort keys %fcodes ) { - my $short = "$i:$fcodes{$i}:"; - my $t = exists $strings{$i} ? $strings{$i} : ""; - $t = "\\\n\t" . $t if length($short) + length($t) > 80; - print OUT "$short$t\n"; - } print OUT "\n#Reason codes\n"; foreach my $i ( sort keys %rcodes ) { my $short = "$i:$rcodes{$i}:"; From levitte at openssl.org Fri Feb 5 13:12:01 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 05 Feb 2021 13:12:01 +0000 Subject: [openssl] master update Message-ID: <1612530721.311693.22838.nullmailer@dev.openssl.org> The branch master has been updated via 1e3affbbcd85856c78e50c6bf56144bf9bc0eb23 (commit) from e337b82410a031f0ff60ebf6744b97da2a276e51 (commit) - Log ----------------------------------------------------------------- commit 1e3affbbcd85856c78e50c6bf56144bf9bc0eb23 Author: Richard Levitte Date: Fri Nov 20 11:07:35 2020 +0100 Remove the old DEPRECATEDIN macros They serve no purpose any more Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13461) ----------------------------------------------------------------------- Summary of changes: include/openssl/macros.h | 21 --------------------- util/perl/OpenSSL/ParseC.pm | 12 ------------ 2 files changed, 33 deletions(-) diff --git a/include/openssl/macros.h b/include/openssl/macros.h index 87cfde4920..d22bab91dc 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h @@ -179,99 +179,78 @@ # ifndef OPENSSL_NO_DEPRECATED # define OSSL_DEPRECATEDIN_3_0 OSSL_DEPRECATED(3.0) # define OSSL_DEPRECATEDIN_3_0_FOR(msg) OSSL_DEPRECATED_FOR(3.0, msg) -# define DEPRECATEDIN_3_0(f) OSSL_DEPRECATEDIN_3_0 f; # else # define OPENSSL_NO_DEPRECATED_3_0 -# define DEPRECATEDIN_3_0(f) # endif # else # define OSSL_DEPRECATEDIN_3_0 # define OSSL_DEPRECATEDIN_3_0_FOR(msg) -# define DEPRECATEDIN_3_0(f) f; # endif # if OPENSSL_API_LEVEL >= 10101 # ifndef OPENSSL_NO_DEPRECATED # define OSSL_DEPRECATEDIN_1_1_1 OSSL_DEPRECATED(1.1.1) # define OSSL_DEPRECATEDIN_1_1_1_FOR(msg) OSSL_DEPRECATED_FOR(1.1.1, msg) -# define DEPRECATEDIN_1_1_1(f) OSSL_DEPRECATEDIN_1_1_1 f; # else # define OPENSSL_NO_DEPRECATED_1_1_1 -# define DEPRECATEDIN_1_1_1(f) # endif # else # define OSSL_DEPRECATEDIN_1_1_1 # define OSSL_DEPRECATEDIN_1_1_1_FOR(msg) -# define DEPRECATEDIN_1_1_1(f) f; # endif # if OPENSSL_API_LEVEL >= 10100 # ifndef OPENSSL_NO_DEPRECATED # define OSSL_DEPRECATEDIN_1_1_0 OSSL_DEPRECATED(1.1.0) # define OSSL_DEPRECATEDIN_1_1_0_FOR(msg) OSSL_DEPRECATED_FOR(1.1.0, msg) -# define DEPRECATEDIN_1_1_0(f) OSSL_DEPRECATEDIN_1_1_0 f; # else # define OPENSSL_NO_DEPRECATED_1_1_0 -# define DEPRECATEDIN_1_1_0(f) # endif # else # define OSSL_DEPRECATEDIN_1_1_0 # define OSSL_DEPRECATEDIN_1_1_0_FOR(msg) -# define DEPRECATEDIN_1_1_0(f) f; # endif # if OPENSSL_API_LEVEL >= 10002 # ifndef OPENSSL_NO_DEPRECATED # define OSSL_DEPRECATEDIN_1_0_2 OSSL_DEPRECATED(1.0.2) # define OSSL_DEPRECATEDIN_1_0_2_FOR(msg) OSSL_DEPRECATED_FOR(1.0.2, msg) -# define DEPRECATEDIN_1_0_2(f) OSSL_DEPRECATEDIN_1_0_2 f; # else # define OPENSSL_NO_DEPRECATED_1_0_2 -# define DEPRECATEDIN_1_0_2(f) # endif # else # define OSSL_DEPRECATEDIN_1_0_2 # define OSSL_DEPRECATEDIN_1_0_2_FOR(msg) -# define DEPRECATEDIN_1_0_2(f) f; # endif # if OPENSSL_API_LEVEL >= 10001 # ifndef OPENSSL_NO_DEPRECATED # define OSSL_DEPRECATEDIN_1_0_1 OSSL_DEPRECATED(1.0.1) # define OSSL_DEPRECATEDIN_1_0_1_FOR(msg) OSSL_DEPRECATED_FOR(1.0.1, msg) -# define DEPRECATEDIN_1_0_1(f) OSSL_DEPRECATEDIN_1_0_1 f; # else # define OPENSSL_NO_DEPRECATED_1_0_1 -# define DEPRECATEDIN_1_0_1(f) # endif # else # define OSSL_DEPRECATEDIN_1_0_1 # define OSSL_DEPRECATEDIN_1_0_1_FOR(msg) -# define DEPRECATEDIN_1_0_1(f) f; # endif # if OPENSSL_API_LEVEL >= 10000 # ifndef OPENSSL_NO_DEPRECATED # define OSSL_DEPRECATEDIN_1_0_0 OSSL_DEPRECATED(1.0.0) # define OSSL_DEPRECATEDIN_1_0_0_FOR(msg) OSSL_DEPRECATED_FOR(1.0.0, msg) -# define DEPRECATEDIN_1_0_0(f) OSSL_DEPRECATEDIN_1_0_0 f; # else # define OPENSSL_NO_DEPRECATED_1_0_0 -# define DEPRECATEDIN_1_0_0(f) # endif # else # define OSSL_DEPRECATEDIN_1_0_0 # define OSSL_DEPRECATEDIN_1_0_0_FOR(msg) -# define DEPRECATEDIN_1_0_0(f) f; # endif # if OPENSSL_API_LEVEL >= 908 # ifndef OPENSSL_NO_DEPRECATED # define OSSL_DEPRECATEDIN_0_9_8 OSSL_DEPRECATED(0.9.8) # define OSSL_DEPRECATEDIN_0_9_8_FOR(msg) OSSL_DEPRECATED_FOR(0.9.8, msg) -# define DEPRECATEDIN_0_9_8(f) OSSL_DEPRECATEDIN_0_9_8 f; # else # define OPENSSL_NO_DEPRECATED_0_9_8 -# define DEPRECATEDIN_0_9_8(f) # endif # else # define OSSL_DEPRECATEDIN_0_9_8 # define OSSL_DEPRECATEDIN_0_9_8_FOR(msg) -# define DEPRECATEDIN_0_9_8(f) f; # endif /* diff --git a/util/perl/OpenSSL/ParseC.pm b/util/perl/OpenSSL/ParseC.pm index f4e5783e98..0abb469d9a 100644 --- a/util/perl/OpenSSL/ParseC.pm +++ b/util/perl/OpenSSL/ParseC.pm @@ -261,18 +261,6 @@ my @opensslchandlers = ( ##### # Deprecated stuff, by OpenSSL release. - # We trick the parser by pretending that the declaration is wrapped in a - # check if the OPENSSL_NO_DEPRECATEDIN_x_y[_z] macro is defined or not. - # Callers of parse() will have to decide what to do with it. - { regexp => qr/(DEPRECATEDIN_\d+_\d+(?:_\d+)?)<<<\((.*)\)>>>/, - massager => sub { return (<<"EOF"); -#ifndef OPENSSL_NO_$1 -$2; -#endif -EOF - }, - }, - # OSSL_DEPRECATEDIN_x_y[_z] is simply ignored. Such declarations are # supposed to be guarded with an '#ifdef OPENSSL_NO_DEPRECATED_x_y[_z]' { regexp => qr/OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?\s+(.*)/, From levitte at openssl.org Fri Feb 5 13:15:06 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 05 Feb 2021 13:15:06 +0000 Subject: [openssl] master update Message-ID: <1612530906.868014.25024.nullmailer@dev.openssl.org> The branch master has been updated via 93bae03abfdb1cb8047c2bef85e48b60891ecf54 (commit) from 1e3affbbcd85856c78e50c6bf56144bf9bc0eb23 (commit) - Log ----------------------------------------------------------------- commit 93bae03abfdb1cb8047c2bef85e48b60891ecf54 Author: Richard Levitte Date: Mon Nov 9 08:39:39 2020 +0100 dev/release.sh: Fix typo tagley -> tagkey Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14061) ----------------------------------------------------------------------- Summary of changes: dev/release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/release.sh b/dev/release.sh index be8c89bb69..f3b8e09ee0 100755 --- a/dev/release.sh +++ b/dev/release.sh @@ -121,7 +121,7 @@ while true; do ;; --local-user ) shift - tagley=" -u $1" + tagkey=" -u $1" gpgkey=" -u $1" shift ;; From levitte at openssl.org Fri Feb 5 13:16:50 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 05 Feb 2021 13:16:50 +0000 Subject: [openssl] master update Message-ID: <1612531010.724336.26207.nullmailer@dev.openssl.org> The branch master has been updated via 93d6132a79d85127dffa1ce4e62b264cf38c296d (commit) from 93bae03abfdb1cb8047c2bef85e48b60891ecf54 (commit) - Log ----------------------------------------------------------------- commit 93d6132a79d85127dffa1ce4e62b264cf38c296d Author: Richard Levitte Date: Sat Nov 7 11:31:35 2020 +0100 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() We used evp_pkey_downgrade() on 'from', which permanently converts 'from' to have a legacy internal key. Now that we have evp_pkey_copy_downgraded(), it's better to use that (and thereby restore the constness contract). Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13341) ----------------------------------------------------------------------- Summary of changes: crypto/evp/p_lib.c | 53 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 106830bfbb..95cc15e9d7 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -117,13 +117,18 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) * Clean up legacy stuff from this function when legacy support is gone. */ + EVP_PKEY *downgraded_from = NULL; + int ok = 0; + /* - * If |to| is a legacy key and |from| isn't, we must downgrade |from|. - * If that fails, this function fails. + * If |to| is a legacy key and |from| isn't, we must make a downgraded + * copy of |from|. If that fails, this function fails. */ - if (evp_pkey_is_legacy(to) && evp_pkey_is_provided(from)) - if (!evp_pkey_downgrade((EVP_PKEY *)from)) - return 0; + if (evp_pkey_is_legacy(to) && evp_pkey_is_provided(from)) { + if (!evp_pkey_copy_downgraded(&downgraded_from, from)) + goto end; + from = downgraded_from; + } /* * Make sure |to| is typed. Content is less important at this early @@ -140,33 +145,36 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) if (evp_pkey_is_blank(to)) { if (evp_pkey_is_legacy(from)) { if (EVP_PKEY_set_type(to, from->type) == 0) - return 0; + goto end; } else { if (EVP_PKEY_set_type_by_keymgmt(to, from->keymgmt) == 0) - return 0; + goto end; } } else if (evp_pkey_is_legacy(to)) { if (to->type != from->type) { ERR_raise(ERR_LIB_EVP, EVP_R_DIFFERENT_KEY_TYPES); - goto err; + goto end; } } if (EVP_PKEY_missing_parameters(from)) { ERR_raise(ERR_LIB_EVP, EVP_R_MISSING_PARAMETERS); - goto err; + goto end; } if (!EVP_PKEY_missing_parameters(to)) { if (EVP_PKEY_parameters_eq(to, from) == 1) - return 1; - ERR_raise(ERR_LIB_EVP, EVP_R_DIFFERENT_PARAMETERS); - return 0; + ok = 1; + else + ERR_raise(ERR_LIB_EVP, EVP_R_DIFFERENT_PARAMETERS); + goto end; } /* For purely provided keys, we just call the keymgmt utility */ - if (to->keymgmt != NULL && from->keymgmt != NULL) - return evp_keymgmt_util_copy(to, (EVP_PKEY *)from, SELECT_PARAMETERS); + if (to->keymgmt != NULL && from->keymgmt != NULL) { + ok = evp_keymgmt_util_copy(to, (EVP_PKEY *)from, SELECT_PARAMETERS); + goto end; + } /* * If |to| is provided, we know that |from| is legacy at this point. @@ -183,19 +191,20 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) * If we get a NULL, it could be an internal error, or it could be * that there's a key mismatch. We're pretending the latter... */ - if (from_keydata == NULL) { + if (from_keydata == NULL) ERR_raise(ERR_LIB_EVP, EVP_R_DIFFERENT_KEY_TYPES); - return 0; - } - return evp_keymgmt_copy(to->keymgmt, to->keydata, from_keydata, - SELECT_PARAMETERS); + else + ok = evp_keymgmt_copy(to->keymgmt, to->keydata, from_keydata, + SELECT_PARAMETERS); + goto end; } /* Both keys are legacy */ if (from->ameth != NULL && from->ameth->param_copy != NULL) - return from->ameth->param_copy(to, from); - err: - return 0; + ok = from->ameth->param_copy(to, from); + end: + EVP_PKEY_free(downgraded_from); + return ok; } int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey) From levitte at openssl.org Fri Feb 5 14:45:17 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 05 Feb 2021 14:45:17 +0000 Subject: [openssl] master update Message-ID: <1612536317.720183.12657.nullmailer@dev.openssl.org> The branch master has been updated via 388eb0d9709b4edf0fe4edf207b23d924fde2649 (commit) from 93d6132a79d85127dffa1ce4e62b264cf38c296d (commit) - Log ----------------------------------------------------------------- commit 388eb0d9709b4edf0fe4edf207b23d924fde2649 Author: Richard Levitte Date: Tue Feb 2 15:13:08 2021 +0100 TEST: Add an algorithm ID tester for libcrypto vs provider Providers produce algorithm IDs of their own, and we need to compare them against the same thing produced by libcrypto's ASN.1 code and with legacy keys. This tester can compare algorithm IDs for signatures and for keys, given certificates that hold such data. To verify key algorithm IDs, only one certificate is necessary, and its public key is used. To verify certificate algorithm IDs, we need to launch the signature operation that would verify a certificate against the public key of its signing CA, so that test needs two files. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14049) ----------------------------------------------------------------------- Summary of changes: test/algorithmid_test.c | 338 +++++++++++++++++++++++++++++++++++++ test/build.info | 5 + test/recipes/06-test_algorithmid.t | 60 +++++++ 3 files changed, 403 insertions(+) create mode 100644 test/algorithmid_test.c create mode 100644 test/recipes/06-test_algorithmid.t diff --git a/test/algorithmid_test.c b/test/algorithmid_test.c new file mode 100644 index 0000000000..b1b579b40d --- /dev/null +++ b/test/algorithmid_test.c @@ -0,0 +1,338 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "internal/sizes.h" +#include "crypto/evp.h" +#include "testutil.h" + +/* Collected arguments */ +static const char *eecert_filename = NULL; /* For test_x509_file() */ +static const char *cacert_filename = NULL; /* For test_x509_file() */ +static const char *pubkey_filename = NULL; /* For test_spki_file() */ + +#define ALGORITHMID_NAME "algorithm-id" + +static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename) +{ + const ASN1_OBJECT *oid; + X509_ALGOR *alg = NULL; + EVP_PKEY *pkey = NULL; + EVP_KEYMGMT *keymgmt = NULL; + void *keydata = NULL; + char name[OSSL_MAX_NAME_SIZE] = ""; + unsigned char *algid_legacy = NULL; + int algid_legacy_len = 0; + static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE]; + size_t algid_prov_len = 0; + const OSSL_PARAM *gettable_params = NULL; + OSSL_PARAM params[] = { + OSSL_PARAM_octet_string(ALGORITHMID_NAME, + &algid_prov, sizeof(algid_prov)), + OSSL_PARAM_END + }; + int ret = 0; + + if (!TEST_true(X509_PUBKEY_get0_param(NULL, NULL, NULL, &alg, pubkey)) + || !TEST_ptr(pkey = X509_PUBKEY_get0(pubkey))) + goto end; + + if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0)) + goto end; + + X509_ALGOR_get0(&oid, NULL, NULL, alg); + if (!TEST_true(OBJ_obj2txt(name, sizeof(name), oid, 0))) + goto end; + + /* + * We use an internal functions to ensure we have a provided key. + * Note that |keydata| should not be freed, as it's cached in |pkey|. + * The |keymgmt|, however, should, as its reference count is incremented + * in this function. + */ + if ((keydata = evp_pkey_export_to_provider(pkey, NULL, + &keymgmt, NULL)) == NULL) { + TEST_info("The public key found in '%s' doesn't have provider support." + " Skipping...", + filename); + ret = 1; + goto end; + } + + if (!TEST_true(EVP_KEYMGMT_is_a(keymgmt, name))) { + TEST_info("The AlgorithmID key type (%s) for the public key found in" + " '%s' doesn't match the key type of the extracted public" + " key.", + name, filename); + ret = 1; + goto end; + } + + if (!TEST_ptr(gettable_params = EVP_KEYMGMT_gettable_params(keymgmt)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) { + TEST_info("The %s provider keymgmt appears to lack support for algorithm-id." + " Skipping...", + name); + ret = 1; + goto end; + } + + algid_prov[0] = '\0'; + if (!TEST_true(evp_keymgmt_get_params(keymgmt, keydata, params))) + goto end; + algid_prov_len = params[0].return_size; + + /* We now have all the algorithm IDs we need, let's compare them */ + if (TEST_mem_eq(algid_legacy, algid_legacy_len, + algid_prov, algid_prov_len)) + ret = 1; + + end: + EVP_KEYMGMT_free(keymgmt); + OPENSSL_free(algid_legacy); + return ret; +} + +static int test_x509_spki_aid(X509 *cert, const char *filename) +{ + X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert); + + return test_spki_aid(pubkey, filename); +} + +/* + * TODO + * When we gain the ability to get an EVP_SIGNATURE with a complete signature + * algorithm name (like "sha1WithRSAEncryption" or its corresponding OID in + * text form, "1.2.840.113549.1.1.2"), we won't have to limit this test to + * what we have in libcrypto's cross-reference db, i.e. won't have to call + * OBJ_find_sigid_algs() to find out the EVP_PKEY_METHOD NID any more. + * All we'd have to do is used OBJ_obj2txt() on an ASN1_OBJECT and pass the + * result. + */ +static int test_x509_sig_aid(X509 *eecert, const char *ee_filename, + X509 *cacert, const char *ca_filename) +{ + const ASN1_OBJECT *sig_oid = NULL; + const X509_ALGOR *alg = NULL; + int sig_nid = NID_undef, dig_nid = NID_undef, pkey_nid = NID_undef; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey = NULL; + unsigned char *algid_legacy = NULL; + int algid_legacy_len = 0; + static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE]; + size_t algid_prov_len = 0; + const OSSL_PARAM *gettable_params = NULL; + OSSL_PARAM params[] = { + OSSL_PARAM_octet_string("algorithm-id", + &algid_prov, sizeof(algid_prov)), + OSSL_PARAM_END + }; + int ret = 0; + + X509_get0_signature(NULL, &alg, eecert); + X509_ALGOR_get0(&sig_oid, NULL, NULL, alg); + if (!TEST_int_eq(X509_ALGOR_cmp(alg, X509_get0_tbs_sigalg(eecert)), 0)) + goto end; + if (!TEST_int_ne(sig_nid = OBJ_obj2nid(sig_oid), NID_undef) + || !TEST_true(OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) + || !TEST_ptr(pkey = X509_get0_pubkey(cacert))) + goto end; + + if (!TEST_true(EVP_PKEY_is_a(pkey, OBJ_nid2sn(pkey_nid)))) { + TEST_info("The '%s' pubkey can't be used to verify the '%s' signature", + ca_filename, ee_filename); + TEST_info("Signature algorithm is %s (pkey type %s, hash type %s)", + OBJ_nid2sn(sig_nid), OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid)); + TEST_info("Pkey key type is %s", EVP_PKEY_get0_first_alg_name(pkey)); + goto end; + } + + if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0)) + goto end; + + if (!TEST_ptr(mdctx = EVP_MD_CTX_new()) + || !TEST_true(EVP_DigestVerifyInit_ex(mdctx, &pctx, + OBJ_nid2sn(dig_nid), + NULL, NULL, pkey))) { + TEST_info("Couldn't initialize a DigestVerify operation with " + "pkey type %s and hash type %s", + OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid)); + goto end; + } + + if (!TEST_ptr(gettable_params = EVP_PKEY_CTX_gettable_params(pctx)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) { + TEST_info("The %s provider keymgmt appears to lack support for algorithm-id" + " Skipping...", + OBJ_nid2sn(pkey_nid)); + ret = 1; + goto end; + } + + algid_prov[0] = '\0'; + if (!TEST_true(EVP_PKEY_CTX_get_params(pctx, params))) + goto end; + algid_prov_len = params[0].return_size; + + /* We now have all the algorithm IDs we need, let's compare them */ + if (TEST_mem_eq(algid_legacy, algid_legacy_len, + algid_prov, algid_prov_len)) + ret = 1; + + end: + EVP_MD_CTX_free(mdctx); + /* pctx is free by EVP_MD_CTX_free() */ + OPENSSL_free(algid_legacy); + return ret; +} + +static int test_spki_file(void) +{ + X509_PUBKEY *pubkey = NULL; + BIO *b = BIO_new_file(pubkey_filename, "r"); + int ret = 0; + + if (b == NULL) { + TEST_error("Couldn't open '%s' for reading\n", pubkey_filename); + TEST_openssl_errors(); + goto end; + } + + if ((pubkey = PEM_read_bio_X509_PUBKEY(b, NULL, NULL, NULL)) == NULL) { + TEST_error("'%s' doesn't appear to be a SubjectPublicKeyInfo in PEM format\n", + pubkey_filename); + TEST_openssl_errors(); + goto end; + } + + ret = test_spki_aid(pubkey, pubkey_filename); + end: + BIO_free(b); + X509_PUBKEY_free(pubkey); + return ret; +} + +static int test_x509_files(void) +{ + X509 *eecert = NULL, *cacert = NULL; + BIO *bee = NULL, *bca = NULL; + int ret = 0; + + if ((bee = BIO_new_file(eecert_filename, "r")) == NULL) { + TEST_error("Couldn't open '%s' for reading\n", eecert_filename); + TEST_openssl_errors(); + goto end; + } + if ((bca = BIO_new_file(cacert_filename, "r")) == NULL) { + TEST_error("Couldn't open '%s' for reading\n", cacert_filename); + TEST_openssl_errors(); + goto end; + } + + if ((eecert = PEM_read_bio_X509(bee, NULL, NULL, NULL)) == NULL) { + TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n", + eecert_filename); + TEST_openssl_errors(); + goto end; + } + if ((cacert = PEM_read_bio_X509(bca, NULL, NULL, NULL)) == NULL) { + TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n", + cacert_filename); + TEST_openssl_errors(); + goto end; + } + + ret = test_x509_sig_aid(eecert, eecert_filename, cacert, cacert_filename) + & test_x509_spki_aid(eecert, eecert_filename) + & test_x509_spki_aid(cacert, cacert_filename); + end: + BIO_free(bee); + BIO_free(bca); + X509_free(eecert); + X509_free(cacert); + return ret; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, + OPT_EOF = 0, + OPT_X509, + OPT_SPKI, + OPT_TEST_ENUM +} OPTION_CHOICE; + +const OPTIONS *test_get_options(void) +{ + static const OPTIONS test_options[] = { + OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file...\n"), + { "x509", OPT_X509, '-', "Test X.509 certificates. Requires two files" }, + { "spki", OPT_SPKI, '-', "Test public keys in SubjectPublicKeyInfo form. Requires one file" }, + { OPT_HELP_STR, 1, '-', + "file...\tFile(s) to run tests on. All files must be PEM encoded.\n" }, + { NULL } + }; + return test_options; +} + +int setup_tests(void) +{ + OPTION_CHOICE o; + int n, x509 = 0, spki = 0, testcount = 0; + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_X509: + x509 = 1; + break; + case OPT_SPKI: + spki = 1; + break; + case OPT_TEST_CASES: + break; + default: + case OPT_ERR: + return 0; + } + } + + /* |testcount| adds all the given test types together */ + testcount = x509 + spki; + + if (testcount < 1) + BIO_printf(bio_err, "No test type given\n"); + else if (testcount > 1) + BIO_printf(bio_err, "Only one test type may be given\n"); + if (testcount != 1) + return 0; + + n = test_get_argument_count(); + if (spki && n == 1) { + pubkey_filename = test_get_argument(0); + } else if (x509 && n == 2) { + eecert_filename = test_get_argument(0); + cacert_filename = test_get_argument(1); + } + + if (spki && pubkey_filename == NULL) { + BIO_printf(bio_err, "Missing -spki argument\n"); + return 0; + } else if (x509 && (eecert_filename == NULL || cacert_filename == NULL)) { + BIO_printf(bio_err, "Missing -x509 argument(s)\n"); + return 0; + } + + if (x509) + ADD_TEST(test_x509_files); + if (spki) + ADD_TEST(test_spki_file); + return 1; +} diff --git a/test/build.info b/test/build.info index b9e6d4f3b1..159f7146e3 100644 --- a/test/build.info +++ b/test/build.info @@ -707,6 +707,11 @@ IF[{- !$disabled{tests} -}] SOURCE[ssl_old_test]=ssl_old_test.c helpers/predefined_dhparams.c INCLUDE[ssl_old_test]=.. ../include ../apps/include DEPEND[ssl_old_test]=../libcrypto.a ../libssl.a libtestutil.a + + PROGRAMS{noinst}=algorithmid_test + SOURCE[algorithmid_test]=algorithmid_test.c + INCLUDE[algorithmid_test]=../include ../apps/include + DEPEND[algorithmid_test]=../libcrypto.a libtestutil.a ENDIF PROGRAMS{noinst}=asn1_time_test diff --git a/test/recipes/06-test_algorithmid.t b/test/recipes/06-test_algorithmid.t new file mode 100644 index 0000000000..7d56c09150 --- /dev/null +++ b/test/recipes/06-test_algorithmid.t @@ -0,0 +1,60 @@ +#! /usr/bin/perl + +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; + +use OpenSSL::Test qw(:DEFAULT srctop_file); +use OpenSSL::Test::Utils; + +setup("test_algorithmid"); + +# eecert => cacert +my %certs_info = + ( + 'ee-cert' => 'ca-cert', + 'ee-cert2' => 'ca-cert2', + + # 'ee-pss-sha1-cert' => 'ca-cert', + # 'ee-pss-sha256-cert' => 'ca-cert', + # 'ee-pss-cert' => 'ca-pss-cert', + # 'server-pss-restrict-cert' => 'rootcert', + + ( + disabled('ec') + ? () + : ( + 'ee-cert-ec-explicit' => 'ca-cert-ec-named', + 'ee-cert-ec-named-explicit' => 'ca-cert-ec-explicit', + 'ee-cert-ec-named-named' => 'ca-cert-ec-named', + # 'server-ed448-cert' => 'root-ed448-cert' + 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', + ) + ) + ); +my @pubkeys = + ( + 'testrsapub', + disabled('dsa') ? () : 'testdsapub', + disabled('ec') ? () : qw(testecpub-p256 tested25519pub tested448pub) + ); +my @certs = sort keys %certs_info; + +plan tests => + scalar @certs + + scalar @pubkeys; + +foreach (@certs) { + ok(run(test(['algorithmid_test', '-x509', + srctop_file('test', 'certs', "$_.pem"), + srctop_file('test', 'certs', "$certs_info{$_}.pem")]))); +} + +foreach (sort @pubkeys) { + ok(run(test(['algorithmid_test', '-spki', srctop_file('test', "$_.pem")]))); +} From levitte at openssl.org Fri Feb 5 14:52:11 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 05 Feb 2021 14:52:11 +0000 Subject: [openssl] master update Message-ID: <1612536731.280518.14686.nullmailer@dev.openssl.org> The branch master has been updated via 9ca08f91e9817892c3545612a91d38687e593e14 (commit) via b8393eae224d11276323957fcd493953d5b135b9 (commit) from 388eb0d9709b4edf0fe4edf207b23d924fde2649 (commit) - Log ----------------------------------------------------------------- commit 9ca08f91e9817892c3545612a91d38687e593e14 Author: Richard Levitte Date: Thu Feb 4 15:32:37 2021 +0100 Makefile template: Allow separate generation of .pod.in -> .pod We do this by adding the attribute 'pod' to all .pod.in -> .pod generations, like this: DEPEND[NAME.pod]{pod}=NAME.pod.in, ... and selecting out the target files for those dependencies into a dedicated target 'build_generated_pods', which the 'doc-nits' and 'cmd-nits' make targets are made to depend on. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14067) commit b8393eae224d11276323957fcd493953d5b135b9 Author: Richard Levitte Date: Thu Feb 4 12:58:35 2021 +0100 DOCS: Remove the "global" dependency on writing .pod files from .pod.in The dependency was made in such a way that .pod.in -> .pod generation would always be done, no matter what. This changes the procedure so that the generation is made "on demand", i.e. when the resulting .pod files are needed. This turned out to be duplicated dependencies, as the .pod -> .pod.in dependencies were already in place. Just removing the duplicate fixes the situation. 'make build_all_generated' still works, for those who do want to have all file generations performed. (as a reminder, this is suitable to generate the files a fast system and then copy the result to a slower system, or system where there's no perl) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14067) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 18 ++++++++++-- build.info | 3 +- doc/build.info | 1 + doc/man1/build.info | 61 ++------------------------------------- 4 files changed, 21 insertions(+), 62 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 174e52871e..0cf287ac5a 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -112,6 +112,19 @@ DEPS={- join(" \\\n" . ' ' x 5, GENERATED_MANDATORY={- join(" \\\n" . ' ' x 20, fill_lines(" ", $COLUMNS - 20, @{$unified_info{depends}->{""}})) -} +GENERATED_PODS={- # common0.tmpl provides @generated + join(" \\\n" . ' ' x 15, + fill_lines(" ", $COLUMNS - 15, + map { my $x = $_; + ( + grep { + $unified_info{attributes}->{depends} + ->{$x}->{$_}->{pod} // 0 + } + keys %{$unified_info{attributes}->{depends}->{$x}} + ) ? $x : (); + } + @generated)) -} GENERATED={- # common0.tmpl provides @generated join(" \\\n" . ' ' x 5, fill_lines(" ", $COLUMNS - 5, @@ -457,6 +470,7 @@ LANG=C {- dependmagic('build_modules'); -}: build_modules_nodep {- dependmagic('build_programs'); -}: build_programs_nodep +build_generated_pods: $(GENERATED_PODS) build_docs: build_man_docs build_html_docs build_man_docs: $(MANDOCS1) $(MANDOCS3) $(MANDOCS5) $(MANDOCS7) build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7) @@ -1014,10 +1028,10 @@ generate: generate_apps generate_crypto_bn generate_crypto_objects \ generate_crypto_conf generate_crypto_asn1 generate_fuzz_oids .PHONY: doc-nits cmd-nits md-nits -doc-nits: build_generated +doc-nits: build_generated_pods $(PERL) $(SRCDIR)/util/find-doc-nits -n -l -e -cmd-nits: build_generated apps/openssl +cmd-nits: build_generated apps/openssl build_generated_pods $(PERL) $(SRCDIR)/util/find-doc-nits -c # This uses "mdl", the markdownlint application, which is written in ruby. diff --git a/build.info b/build.info index 27818b7fce..053329c682 100644 --- a/build.info +++ b/build.info @@ -38,8 +38,7 @@ DEPEND[]=include/openssl/asn1.h \ include/openssl/x509.h \ include/openssl/x509v3.h \ include/openssl/x509_vfy.h \ - include/crypto/bn_conf.h include/crypto/dso_conf.h \ - doc/man7/openssl_user_macros.pod + include/crypto/bn_conf.h include/crypto/dso_conf.h GENERATE[include/openssl/asn1.h]=include/openssl/asn1.h.in GENERATE[include/openssl/asn1t.h]=include/openssl/asn1t.h.in diff --git a/doc/build.info b/doc/build.info index 83da34ee29..267629040d 100644 --- a/doc/build.info +++ b/doc/build.info @@ -56,6 +56,7 @@ DEPEND[$manfile]=$podfile GENERATE[$manfile]=$podfile _____ $OUT .= << "_____" if $podinfile; +DEPEND[$podfile]{pod}=$podinfile GENERATE[$podfile]=$podinfile _____ } diff --git a/doc/man1/build.info b/doc/man1/build.info index 6d9d7b564c..b796fce42f 100644 --- a/doc/man1/build.info +++ b/doc/man1/build.info @@ -1,58 +1,6 @@ - -DEPEND[]= \ - openssl-asn1parse.pod \ - openssl-ca.pod \ - openssl-ciphers.pod \ - openssl-cmds.pod \ - openssl-cmp.pod \ - openssl-cms.pod \ - openssl-crl2pkcs7.pod \ - openssl-crl.pod \ - openssl-dgst.pod \ - openssl-dhparam.pod \ - openssl-dsaparam.pod \ - openssl-dsa.pod \ - openssl-ecparam.pod \ - openssl-ec.pod \ - openssl-enc.pod \ - openssl-engine.pod \ - openssl-errstr.pod \ - openssl-fipsinstall.pod \ - openssl-gendsa.pod \ - openssl-genpkey.pod \ - openssl-genrsa.pod \ - openssl-info.pod \ - openssl-kdf.pod \ - openssl-list.pod \ - openssl-mac.pod \ - openssl-nseq.pod \ - openssl-ocsp.pod \ - openssl-passwd.pod \ - openssl-pkcs12.pod \ - openssl-pkcs7.pod \ - openssl-pkcs8.pod \ - openssl-pkeyparam.pod \ - openssl-pkey.pod \ - openssl-pkeyutl.pod \ - openssl-prime.pod \ - openssl-rand.pod \ - openssl-rehash.pod \ - openssl-req.pod \ - openssl-rsa.pod \ - openssl-rsautl.pod \ - openssl-s_client.pod \ - openssl-sess_id.pod \ - openssl-smime.pod \ - openssl-speed.pod \ - openssl-spkac.pod \ - openssl-srp.pod \ - openssl-s_server.pod \ - openssl-s_time.pod \ - openssl-storeutl.pod \ - openssl-ts.pod \ - openssl-verify.pod \ - openssl-version.pod \ - openssl-x509.pod +# All .pod.in files are detected by build.info in the parent directory, and +# turned into appropriate DEPEND and GENERATE lines. All we need here are +# the additional dependencies on ../perlvars.pm. DEPEND[openssl-asn1parse.pod]=../perlvars.pm DEPEND[openssl-ca.pod]=../perlvars.pm @@ -107,6 +55,3 @@ DEPEND[openssl-ts.pod]=../perlvars.pm DEPEND[openssl-verify.pod]=../perlvars.pm DEPEND[openssl-version.pod]=../perlvars.pm DEPEND[openssl-x509.pod]=../perlvars.pm - -# All .pod.in files are detected by build.info in the parent directory, and -# turned into appropriate GENERATE lines. From matt at openssl.org Fri Feb 5 15:39:51 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 05 Feb 2021 15:39:51 +0000 Subject: [openssl] master update Message-ID: <1612539591.786185.14784.nullmailer@dev.openssl.org> The branch master has been updated via 5682e77dff5123f0e9259c258bb58bc6d2e358ef (commit) via e376242d28e08591af229674a2816ac6f4bb8fdf (commit) via 462f4f4bc0eeb6505a8914bd751b3f20b43ea778 (commit) via 54e3efff81f41f71fe17303d5ec6db49415e5d6d (commit) via 306b8e7e19f6c5019a9fc4050c5de6ebe7135c1f (commit) via 3de751e7f0791f5c9778faf44631555f05e24fad (commit) via 05b4b85d4bb9f54fa7ed5e964595308f1f87d5b8 (commit) via a763ca11777ce01a286751f3f3dd9b106ef74f30 (commit) via 8b1db5d329740bd5363fd1763d4030d0e015b521 (commit) via ddf8f1ce634b9a3bd30603d9e0eaec1990a0d586 (commit) via 5b64ce89b0859956387cda1d56718d2a5f09d928 (commit) from 9ca08f91e9817892c3545612a91d38687e593e14 (commit) - Log ----------------------------------------------------------------- commit 5682e77dff5123f0e9259c258bb58bc6d2e358ef Author: Matt Caswell Date: Mon Feb 1 15:15:10 2021 +0000 Fix the cipher_overhead_test Now that libssl no longer has any OPENSSL_NO_ALG guards the internal cipher_overhead_test wasn't quite handling disabled ciphers correctly. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit e376242d28e08591af229674a2816ac6f4bb8fdf Author: Matt Caswell Date: Wed Jan 20 15:29:59 2021 +0000 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg We should no longer be relying on compile time checks in libssl for the availability of crypto algorithms. The availability of crypto algorithms should be determined at runtime based on what providers have been loaded. Fixes #13616 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit 462f4f4bc0eeb6505a8914bd751b3f20b43ea778 Author: Matt Caswell Date: Fri Jan 15 16:54:28 2021 +0000 Remove OPENSSL_NO_EC guards from libssl Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit 54e3efff81f41f71fe17303d5ec6db49415e5d6d Author: Matt Caswell Date: Wed Jan 20 15:09:24 2021 +0000 Make sure we don't use sigalgs that are not available We may have compiled in sigalg values that we can't support at runtime. Make sure we only use sigalgs that are actually enabled. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit 306b8e7e19f6c5019a9fc4050c5de6ebe7135c1f Author: Matt Caswell Date: Wed Jan 20 12:38:43 2021 +0000 Add the nist group names as aliases for the normal TLS group names By recognising the nist group names directly we can avoid having to call EC_curve_nist2nid in libssl, which is not available in a no-ec build. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit 3de751e7f0791f5c9778faf44631555f05e24fad Author: Matt Caswell Date: Fri Jan 15 16:10:52 2021 +0000 Remove compile time guard checking from ssl3_get_req_cert_type With 3.0 we need to know whether algs are available at run time not at compile time. Actually the code as written is sufficient to do this, so we can simply remove the guards. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit 05b4b85d4bb9f54fa7ed5e964595308f1f87d5b8 Author: Matt Caswell Date: Fri Jan 15 15:43:28 2021 +0000 Check for availability of ciphersuites at run time In 1.1.1 and below we would check for the availability of certain algorithms based on compile time guards. However with 3.0 this is no longer sufficient. Some algorithms that are unavailable at compile time may become available later if 3rd party providers are loaded. Similarly, algorithms that exist in our built-in providers at compile time may not be available at run time if those providers are not loaded. Fixes #13184 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit a763ca11777ce01a286751f3f3dd9b106ef74f30 Author: Matt Caswell Date: Thu Jan 14 15:50:20 2021 +0000 Stop disabling TLSv1.3 if ec and dh are disabled Even if EC and DH are disabled then we may still be able to use TLSv1.3 if we have groups that have been plugged in by an external provider. Fixes #13767 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit 8b1db5d329740bd5363fd1763d4030d0e015b521 Author: Matt Caswell Date: Wed Jan 13 17:27:10 2021 +0000 Make supported_groups code independent of EC and DH The supported groups code was checking the OPENSSL_NO_EC and OPENSSL_NO_DH guards in order to work, and the list of default groups was based on those guards. However we now need it to work even in a no-ec and no-dh build, because new groups might be added from providers. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit ddf8f1ce634b9a3bd30603d9e0eaec1990a0d586 Author: Matt Caswell Date: Wed Jan 13 15:50:36 2021 +0000 Ensure default supported groups works even with no-ec and no-dh The default supported groups code was disabled in the event of a build with no-ec and no-dh. However now that providers can add there own groups (which might not fit into either of these categories), this is no longer appropriate. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) commit 5b64ce89b0859956387cda1d56718d2a5f09d928 Author: Matt Caswell Date: Wed Jan 13 12:39:40 2021 +0000 Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged in via providers it is no longer needed to disable DH at compile time in libssl. Instead it should detect at runtime whether DH is available from the loaded providers. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 11 +++ Configure | 2 - crypto/err/openssl.txt | 3 +- include/openssl/ssl.h.in | 9 +-- include/openssl/sslerr.h | 2 + providers/common/capabilities.c | 26 ++++--- ssl/s3_enc.c | 2 - ssl/s3_lib.c | 79 +++++-------------- ssl/ssl_cert.c | 3 +- ssl/ssl_ciph.c | 52 +++++++------ ssl/ssl_conf.c | 16 ++-- ssl/ssl_err.c | 3 + ssl/ssl_lib.c | 43 +---------- ssl/ssl_local.h | 20 +---- ssl/ssl_rsa.c | 4 +- ssl/sslerr.h | 2 +- ssl/statem/extensions.c | 12 --- ssl/statem/extensions_clnt.c | 34 +++++---- ssl/statem/extensions_cust.c | 2 - ssl/statem/extensions_srvr.c | 10 +-- ssl/statem/statem_clnt.c | 24 +----- ssl/statem/statem_lib.c | 6 -- ssl/statem/statem_local.h | 8 -- ssl/statem/statem_srvr.c | 23 +----- ssl/t1_enc.c | 2 - ssl/t1_lib.c | 129 +++++++++++++++----------------- ssl/t1_trce.c | 2 - ssl/tls_depr.c | 32 +++++++- test/cipher_overhead_test.c | 23 ++++++ test/helpers/ssltestlib.c | 49 +++++++----- test/recipes/70-test_comp.t | 3 +- test/recipes/70-test_key_share.t | 3 + test/recipes/70-test_sslcbcpadding.t | 2 + test/recipes/70-test_sslextension.t | 6 +- test/recipes/70-test_sslrecords.t | 13 +++- test/recipes/70-test_sslsigalgs.t | 15 ++-- test/recipes/70-test_sslsignature.t | 4 +- test/recipes/70-test_sslversions.t | 5 +- test/recipes/70-test_tls13alerts.t | 2 +- test/recipes/70-test_tls13cookie.t | 2 +- test/recipes/70-test_tls13downgrade.t | 4 +- test/recipes/70-test_tls13hrr.t | 2 +- test/recipes/70-test_tls13kexmodes.t | 2 +- test/recipes/70-test_tls13psk.t | 2 +- test/recipes/70-test_tlsextms.t | 17 +++-- test/recipes/80-test_ssl_new.t | 11 ++- test/recipes/80-test_ssl_old.t | 2 + test/recipes/90-test_tls13ccs.t | 2 +- test/recipes/90-test_tls13encryption.t | 2 +- test/recipes/90-test_tls13secrets.t | 4 +- test/recordlentest.c | 3 +- test/servername_test.c | 15 ++++ test/ssl-tests/04-client_auth.cnf.in | 4 +- test/ssl-tests/27-ticket-appdata.cnf.in | 3 +- test/ssl-tests/protocol_version.pm | 22 ++++-- test/ssl_old_test.c | 5 ++ test/ssl_test.c | 22 ++++-- test/sslapitest.c | 121 ++++++++++++++++-------------- 58 files changed, 466 insertions(+), 465 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index d80016560e..7c934935eb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,17 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. + Typically if OpenSSL has no EC or DH algorithms then it cannot support + connections with TLSv1.3. However OpenSSL now supports "pluggable" groups + through providers. Therefore third party providers may supply group + implementations even where there are no built-in ones. Attempting to create + TLS connections in such a build without also disabling TLSv1.3 at run time or + using third party provider groups may result in handshake failures. TLSv1.3 + can be disabled at compile time using the "no-tls1_3" Configure option. + + *Matt Caswell* + * The undocumented function X509_certificate_type() has been deprecated; applications can use X509_get0_pubkey() and X509_get0_signature() to get the same information. diff --git a/Configure b/Configure index e429d6ff5b..9a96a7f0c0 100755 --- a/Configure +++ b/Configure @@ -563,8 +563,6 @@ my @disable_cascades = ( "zlib" => [ "zlib-dynamic" ], "des" => [ "mdc2" ], "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ], - sub { $disabled{"ec"} && $disabled{"dh"} } - => [ "tls1_3" ], "dgram" => [ "dtls", "sctp" ], "sock" => [ "dgram" ], "dtls" => [ @dtls ], diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index d64b356044..c1a0f1d0bd 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1264,6 +1264,7 @@ SSL_R_BLOCK_CIPHER_PAD_IS_WRONG:129:block cipher pad is wrong SSL_R_BN_LIB:130:bn lib SSL_R_CALLBACK_FAILED:234:callback failed SSL_R_CANNOT_CHANGE_CIPHER:109:cannot change cipher +SSL_R_CANNOT_GET_GROUP_NAME:299:cannot get group name SSL_R_CA_DN_LENGTH_MISMATCH:131:ca dn length mismatch SSL_R_CA_KEY_TOO_SMALL:397:ca key too small SSL_R_CA_MD_TOO_WEAK:398:ca md too weak @@ -1273,7 +1274,6 @@ SSL_R_CERT_CB_ERROR:377:cert cb error SSL_R_CERT_LENGTH_MISMATCH:135:cert length mismatch SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED:218:ciphersuite digest has changed SSL_R_CIPHER_CODE_WRONG_LENGTH:137:cipher code wrong length -SSL_R_CIPHER_OR_HASH_UNAVAILABLE:138:cipher or hash unavailable SSL_R_CLIENTHELLO_TLSEXT:226:clienthello tlsext SSL_R_COMPRESSED_LENGTH_TOO_LONG:140:compressed length too long SSL_R_COMPRESSION_DISABLED:343:compression disabled @@ -1399,6 +1399,7 @@ SSL_R_NO_SHARED_GROUPS:410:no shared groups SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS:376:no shared signature algorithms SSL_R_NO_SRTP_PROFILES:359:no srtp profiles SSL_R_NO_SUITABLE_DIGEST_ALGORITHM:297:no suitable digest algorithm +SSL_R_NO_SUITABLE_GROUPS:295:no suitable groups SSL_R_NO_SUITABLE_KEY_SHARE:101:no suitable key share SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM:118:no suitable signature algorithm SSL_R_NO_VALID_SCTS:216:no valid scts diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 00956547e7..f329514324 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -194,14 +194,9 @@ extern "C" { * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() * Update both macro and function simultaneously */ -# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - "TLS_CHACHA20_POLY1305_SHA256:" \ - "TLS_AES_128_GCM_SHA256" -# else -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ + "TLS_CHACHA20_POLY1305_SHA256:" \ "TLS_AES_128_GCM_SHA256" -# endif # endif /* * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 27664afd58..7fea8a87b7 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -66,6 +66,7 @@ # define SSL_R_BN_LIB 130 # define SSL_R_CALLBACK_FAILED 234 # define SSL_R_CANNOT_CHANGE_CIPHER 109 +# define SSL_R_CANNOT_GET_GROUP_NAME 299 # define SSL_R_CA_DN_LENGTH_MISMATCH 131 # define SSL_R_CA_KEY_TOO_SMALL 397 # define SSL_R_CA_MD_TOO_WEAK 398 @@ -195,6 +196,7 @@ # define SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS 376 # define SSL_R_NO_SRTP_PROFILES 359 # define SSL_R_NO_SUITABLE_DIGEST_ALGORITHM 297 +# define SSL_R_NO_SUITABLE_GROUPS 295 # define SSL_R_NO_SUITABLE_KEY_SHARE 101 # define SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM 118 # define SSL_R_NO_VALID_SCTS 216 diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c index f935268ab2..f708beb16d 100644 --- a/providers/common/capabilities.c +++ b/providers/common/capabilities.c @@ -102,12 +102,14 @@ static const OSSL_PARAM param_group_list[][10] = { # ifndef OPENSSL_NO_EC # ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect163k1", "sect163k1", "EC", 0), + TLS_GROUP_ENTRY("K-163", "sect163k1", "EC", 0), /* Alias of above */ # endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("sect163r1", "sect163r1", "EC", 1), # endif # ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect163r2", "sect163r2", "EC", 2), + TLS_GROUP_ENTRY("B-163", "sect163r2", "EC", 2), /* Alias of above */ # endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("sect193r1", "sect193r1", "EC", 3), @@ -115,18 +117,26 @@ static const OSSL_PARAM param_group_list[][10] = { # endif # ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect233k1", "sect233k1", "EC", 5), + TLS_GROUP_ENTRY("K-233", "sect233k1", "EC", 5), /* Alias of above */ TLS_GROUP_ENTRY("sect233r1", "sect233r1", "EC", 6), + TLS_GROUP_ENTRY("B-233", "sect233r1", "EC", 6), /* Alias of above */ # endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("sect239k1", "sect239k1", "EC", 7), # endif # ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect283k1", "sect283k1", "EC", 8), + TLS_GROUP_ENTRY("K-283", "sect283k1", "EC", 8), /* Alias of above */ TLS_GROUP_ENTRY("sect283r1", "sect283r1", "EC", 9), + TLS_GROUP_ENTRY("B-283", "sect283r1", "EC", 9), /* Alias of above */ TLS_GROUP_ENTRY("sect409k1", "sect409k1", "EC", 10), + TLS_GROUP_ENTRY("K-409", "sect409k1", "EC", 10), /* Alias of above */ TLS_GROUP_ENTRY("sect409r1", "sect409r1", "EC", 11), + TLS_GROUP_ENTRY("B-409", "sect409r1", "EC", 11), /* Alias of above */ TLS_GROUP_ENTRY("sect571k1", "sect571k1", "EC", 12), + TLS_GROUP_ENTRY("K-571", "sect571k1", "EC", 12), /* Alias of above */ TLS_GROUP_ENTRY("sect571r1", "sect571r1", "EC", 13), + TLS_GROUP_ENTRY("B-571", "sect571r1", "EC", 13), /* Alias of above */ # endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("secp160k1", "secp160k1", "EC", 14), @@ -135,23 +145,28 @@ static const OSSL_PARAM param_group_list[][10] = { TLS_GROUP_ENTRY("secp192k1", "secp192k1", "EC", 17), # endif TLS_GROUP_ENTRY("secp192r1", "prime192v1", "EC", 18), + TLS_GROUP_ENTRY("P-192", "prime192v1", "EC", 18), /* Alias of above */ # ifndef FIPS_MODULE TLS_GROUP_ENTRY("secp224k1", "secp224k1", "EC", 19), # endif TLS_GROUP_ENTRY("secp224r1", "secp224r1", "EC", 20), + TLS_GROUP_ENTRY("P-224", "secp224r1", "EC", 20), /* Alias of above */ # ifndef FIPS_MODULE TLS_GROUP_ENTRY("secp256k1", "secp256k1", "EC", 21), # endif TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22), + TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 22), /* Alias of above */ TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23), + TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 23), /* Alias of above */ TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24), + TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 24), /* Alias of above */ # ifndef FIPS_MODULE TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), # endif - TLS_GROUP_ENTRY("x25519", "x25519", "X25519", 28), - TLS_GROUP_ENTRY("x448", "x448", "X448", 29), + TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), + TLS_GROUP_ENTRY("x448", "X448", "X448", 29), # endif /* OPENSSL_NO_EC */ # ifndef OPENSSL_NO_DH /* Security bit values for FFDHE groups are as per RFC 7919 */ @@ -169,13 +184,6 @@ static int tls_group_capability(OSSL_CALLBACK *cb, void *arg) #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) size_t i; -# if !defined(OPENSSL_NO_EC) \ - && !defined(OPENSSL_NO_EC2M) \ - && !defined(OPENSSL_NO_DH) \ - && !defined(FIPS_MODULE) - assert(OSSL_NELEM(param_group_list) == OSSL_NELEM(group_list)); -# endif - for (i = 0; i < OSSL_NELEM(param_group_list); i++) if (!cb(param_group_list[i], arg)) return 0; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 1e297d23d5..cf4d5fe4e7 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -297,10 +297,8 @@ int ssl3_setup_key_block(SSL *s) if (s->session->cipher->algorithm_enc == SSL_eNULL) s->s3.need_empty_fragments = 0; -#ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3.need_empty_fragments = 0; -#endif } } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a6c87ad75d..ec19eeacc3 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -66,7 +66,6 @@ static SSL_CIPHER tls13_ciphers[] = { 256, 256, }, -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) { 1, TLS1_3_RFC_CHACHA20_POLY1305_SHA256, @@ -83,7 +82,6 @@ static SSL_CIPHER tls13_ciphers[] = { 256, 256, }, -#endif { 1, TLS1_3_RFC_AES_128_CCM_SHA256, @@ -2036,7 +2034,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, }, -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) { 1, TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, @@ -2149,10 +2146,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* !defined(OPENSSL_NO_CHACHA) && - * !defined(OPENSSL_NO_POLY1305) */ -#ifndef OPENSSL_NO_CAMELLIA { 1, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, @@ -2601,7 +2595,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_CAMELLIA */ #ifndef OPENSSL_NO_GOST { @@ -2718,7 +2711,6 @@ static SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_GOST */ -#ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, @@ -2735,9 +2727,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -#endif -#ifndef OPENSSL_NO_SEED { 1, TLS1_TXT_RSA_WITH_SEED_SHA, @@ -2802,7 +2792,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -#endif /* OPENSSL_NO_SEED */ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { @@ -2967,7 +2956,6 @@ static SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ -#ifndef OPENSSL_NO_ARIA { 1, TLS1_TXT_RSA_WITH_ARIA_128_GCM_SHA256, @@ -3224,7 +3212,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_ARIA */ }; /* @@ -3360,12 +3347,10 @@ void ssl3_free(SSL *s) ssl3_cleanup_key_block(s); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; EVP_PKEY_free(s->s3.tmp.pkey); s->s3.tmp.pkey = NULL; -#endif ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); ssl_evp_md_free(s->s3.tmp.new_hash); @@ -3396,10 +3381,8 @@ int ssl3_clear(SSL *s) OPENSSL_free(s->s3.tmp.peer_sigalgs); OPENSSL_free(s->s3.tmp.peer_cert_sigalgs); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.tmp.pkey); EVP_PKEY_free(s->s3.peer_tmp); -#endif /* !OPENSSL_NO_EC */ ssl3_free_digest_list(s); @@ -3452,7 +3435,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_FLAGS: ret = (int)(s->s3.flags); break; -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3477,7 +3460,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3488,7 +3471,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) &s->ext.supportedgroups_len, parg); } -#endif +#endif /* !OPENSSL_NO_DEPRECATED_3_0 */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: /* * This API is only used for a client to set what SNI it will request @@ -3610,7 +3593,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } return ssl_cert_set_current(s->cert, larg); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_GET_GROUPS: { uint16_t *clist; @@ -3656,7 +3638,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_NEGOTIATED_GROUP: ret = tls1_group_id2nid(s->s3.group_id, 1); break; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3707,7 +3688,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; case SSL_CTRL_GET_PEER_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.peer_tmp == NULL) { return 0; } else { @@ -3715,12 +3695,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.peer_tmp; return 1; } -#else - return 0; -#endif case SSL_CTRL_GET_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.tmp.pkey == NULL) { return 0; } else { @@ -3728,11 +3704,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.tmp.pkey; return 1; } -#else - return 0; -#endif -#ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { const unsigned char **pformat = parg; @@ -3742,7 +3714,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *pformat = s->ext.peer_ecpointformats; return (int)s->ext.peer_ecpointformats_len; } -#endif default: break; @@ -3755,7 +3726,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) int ret = 0; switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; ret = 1; @@ -3780,7 +3751,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3804,7 +3775,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3815,7 +3786,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) &ctx->ext.supportedgroups_len, parg); } -#endif +#endif /* !OPENSSL_NO_DEPRECATED_3_0 */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->ext.servername_arg = parg; break; @@ -3911,7 +3882,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; #endif -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_SET_GROUPS: return tls1_set_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, @@ -3921,7 +3891,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_groups_list(ctx, &ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg); -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -4004,7 +3973,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -4138,9 +4107,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *prio, *allow; int i, ii, ok, prefer_sha256 = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; -#ifndef OPENSSL_NO_CHACHA STACK_OF(SSL_CIPHER) *prio_chacha = NULL; -#endif /* Let's see which ciphers we can support */ @@ -4173,7 +4140,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = srvr; allow = clnt; -#ifndef OPENSSL_NO_CHACHA + /* If ChaCha20 is at the top of the client preference list, and there are ChaCha20 ciphers in the server list, then temporarily prioritize all ChaCha20 ciphers in the servers list. */ @@ -4212,7 +4179,6 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } } } -# endif } else { prio = clnt; allow = srvr; @@ -4282,14 +4248,12 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name); -#ifndef OPENSSL_NO_EC /* * if we are considering an ECC cipher suite that uses an ephemeral * EC key check it */ if (alg_k & SSL_kECDHE) ok = ok && tls1_check_ec_tmp_key(s, c->id); -#endif /* OPENSSL_NO_EC */ if (!ok) continue; @@ -4300,14 +4264,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits, 0, (void *)c)) continue; -#if !defined(OPENSSL_NO_EC) + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3.is_probably_safari) { if (!ret) ret = sk_SSL_CIPHER_value(allow, ii); continue; } -#endif + if (prefer_sha256) { const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); @@ -4328,9 +4292,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, break; } } -#ifndef OPENSSL_NO_CHACHA + sk_SSL_CIPHER_free(prio_chacha); -#endif + return ret; } @@ -4362,22 +4326,17 @@ int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { -#ifndef OPENSSL_NO_DH if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH)) return 0; -# ifndef OPENSSL_NO_DSA - if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH)) + if (!(alg_a & SSL_aDSS) + && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH)) return 0; -# endif -#endif /* !OPENSSL_NO_DH */ } if (!(alg_a & SSL_aRSA) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_SIGN)) return 0; -#ifndef OPENSSL_NO_DSA if (!(alg_a & SSL_aDSS) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_SIGN)) return 0; -#endif -#ifndef OPENSSL_NO_EC + /* * ECDSA certs can be used with RSA cipher suites too so we don't * need to check for SSL_kECDH or SSL_kECDHE @@ -4386,7 +4345,7 @@ int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) && !(alg_a & SSL_aECDSA) && !WPACKET_put_bytes_u8(pkt, TLS_CT_ECDSA_SIGN)) return 0; -#endif + return 1; } @@ -4820,10 +4779,8 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) goto err; } -#ifndef OPENSSL_NO_DH - if (SSL_IS_TLS13(s) && EVP_PKEY_id(privkey) == EVP_PKEY_DH) + if (SSL_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH")) EVP_PKEY_CTX_set_dh_pad(pctx, 1); -#endif pms = OPENSSL_malloc(pmslen); if (pms == NULL) { diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 93608beddc..a9d9b9ca06 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -95,9 +95,8 @@ CERT *ssl_cert_dup(CERT *cert) ret->dh_tmp = cert->dh_tmp; EVP_PKEY_up_ref(ret->dh_tmp); } -#ifndef OPENSSL_NO_DH + ret->dh_tmp_cb = cert->dh_tmp_cb; -#endif ret->dh_tmp_auto = cert->dh_tmp_auto; for (i = 0; i < SSL_PKEY_NUM; i++) { diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index ec366707e5..d517799895 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -323,6 +323,8 @@ int ssl_load_ciphers(SSL_CTX *ctx) { size_t i; const ssl_cipher_table *t; + EVP_KEYEXCH *kex = NULL; + EVP_SIGNATURE *sig = NULL; ctx->disabled_enc_mask = 0; for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) { @@ -354,16 +356,33 @@ int ssl_load_ciphers(SSL_CTX *ctx) ctx->disabled_mkey_mask = 0; ctx->disabled_auth_mask = 0; -#ifdef OPENSSL_NO_DSA - ctx->disabled_auth_mask |= SSL_aDSS; -#endif -#ifdef OPENSSL_NO_DH - ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; -#endif -#ifdef OPENSSL_NO_EC - ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK; - ctx->disabled_auth_mask |= SSL_aECDSA; -#endif + /* + * We ignore any errors from the fetches below. They are expected to fail + * if theose algorithms are not available. + */ + ERR_set_mark(); + sig = EVP_SIGNATURE_fetch(ctx->libctx, "DSA", ctx->propq); + if (sig == NULL) + ctx->disabled_auth_mask |= SSL_aDSS; + else + EVP_SIGNATURE_free(sig); + kex = EVP_KEYEXCH_fetch(ctx->libctx, "DH", ctx->propq); + if (kex == NULL) + ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; + else + EVP_KEYEXCH_free(kex); + kex = EVP_KEYEXCH_fetch(ctx->libctx, "ECDH", ctx->propq); + if (kex == NULL) + ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK; + else + EVP_KEYEXCH_free(kex); + sig = EVP_SIGNATURE_fetch(ctx->libctx, "ECDSA", ctx->propq); + if (sig == NULL) + ctx->disabled_auth_mask |= SSL_aECDSA; + else + EVP_SIGNATURE_free(sig); + ERR_pop_to_mark(); + #ifdef OPENSSL_NO_PSK ctx->disabled_mkey_mask |= SSL_PSK; ctx->disabled_auth_mask |= SSL_aPSK; @@ -1226,7 +1245,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str, return retval; } -#ifndef OPENSSL_NO_EC static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, const char **prule_str) { @@ -1257,7 +1275,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, ERR_raise(ERR_LIB_SSL, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE); return 0; } -# ifndef OPENSSL_NO_EC + switch (suiteb_flags) { case SSL_CERT_FLAG_SUITEB_128_LOS: if (suiteb_comb2) @@ -1274,12 +1292,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, break; } return 1; -# else - ERR_raise(ERR_LIB_SSL, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE); - return 0; -# endif } -#endif static int ciphersuite_cb(const char *elem, int len, void *arg) { @@ -1427,10 +1440,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, */ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) return NULL; -#ifndef OPENSSL_NO_EC + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) return NULL; -#endif /* * To reduce the work to do we only want to process the compiled @@ -2203,8 +2215,6 @@ const char *OSSL_default_cipher_list(void) const char *OSSL_default_ciphersuites(void) { return "TLS_AES_256_GCM_SHA384:" -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) "TLS_CHACHA20_POLY1305_SHA256:" -#endif "TLS_AES_128_GCM_SHA256"; } diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 2e8240c73b..edd3fd7640 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -221,12 +221,10 @@ static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) return cmd_Groups(cctx, value); } -#ifndef OPENSSL_NO_EC /* ECDH temporary parameters */ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) { int rv = 1; - int nid; /* Ignore values supported by 1.0.2 for the automatic selection */ if ((cctx->flags & SSL_CONF_FLAG_FILE) @@ -237,20 +235,18 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) strcmp(value, "auto") == 0) return 1; - nid = EC_curve_nist2nid(value); - if (nid == NID_undef) - nid = OBJ_sn2nid(value); - if (nid == 0) + /* ECDHParameters accepts a single group name */ + if (strstr(value, ":") != NULL) return 0; if (cctx->ctx) - rv = SSL_CTX_set1_groups(cctx->ctx, &nid, 1); + rv = SSL_CTX_set1_groups_list(cctx->ctx, value); else if (cctx->ssl) - rv = SSL_set1_groups(cctx->ssl, &nid, 1); + rv = SSL_set1_groups_list(cctx->ssl, value); return rv > 0; } -#endif + static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) { int rv = 1; @@ -701,9 +697,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), SSL_CONF_CMD_STRING(Curves, "curves", 0), SSL_CONF_CMD_STRING(Groups, "groups", 0), -#ifndef OPENSSL_NO_EC SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), -#endif SSL_CONF_CMD_STRING(CipherString, "cipher", 0), SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0), SSL_CONF_CMD_STRING(Protocol, NULL, 0), diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 879b276520..357cfc7d94 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -74,6 +74,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CALLBACK_FAILED), "callback failed"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_CHANGE_CIPHER), "cannot change cipher"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_GET_GROUP_NAME), + "cannot get group name"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_KEY_TOO_SMALL), "ca key too small"}, @@ -299,6 +301,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SRTP_PROFILES), "no srtp profiles"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_DIGEST_ALGORITHM), "no suitable digest algorithm"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_GROUPS), "no suitable groups"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_KEY_SHARE), "no suitable key share"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM), diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5adc6f71a9..554fc3533d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -768,7 +768,6 @@ SSL *SSL_new(SSL_CTX *ctx) s->ext.ocsp.resp_len = 0; SSL_CTX_up_ref(ctx); s->session_ctx = ctx; -#ifndef OPENSSL_NO_EC if (ctx->ext.ecpointformats) { s->ext.ecpointformats = OPENSSL_memdup(ctx->ext.ecpointformats, @@ -778,7 +777,6 @@ SSL *SSL_new(SSL_CTX *ctx) s->ext.ecpointformats_len = ctx->ext.ecpointformats_len; } -#endif if (ctx->ext.supportedgroups) { s->ext.supportedgroups = OPENSSL_memdup(ctx->ext.supportedgroups, @@ -1212,10 +1210,8 @@ void SSL_free(SSL *s) OPENSSL_free(s->ext.hostname); SSL_CTX_free(s->session_ctx); -#ifndef OPENSSL_NO_EC OPENSSL_free(s->ext.ecpointformats); OPENSSL_free(s->ext.peer_ecpointformats); -#endif /* OPENSSL_NO_EC */ OPENSSL_free(s->ext.supportedgroups); OPENSSL_free(s->ext.peer_supportedgroups); sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); @@ -3392,10 +3388,9 @@ void SSL_CTX_free(SSL_CTX *a) tls_engine_finish(a->client_cert_engine); #endif -#ifndef OPENSSL_NO_EC OPENSSL_free(a->ext.ecpointformats); -#endif OPENSSL_free(a->ext.supportedgroups); + OPENSSL_free(a->ext.supported_groups_default); OPENSSL_free(a->ext.alpn); OPENSSL_secure_free(a->ext.secure); @@ -3498,24 +3493,19 @@ void ssl_set_masks(SSL *s) uint32_t *pvalid = s->s3.tmp.valid_flags; int rsa_enc, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; -#ifndef OPENSSL_NO_EC int have_ecc_cert, ecdsa_ok; -#endif + if (c == NULL) return; dh_tmp = (c->dh_tmp != NULL -#ifndef OPENSSL_NO_DH || c->dh_tmp_cb != NULL -#endif || c->dh_tmp_auto); rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID; -#ifndef OPENSSL_NO_EC have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; -#endif mask_k = 0; mask_a = 0; @@ -3563,7 +3553,6 @@ void ssl_set_masks(SSL *s) * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites * depending on the key usage extension. */ -#ifndef OPENSSL_NO_EC if (have_ecc_cert) { uint32_t ex_kusage; ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509); @@ -3584,11 +3573,8 @@ void ssl_set_masks(SSL *s) && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN && TLS1_get_version(s) == TLS1_2_VERSION) mask_a |= SSL_aECDSA; -#endif -#ifndef OPENSSL_NO_EC mask_k |= SSL_kECDHE; -#endif #ifndef OPENSSL_NO_PSK mask_k |= SSL_kPSK; @@ -3605,8 +3591,6 @@ void ssl_set_masks(SSL *s) s->s3.tmp.mask_a = mask_a; } -#ifndef OPENSSL_NO_EC - int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) { @@ -3619,8 +3603,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) return 1; /* all checks are ok */ } -#endif - int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length) { @@ -4483,27 +4465,6 @@ int SSL_want(const SSL *s) return s->rwstate; } -/** - * \brief Set the callback for generating temporary DH keys. - * \param ctx the SSL context. - * \param dh the callback - */ - -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, - DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} - -void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} -#endif - #ifndef OPENSSL_NO_PSK int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 1b8a43d131..5956b6c834 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1051,15 +1051,15 @@ struct ssl_ctx_st { /* RFC 4366 Maximum Fragment Length Negotiation */ uint8_t max_fragment_len_mode; -# ifndef OPENSSL_NO_EC /* EC extension values inherited by SSL structure */ size_t ecpointformats_len; unsigned char *ecpointformats; -# endif /* OPENSSL_NO_EC */ size_t supportedgroups_len; uint16_t *supportedgroups; + uint16_t *supported_groups_default; + size_t supported_groups_default_len; /* * ALPN information (we are in the process of transitioning from NPN to * ALPN.) @@ -1405,14 +1405,12 @@ struct ssl_st { /* used by the client to know if it actually sent alpn */ int alpn_sent; -# ifndef OPENSSL_NO_EC /* * This is set to true if we believe that this is a version of Safari * running on OS X 10.6 or newer. We wish to know this because Safari on * 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */ char is_probably_safari; -# endif /* !OPENSSL_NO_EC */ /* For clients: peer temporary key */ /* The group_id for the key exchange key */ @@ -1593,7 +1591,6 @@ struct ssl_st { int ticket_expected; /* TLS 1.3 tickets requested by the application. */ int extra_tickets_expected; -# ifndef OPENSSL_NO_EC size_t ecpointformats_len; /* our list */ unsigned char *ecpointformats; @@ -1601,7 +1598,6 @@ struct ssl_st { size_t peer_ecpointformats_len; /* peer's list */ unsigned char *peer_ecpointformats; -# endif /* OPENSSL_NO_EC */ size_t supportedgroups_len; /* our list */ uint16_t *supportedgroups; @@ -1927,14 +1923,12 @@ typedef struct dtls1_state_st { } DTLS1_STATE; -# ifndef OPENSSL_NO_EC /* * From ECC-TLS draft, used in encoding the curve type in ECParameters */ # define EXPLICIT_PRIME_CURVE_TYPE 1 # define EXPLICIT_CHAR2_CURVE_TYPE 2 # define NAMED_CURVE_TYPE 3 -# endif /* OPENSSL_NO_EC */ struct cert_pkey_st { X509 *x509; @@ -2009,9 +2003,7 @@ typedef struct cert_st { CERT_PKEY *key; EVP_PKEY *dh_tmp; -#ifndef OPENSSL_NO_DH DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize); -#endif int dh_tmp_auto; /* Flags related to certificates */ uint32_t cert_flags; @@ -2644,9 +2636,7 @@ __owur int tls1_alert_code(int code); __owur int tls13_alert_code(int code); __owur int ssl3_alert_code(int code); -# ifndef OPENSSL_NO_EC __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); -# endif SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); @@ -2661,13 +2651,11 @@ __owur int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, const char *str); __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); __owur int tls_valid_group(SSL *s, uint16_t group_id, int minversion, - int maxversion); + int maxversion, int isec, int *okfortls13); __owur EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id); -# ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats); __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); -# endif /* OPENSSL_NO_EC */ __owur int tls_group_allowed(SSL *s, uint16_t curve, int op); void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, @@ -2719,9 +2707,7 @@ __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); __owur int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd); __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); -# ifndef OPENSSL_NO_EC __owur int tls_check_sigalg_curve(const SSL *s, int curve); -# endif __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey); __owur int ssl_set_client_disabled(SSL *s); __owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int echde); diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 7c64a994e8..b78d751818 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -239,12 +239,12 @@ static int ssl_set_cert(CERT *c, X509 *x) ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return 0; } -#ifndef OPENSSL_NO_EC + if (i == SSL_PKEY_ECC && !EVP_PKEY_can_sign(pkey)) { ERR_raise(ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING); return 0; } -#endif + if (c->pkeys[i].privatekey != NULL) { /* * The return code from EVP_PKEY_copy_parameters is deliberately diff --git a/ssl/sslerr.h b/ssl/sslerr.h index ed70efc264..3ad54e4dcc 100644 --- a/ssl/sslerr.h +++ b/ssl/sslerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 1a3435a949..13e5f5a8e5 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -17,9 +17,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent); static int init_server_name(SSL *s, unsigned int context); static int final_server_name(SSL *s, unsigned int context, int sent); -#ifndef OPENSSL_NO_EC static int final_ec_pt_formats(SSL *s, unsigned int context, int sent); -#endif static int init_session_ticket(SSL *s, unsigned int context); #ifndef OPENSSL_NO_OCSP static int init_status_request(SSL *s, unsigned int context); @@ -151,7 +149,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { #else INVALID_EXTENSION, #endif -#ifndef OPENSSL_NO_EC { TLSEXT_TYPE_ec_point_formats, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO @@ -160,10 +157,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, final_ec_pt_formats }, -#else - INVALID_EXTENSION, -#endif -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) { /* * "supported_groups" is spread across several specifications. @@ -197,9 +190,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { tls_construct_stoc_supported_groups, tls_construct_ctos_supported_groups, NULL }, -#else - INVALID_EXTENSION, -#endif { TLSEXT_TYPE_session_ticket, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO @@ -1012,7 +1002,6 @@ static int final_server_name(SSL *s, unsigned int context, int sent) } } -#ifndef OPENSSL_NO_EC static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) { unsigned long alg_k, alg_a; @@ -1050,7 +1039,6 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) return 1; } -#endif static int init_session_ticket(SSL *s, unsigned int context) { diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 14dd7cfc76..3e4353b90e 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -108,7 +108,6 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, } #endif -#ifndef OPENSSL_NO_EC static int use_ecc(SSL *s, int min_version, int max_version) { int i, end, ret = 0; @@ -144,7 +143,7 @@ static int use_ecc(SSL *s, int min_version, int max_version) for (j = 0; j < num_groups; j++) { uint16_t ctmp = pgroups[j]; - if (tls_valid_group(s, ctmp, min_version, max_version) + if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL) && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) return 1; } @@ -182,15 +181,13 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#endif -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { const uint16_t *pgroups = NULL; - size_t num_groups = 0, i; + size_t num_groups = 0, i, tls13added = 0, added = 0; int min_version, max_version, reason; reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); @@ -199,13 +196,13 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, return EXT_RETURN_FAIL; } -#if defined(OPENSSL_NO_EC) - if (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION) - return EXT_RETURN_NOT_SENT; -#else - if (!use_ecc(s, min_version, max_version) && max_version < TLS1_3_VERSION) + /* + * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore + * if we don't have EC support then we don't send this extension. + */ + if (!use_ecc(s, min_version, max_version) + && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)) return EXT_RETURN_NOT_SENT; -#endif /* * Add TLS extension supported_groups to the ClientHello message @@ -223,23 +220,30 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, /* Copy group ID if supported */ for (i = 0; i < num_groups; i++) { uint16_t ctmp = pgroups[i]; + int okfortls13; - if (tls_valid_group(s, ctmp, min_version, max_version) + if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13) && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { if (!WPACKET_put_bytes_u16(pkt, ctmp)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } + if (okfortls13 && max_version == TLS1_3_VERSION) + tls13added++; + added++; } } if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + if (added == 0 || (tls13added == 0 && max_version == TLS1_3_VERSION)) + SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, + "No groups enabled for max supported SSL/TLS version"); + else + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } return EXT_RETURN_SENT; } -#endif EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, @@ -1306,7 +1310,6 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, return 1; } -#ifndef OPENSSL_NO_EC int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -1344,7 +1347,6 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, return 1; } -#endif int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index 2bc17db1bf..738051e1da 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -488,11 +488,9 @@ int SSL_extension_supported(unsigned int ext_type) switch (ext_type) { /* Internally supported extensions. */ case TLSEXT_TYPE_application_layer_protocol_negotiation: -#ifndef OPENSSL_NO_EC case TLSEXT_TYPE_ec_point_formats: case TLSEXT_TYPE_supported_groups: case TLSEXT_TYPE_key_share: -#endif #ifndef OPENSSL_NO_NEXTPROTONEG case TLSEXT_TYPE_next_proto_neg: #endif diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 2a6d89558b..56fcbd03c1 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -228,7 +228,6 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, } #endif -#ifndef OPENSSL_NO_EC int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -251,7 +250,6 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, return 1; } -#endif /* OPENSSL_NO_EC */ int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -893,7 +891,6 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 1; } -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -921,7 +918,6 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, return 1; } -#endif int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -1305,7 +1301,6 @@ EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -1331,9 +1326,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#endif -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -1358,7 +1351,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, for (i = 0; i < numgroups; i++) { uint16_t group = groups[i]; - if (tls_valid_group(s, group, version, version) + if (tls_valid_group(s, group, version, version, 0, NULL) && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { if (first) { /* @@ -1393,7 +1386,6 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#endif EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 35e45d59a1..cff522604f 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1725,11 +1725,7 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, OPENSSL_free(extensions); extensions = NULL; - if (s->ext.tls13_cookie_len == 0 -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) - && s->s3.tmp.pkey != NULL -#endif - ) { + if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { /* * We didn't receive a cookie or a new key_share so the next * ClientHello will not change @@ -2115,7 +2111,6 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) { -#ifndef OPENSSL_NO_EC PACKET encoded_pt; unsigned int curve_type, curve_id; @@ -2168,10 +2163,6 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) /* else anonymous ECDH, so no certificate or pkey. */ return 1; -#else - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; -#endif } MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) @@ -2186,10 +2177,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) save_param_start = *pkt; -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; -#endif if (alg_k & SSL_PSK) { if (!tls_process_ske_psk_preamble(s, pkt)) { @@ -2965,7 +2954,6 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) { -#ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; size_t encoded_pt_len = 0; EVP_PKEY *ckey = NULL, *skey = NULL; @@ -3006,10 +2994,6 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) OPENSSL_free(encodedPoint); EVP_PKEY_free(ckey); return ret; -#else - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; -#endif } static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) @@ -3556,25 +3540,23 @@ int ssl3_check_cert_and_algorithm(SSL *s) return 0; } -#ifndef OPENSSL_NO_EC if (clu->amask & SSL_aECDSA) { if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) return 1; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); return 0; } -#endif + if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_RSA_ENCRYPTING_CERT); return 0; } -#ifndef OPENSSL_NO_DH + if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } -#endif return 1; } diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index d5def193a0..6e491c978a 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1521,9 +1521,7 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) static int is_tls13_capable(const SSL *s) { int i; -#ifndef OPENSSL_NO_EC int curve; -#endif if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) return 0; @@ -1557,7 +1555,6 @@ static int is_tls13_capable(const SSL *s) } if (!ssl_has_cert(s, i)) continue; -#ifndef OPENSSL_NO_EC if (i != SSL_PKEY_ECC) return 1; /* @@ -1568,9 +1565,6 @@ static int is_tls13_capable(const SSL *s) curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey); if (tls_check_sigalg_curve(s, curve)) return 1; -#else - return 1; -#endif } return 0; diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 839a7010c9..c277a8e9c5 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -205,10 +205,8 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, #endif int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#ifndef OPENSSL_NO_EC int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidxl); int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, @@ -258,11 +256,9 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); @@ -319,11 +315,9 @@ EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); #endif -#ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); @@ -387,10 +381,8 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#ifndef OPENSSL_NO_EC int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); #ifndef OPENSSL_NO_OCSP diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 8ae8ddc052..956348613b 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1306,7 +1306,6 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) return 1; } -#ifndef OPENSSL_NO_EC /*- * ssl_check_for_safari attempts to fingerprint Safari using OS X * SecureTransport using the TLS extension block in |hello|. @@ -1368,7 +1367,6 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, ext_len); } -#endif /* !OPENSSL_NO_EC */ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { @@ -1853,10 +1851,8 @@ static int tls_early_post_process_client_hello(SSL *s) goto err; } -#ifndef OPENSSL_NO_EC if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) ssl_check_for_safari(s, clienthello); -#endif /* !OPENSSL_NO_EC */ /* TLS extensions */ if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, @@ -2420,11 +2416,9 @@ int tls_construct_server_done(SSL *s, WPACKET *pkt) int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) { EVP_PKEY *pkdh = NULL; -#ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; size_t encodedlen = 0; int curve_id = 0; -#endif const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; int i; unsigned long type; @@ -2466,7 +2460,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } else { pkdhp = cert->dh_tmp; } -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); if (pkdh == NULL) { @@ -2510,9 +2504,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } - } else -#ifndef OPENSSL_NO_EC - if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { + } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { if (s->s3.tmp.pkey != NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -2550,7 +2542,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) r[2] = NULL; r[3] = NULL; } else -#endif /* !OPENSSL_NO_EC */ #ifndef OPENSSL_NO_SRP if (type & SSL_kSRP) { if ((s->srp_ctx.N == NULL) || @@ -2638,7 +2629,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) BN_bn2bin(r[i], binval); } -#ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { /* * We only support named (not generic) curves. In this situation, the @@ -2656,7 +2646,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) OPENSSL_free(encodedPoint); encodedPoint = NULL; } -#endif /* not anonymous */ if (lu != NULL) { @@ -2717,9 +2706,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ret = 1; err: EVP_PKEY_free(pkdh); -#ifndef OPENSSL_NO_EC OPENSSL_free(encodedPoint); -#endif EVP_MD_CTX_free(md_ctx); if (freer) { BN_free(r[0]); @@ -3004,7 +2991,6 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt) static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) { -#ifndef OPENSSL_NO_EC EVP_PKEY *skey = s->s3.tmp.pkey; EVP_PKEY *ckey = NULL; int ret = 0; @@ -3057,11 +3043,6 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) EVP_PKEY_free(ckey); return ret; -#else - /* Should never happen */ - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; -#endif } static int tls_process_cke_srp(SSL *s, PACKET *pkt) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 67d148473e..531872bfb0 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -597,10 +597,8 @@ int tls1_setup_key_block(SSL *s) if (s->session->cipher->algorithm_enc == SSL_eNULL) s->s3.need_empty_fragments = 0; -#ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3.need_empty_fragments = 0; -#endif } } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7328c8e2b1..a7b5a6cc3f 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -185,25 +185,19 @@ static struct { {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} }; -#ifndef OPENSSL_NO_EC static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_uncompressed, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ /* The default curves */ -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) static const uint16_t supported_groups_default[] = { -# ifndef OPENSSL_NO_EC 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 30, /* X448 (30) */ 25, /* secp521r1 (25) */ 24, /* secp384r1 (24) */ -# endif -# ifndef OPENSSL_NO_GOST 34, /* GC256A (34) */ 35, /* GC256B (35) */ 36, /* GC256C (36) */ @@ -211,23 +205,17 @@ static const uint16_t supported_groups_default[] = { 38, /* GC512A (38) */ 39, /* GC512B (39) */ 40, /* GC512C (40) */ -# endif -# ifndef OPENSSL_NO_DH 0x100, /* ffdhe2048 (0x100) */ 0x101, /* ffdhe3072 (0x101) */ 0x102, /* ffdhe4096 (0x102) */ 0x103, /* ffdhe6144 (0x103) */ 0x104, /* ffdhe8192 (0x104) */ -# endif }; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ -#ifndef OPENSSL_NO_EC static const uint16_t suiteb_curves[] = { TLSEXT_curve_P_256, TLSEXT_curve_P_384 }; -#endif struct provider_group_data_st { SSL_CTX *ctx; @@ -398,29 +386,47 @@ static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) int ssl_load_groups(SSL_CTX *ctx) { - return OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx); + size_t i, j, num_deflt_grps = 0; + uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; + + if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) + return 0; + + for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { + for (j = 0; j < ctx->group_list_len; j++) { + if (ctx->group_list[j].group_id == supported_groups_default[i]) { + tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; + break; + } + } + } + + if (num_deflt_grps == 0) + return 1; + + ctx->ext.supported_groups_default + = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); + + if (ctx->ext.supported_groups_default == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + return 0; + } + + memcpy(ctx->ext.supported_groups_default, + tmp_supp_groups, + num_deflt_grps * sizeof(tmp_supp_groups[0])); + ctx->ext.supported_groups_default_len = num_deflt_grps; + + return 1; } static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) { size_t i; - int nid = NID_undef; - - /* See if we can identify a nid for this name */ -#ifndef OPENSSL_NO_EC - nid = EC_curve_nist2nid(name); -#endif - if (nid == NID_undef) - nid = OBJ_sn2nid(name); - if (nid == NID_undef) - nid = OBJ_ln2nid(name); for (i = 0; i < ctx->group_list_len; i++) { if (strcmp(ctx->group_list[i].tlsname, name) == 0 - || (nid != NID_undef - && nid == tls1_group_id2nid(ctx->group_list[i].group_id, - 0)) - ) + || strcmp(ctx->group_list[i].realname, name) == 0) return ctx->group_list[i].group_id; } @@ -484,10 +490,8 @@ uint16_t tls1_nid2group_id(int nid) void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, size_t *pgroupslen) { -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) /* For Suite B mode only include P-256, P-384 */ switch (tls1_suiteb(s)) { -# ifndef OPENSSL_NO_EC case SSL_CERT_FLAG_SUITEB_128_LOS: *pgroups = suiteb_curves; *pgroupslen = OSSL_NELEM(suiteb_curves); @@ -502,29 +506,28 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, *pgroups = suiteb_curves + 1; *pgroupslen = 1; break; -# endif default: if (s->ext.supportedgroups == NULL) { - *pgroups = supported_groups_default; - *pgroupslen = OSSL_NELEM(supported_groups_default); + *pgroups = s->ctx->ext.supported_groups_default; + *pgroupslen = s->ctx->ext.supported_groups_default_len; } else { *pgroups = s->ext.supportedgroups; *pgroupslen = s->ext.supportedgroups_len; } break; } -#else - *pgroups = NULL; - *pgroupslen = 0; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ } -int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion) +int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, + int isec, int *okfortls13) { const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); int ret; + if (okfortls13 != NULL) + okfortls13 = 0; + if (ginfo == NULL) return 0; @@ -546,7 +549,14 @@ int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion) ret = (minversion <= ginfo->maxtls); if (ginfo->mintls > 0) ret &= (maxversion >= ginfo->mintls); + if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) + *okfortls13 = (ginfo->maxtls == 0) + || (ginfo->maxtls >= TLS1_3_VERSION); } + ret &= !isec + || strcmp(ginfo->algorithm, "EC") == 0 + || strcmp(ginfo->algorithm, "X25519") == 0 + || strcmp(ginfo->algorithm, "X448") == 0; return ret; } @@ -795,7 +805,6 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) return tls1_in_list(group_id, groups, groups_len); } -#ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats) { @@ -948,24 +957,13 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) return 0; } -#else - -static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) -{ - return 1; -} - -#endif /* OPENSSL_NO_EC */ - /* Default sigalg schemes */ static const uint16_t tls12_sigalgs[] = { -#ifndef OPENSSL_NO_EC TLSEXT_SIGALG_ecdsa_secp256r1_sha256, TLSEXT_SIGALG_ecdsa_secp384r1_sha384, TLSEXT_SIGALG_ecdsa_secp521r1_sha512, TLSEXT_SIGALG_ed25519, TLSEXT_SIGALG_ed448, -#endif TLSEXT_SIGALG_rsa_pss_pss_sha256, TLSEXT_SIGALG_rsa_pss_pss_sha384, @@ -978,20 +976,19 @@ static const uint16_t tls12_sigalgs[] = { TLSEXT_SIGALG_rsa_pkcs1_sha384, TLSEXT_SIGALG_rsa_pkcs1_sha512, -#ifndef OPENSSL_NO_EC TLSEXT_SIGALG_ecdsa_sha224, TLSEXT_SIGALG_ecdsa_sha1, -#endif + TLSEXT_SIGALG_rsa_pkcs1_sha224, TLSEXT_SIGALG_rsa_pkcs1_sha1, -#ifndef OPENSSL_NO_DSA + TLSEXT_SIGALG_dsa_sha224, TLSEXT_SIGALG_dsa_sha1, TLSEXT_SIGALG_dsa_sha256, TLSEXT_SIGALG_dsa_sha384, TLSEXT_SIGALG_dsa_sha512, -#endif + #ifndef OPENSSL_NO_GOST TLSEXT_SIGALG_gostr34102012_256_intrinsic, TLSEXT_SIGALG_gostr34102012_512_intrinsic, @@ -1001,15 +998,13 @@ static const uint16_t tls12_sigalgs[] = { #endif }; -#ifndef OPENSSL_NO_EC + static const uint16_t suiteb_sigalgs[] = { TLSEXT_SIGALG_ecdsa_secp256r1_sha256, TLSEXT_SIGALG_ecdsa_secp384r1_sha384 }; -#endif static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { -#ifndef OPENSSL_NO_EC {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1}, @@ -1031,7 +1026,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {NULL, TLSEXT_SIGALG_ecdsa_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, NID_ecdsa_with_SHA1, NID_undef, 1}, -#endif {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, NID_undef, NID_undef, 1}, @@ -1065,7 +1059,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, NID_sha1WithRSAEncryption, NID_undef, 1}, -#ifndef OPENSSL_NO_DSA {NULL, TLSEXT_SIGALG_dsa_sha256, NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, NID_dsa_with_SHA256, NID_undef, 1}, @@ -1081,7 +1074,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {NULL, TLSEXT_SIGALG_dsa_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, NID_dsaWithSHA1, NID_undef, 1}, -#endif #ifndef OPENSSL_NO_GOST {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, @@ -1193,8 +1185,11 @@ static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg) /* cache should have the same number of elements as sigalg_lookup_tbl */ i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { - if (lu->sigalg == sigalg) + if (lu->sigalg == sigalg) { + if (!lu->enabled) + return NULL; return lu; + } } return NULL; } @@ -1300,6 +1295,8 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]); + if (lu == NULL) + return NULL; if (!tls1_lookup_md(s->ctx, lu, NULL)) return NULL; if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) @@ -1331,7 +1328,6 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) * If Suite B mode use Suite B sigalgs only, ignore any other * preferences. */ -#ifndef OPENSSL_NO_EC switch (tls1_suiteb(s)) { case SSL_CERT_FLAG_SUITEB_128_LOS: *psigs = suiteb_sigalgs; @@ -1345,7 +1341,6 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) *psigs = suiteb_sigalgs + 1; return 1; } -#endif /* * We use client_sigalgs (if not NULL) if we're a server * and sending a certificate request or if we're a client and @@ -1363,7 +1358,6 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) } } -#ifndef OPENSSL_NO_EC /* * Called by servers only. Checks that we have a sig alg that supports the * specified EC curve. @@ -1394,7 +1388,6 @@ int tls_check_sigalg_curve(const SSL *s, int curve) return 0; } -#endif /* * Return the number of security bits for the signature algorithm, or 0 on @@ -1487,7 +1480,6 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) return 0; } -#ifndef OPENSSL_NO_EC if (pkeyid == EVP_PKEY_EC) { /* Check point compression is permitted */ @@ -1526,7 +1518,6 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } -#endif /* Check signature matches a type we sent */ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); @@ -2140,7 +2131,8 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, for (i = 0; i < psiglen; i++, psig++) { const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig); - if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) + if (lu == NULL + || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) continue; if (!WPACKET_put_bytes_u16(pkt, *psig)) return 0; @@ -2170,7 +2162,8 @@ static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp); /* Skip disabled hashes or signature algorithms */ - if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) + if (lu == NULL + || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) continue; for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { if (*ptmp == *atmp) { diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 58695a0b69..19ec1eabf5 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1181,7 +1181,6 @@ static int ssl_print_server_keyex(BIO *bio, int indent, const SSL *ssl, return 0; break; -# ifndef OPENSSL_NO_EC case SSL_kECDHE: case SSL_kECDHEPSK: if (msglen < 1) @@ -1207,7 +1206,6 @@ static int ssl_print_server_keyex(BIO *bio, int indent, const SSL *ssl, return 0; } break; -# endif case SSL_kPSK: case SSL_kRSAPSK: diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 7ecb61e79c..0b21ff7669 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -144,9 +144,9 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) } /* Some deprecated public APIs pass DH objects */ -# ifndef OPENSSL_NO_DH EVP_PKEY *ssl_dh_to_pkey(DH *dh) { +# ifndef OPENSSL_NO_DH EVP_PKEY *ret; if (dh == NULL) @@ -157,14 +157,16 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh) return NULL; } return ret; -} +# else + return NULL; # endif +} /* Some deprecated public APIs pass EC_KEY objects */ -# ifndef OPENSSL_NO_EC int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, void *key) { +# ifndef OPENSSL_NO_EC const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key); int nid; @@ -176,6 +178,28 @@ int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, if (nid == NID_undef) return 0; return tls1_set_groups(pext, pextlen, &nid, 1); +# else + return 0; +# endif +} + +/* + * Set the callback for generating temporary DH keys. + * ctx: the SSL context. + * dh: the callback + */ +# if !defined(OPENSSL_NO_DH) +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, + DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); +} + +void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); } # endif -#endif +#endif /* OPENSSL_NO_DEPRECATED */ diff --git a/test/cipher_overhead_test.c b/test/cipher_overhead_test.c index 04be8d71cf..2231a215fd 100644 --- a/test/cipher_overhead_test.c +++ b/test/cipher_overhead_test.c @@ -11,6 +11,25 @@ #include "testutil.h" #include "../ssl/ssl_local.h" +static int cipher_enabled(const SSL_CIPHER *ciph) +{ + /* + * ssl_cipher_get_overhead() actually works with AEAD ciphers even if the + * underlying implementation is not present. + */ + if ((ciph->algorithm_mac & SSL_AEAD) != 0) + return 1; + + if (ciph->algorithm_enc != SSL_eNULL + && EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(ciph)) == NULL) + return 0; + + if (EVP_get_digestbynid(SSL_CIPHER_get_digest_nid(ciph)) == NULL) + return 0; + + return 1; +} + static int cipher_overhead(void) { int ret = 1, i, n = ssl3_num_ciphers(); @@ -21,6 +40,10 @@ static int cipher_overhead(void) ciph = ssl3_get_cipher(i); if (!ciph->min_dtls) continue; + if (!cipher_enabled(ciph)) { + TEST_skip("Skipping disabled cipher %s", ciph->name); + continue; + } if (!TEST_true(ssl_cipher_get_overhead(ciph, &mac, &in, &blk, &ex))) { TEST_info("Failed getting %s", ciph->name); ret = 0; diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c index 2366c3db4d..e339d7972c 100644 --- a/test/helpers/ssltestlib.c +++ b/test/helpers/ssltestlib.c @@ -685,18 +685,19 @@ static int always_retry_puts(BIO *bio, const char *str) } int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm, -const SSL_METHOD *cm, - int min_proto_version, int max_proto_version, - SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, - char *privkeyfile) + const SSL_METHOD *cm, int min_proto_version, + int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx, + char *certfile, char *privkeyfile) { SSL_CTX *serverctx = NULL; SSL_CTX *clientctx = NULL; - if (*sctx != NULL) - serverctx = *sctx; - else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm))) - goto err; + if (sctx != NULL) { + if (*sctx != NULL) + serverctx = *sctx; + else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm))) + goto err; + } if (cctx != NULL) { if (*cctx != NULL) @@ -705,12 +706,25 @@ const SSL_METHOD *cm, goto err; } - if ((min_proto_version > 0 - && !TEST_true(SSL_CTX_set_min_proto_version(serverctx, - min_proto_version))) - || (max_proto_version > 0 - && !TEST_true(SSL_CTX_set_max_proto_version(serverctx, - max_proto_version)))) +#if !defined(OPENSSL_NO_TLS1_3) \ + && defined(OPENSSL_NO_EC) \ + && defined(OPENSSL_NO_DH) + /* + * There are no usable built-in TLSv1.3 groups if ec and dh are both + * disabled + */ + if (max_proto_version == 0 + && (sm == TLS_server_method() || cm == TLS_client_method())) + max_proto_version = TLS1_2_VERSION; +#endif + + if (serverctx != NULL + && ((min_proto_version > 0 + && !TEST_true(SSL_CTX_set_min_proto_version(serverctx, + min_proto_version))) + || (max_proto_version > 0 + && !TEST_true(SSL_CTX_set_max_proto_version(serverctx, + max_proto_version))))) goto err; if (clientctx != NULL && ((min_proto_version > 0 @@ -721,7 +735,7 @@ const SSL_METHOD *cm, max_proto_version))))) goto err; - if (certfile != NULL && privkeyfile != NULL) { + if (serverctx != NULL && certfile != NULL && privkeyfile != NULL) { if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM), 1) || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx, @@ -731,13 +745,14 @@ const SSL_METHOD *cm, goto err; } - *sctx = serverctx; + if (sctx != NULL) + *sctx = serverctx; if (cctx != NULL) *cctx = clientctx; return 1; err: - if (*sctx == NULL) + if (sctx != NULL && *sctx == NULL) SSL_CTX_free(serverctx); if (cctx != NULL && *cctx == NULL) SSL_CTX_free(clientctx); diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t index 2ac168c252..abd41d756c 100644 --- a/test/recipes/70-test_comp.t +++ b/test/recipes/70-test_comp.t @@ -65,7 +65,8 @@ SKIP: { } SKIP: { - skip "TLSv1.3 disabled", 2 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 2 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 3: Check that sending multiple compression methods in a TLSv1.3 # ClientHello fails $proxy->clear(); diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index b5b01907c6..7ecba99ee8 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -60,6 +60,9 @@ plan skip_all => "$test_name needs the sock feature enabled" plan skip_all => "$test_name needs TLS1.3 enabled" if disabled("tls1_3"); +plan skip_all => "$test_name needs EC or DH enabled" + if disabled("ec") && disabled("dh"); + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t index a293ab1e8d..273093244c 100644 --- a/test/recipes/70-test_sslcbcpadding.t +++ b/test/recipes/70-test_sslcbcpadding.t @@ -43,6 +43,7 @@ my @test_offsets = (0, 128, 254, 255); # Test that maximally-padded records are accepted. my $bad_padding_offset = -1; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->serverconnects(1 + scalar(@test_offsets)); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 1 + scalar(@test_offsets); @@ -55,6 +56,7 @@ foreach my $offset (@test_offsets) { $bad_padding_offset = $offset; $fatal_alert = 0; $proxy->clearClient(); + $proxy->clientflags("-no_tls1_3"); $proxy->clientstart(); ok($fatal_alert, "Invalid padding byte $bad_padding_offset"); } diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 9be001edc2..2d6262f2d4 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -197,6 +197,7 @@ ok($fatal_alert, "Duplicate ClientHello extension"); $fatal_alert = 0; $proxy->clear(); $proxy->filter(\&inject_duplicate_extension_serverhello); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok($fatal_alert, "Duplicate ServerHello extension"); @@ -207,6 +208,7 @@ SKIP: { $proxy->clear(); $proxy->filter(\&extension_filter); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); + $proxy->clientflags("-no_tls1_3"); $proxy->start(); ok(TLSProxy::Message->success, "Zero extension length test"); @@ -244,7 +246,8 @@ SKIP: { } SKIP: { - skip "TLS 1.3 disabled", 1 if disabled("tls1_3"); + skip "TLS 1.3 disabled", 1 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 7: Inject an unsolicited extension (TLSv1.3) $fatal_alert = 0; $proxy->clear(); @@ -260,5 +263,6 @@ SKIP: { # ignore it in a ClientHello $proxy->clear(); $proxy->filter(\&inject_cryptopro_extension); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello"); diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t index 151216c57d..4a0e3e6b78 100644 --- a/test/recipes/70-test_sslrecords.t +++ b/test/recipes/70-test_sslrecords.t @@ -43,6 +43,7 @@ my $fatal_alert = 0; # set by filters at expected fatal alerts my $content_type = TLSProxy::Record::RT_APPLICATION_DATA; my $inject_recs_num = 1; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 20; ok($fatal_alert, "Out of context empty records test"); @@ -51,6 +52,7 @@ ok($fatal_alert, "Out of context empty records test"); $proxy->clear(); $content_type = TLSProxy::Record::RT_HANDSHAKE; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok(TLSProxy::Message->success(), "In context empty records test"); @@ -60,6 +62,7 @@ $proxy->clear(); #We allow 32 consecutive in context empty records $inject_recs_num = 33; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok($fatal_alert, "Too many in context empty records test"); @@ -70,6 +73,7 @@ $fatal_alert = 0; $proxy->clear(); $proxy->filter(\&add_frag_alert_filter); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok($fatal_alert, "Fragmented alert records test"); @@ -92,6 +96,7 @@ my $sslv2testtype = TLSV1_2_IN_SSLV2; $proxy->clear(); $proxy->filter(\&add_sslv2_filter); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test"); @@ -102,6 +107,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test"); $sslv2testtype = SSLV2_IN_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test"); @@ -112,6 +118,7 @@ ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test"); $sslv2testtype = FRAGMENTED_IN_TLSV1_2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test"); @@ -121,6 +128,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test"); $sslv2testtype = FRAGMENTED_IN_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test"); @@ -130,6 +138,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test"); $sslv2testtype = ALERT_BEFORE_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test"); @@ -140,6 +149,7 @@ ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test"); $fatal_alert = 0; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->filter(\&add_unknown_record_type); $proxy->start(); ok($fatal_alert, "Unrecognised record type in TLS1.2"); @@ -166,7 +176,8 @@ ok($fatal_alert, "Changed record version in TLS1.2"); #TLS1.3 specific tests SKIP: { - skip "TLSv1.3 disabled", 8 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 8 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 13: Sending a different record version in TLS1.3 should fail $proxy->clear(); diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t index 3548704138..609c88e716 100644 --- a/test/recipes/70-test_sslsigalgs.t +++ b/test/recipes/70-test_sslsigalgs.t @@ -54,13 +54,15 @@ use constant { # the sigalgs #Test 1: Default sig algs should succeed +$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 26; ok(TLSProxy::Message->success, "Default sigalgs"); my $testtype; SKIP: { - skip "TLSv1.3 disabled", 6 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 6 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $proxy->filter(\&sigalgs_filter); @@ -237,7 +239,10 @@ SKIP: { my ($dsa_status, $sha1_status, $sha224_status); SKIP: { - skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa"); + skip "TLSv1.3 disabled", 2 + if disabled("tls1_3") + || disabled("dsa") + || (disabled("ec") && disabled("dh")); #Test 20: signature_algorithms with 1.3-only ClientHello $testtype = PURE_SIGALGS; $dsa_status = $sha1_status = $sha224_status = 0; @@ -263,7 +268,8 @@ SKIP: { } SKIP: { - skip "TLSv1.3 disabled", 3 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 5 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 22: Insert signature_algorithms_cert that match normal sigalgs $testtype = SIGALGS_CERT_ALL; $proxy->clear(); @@ -284,10 +290,7 @@ SKIP: { $proxy->filter(\&modify_sigalgs_cert_filter); $proxy->start(); ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); -} -SKIP: { - skip "TLS 1.3 disabled", 2 if disabled("tls1_3"); #Test 25: Send an unrecognized signature_algorithms_cert # We should be able to skip over the unrecognized value and use a # valid one that appears later in the list. diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t index a7d33503ed..147dd38bf2 100644 --- a/test/recipes/70-test_sslsignature.t +++ b/test/recipes/70-test_sslsignature.t @@ -45,12 +45,14 @@ $proxy->filter(\&signature_filter); #Test 1: No corruption should succeed my $testtype = NO_CORRUPTION; +$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 4; ok(TLSProxy::Message->success, "No corruption"); SKIP: { - skip "TLSv1.3 disabled", 1 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 1 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 2: Corrupting a server CertVerify signature in TLSv1.3 should fail $proxy->clear(); diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t index 864f4f5283..0a67fe1006 100644 --- a/test/recipes/70-test_sslversions.t +++ b/test/recipes/70-test_sslversions.t @@ -37,7 +37,10 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled" - if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1"); + if disabled("tls1_3") + || (disabled("ec") && disabled("dh")) + || disabled("tls1_2") + || disabled("tls1_1"); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t index 205955fad8..c6c9d25f8d 100644 --- a/test/recipes/70-test_tls13alerts.t +++ b/test/recipes/70-test_tls13alerts.t @@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t index aef2cf8848..2036583fda 100644 --- a/test/recipes/70-test_tls13cookie.t +++ b/test/recipes/70-test_tls13cookie.t @@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t index f8dc8543be..63902a58e6 100644 --- a/test/recipes/70-test_tls13downgrade.t +++ b/test/recipes/70-test_tls13downgrade.t @@ -24,7 +24,9 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled" - if disabled("tls1_3") || disabled("tls1_2"); + if disabled("tls1_3") + || (disabled("ec") && disabled("dh")) + || disabled("tls1_2"); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 8f6e54e235..0423bc3c36 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t @@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t index 6648376c0c..da4f3f3865 100644 --- a/test/recipes/70-test_tls13kexmodes.t +++ b/test/recipes/70-test_tls13kexmodes.t @@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLSv1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); plan skip_all => "$test_name needs EC enabled" if disabled("ec"); diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index 66582b7d8e..2f750d858b 100644 --- a/test/recipes/70-test_tls13psk.t +++ b/test/recipes/70-test_tls13psk.t @@ -25,7 +25,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLSv1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t index 55ef58e202..d567b15552 100644 --- a/test/recipes/70-test_tlsextms.t +++ b/test/recipes/70-test_tlsextms.t @@ -56,9 +56,7 @@ my $proxy = TLSProxy::Proxy->new( setrmextms(0, 0); $proxy->clientflags("-no_tls1_3"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -my $numtests = 9; -$numtests++ if (!disabled("tls1_3")); -plan tests => $numtests; +plan tests => 10; checkmessages(1, "Default extended master secret test", 1, 1, 1); #Test 2: If client omits extended master secret extension, server should too. @@ -175,11 +173,14 @@ $proxy->clientstart(); ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2"); unlink $session; -#Test 10: In TLS1.3 we should not negotiate extended master secret -#Expected result: ClientHello extension seen; ServerHello extension not seen -# TLS1.3 handshake (will appear as abbreviated handshake -# because of no CKE message) -if (!disabled("tls1_3")) { +SKIP: { + skip "TLS 1.3 disabled", 1 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); + + #Test 10: In TLS1.3 we should not negotiate extended master secret + #Expected result: ClientHello extension seen; ServerHello extension not seen + # TLS1.3 handshake (will appear as abbreviated handshake + # because of no CKE message) clearall(); setrmextms(0, 0); $proxy->start(); diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 24e75ae1c9..99dbdea1bb 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -43,13 +43,16 @@ plan tests => 30 # = scalar @conf_srcs # verify generated sources in the default configuration. my $is_default_tls = (disabled("ssl3") && !disabled("tls1") && !disabled("tls1_1") && !disabled("tls1_2") && - !disabled("tls1_3")); + !disabled("tls1_3") && (!disabled("ec") || !disabled("dh"))); my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2")); my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2"); my $no_tls = alldisabled(available_protocols("tls")); my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3")); +if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) { + $no_tls = 1; +} my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3); my $no_dtls = alldisabled(available_protocols("dtls")); my $no_npn = disabled("nextprotoneg"); @@ -105,13 +108,13 @@ my %skip = ( "18-dtls-renegotiate.cnf" => $no_dtls, "19-mac-then-encrypt.cnf" => $no_pre_tls1_3, "20-cert-select.cnf" => disabled("tls1_2") || $no_ec, - "21-key-update.cnf" => disabled("tls1_3"), + "21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh), "22-compression.cnf" => disabled("zlib") || $no_tls, "23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1") && disabled("tls1_2")) || disabled("srp"), - "24-padding.cnf" => disabled("tls1_3"), + "24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh), "25-cipher.cnf" => disabled("ec") || disabled("tls1_2"), - "26-tls13_client_auth.cnf" => disabled("tls1_3"), + "26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh), "29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"), ); diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 975d1a9fd6..2f3d5d1c8c 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -33,6 +33,8 @@ my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk, anydisabled qw/rsa dsa dh ec psk ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls dtls1 dtls1_2 ct/; +#If ec and dh are disabled then don't use TLSv1.3 +$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh); my $no_anytls = alldisabled(available_protocols("tls")); my $no_anydtls = alldisabled(available_protocols("dtls")); diff --git a/test/recipes/90-test_tls13ccs.t b/test/recipes/90-test_tls13ccs.t index 1281c362d6..3bd65b8ba0 100644 --- a/test/recipes/90-test_tls13ccs.t +++ b/test/recipes/90-test_tls13ccs.t @@ -14,7 +14,7 @@ my $test_name = "test_tls13ccs"; setup($test_name); plan skip_all => "$test_name is not supported in this build" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); plan tests => 1; diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t index 145e1b9f8c..45b7b8a9aa 100644 --- a/test/recipes/90-test_tls13encryption.t +++ b/test/recipes/90-test_tls13encryption.t @@ -13,7 +13,7 @@ my $test_name = "tls13encryption"; setup($test_name); plan skip_all => "$test_name is not supported in this build" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); plan tests => 1; diff --git a/test/recipes/90-test_tls13secrets.t b/test/recipes/90-test_tls13secrets.t index ba437f59b8..13af681bf0 100644 --- a/test/recipes/90-test_tls13secrets.t +++ b/test/recipes/90-test_tls13secrets.t @@ -13,7 +13,9 @@ my $test_name = "tls13secrets"; setup($test_name); plan skip_all => "$test_name is not supported in this build" - if disabled("tls1_3") || disabled("shared"); + if disabled("tls1_3") + || disabled("shared") + || (disabled("ec") && disabled("dh")); plan tests => 1; diff --git a/test/recordlentest.c b/test/recordlentest.c index 5388db7ddd..daf19bb8f3 100644 --- a/test/recordlentest.c +++ b/test/recordlentest.c @@ -94,7 +94,8 @@ static int test_record_overflow(int idx) || idx == TEST_ENCRYPTED_OVERFLOW_TLS1_2_NOT_OK) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#if defined(OPENSSL_NO_TLS1_3) \ + || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) if (idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_OK || idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_NOT_OK) return 1; diff --git a/test/servername_test.c b/test/servername_test.c index 14088211c9..d6fb7b5bb6 100644 --- a/test/servername_test.c +++ b/test/servername_test.c @@ -31,6 +31,13 @@ static const char *host = "dummy-host"; static char *cert = NULL; static char *privkey = NULL; +#if defined(OPENSSL_NO_TLS1_3) || \ + (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) +static int maxversion = TLS1_2_VERSION; +#else +static int maxversion = 0; +#endif + static int get_sni_from_client_hello(BIO *bio, char **sni) { long len; @@ -101,6 +108,10 @@ static int client_setup_sni_before_state(void) if (!TEST_ptr(ctx)) goto end; + if (maxversion > 0 + && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion))) + goto end; + con = SSL_new(ctx); if (!TEST_ptr(con)) goto end; @@ -149,6 +160,10 @@ static int client_setup_sni_after_state(void) if (!TEST_ptr(ctx)) goto end; + if (maxversion > 0 + && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion))) + goto end; + con = SSL_new(ctx); if (!TEST_ptr(con)) goto end; diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in index ad0ae7ae18..d908ad1c7d 100644 --- a/test/ssl-tests/04-client_auth.cnf.in +++ b/test/ssl-tests/04-client_auth.cnf.in @@ -116,7 +116,9 @@ sub generate_tests() { test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => - ($protocol_name eq "flex" && !disabled("tls1_3")) + ($protocol_name eq "flex" + && !disabled("tls1_3") + && (!disabled("ec") || !disabled("dh"))) ? "CertificateRequired" : "HandshakeFailure", "Method" => $method, }, diff --git a/test/ssl-tests/27-ticket-appdata.cnf.in b/test/ssl-tests/27-ticket-appdata.cnf.in index 719c98a107..d9e861933f 100644 --- a/test/ssl-tests/27-ticket-appdata.cnf.in +++ b/test/ssl-tests/27-ticket-appdata.cnf.in @@ -96,4 +96,5 @@ our @tests13 = ( our @tests = (); push @tests, @tests12 unless disabled("tls1_2"); -push @tests, @tests13 unless disabled("tls1_3"); +push @tests, @tests13 unless disabled("tls1_3") + || (disabled("ec") && disabled("dh")); diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index 0f0bd2e7cc..70c5722469 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm @@ -64,7 +64,10 @@ sub max_prot_enabled { my $max_enabled; foreach my $i (0..$#protocols) { - if (!$is_disabled[$i]) { + if (!$is_disabled[$i] + && ($protocols[$i] ne "TLSv1.3" + || !disabled("ec") + || !disabled("dh"))) { $max_enabled = $i; } } @@ -172,7 +175,11 @@ sub generate_version_tests { } } } - return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls; + return @tests + if disabled("tls1_3") + || disabled("tls1_2") + || (disabled("ec") && disabled("dh")) + || $dtls; #Add some version/ciphersuite sanity check tests push @tests, { @@ -307,7 +314,7 @@ sub generate_resumption_tests { } } - if (!disabled("tls1_3") && !$dtls) { + if (!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")) && !$dtls) { push @client_tests, { "name" => "resumption-with-hrr", "client" => { @@ -332,7 +339,9 @@ sub generate_resumption_tests { sub expected_result { my ($c_min, $c_max, $s_min, $s_max, $min_enabled, $max_enabled, $protocols) = @_; + my @prots = @$protocols; + my $orig_c_max = $c_max; # Adjust for "undef" (no limit). $c_min = $c_min == 0 ? 0 : $c_min - 1; $c_max = $c_max == scalar @$protocols ? $c_max - 1 : $c_max; @@ -346,7 +355,11 @@ sub expected_result { $c_max = min $c_max, $max_enabled; $s_max = min $s_max, $max_enabled; - if ($c_min > $c_max) { + if ($c_min > $c_max + || ($orig_c_max != scalar @$protocols + && $prots[$orig_c_max] eq "TLSv1.3" + && $c_max != $orig_c_max + && !disabled("tls1_3"))) { # Client should fail to even send a hello. return ("ClientFail", undef); } elsif ($s_min > $s_max) { @@ -356,7 +369,6 @@ sub expected_result { # Server doesn't support the client range. return ("ServerFail", undef); } elsif ($c_min > $s_max) { - my @prots = @$protocols; if ($prots[$c_max] eq "TLSv1.3") { # Client will have sent supported_versions, so server will know # that there are no overlapping versions. diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 48f0e8dae7..ad9a4a256c 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -1321,7 +1321,12 @@ int main(int argc, char *argv[]) max_version = TLS1_2_VERSION; } else { min_version = 0; +# if defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH) + /* We only have ec and dh based built-in groups for TLSv1.3 */ + max_version = TLS1_2_VERSION; +# else max_version = 0; +# endif } #endif #ifndef OPENSSL_NO_DTLS diff --git a/test/ssl_test.c b/test/ssl_test.c index 042a05e453..cefcfb569f 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -436,8 +436,17 @@ static int test_handshake(int idx) } #endif if (test_ctx->method == SSL_TEST_METHOD_TLS) { +#if !defined(OPENSSL_NO_TLS1_3) \ + && defined(OPENSSL_NO_EC) \ + && defined(OPENSSL_NO_DH) + /* Without ec or dh there are no built-in groups for TLSv1.3 */ + int maxversion = TLS1_2_VERSION; +#else + int maxversion = 0; +#endif + server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); - if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion))) goto err; /* SNI on resumption isn't supported/tested yet. */ if (test_ctx->extra.server.servername_callback != @@ -445,21 +454,24 @@ static int test_handshake(int idx) if (!TEST_ptr(server2_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) goto err; - if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, + maxversion))) goto err; } client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); - if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, maxversion))) goto err; if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) { resume_server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); - if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, + maxversion))) goto err; resume_client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); - if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, + maxversion))) goto err; if (!TEST_ptr(resume_server_ctx) || !TEST_ptr(resume_client_ctx)) diff --git a/test/sslapitest.c b/test/sslapitest.c index 51d1bdd8de..7cae297a17 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -39,6 +39,16 @@ #include "internal/ktls.h" #include "../ssl/ssl_local.h" +#undef OSSL_NO_USABLE_TLS1_3 +#if defined(OPENSSL_NO_TLS1_3) \ + || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) +/* + * If we don't have ec or dh then there are no built-in groups that are usable + * with TLSv1.3 + */ +# define OSSL_NO_USABLE_TLS1_3 +#endif + /* Defined in filterprov.c */ OSSL_provider_init_fn filter_provider_init; int filter_provider_set_filter(int operation, const char *name); @@ -52,7 +62,7 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle, static OSSL_LIB_CTX *libctx = NULL; static OSSL_PROVIDER *defctxnull = NULL; -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static SSL_SESSION *clientpsk = NULL; static SSL_SESSION *serverpsk = NULL; @@ -351,7 +361,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl, return 1; } -#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) static int test_keylog(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -432,7 +442,7 @@ end: } #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static int test_keylog_no_master_key(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -957,7 +967,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth, } #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \ - !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) + !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8 /* sock must be connected */ static int ktls_chk_platform(int sock) @@ -1272,14 +1282,14 @@ end: return testresult; } -#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) static int test_ktls(int test) { int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx; int tlsver, testresult; if (test > 15) { -#if defined(OPENSSL_NO_TLS1_3) +#if defined(OSSL_NO_USABLE_TLS1_3) return 1; #else test -= 16; @@ -1302,7 +1312,7 @@ static int test_ktls(int test) if (cis_ktls_rx || sis_ktls_rx) return 1; #endif -#if !defined(OPENSSL_NO_TLS1_3) +#if !defined(OSSL_NO_USABLE_TLS1_3) if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx)) return 1; #endif @@ -1332,7 +1342,7 @@ static int test_ktls_sendfile_anytls(int tst) int tlsver; if (tst > 2) { -#if defined(OPENSSL_NO_TLS1_3) +#if defined(OSSL_NO_USABLE_TLS1_3) return 1; #else tst -= 3; @@ -1481,7 +1491,7 @@ static int test_cleanse_plaintext(void) #endif -#if !defined(OPENSSL_NO_TLS1_3) +#if !defined(OSSL_NO_USABLE_TLS1_3) if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(), TLS_client_method(), TLS1_3_VERSION, @@ -1676,7 +1686,7 @@ static int test_tlsext_status_type(void) } #endif -#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) +#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) static int new_called, remove_called, get_called; static int new_session_cb(SSL *ssl, SSL_SESSION *sess) @@ -1992,11 +2002,11 @@ static int execute_test_session(int maxprot, int use_int_cache, return testresult; } -#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ +#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ static int test_session_with_only_int_cache(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0)) return 0; #endif @@ -2010,7 +2020,7 @@ static int test_session_with_only_int_cache(void) static int test_session_with_only_ext_cache(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0)) return 0; #endif @@ -2024,7 +2034,7 @@ static int test_session_with_only_ext_cache(void) static int test_session_with_both_cache(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0)) return 0; #endif @@ -2038,7 +2048,7 @@ static int test_session_with_both_cache(void) static int test_session_wo_ca_names(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES)) return 0; #endif @@ -2051,7 +2061,7 @@ static int test_session_wo_ca_names(void) } -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static SSL_SESSION *sesscache[6]; static int do_cache; @@ -2492,7 +2502,7 @@ static int test_extra_tickets(int idx) #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2) -#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) +#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2) #else # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0 @@ -2721,7 +2731,7 @@ static int test_ssl_bio_change_wbio(void) return execute_test_ssl_bio(0, CHANGE_WBIO); } -#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) typedef struct { /* The list of sig algs */ const int *list; @@ -2852,7 +2862,7 @@ static int test_set_sigalgs(int idx) } #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static int psk_client_cb_cnt = 0; static int psk_server_cb_cnt = 0; @@ -5048,7 +5058,7 @@ static int test_stateless(void) return testresult; } -#endif /* OPENSSL_NO_TLS1_3 */ +#endif /* OSSL_NO_USABLE_TLS1_3 */ static int clntaddoldcb = 0; static int clntparseoldcb = 0; @@ -5183,7 +5193,7 @@ static int test_custom_exts(int tst) SSL_SESSION *sess = NULL; unsigned int context; -#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) +#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) /* Skip tests for TLSv1.2 and below in this case */ if (tst < 3) return 1; @@ -5478,7 +5488,7 @@ static int test_export_key_mat(int tst) if (tst == 2) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst >= 3) return 1; #endif @@ -5604,7 +5614,7 @@ static int test_export_key_mat(int tst) return testresult; } -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 /* * Test that SSL_export_keying_material_early() produces expected * results. There are no test vectors so all we do is test that both @@ -5823,7 +5833,7 @@ static int test_key_update_in_write(int tst) return testresult; } -#endif /* OPENSSL_NO_TLS1_3 */ +#endif /* OSSL_NO_USABLE_TLS1_3 */ static int test_ssl_clear(int idx) { @@ -5942,14 +5952,15 @@ static const unsigned char max_fragment_len_test[] = { static int test_max_fragment_len_ext(int idx_tst) { - SSL_CTX *ctx; + SSL_CTX *ctx = NULL; SSL *con = NULL; int testresult = 0, MFL_mode = 0; BIO *rbio, *wbio; - ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()); - if (!TEST_ptr(ctx)) - goto end; + if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(), + TLS1_VERSION, 0, NULL, &ctx, NULL, + NULL))) + return 0; if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length( ctx, max_fragment_len_test[idx_tst]))) @@ -5968,7 +5979,6 @@ static int test_max_fragment_len_ext(int idx_tst) } SSL_set_bio(con, rbio, wbio); - SSL_set_connect_state(con); if (!TEST_int_le(SSL_connect(con), 0)) { /* This shouldn't succeed because we don't have a server! */ @@ -5990,7 +6000,7 @@ end: return testresult; } -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static int test_pha_key_update(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -6432,7 +6442,7 @@ static int test_info_callback(int tst) return 1; #endif } else { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 tlsvers = TLS1_3_VERSION; #else return 1; @@ -6444,7 +6454,7 @@ static int test_info_callback(int tst) info_cb_this_state = -1; info_cb_offset = tst; -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (tst >= 4) { SSL_SESSION *sess = NULL; size_t written, readbytes; @@ -6603,7 +6613,7 @@ static struct { * We can't establish a connection (even in TLSv1.1) with these ciphersuites if * TLSv1.3 is enabled but TLSv1.2 is disabled. */ -#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) +#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) { TLS1_2_VERSION, "AES128-SHA:AES256-SHA", @@ -6649,7 +6659,7 @@ static struct { * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be * enabled. */ -#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ +#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) { TLS1_3_VERSION, @@ -6662,7 +6672,7 @@ static struct { "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" }, #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 { TLS1_3_VERSION, "AES128-SHA", @@ -6907,7 +6917,7 @@ static int test_ticket_callbacks(int tst) if (tst % 2 == 0) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst % 2 == 1) return 1; #endif @@ -7124,7 +7134,7 @@ static int test_shutdown(int tst) if (tst <= 1) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst >= 2) return 1; #endif @@ -7259,7 +7269,7 @@ static int test_shutdown(int tst) return testresult; } -#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) static int cert_cb_cnt; static int cert_cb(SSL *s, void *arg) @@ -7440,7 +7450,7 @@ static int test_cert_cb(int tst) #ifndef OPENSSL_NO_TLS1_2 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst); #endif @@ -7498,7 +7508,7 @@ static int test_client_cert_cb(int tst) if (tst == 0) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst == 1) return 1; #endif @@ -7537,7 +7547,7 @@ static int test_client_cert_cb(int tst) return testresult; } -#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) /* * Test setting certificate authorities on both client and server. * @@ -7664,7 +7674,7 @@ static int test_ca_names(int tst) #ifndef OPENSSL_NO_TLS1_2 testresult &= test_ca_names_int(TLS1_2_VERSION, tst); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 testresult &= test_ca_names_int(TLS1_3_VERSION, tst); #endif @@ -7794,7 +7804,7 @@ static int test_servername(int tst) if (tst <= 4) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst >= 5) return 1; #endif @@ -7925,7 +7935,7 @@ static int test_servername(int tst) } #if !defined(OPENSSL_NO_EC) \ - && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) /* * Test that if signature algorithms are not available, then we do not offer or * accept them. @@ -8062,10 +8072,11 @@ static int test_sigalgs_available(int idx) } #endif /* * !defined(OPENSSL_NO_EC) \ - * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) */ #ifndef OPENSSL_NO_TLS1_3 +/* This test can run in TLSv1.3 even if ec and dh are disabled */ static int test_pluggable_group(int idx) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -8489,7 +8500,7 @@ static int test_dh_auto(int idx) # endif /* OPENSSL_NO_DH */ #endif /* OPENSSL_NO_TLS1_2 */ -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 /* * Test that setting an SNI callback works with TLSv1.3. Specifically we check * that it works even without a certificate configured for the original @@ -8667,7 +8678,7 @@ int setup_tests(void) goto err; #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) -# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) ADD_ALL_TESTS(test_ktls, 32); ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6); # endif @@ -8685,7 +8696,7 @@ int setup_tests(void) ADD_TEST(test_session_with_only_ext_cache); ADD_TEST(test_session_with_both_cache); ADD_TEST(test_session_wo_ca_names); -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_stateful_tickets, 3); ADD_ALL_TESTS(test_stateless_tickets, 3); ADD_TEST(test_psk_tickets); @@ -8696,11 +8707,11 @@ int setup_tests(void) ADD_TEST(test_ssl_bio_pop_ssl_bio); ADD_TEST(test_ssl_bio_change_rbio); ADD_TEST(test_ssl_bio_change_wbio); -#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); ADD_TEST(test_keylog); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_TEST(test_keylog_no_master_key); #endif ADD_TEST(test_client_cert_verify_cb); @@ -8709,7 +8720,7 @@ int setup_tests(void) ADD_TEST(test_no_ems); ADD_TEST(test_ccs_change_cipher); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_early_data_read_write, 3); /* * We don't do replay tests for external PSK. Replay protection isn't used @@ -8728,7 +8739,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_early_data_tls1_2, 3); # endif #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_set_ciphersuite, 10); ADD_TEST(test_ciphersuite_change); ADD_ALL_TESTS(test_tls13_ciphersuite, 4); @@ -8752,7 +8763,7 @@ int setup_tests(void) #endif ADD_ALL_TESTS(test_serverinfo, 8); ADD_ALL_TESTS(test_export_key_mat, 6); -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_export_key_mat_early, 3); ADD_TEST(test_key_update); ADD_ALL_TESTS(test_key_update_in_write, 2); @@ -8776,7 +8787,7 @@ int setup_tests(void) #endif ADD_ALL_TESTS(test_servername, 10); #if !defined(OPENSSL_NO_EC) \ - && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) ADD_ALL_TESTS(test_sigalgs_available, 6); #endif #ifndef OPENSSL_NO_TLS1_3 @@ -8789,7 +8800,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_dh_auto, 7); # endif #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_TEST(test_sni_tls13); #endif return 1; From levitte at openssl.org Fri Feb 5 15:54:17 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 05 Feb 2021 15:54:17 +0000 Subject: [openssl] master update Message-ID: <1612540457.773042.17878.nullmailer@dev.openssl.org> The branch master has been updated via 2bb05a9668323ac2719f84cf8e9ccffc2bc99916 (commit) from 5682e77dff5123f0e9259c258bb58bc6d2e358ef (commit) - Log ----------------------------------------------------------------- commit 2bb05a9668323ac2719f84cf8e9ccffc2bc99916 Author: Richard Levitte Date: Sun Jan 31 23:15:08 2021 +0100 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID All {MD}WithRSAEncryption signature AlgorithmID have the parameters being NULL, according to PKCS#1. We didn't. Now corrected. This bug was the topic of this thread on openssl-users at openssl.org: https://mta.openssl.org/pipermail/openssl-users/2021-January/013416.html Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14030) ----------------------------------------------------------------------- Summary of changes: providers/common/der/der_rsa_sig.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/providers/common/der/der_rsa_sig.c b/providers/common/der/der_rsa_sig.c index 94ed60b69f..7fb69f87b0 100644 --- a/providers/common/der/der_rsa_sig.c +++ b/providers/common/der/der_rsa_sig.c @@ -58,7 +58,9 @@ int ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(WPACKET *pkt, int tag, } return ossl_DER_w_begin_sequence(pkt, tag) - /* No parameters (yet?) */ + /* PARAMETERS, always NULL according to current standards */ + && ossl_DER_w_null(pkt, -1) + /* OID */ && ossl_DER_w_precompiled(pkt, -1, precompiled, precompiled_sz) && ossl_DER_w_end_sequence(pkt, tag); } From no-reply at appveyor.com Fri Feb 5 16:34:00 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 05 Feb 2021 16:34:00 +0000 Subject: Build failed: openssl master.39628 Message-ID: <20210205163400.1.68DFAB9D329CEA25@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Fri Feb 5 21:08:29 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 05 Feb 2021 21:08:29 +0000 Subject: Build failed: openssl master.39639 Message-ID: <20210205210829.1.A897A3D09E6E73A1@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Fri Feb 5 22:36:58 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 05 Feb 2021 22:36:58 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1612564618.493648.1549021.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 807193C2137F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3309: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 807193C2137F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/22pJuYM96w default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80910AB7027F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80910AB7027F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:937 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80910AB7027F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80910AB7027F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1418 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1496 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80910AB7027F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80910AB7027F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/22pJuYM96w fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3208, 865 wallclock secs (13.49 usr 1.24 sys + 783.94 cusr 78.29 csys = 876.96 CPU) Result: FAIL make[1]: *** [Makefile:3267: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3264: tests] Error 2 From openssl at openssl.org Sat Feb 6 01:07:07 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 06 Feb 2021 01:07:07 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1612573627.008851.1861530.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP 977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX 60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically 8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size() 28e1904250 apps/ecparam: Avoid crash when parameters fail to load 963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb 1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn() 66194839fe Add diacritics to my name in CHANGES.md 6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size af403db090 Add some missing committers to the AUTHORS list f94a91698b Add a CI job to run the threads test with threads sanitizer on 0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked 4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked 04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() b233ea8276 Avoid races by caching exported ciphers in the init function cd4e6a3512 Refactor RAND_get0_primary() locking a0134d293e Add a multi-thread test for shared EVP_PKEYs 7ff9fdd4b3 Deprecate X509_certificate_type d3372c2f35 Add some PKIX-RPKI objects 6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements 4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() a6d40689ec HTTP: add more error detection to low-level API d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params 8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() 673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality 58f422f6f4 Fix some odd names in our provider source code b8a1272d57 Test that EC keys without a public key in them work as expected ec7aef3356 Ensure EC keys with a private key but without a public key can be created Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80A10E40BC7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3309: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80A10E40BC7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/LV3qu_I_22 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021D182FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021D182FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:937 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021D182FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021D182FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1418 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1496 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021D182FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021D182FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/LV3qu_I_22 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3208, 879 wallclock secs (14.44 usr 1.33 sys + 781.18 cusr 96.73 csys = 893.68 CPU) Result: FAIL make[1]: *** [Makefile:3259: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3256: tests] Error 2 From no-reply at appveyor.com Sat Feb 6 08:12:30 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 06 Feb 2021 08:12:30 +0000 Subject: Build failed: openssl master.39652 Message-ID: <20210206081230.1.BF61F9EB8DB5CC57@appveyor.com> An HTML attachment was scrubbed... URL: From matthias.st.pierre at ncp-e.com Sat Feb 6 15:08:18 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Sat, 06 Feb 2021 15:08:18 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1612624098.590771.8346.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via fb97b8e8a52b853b2b2209d5aeee36eaa08bb9ad (commit) from 8d5ace52d923f596ebfb8e0997efaa067ee73bba (commit) - Log ----------------------------------------------------------------- commit fb97b8e8a52b853b2b2209d5aeee36eaa08bb9ad Author: Jay Satiro Date: Fri Feb 5 03:42:06 2021 -0500 NOTES.WIN: fix typo CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14078) ----------------------------------------------------------------------- Summary of changes: NOTES.WIN | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NOTES.WIN b/NOTES.WIN index 26c1e6b19b..66a6a45372 100644 --- a/NOTES.WIN +++ b/NOTES.WIN @@ -62,8 +62,8 @@ For VC-WIN32, the following defaults are use: - PREFIX: %ProgramFiles(86)%\OpenSSL - OPENSSLDIR: %CommonProgramFiles(86)%\SSL + PREFIX: %ProgramFiles(x86)%\OpenSSL + OPENSSLDIR: %CommonProgramFiles(x86)%\SSL For VC-WIN64, the following defaults are use: From no-reply at appveyor.com Sat Feb 6 16:15:19 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 06 Feb 2021 16:15:19 +0000 Subject: Build completed: openssl OpenSSL_1_1_1-stable.39653 Message-ID: <20210206161519.1.66D61F7049061845@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Sat Feb 6 17:54:19 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Sat, 06 Feb 2021 17:54:19 +0000 Subject: [openssl] master update Message-ID: <1612634059.303470.18075.nullmailer@dev.openssl.org> The branch master has been updated via 11ddbf84597d26c937ecb8f266424dea7f72cbdf (commit) from 2bb05a9668323ac2719f84cf8e9ccffc2bc99916 (commit) - Log ----------------------------------------------------------------- commit 11ddbf84597d26c937ecb8f266424dea7f72cbdf Author: Dr. David von Oheimb Date: Thu Jan 28 00:28:25 2021 +0100 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14021) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 18 ++++++++++++-- doc/man3/X509_STORE_CTX_get_error.pod | 12 +++++----- doc/man3/X509_STORE_CTX_new.pod | 44 ++++++++++++++++++++++------------- doc/man3/X509_verify_cert.pod | 41 ++++++++++++++++++-------------- include/openssl/x509.h.in | 2 -- include/openssl/x509_vfy.h.in | 3 +++ test/danetest.c | 6 ++--- util/libcrypto.num | 1 + 8 files changed, 79 insertions(+), 48 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ec7df5caa6..d55808e524 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -237,11 +237,25 @@ static int verify_chain(X509_STORE_CTX *ctx) return ok; } +int X509_STORE_CTX_verify(X509_STORE_CTX *ctx) +{ + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + if (ctx->cert == NULL && sk_X509_num(ctx->untrusted) >= 1) + ctx->cert = sk_X509_value(ctx->untrusted, 0); + return X509_verify_cert(ctx); +} + int X509_verify_cert(X509_STORE_CTX *ctx) { - SSL_DANE *dane = ctx->dane; int ret; + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } if (ctx->cert == NULL) { ERR_raise(ERR_LIB_X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); ctx->error = X509_V_ERR_INVALID_CALL; @@ -268,7 +282,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) CB_FAIL_IF(!check_key_level(ctx, ctx->cert), ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL); - ret = DANETLS_ENABLED(dane) ? dane_verify(ctx) : verify_chain(ctx); + ret = DANETLS_ENABLED(ctx->dane) ? dane_verify(ctx) : verify_chain(ctx); /* * Safety-net. If we are returning an error, we must also set ctx->error, diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod index e6a6b6b0ca..8d0e2ad2dc 100644 --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -27,7 +27,8 @@ information =head1 DESCRIPTION -These functions are typically called after X509_verify_cert() has indicated +These functions are typically called after certificate or chain verification +using L or L has indicated an error or in a verification callback to determine the nature of an error. X509_STORE_CTX_get_error() returns the error code of B, see @@ -65,10 +66,9 @@ X509_STORE_CTX_get0_cert() retrieves an internal pointer to the certificate being verified by the B. X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous -call to X509_verify_cert() is successful. If the call to X509_verify_cert() -is B successful the returned chain may be incomplete or invalid. The -returned chain persists after the B structure is freed, when it is -no longer needed it should be free up using: +verification is successful. Otherwise the returned chain may be incomplete or +invalid. The returned chain persists after the B structure is freed, +when it is no longer needed it should be free up using: sk_X509_pop_free(chain, X509_free); @@ -459,7 +459,7 @@ thread safe but will never happen unless an invalid code is passed. =head1 SEE ALSO -L, +L, L, L, L. diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod index b5ef577310..e98dcc7cfa 100644 --- a/doc/man3/X509_STORE_CTX_new.pod +++ b/doc/man3/X509_STORE_CTX_new.pod @@ -23,8 +23,8 @@ X509_STORE_CTX_verify_fn void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); void X509_STORE_CTX_free(X509_STORE_CTX *ctx); - int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, - X509 *x509, STACK_OF(X509) *chain); + int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store, + X509 *target, STACK_OF(X509) *untrusted); void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); @@ -48,7 +48,7 @@ X509_STORE_CTX_verify_fn =head1 DESCRIPTION These functions initialise an B structure for subsequent use -by X509_verify_cert(). +by L or L. X509_STORE_CTX_new_ex() returns a newly initialised B structure associated with the specified library context I and property @@ -67,22 +67,31 @@ is no longer valid. If I is NULL nothing is done. X509_STORE_CTX_init() sets up I for a subsequent verification operation. -It must be called before each call to X509_verify_cert(), i.e. a I is only -good for one call to X509_verify_cert(); if you want to verify a second -certificate with the same I then you must call X509_STORE_CTX_cleanup() +It must be called before each call to L, i.e., a I is +only good for one verification; if you want to verify a second certificate +or chain with the same I then you must call X509_STORE_CTX_cleanup() and then X509_STORE_CTX_init() again before the second call to -X509_verify_cert(). The trusted certificate store is set to I, the end -entity certificate to be verified is set to I and a set of additional -certificates (which will be untrusted but may be used to build the chain) in -I. Any or all of the I, I and I parameters can be -B. +L or L. +The trusted certificate store is set to I of type B. +This may be NULL because there are no trusted certificates or because +they are provided simply as a list using X509_STORE_CTX_set0_trusted_stack(). +The end entity certificate to be verified is set to I, +and a list of additional certificates may be provided in I, +which will not be trusted but may be used to build the chain. +Each of the I, I and I parameters can be +B. Yet note that L and L +will need a verification target. +This can also be set using X509_STORE_CTX_set_cert(). +For L, which takes by default the first element of the +list of untrusted certificates as its verification target, +this can be also set indirectly using X509_STORE_CTX_set0_untrusted(). X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of I to I. This is an alternative way of specifying trusted certificates instead of using an B. -X509_STORE_CTX_set_cert() sets the certificate to be verified in I to -I. +X509_STORE_CTX_set_cert() sets the target certificate to be verified in I +to I. X509_STORE_CTX_set0_verified_chain() sets the validated chain used by I to be I. @@ -103,8 +112,10 @@ to the verification parameters associated with I. X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the stack of untrusted certificates associated with I. -X509_STORE_CTX_set0_untrusted() sets the internal point to the stack +X509_STORE_CTX_set0_untrusted() sets the internal pointer to the stack of untrusted certificates associated with I to I. +X509_STORE_CTX_verify() will take the first element, if any, +as its default target if the target certificate is not set explicitly. X509_STORE_CTX_set0_param() sets the internal verification parameter pointer to I. After this call B should not be used. @@ -114,7 +125,8 @@ method to I. This uses the function X509_VERIFY_PARAM_lookup() to find an appropriate set of parameters from I. X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates -that were used in building the chain following a call to X509_verify_cert(). +that were used in building the chain following a call to L. +With L, this does not count the first chain element. X509_STORE_CTX_set_verify() provides the capability for overriding the default verify function. This function is responsible for verifying chain signatures and @@ -162,7 +174,7 @@ used. =head1 SEE ALSO -L +L, L, L =head1 HISTORY diff --git a/doc/man3/X509_verify_cert.pod b/doc/man3/X509_verify_cert.pod index c60d27ac12..13854f5ed6 100644 --- a/doc/man3/X509_verify_cert.pod +++ b/doc/man3/X509_verify_cert.pod @@ -2,22 +2,25 @@ =head1 NAME -X509_verify_cert - discover and verify X509 certificate chain +X509_verify_cert, +X509_STORE_CTX_verify - discover and verify X509 certificate chain =head1 SYNOPSIS - #include + #include int X509_verify_cert(X509_STORE_CTX *ctx); + int X509_STORE_CTX_verify(X509_STORE_CTX *ctx); =head1 DESCRIPTION The X509_verify_cert() function attempts to discover and validate a -certificate chain based on parameters in B. +certificate chain based on parameters in I. The verification context, of type B, can be constructed using L and L. -It usually includes a set of certificates serving as trust anchors, -a set of non-trusted certificates that may be needed for chain construction, +It usually includes a target certificate to be verified, +a set of certificates serving as trust anchors, +a list of non-trusted certificates that may be helpful for chain construction, flags such as X509_V_FLAG_X509_STRICT, and various other optional components such as a callback function that allows customizing the verification outcome. A complete description of the certificate verification process is contained in @@ -28,33 +31,35 @@ OpenSSL internally for certificate validation, in both the S/MIME and SSL/TLS code. A negative return value from X509_verify_cert() can occur if it is invoked -incorrectly, such as with no certificate set in B, or when it is called -twice in succession without reinitialising B for the second call. +incorrectly, such as with no certificate set in I, or when it is called +twice in succession without reinitialising I for the second call. A negative return value can also happen due to internal resource problems or if a retry operation is requested during internal lookups (which never happens with standard lookup methods). Applications must check for <= 0 return value on error. -=head1 RETURN VALUES - -If a complete chain can be built and validated this function returns 1, -otherwise it return zero, in exceptional circumstances it can also -return a negative code. +The X509_STORE_CTX_verify() behaves like X509_verify_cert() except that its +target certificate is the first element of the list of untrusted certificates +in I unless a target certificate is set explicitly. -If the function fails additional error information can be obtained by -examining B using, for example L. +=head1 RETURN VALUES -=head1 BUGS +Both functions return 1 if a complete chain can be built and validated, +otherwise they return 0, and in exceptional circumstances (such as malloc +failure and internal errors) they can also return a negative code. -This function uses the header F<< >> -as opposed to most chain verification -functions which use F<< >>. +On error or failure additional error information can be obtained by +examining I using, for example, L. =head1 SEE ALSO L, L, L +=head1 HISTORY + +X509_STORE_CTX_verify() was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 7aef798e5b..7fc1558b18 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -1042,8 +1042,6 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key, const char *attrname, int type, const unsigned char *bytes, int len); -int X509_verify_cert(X509_STORE_CTX *ctx); - /* lookup a cert from a X509 STACK */ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name, const ASN1_INTEGER *serial); diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in index f4ab746f75..b72513272f 100644 --- a/include/openssl/x509_vfy.h.in +++ b/include/openssl/x509_vfy.h.in @@ -72,6 +72,9 @@ typedef enum { .generate_stack_macros("X509_VERIFY_PARAM"); -} +int X509_verify_cert(X509_STORE_CTX *ctx); +int X509_STORE_CTX_verify(X509_STORE_CTX *ctx); + int X509_STORE_set_depth(X509_STORE *store, int depth); typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); diff --git a/test/danetest.c b/test/danetest.c index b0d6ffe563..25fd16a411 100644 --- a/test/danetest.c +++ b/test/danetest.c @@ -57,15 +57,13 @@ static int verify_chain(SSL *ssl, STACK_OF(X509) *chain) X509_STORE_CTX *store_ctx = NULL; SSL_CTX *ssl_ctx = NULL; X509_STORE *store = NULL; - X509 *cert = NULL; int ret = 0; int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); if (!TEST_ptr(store_ctx = X509_STORE_CTX_new()) || !TEST_ptr(ssl_ctx = SSL_get_SSL_CTX(ssl)) || !TEST_ptr(store = SSL_CTX_get_cert_store(ssl_ctx)) - || !TEST_ptr(cert = sk_X509_value(chain, 0)) - || !TEST_true(X509_STORE_CTX_init(store_ctx, store, cert, chain)) + || !TEST_true(X509_STORE_CTX_init(store_ctx, store, NULL, chain)) || !TEST_true(X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl))) goto end; @@ -80,7 +78,7 @@ static int verify_chain(SSL *ssl, STACK_OF(X509) *chain) X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl)); /* Mask "internal failures" (-1) from our return value. */ - if (!TEST_int_ge(ret = X509_verify_cert(store_ctx), 0)) + if (!TEST_int_ge(ret = X509_STORE_CTX_verify(store_ctx), 0)) ret = 0; SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx)); diff --git a/util/libcrypto.num b/util/libcrypto.num index 32e7779bce..c591ab8ec5 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4996,6 +4996,7 @@ EVP_PKEY_get_octet_string_param ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_is_a ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_can_sign ? 3_0_0 EXIST::FUNCTION: X509_STORE_CTX_new_ex ? 3_0_0 EXIST::FUNCTION: +X509_STORE_CTX_verify ? 3_0_0 EXIST::FUNCTION: CT_POLICY_EVAL_CTX_new_ex ? 3_0_0 EXIST::FUNCTION:CT CTLOG_new_ex ? 3_0_0 EXIST::FUNCTION:CT CTLOG_new_from_base64_ex ? 3_0_0 EXIST::FUNCTION:CT From no-reply at appveyor.com Sun Feb 7 00:45:37 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 07 Feb 2021 00:45:37 +0000 Subject: Build failed: openssl master.39660 Message-ID: <20210207004537.1.E3DA645566B8A871@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Feb 7 01:57:18 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 07 Feb 2021 01:57:18 +0000 Subject: Build completed: openssl master.39661 Message-ID: <20210207015718.1.75C3084C225006BD@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Sun Feb 7 06:22:32 2021 From: levitte at openssl.org (Richard Levitte) Date: Sun, 07 Feb 2021 06:22:32 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1612678952.698087.10136.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via b5aff22ac90623afeb0c74b36096f85eff5bc2b9 (commit) via a2a76471ee2ef7ed434fbc51c8e115052dad39e6 (commit) from fb97b8e8a52b853b2b2209d5aeee36eaa08bb9ad (commit) - Log ----------------------------------------------------------------- commit b5aff22ac90623afeb0c74b36096f85eff5bc2b9 Author: Richard Levitte Date: Fri Feb 5 15:32:42 2021 +0100 Configuration: ensure that 'no-tests' works correctly 'no-tests' wasn't entirely respected by test/build.info. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14081) commit a2a76471ee2ef7ed434fbc51c8e115052dad39e6 Author: Richard Levitte Date: Fri Feb 5 15:00:17 2021 +0100 configdata.pm: Better display of enabled/disabled options The options listed in the array @disablables are regular expressions. For most of them, it's not visible, but there are a few. However, configdata.pm didn't quite treat them that way, which meant that the few that are visibly regular expressions, there's a difference between that and the corresponding the key in %disabled, which is never a regular expression. To correctly display the enabled and disabled options with --dump, we must therefore go through a bit of Perl gymnastics to get the output correct enough, primarly so that disabled features don't look enabled. Fixes #13790 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14081) ----------------------------------------------------------------------- Summary of changes: Configure | 19 +++++++++++-------- test/build.info | 2 +- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/Configure b/Configure index f25b84bff2..3173503b76 100755 --- a/Configure +++ b/Configure @@ -2611,19 +2611,22 @@ _____ } print "\nEnabled features:\n\n"; foreach my $what (@disablables) { - print " $what\n" unless $disabled{$what}; + print " $what\n" + unless grep { $_ =~ /^${what}$/ } keys %disabled; } print "\nDisabled features:\n\n"; foreach my $what (@disablables) { - if ($disabled{$what}) { - print " $what", ' ' x ($longest - length($what) + 1), - "[$disabled{$what}]", ' ' x ($longest2 - length($disabled{$what}) + 1); - print $disabled_info{$what}->{macro} - if $disabled_info{$what}->{macro}; + my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled; + my $what3 = $what2[0]; + if ($what3) { + print " $what3", ' ' x ($longest - length($what3) + 1), + "[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1); + print $disabled_info{$what3}->{macro} + if $disabled_info{$what3}->{macro}; print ' (skip ', - join(', ', @{$disabled_info{$what}->{skipped}}), + join(', ', @{$disabled_info{$what3}->{skipped}}), ')' - if $disabled_info{$what}->{skipped}; + if $disabled_info{$what3}->{skipped}; print "\n"; } } diff --git a/test/build.info b/test/build.info index 7830ae1b7e..bc3dae81f9 100644 --- a/test/build.info +++ b/test/build.info @@ -567,7 +567,6 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN SOURCE[gosttest]=gosttest.c ssltestlib.c INCLUDE[gosttest]=../include .. DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a -ENDIF SOURCE[ssl_ctx_test]=ssl_ctx_test.c INCLUDE[ssl_ctx_test]=../include @@ -609,3 +608,4 @@ _____ _____ } -} +ENDIF From scan-admin at coverity.com Sun Feb 7 07:50:49 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 07 Feb 2021 07:50:49 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <601f9bd88316f_2b75302af51457af6046826@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3Di5aS_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHx5IeTHQDWDyaGU4Xgq5GO65fW-2BpfZkVVgP1YcLZCxAfWrak1rPVGN-2BC5FZrBoFZRFMoB85l6-2Bv1rCsQK9gSR9GoJCj5I5hU7iHJORFPjVDtUR5p0UD8d990oAhP2dkDN-2B77vBwUYbIBthzOfSr64tuANtae9qqQmAGuo92vrm9JIKV-2F3xyEf5WDvvtFFZQfk-3D Build ID: 368197 Analysis Summary: New defects found: 10 Defects eliminated: 0 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3DkWLN_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHx5IeTHQDWDyaGU4Xgq5GO65fW-2BpfZkVVgP1YcLZCxAd0gOqRhXHU7o-2BlG-2BxR330wi-2BjL8Ejffqktxbxt1ZNCwi4RmvRcTETKqpuMDPyu-2FVd1OvHzP4oE3l1IbWJu6rRX-2Fthsjexufm7Ytt316Yq9njZ1KGBHC9hWH5mE7L-2B4mGipMLtg8Fqckpymy6hPBkn8-3D From scan-admin at coverity.com Sun Feb 7 07:52:50 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 07 Feb 2021 07:52:50 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <601f9c51c473c_2b776a2af51457af6046853@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DXQPk_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGo2tgSKnP16tNEqQnY5Ype9YOAWOfiVS4e0g5gWCkbfA0qa4GZRBLWT780D10lykWsY0YzAWibc-2B22x8gty3gBjCUto6Q9EBa7hbWMAVOP88KqaICNhs-2BrA0A6CalXYsC8GunOaUGZUWCjN9h4gun6uhwrJub5jkLpZRxlBncOLIRliziGbhKWn-2BXQ3sLJmko-3D Build ID: 368198 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Sun Feb 7 10:02:42 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 07 Feb 2021 10:02:42 +0000 Subject: [openssl] master update Message-ID: <1612692162.950876.25893.nullmailer@dev.openssl.org> The branch master has been updated via 64954e2f34b8839ca7ad1e9576a6efaf3e49e17c (commit) from 11ddbf84597d26c937ecb8f266424dea7f72cbdf (commit) - Log ----------------------------------------------------------------- commit 64954e2f34b8839ca7ad1e9576a6efaf3e49e17c Author: Pauli Date: Thu Feb 4 14:40:19 2021 +1000 Fix race condition & allow operation cache to grow. This fixes a race condition where the index to the cache location was found under a read lock and a later write lock set the cache entry. The issue being that two threads could get the same location index and then fight each other over writing the cache entry. The most likely outcome is a memory leak, however it would be possible to set up an invalid cache entry. The operation cache was a fixed sized array, once full an assertion failed. The other fix here is to convert this to a stack. The code is simplified and it avoids a cache overflow condition. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14062) ----------------------------------------------------------------------- Summary of changes: crypto/evp/keymgmt_lib.c | 99 ++++++++++++---------- crypto/evp/p_lib.c | 33 ++++---- .../man3/evp_keymgmt_util_export_to_provider.pod | 31 ++++--- include/crypto/evp.h | 36 +++++--- 4 files changed, 110 insertions(+), 89 deletions(-) diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c index 0112036263..85a39b3d89 100644 --- a/crypto/evp/keymgmt_lib.c +++ b/crypto/evp/keymgmt_lib.c @@ -87,7 +87,7 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) { struct evp_keymgmt_util_try_import_data_st import_data; - size_t i = 0; + OP_CACHE_ELEM *op; /* Export to where? */ if (keymgmt == NULL) @@ -104,15 +104,14 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) CRYPTO_THREAD_read_lock(pk->lock); /* * If the provider native "origin" hasn't changed since last time, we - * try to find our keymgmt in the operation cache. If it has changed, - * |i| remains zero, and we will clear the cache further down. + * try to find our keymgmt in the operation cache. If it has changed + * and our keymgmt isn't found, we will clear the cache further down. */ if (pk->dirty_cnt == pk->dirty_cnt_copy) { /* If this key is already exported to |keymgmt|, no more to do */ - i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt); - if (i < OSSL_NELEM(pk->operation_cache) - && pk->operation_cache[i].keymgmt != NULL) { - void *ret = pk->operation_cache[i].keydata; + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); + if (op != NULL && op->keymgmt != NULL) { + void *ret = op->keydata; CRYPTO_THREAD_unlock(pk->lock); return ret; @@ -128,15 +127,6 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) if (pk->keymgmt->export == NULL) return NULL; - /* Check that we have found an empty slot in the export cache */ - /* - * TODO(3.0) Right now, we assume we have ample space. We will have to - * think about a cache aging scheme, though, if |i| indexes outside the - * array. - */ - if (!ossl_assert(i < OSSL_NELEM(pk->operation_cache))) - return NULL; - /* * Make sure that the type of the keymgmt to export to matches the type * of the "origin" @@ -168,10 +158,9 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) CRYPTO_THREAD_write_lock(pk->lock); /* Check to make sure some other thread didn't get there first */ - i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt); - if (i < OSSL_NELEM(pk->operation_cache) - && pk->operation_cache[i].keymgmt != NULL) { - void *ret = pk->operation_cache[i].keydata; + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); + if (op != NULL && op->keydata != NULL) { + void *ret = op->keydata; CRYPTO_THREAD_unlock(pk->lock); @@ -192,7 +181,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) evp_keymgmt_util_clear_operation_cache(pk, 0); /* Add the new export to the operation cache */ - if (!evp_keymgmt_util_cache_keydata(pk, i, keymgmt, import_data.keydata)) { + if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) { evp_keymgmt_freedata(keymgmt, import_data.keydata); return NULL; } @@ -205,22 +194,20 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) return import_data.keydata; } -int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) +static void op_cache_free(OP_CACHE_ELEM *e) { - size_t i, end = OSSL_NELEM(pk->operation_cache); + evp_keymgmt_freedata(e->keymgmt, e->keydata); + EVP_KEYMGMT_free(e->keymgmt); + OPENSSL_free(e); +} +int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) +{ if (pk != NULL) { if (locking && pk->lock != NULL && !CRYPTO_THREAD_write_lock(pk->lock)) return 0; - for (i = 0; i < end && pk->operation_cache[i].keymgmt != NULL; i++) { - EVP_KEYMGMT *keymgmt = pk->operation_cache[i].keymgmt; - void *keydata = pk->operation_cache[i].keydata; - - pk->operation_cache[i].keymgmt = NULL; - pk->operation_cache[i].keydata = NULL; - evp_keymgmt_freedata(keymgmt, keydata); - EVP_KEYMGMT_free(keymgmt); - } + sk_OP_CACHE_ELEM_pop_free(pk->operation_cache, op_cache_free); + pk->operation_cache = NULL; if (locking && pk->lock != NULL) CRYPTO_THREAD_unlock(pk->lock); } @@ -228,28 +215,52 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) return 1; } -size_t evp_keymgmt_util_find_operation_cache_index(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt) +OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, + EVP_KEYMGMT *keymgmt) { - size_t i, end = OSSL_NELEM(pk->operation_cache); + int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache); + OP_CACHE_ELEM *p; - for (i = 0; i < end && pk->operation_cache[i].keymgmt != NULL; i++) { - if (keymgmt == pk->operation_cache[i].keymgmt) - break; + /* + * A comparison and sk_P_CACHE_ELEM_find() are avoided to not cause + * problems when we've only a read lock. + */ + for (i = 0; i < end; i++) { + p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i); + if (keymgmt == p->keymgmt) + return p; } - - return i; + return NULL; } -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, size_t index, +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, void *keydata) { + OP_CACHE_ELEM *p = NULL; + if (keydata != NULL) { - if (!EVP_KEYMGMT_up_ref(keymgmt)) + if (pk->operation_cache == NULL) { + pk->operation_cache = sk_OP_CACHE_ELEM_new_null(); + if (pk->operation_cache == NULL) + return 0; + } + + p = OPENSSL_malloc(sizeof(*p)); + if (p == NULL) return 0; + p->keydata = keydata; + p->keymgmt = keymgmt; - pk->operation_cache[index].keydata = keydata; - pk->operation_cache[index].keymgmt = keymgmt; + if (!EVP_KEYMGMT_up_ref(keymgmt)) { + OPENSSL_free(p); + return 0; + } + + if (!sk_OP_CACHE_ELEM_push(pk->operation_cache, p)) { + EVP_KEYMGMT_free(keymgmt); + OPENSSL_free(p); + return 0; + } } return 1; } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 95cc15e9d7..fc0e5be7de 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1629,6 +1629,7 @@ static void evp_pkey_free_it(EVP_PKEY *x) /* internal function; x is never NULL */ evp_keymgmt_util_clear_operation_cache(x, 1); + sk_OP_CACHE_ELEM_free(x->operation_cache); #ifndef FIPS_MODULE evp_pkey_free_legacy(x); #endif @@ -1734,7 +1735,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, #ifndef FIPS_MODULE if (pk->pkey.ptr != NULL) { - size_t i = 0; + OP_CACHE_ELEM *op; /* * If the legacy "origin" hasn't changed since last time, we try @@ -1744,7 +1745,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) { if (!CRYPTO_THREAD_read_lock(pk->lock)) goto end; - i = evp_keymgmt_util_find_operation_cache_index(pk, tmp_keymgmt); + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); /* * If |tmp_keymgmt| is present in the operation cache, it means @@ -1752,23 +1753,14 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, * token copies of the cached pointers, to have token success * values to return. */ - if (i < OSSL_NELEM(pk->operation_cache) - && pk->operation_cache[i].keymgmt != NULL) { - keydata = pk->operation_cache[i].keydata; + if (op != NULL && op->keymgmt != NULL) { + keydata = op->keydata; CRYPTO_THREAD_unlock(pk->lock); goto end; } CRYPTO_THREAD_unlock(pk->lock); } - /* - * TODO(3.0) Right now, we assume we have ample space. We will have - * to think about a cache aging scheme, though, if |i| indexes outside - * the array. - */ - if (!ossl_assert(i < OSSL_NELEM(pk->operation_cache))) - goto end; - /* Make sure that the keymgmt key type matches the legacy NID */ if (!ossl_assert(EVP_KEYMGMT_is_a(tmp_keymgmt, OBJ_nid2sn(pk->type)))) goto end; @@ -1806,8 +1798,19 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, } EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */ + /* Check to make sure some other thread didn't get there first */ + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); + if (op != NULL && op->keymgmt != NULL) { + void *tmp_keydata = op->keydata; + + CRYPTO_THREAD_unlock(pk->lock); + evp_keymgmt_freedata(tmp_keymgmt, keydata); + keydata = tmp_keydata; + goto end; + } + /* Add the new export to the operation cache */ - if (!evp_keymgmt_util_cache_keydata(pk, i, tmp_keymgmt, keydata)) { + if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) { CRYPTO_THREAD_unlock(pk->lock); evp_keymgmt_freedata(tmp_keymgmt, keydata); keydata = NULL; @@ -1972,7 +1975,7 @@ int evp_pkey_downgrade(EVP_PKEY *pk) * reference count, so we need to decrement it, or there will be a * leak. */ - evp_keymgmt_util_cache_keydata(pk, 0, tmp_copy.keymgmt, + evp_keymgmt_util_cache_keydata(pk, tmp_copy.keymgmt, tmp_copy.keydata); EVP_KEYMGMT_free(tmp_copy.keymgmt); diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod index 31f8b00e47..f55980376e 100644 --- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod @@ -4,24 +4,27 @@ evp_keymgmt_util_export, evp_keymgmt_util_export_to_provider, -evp_keymgmt_util_find_operation_cache_index, +evp_keymgmt_util_find_operation_cache, evp_keymgmt_util_clear_operation_cache, evp_keymgmt_util_cache_keydata, evp_keymgmt_util_cache_keyinfo, -evp_keymgmt_util_fromdata +evp_keymgmt_util_fromdata, +OP_CACHE_ELEM - internal KEYMGMT utility functions =head1 SYNOPSIS #include "crypto/evp.h" + typedef struct OP_CACHE_ELEM; + int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, OSSL_CALLBACK *export_cb, void *export_cbarg); void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); - size_t evp_keymgmt_util_find_operation_cache_index(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt); + OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, + EVP_KEYMGMT *keymgmt); int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); - int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, size_t index, + int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, void *keydata); void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, @@ -41,20 +44,17 @@ of all provider side keys. To export a legacy key, use L instead, as this function ignores any legacy key data. -evp_keymgmt_util_find_operation_cache_index() finds the location if -I in I's cache of provided keys for operations. If -I is NULL or couldn't be found in the cache, it finds the -first empty slot instead if there is any. It should only be called while -holding I's lock (read or write). +evp_keymgmt_util_find_operation_cache() finds +I in I's cache of provided keys for operations. +It should only be called while holding I's lock (read or write). evp_keymgmt_util_clear_operation_cache() can be used to explicitly clear the cache of operation key references. If I is set to 1 then then I's lock will be obtained while doing the clear. Otherwise it will be assumed that the lock has already been obtained or is not required. -evp_keymgmt_util_cache_keydata() can be used to assign a provider key -object to a specific cache slot in the given I. -I. +evp_keymgmt_util_cache_keydata() can be used to add a provider key +object to a B. evp_keymgmt_util_cache_keyinfo() can be used to get all kinds of information from the provvider "origin" and save it in I's @@ -70,10 +70,9 @@ evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata() return a pointer to the appropriate provider side key (created or found again), or NULL on error. -evp_keymgmt_util_find_operation_cache_index() returns the index of the +evp_keymgmt_util_find_operation_cache() returns a pointer to the operation cache slot. If I is NULL, or if there is no slot -with a match for I, the index of the first empty slot is -returned, or the maximum number of slots if there isn't an empty one. +with a match for I, NULL is returned. evp_keymgmt_util_cache_keydata() and evp_keymgmt_util_clear_operation_cache() return 1 on success or 0 otherwise. diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 7b3c4bfd2f..60f07c7cf7 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -548,6 +548,23 @@ int evp_cipher_param_to_asn1_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, evp_cipher_aead_asn1_params *params); +/* + * To support transparent execution of operation in backends other + * than the "origin" key, we support transparent export/import to + * those providers, and maintain a cache of the imported keydata, + * so we don't need to redo the export/import every time we perform + * the same operation in that same provider. + * This requires that the "origin" backend (whether it's a legacy or a + * provider "origin") implements exports, and that the target provider + * has an EVP_KEYMGMT that implements import. + */ +typedef struct { + EVP_KEYMGMT *keymgmt; + void *keydata; +} OP_CACHE_ELEM; + +DEFINE_STACK_OF(OP_CACHE_ELEM) + /* * An EVP_PKEY can have the following states: * @@ -644,18 +661,9 @@ struct evp_pkey_st { * those providers, and maintain a cache of the imported keydata, * so we don't need to redo the export/import every time we perform * the same operation in that same provider. - * This requires that the "origin" backend (whether it's a legacy or a - * provider "origin") implements exports, and that the target provider - * has an EVP_KEYMGMT that implements import. - * - * The cache limit is set at 10 different providers using the same - * "origin". It's probably over the top, but is preferable to too - * few. */ - struct { - EVP_KEYMGMT *keymgmt; - void *keydata; - } operation_cache[10]; + STACK_OF(OP_CACHE_ELEM) *operation_cache; + /* * We keep a copy of that "origin"'s dirty count, so we know if the * operation cache needs flushing. @@ -726,10 +734,10 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata); int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, OSSL_CALLBACK *export_cb, void *export_cbarg); void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); -size_t evp_keymgmt_util_find_operation_cache_index(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt); +OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, + EVP_KEYMGMT *keymgmt); int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, size_t index, +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, void *keydata); void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, From no-reply at appveyor.com Sun Feb 7 13:09:38 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 07 Feb 2021 13:09:38 +0000 Subject: Build failed: openssl master.39668 Message-ID: <20210207130938.1.7D0E0B46BE702C81@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Feb 7 15:11:26 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 07 Feb 2021 15:11:26 +0000 Subject: Build completed: openssl master.39669 Message-ID: <20210207151126.1.8D0041AE62BDAF9B@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Feb 8 01:08:53 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 08 Feb 2021 01:08:53 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1612746533.556859.2512588.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok make[1]: *** wait: No child processes. Stop. make[1]: *** Waiting for unfinished jobs.... make[1]: *** wait: No child processes. Stop. make: *** [Makefile:3259: tests] Terminated From openssl at openssl.org Mon Feb 8 01:55:35 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 08 Feb 2021 01:55:35 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1612749335.551297.2625072.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3130, 927 wallclock secs (14.63 usr 1.42 sys + 830.71 cusr 93.19 csys = 939.95 CPU) Result: FAIL make[1]: *** [Makefile:3265: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3262: tests] Error 2 From shane.lontis at oracle.com Mon Feb 8 06:39:04 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Mon, 08 Feb 2021 06:39:04 +0000 Subject: [openssl] master update Message-ID: <1612766344.217454.3521.nullmailer@dev.openssl.org> The branch master has been updated via 2db985b7b1e20ac670d196981aa7e8f31881d2eb (commit) from 64954e2f34b8839ca7ad1e9576a6efaf3e49e17c (commit) - Log ----------------------------------------------------------------- commit 2db985b7b1e20ac670d196981aa7e8f31881d2eb Author: Shane Lontis Date: Fri Feb 5 13:55:50 2021 +1000 Simplify the EVP_PKEY_XXX_fromdata_XX methods. The existing names such as EVP_PKEY_param_fromdata_settable were a bit confusing since the 'param' referred to key params not OSSL_PARAM. To simplify the interface a 'selection' parameter will be passed instead. The changes are: (1) EVP_PKEY_fromdata_init() replaces both EVP_PKEY_key_fromdata_init() and EVP_PKEY_param_fromdata_init(). (2) EVP_PKEY_fromdata() has an additional selection parameter. (3) EVP_PKEY_fromdata_settable() replaces EVP_PKEY_key_fromdata_settable() and EVP_PKEY_param_fromdata_settable(). EVP_PKEY_fromdata_settable() also uses a selection parameter. Fixes #12989 Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14076) ----------------------------------------------------------------------- Summary of changes: apps/dhparam.c | 4 +- crypto/evp/p_lib.c | 8 ++-- crypto/evp/pmeth_gn.c | 46 ++++---------------- doc/man3/EVP_PKEY_fromdata.pod | 88 +++++++++++++++++++++++--------------- include/openssl/evp.h | 35 +++++++-------- providers/fips/self_test_kats.c | 16 +++---- ssl/statem/statem_clnt.c | 4 +- ssl/t1_lib.c | 5 ++- test/acvp_test.c | 18 ++++---- test/ectest.c | 13 +++--- test/evp_extra_test.c | 15 ++++--- test/evp_pkey_provided_test.c | 35 +++++++++------ test/helpers/predefined_dhparams.c | 5 ++- test/sslapitest.c | 5 ++- util/libcrypto.num | 6 +-- 15 files changed, 153 insertions(+), 150 deletions(-) diff --git a/apps/dhparam.c b/apps/dhparam.c index 8242a1f1d7..cfa399e459 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -387,8 +387,8 @@ static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh) ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL); if (ctx == NULL - || !EVP_PKEY_param_fromdata_init(ctx) - || !EVP_PKEY_fromdata(ctx, &pkey, params)) { + || !EVP_PKEY_fromdata_init(ctx) + || !EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params)) { BIO_printf(bio_err, "Error, failed to set DH parameters\n"); goto err; } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index fc0e5be7de..fe53b62cdd 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -391,7 +391,7 @@ static EVP_PKEY *new_raw_key_int(OSSL_LIB_CTX *libctx, goto err; /* May fail if no provider available */ ERR_set_mark(); - if (EVP_PKEY_key_fromdata_init(ctx) == 1) { + if (EVP_PKEY_fromdata_init(ctx) == 1) { OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END }; ERR_clear_last_mark(); @@ -400,7 +400,7 @@ static EVP_PKEY *new_raw_key_int(OSSL_LIB_CTX *libctx, : OSSL_PKEY_PARAM_PUB_KEY, (void *)key, len); - if (EVP_PKEY_fromdata(ctx, &pkey, params) != 1) { + if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) { ERR_raise(ERR_LIB_EVP, EVP_R_KEY_SETUP_FAILED); goto err; } @@ -610,7 +610,7 @@ static EVP_PKEY *new_cmac_key_int(const unsigned char *priv, size_t len, if (ctx == NULL) goto err; - if (!EVP_PKEY_key_fromdata_init(ctx)) { + if (!EVP_PKEY_fromdata_init(ctx)) { ERR_raise(ERR_LIB_EVP, EVP_R_KEY_SETUP_FAILED); goto err; } @@ -629,7 +629,7 @@ static EVP_PKEY *new_cmac_key_int(const unsigned char *priv, size_t len, # endif *p = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_fromdata(ctx, &pkey, params)) { + if (!EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params)) { ERR_raise(ERR_LIB_EVP, EVP_R_KEY_SETUP_FAILED); goto err; } diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index beaa001bf5..bf35088a7d 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -345,22 +345,17 @@ static int fromdata_init(EVP_PKEY_CTX *ctx, int operation) return -2; } -int EVP_PKEY_param_fromdata_init(EVP_PKEY_CTX *ctx) +int EVP_PKEY_fromdata_init(EVP_PKEY_CTX *ctx) { - return fromdata_init(ctx, EVP_PKEY_OP_PARAMFROMDATA); + return fromdata_init(ctx, EVP_PKEY_OP_FROMDATA); } -int EVP_PKEY_key_fromdata_init(EVP_PKEY_CTX *ctx) -{ - return fromdata_init(ctx, EVP_PKEY_OP_KEYFROMDATA); -} - -int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, OSSL_PARAM params[]) +int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, int selection, + OSSL_PARAM params[]) { void *keydata = NULL; - int selection; - if (ctx == NULL || (ctx->operation & EVP_PKEY_OP_TYPE_FROMDATA) == 0) { + if (ctx == NULL || (ctx->operation & EVP_PKEY_OP_FROMDATA) == 0) { ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return -2; } @@ -376,40 +371,17 @@ int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, OSSL_PARAM params[]) return -1; } - if (ctx->operation == EVP_PKEY_OP_PARAMFROMDATA) - selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; - else - selection = OSSL_KEYMGMT_SELECT_ALL; - keydata = evp_keymgmt_util_fromdata(*ppkey, ctx->keymgmt, selection, - params); - + keydata = evp_keymgmt_util_fromdata(*ppkey, ctx->keymgmt, selection, params); if (keydata == NULL) return 0; /* keydata is cached in *ppkey, so we need not bother with it further */ return 1; } -/* - * TODO(3.0) Re-evaluate the names, it's possible that we find these to be - * better: - * - * EVP_PKEY_param_settable() - * EVP_PKEY_param_gettable() - */ -const OSSL_PARAM *EVP_PKEY_param_fromdata_settable(EVP_PKEY_CTX *ctx) -{ - /* We call fromdata_init to get ctx->keymgmt populated */ - if (fromdata_init(ctx, EVP_PKEY_OP_UNDEFINED)) - return evp_keymgmt_import_types(ctx->keymgmt, - OSSL_KEYMGMT_SELECT_ALL_PARAMETERS); - return NULL; -} - -const OSSL_PARAM *EVP_PKEY_key_fromdata_settable(EVP_PKEY_CTX *ctx) +const OSSL_PARAM *EVP_PKEY_fromdata_settable(EVP_PKEY_CTX *ctx, int selection) { /* We call fromdata_init to get ctx->keymgmt populated */ - if (fromdata_init(ctx, EVP_PKEY_OP_UNDEFINED)) - return evp_keymgmt_import_types(ctx->keymgmt, - OSSL_KEYMGMT_SELECT_ALL); + if (fromdata_init(ctx, EVP_PKEY_OP_UNDEFINED) == 1) + return evp_keymgmt_import_types(ctx->keymgmt, selection); return NULL; } diff --git a/doc/man3/EVP_PKEY_fromdata.pod b/doc/man3/EVP_PKEY_fromdata.pod index aaf545d648..40f39d7c68 100644 --- a/doc/man3/EVP_PKEY_fromdata.pod +++ b/doc/man3/EVP_PKEY_fromdata.pod @@ -2,19 +2,17 @@ =head1 NAME -EVP_PKEY_param_fromdata_init, EVP_PKEY_key_fromdata_init, EVP_PKEY_fromdata, -EVP_PKEY_param_fromdata_settable, EVP_PKEY_key_fromdata_settable -- functions to create key parameters and keys from user data +EVP_PKEY_fromdata_init, EVP_PKEY_fromdata, EVP_PKEY_fromdata_settable +- functions to create keys and key parameters from user data =head1 SYNOPSIS #include - int EVP_PKEY_param_fromdata_init(EVP_PKEY_CTX *ctx); - int EVP_PKEY_key_fromdata_init(EVP_PKEY_CTX *ctx); - int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, OSSL_PARAM params[]); - const OSSL_PARAM *EVP_PKEY_param_fromdata_settable(EVP_PKEY_CTX *ctx); - const OSSL_PARAM *EVP_PKEY_key_fromdata_settable(EVP_PKEY_CTX *ctx); + int EVP_PKEY_fromdata_init(EVP_PKEY_CTX *ctx); + int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, int selection, + OSSL_PARAM params[]); + const OSSL_PARAM *EVP_PKEY_fromdata_settable(EVP_PKEY_CTX *ctx, int selection); =head1 DESCRIPTION @@ -29,17 +27,15 @@ L. The exact key data that the user can pass depends on the key type. These are passed as an L array. -EVP_PKEY_param_fromdata_init() initializes a public key algorithm context -for creating key parameters from user data. +EVP_PKEY_fromdata_init() initializes a public key algorithm context +for creating a key or key parameters from user data. -EVP_PKEY_key_fromdata_init() initializes a public key algorithm context for -creating a key from user data. - -EVP_PKEY_fromdata() creates the structure to store key parameters or a -key, given data from I and a context that's been initialized with -EVP_PKEY_param_fromdata_init() or EVP_PKEY_key_fromdata_init(). The result is -written to I<*ppkey>. The parameters that can be used for various types of key -are as described by the diverse "Common parameters" sections of the +EVP_PKEY_fromdata() creates the structure to store a key or key parameters, +given data from I, I and a context that's been initialized +with EVP_PKEY_fromdata_init(). The result is written to I<*ppkey>. +I is described in L. +The parameters that can be used for various types of key are as described by the +diverse "Common parameters" sections of the L(7)|EVP_PKEY-RSA(7)/Common RSA parameters>, L(7)|EVP_PKEY-DSA(7)/Common DSA & DH parameters>, L(7)|EVP_PKEY-DH(7)/Common DH parameters>, @@ -52,24 +48,44 @@ and L(7)|EVP_PKEY-ED25519(7)/Common X25519, X448, ED25519 an =for comment the awful list of links above is made this way so we get nice rendering as a man-page while still getting proper links in HTML -EVP_PKEY_param_fromdata_settable() and EVP_PKEY_key_fromdata_settable() -get a constant B array that describes the settable parameters -that can be used with EVP_PKEY_fromdata(). +EVP_PKEY_fromdata_settable() gets a constant B array that describes +the settable parameters that can be used with EVP_PKEY_fromdata(). +I is described in L. See L for the use of B as parameter descriptor. +=head2 Selections + +The following constants can be used for I: + +=over 4 + +=item B + +Only key parameters will be selected. + +=item B + +Only public key components will be selected. This includes optional key +parameters. + +=item B + +Any keypair components will be selected. This includes the private key, +public key and key parameters. + +=back + =head1 NOTES -These functions only work with key management methods coming from a -provider. +These functions only work with key management methods coming from a provider. =for comment We may choose to make this available for legacy methods too... =head1 RETURN VALUES -EVP_PKEY_key_fromdata_init(), EVP_PKEY_param_fromdata_init() and -EVP_PKEY_fromdata() return 1 for success and 0 or a negative value for -failure. In particular a return value of -2 indicates the operation is -not supported by the public key algorithm. +EVP_PKEY_fromdata_init() and EVP_PKEY_fromdata() return 1 for success and 0 or +a negative value for failure. In particular a return value of -2 indicates the +operation is not supported by the public key algorithm. =head1 EXAMPLES @@ -110,8 +126,8 @@ TODO Write a set of cookbook documents and link to them. EVP_PKEY *pkey = NULL; if (ctx == NULL - || EVP_PKEY_key_fromdata_init(ctx) <= 0 - || EVP_PKEY_fromdata(ctx, &pkey, params) <= 0) + || EVP_PKEY_fromdata_init(ctx) <= 0 + || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) exit(1); /* Do what you want with |pkey| */ @@ -173,8 +189,8 @@ TODO Write a set of cookbook documents and link to them. ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); if (ctx == NULL || params != NULL - || EVP_PKEY_key_fromdata_init(ctx) <= 0 - || EVP_PKEY_fromdata(ctx, &pkey, params) <= 0) { + || EVP_PKEY_fromdata_init(ctx) <= 0 + || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { exitcode = 1; } else { /* Do what you want with |pkey| */ @@ -199,8 +215,10 @@ TODO Write a set of cookbook documents and link to them. EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, argv[1], NULL); const *OSSL_PARAM *settable_params = NULL; - if (ctx == NULL - || (settable_params = EVP_PKEY_key_fromdata_settable(ctx)) == NULL) + if (ctx == NULL) + exit(1); + settable_params = EVP_PKEY_fromdata_settable(ctx, EVP_PKEY_KEYPAIR); + if (settable_params == NULL) exit(1); for (; settable_params->key != NULL; settable_params++) { @@ -235,7 +253,7 @@ TODO Write a set of cookbook documents and link to them. } The descriptor L returned by -EVP_PKEY_key_fromdata_settable() may also be used programmatically, for +EVP_PKEY_fromdata_settable() may also be used programmatically, for example with L. =head1 SEE ALSO @@ -252,7 +270,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 239b107833..5f9de9d8b9 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -21,6 +21,7 @@ # include # include # include +# include # include # include # include @@ -1552,18 +1553,17 @@ const char *EVP_PKEY_get0_first_alg_name(const EVP_PKEY *key); # define EVP_PKEY_OP_UNDEFINED 0 # define EVP_PKEY_OP_PARAMGEN (1<<1) # define EVP_PKEY_OP_KEYGEN (1<<2) -# define EVP_PKEY_OP_PARAMFROMDATA (1<<3) -# define EVP_PKEY_OP_KEYFROMDATA (1<<4) -# define EVP_PKEY_OP_SIGN (1<<5) -# define EVP_PKEY_OP_VERIFY (1<<6) -# define EVP_PKEY_OP_VERIFYRECOVER (1<<7) -# define EVP_PKEY_OP_SIGNCTX (1<<8) -# define EVP_PKEY_OP_VERIFYCTX (1<<9) -# define EVP_PKEY_OP_ENCRYPT (1<<10) -# define EVP_PKEY_OP_DECRYPT (1<<11) -# define EVP_PKEY_OP_DERIVE (1<<12) -# define EVP_PKEY_OP_ENCAPSULATE (1<<13) -# define EVP_PKEY_OP_DECAPSULATE (1<<14) +# define EVP_PKEY_OP_FROMDATA (1<<3) +# define EVP_PKEY_OP_SIGN (1<<4) +# define EVP_PKEY_OP_VERIFY (1<<5) +# define EVP_PKEY_OP_VERIFYRECOVER (1<<6) +# define EVP_PKEY_OP_SIGNCTX (1<<7) +# define EVP_PKEY_OP_VERIFYCTX (1<<8) +# define EVP_PKEY_OP_ENCRYPT (1<<9) +# define EVP_PKEY_OP_DECRYPT (1<<10) +# define EVP_PKEY_OP_DERIVE (1<<11) +# define EVP_PKEY_OP_ENCAPSULATE (1<<12) +# define EVP_PKEY_OP_DECAPSULATE (1<<13) # define EVP_PKEY_OP_TYPE_SIG \ (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYRECOVER \ @@ -1578,8 +1578,6 @@ const char *EVP_PKEY_get0_first_alg_name(const EVP_PKEY *key); # define EVP_PKEY_OP_TYPE_GEN \ (EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN) -# define EVP_PKEY_OP_TYPE_FROMDATA \ - (EVP_PKEY_OP_PARAMFROMDATA | EVP_PKEY_OP_KEYFROMDATA) int EVP_PKEY_CTX_set_mac_key(EVP_PKEY_CTX *ctx, const unsigned char *key, int keylen); @@ -1790,11 +1788,10 @@ int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx); -int EVP_PKEY_param_fromdata_init(EVP_PKEY_CTX *ctx); -int EVP_PKEY_key_fromdata_init(EVP_PKEY_CTX *ctx); -int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, OSSL_PARAM param[]); -const OSSL_PARAM *EVP_PKEY_param_fromdata_settable(EVP_PKEY_CTX *ctx); -const OSSL_PARAM *EVP_PKEY_key_fromdata_settable(EVP_PKEY_CTX *ctx); +int EVP_PKEY_fromdata_init(EVP_PKEY_CTX *ctx); +int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, int selection, + OSSL_PARAM param[]); +const OSSL_PARAM *EVP_PKEY_fromdata_settable(EVP_PKEY_CTX *ctx, int selection); const OSSL_PARAM *EVP_PKEY_gettable_params(const EVP_PKEY *pkey); int EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]); int EVP_PKEY_get_int_param(const EVP_PKEY *pkey, const char *key_name, diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index d4102f25bd..c408339298 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -392,11 +392,11 @@ static int self_test_ka(const ST_KAT_KAS *t, kactx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, ""); if (kactx == NULL) goto err; - if (EVP_PKEY_key_fromdata_init(kactx) <= 0 - || EVP_PKEY_fromdata(kactx, &pkey, params) <= 0) + if (EVP_PKEY_fromdata_init(kactx) <= 0 + || EVP_PKEY_fromdata(kactx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) goto err; - if (EVP_PKEY_key_fromdata_init(kactx) <= 0 - || EVP_PKEY_fromdata(kactx, &peerkey, params_peer) <= 0) + if (EVP_PKEY_fromdata_init(kactx) <= 0 + || EVP_PKEY_fromdata(kactx, &peerkey, EVP_PKEY_KEYPAIR, params_peer) <= 0) goto err; /* Create a EVP_PKEY_CTX to perform key derivation */ @@ -464,8 +464,8 @@ static int self_test_sign(const ST_KAT_SIGN *t, kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, ""); if (kctx == NULL || params == NULL) goto err; - if (EVP_PKEY_key_fromdata_init(kctx) <= 0 - || EVP_PKEY_fromdata(kctx, &pkey, params) <= 0) + if (EVP_PKEY_fromdata_init(kctx) <= 0 + || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) goto err; /* Create a EVP_PKEY_CTX to use for the signing operation */ @@ -546,8 +546,8 @@ static int self_test_asym_cipher(const ST_KAT_ASYM_CIPHER *t, OSSL_SELF_TEST *st keyctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL); if (keyctx == NULL || keyparams == NULL) goto err; - if (EVP_PKEY_key_fromdata_init(keyctx) <= 0 - || EVP_PKEY_fromdata(keyctx, &key, keyparams) <= 0) + if (EVP_PKEY_fromdata_init(keyctx) <= 0 + || EVP_PKEY_fromdata(keyctx, &key, EVP_PKEY_KEYPAIR, keyparams) <= 0) goto err; /* Create a EVP_PKEY_CTX to use for the encrypt or decrypt operation */ diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index cff522604f..1e9ab00976 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2063,8 +2063,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } - if (EVP_PKEY_key_fromdata_init(pctx) <= 0 - || EVP_PKEY_fromdata(pctx, &peer_tmp, params) <= 0) { + if (EVP_PKEY_fromdata_init(pctx) <= 0 + || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); goto err; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index a7b5a6cc3f..684e8494fc 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2901,7 +2901,7 @@ EVP_PKEY *ssl_get_auto_dh(SSL *s) pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); if (pctx == NULL - || EVP_PKEY_key_fromdata_init(pctx) != 1) + || EVP_PKEY_fromdata_init(pctx) != 1) goto err; tmpl = OSSL_PARAM_BLD_new(); @@ -2911,7 +2911,8 @@ EVP_PKEY *ssl_get_auto_dh(SSL *s) goto err; params = OSSL_PARAM_BLD_to_param(tmpl); - if (params == NULL || EVP_PKEY_fromdata(pctx, &dhp, params) != 1) + if (params == NULL + || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) goto err; err: diff --git a/test/acvp_test.c b/test/acvp_test.c index 3d4214c784..2dc01aeeae 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -169,8 +169,9 @@ static int ecdsa_create_pkey(EVP_PKEY **pkey, const char *curve_name, pub, pub_len) > 0) || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL)) - || !TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, params), expected)) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_PUBLIC_KEY, + params), expected)) goto err; ret = 1; @@ -510,8 +511,8 @@ static int dsa_create_pkey(EVP_PKEY **pkey, } if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", NULL)) - || !TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, pkey, params))) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_PUBLIC_KEY, params))) goto err; ret = 1; @@ -930,8 +931,9 @@ static int dh_create_pkey(EVP_PKEY **pkey, const char *group_name, if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL)) - || !TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, params), pass)) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_KEYPAIR, params), + pass)) goto err; ret = 1; @@ -1053,8 +1055,8 @@ static int rsa_create_pkey(EVP_PKEY **pkey, } if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) - || !TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, pkey, params))) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_KEYPAIR, params))) goto err; ret = 1; diff --git a/test/ectest.c b/test/ectest.c index e00e7c2b3a..6d08d0481f 100644 --- a/test/ectest.c +++ b/test/ectest.c @@ -2409,8 +2409,9 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_int_gt(EVP_PKEY_param_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, params), 0)) + || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, + EVP_PKEY_KEY_PARAMETERS, params), 0)) goto err; /*- Check that all the set values are retrievable -*/ @@ -2869,9 +2870,11 @@ static int custom_params_test(int id) /* create two new provider-native `EVP_PKEY`s */ EVP_PKEY_CTX_free(pctx2); if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_true(EVP_PKEY_key_fromdata_init(pctx2)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, params1)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, params2))) + || !TEST_true(EVP_PKEY_fromdata_init(pctx2)) + || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR, + params1)) + || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY, + params2))) goto err; /* compute keyexchange once more using the provider keys */ diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 223a8db6f1..b3f2ec689b 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -496,8 +496,9 @@ static int test_fromdata(char *keytype, OSSL_PARAM *params) if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, NULL))) goto err; - if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR, + params), 0)) goto err; if (!TEST_ptr(pkey)) @@ -1954,8 +1955,9 @@ static int test_DSA_get_set_params(void) if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR, + params), 0)) goto err; if (!TEST_ptr(pkey)) @@ -2014,8 +2016,9 @@ static int test_RSA_get_set_params(void) if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR, + params), 0)) goto err; if (!TEST_ptr(pkey)) diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index bfc9cd2ebc..85ae542b7c 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -339,8 +339,9 @@ static int test_fromdata_rsa(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL))) goto err; - if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params)) || !TEST_int_eq(EVP_PKEY_bits(pk), 32) || !TEST_int_eq(EVP_PKEY_security_bits(pk), 8) || !TEST_int_eq(EVP_PKEY_size(pk), 4)) @@ -411,8 +412,9 @@ static int test_evp_pkey_get_bn_param_large(void) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)) || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) - || !TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params)) || !TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, "")) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_RSA_N, &n_out)) || !TEST_BN_eq(n, n_out)) @@ -501,8 +503,9 @@ static int test_fromdata_dh_named_group(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL))) goto err; - if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params)) || !TEST_int_eq(EVP_PKEY_bits(pk), 2048) || !TEST_int_eq(EVP_PKEY_security_bits(pk), 112) || !TEST_int_eq(EVP_PKEY_size(pk), 256)) @@ -645,8 +648,9 @@ static int test_fromdata_dh_fips186_4(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL))) goto err; - if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params)) || !TEST_int_eq(EVP_PKEY_bits(pk), 2048) || !TEST_int_eq(EVP_PKEY_security_bits(pk), 112) || !TEST_int_eq(EVP_PKEY_size(pk), 256)) @@ -916,8 +920,9 @@ static int test_fromdata_ecx(int tst) fromdata_params = params; } - if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params)) || !TEST_int_eq(EVP_PKEY_bits(pk), bits) || !TEST_int_eq(EVP_PKEY_security_bits(pk), security_bits) || !TEST_int_eq(EVP_PKEY_size(pk), size)) @@ -1028,8 +1033,9 @@ static int test_fromdata_ec(void) if (!TEST_ptr(ctx)) goto err; - if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params)) || !TEST_int_eq(EVP_PKEY_bits(pk), 256) || !TEST_int_eq(EVP_PKEY_security_bits(pk), 128) || !TEST_int_eq(EVP_PKEY_size(pk), 2 + 35 * 2)) @@ -1286,8 +1292,9 @@ static int test_fromdata_dsa_fips186_4(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL))) goto err; - if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params)) || !TEST_int_eq(EVP_PKEY_bits(pk), 2048) || !TEST_int_eq(EVP_PKEY_security_bits(pk), 112) || !TEST_int_eq(EVP_PKEY_size(pk), 2 + 2 * (3 + sizeof(q_data)))) diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c index 18fb096216..1a19470081 100644 --- a/test/helpers/predefined_dhparams.c +++ b/test/helpers/predefined_dhparams.c @@ -23,7 +23,7 @@ static EVP_PKEY *get_dh_from_pg_bn(OSSL_LIB_CTX *libctx, const char *type, OSSL_PARAM *params = NULL; EVP_PKEY *dhpkey = NULL; - if (pctx == NULL || !EVP_PKEY_key_fromdata_init(pctx)) + if (pctx == NULL || !EVP_PKEY_fromdata_init(pctx)) goto err; if ((tmpl = OSSL_PARAM_BLD_new()) == NULL @@ -34,7 +34,8 @@ static EVP_PKEY *get_dh_from_pg_bn(OSSL_LIB_CTX *libctx, const char *type, goto err; params = OSSL_PARAM_BLD_to_param(tmpl); - if (params == NULL || !EVP_PKEY_fromdata(pctx, &dhpkey, params)) + if (params == NULL + || !EVP_PKEY_fromdata(pctx, &dhpkey, EVP_PKEY_KEY_PARAMETERS, params)) goto err; err: diff --git a/test/sslapitest.c b/test/sslapitest.c index 7cae297a17..6f30a7efd1 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8221,7 +8221,7 @@ static EVP_PKEY *get_tmp_dh_params(void) pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL); if (!TEST_ptr(pctx) - || !TEST_true(EVP_PKEY_key_fromdata_init(pctx))) + || !TEST_true(EVP_PKEY_fromdata_init(pctx))) goto end; tmpl = OSSL_PARAM_BLD_new(); @@ -8236,7 +8236,8 @@ static EVP_PKEY *get_tmp_dh_params(void) params = OSSL_PARAM_BLD_to_param(tmpl); if (!TEST_ptr(params) - || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, params))) + || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, + EVP_PKEY_KEY_PARAMETERS, params))) goto end; tmp_dh_params = dhpkey; diff --git a/util/libcrypto.num b/util/libcrypto.num index c591ab8ec5..f72749f062 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4798,11 +4798,7 @@ X509_add_certs ? 3_0_0 EXIST::FUNCTION: X509_STORE_load_file ? 3_0_0 EXIST::FUNCTION: X509_STORE_load_path ? 3_0_0 EXIST::FUNCTION: X509_STORE_load_store ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_param_fromdata_init ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_key_fromdata_init ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_fromdata ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_param_fromdata_settable ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_key_fromdata_settable ? 3_0_0 EXIST::FUNCTION: EVP_ASYM_CIPHER_free ? 3_0_0 EXIST::FUNCTION: EVP_ASYM_CIPHER_up_ref ? 3_0_0 EXIST::FUNCTION: EVP_ASYM_CIPHER_provider ? 3_0_0 EXIST::FUNCTION: @@ -5300,3 +5296,5 @@ EVP_PKEY_set_octet_string_param ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_ec_point_conv_form ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_field_type ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_params ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_fromdata_init ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_fromdata_settable ? 3_0_0 EXIST::FUNCTION: From dev at ddvo.net Mon Feb 8 06:49:14 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 08 Feb 2021 06:49:14 +0000 Subject: [openssl] master update Message-ID: <1612766954.455848.25440.nullmailer@dev.openssl.org> The branch master has been updated via 50ccc176da8644be079eccc4523c261e34f7b293 (commit) from 2db985b7b1e20ac670d196981aa7e8f31881d2eb (commit) - Log ----------------------------------------------------------------- commit 50ccc176da8644be079eccc4523c261e34f7b293 Author: Dr. David von Oheimb Date: Thu Feb 4 15:58:51 2021 +0100 mknum.pl: Exclude duplicate entries and include source file name in diagnostics Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14074) ----------------------------------------------------------------------- Summary of changes: util/mknum.pl | 4 ++-- util/perl/OpenSSL/Ordinals.pm | 55 ++++++++++++++++++++++++++++--------------- 2 files changed, 38 insertions(+), 21 deletions(-) diff --git a/util/mknum.pl b/util/mknum.pl index 45f3381c81..19d9d55108 100644 --- a/util/mknum.pl +++ b/util/mknum.pl @@ -73,7 +73,7 @@ foreach my $f (($symhacks_file // (), @ARGV)) { && defined $symhacks_file && $f eq $symhacks_file && $_->{value} =~ /^\w(?:\w|\d)*/) { - $ordinals->add_alias($_->{value}, $_->{name}, @{$_->{conds}}); + $ordinals->add_alias($f, $_->{value}, $_->{name}, @{$_->{conds}}); } else { next if $_->{returntype} =~ /\b(?:ossl_)inline/; my $type = { @@ -81,7 +81,7 @@ foreach my $f (($symhacks_file // (), @ARGV)) { V => 'VARIABLE', } -> {$_->{type}}; if ($type) { - $ordinals->add($_->{name}, $type, @{$_->{conds}}); + $ordinals->add($f, $_->{name}, $type, @{$_->{conds}}); } } } diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm index 4b337c6ffd..f2517da7d8 100644 --- a/util/perl/OpenSSL/Ordinals.pm +++ b/util/perl/OpenSSL/Ordinals.pm @@ -130,7 +130,7 @@ sub load { s|#.*||; next if /^\s*$/; - my $item = OpenSSL::Ordinals::Item->new(from => $_); + my $item = OpenSSL::Ordinals::Item->new(source => $filename, from => $_); my $num = $item->number(); if ($num eq '?') { @@ -299,8 +299,10 @@ sub items { # Put an array of items back into the object after having checked consistency # If there are exactly two items: # - They MUST have the same number +# - They MUST have the same version # - For platforms, both MUST hold the same ones, but with opposite values # - For features, both MUST hold the same ones. +# - They MUST NOT have identical name, type, numeral, version, platforms, and features # If there's just one item, just put it in the slot of its number # In all other cases, something is wrong sub _putback { @@ -308,8 +310,8 @@ sub _putback { my @items = @_; if (scalar @items < 1 || scalar @items > 2) { - croak "Wrong number of items: ", scalar @items, " : ", - join(", ", map { $_->name() } @items), "\n"; + croak "Wrong number of items: ", scalar @items, "\n ", + join("\n ", map { $_->{source}.": ".$_->name() } @items), "\n"; } if (scalar @items == 2) { # Collect some data @@ -343,6 +345,13 @@ sub _putback { join(", ", sort keys %features), "\n" if %features; + # Check for in addition identical name, type, and platforms + croak "Duplicate entries for ".$items[0]->name()." from ". + $items[0]->source()." and ".$items[1]->source()."\n" + if $items[0]->name() eq $items[1]->name() + && $items[0]->type() eq $items[2]->type() + && $items[0]->platforms() eq $items[1]->platforms(); + # Check that all platforms exist in both items, and have opposite values my @platforms = ( { $items[0]->platforms() }, { $items[1]->platforms() } ); @@ -424,9 +433,10 @@ sub _adjust_version { return $version; } -=item B<< $ordinals->add NAME, TYPE, LIST >> +=item B<< $ordinals->add SOURCE, NAME, TYPE, LIST >> -Adds a new item named NAME with the type TYPE, and a set of C macros in +Adds a new item from file SOURCE named NAME with the type TYPE, +and a set of C macros in LIST that are expected to be defined or undefined to use this symbol, if any. For undefined macros, they each must be prefixed with a C. @@ -438,6 +448,7 @@ If it's entirely new, it will get a '?' and the current default version. sub add { my $self = shift; + my $source = shift; # file where item was defined my $name = shift; my $type = shift; # FUNCTION or VARIABLE my @defs = @_; # Macros from #ifdef and #ifndef @@ -462,7 +473,8 @@ sub add { @items = grep { $_->exists() } @items; my $new_item = - OpenSSL::Ordinals::Item->new( name => $name, + OpenSSL::Ordinals::Item->new( source => $source, + name => $name, type => $type, number => $number, intnum => $intnum, @@ -485,15 +497,15 @@ sub add { # For the caller to show my @returns = ( $new_item ); - push @returns, $self->add_alias($alias->{name}, $name, @{$alias->{defs}}) + push @returns, $self->add_alias($source, $alias->{name}, $name, @{$alias->{defs}}) if defined $alias; return @returns; } -=item B<< $ordinals->add_alias ALIAS, NAME, LIST >> +=item B<< $ordinals->add_alias SOURCE, ALIAS, NAME, LIST >> -Adds an alias ALIAS for the symbol NAME, and a set of C macros in LIST -that are expected to be defined or undefined to use this symbol, if any. +Adds an alias ALIAS for the symbol NAME from file SOURCE, and a set of C macros +in LIST that are expected to be defined or undefined to use this symbol, if any. For undefined macros, they each must be prefixed with a C. If this symbol already exists in loaded data, it will be rewritten using @@ -504,15 +516,16 @@ that the symbol NAME shows up. sub add_alias { my $self = shift; + my $source = shift; my $alias = shift; # This is the alias being added my $name = shift; # For this name (assuming it exists) my @defs = @_; # Platform attributes for the alias # call signature for debug output my $verbsig = - "add_alias('$alias' , '$name' , [ " . join(', ', @defs) . " ])"; + "add_alias('$source' , '$alias' , '$name' , [ " . join(', ', @defs) . " ])"; - croak "You're kidding me..." if $alias eq $name; + croak "You're kidding me... $alias == $name" if $alias eq $name; my %platforms = _parse_platforms(@defs); my %features = _parse_features(@defs); @@ -533,7 +546,8 @@ sub add_alias { if (scalar @items == 0) { # The item we want to alias for doesn't exist yet, so we cache the # alias and hope the item we're making an alias of shows up later - $self->{aliases}->{$name} = { name => $alias, defs => [ @defs ] }; + $self->{aliases}->{$name} = { source => $source, + name => $alias, defs => [ @defs ] }; print STDERR "DEBUG[",__PACKAGE__,":add_alias] $verbsig\n", "\tSet future alias $alias => $name\n" @@ -553,6 +567,7 @@ sub add_alias { my $number = $items[0]->number() =~ m|^\?| ? '?+' : $items[0]->number(); my $alias_item = OpenSSL::Ordinals::Item->new( + source => $source, name => $alias, type => $items[0]->type(), number => $number, @@ -734,9 +749,9 @@ Available options are: =over 4 -=item B<< from => STRING >> +=item B<< source => FILENAME >>, B<< from => STRING >> -This will create a new item, filled with data coming from STRING. +This will create a new item from FILENAME, filled with data coming from STRING. STRING must conform to the following EBNF description: @@ -757,8 +772,8 @@ STRING must conform to the following EBNF description: (C and C are assumed self evident) -=item B<< name => STRING >>, B<< number => NUMBER >>, B<< version => STRING >>, - B<< exists => BOOLEAN >>, B<< type => STRING >>, +=item B<< source => FILENAME >>, B<< name => STRING >>, B<< number => NUMBER >>, + B<< version => STRING >>, B<< exists => BOOLEAN >>, B<< type => STRING >>, B<< platforms => HASHref >>, B<< features => LISTref >> This will create a new item with data coming from the arguments. @@ -796,7 +811,8 @@ sub new { /x ); my @b = split /:/, $a[3]; - %opts = ( name => $a[0], + %opts = ( source => $opts{source}, + name => $a[0], number => $a[1], version => $a[2], exists => $b[0] eq 'EXIST', @@ -812,7 +828,8 @@ sub new { my $version = $opts{version}; $version =~ s|_|.|g; - $instance = { name => $opts{name}, + $instance = { source => $opts{source}, + name => $opts{name}, type => $opts{type}, number => $opts{number}, intnum => $opts{intnum}, From openssl at openssl.org Mon Feb 8 07:39:42 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 08 Feb 2021 07:39:42 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1612769982.392099.3356360.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3132, 902 wallclock secs (14.50 usr 1.34 sys + 808.17 cusr 91.85 csys = 915.86 CPU) Result: FAIL make[1]: *** [Makefile:3204: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3201: tests] Error 2 From no-reply at appveyor.com Mon Feb 8 10:21:09 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 08 Feb 2021 10:21:09 +0000 Subject: Build failed: openssl master.39677 Message-ID: <20210208102109.1.7DD2A8D23A6D402B@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Mon Feb 8 15:45:48 2021 From: levitte at openssl.org (Richard Levitte) Date: Mon, 08 Feb 2021 15:45:48 +0000 Subject: [openssl] master update Message-ID: <1612799148.230956.13492.nullmailer@dev.openssl.org> The branch master has been updated via 3f71add9e57fb48cb5efdc765860daf754db40e9 (commit) from 50ccc176da8644be079eccc4523c261e34f7b293 (commit) - Log ----------------------------------------------------------------- commit 3f71add9e57fb48cb5efdc765860daf754db40e9 Author: Randall S. Becker Date: Thu Jan 28 11:05:02 2021 -0700 Enable fipsload test on NonStop x86. CLA: Trivial Fixes: #14005 Signed-off-by: Randall S. Becker Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14006) ----------------------------------------------------------------------- Summary of changes: test/recipes/90-test_fipsload.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/recipes/90-test_fipsload.t b/test/recipes/90-test_fipsload.t index c4f713385d..0e08837ad2 100644 --- a/test/recipes/90-test_fipsload.t +++ b/test/recipes/90-test_fipsload.t @@ -18,7 +18,7 @@ use platform; plan skip_all => 'Test only supported in a shared build' if disabled('shared'); plan skip_all => 'Test is disabled on AIX' if config('target') =~ m|^aix|; -plan skip_all => 'Test is disabled on NonStop' if config('target') =~ m|^nonstop|; +plan skip_all => 'Test is disabled on NonStop ia64' if config('target') =~ m|^nonstop-nse|; plan skip_all => 'Test only supported in a dso build' if disabled('dso'); plan skip_all => 'Test is disabled in an address sanitizer build' unless disabled('asan'); From no-reply at appveyor.com Mon Feb 8 22:25:20 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 08 Feb 2021 22:25:20 +0000 Subject: Build failed: openssl master.39694 Message-ID: <20210208222520.1.E45CF6E5453BF3EF@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Tue Feb 9 00:18:15 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 09 Feb 2021 00:18:15 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1612829895.538161.1175951.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. # cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t ................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 768 Tests: 5 Failed: 3) Failed tests: 2-3, 5 Non-zero exit status: 3 Files=231, Tests=2702, 698 wallclock secs ( 9.73 usr 1.28 sys + 612.87 cusr 75.77 csys = 699.65 CPU) Result: FAIL make[1]: *** [Makefile:2464: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2461: tests] Error 2 From no-reply at appveyor.com Tue Feb 9 01:08:30 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 09 Feb 2021 01:08:30 +0000 Subject: Build completed: openssl master.39695 Message-ID: <20210209010830.1.EDA2DA47363B7B38@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Feb 9 04:55:04 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 09 Feb 2021 04:55:04 +0000 Subject: Build failed: openssl master.39703 Message-ID: <20210209045504.1.3C2E6EA0AB81816E@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Feb 9 06:06:56 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 09 Feb 2021 06:06:56 +0000 Subject: Build completed: openssl master.39704 Message-ID: <20210209060656.1.1BFDA6B3837A86AC@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Tue Feb 9 07:05:27 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 09 Feb 2021 07:05:27 +0000 Subject: [openssl] master update Message-ID: <1612854327.033910.15818.nullmailer@dev.openssl.org> The branch master has been updated via e60a748a13a244e8b13bacca18bad9bb3505aa90 (commit) from 3f71add9e57fb48cb5efdc765860daf754db40e9 (commit) - Log ----------------------------------------------------------------- commit e60a748a13a244e8b13bacca18bad9bb3505aa90 Author: Richard Levitte Date: Fri Feb 5 15:39:32 2021 +0100 Configuration: ensure that 'no-tests' works correctly 'no-tests' wasn't entirely respected when specifying subdirs in the top build.info. Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14082) ----------------------------------------------------------------------- Summary of changes: build.info | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/build.info b/build.info index 053329c682..f631d6c780 100644 --- a/build.info +++ b/build.info @@ -1,7 +1,10 @@ # Note that some of these directories are filtered in Configure. Look for # %skipdir there for further explanations. -SUBDIRS=crypto ssl apps test util tools fuzz providers doc +SUBDIRS=crypto ssl apps util tools fuzz providers doc +IF[{- !$disabled{tests} -}] + SUBDIRS=test +ENDIF IF[{- !$disabled{'deprecated-3.0'} -}] SUBDIRS=engines ENDIF From levitte at openssl.org Tue Feb 9 10:16:03 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 09 Feb 2021 10:16:03 +0000 Subject: [openssl] master update Message-ID: <1612865763.018148.20412.nullmailer@dev.openssl.org> The branch master has been updated via 604b86d8d360e36fc2fc0d1611d05bf38699d297 (commit) from e60a748a13a244e8b13bacca18bad9bb3505aa90 (commit) - Log ----------------------------------------------------------------- commit 604b86d8d360e36fc2fc0d1611d05bf38699d297 Author: Petr Gotthard Date: Sat Feb 6 21:47:20 2021 +0100 Enhanced integer parsing in OSSL_PARAM_allocate_from_text Fixes #14041 and additional bugs discovered by the newly created tests. This patch: - Introduces support for 0x prefixed integers - Fixes parsing of negative integers (negative numbers were shifted by -2) - Fixes ability to parse maximal unsigned numbers ("too small buffer" error used to be reported incorrectly) - Fixes a memory leak when OSSL_PARAM_allocate_from_text fails leaving a temporary BN allocated Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14093) ----------------------------------------------------------------------- Summary of changes: crypto/params_from_text.c | 21 ++++++--- doc/man3/OSSL_PARAM_allocate_from_text.pod | 11 +++-- test/params_test.c | 73 ++++++++++++++++++++++++++++++ 3 files changed, 94 insertions(+), 11 deletions(-) diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c index ddc3c38aa4..b019744f9b 100644 --- a/crypto/params_from_text.c +++ b/crypto/params_from_text.c @@ -28,6 +28,7 @@ static int prepare_from_text(const OSSL_PARAM *paramdefs, const char *key, size_t *buf_n, BIGNUM **tmpbn, int *found) { const OSSL_PARAM *p; + size_t buf_bits; /* * ishex is used to translate legacy style string controls in hex format @@ -50,7 +51,7 @@ static int prepare_from_text(const OSSL_PARAM *paramdefs, const char *key, if (*ishex) BN_hex2bn(tmpbn, value); else - BN_dec2bn(tmpbn, value); + BN_asc2bn(tmpbn, value); if (*tmpbn == NULL) return 0; @@ -62,20 +63,25 @@ static int prepare_from_text(const OSSL_PARAM *paramdefs, const char *key, * buffer, i.e. if it's negative, we need to deal with it. We do * it by subtracting 1 here and inverting the bytes in * construct_from_text() below. + * To subtract 1 from an absolute value of a negative number we + * actually have to add 1: -3 - 1 = -4, |-3| = 3 + 1 = 4. */ if (p->data_type == OSSL_PARAM_INTEGER && BN_is_negative(*tmpbn) - && !BN_sub_word(*tmpbn, 1)) { + && !BN_add_word(*tmpbn, 1)) { return 0; } - *buf_n = BN_num_bytes(*tmpbn); + buf_bits = (size_t)BN_num_bits(*tmpbn); + *buf_n = (buf_bits + 7) / 8; /* * TODO(v3.0) is this the right way to do this? This code expects * a zero data size to simply mean "arbitrary size". */ if (p->data_size > 0) { - if (*buf_n >= p->data_size) { + if (buf_bits > p->data_size * 8 + || (p->data_type == OSSL_PARAM_INTEGER + && buf_bits == p->data_size * 8)) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER); /* Since this is a different error, we don't break */ return 0; @@ -184,11 +190,11 @@ int OSSL_PARAM_allocate_from_text(OSSL_PARAM *to, if (!prepare_from_text(paramdefs, key, value, value_n, ¶mdef, &ishex, &buf_n, &tmpbn, found)) - return 0; + goto err; if ((buf = OPENSSL_zalloc(buf_n > 0 ? buf_n : 1)) == NULL) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } ok = construct_from_text(to, paramdef, value, value_n, ishex, @@ -197,4 +203,7 @@ int OSSL_PARAM_allocate_from_text(OSSL_PARAM *to, if (!ok) OPENSSL_free(buf); return ok; + err: + BN_free(tmpbn); + return 0; } diff --git a/doc/man3/OSSL_PARAM_allocate_from_text.pod b/doc/man3/OSSL_PARAM_allocate_from_text.pod index ef68f0e10c..80ba555a8f 100644 --- a/doc/man3/OSSL_PARAM_allocate_from_text.pod +++ b/doc/man3/OSSL_PARAM_allocate_from_text.pod @@ -55,15 +55,16 @@ depending on that item's I, as follows: =item B and B -If I started with "hex", I is assumed to contain -I hexadecimal characters, which are decoded, and the -resulting bytes become the number stored in the I<< to->data >> -storage. - If I didn't start with "hex", I is assumed to contain I decimal characters, which are decoded, and the resulting bytes become the number stored in the I<< to->data >> storage. +If I starts with "0x", it is assumed to contain I +hexadecimal characters. + +If I started with "hex", I is assumed to contain +I hexadecimal characters without the "0x" prefix. + If I contains characters that couldn't be decoded as hexadecimal or decimal characters, OSSL_PARAM_allocate_from_text() considers that an error. diff --git a/test/params_test.c b/test/params_test.c index 8ee2e1594c..913df9eb8a 100644 --- a/test/params_test.c +++ b/test/params_test.c @@ -541,8 +541,81 @@ static int test_case(int i) test_cases[i].prov)); } +/*- + * OSSL_PARAM_allocate_from_text() tests + * ===================================== + */ + +static const OSSL_PARAM params_from_text[] = { + OSSL_PARAM_int32("int", NULL), + OSSL_PARAM_DEFN("short", OSSL_PARAM_INTEGER, NULL, sizeof(int16_t)), + OSSL_PARAM_DEFN("ushort", OSSL_PARAM_UNSIGNED_INTEGER, NULL, sizeof(uint16_t)), + OSSL_PARAM_END, +}; + +struct int_from_text_test_st { + const char *argname; + const char *strval; + long int intval; + int res; +}; + +static struct int_from_text_test_st int_from_text_test_cases[] = { + { "int", "", 0, 0 }, + { "int", "0", 0, 1 }, + { "int", "101", 101, 1 }, + { "int", "-102", -102, 1 }, + { "int", "12A", 12, 1 }, /* incomplete */ + { "int", "0x12B", 0x12B, 1 }, + { "hexint", "12C", 0x12C, 1 }, + { "hexint", "0x12D", 0, 1 }, /* zero */ + /* test check of the target buffer size */ + { "int", "0x7fffffff", INT32_MAX, 1 }, + { "int", "2147483647", INT32_MAX, 1 }, + { "int", "2147483648", 0, 0 }, /* too small buffer */ + { "int", "-2147483648", INT32_MIN, 1 }, + { "int", "-2147483649", 0, 0 }, /* too small buffer */ + { "short", "0x7fff", INT16_MAX, 1 }, + { "short", "32767", INT16_MAX, 1 }, + { "short", "32768", 0, 0 }, /* too small buffer */ + { "ushort", "0xffff", UINT16_MAX, 1 }, + { "ushort", "65535", UINT16_MAX, 1 }, + { "ushort", "65536", 0, 0 }, /* too small buffer */ +}; + +static int check_int_from_text(const struct int_from_text_test_st a) +{ + OSSL_PARAM param; + long int val = 0; + int res; + + if (!OSSL_PARAM_allocate_from_text(¶m, params_from_text, + a.argname, a.strval, 0, NULL)) { + if (a.res) + TEST_error("errant %s param \"%s\"", a.argname, a.strval); + return !a.res; + } + + res = OSSL_PARAM_get_long(¶m, &val); + OPENSSL_free(param.data); + + if (res ^ a.res || val != a.intval) { + TEST_error("errant %s \"%s\" %li != %li", + a.argname, a.strval, a.intval, val); + return 0; + } + + return a.res; +} + +static int test_allocate_from_text(int i) +{ + return check_int_from_text(int_from_text_test_cases[i]); +} + int setup_tests(void) { ADD_ALL_TESTS(test_case, OSSL_NELEM(test_cases)); + ADD_ALL_TESTS(test_allocate_from_text, OSSL_NELEM(int_from_text_test_cases)); return 1; } From no-reply at appveyor.com Tue Feb 9 11:25:08 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 09 Feb 2021 11:25:08 +0000 Subject: Build failed: openssl master.39712 Message-ID: <20210209112508.1.1753B56C777595C0@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Tue Feb 9 12:32:41 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 09 Feb 2021 12:32:41 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock Message-ID: <1612873961.782865.2673399.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): 70-test_sslrecords.t ............... skipped: test_sslrecords needs the sock feature enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs the sock feature enabled 70-test_sslsigalgs.t ............... skipped: test_sslsigalgs needs the sock feature enabled 70-test_sslsignature.t ............. skipped: test_sslsignature needs the sock feature enabled 70-test_sslskewith0p.t ............. skipped: test_sslskewith0p needs the sock feature enabled 70-test_sslversions.t .............. skipped: test_sslversions needs the sock feature enabled 70-test_sslvertol.t ................ skipped: test_sslextension needs the sock feature enabled 70-test_tls13alerts.t .............. skipped: test_tls13alerts needs the sock feature enabled 70-test_tls13cookie.t .............. skipped: test_tls13cookie needs the sock feature enabled 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs the sock feature enabled 70-test_tls13hrr.t ................. skipped: test_tls13hrr needs the sock feature enabled 70-test_tls13kexmodes.t ............ skipped: test_tls13kexmodes needs the sock feature enabled 70-test_tls13messages.t ............ skipped: test_tls13messages needs the sock feature enabled 70-test_tls13psk.t ................. skipped: test_tls13psk needs the sock feature enabled 70-test_tlsextms.t ................. skipped: test_tlsextms needs the sock feature enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok Label not found for "last SKIP" at /usr/share/perl/5.30/Test/More.pm line 1372. # Looks like your test exited with 1 just after 5.80-test_cmp_http.t ................. Dubious, test returned 1 (wstat 256, 0x100) All 5 subtests passed (less 5 skipped subtests: 0 okay) # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... skipped: No DTLS protocols are supported by this OpenSSL build 80-test_dtls_mtu.t ................. skipped: test_dtls_mtu needs DTLS and PSK support enabled 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 256 Tests: 5 Failed: 0) Non-zero exit status: 1 Files=231, Tests=3074, 827 wallclock secs (11.07 usr 1.33 sys + 755.06 cusr 79.68 csys = 847.14 CPU) Result: FAIL make[1]: *** [Makefile:3264: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-sock' make: *** [Makefile:3261: tests] Error 2 From tmraz at fedoraproject.org Tue Feb 9 12:41:24 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Tue, 09 Feb 2021 12:41:24 +0000 Subject: [openssl] master update Message-ID: <1612874484.916309.2420.nullmailer@dev.openssl.org> The branch master has been updated via 4d2a6159db1060ca38a3808cfa60bac46737c670 (commit) from 604b86d8d360e36fc2fc0d1611d05bf38699d297 (commit) - Log ----------------------------------------------------------------- commit 4d2a6159db1060ca38a3808cfa60bac46737c670 Author: Tomas Mraz Date: Thu Feb 4 19:25:44 2021 +0100 Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() The functions are obsolete aliases for BN_rand() and BN_rand_range() since 1.1.0. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14080) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 6 ++++++ crypto/bn/bn_rand.c | 2 ++ doc/man3/BN_rand.pod | 15 +++++++++------ include/openssl/bn.h | 4 ++++ test/ec_internal_test.c | 4 ++-- util/libcrypto.num | 4 ++-- 6 files changed, 25 insertions(+), 10 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 7c934935eb..318cce84fc 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -40,6 +40,12 @@ OpenSSL 3.0 *Rich Salz* + * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range() + functions. They are identical to BN_rand() and BN_rand_range() + respectively. + + *Tom?? Mr?z* + * Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex(). diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index c6dd6e8814..3068c28710 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -217,6 +217,7 @@ int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range) return bnrand_range(PRIVATE, r, range, NULL); } +# ifndef OPENSSL_NO_DEPRECATED_3_0 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { return BN_rand(rnd, bits, top, bottom); @@ -226,6 +227,7 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) { return BN_rand_range(r, range); } +# endif #endif /* diff --git a/doc/man3/BN_rand.pod b/doc/man3/BN_rand.pod index 01c3ff4dd1..38ef8f47f0 100644 --- a/doc/man3/BN_rand.pod +++ b/doc/man3/BN_rand.pod @@ -17,14 +17,17 @@ BN_pseudo_rand_range int BN_priv_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, BN_CTX *ctx); int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom); - int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); - int BN_rand_range_ex(BIGNUM *rnd, BIGNUM *range, BN_CTX *ctx); int BN_rand_range(BIGNUM *rnd, BIGNUM *range); int BN_priv_rand_range_ex(BIGNUM *rnd, BIGNUM *range, BN_CTX *ctx); int BN_priv_rand_range(BIGNUM *rnd, BIGNUM *range); +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +OPENSSL_API_COMPAT with a suitable version value, see +openssl_user_macros(7): + + int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); =head1 DESCRIPTION @@ -93,13 +96,13 @@ L Starting with OpenSSL release 1.1.0, BN_pseudo_rand() has been identical to BN_rand() and BN_pseudo_rand_range() has been identical to BN_rand_range(). -The "pseudo" functions should not be used and may be deprecated in -a future release. +The BN_pseudo_rand() and BN_pseudo_rand_range() functions were +deprecated in OpenSSL 3.0. =item * -The -BN_priv_rand() and BN_priv_rand_range() functions were added in OpenSSL 1.1.1. +The BN_priv_rand() and BN_priv_rand_range() functions were added in +OpenSSL 1.1.1. =item * diff --git a/include/openssl/bn.h b/include/openssl/bn.h index 39383f8509..1e4b27bf02 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -222,8 +222,12 @@ int BN_rand_range_ex(BIGNUM *r, const BIGNUM *range, BN_CTX *ctx); int BN_rand_range(BIGNUM *rnd, const BIGNUM *range); int BN_priv_rand_range_ex(BIGNUM *r, const BIGNUM *range, BN_CTX *ctx); int BN_priv_rand_range(BIGNUM *rnd, const BIGNUM *range); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); +OSSL_DEPRECATEDIN_3_0 int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); +# endif int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG l); int BN_security_bits(int L, int N); diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c index d3db698467..345ce199c5 100644 --- a/test/ec_internal_test.c +++ b/test/ec_internal_test.c @@ -38,8 +38,8 @@ static int group_field_tests(const EC_GROUP *group, BN_CTX *ctx) || !TEST_true(group->meth->field_inv(group, b, BN_value_one(), ctx)) || !TEST_true(BN_is_one(b)) /* (1/a)*a = 1 */ - || !TEST_true(BN_pseudo_rand(a, BN_num_bits(group->field) - 1, - BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + || !TEST_true(BN_rand(a, BN_num_bits(group->field) - 1, + BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) || !TEST_true(group->meth->field_inv(group, b, a, ctx)) || (group->meth->field_encode && !TEST_true(group->meth->field_encode(group, a, a, ctx))) diff --git a/util/libcrypto.num b/util/libcrypto.num index f72749f062..226e496fc9 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -2423,7 +2423,7 @@ EC_POINT_get_Jprojective_coordinates_GFp 2473 3_0_0 EXIST::FUNCTION:DEPRECATEDIN EVP_aes_128_cbc_hmac_sha256 2474 3_0_0 EXIST::FUNCTION: i2d_PKCS7_SIGNED 2475 3_0_0 EXIST::FUNCTION: TS_VERIFY_CTX_set_data 2476 3_0_0 EXIST::FUNCTION:TS -BN_pseudo_rand_range 2477 3_0_0 EXIST::FUNCTION: +BN_pseudo_rand_range 2477 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509V3_EXT_add_nconf 2478 3_0_0 EXIST::FUNCTION: EVP_CIPHER_CTX_ctrl 2479 3_0_0 EXIST::FUNCTION: ASN1_T61STRING_it 2480 3_0_0 EXIST::FUNCTION: @@ -3435,7 +3435,7 @@ X509_check_host 3506 3_0_0 EXIST::FUNCTION: PEM_read_ECPKParameters 3507 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO X509_ATTRIBUTE_get0_data 3508 3_0_0 EXIST::FUNCTION: CMS_add1_signer 3509 3_0_0 EXIST::FUNCTION:CMS -BN_pseudo_rand 3510 3_0_0 EXIST::FUNCTION: +BN_pseudo_rand 3510 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 d2i_DIRECTORYSTRING 3511 3_0_0 EXIST::FUNCTION: d2i_ASN1_PRINTABLE 3512 3_0_0 EXIST::FUNCTION: EVP_PKEY_add1_attr_by_NID 3513 3_0_0 EXIST::FUNCTION: From tmraz at fedoraproject.org Tue Feb 9 12:45:38 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Tue, 09 Feb 2021 12:45:38 +0000 Subject: [openssl] master update Message-ID: <1612874738.991711.16735.nullmailer@dev.openssl.org> The branch master has been updated via 93b39c85c9bbf4b40d3cc2486a0ecac50422b2f3 (commit) from 4d2a6159db1060ca38a3808cfa60bac46737c670 (commit) - Log ----------------------------------------------------------------- commit 93b39c85c9bbf4b40d3cc2486a0ecac50422b2f3 Author: Tomas Mraz Date: Thu Feb 4 18:40:33 2021 +0100 CHANGES.md: Mention RSA key generation slowdown related changes Fixes #14068 Reviewed-by: Kurt Roeckx Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14073) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 18 +++++++++++++++++- doc/man3/BN_generate_prime.pod | 3 +++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 318cce84fc..380cd07886 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -52,7 +52,23 @@ OpenSSL 3.0 *Tom?? Mr?z* - * Deprecate EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() + * The default key generation method for the regular 2-prime RSA keys was + changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with + Conditions Based on Auxiliary Probable Primes). This method is slower + than the original method. + + *Shane Lontis* + + * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions. + They are replaced with the BN_check_prime() function that avoids possible + misuse and always uses at least 64 rounds of the Miller-Rabin + primality test. At least 64 rounds of the Miller-Rabin test are now also + used for all prime generation, including RSA key generation. + This increases key generation time, especially for larger keys. + + *Kurt Roeckx* + + * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() as they are not useful with non-deprecated functions. *Rich Salz* diff --git a/doc/man3/BN_generate_prime.pod b/doc/man3/BN_generate_prime.pod index 6b2ca3baab..288969c525 100644 --- a/doc/man3/BN_generate_prime.pod +++ b/doc/man3/BN_generate_prime.pod @@ -233,6 +233,9 @@ L =head1 HISTORY +The BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions were +deprecated in OpenSSL 3.0. + The BN_GENCB_new(), BN_GENCB_free(), and BN_GENCB_get_arg() functions were added in OpenSSL 1.1.0. From no-reply at appveyor.com Tue Feb 9 13:13:58 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 09 Feb 2021 13:13:58 +0000 Subject: Build failed: openssl master.39719 Message-ID: <20210209131358.1.5FD9742F63F1D665@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Feb 9 13:47:33 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 09 Feb 2021 13:47:33 +0000 Subject: Build failed: openssl master.39720 Message-ID: <20210209134733.1.223505A0C76BE2BD@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Tue Feb 9 14:18:45 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Tue, 09 Feb 2021 14:18:45 +0000 Subject: [openssl] master update Message-ID: <1612880325.177098.31238.nullmailer@dev.openssl.org> The branch master has been updated via 990a15fe73b059d78d06c351e902115a30f02e70 (commit) via 579262af1442e4126677495b3a488490f2c3f082 (commit) from 93b39c85c9bbf4b40d3cc2486a0ecac50422b2f3 (commit) - Log ----------------------------------------------------------------- commit 990a15fe73b059d78d06c351e902115a30f02e70 Author: Dr. David von Oheimb Date: Mon Feb 8 08:17:23 2021 +0100 x509_vfy: Clarify relevance of ctx->error also on successful verification Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14127) commit 579262af1442e4126677495b3a488490f2c3f082 Author: Dr. David von Oheimb Date: Mon Feb 8 08:12:15 2021 +0100 x509_vfy.c: Fix various coding style and documentation style nits Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14127) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 22 +++++++++--------- doc/man3/X509_STORE_CTX_get_error.pod | 43 +++++++++++++++++++---------------- doc/man3/X509_verify_cert.pod | 4 +++- 3 files changed, 37 insertions(+), 32 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index d55808e524..dc64b34ec8 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -122,7 +122,7 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) /* Look for exact match */ for (i = 0; i < sk_X509_num(certs); i++) { xtmp = sk_X509_value(certs, i); - if (!X509_cmp(xtmp, x)) + if (X509_cmp(xtmp, x) == 0) break; xtmp = NULL; } @@ -232,7 +232,7 @@ static int verify_chain(X509_STORE_CTX *ctx) #endif /* If we get this far evaluate policies */ - if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK) + if ((ctx->param->flags & X509_V_FLAG_POLICY_CHECK) != 0) ok = ctx->check_policy(ctx); return ok; } @@ -816,12 +816,13 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) * the chain is PKIX trusted. */ if (num_untrusted < num) { - if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) + if ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) != 0) goto trusted; return X509_TRUST_UNTRUSTED; } - if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { + if (num_untrusted == num + && (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) != 0) { /* * Last-resort call with no new trusted certificates, check the leaf * for a direct trust store match. @@ -1744,7 +1745,7 @@ static int internal_verify(X509_STORE_CTX *ctx) */ if (xi != NULL && (xs != xi - || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) + || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) != 0 && (xi->ex_flags & EXFLAG_SS) != 0))) { EVP_PKEY *pkey; /* @@ -1936,7 +1937,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) EVP_PKEY *ktmp = NULL, *ktmp2; int i, j; - if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) + if (pkey != NULL && !EVP_PKEY_missing_parameters(pkey)) return 1; for (i = 0; i < sk_X509_num(chain); i++) { @@ -2176,7 +2177,6 @@ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) * application can set: if they aren't set then we use the default of SSL * client/server. */ - int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust) { @@ -2958,7 +2958,7 @@ static int build_chain(X509_STORE_CTX *ctx) * and alternate chains are not disabled, try building an alternate chain * if no luck with untrusted first. */ - search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0; + search = ctx->untrusted != NULL ? S_DOUNTRUSTED : 0; if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) { if (search == 0 || (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) != 0) search |= S_DOTRUSTED; @@ -3054,7 +3054,7 @@ static int build_chain(X509_STORE_CTX *ctx) } curr = sk_X509_value(ctx->chain, i - 1); - ok = depth < num ? 0 : get_issuer(&issuer, ctx, curr); + ok = num > depth ? 0 : get_issuer(&issuer, ctx, curr); if (ok < 0) { trust = X509_TRUST_REJECTED; @@ -3191,7 +3191,7 @@ static int build_chain(X509_STORE_CTX *ctx) if (!ossl_assert(num == ctx->num_untrusted)) goto int_err; curr = sk_X509_value(ctx->chain, num - 1); - issuer = (self_signed || depth < num) ? + issuer = (self_signed || num > depth) ? NULL : find_issuer(ctx, sk_untrusted, curr); if (issuer == NULL) { /* @@ -3208,7 +3208,7 @@ static int build_chain(X509_STORE_CTX *ctx) /* Drop this issuer from future consideration */ (void)sk_X509_delete_ptr(sk_untrusted, issuer); - if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF)) + if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF)) goto int_err; ++ctx->num_untrusted; diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod index 8d0e2ad2dc..91e65f4af6 100644 --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -31,26 +31,28 @@ These functions are typically called after certificate or chain verification using L or L has indicated an error or in a verification callback to determine the nature of an error. -X509_STORE_CTX_get_error() returns the error code of B, see -the B section for a full description of all error codes. +X509_STORE_CTX_get_error() returns the error code of I. +See the L section for a full description of all error codes. +It may return a code != X509_V_OK even if X509_verify_cert() did not indicate +an error, likely because a verification callback function has waived the error. -X509_STORE_CTX_set_error() sets the error code of B to B. For example +X509_STORE_CTX_set_error() sets the error code of I to I. For example it might be used in a verification callback to set an error based on additional checks. -X509_STORE_CTX_get_error_depth() returns the B of the error. This is a +X509_STORE_CTX_get_error_depth() returns the I of the error. This is a nonnegative integer representing where in the certificate chain the error occurred. If it is zero it occurred in the end entity certificate, one if it is the certificate which signed the end entity certificate and so on. -X509_STORE_CTX_set_error_depth() sets the error B. +X509_STORE_CTX_set_error_depth() sets the error I. This can be used in combination with X509_STORE_CTX_set_error() to set the depth at which an error condition was detected. -X509_STORE_CTX_get_current_cert() returns the certificate in B which -caused the error or B if no certificate is relevant. +X509_STORE_CTX_get_current_cert() returns the certificate in I which +caused the error or NULL if no certificate is relevant. -X509_STORE_CTX_set_current_cert() sets the certificate B in B which +X509_STORE_CTX_set_current_cert() sets the certificate I in I which caused the error. This value is not intended to remain valid for very long, and remains owned by the caller. @@ -63,17 +65,17 @@ Once such a I certificate is no longer needed it can be freed with L. X509_STORE_CTX_get0_cert() retrieves an internal pointer to the -certificate being verified by the B. +certificate being verified by the I. X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous verification is successful. Otherwise the returned chain may be incomplete or -invalid. The returned chain persists after the B structure is freed, -when it is no longer needed it should be free up using: +invalid. The returned chain persists after the I structure is freed. +When it is no longer needed it should be free up using: sk_X509_pop_free(chain, X509_free); X509_verify_cert_error_string() returns a human readable error string for -verification error B. +verification error I. =head1 RETURN VALUES @@ -82,10 +84,10 @@ X509_STORE_CTX_get_error() returns B or an error code. X509_STORE_CTX_get_error_depth() returns a nonnegative error depth. X509_STORE_CTX_get_current_cert() returns the certificate which caused the -error or B if no certificate is relevant to the error. +error or NULL if no certificate is relevant to the error. X509_verify_cert_error_string() returns a human readable error string for -verification error B. +verification error I. =head1 ERROR CODES @@ -163,12 +165,12 @@ The CRL has expired. =item B -The certificate B field contains an invalid time. +The certificate C field contains an invalid time. =item B -The certificate B field contains an invalid time. +The certificate C field contains an invalid time. =item B @@ -178,7 +180,7 @@ The CRL B field contains an invalid time. =item B -The CRL B field contains an invalid time. +The CRL C field contains an invalid time. =item B @@ -261,7 +263,7 @@ Not used as of OpenSSL 1.1.0. =item B -The current candidate issuer certificate was rejected because its B +The current candidate issuer certificate was rejected because its C extension does not permit certificate signing. Not used as of OpenSSL 1.1.0. @@ -359,7 +361,8 @@ certificates. =item B -Proxy certificates not allowed unless the B<-allow_proxy_certs> option is used. +Proxy certificates not allowed unless the B flag +is set. =item B @@ -449,7 +452,7 @@ The above functions should be used instead of directly referencing the fields in the B structure. In versions of OpenSSL before 1.0 the current certificate returned by -X509_STORE_CTX_get_current_cert() was never B. Applications should +X509_STORE_CTX_get_current_cert() was never NULL. Applications should check the return value before printing out any debugging information relating to the current certificate. diff --git a/doc/man3/X509_verify_cert.pod b/doc/man3/X509_verify_cert.pod index 13854f5ed6..2f9cfa3858 100644 --- a/doc/man3/X509_verify_cert.pod +++ b/doc/man3/X509_verify_cert.pod @@ -49,7 +49,9 @@ otherwise they return 0, and in exceptional circumstances (such as malloc failure and internal errors) they can also return a negative code. On error or failure additional error information can be obtained by -examining I using, for example, L. +examining I using, for example, L. Even if +verification indicated success, the stored error code may be different from +X509_V_OK, likely because a verification callback function has waived the error. =head1 SEE ALSO From dev at ddvo.net Tue Feb 9 14:48:55 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Tue, 09 Feb 2021 14:48:55 +0000 Subject: [openssl] master update Message-ID: <1612882135.318935.23174.nullmailer@dev.openssl.org> The branch master has been updated via 7e365d51a1ac7f092b7c2e459332051126f76d72 (commit) via 364246a986cd08e6b2b0e9ab8043ed2e2c505026 (commit) from 990a15fe73b059d78d06c351e902115a30f02e70 (commit) - Log ----------------------------------------------------------------- commit 7e365d51a1ac7f092b7c2e459332051126f76d72 Author: Dr. David von Oheimb Date: Sat Feb 6 22:41:40 2021 +0100 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) Also simplify first part of verify_chain() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14095) commit 364246a986cd08e6b2b0e9ab8043ed2e2c505026 Author: Dr. David von Oheimb Date: Mon Feb 8 07:31:11 2021 +0100 X509_get_pubkey_parameters(): Correct failure behavior and its use Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14095) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 202 ++++++++++++++++++++++++------------------ doc/man3/X509_verify_cert.pod | 14 ++- 2 files changed, 126 insertions(+), 90 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index dc64b34ec8..c3b0ba934a 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -106,19 +106,23 @@ int X509_self_signed(X509 *cert, int verify_signature) return X509_verify(cert, pkey); } -/* Given a certificate try and find an exact match in the store */ -static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) +/* + * Given a certificate, try and find an exact match in the store. + * Returns 1 on success, 0 on not found, -1 on internal error. + */ +static int lookup_cert_match(X509 **result, X509_STORE_CTX *ctx, X509 *x) { STACK_OF(X509) *certs; X509 *xtmp = NULL; - int i; + int i, ret; + *result = NULL; /* Lookup all certs with matching subject name */ ERR_set_mark(); certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); ERR_pop_to_mark(); if (certs == NULL) - return NULL; + return -1; /* Look for exact match */ for (i = 0; i < sk_X509_num(certs); i++) { xtmp = sk_X509_value(certs, i); @@ -126,10 +130,15 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) break; xtmp = NULL; } - if (xtmp != NULL && !X509_up_ref(xtmp)) - xtmp = NULL; + ret = xtmp != NULL; + if (ret) { + if (!X509_up_ref(xtmp)) + ret = -1; + else + *result = xtmp; + } sk_X509_pop_free(certs, X509_free); - return xtmp; + return ret; } /*- @@ -194,22 +203,19 @@ static int check_auth_level(X509_STORE_CTX *ctx) return 1; } +/* Returns -1 on internal error */ static int verify_chain(X509_STORE_CTX *ctx) { int err; int ok; - /* - * Before either returning with an error, or continuing with CRL checks, - * instantiate chain public key parameters. - */ - if ((ok = build_chain(ctx)) == 0 || - (ok = check_chain(ctx)) == 0 || - (ok = check_auth_level(ctx)) == 0 || - (ok = check_id(ctx)) == 0 || 1) - X509_get_pubkey_parameters(NULL, ctx->chain); - if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0) - return 0; + if ((ok = build_chain(ctx)) <= 0 + || (ok = check_chain(ctx)) <= 0 + || (ok = check_auth_level(ctx)) <= 0 + || (ok = check_id(ctx)) <= 0 + || (ok = X509_get_pubkey_parameters(NULL, ctx->chain) ? 1 : -1) <= 0 + || (ok = ctx->check_revocation(ctx)) <= 0) + return ok; err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, ctx->param->flags); @@ -217,18 +223,18 @@ static int verify_chain(X509_STORE_CTX *ctx) /* Verify chain signatures and expiration times */ ok = ctx->verify != NULL ? ctx->verify(ctx) : internal_verify(ctx); - if (!ok) - return 0; + if (ok <= 0) + return ok; - if ((ok = check_name_constraints(ctx)) == 0) - return 0; + if ((ok = check_name_constraints(ctx)) <= 0) + return ok; #ifndef OPENSSL_NO_RFC3779 /* RFC 3779 path validation, now that CRL check has been done */ - if ((ok = X509v3_asid_validate_path(ctx)) == 0) - return 0; - if ((ok = X509v3_addr_validate_path(ctx)) == 0) - return 0; + if ((ok = X509v3_asid_validate_path(ctx)) <= 0) + return ok; + if ((ok = X509v3_addr_validate_path(ctx)) <= 0) + return ok; #endif /* If we get this far evaluate policies */ @@ -336,28 +342,32 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer) return x509_likely_issued(issuer, x) == X509_V_OK; } -/* Alternative lookup method: look from a STACK stored in other_ctx */ +/* + * Alternative lookup method: look from a STACK stored in other_ctx. + * Returns -1 on internal error. + */ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); - if (*issuer != NULL && X509_up_ref(*issuer)) - return 1; - - *issuer = NULL; + if (*issuer != NULL) + return X509_up_ref(*issuer) ? 1 : -1; return 0; } +/* Returns NULL on internal error (such as out of memory) */ static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm) { - STACK_OF(X509) *sk = NULL; + STACK_OF(X509) *sk = sk_X509_new_null(); X509 *x; int i; + if (sk == NULL) + return NULL; for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) { x = sk_X509_value(ctx->other_ctx, i); if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) { - if (!X509_add_cert_new(&sk, x, X509_ADD_FLAG_UP_REF)) { + if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) { sk_X509_pop_free(sk, X509_free); ctx->error = X509_V_ERR_OUT_OF_MEM; return NULL; @@ -370,6 +380,7 @@ static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, /* * Check EE or CA certificate purpose. For trusted certificates explicit local * auxiliary trust can be used to override EKU-restrictions. + * Sadly, returns 0 also on internal error. */ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, int must_be_ca) @@ -418,7 +429,10 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE); } -/* Check extensions of a cert chain for consistency with the supplied purpose */ +/* + * Check extensions of a cert chain for consistency with the supplied purpose. + * Sadly, returns 0 also on internal error. + */ static int check_chain(X509_STORE_CTX *ctx) { int i, must_be_ca, plen = 0; @@ -600,7 +614,7 @@ static int has_san_id(X509 *x, int gtype) GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); if (gs == NULL) - return 0; + return -1; for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) { GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i); @@ -614,6 +628,7 @@ static int has_san_id(X509 *x, int gtype) return ret; } +/* Returns -1 on internal error */ static int check_name_constraints(X509_STORE_CTX *ctx) { int i; @@ -676,7 +691,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) if (tmpsubject == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; + return -1; } tmpentry = X509_NAME_delete_entry(tmpsubject, last_loc); @@ -705,6 +720,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) if (nc) { int rv = NAME_CONSTRAINTS_check(x, nc); + int ret = 1; /* If EE certificate check commonName too */ if (rv == X509_V_OK && i == 0 @@ -712,14 +728,16 @@ static int check_name_constraints(X509_STORE_CTX *ctx) & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0 && ((ctx->param->hostflags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0 - || !has_san_id(x, GEN_DNS))) + || (ret = has_san_id(x, GEN_DNS)) == 0)) rv = NAME_CONSTRAINTS_check_CN(x, nc); + if (ret < 0) + return ret; switch (rv) { case X509_V_OK: break; case X509_V_ERR_OUT_OF_MEM: - return 0; + return -1; default: CB_FAIL_IF(1, ctx, x, i, rv); break; @@ -774,9 +792,10 @@ static int check_id(X509_STORE_CTX *ctx) return 1; } +/* Returns -1 on internal error */ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) { - int i; + int i, res; X509 *x = NULL; X509 *mx; SSL_DANE *dane = ctx->dane; @@ -788,11 +807,9 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) * match, we're done, otherwise we'll merely record the match depth. */ if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) { - switch (trust = check_dane_issuer(ctx, num_untrusted)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: + trust = check_dane_issuer(ctx, num_untrusted); + if (trust != X509_TRUST_UNTRUSTED) return trust; - } } /* @@ -829,7 +846,9 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) */ i = 0; x = sk_X509_value(ctx->chain, i); - mx = lookup_cert_match(ctx, x); + res = lookup_cert_match(&mx, ctx, x); + if (res < 0) + return res; if (mx == NULL) return X509_TRUST_UNTRUSTED; @@ -871,6 +890,7 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) return X509_TRUST_UNTRUSTED; } +/* Sadly, returns 0 also on internal error. */ static int check_revocation(X509_STORE_CTX *ctx) { int i = 0, last = 0, ok = 0; @@ -894,6 +914,7 @@ static int check_revocation(X509_STORE_CTX *ctx) return 1; } +/* Sadly, returns 0 also on internal error. */ static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; @@ -1608,21 +1629,15 @@ static int check_policy(X509_STORE_CTX *ctx) * was verified via a bare public key, and pop it off right after the * X509_policy_check() call. */ - if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) { - ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } + if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) + goto memerr; ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); if (ctx->bare_ta_signed) (void)sk_X509_pop(ctx->chain); - if (ret == X509_PCY_TREE_INTERNAL) { - ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } + if (ret == X509_PCY_TREE_INTERNAL) + goto memerr; /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { int i; @@ -1659,6 +1674,11 @@ static int check_policy(X509_STORE_CTX *ctx) } return 1; + + memerr: + ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + return -1; } /*- @@ -1694,7 +1714,10 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) return 1; } -/* verify the issuer signatures and cert times of ctx->chain */ +/* + * Verify the issuer signatures and cert times of ctx->chain. + * Sadly, returns 0 also on internal error. + */ static int internal_verify(X509_STORE_CTX *ctx) { int n = sk_X509_num(ctx->chain) - 1; @@ -1932,6 +1955,7 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, return ASN1_TIME_adj(s, t, offset_day, offset_sec); } +/* Copy any missing public key parameters up the chain towards pkey */ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) { EVP_PKEY *ktmp = NULL, *ktmp2; @@ -1948,6 +1972,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) } if (!EVP_PKEY_missing_parameters(ktmp)) break; + ktmp = NULL; } if (ktmp == NULL) { ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); @@ -1957,15 +1982,19 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) /* first, populate the other certs */ for (j = i - 1; j >= 0; j--) { ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j)); - EVP_PKEY_copy_parameters(ktmp2, ktmp); + if (!EVP_PKEY_copy_parameters(ktmp2, ktmp)) + return 0; } if (pkey != NULL) - EVP_PKEY_copy_parameters(pkey, ktmp); + return EVP_PKEY_copy_parameters(pkey, ktmp); return 1; } -/* Make a delta CRL as the difference between two full CRLs */ +/* + * Make a delta CRL as the difference between two full CRLs. + * Sadly, returns NULL also on internal error. + */ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey, const EVP_MD *md, unsigned int flags) { @@ -2629,6 +2658,7 @@ static unsigned char *dane_i2d(X509 *cert, uint8_t selector, #define DANETLS_NONE 256 /* impossible uint8_t */ +/* Returns -1 on internal error */ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) { SSL_DANE *dane = ctx->dane; @@ -2771,6 +2801,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) return matched; } +/* Returns -1 on internal error */ static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) { SSL_DANE *dane = ctx->dane; @@ -2787,7 +2818,7 @@ static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) */ cert = sk_X509_value(ctx->chain, depth); if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0) - return X509_TRUST_REJECTED; + return matched; if (matched > 0) { ctx->num_untrusted = depth - 1; return X509_TRUST_TRUSTED; @@ -2851,6 +2882,7 @@ static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert) return 1; } +/* Returns -1 on internal error */ static int dane_verify(X509_STORE_CTX *ctx) { X509 *cert = ctx->cert; @@ -2875,8 +2907,8 @@ static int dane_verify(X509_STORE_CTX *ctx) matched = dane_match(ctx, ctx->cert, 0); done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0); - if (done) - X509_get_pubkey_parameters(NULL, ctx->chain); + if (done && !X509_get_pubkey_parameters(NULL, ctx->chain)) + return -1; if (matched > 0) { /* Callback invoked as needed */ @@ -2913,7 +2945,10 @@ static int dane_verify(X509_STORE_CTX *ctx) return verify_chain(ctx); } -/* Get issuer, without duplicate suppression */ +/* + * Get issuer, without duplicate suppression + * Returns -1 on internal error. + */ static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) { STACK_OF(X509) *saved_chain = ctx->chain; @@ -2926,6 +2961,7 @@ static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) return ok; } +/* Returns -1 on internal error */ static int build_chain(X509_STORE_CTX *ctx) { SSL_DANE *dane = ctx->dane; @@ -2972,11 +3008,8 @@ static int build_chain(X509_STORE_CTX *ctx) * typically the content of the peer's certificate message) so can make * multiple passes over it, while free to remove elements as we go. */ - if ((sk_untrusted = sk_X509_dup(ctx->untrusted)) == NULL) { - ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } + if ((sk_untrusted = sk_X509_dup(ctx->untrusted)) == NULL) + goto memerr; /* * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add @@ -2989,15 +3022,11 @@ static int build_chain(X509_STORE_CTX *ctx) * this to change. ] */ if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL) { - ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } + if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL) + goto memerr; if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) { sk_X509_free(sk_untrusted); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; + goto memerr; } } @@ -3057,7 +3086,7 @@ static int build_chain(X509_STORE_CTX *ctx) ok = num > depth ? 0 : get_issuer(&issuer, ctx, curr); if (ok < 0) { - trust = X509_TRUST_REJECTED; + trust = -1; ctx->error = X509_V_ERR_STORE_LOOKUP; break; } @@ -3079,11 +3108,8 @@ static int build_chain(X509_STORE_CTX *ctx) */ if ((search & S_DOALTERNATE) != 0) { if (!ossl_assert(num > i && i > 0 && !self_signed)) { - ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); X509_free(issuer); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_UNSPECIFIED; - break; + goto int_err; } search &= ~S_DOALTERNATE; for (; num > i; --num) @@ -3111,10 +3137,7 @@ static int build_chain(X509_STORE_CTX *ctx) goto int_err; if (!sk_X509_push(ctx->chain, curr)) { X509_free(issuer); - ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_OUT_OF_MEM; - break; + goto memerr; } } else if (num == ctx->num_untrusted) { /* @@ -3154,8 +3177,7 @@ static int build_chain(X509_STORE_CTX *ctx) goto int_err; search &= ~S_DOUNTRUSTED; trust = check_trust(ctx, num); - if (trust == X509_TRUST_TRUSTED - || trust == X509_TRUST_REJECTED) + if (trust != X509_TRUST_UNTRUSTED) break; if (!self_signed) continue; @@ -3224,6 +3246,9 @@ static int build_chain(X509_STORE_CTX *ctx) } sk_X509_free(sk_untrusted); + if (trust < 0) /* internal error */ + return trust; + /* * Last chance to make a trusted chain, either bare DANE-TA public-key * signers, or else direct leaf PKIX trust. @@ -3265,7 +3290,12 @@ static int build_chain(X509_STORE_CTX *ctx) sk_X509_free(sk_untrusted); ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ctx->error = X509_V_ERR_UNSPECIFIED; - return 0; + return -1; + + memerr: + ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + return -1; } static const int minbits_table[] = { 80, 112, 128, 192, 256 }; diff --git a/doc/man3/X509_verify_cert.pod b/doc/man3/X509_verify_cert.pod index 2f9cfa3858..deb6b15869 100644 --- a/doc/man3/X509_verify_cert.pod +++ b/doc/man3/X509_verify_cert.pod @@ -33,10 +33,11 @@ SSL/TLS code. A negative return value from X509_verify_cert() can occur if it is invoked incorrectly, such as with no certificate set in I, or when it is called twice in succession without reinitialising I for the second call. -A negative return value can also happen due to internal resource problems or if -a retry operation is requested during internal lookups (which never happens -with standard lookup methods). -Applications must check for <= 0 return value on error. +A negative return value can also happen due to internal resource problems +or because an internal inconsistency has been detected +or if a retry operation is requested during internal lookups +(which never happens with standard lookup methods). +Applications must interpret any return value <= 0 as an error. The X509_STORE_CTX_verify() behaves like X509_verify_cert() except that its target certificate is the first element of the list of untrusted certificates @@ -48,6 +49,11 @@ Both functions return 1 if a complete chain can be built and validated, otherwise they return 0, and in exceptional circumstances (such as malloc failure and internal errors) they can also return a negative code. +If a complete chain can be built and validated both functions return 1. +If the certificate must be rejected on the basis of the data available +or any required certificate status data is not available they return 0. +If no definite answer possible they usually return a negative code. + On error or failure additional error information can be obtained by examining I using, for example, L. Even if verification indicated success, the stored error code may be different from From openssl at openssl.org Tue Feb 9 21:51:14 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 09 Feb 2021 21:51:14 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 Message-ID: <1612907474.598552.3782712.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 839 wallclock secs (12.60 usr 1.48 sys + 751.69 cusr 87.51 csys = 853.28 CPU) Result: FAIL make[1]: *** [Makefile:3267: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2' make: *** [Makefile:3264: tests] Error 2 From openssl at openssl.org Tue Feb 9 22:41:07 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 09 Feb 2021 22:41:07 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1612910467.157231.3888672.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80B1FD3E2D7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3305: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80B1FD3E2D7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/5zhIPDye_d default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8071C77EA97F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8071C77EA97F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8071C77EA97F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8071C77EA97F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8071C77EA97F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8071C77EA97F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/5zhIPDye_d fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 894 wallclock secs (14.75 usr 1.57 sys + 797.56 cusr 95.95 csys = 909.83 CPU) Result: FAIL make[1]: *** [Makefile:3273: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3270: tests] Error 2 From openssl at openssl.org Wed Feb 10 00:20:53 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 10 Feb 2021 00:20:53 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method Message-ID: <1612916453.086165.4096808.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 862 wallclock secs (12.65 usr 1.32 sys + 775.66 cusr 87.39 csys = 877.02 CPU) Result: FAIL make[1]: *** [Makefile:3266: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method' make: *** [Makefile:3263: tests] Error 2 From shane.lontis at oracle.com Wed Feb 10 00:33:42 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Wed, 10 Feb 2021 00:33:42 +0000 Subject: [openssl] master update Message-ID: <1612917222.381487.24324.nullmailer@dev.openssl.org> The branch master has been updated via 8a686bdb3ac7d61b6d5f02b9132c4878ae80a7e5 (commit) from 7e365d51a1ac7f092b7c2e459332051126f76d72 (commit) - Log ----------------------------------------------------------------- commit 8a686bdb3ac7d61b6d5f02b9132c4878ae80a7e5 Author: Shane Lontis Date: Fri Feb 5 17:45:39 2021 +1000 Change the ASN1 variant of x942kdf so that it can test acvp data. This 'special' way of specifying the data should only be used for testing purposes. It should not be used in production environments. ACVP passes a blob of DER encoded data for some of the fields rather than passing them as separate fields that need to be DER encoded. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14077) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_KDF-X942-ASN1.pod | 8 ++++ include/openssl/core_names.h | 1 + providers/implementations/kdfs/x942kdf.c | 69 +++++++++++++++++++-------- test/recipes/30-test_evp_data/evpkdf_x942.txt | 32 +++++++++++++ 4 files changed, 91 insertions(+), 19 deletions(-) diff --git a/doc/man7/EVP_KDF-X942-ASN1.pod b/doc/man7/EVP_KDF-X942-ASN1.pod index 3c5c3077ca..bc19b27508 100644 --- a/doc/man7/EVP_KDF-X942-ASN1.pod +++ b/doc/man7/EVP_KDF-X942-ASN1.pod @@ -34,6 +34,14 @@ These parameters work as described in L. The shared secret used for key derivation. This parameter sets the secret. +=item "acvp-info" (B) + +This value should not be used in production and should only be used for ACVP +testing. It is an optional octet string containing a combined DER encoded blob +of any of the optional fields related to "partyu-info", "partyv-info", +"supp-pubinfo" and "supp-privinfo". If it is specified then none of these other +fields should be used. + =item "partyu-info" (B) An optional octet string containing public info contributed by the initiator. diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 07b95e043b..221d67b823 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -203,6 +203,7 @@ extern "C" { #define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */ #define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */ #define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR "use-separator" /* int */ +#define OSSL_KDF_PARAM_X942_ACVPINFO "acvp-info" #define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info" #define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info" #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index 31a69a096e..ae3ed69201 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -39,6 +39,8 @@ typedef struct { PROV_DIGEST digest; unsigned char *secret; size_t secret_len; + unsigned char *acvpinfo; + size_t acvpinfo_len; unsigned char *partyuinfo, *partyvinfo, *supp_pubinfo, *supp_privinfo; size_t partyuinfo_len, partyvinfo_len, supp_pubinfo_len, supp_privinfo_len; size_t dkm_len; @@ -110,6 +112,7 @@ static int DER_w_keyinfo(WPACKET *pkt, static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen, const unsigned char *der_oid, size_t der_oidlen, + const unsigned char *acvp, size_t acvplen, const unsigned char *partyu, size_t partyulen, const unsigned char *partyv, size_t partyvlen, const unsigned char *supp_pub, size_t supp_publen, @@ -127,6 +130,7 @@ static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen || ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits)) && (partyv == NULL || ossl_DER_w_octet_string(pkt, 1, partyv, partyvlen)) && (partyu == NULL || ossl_DER_w_octet_string(pkt, 0, partyu, partyulen)) + && (acvp == NULL || ossl_DER_w_precompiled(pkt, -1, acvp, acvplen)) && DER_w_keyinfo(pkt, der_oid, der_oidlen, pcounter) && ossl_DER_w_end_sequence(pkt, -1) && WPACKET_finish(pkt); @@ -159,35 +163,40 @@ static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen * } * Where suppPubInfo is the key length (in bits) (stored into 4 bytes) * -} - * * |keylen| is the length (in bytes) of the generated KEK. It is stored into - * suppPubInfo (in bits). It is ignored if the value is 0. + * suppPubInfo (in bits). It is ignored if the value is 0. * |cek_oid| The oid of the key wrapping algorithm. * |cek_oidlen| The length (in bytes) of the key wrapping algorithm oid, - * |partyu| is the optional public info contributed by the initiator. It - * can be NULL. (It is also used as the ukm by CMS). + * |acvp| is the optional blob of DER data representing one or more of the + * OtherInfo fields related to |partyu|, |partyv|, |supp_pub| and |supp_priv|. + * This field should noramlly be NULL. If |acvp| is non NULL then |partyu|, + * |partyv|, |supp_pub| and |supp_priv| should all be NULL. + * |acvp_len| is the |acvp| length (in bytes). + * |partyu| is the optional public info contributed by the initiator. + * It can be NULL. (It is also used as the ukm by CMS). * |partyu_len| is the |partyu| length (in bytes). - * |partyv| is the optional public info contributed by the responder. It - * can be NULL. + * |partyv| is the optional public info contributed by the responder. + * It can be NULL. * |partyv_len| is the |partyv| length (in bytes). - * |supp_pub| is the optional additional, mutually-known public information. It - * can be NULL. |keylen| should be 0 if this is not NULL. + * |supp_pub| is the optional additional, mutually-known public information. + * It can be NULL. |keylen| should be 0 if this is not NULL. * |supp_pub_len| is the |supp_pub| length (in bytes). - * |supp_priv| is the optional additional, mutually-known private information. It - * can be NULL. + * |supp_priv| is the optional additional, mutually-known private information. + * It can be NULL. * |supp_priv_len| is the |supp_priv| length (in bytes). * |der| is the returned encoded data. It must be freed by the caller. * |der_len| is the returned size of the encoded data. * |out_ctr| returns a pointer to the counter data which is embedded inside the - * encoded data. This allows the counter bytes to be updated without re-encoding. + * encoded data. This allows the counter bytes to be updated without + * re-encoding. * * Returns: 1 if successfully encoded, or 0 otherwise. * Assumptions: |der|, |der_len| & |out_ctr| are not NULL. */ static int x942_encode_otherinfo(size_t keylen, - const unsigned char *cek_oid, size_t cek_oidlen, + const unsigned char *cek_oid, size_t cek_oid_len, + const unsigned char *acvp, size_t acvp_len, const unsigned char *partyu, size_t partyu_len, const unsigned char *partyv, size_t partyv_len, const unsigned char *supp_pub, size_t supp_pub_len, @@ -207,7 +216,8 @@ x942_encode_otherinfo(size_t keylen, keylen_bits = 8 * keylen; /* Calculate the size of the buffer */ - if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oidlen, + if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oid_len, + acvp, acvp_len, partyu, partyu_len, partyv, partyv_len, supp_pub, supp_pub_len, supp_priv, supp_priv_len, keylen_bits, NULL) @@ -219,7 +229,8 @@ x942_encode_otherinfo(size_t keylen, if (der_buf == NULL) goto err; /* Encode into the buffer */ - if (!der_encode_sharedinfo(&pkt, der_buf, der_buflen, cek_oid, cek_oidlen, + if (!der_encode_sharedinfo(&pkt, der_buf, der_buflen, cek_oid, cek_oid_len, + acvp, acvp_len, partyu, partyu_len, partyv, partyv_len, supp_pub, supp_pub_len, supp_priv, supp_priv_len, keylen_bits, &pcounter)) @@ -262,9 +273,10 @@ static int x942kdf_hash_kdm(const EVP_MD *kdf_md, unsigned char *out = derived_key; EVP_MD_CTX *ctx = NULL, *ctx_init = NULL; - if (z_len > X942KDF_MAX_INLEN || other_len > X942KDF_MAX_INLEN - || derived_key_len > X942KDF_MAX_INLEN - || derived_key_len == 0) { + if (z_len > X942KDF_MAX_INLEN + || other_len > X942KDF_MAX_INLEN + || derived_key_len > X942KDF_MAX_INLEN + || derived_key_len == 0) { ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); return 0; } @@ -336,6 +348,7 @@ static void x942kdf_reset(void *vctx) ossl_prov_digest_reset(&ctx->digest); OPENSSL_clear_free(ctx->secret, ctx->secret_len); + OPENSSL_clear_free(ctx->acvpinfo, ctx->acvpinfo_len); OPENSSL_clear_free(ctx->partyuinfo, ctx->partyuinfo_len); OPENSSL_clear_free(ctx->partyvinfo, ctx->partyvinfo_len); OPENSSL_clear_free(ctx->supp_pubinfo, ctx->supp_pubinfo_len); @@ -399,7 +412,18 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen) ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PUBINFO); return 0; } - + /* + * If the blob of acvp data is used then the individual info fields that it + * replaces should not also be defined. + */ + if (ctx->acvpinfo != NULL + && (ctx->partyuinfo != NULL + || ctx->partyvinfo != NULL + || ctx->supp_pubinfo != NULL + || ctx->supp_privinfo != NULL)) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA); + return 0; + } if (ctx->secret == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); return 0; @@ -424,6 +448,7 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen) /* generate the otherinfo der */ if (!x942_encode_otherinfo(ctx->use_keybits ? ctx->dkm_len : 0, ctx->cek_oid, ctx->cek_oid_len, + ctx->acvpinfo, ctx->acvpinfo_len, ctx->partyuinfo, ctx->partyuinfo_len, ctx->partyvinfo, ctx->partyvinfo_len, ctx->supp_pubinfo, ctx->supp_pubinfo_len, @@ -455,6 +480,11 @@ static int x942kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (p != NULL && !x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p)) return 0; + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_ACVPINFO); + if (p != NULL + && !x942kdf_set_buffer(&ctx->acvpinfo, &ctx->acvpinfo_len, p)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYUINFO); if (p == NULL) p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM); @@ -511,6 +541,7 @@ static const OSSL_PARAM *x942kdf_settable_ctx_params(ossl_unused void *provctx) OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_UKM, NULL, 0), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_ACVPINFO, NULL, 0), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYUINFO, NULL, 0), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYVINFO, NULL, 0), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PUBINFO, NULL, 0), diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt index 88f9dd379d..b695c64f5b 100644 --- a/test/recipes/30-test_evp_data/evpkdf_x942.txt +++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt @@ -83,3 +83,35 @@ Ctrl.hexpartyv-info = hexpartyv-info:fedcba9876543210 Ctrl.hexsupp-pubinfo = hexsupp-pubinfo:12345678 Ctrl.hexsupp-privinfo = hexsupp-privinfo:87654321 Output = 2c5c1f028c6d1fc9ba752e41fdb9edb2ea936f1b2449f214acd56d31 + +Title = X9.42 KDF tests (ACVP test vectors) + +Availablein = default +KDF = X942KDF-ASN1 +Ctrl.digest = digest:SHA256 +Ctrl.hexsecret = hexsecret:6B +Ctrl.use-keybits = use-keybits:0 +Ctrl.cekalg = cekalg:id-smime-alg-CMS3DESwrap +Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC +Output = A7758EC5DA5373C736F1E4CF18A4B6349B23ED86227234185B44638C69EBB222 + +KDF = X942KDF-ASN1 +Ctrl.digest = digest:SHA256 +Ctrl.hexsecret = hexsecret:6B +Ctrl.use-keybits = use-keybits:0 +Ctrl.cekalg = cekalg:id-aes128-wrap +Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC +Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A + +# Negative tests + +# Fail if both acvp and ukm values are specified. +KDF = X942KDF-ASN1 +Ctrl.digest = digest:SHA256 +Ctrl.hexsecret = hexsecret:6B +Ctrl.use-keybits = use-keybits:0 +Ctrl.cekalg = cekalg:id-aes128-wrap +Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC +Ctrl.hexukm = hexukm:012345 +Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A +Result = KDF_DERIVE_ERROR From openssl at openssl.org Wed Feb 10 01:12:28 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 10 Feb 2021 01:12:28 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1612919548.635531.8782.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 64954e2f34 Fix race condition & allow operation cache to grow. 11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target 2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID 5682e77dff Fix the cipher_overhead_test e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg 462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl 54e3efff81 Make sure we don't use sigalgs that are not available 306b8e7e19 Add the nist group names as aliases for the normal TLS group names 3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type 05b4b85d4b Check for availability of ciphersuites at run time a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled 8b1db5d329 Make supported_groups code independent of EC and DH ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh 5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl 9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in 388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider 93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() 93bae03abf dev/release.sh: Fix typo 1e3affbbcd Remove the old DEPRECATEDIN macros e337b82410 ERR: Rebuild all generated error headers and source files b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl bbde856619 RSA: properly generate algorithm identifier for RSA-PSS signatures 26372a4d44 provider-signature.pod: Fix formatting. e60147fe74 Don't make pthreads mutexes recursive. 05f41859dd Switch to BIO_snprintf to avoid missing symbol problems on Windows 76624df15f EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() d82c7f3dba EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions 13e85fb321 EVP: Adapt the other EVP_PKEY_set_xxx_param() functions f4a3799cc4 EVP: Make EVP_PKEY_set_params() increment the dirty count 7dc67708c8 apps/openssl: add -propquery command line option 88444854af x509_vfy.c: Improve coding style and comments all over the file af4d6c26af Remove a DSA related TODO 08cea586c9 Remove some TODO(OpenSSL1.2) references a7246ea645 DH/DHX parameter check using pkeyparam d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack b91a13f429 run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS c87bcdbde4 test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic 03da39a768 apps/cmp.c: check and exit on engine load error acfccbd5ee openssl.pod: Add documentation for using the loader_attic engine 8549b97214 Fix a use after free issue when a provider context is being used and isn't cached Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 803122952F7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3305: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 803122952F7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/DprjbcE9rd default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F1E73D2D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F1E73D2D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F1E73D2D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F1E73D2D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F1E73D2D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F1E73D2D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/DprjbcE9rd fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 892 wallclock secs (14.41 usr 1.37 sys + 799.02 cusr 94.42 csys = 909.22 CPU) Result: FAIL make[1]: *** [Makefile:3261: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3258: tests] Error 2 From pauli at openssl.org Wed Feb 10 02:32:12 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 10 Feb 2021 02:32:12 +0000 Subject: [openssl] master update Message-ID: <1612924332.819440.361.nullmailer@dev.openssl.org> The branch master has been updated via af53092c2b67a8a0b76ae73385414cb1815ea7cc (commit) via a054d15c22c501d33e1382bb09ba80bac08c2738 (commit) via 36978c19a9a5bfd514b1c6f9db66fda4b39ed2c3 (commit) from 8a686bdb3ac7d61b6d5f02b9132c4878ae80a7e5 (commit) - Log ----------------------------------------------------------------- commit af53092c2b67a8a0b76ae73385414cb1815ea7cc Author: Shane Lontis Date: Thu Dec 17 16:42:05 2020 +1000 Replace provider digest flags with separate param fields Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13830) commit a054d15c22c501d33e1382bb09ba80bac08c2738 Author: Shane Lontis Date: Thu Dec 17 16:39:57 2020 +1000 Replace provider cipher flags with separate param fields Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13830) commit 36978c19a9a5bfd514b1c6f9db66fda4b39ed2c3 Author: Shane Lontis Date: Mon Dec 14 14:36:48 2020 +1000 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. Fixes #12992 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13830) ----------------------------------------------------------------------- Summary of changes: crypto/evp/digest.c | 16 +++++--- crypto/evp/evp_lib.c | 44 +++++++++++++++------- doc/man3/EVP_DigestInit.pod | 4 +- doc/man3/EVP_MAC.pod | 15 ++++++-- doc/man7/EVP_MAC-HMAC.pod | 6 ++- doc/man7/EVP_MD-MDC2.pod | 2 +- doc/man7/provider-cipher.pod | 28 ++++++++++---- doc/man7/provider-mac.pod | 11 +++++- include/openssl/core_names.h | 34 ++++++++++------- .../ciphers/cipher_aes_cbc_hmac_sha.c | 7 +--- .../implementations/ciphers/cipher_aes_cts.inc | 8 ++-- providers/implementations/ciphers/cipher_aes_siv.c | 3 +- providers/implementations/ciphers/cipher_aes_siv.h | 1 - providers/implementations/ciphers/cipher_aes_wrp.c | 8 ++-- providers/implementations/ciphers/cipher_aes_xts.c | 11 +----- .../implementations/ciphers/cipher_blowfish.c | 2 +- providers/implementations/ciphers/cipher_cast5.c | 2 +- .../implementations/ciphers/cipher_chacha20.c | 3 +- .../ciphers/cipher_chacha20_poly1305.c | 10 +---- providers/implementations/ciphers/cipher_des.c | 3 +- providers/implementations/ciphers/cipher_des.h | 3 +- providers/implementations/ciphers/cipher_rc2.c | 13 ++++--- providers/implementations/ciphers/cipher_rc4.c | 7 ++-- .../implementations/ciphers/cipher_rc4_hmac_md5.c | 13 +++---- providers/implementations/ciphers/cipher_rc5.c | 10 +++-- providers/implementations/ciphers/cipher_tdes.c | 2 +- providers/implementations/ciphers/cipher_tdes.h | 4 +- .../ciphers/cipher_tdes_default_hw.c | 2 +- .../implementations/ciphers/cipher_tdes_wrap.c | 4 +- providers/implementations/ciphers/ciphercommon.c | 39 +++++++++++++++---- .../implementations/ciphers/ciphercommon_ccm.c | 5 +-- .../implementations/ciphers/ciphercommon_hw.c | 2 +- providers/implementations/digests/digestcommon.c | 14 +++++-- providers/implementations/digests/sha2_prov.c | 22 +++++------ providers/implementations/digests/sha3_prov.c | 10 +++-- .../implementations/include/prov/ciphercommon.h | 23 ++++++++--- .../include/prov/ciphercommon_aead.h | 19 ++++------ .../implementations/include/prov/digestcommon.h | 4 ++ providers/implementations/macs/hmac_prov.c | 38 ++++++++++++++----- 39 files changed, 272 insertions(+), 180 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index e89b591978..40aedae47b 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -830,23 +830,27 @@ static void set_legacy_nid(const char *name, void *vlegacy_nid) static int evp_md_cache_constants(EVP_MD *md) { - int ok; + int ok, xof = 0, algid_absent = 0; size_t blksz = 0; size_t mdsize = 0; - unsigned long flags = 0; - OSSL_PARAM params[4]; + OSSL_PARAM params[5]; params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_BLOCK_SIZE, &blksz); params[1] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &mdsize); - params[2] = OSSL_PARAM_construct_ulong(OSSL_DIGEST_PARAM_FLAGS, &flags); - params[3] = OSSL_PARAM_construct_end(); + params[2] = OSSL_PARAM_construct_int(OSSL_DIGEST_PARAM_XOF, &xof); + params[3] = OSSL_PARAM_construct_int(OSSL_DIGEST_PARAM_ALGID_ABSENT, + &algid_absent); + params[4] = OSSL_PARAM_construct_end(); ok = evp_do_md_getparams(md, params); if (mdsize > INT_MAX || blksz > INT_MAX) ok = 0; if (ok) { md->block_size = (int)blksz; md->md_size = (int)mdsize; - md->flags = flags; + if (xof) + md->flags |= EVP_MD_FLAG_XOF; + if (algid_absent) + md->flags |= EVP_MD_FLAG_DIGALGID_ABSENT; } return ok; } diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 2febcfc2d5..427ffc813a 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -333,29 +333,41 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx) int evp_cipher_cache_constants(EVP_CIPHER *cipher) { - int ok; + int ok, aead = 0, custom_iv = 0, cts = 0, multiblock = 0; size_t ivlen = 0; size_t blksz = 0; size_t keylen = 0; unsigned int mode = 0; - unsigned long flags = 0; - OSSL_PARAM params[6]; + OSSL_PARAM params[9]; params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_BLOCK_SIZE, &blksz); params[1] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &ivlen); params[2] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &keylen); params[3] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_MODE, &mode); - params[4] = OSSL_PARAM_construct_ulong(OSSL_CIPHER_PARAM_FLAGS, &flags); - params[5] = OSSL_PARAM_construct_end(); + params[4] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_AEAD, &aead); + params[5] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_CUSTOM_IV, + &custom_iv); + params[6] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_CTS, &cts); + params[7] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK, + &multiblock); + params[8] = OSSL_PARAM_construct_end(); ok = evp_do_ciph_getparams(cipher, params); if (ok) { - /* Provided implementations may have a custom cipher_cipher */ - if (cipher->prov != NULL && cipher->ccipher != NULL) - flags |= EVP_CIPH_FLAG_CUSTOM_CIPHER; cipher->block_size = blksz; cipher->iv_len = ivlen; cipher->key_len = keylen; - cipher->flags = flags | mode; + cipher->flags = mode; + if (aead) + cipher->flags |= EVP_CIPH_FLAG_AEAD_CIPHER; + if (custom_iv) + cipher->flags |= EVP_CIPH_CUSTOM_IV; + if (cts) + cipher->flags |= EVP_CIPH_FLAG_CTS; + if (multiblock) + cipher->flags |= EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK; + /* Provided implementations may have a custom cipher_cipher */ + if (cipher->prov != NULL && cipher->ccipher != NULL) + cipher->flags |= EVP_CIPH_FLAG_CUSTOM_CIPHER; } return ok; } @@ -686,11 +698,6 @@ const OSSL_PROVIDER *EVP_MD_provider(const EVP_MD *md) return md->prov; } -int EVP_MD_block_size(const EVP_MD *md) -{ - return md->block_size; -} - int EVP_MD_type(const EVP_MD *md) { return md->type; @@ -701,6 +708,15 @@ int EVP_MD_pkey_type(const EVP_MD *md) return md->pkey_type; } +int EVP_MD_block_size(const EVP_MD *md) +{ + if (md == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_MESSAGE_DIGEST_IS_NULL); + return -1; + } + return md->block_size; +} + int EVP_MD_size(const EVP_MD *md) { if (md == NULL) { diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 3a17243976..28572f23b3 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -393,13 +393,13 @@ EVP_MD_CTX_set_params() can be used with the following OSSL_PARAM keys: =over 4 -=item "xoflen" (B) +=item "xoflen" (B) Sets the digest length for extendable output functions. It is used by the SHAKE algorithm and should not exceed what can be given using a B. -=item "pad_type" (B) +=item "pad-type" (B) Sets the padding type. It is used by the MDC2 algorithm. diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 455d154cee..926c1fbd06 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -225,10 +225,19 @@ It's a simple flag, the value 0 or 1 are expected. This option is used by KMAC. -=item "flags" (B) +=item "digest-noinit" (B) -These will set the MAC flags to the given numbers. -Some MACs do not support this option. +A simple flag to set the MAC digest to not initialise the +implementation specific data. The value 0 or 1 is expected. + +This option is used by HMAC. + +=item "digest-oneshot" (B) + +A simple flag to set the MAC digest to be a oneshot operation. +The value 0 or 1 is expected. + +This option is used by HMAC. =item "properties" (B) diff --git a/doc/man7/EVP_MAC-HMAC.pod b/doc/man7/EVP_MAC-HMAC.pod index 94bac8dbcf..8136bed000 100644 --- a/doc/man7/EVP_MAC-HMAC.pod +++ b/doc/man7/EVP_MAC-HMAC.pod @@ -30,10 +30,12 @@ The following parameter can be set with EVP_MAC_CTX_set_params(): =item "key" (B) -=item "flags" (B) - =item "digest" (B) +=item "digest-noinit" (B) + +=item "digest-oneshot" (B) + =item "properties" (B) =item "tls-data-size" (B) diff --git a/doc/man7/EVP_MD-MDC2.pod b/doc/man7/EVP_MD-MDC2.pod index 516e19da19..53069557ea 100644 --- a/doc/man7/EVP_MD-MDC2.pod +++ b/doc/man7/EVP_MD-MDC2.pod @@ -25,7 +25,7 @@ settable for an B with L: =over 4 -=item "pad_type" (B) +=item "pad-type" (B) Sets the padding type to be used. Normally the final MDC2 block is padded with zeros. diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index 3ab277ecf9..34a5ec0a7f 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -218,13 +218,27 @@ For example AES in CTR mode has a block size of 1 (because it operates like a stream cipher), even though AES has a block size of 16. The length of the "blocksize" parameter should not exceed that of a B. -=item "flags" (B) +=item "aead" (B) -Gets any flags for the associated cipher algorithm. -See L for a list of currently defined cipher -flags. -The length of the "flags" parameter should equal that of an -B. +Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0. + +=item "custom-iv" (B) + +Gets 1 if the cipher algorithm has a custom IV, otherwise it gets 0. +Storing and initializing the IV is left entirely to the implementation, if a +custom IV is used. + +=item "cts" (B) + +Gets 1 if the cipher algorithm uses ciphertext stealing, otherwise it gets 0. +This is currently used to indicate that the cipher is a one shot that only +allows a single call to EVP_CipherUpdate(). + +=item "tls-multi" (B) + +Gets 1 if the cipher algorithm supports interleaving of crypto blocks, otherwise +it gets 0. The interleaving is an optimization only applicable to certain +TLS ciphers. =item "keylen" (B) @@ -263,7 +277,7 @@ See L. =item "taglen" (B) Gets the tag length to be used for an AEAD cipher for the associated cipher ctx. -It returns a default value if it has not been set. +It gets a default value if it has not been set. The length of the "taglen" parameter should not exceed that of a B. =item "tlsaad" (B) diff --git a/doc/man7/provider-mac.pod b/doc/man7/provider-mac.pod index f89b1fe0e2..f18a8c7fde 100644 --- a/doc/man7/provider-mac.pod +++ b/doc/man7/provider-mac.pod @@ -172,9 +172,16 @@ Sets the salt of the underlying cipher, when applicable. Sets XOF mode in the associated MAC ctx. 0 means no XOF mode, 1 means XOF mode. -=item "flags" (B) +=item "digest-noinit" (B) + +A simple flag to set the MAC digest to not initialise the +implementation specific data. The value 0 or 1 is expected. + +=item "digest-oneshot" (B) + +A simple flag to set the MAC digest to be a oneshot operation. +The value 0 or 1 is expected. -Gets flags associated with the MAC. =for comment We need to investigate if this is the right approach diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 221d67b823..ff2d1a03f9 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -69,7 +69,10 @@ extern "C" { #define OSSL_CIPHER_PARAM_TLS_MAC_SIZE "tls-mac-size" /* size_t */ #define OSSL_CIPHER_PARAM_MODE "mode" /* uint */ #define OSSL_CIPHER_PARAM_BLOCK_SIZE "blocksize" /* size_t */ -#define OSSL_CIPHER_PARAM_FLAGS "flags" /* ulong */ +#define OSSL_CIPHER_PARAM_AEAD "aead" /* int, 0 or 1 */ +#define OSSL_CIPHER_PARAM_CUSTOM_IV "custom-iv" /* int, 0 or 1 */ +#define OSSL_CIPHER_PARAM_CTS "cts" /* int, 0 or 1 */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK "tls-multi" /* int, 0 or 1 */ #define OSSL_CIPHER_PARAM_KEYLEN "keylen" /* size_t */ #define OSSL_CIPHER_PARAM_IVLEN "ivlen" /* size_t */ #define OSSL_CIPHER_PARAM_IV "iv" /* octet_string OR octet_ptr */ @@ -115,13 +118,14 @@ extern "C" { #define OSSL_CIPHER_CTS_MODE_CS3 "CS3" /* digest parameters */ -#define OSSL_DIGEST_PARAM_XOFLEN "xoflen" /* size_t */ -#define OSSL_DIGEST_PARAM_SSL3_MS "ssl3-ms" /* octet string */ -#define OSSL_DIGEST_PARAM_PAD_TYPE "pad_type" /* uint */ -#define OSSL_DIGEST_PARAM_MICALG "micalg" /* utf8 string */ -#define OSSL_DIGEST_PARAM_BLOCK_SIZE "blocksize" /* size_t */ -#define OSSL_DIGEST_PARAM_SIZE "size" /* size_t */ -#define OSSL_DIGEST_PARAM_FLAGS "flags" /* ulong */ +#define OSSL_DIGEST_PARAM_XOFLEN "xoflen" /* size_t */ +#define OSSL_DIGEST_PARAM_SSL3_MS "ssl3-ms" /* octet string */ +#define OSSL_DIGEST_PARAM_PAD_TYPE "pad-type" /* uint */ +#define OSSL_DIGEST_PARAM_MICALG "micalg" /* utf8 string */ +#define OSSL_DIGEST_PARAM_BLOCK_SIZE "blocksize" /* size_t */ +#define OSSL_DIGEST_PARAM_SIZE "size" /* size_t */ +#define OSSL_DIGEST_PARAM_XOF "xof" /* int, 0 or 1 */ +#define OSSL_DIGEST_PARAM_ALGID_ABSENT "algid-absent" /* int, 0 or 1 */ /* Known DIGEST names (not a complete list) */ #define OSSL_DIGEST_NAME_MD5 "MD5" @@ -146,12 +150,14 @@ extern "C" { #define OSSL_DIGEST_NAME_SM3 "SM3" /* MAC parameters */ -#define OSSL_MAC_PARAM_KEY "key" /* octet string */ -#define OSSL_MAC_PARAM_IV "iv" /* octet string */ -#define OSSL_MAC_PARAM_CUSTOM "custom" /* utf8 string */ -#define OSSL_MAC_PARAM_SALT "salt" /* octet string */ -#define OSSL_MAC_PARAM_XOF "xof" /* int, 0 or 1 */ -#define OSSL_MAC_PARAM_FLAGS "flags" /* int */ +#define OSSL_MAC_PARAM_KEY "key" /* octet string */ +#define OSSL_MAC_PARAM_IV "iv" /* octet string */ +#define OSSL_MAC_PARAM_CUSTOM "custom" /* utf8 string */ +#define OSSL_MAC_PARAM_SALT "salt" /* octet string */ +#define OSSL_MAC_PARAM_XOF "xof" /* int, 0 or 1 */ +#define OSSL_MAC_PARAM_DIGEST_NOINIT "digest-noinit" /* int, 0 or 1 */ +#define OSSL_MAC_PARAM_DIGEST_ONESHOT "digest-oneshot" /* int, 0 or 1 */ + /* * If "engine" or "properties" are specified, they should always be paired * with "cipher" or "digest". diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index 53bef600a5..03f216d22e 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -30,11 +30,8 @@ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \ #else # include "prov/providercommonerr.h" -/* TODO(3.0) Figure out what flags are required */ -# define AES_CBC_HMAC_SHA_FLAGS (EVP_CIPH_CBC_MODE \ - | EVP_CIPH_FLAG_DEFAULT_ASN1 \ - | EVP_CIPH_FLAG_AEAD_CIPHER \ - | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) +# define AES_CBC_HMAC_SHA_FLAGS (PROV_CIPHER_FLAG_AEAD \ + | PROV_CIPHER_FLAG_TLS1_MULTIBLOCK) static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha1_freectx; static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha256_freectx; diff --git a/providers/implementations/ciphers/cipher_aes_cts.inc b/providers/implementations/ciphers/cipher_aes_cts.inc index 6eb85a083f..dae112febf 100644 --- a/providers/implementations/ciphers/cipher_aes_cts.inc +++ b/providers/implementations/ciphers/cipher_aes_cts.inc @@ -12,6 +12,8 @@ #include "cipher_aes_cts.h" #include "prov/providercommonerr.h" +#define AES_CTS_FLAGS PROV_CIPHER_FLAG_CTS + static OSSL_FUNC_cipher_get_ctx_params_fn aes_cbc_cts_get_ctx_params; static OSSL_FUNC_cipher_set_ctx_params_fn aes_cbc_cts_set_ctx_params; static OSSL_FUNC_cipher_gettable_ctx_params_fn aes_cbc_cts_gettable_ctx_params; @@ -101,8 +103,8 @@ const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = { \ }; /* ossl_aes256cbc_cts_functions */ -IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, EVP_CIPH_FLAG_CTS, 256, 128, 128, block) +IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 256, 128, 128, block) /* ossl_aes192cbc_cts_functions */ -IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, EVP_CIPH_FLAG_CTS, 192, 128, 128, block) +IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 192, 128, 128, block) /* ossl_aes128cbc_cts_functions */ -IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, EVP_CIPH_FLAG_CTS, 128, 128, 128, block) +IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 128, 128, 128, block) diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c index 7a83506c24..469515bb8c 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.c +++ b/providers/implementations/ciphers/cipher_aes_siv.c @@ -37,7 +37,6 @@ static void *aes_siv_newctx(void *provctx, size_t keybits, unsigned int mode, if (ctx != NULL) { ctx->taglen = SIV_LEN; ctx->mode = mode; - ctx->flags = flags; ctx->keylen = keybits / 8; ctx->hw = ossl_prov_cipher_hw_aes_siv(keybits); ctx->libctx = PROV_LIBCTX_OF(provctx); @@ -259,7 +258,7 @@ static OSSL_FUNC_cipher_settable_ctx_params_fn \ static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[]) \ { \ return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ - flags, 2*kbits, blkbits, ivbits); \ + flags, 2*kbits, blkbits, ivbits); \ } \ static void * alg##kbits##lc##_newctx(void *provctx) \ { \ diff --git a/providers/implementations/ciphers/cipher_aes_siv.h b/providers/implementations/ciphers/cipher_aes_siv.h index 6d2649f049..c0b2a903bc 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.h +++ b/providers/implementations/ciphers/cipher_aes_siv.h @@ -24,7 +24,6 @@ typedef struct prov_cipher_hw_aes_siv_st { typedef struct prov_siv_ctx_st { unsigned int mode; /* The mode that we are using */ unsigned int enc : 1; /* Set to 1 if we are encrypting or 0 otherwise */ - uint64_t flags; size_t keylen; /* The input keylength (twice the alg key length) */ size_t taglen; /* the taglen is the same as the sivlen */ SIV128_CONTEXT siv; diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c index ca57666e7a..dc625216ca 100644 --- a/providers/implementations/ciphers/cipher_aes_wrp.c +++ b/providers/implementations/ciphers/cipher_aes_wrp.c @@ -22,10 +22,8 @@ #define AES_WRAP_PAD_IVLEN 4 #define AES_WRAP_NOPAD_IVLEN 8 -/* TODO(3.0) Figure out what flags need to be passed */ -#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV \ - | EVP_CIPH_ALWAYS_CALL_INIT) -#define WRAP_FLAGS_INV (WRAP_FLAGS | EVP_CIPH_FLAG_INVERSE_CIPHER) +#define WRAP_FLAGS (PROV_CIPHER_FLAG_CUSTOM_IV) +#define WRAP_FLAGS_INV (WRAP_FLAGS | PROV_CIPHER_FLAG_INVERSE_CIPHER) typedef size_t (*aeswrap_fn)(void *key, const unsigned char *iv, unsigned char *out, const unsigned char *in, @@ -111,7 +109,7 @@ static int aes_wrap_init(void *vctx, const unsigned char *key, * to be the AES decryption function, then CIPH-1K will be the AES * encryption function. */ - if ((ctx->flags & EVP_CIPH_FLAG_INVERSE_CIPHER) == 0) + if (ctx->inverse_cipher == 0) use_forward_transform = ctx->enc; else use_forward_transform = !ctx->enc; diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c index 7ccad56198..cf768d27d4 100644 --- a/providers/implementations/ciphers/cipher_aes_xts.c +++ b/providers/implementations/ciphers/cipher_aes_xts.c @@ -20,12 +20,7 @@ #include "prov/providercommon.h" #include "prov/providercommonerr.h" -/* TODO (3.0) Figure out what flags need to be set */ -#define AES_XTS_FLAGS (EVP_CIPH_CUSTOM_IV \ - | EVP_CIPH_ALWAYS_CALL_INIT \ - | EVP_CIPH_CTRL_INIT \ - | EVP_CIPH_CUSTOM_COPY) - +#define AES_XTS_FLAGS PROV_CIPHER_FLAG_CUSTOM_IV #define AES_XTS_IV_BITS 128 #define AES_XTS_BLOCK_BITS 8 @@ -233,10 +228,6 @@ static int aes_xts_set_ctx_params(void *vctx, const OSSL_PARAM params[]) PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; const OSSL_PARAM *p; - /* - * TODO(3.0) We need a general solution for handling missing parameters - * inside set_params and get_params methods. - */ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); if (p != NULL) { size_t keylen; diff --git a/providers/implementations/ciphers/cipher_blowfish.c b/providers/implementations/ciphers/cipher_blowfish.c index 6320f560a0..cf303bb863 100644 --- a/providers/implementations/ciphers/cipher_blowfish.c +++ b/providers/implementations/ciphers/cipher_blowfish.c @@ -19,7 +19,7 @@ #include "prov/implementations.h" #include "prov/providercommon.h" -#define BF_FLAGS (EVP_CIPH_VARIABLE_LENGTH) +#define BF_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH static OSSL_FUNC_cipher_freectx_fn blowfish_freectx; static OSSL_FUNC_cipher_dupctx_fn blowfish_dupctx; diff --git a/providers/implementations/ciphers/cipher_cast5.c b/providers/implementations/ciphers/cipher_cast5.c index 7c686013d8..1d525343b4 100644 --- a/providers/implementations/ciphers/cipher_cast5.c +++ b/providers/implementations/ciphers/cipher_cast5.c @@ -20,7 +20,7 @@ #include "prov/providercommon.h" #include "prov/providercommonerr.h" -#define CAST5_FLAGS (EVP_CIPH_VARIABLE_LENGTH) +#define CAST5_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH static OSSL_FUNC_cipher_freectx_fn cast5_freectx; static OSSL_FUNC_cipher_dupctx_fn cast5_dupctx; diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 8e0727ae47..b2fe1b1957 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -17,8 +17,7 @@ #define CHACHA20_KEYLEN (CHACHA_KEY_SIZE) #define CHACHA20_BLKLEN (1) #define CHACHA20_IVLEN (CHACHA_CTR_SIZE) -/* TODO(3.0) Figure out what flags are required */ -#define CHACHA20_FLAGS (EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT) +#define CHACHA20_FLAGS (PROV_CIPHER_FLAG_CUSTOM_IV) static OSSL_FUNC_cipher_newctx_fn chacha20_newctx; static OSSL_FUNC_cipher_freectx_fn chacha20_freectx; diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index 7a9cc5c20f..919d4fba94 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -19,14 +19,8 @@ #define CHACHA20_POLY1305_BLKLEN 1 #define CHACHA20_POLY1305_MAX_IVLEN 12 #define CHACHA20_POLY1305_MODE 0 -/* TODO(3.0) Figure out what flags are required */ -#define CHACHA20_POLY1305_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER \ - | EVP_CIPH_ALWAYS_CALL_INIT \ - | EVP_CIPH_CTRL_INIT \ - | EVP_CIPH_CUSTOM_COPY \ - | EVP_CIPH_FLAG_CUSTOM_CIPHER \ - | EVP_CIPH_CUSTOM_IV \ - | EVP_CIPH_CUSTOM_IV_LENGTH) +#define CHACHA20_POLY1305_FLAGS (PROV_CIPHER_FLAG_AEAD \ + | PROV_CIPHER_FLAG_CUSTOM_IV) static OSSL_FUNC_cipher_newctx_fn chacha20_poly1305_newctx; static OSSL_FUNC_cipher_freectx_fn chacha20_poly1305_freectx; diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c index 345adfab60..ec186445c8 100644 --- a/providers/implementations/ciphers/cipher_des.c +++ b/providers/implementations/ciphers/cipher_des.c @@ -20,8 +20,7 @@ #include "prov/providercommon.h" #include "prov/providercommonerr.h" -/* TODO(3.0) Figure out what flags need to be here */ -#define DES_FLAGS (EVP_CIPH_RAND_KEY) +#define DES_FLAGS 0 static OSSL_FUNC_cipher_freectx_fn des_freectx; static OSSL_FUNC_cipher_encrypt_init_fn des_einit; diff --git a/providers/implementations/ciphers/cipher_des.h b/providers/implementations/ciphers/cipher_des.h index aedb38177e..78ca686bad 100644 --- a/providers/implementations/ciphers/cipher_des.h +++ b/providers/implementations/ciphers/cipher_des.h @@ -10,8 +10,7 @@ #include #include "crypto/des_platform.h" -/* TODO(3.0) Figure out what flags need to be here */ -#define TDES_FLAGS (EVP_CIPH_RAND_KEY) +#define TDES_FLAGS 0 typedef struct prov_des_ctx_st { PROV_CIPHER_CTX base; /* Must be first */ diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c index b7c244f245..09d66b2cdd 100644 --- a/providers/implementations/ciphers/cipher_rc2.c +++ b/providers/implementations/ciphers/cipher_rc2.c @@ -23,6 +23,7 @@ #define RC2_40_MAGIC 0xa0 #define RC2_64_MAGIC 0x78 #define RC2_128_MAGIC 0x3a +#define RC2_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH static OSSL_FUNC_cipher_freectx_fn rc2_freectx; static OSSL_FUNC_cipher_dupctx_fn rc2_dupctx; @@ -242,15 +243,15 @@ const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_functions[] = { \ }; /* ossl_rc2128ecb_functions */ -IMPLEMENT_cipher(rc2, RC2, ecb, ECB, EVP_CIPH_VARIABLE_LENGTH, 128, 64, 0, block) +IMPLEMENT_cipher(rc2, RC2, ecb, ECB, RC2_FLAGS, 128, 64, 0, block) /* ossl_rc2128cbc_functions */ -IMPLEMENT_cipher(rc2, RC2, cbc, CBC, EVP_CIPH_VARIABLE_LENGTH, 128, 64, 64, block) +IMPLEMENT_cipher(rc2, RC2, cbc, CBC, RC2_FLAGS, 128, 64, 64, block) /* ossl_rc240cbc_functions */ -IMPLEMENT_cipher(rc2, RC2, cbc, CBC, EVP_CIPH_VARIABLE_LENGTH, 40, 64, 64, block) +IMPLEMENT_cipher(rc2, RC2, cbc, CBC, RC2_FLAGS, 40, 64, 64, block) /* ossl_rc264cbc_functions */ -IMPLEMENT_cipher(rc2, RC2, cbc, CBC, EVP_CIPH_VARIABLE_LENGTH, 64, 64, 64, block) +IMPLEMENT_cipher(rc2, RC2, cbc, CBC, RC2_FLAGS, 64, 64, 64, block) /* ossl_rc2128ofb128_functions */ -IMPLEMENT_cipher(rc2, RC2, ofb128, OFB, EVP_CIPH_VARIABLE_LENGTH, 128, 8, 64, stream) +IMPLEMENT_cipher(rc2, RC2, ofb128, OFB, RC2_FLAGS, 128, 8, 64, stream) /* ossl_rc2128cfb128_functions */ -IMPLEMENT_cipher(rc2, RC2, cfb128, CFB, EVP_CIPH_VARIABLE_LENGTH, 128, 8, 64, stream) +IMPLEMENT_cipher(rc2, RC2, cfb128, CFB, RC2_FLAGS, 128, 8, 64, stream) diff --git a/providers/implementations/ciphers/cipher_rc4.c b/providers/implementations/ciphers/cipher_rc4.c index 91644fca59..18233bbac1 100644 --- a/providers/implementations/ciphers/cipher_rc4.c +++ b/providers/implementations/ciphers/cipher_rc4.c @@ -19,8 +19,7 @@ #include "prov/implementations.h" #include "prov/providercommon.h" -/* TODO (3.0) Figure out what flags are required */ -#define RC4_FLAGS EVP_CIPH_FLAG_DEFAULT_ASN1 +#define RC4_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH static OSSL_FUNC_cipher_freectx_fn rc4_freectx; static OSSL_FUNC_cipher_dupctx_fn rc4_dupctx; @@ -97,6 +96,6 @@ const OSSL_DISPATCH ossl_##alg##kbits##_functions[] = { \ }; /* ossl_rc440_functions */ -IMPLEMENT_cipher(rc4, RC4, EVP_CIPH_VARIABLE_LENGTH, 40, 8, 0, stream) +IMPLEMENT_cipher(rc4, RC4, RC4_FLAGS, 40, 8, 0, stream) /* ossl_rc4128_functions */ -IMPLEMENT_cipher(rc4, RC4, EVP_CIPH_VARIABLE_LENGTH, 128, 8, 0, stream) +IMPLEMENT_cipher(rc4, RC4, RC4_FLAGS, 128, 8, 0, stream) diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index 9dc9615c04..b757197110 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -20,9 +20,8 @@ #include "prov/providercommon.h" #include "prov/providercommonerr.h" -/* TODO(3.0) Figure out what flags are required */ -#define RC4_HMAC_MD5_FLAGS (EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH \ - | EVP_CIPH_FLAG_AEAD_CIPHER) +#define RC4_HMAC_MD5_FLAGS (PROV_CIPHER_FLAG_VARIABLE_LENGTH \ + | PROV_CIPHER_FLAG_AEAD) #define RC4_HMAC_MD5_KEY_BITS (16 * 8) #define RC4_HMAC_MD5_BLOCK_BITS (1 * 8) @@ -183,10 +182,10 @@ static int rc4_hmac_md5_set_ctx_params(void *vctx, const OSSL_PARAM params[]) static int rc4_hmac_md5_get_params(OSSL_PARAM params[]) { return ossl_cipher_generic_get_params(params, RC4_HMAC_MD5_MODE, - RC4_HMAC_MD5_FLAGS, - RC4_HMAC_MD5_KEY_BITS, - RC4_HMAC_MD5_BLOCK_BITS, - RC4_HMAC_MD5_IV_BITS); + RC4_HMAC_MD5_FLAGS, + RC4_HMAC_MD5_KEY_BITS, + RC4_HMAC_MD5_BLOCK_BITS, + RC4_HMAC_MD5_IV_BITS); } const OSSL_DISPATCH ossl_rc4_hmac_ossl_md5_functions[] = { diff --git a/providers/implementations/ciphers/cipher_rc5.c b/providers/implementations/ciphers/cipher_rc5.c index 80de5f4bdd..ec408ed885 100644 --- a/providers/implementations/ciphers/cipher_rc5.c +++ b/providers/implementations/ciphers/cipher_rc5.c @@ -20,6 +20,8 @@ #include "prov/providercommon.h" #include "prov/providercommonerr.h" +#define RC5_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH + static OSSL_FUNC_cipher_freectx_fn rc5_freectx; static OSSL_FUNC_cipher_dupctx_fn rc5_dupctx; OSSL_FUNC_cipher_gettable_ctx_params_fn rc5_gettable_ctx_params; @@ -153,10 +155,10 @@ const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_functions[] = { \ }; /* ossl_rc5128ecb_functions */ -IMPLEMENT_cipher(rc5, RC5, ecb, ECB, EVP_CIPH_VARIABLE_LENGTH, 128, 64, 0, block) +IMPLEMENT_cipher(rc5, RC5, ecb, ECB, RC5_FLAGS, 128, 64, 0, block) /* ossl_rc5128cbc_functions */ -IMPLEMENT_cipher(rc5, RC5, cbc, CBC, EVP_CIPH_VARIABLE_LENGTH, 128, 64, 64, block) +IMPLEMENT_cipher(rc5, RC5, cbc, CBC, RC5_FLAGS, 128, 64, 64, block) /* ossl_rc5128ofb64_functions */ -IMPLEMENT_cipher(rc5, RC5, ofb64, OFB, EVP_CIPH_VARIABLE_LENGTH, 128, 8, 64, stream) +IMPLEMENT_cipher(rc5, RC5, ofb64, OFB, RC5_FLAGS, 128, 8, 64, stream) /* ossl_rc5128cfb64_functions */ -IMPLEMENT_cipher(rc5, RC5, cfb64, CFB, EVP_CIPH_VARIABLE_LENGTH, 128, 8, 64, stream) +IMPLEMENT_cipher(rc5, RC5, cfb64, CFB, RC5_FLAGS, 128, 8, 64, stream) diff --git a/providers/implementations/ciphers/cipher_tdes.c b/providers/implementations/ciphers/cipher_tdes.c index c9fb1ceda7..a2855af481 100644 --- a/providers/implementations/ciphers/cipher_tdes.c +++ b/providers/implementations/ciphers/cipher_tdes.c @@ -20,7 +20,7 @@ #include "prov/providercommonerr.h" /* - * TODO(3.0) - ECB mode does not use an IV - but existing test code is setting + * NOTE: ECB mode does not use an IV - but existing test code is setting * an IV. Fixing this could potentially make applications break. */ /* ossl_tdes_ede3_ecb_functions */ diff --git a/providers/implementations/ciphers/cipher_tdes.h b/providers/implementations/ciphers/cipher_tdes.h index 081a00fffa..9bef908cc3 100644 --- a/providers/implementations/ciphers/cipher_tdes.h +++ b/providers/implementations/ciphers/cipher_tdes.h @@ -13,9 +13,7 @@ #define DES_BLOCK_SIZE 8 #define TDES_IVLEN 8 - -/* TODO(3.0) Figure out what flags need to be here */ -#define TDES_FLAGS (EVP_CIPH_RAND_KEY) +#define TDES_FLAGS 0 typedef struct prov_tdes_ctx_st { PROV_CIPHER_CTX base; /* Must be first */ diff --git a/providers/implementations/ciphers/cipher_tdes_default_hw.c b/providers/implementations/ciphers/cipher_tdes_default_hw.c index b7c7ea11f7..77b08ebbe1 100644 --- a/providers/implementations/ciphers/cipher_tdes_default_hw.c +++ b/providers/implementations/ciphers/cipher_tdes_default_hw.c @@ -101,7 +101,7 @@ static int ossl_cipher_hw_tdes_cfb1(PROV_CIPHER_CTX *ctx, unsigned char *out, size_t n; unsigned char c[1], d[1]; - if ((ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) == 0) + if (ctx->use_bits == 0) inl *= 8; for (n = 0; n < inl; ++n) { c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; diff --git a/providers/implementations/ciphers/cipher_tdes_wrap.c b/providers/implementations/ciphers/cipher_tdes_wrap.c index acb8c97e33..b78a77c254 100644 --- a/providers/implementations/ciphers/cipher_tdes_wrap.c +++ b/providers/implementations/ciphers/cipher_tdes_wrap.c @@ -21,9 +21,7 @@ #include "prov/providercommon.h" #include "prov/providercommonerr.h" -/* TODO (3.0) Figure out what flags are required */ -#define TDES_WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV) - +#define TDES_WRAP_FLAGS PROV_CIPHER_FLAG_CUSTOM_IV static OSSL_FUNC_cipher_update_fn tdes_wrap_update; static OSSL_FUNC_cipher_cipher_fn tdes_wrap_cipher; diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index d1e8c461b5..fa73edb473 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -26,7 +26,10 @@ static const OSSL_PARAM cipher_known_gettable_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL), - OSSL_PARAM_ulong(OSSL_CIPHER_PARAM_FLAGS, NULL), + OSSL_PARAM_int(OSSL_CIPHER_PARAM_AEAD, NULL), + OSSL_PARAM_int(OSSL_CIPHER_PARAM_CUSTOM_IV, NULL), + OSSL_PARAM_int(OSSL_CIPHER_PARAM_CTS, NULL), + OSSL_PARAM_int(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK, NULL), { OSSL_CIPHER_PARAM_TLS_MAC, OSSL_PARAM_OCTET_PTR, NULL, 0, OSSL_PARAM_UNMODIFIED }, OSSL_PARAM_END }; @@ -36,7 +39,7 @@ const OSSL_PARAM *ossl_cipher_generic_gettable_params(void *provctx) } int ossl_cipher_generic_get_params(OSSL_PARAM params[], unsigned int md, - unsigned long flags, + uint64_t flags, size_t kbits, size_t blkbits, size_t ivbits) { OSSL_PARAM *p; @@ -46,8 +49,27 @@ int ossl_cipher_generic_get_params(OSSL_PARAM params[], unsigned int md, ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_FLAGS); - if (p != NULL && !OSSL_PARAM_set_ulong(p, flags)) { + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_AEAD) != 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CUSTOM_IV); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_CUSTOM_IV) != 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_CTS) != 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_TLS1_MULTIBLOCK) != 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } @@ -80,7 +102,6 @@ CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_cipher_generic) /* * Variable key length cipher functions for OSSL_PARAM settables */ - int ossl_cipher_var_keylen_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; @@ -168,7 +189,7 @@ static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx, return 0; } if (key != NULL) { - if ((ctx->flags & EVP_CIPH_VARIABLE_LENGTH) == 0) { + if (ctx->variable_keylength == 0) { if (keylen != ctx->keylen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN); return 0; @@ -608,7 +629,11 @@ void ossl_cipher_generic_initkey(void *vctx, size_t kbits, size_t blkbits, { PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; - ctx->flags = flags; + if ((flags & PROV_CIPHER_FLAG_INVERSE_CIPHER) != 0) + ctx->inverse_cipher = 1; + if ((flags & PROV_CIPHER_FLAG_VARIABLE_LENGTH) != 0) + ctx->variable_keylength = 1; + ctx->pad = 1; ctx->keylen = ((kbits) / 8); ctx->ivlen = ((ivbits) / 8); diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c index cb529f5f31..0009e9876c 100644 --- a/providers/implementations/ciphers/ciphercommon_ccm.c +++ b/providers/implementations/ciphers/ciphercommon_ccm.c @@ -291,9 +291,8 @@ int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl, return 1; } -int ccm_cipher(void *vctx, - unsigned char *out, size_t *outl, size_t outsize, - const unsigned char *in, size_t inl) +int ccm_cipher(void *vctx, unsigned char *out, size_t *outl, size_t outsize, + const unsigned char *in, size_t inl) { PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx; diff --git a/providers/implementations/ciphers/ciphercommon_hw.c b/providers/implementations/ciphers/ciphercommon_hw.c index 7063593011..8673e7b744 100644 --- a/providers/implementations/ciphers/ciphercommon_hw.c +++ b/providers/implementations/ciphers/ciphercommon_hw.c @@ -85,7 +85,7 @@ int ossl_cipher_hw_generic_cfb1(PROV_CIPHER_CTX *dat, unsigned char *out, { int num = dat->num; - if ((dat->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) { + if (dat->use_bits) { CRYPTO_cfb128_1_encrypt(in, out, len, dat->ks, dat->iv, &num, dat->enc, dat->block); dat->num = num; diff --git a/providers/implementations/digests/digestcommon.c b/providers/implementations/digests/digestcommon.c index 6d926713c8..b8e7efde60 100644 --- a/providers/implementations/digests/digestcommon.c +++ b/providers/implementations/digests/digestcommon.c @@ -26,8 +26,15 @@ int digest_default_get_params(OSSL_PARAM params[], size_t blksz, size_t paramsz, ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } - p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_FLAGS); - if (p != NULL && !OSSL_PARAM_set_ulong(p, flags)) { + p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_XOF); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_DIGEST_FLAG_XOF) != 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_ALGID_ABSENT); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_DIGEST_FLAG_ALGID_ABSENT) != 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } @@ -37,7 +44,8 @@ int digest_default_get_params(OSSL_PARAM params[], size_t blksz, size_t paramsz, static const OSSL_PARAM digest_default_known_gettable_params[] = { OSSL_PARAM_size_t(OSSL_DIGEST_PARAM_BLOCK_SIZE, NULL), OSSL_PARAM_size_t(OSSL_DIGEST_PARAM_SIZE, NULL), - OSSL_PARAM_ulong(OSSL_DIGEST_PARAM_FLAGS, NULL), + OSSL_PARAM_int(OSSL_DIGEST_PARAM_XOF, NULL), + OSSL_PARAM_int(OSSL_DIGEST_PARAM_ALGID_ABSENT, NULL), OSSL_PARAM_END }; const OSSL_PARAM *digest_default_gettable_params(void *provctx) diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c index 2f01149ad9..4cff62131c 100644 --- a/providers/implementations/digests/sha2_prov.c +++ b/providers/implementations/digests/sha2_prov.c @@ -24,6 +24,8 @@ #include "prov/implementations.h" #include "crypto/sha.h" +#define SHA2_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT + static OSSL_FUNC_digest_set_ctx_params_fn sha1_set_ctx_params; static OSSL_FUNC_digest_settable_ctx_params_fn sha1_settable_ctx_params; @@ -53,43 +55,37 @@ static int sha1_set_ctx_params(void *vctx, const OSSL_PARAM params[]) /* ossl_sha1_functions */ IMPLEMENT_digest_functions_with_settable_ctx( - sha1, SHA_CTX, SHA_CBLOCK, SHA_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + sha1, SHA_CTX, SHA_CBLOCK, SHA_DIGEST_LENGTH, SHA2_FLAGS, SHA1_Init, SHA1_Update, SHA1_Final, sha1_settable_ctx_params, sha1_set_ctx_params) /* ossl_sha224_functions */ IMPLEMENT_digest_functions(sha224, SHA256_CTX, - SHA256_CBLOCK, SHA224_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + SHA256_CBLOCK, SHA224_DIGEST_LENGTH, SHA2_FLAGS, SHA224_Init, SHA224_Update, SHA224_Final) /* ossl_sha256_functions */ IMPLEMENT_digest_functions(sha256, SHA256_CTX, - SHA256_CBLOCK, SHA256_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + SHA256_CBLOCK, SHA256_DIGEST_LENGTH, SHA2_FLAGS, SHA256_Init, SHA256_Update, SHA256_Final) /* ossl_sha384_functions */ IMPLEMENT_digest_functions(sha384, SHA512_CTX, - SHA512_CBLOCK, SHA384_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + SHA512_CBLOCK, SHA384_DIGEST_LENGTH, SHA2_FLAGS, SHA384_Init, SHA384_Update, SHA384_Final) /* ossl_sha512_functions */ IMPLEMENT_digest_functions(sha512, SHA512_CTX, - SHA512_CBLOCK, SHA512_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + SHA512_CBLOCK, SHA512_DIGEST_LENGTH, SHA2_FLAGS, SHA512_Init, SHA512_Update, SHA512_Final) /* ossl_sha512_224_functions */ IMPLEMENT_digest_functions(sha512_224, SHA512_CTX, - SHA512_CBLOCK, SHA224_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + SHA512_CBLOCK, SHA224_DIGEST_LENGTH, SHA2_FLAGS, sha512_224_init, SHA512_Update, SHA512_Final) /* ossl_sha512_256_functions */ IMPLEMENT_digest_functions(sha512_256, SHA512_CTX, - SHA512_CBLOCK, SHA256_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + SHA512_CBLOCK, SHA256_DIGEST_LENGTH, SHA2_FLAGS, sha512_256_init, SHA512_Update, SHA512_Final) diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c index 6b44792529..6e731fd842 100644 --- a/providers/implementations/digests/sha3_prov.c +++ b/providers/implementations/digests/sha3_prov.c @@ -18,6 +18,10 @@ #include "prov/implementations.h" #include "prov/providercommonerr.h" +#define SHA3_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT +#define SHAKE_FLAGS PROV_DIGEST_FLAG_XOF +#define KMAC_FLAGS PROV_DIGEST_FLAG_XOF + /* * Forward declaration of any unique methods implemented here. This is not strictly * necessary for the compiler, but provides an assurance that the signatures @@ -286,18 +290,18 @@ static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[]) SHA3_newctx(sha3, SHA3_##bitlen, sha3_##bitlen, bitlen, '\x06') \ PROV_FUNC_SHA3_DIGEST(sha3_##bitlen, bitlen, \ SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ - EVP_MD_FLAG_DIGALGID_ABSENT) + SHA3_FLAGS) #define IMPLEMENT_SHAKE_functions(bitlen) \ SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ - EVP_MD_FLAG_XOF) + SHAKE_FLAGS) #define IMPLEMENT_KMAC_functions(bitlen) \ KMAC_newctx(keccak_kmac_##bitlen, bitlen, '\x04') \ PROV_FUNC_SHAKE_DIGEST(keccak_kmac_##bitlen, bitlen, \ SHA3_BLOCKSIZE(bitlen), KMAC_MDSIZE(bitlen), \ - EVP_MD_FLAG_XOF) + KMAC_FLAGS) /* ossl_sha3_224_functions */ IMPLEMENT_SHA3_functions(224) diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h index efc7eb9223..ee35400936 100644 --- a/providers/implementations/include/prov/ciphercommon.h +++ b/providers/implementations/include/prov/ciphercommon.h @@ -34,6 +34,15 @@ typedef int (PROV_CIPHER_HW_FN)(PROV_CIPHER_CTX *dat, unsigned char *out, /* TODO(3.0): VERIFY ME */ #define MAX_TLS_MAC_SIZE 48 +/* Internal flags that can be queried */ +#define PROV_CIPHER_FLAG_AEAD 0x0001 +#define PROV_CIPHER_FLAG_CUSTOM_IV 0x0002 +#define PROV_CIPHER_FLAG_CTS 0x0004 +#define PROV_CIPHER_FLAG_TLS1_MULTIBLOCK 0x0008 +/* Internal flags that are only used within the provider */ +#define PROV_CIPHER_FLAG_VARIABLE_LENGTH 0x0010 +#define PROV_CIPHER_FLAG_INVERSE_CIPHER 0x0020 + struct prov_cipher_ctx_st { block128_f block; union { @@ -52,7 +61,9 @@ struct prov_cipher_ctx_st { unsigned int enc : 1; /* Set to 1 for encrypt, or 0 otherwise */ unsigned int iv_set : 1; /* Set when the iv is copied to the iv/oiv buffers */ unsigned int updated : 1; /* Set to 1 during update for one shot ciphers */ - + unsigned int variable_keylength : 1; + unsigned int inverse_cipher : 1; /* set to 1 to use inverse cipher */ + unsigned int use_bits : 1; /* Set to 0 for cfb1 to use bits instead of bytes */ unsigned int tlsversion; /* If TLS padding is in use the TLS version number */ unsigned char *tlsmac; /* tls MAC extracted from the last record */ @@ -73,7 +84,6 @@ struct prov_cipher_ctx_st { * manage partial blocks themselves. */ unsigned int num; - uint64_t flags; /* The original value of the iv */ unsigned char oiv[GENERIC_BLOCK_SIZE]; @@ -110,11 +120,12 @@ OSSL_FUNC_cipher_gettable_ctx_params_fn ossl_cipher_aead_gettable_ctx_params; OSSL_FUNC_cipher_settable_ctx_params_fn ossl_cipher_aead_settable_ctx_params; int ossl_cipher_generic_get_params(OSSL_PARAM params[], unsigned int md, - unsigned long flags, - size_t kbits, size_t blkbits, size_t ivbits); + uint64_t flags, + size_t kbits, size_t blkbits, size_t ivbits); void ossl_cipher_generic_initkey(void *vctx, size_t kbits, size_t blkbits, - size_t ivbits, unsigned int mode, uint64_t flags, - const PROV_CIPHER_HW *hw, void *provctx); + size_t ivbits, unsigned int mode, + uint64_t flags, + const PROV_CIPHER_HW *hw, void *provctx); #define IMPLEMENT_generic_cipher_func(alg, UCALG, lcmode, UCMODE, flags, kbits,\ blkbits, ivbits, typ) \ diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h index 47175f7247..63fdb54151 100644 --- a/providers/implementations/include/prov/ciphercommon_aead.h +++ b/providers/implementations/include/prov/ciphercommon_aead.h @@ -9,21 +9,16 @@ #define UNINITIALISED_SIZET ((size_t)-1) -/* TODO(3.0) Figure out what flags are really needed */ -#define AEAD_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER \ - | EVP_CIPH_CUSTOM_IV \ - | EVP_CIPH_ALWAYS_CALL_INIT \ - | EVP_CIPH_CTRL_INIT \ - | EVP_CIPH_CUSTOM_COPY) +#define AEAD_FLAGS (PROV_CIPHER_FLAG_AEAD | PROV_CIPHER_FLAG_CUSTOM_IV) #define IMPLEMENT_aead_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits) \ -static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lc##_get_params; \ +static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lc##_get_params; \ static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[]) \ { \ - return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ + return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ flags, kbits, blkbits, ivbits); \ } \ -static OSSL_FUNC_cipher_newctx_fn alg##kbits##lc##_newctx; \ +static OSSL_FUNC_cipher_newctx_fn alg##kbits##lc##_newctx; \ static void * alg##kbits##lc##_newctx(void *provctx) \ { \ return alg##_##lc##_newctx(provctx, kbits); \ @@ -43,10 +38,10 @@ const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = { \ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ (void (*)(void)) lc##_set_ctx_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ - (void (*)(void))ossl_cipher_generic_gettable_params }, \ + (void (*)(void))ossl_cipher_generic_gettable_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ - (void (*)(void))ossl_cipher_aead_gettable_ctx_params }, \ + (void (*)(void))ossl_cipher_aead_gettable_ctx_params }, \ { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ - (void (*)(void))ossl_cipher_aead_settable_ctx_params }, \ + (void (*)(void))ossl_cipher_aead_settable_ctx_params }, \ { 0, NULL } \ } diff --git a/providers/implementations/include/prov/digestcommon.h b/providers/implementations/include/prov/digestcommon.h index 99004731fa..f1164c5a1a 100644 --- a/providers/implementations/include/prov/digestcommon.h +++ b/providers/implementations/include/prov/digestcommon.h @@ -15,6 +15,10 @@ # include # include "prov/providercommon.h" +/* Internal flags that can be queried */ +#define PROV_DIGEST_FLAG_XOF 0x0001 +#define PROV_DIGEST_FLAG_ALGID_ABSENT 0x0002 + # ifdef __cplusplus extern "C" { # endif diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c index 993e36ae34..3f9a862458 100644 --- a/providers/implementations/macs/hmac_prov.c +++ b/providers/implementations/macs/hmac_prov.c @@ -83,7 +83,6 @@ static void *hmac_new(void *provctx) OPENSSL_free(macctx); return NULL; } - /* TODO(3.0) Should we do something more with that context? */ macctx->provctx = provctx; return macctx; @@ -239,7 +238,8 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_DIGEST, NULL, 0), OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_PROPERTIES, NULL, 0), OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), - OSSL_PARAM_int(OSSL_MAC_PARAM_FLAGS, NULL), + OSSL_PARAM_int(OSSL_MAC_PARAM_DIGEST_NOINIT, NULL), + OSSL_PARAM_int(OSSL_MAC_PARAM_DIGEST_ONESHOT, NULL), OSSL_PARAM_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE, NULL), OSSL_PARAM_END }; @@ -248,6 +248,23 @@ static const OSSL_PARAM *hmac_settable_ctx_params(ossl_unused void *provctx) return known_settable_ctx_params; } +static int set_flag(const OSSL_PARAM params[], const char *key, int mask, + int *flags) +{ + const OSSL_PARAM *p = OSSL_PARAM_locate_const(params, key); + int flag = 0; + + if (p != NULL) { + if (!OSSL_PARAM_get_int(p, &flag)) + return 0; + if (flag == 0) + *flags &= ~mask; + else + *flags |= mask; + } + return 1; +} + /* * ALL parameters should be set before init(). */ @@ -256,19 +273,20 @@ static int hmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) struct hmac_data_st *macctx = vmacctx; OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx); const OSSL_PARAM *p; + int flags = 0; if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx)) return 0; - /* TODO(3.0) formalize the meaning of "flags", perhaps as other params */ - if ((p = OSSL_PARAM_locate_const(params, - OSSL_MAC_PARAM_FLAGS)) != NULL) { - int flags = 0; - - if (!OSSL_PARAM_get_int(p, &flags)) - return 0; + if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT, + &flags)) + return 0; + if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_ONESHOT, EVP_MD_CTX_FLAG_ONESHOT, + &flags)) + return 0; + if (flags) HMAC_CTX_set_flags(macctx->ctx, flags); - } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) return 0; From no-reply at appveyor.com Wed Feb 10 04:10:41 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 10 Feb 2021 04:10:41 +0000 Subject: Build failed: openssl master.39739 Message-ID: <20210210041041.1.7172F47190F5EBE6@appveyor.com> An HTML attachment was scrubbed... URL: From kaduk at mit.edu Wed Feb 10 06:15:03 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Wed, 10 Feb 2021 06:15:03 +0000 Subject: [openssl] master update Message-ID: <1612937703.602939.28241.nullmailer@dev.openssl.org> The branch master has been updated via 3bc0b621a7baf1a11bc5cad69a287ad093674d68 (commit) from af53092c2b67a8a0b76ae73385414cb1815ea7cc (commit) - Log ----------------------------------------------------------------- commit 3bc0b621a7baf1a11bc5cad69a287ad093674d68 Author: Benjamin Kaduk Date: Wed Jan 27 12:19:08 2021 -0800 Remove unused 'peer_type' from SSL_SESSION This field has not been used since #3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/13991) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_local.h | 1 - ssl/statem/statem_clnt.c | 1 - 2 files changed, 2 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 5956b6c834..2687a47c2a 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -585,7 +585,6 @@ struct ssl_session_st { int not_resumable; /* This is the cert and type for the other end. */ X509 *peer; - int peer_type; /* Certificate chain peer sent. */ STACK_OF(X509) *peer_chain; /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 1e9ab00976..83862e076d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1916,7 +1916,6 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) return WORK_ERROR; } } - s->session->peer_type = certidx; X509_free(s->session->peer); X509_up_ref(x); From kaduk at mit.edu Wed Feb 10 06:20:35 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Wed, 10 Feb 2021 06:20:35 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1612938035.524526.30499.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via ee833fe9c325ecacc15b1f4e6c931f69aac0664e (commit) from b5aff22ac90623afeb0c74b36096f85eff5bc2b9 (commit) - Log ----------------------------------------------------------------- commit ee833fe9c325ecacc15b1f4e6c931f69aac0664e Author: Benjamin Kaduk Date: Wed Jan 27 12:19:08 2021 -0800 Remove unused 'peer_type' from SSL_SESSION This field has not been used since #3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/13991) (cherry picked from commit 3bc0b621a7baf1a11bc5cad69a287ad093674d68) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_local.h | 1 - ssl/statem/statem_clnt.c | 1 - 2 files changed, 2 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 8ddbde7729..3f02751dde 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -537,7 +537,6 @@ struct ssl_session_st { int not_resumable; /* This is the cert and type for the other end. */ X509 *peer; - int peer_type; /* Certificate chain peer sent. */ STACK_OF(X509) *peer_chain; /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 3420ce65c7..d68cd1f9d7 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1960,7 +1960,6 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) goto err; } } - s->session->peer_type = certidx; X509_free(s->session->peer); X509_up_ref(x); From matt at openssl.org Wed Feb 10 09:28:47 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 10 Feb 2021 09:28:47 +0000 Subject: [openssl] master update Message-ID: <1612949327.140852.992.nullmailer@dev.openssl.org> The branch master has been updated via dfcfd17f2818cf520ce6381aed9ec3d2fc12170d (commit) from 3bc0b621a7baf1a11bc5cad69a287ad093674d68 (commit) - Log ----------------------------------------------------------------- commit dfcfd17f2818cf520ce6381aed9ec3d2fc12170d Author: Oleksandr Tymoshenko Date: Sun Dec 20 11:01:53 2020 -0800 Handle partial data re-sending on ktls/sendfile on FreeBSD Add a handler for EBUSY sendfile error in addition to EAGAIN. With EBUSY returned the data still can be partially sent and user code has to be notified about it, otherwise it may try to send data multiple times. Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13716) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_write.pod | 3 ++- include/internal/ktls.h | 9 +++------ 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/doc/man3/SSL_write.pod b/doc/man3/SSL_write.pod index 06bd368c46..9a5a6f0744 100644 --- a/doc/man3/SSL_write.pod +++ b/doc/man3/SSL_write.pod @@ -120,7 +120,8 @@ For SSL_sendfile(), the following return values can occur: =item Z<>>= 0 The write operation was successful, the return value is the number -of bytes of the file written to the TLS/SSL connection. +of bytes of the file written to the TLS/SSL connection. The return +value can be less than B for a partial write. =item E 0 diff --git a/include/internal/ktls.h b/include/internal/ktls.h index 135f953ca2..1f486e7b48 100644 --- a/include/internal/ktls.h +++ b/include/internal/ktls.h @@ -192,15 +192,12 @@ static ossl_inline int ktls_read_record(int fd, void *data, size_t length) static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, size_t size, int flags) { - off_t sbytes; + off_t sbytes = 0; int ret; ret = sendfile(fd, s, off, size, NULL, &sbytes, flags); - if (ret == -1) { - if (errno == EAGAIN && sbytes != 0) - return sbytes; - return -1; - } + if (ret == -1 && sbytes == 0) + return -1; return sbytes; } From no-reply at appveyor.com Wed Feb 10 12:46:27 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 10 Feb 2021 12:46:27 +0000 Subject: Build failed: openssl master.39751 Message-ID: <20210210124627.1.327CF57C2EF4418C@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Feb 10 14:13:30 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 10 Feb 2021 14:13:30 +0000 Subject: Build completed: openssl master.39752 Message-ID: <20210210141330.1.CB32A6AA854C9A9B@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Wed Feb 10 22:16:53 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 10 Feb 2021 22:16:53 +0000 Subject: [openssl] master update Message-ID: <1612995413.719261.28729.nullmailer@dev.openssl.org> The branch master has been updated via 835f3526a259947463286bf6e082134af2ab7d49 (commit) from dfcfd17f2818cf520ce6381aed9ec3d2fc12170d (commit) - Log ----------------------------------------------------------------- commit 835f3526a259947463286bf6e082134af2ab7d49 Author: Pauli Date: Tue Feb 9 18:32:32 2021 +1000 test: turn off parallel tests in verbose mode. The existing code prints a warning saying that verbose mode is ignored with parallel jobs. This seems backward, more useful is disabling parallel jobs when verbose is enabled. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14137) ----------------------------------------------------------------------- Summary of changes: test/run_tests.pl | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/test/run_tests.pl b/test/run_tests.pl index 2be4e607a0..8e50d1bc90 100644 --- a/test/run_tests.pl +++ b/test/run_tests.pl @@ -46,8 +46,14 @@ my %tapargs = merge => 1, ); -$tapargs{jobs} = $jobs if $jobs > 1; -print "Using HARNESS_JOBS=$jobs\n" if $jobs > 1; +if ($jobs > 1) { + if ($ENV{HARNESS_VERBOSE}) { + print "Warning: HARNESS_JOBS > 1 ignored with HARNESS_VERBOSE\n"; + } else { + $tapargs{jobs} = $jobs; + print "Using HARNESS_JOBS=$jobs\n"; + } +} # Additional OpenSSL special TAP arguments. Because we can't pass them via # TAP::Harness->new(), they will be accessed directly, see the @@ -57,8 +63,6 @@ my %openssl_args = (); $openssl_args{'failure_verbosity'} = $ENV{HARNESS_VERBOSE} ? 0 : $ENV{HARNESS_VERBOSE_FAILURE_PROGRESS} ? 2 : 1; # $ENV{HARNESS_VERBOSE_FAILURE} -print "Warning: HARNESS_JOBS > 1 overrides HARNESS_VERBOSE\n" - if $jobs > 1 && $ENV{HARNESS_VERBOSE}; print "Warning: HARNESS_VERBOSE overrides HARNESS_VERBOSE_FAILURE*\n" if ($ENV{HARNESS_VERBOSE} && ($ENV{HARNESS_VERBOSE_FAILURE} || $ENV{HARNESS_VERBOSE_FAILURE_PROGRESS})); From matthias.st.pierre at ncp-e.com Wed Feb 10 22:21:57 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Wed, 10 Feb 2021 22:21:57 +0000 Subject: [openssl] master update Message-ID: <1612995717.736384.31326.nullmailer@dev.openssl.org> The branch master has been updated via 3a111aadc3d24e0f325497f830a59295d0616e98 (commit) via d59068bd145ad6def4cd0cff2ea2acae28543e8a (commit) via 80ce21fe1a425738eb0151ef9fdb975ba3050273 (commit) from 835f3526a259947463286bf6e082134af2ab7d49 (commit) - Log ----------------------------------------------------------------- commit 3a111aadc3d24e0f325497f830a59295d0616e98 Author: FdaSilvaYY Date: Sat Feb 6 22:14:03 2021 +0100 include/internal: add a few missing #pragma once directives Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14096) commit d59068bd145ad6def4cd0cff2ea2acae28543e8a Author: FdaSilvaYY Date: Sat Feb 6 22:13:21 2021 +0100 include/openssl: add a few missing #pragma once directives Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14096) commit 80ce21fe1a425738eb0151ef9fdb975ba3050273 Author: FdaSilvaYY Date: Sat Feb 6 22:36:46 2021 +0100 include/crypto: add a few missing #pragma once directives Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14096) ----------------------------------------------------------------------- Summary of changes: crypto/objects/obj_compat.h | 2 +- crypto/objects/objects.pl | 9 +++++++++ include/crypto/aes_platform.h | 1 + include/crypto/aria.h | 1 + include/crypto/asn1.h | 8 +++++++- include/crypto/asn1_dsa.h | 1 + include/crypto/async.h | 7 ++++++- include/crypto/bn.h | 1 + include/crypto/bn_conf.h.in | 1 + include/crypto/chacha.h | 1 + include/crypto/cmll_platform.h | 1 + include/crypto/cms.h | 8 +++++++- include/crypto/cryptlib.h | 10 ++++++++-- include/crypto/ctype.h | 1 + include/crypto/decoder.h | 1 + include/crypto/des_platform.h | 1 + include/crypto/dh.h | 14 ++++++++++---- include/crypto/dsa.h | 12 +++++++++--- include/crypto/dso_conf.h.in | 2 ++ include/crypto/ec.h | 2 ++ include/crypto/ecx.h | 2 ++ include/crypto/err.h | 1 + include/crypto/ess.h | 6 ++++++ include/crypto/evp.h | 27 +++++++++++++++++---------- include/crypto/lhash.h | 3 ++- include/crypto/pem.h | 1 + include/crypto/pkcs7.h | 6 ++++++ include/crypto/poly1305.h | 6 ++++++ include/crypto/punycode.h | 2 +- include/crypto/rand.h | 1 + include/crypto/rand_pool.h | 1 + include/crypto/rsa.h | 1 + include/crypto/security_bits.h | 1 + include/crypto/sha.h | 1 + include/crypto/siphash.h | 16 +++++++++++----- include/crypto/sm2.h | 2 ++ include/crypto/sm4.h | 1 + include/crypto/sparse_array.h | 1 + include/crypto/store.h | 1 + include/crypto/x509.h | 12 +++++++++--- include/internal/asn1.h | 1 + include/internal/bio.h | 9 +++++---- include/internal/conf.h | 5 +++-- include/internal/constant_time.h | 1 + include/internal/core.h | 1 + include/internal/cryptlib.h | 1 + include/internal/dane.h | 3 ++- include/internal/deprecated.h | 1 + include/internal/dso.h | 1 + include/internal/endian.h | 1 + include/internal/err.h | 1 + include/internal/ffc.h | 1 + include/internal/ktls.h | 2 ++ include/internal/nelem.h | 1 + include/internal/numbers.h | 1 + include/internal/o_dir.h | 1 + include/internal/packet.h | 1 + include/internal/param_build_set.h | 10 ++++++++-- include/internal/passphrase.h | 1 + include/internal/property.h | 3 ++- include/internal/provider.h | 1 + include/internal/refcount.h | 1 + include/internal/sha3.h | 1 + include/internal/sizes.h | 1 + include/internal/sm3.h | 1 + include/internal/sockets.h | 1 + include/internal/sslconf.h | 1 + include/internal/symhacks.h | 1 + include/internal/thread_once.h | 23 ++++++++++++++--------- include/internal/tlsgroups.h | 1 + include/openssl/cmp_util.h | 1 + include/openssl/configuration.h.in | 1 + include/openssl/core.h | 1 + include/openssl/core_dispatch.h | 1 + include/openssl/core_names.h | 1 + include/openssl/core_object.h | 1 + include/openssl/crypto.h.in | 1 - include/openssl/ess.h.in | 8 +++++--- include/openssl/fips_names.h | 1 + include/openssl/fipskey.h.in | 1 + include/openssl/kdferr.h | 6 ++++++ include/openssl/macros.h | 6 ++++-- include/openssl/obj_mac.h | 8 +++++++- include/openssl/opensslconf.h | 5 +++-- include/openssl/param_build.h | 17 +++++++++++++++-- include/openssl/params.h | 1 + include/openssl/provider.h | 1 + include/openssl/self_test.h | 1 + include/openssl/trace.h | 1 + include/openssl/types.h | 7 ++++--- 90 files changed, 258 insertions(+), 66 deletions(-) diff --git a/crypto/objects/obj_compat.h b/crypto/objects/obj_compat.h index 68d1d73307..cbe4438695 100644 --- a/crypto/objects/obj_compat.h +++ b/crypto/objects/obj_compat.h @@ -43,4 +43,4 @@ #define SN_grasshopper_mac SN_kuznyechik_mac #define NID_grasshopper_mac NID_kuznyechik_mac -#endif +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ diff --git a/crypto/objects/objects.pl b/crypto/objects/objects.pl index 5edf26ec0d..62e34aa52f 100644 --- a/crypto/objects/objects.pl +++ b/crypto/objects/objects.pl @@ -144,6 +144,10 @@ print <<"EOF"; * https://www.openssl.org/source/license.html */ +#ifndef OPENSSL_OBJ_MAC_H +# define OPENSSL_OBJ_MAC_H +# pragma once + #define SN_undef "UNDEF" #define LN_undef "undefined" #define NID_undef 0 @@ -169,6 +173,11 @@ foreach (sort { $a <=> $b } keys %ordern) print expand("#define OBJ_$Cname\t\t$obj{$Cname}\n") if $obj{$Cname} ne ""; } +print < diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h index 72844126ec..7d9dec10db 100644 --- a/include/crypto/asn1.h +++ b/include/crypto/asn1.h @@ -7,7 +7,11 @@ * https://www.openssl.org/source/license.html */ -#include +#ifndef OSSL_CRYPTO_ASN1_H +# define OSSL_CRYPTO_ASN1_H +# pragma once + +# include /* Internal ASN1 structures and functions: not for application use */ @@ -139,3 +143,5 @@ const EVP_MD *x509_algor_get_md(X509_ALGOR *alg); X509_ALGOR *x509_algor_mgf1_decode(X509_ALGOR *alg); int x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md); int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm); + +#endif /* ndef OSSL_CRYPTO_ASN1_H */ diff --git a/include/crypto/asn1_dsa.h b/include/crypto/asn1_dsa.h index df6ca0fe9c..4d2399a45f 100644 --- a/include/crypto/asn1_dsa.h +++ b/include/crypto/asn1_dsa.h @@ -9,6 +9,7 @@ #ifndef OSSL_CRYPTO_ASN1_DSA_H # define OSSL_CRYPTO_ASN1_DSA_H +# pragma once #include "internal/packet.h" diff --git a/include/crypto/async.h b/include/crypto/async.h index e9a89da314..691148858c 100644 --- a/include/crypto/async.h +++ b/include/crypto/async.h @@ -7,8 +7,13 @@ * https://www.openssl.org/source/license.html */ -#include +#ifndef OSSL_CRYPTO_ASYNC_H +# define OSSL_CRYPTO_ASYNC_H +# pragma once + +# include int async_init(void); void async_deinit(void); +#endif diff --git a/include/crypto/bn.h b/include/crypto/bn.h index 4060541886..730854d7e1 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -9,6 +9,7 @@ #ifndef OSSL_CRYPTO_BN_H # define OSSL_CRYPTO_BN_H +# pragma once # include # include diff --git a/include/crypto/bn_conf.h.in b/include/crypto/bn_conf.h.in index c8fdf36cae..9d244d52a3 100644 --- a/include/crypto/bn_conf.h.in +++ b/include/crypto/bn_conf.h.in @@ -10,6 +10,7 @@ #ifndef OSSL_CRYPTO_BN_CONF_H # define OSSL_CRYPTO_BN_CONF_H +# pragma once /* * The contents of this file are not used in the UEFI build, as diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h index 77cfd3b281..b789515b7e 100644 --- a/include/crypto/chacha.h +++ b/include/crypto/chacha.h @@ -9,6 +9,7 @@ #ifndef OSSL_CRYPTO_CHACHA_H #define OSSL_CRYPTO_CHACHA_H +# pragma once #include diff --git a/include/crypto/cmll_platform.h b/include/crypto/cmll_platform.h index c82cf9f961..34fac61f07 100644 --- a/include/crypto/cmll_platform.h +++ b/include/crypto/cmll_platform.h @@ -9,6 +9,7 @@ #ifndef OSSL_CMLL_PLATFORM_H # define OSSL_CMLL_PLATFORM_H +# pragma once # if defined(CMLL_ASM) && (defined(__sparc) || defined(__sparc__)) diff --git a/include/crypto/cms.h b/include/crypto/cms.h index 67263fa886..5a58407a11 100644 --- a/include/crypto/cms.h +++ b/include/crypto/cms.h @@ -7,7 +7,11 @@ * https://www.openssl.org/source/license.html */ -#ifndef OPENSSL_NO_CMS +#ifndef OSSL_CRYPTO_CMS_H +# define OSSL_CRYPTO_CMS_H +# pragma once + +# ifndef OPENSSL_NO_CMS /* internal CMS-ESS related stuff */ @@ -18,4 +22,6 @@ int cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 **psc); int cms_signerinfo_get_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT **psc); +# endif /* OPENSSL_NO_CMS */ + #endif diff --git a/include/crypto/cryptlib.h b/include/crypto/cryptlib.h index 8fd04fa16f..d70cd78415 100644 --- a/include/crypto/cryptlib.h +++ b/include/crypto/cryptlib.h @@ -7,8 +7,12 @@ * https://www.openssl.org/source/license.html */ -#include -#include "internal/cryptlib.h" +#ifndef OSSL_CRYPTO_CRYPTLIB_H +# define OSSL_CRYPTO_CRYPTLIB_H +# pragma once + +# include +# include "internal/cryptlib.h" /* This file is not scanned by mkdef.pl, whereas cryptlib.h is */ @@ -32,3 +36,5 @@ void ossl_malloc_setup_failures(void); int ossl_crypto_alloc_ex_data_intern(int class_index, void *obj, CRYPTO_EX_DATA *ad, int idx); + +#endif /* OSSL_CRYPTO_CRYPTLIB_H */ diff --git a/include/crypto/ctype.h b/include/crypto/ctype.h index f3ab678e14..7117281215 100644 --- a/include/crypto/ctype.h +++ b/include/crypto/ctype.h @@ -20,6 +20,7 @@ */ #ifndef OSSL_CRYPTO_CTYPE_H # define OSSL_CRYPTO_CTYPE_H +# pragma once # define CTYPE_MASK_lower 0x1 # define CTYPE_MASK_upper 0x2 diff --git a/include/crypto/decoder.h b/include/crypto/decoder.h index f19e8bf841..5d055fecd8 100644 --- a/include/crypto/decoder.h +++ b/include/crypto/decoder.h @@ -9,6 +9,7 @@ #ifndef OSSL_CRYPTO_DECODER_H # define OSSL_CRYPTO_DECODER_H +# pragma once # include diff --git a/include/crypto/des_platform.h b/include/crypto/des_platform.h index 28e319f50e..18bd2f8afd 100644 --- a/include/crypto/des_platform.h +++ b/include/crypto/des_platform.h @@ -9,6 +9,7 @@ #ifndef OSSL_DES_PLATFORM_H # define OSSL_DES_PLATFORM_H +# pragma once # if defined(DES_ASM) && (defined(__sparc) || defined(__sparc__)) diff --git a/include/crypto/dh.h b/include/crypto/dh.h index 290cc7c0d2..91a2db263a 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -7,10 +7,14 @@ * https://www.openssl.org/source/license.html */ -#include -#include -#include -#include "internal/ffc.h" +#ifndef OSSL_CRYPTO_DH_H +# define OSSL_CRYPTO_DH_H +# pragma once + +# include +# include +# include +# include "internal/ffc.h" DH *dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid); DH *dh_new_ex(OSSL_LIB_CTX *libctx); @@ -46,3 +50,5 @@ int dh_KDF_X9_42_asn1(unsigned char *out, size_t outlen, const char *cek_alg, const unsigned char *ukm, size_t ukmlen, const EVP_MD *md, OSSL_LIB_CTX *libctx, const char *propq); + +#endif /* OSSL_CRYPTO_DH_H */ diff --git a/include/crypto/dsa.h b/include/crypto/dsa.h index 775a83c1ea..8d282ab188 100644 --- a/include/crypto/dsa.h +++ b/include/crypto/dsa.h @@ -7,9 +7,13 @@ * https://www.openssl.org/source/license.html */ -#include -#include -#include "internal/ffc.h" +#ifndef OSSL_CRYPTO_DSAERR_H +# define OSSL_CRYPTO_DSAERR_H +# pragma once + +# include +# include +# include "internal/ffc.h" #define DSA_PARAMGEN_TYPE_FIPS_186_4 0 /* Use FIPS186-4 standard */ #define DSA_PARAMGEN_TYPE_FIPS_186_2 1 /* Use legacy FIPS186-2 standard */ @@ -34,3 +38,5 @@ int dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret); int dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret); int dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret); int dsa_check_pairwise(const DSA *dsa); + +#endif diff --git a/include/crypto/dso_conf.h.in b/include/crypto/dso_conf.h.in index fd0e16b3f9..eba3deba66 100644 --- a/include/crypto/dso_conf.h.in +++ b/include/crypto/dso_conf.h.in @@ -10,6 +10,8 @@ #ifndef OSSL_CRYPTO_DSO_CONF_H # define OSSL_CRYPTO_DSO_CONF_H +# pragma once + {- # The DSO code currently always implements all functions so that no # applications will have to worry about that from a compilation point # of view. However, the "method"s may return zero unless that platform diff --git a/include/crypto/ec.h b/include/crypto/ec.h index 80f76d69bd..682311b26d 100644 --- a/include/crypto/ec.h +++ b/include/crypto/ec.h @@ -11,6 +11,8 @@ #ifndef OSSL_CRYPTO_EC_H # define OSSL_CRYPTO_EC_H +# pragma once + # include # include diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index df04cdb562..663cdfc566 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -11,6 +11,8 @@ #ifndef OSSL_CRYPTO_ECX_H # define OSSL_CRYPTO_ECX_H +# pragma once + # include # ifndef OPENSSL_NO_EC diff --git a/include/crypto/err.h b/include/crypto/err.h index b59367e8cb..9e72b5640c 100644 --- a/include/crypto/err.h +++ b/include/crypto/err.h @@ -9,6 +9,7 @@ #ifndef OSSL_CRYPTO_ERR_H # define OSSL_CRYPTO_ERR_H +# pragma once int err_load_ERR_strings_int(void); int err_load_crypto_strings_int(void); diff --git a/include/crypto/ess.h b/include/crypto/ess.h index 6ae9a8180b..74833f29a7 100644 --- a/include/crypto/ess.h +++ b/include/crypto/ess.h @@ -7,6 +7,10 @@ * https://www.openssl.org/source/license.html */ +#ifndef OSSL_CRYPTO_ESS_H +# define OSSL_CRYPTO_ESS_H +# pragma once + /* internal ESS related stuff */ ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si); @@ -89,3 +93,5 @@ struct ESS_signing_cert_v2_st { STACK_OF(ESS_CERT_ID_V2) *cert_ids; STACK_OF(POLICYINFO) *policy_info; }; + +#endif /* OSSL_CRYPTO_ESS_H */ diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 60f07c7cf7..b78535aed0 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -7,10 +7,14 @@ * https://www.openssl.org/source/license.html */ -#include -#include -#include "internal/refcount.h" -#include "crypto/ecx.h" +#ifndef OSSL_CRYPTO_EVP_H +# define OSSL_CRYPTO_EVP_H +# pragma once + +# include +# include +# include "internal/refcount.h" +# include "crypto/ecx.h" /* * Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag @@ -793,10 +797,10 @@ int evp_keymgmt_copy(const EVP_KEYMGMT *keymgmt, /* Pulling defines out of C source files */ -#define EVP_RC4_KEY_SIZE 16 -#ifndef TLS1_1_VERSION -# define TLS1_1_VERSION 0x0302 -#endif +# define EVP_RC4_KEY_SIZE 16 +# ifndef TLS1_1_VERSION +# define TLS1_1_VERSION 0x0302 +# endif void evp_encode_ctx_set_flags(EVP_ENCODE_CTX *ctx, unsigned int flags); @@ -816,7 +820,7 @@ int pkcs5_pbkdf2_hmac_ex(const char *pass, int passlen, const EVP_MD *digest, int keylen, unsigned char *out, OSSL_LIB_CTX *libctx, const char *propq); -#ifndef FIPS_MODULE +# ifndef FIPS_MODULE /* * Internal helpers for stricter EVP_PKEY_CTX_{set,get}_params(). * @@ -842,9 +846,12 @@ int evp_pkey_ctx_get1_id_prov(EVP_PKEY_CTX *ctx, void *id); int evp_pkey_ctx_get1_id_len_prov(EVP_PKEY_CTX *ctx, size_t *id_len); int evp_pkey_ctx_use_cached_data(EVP_PKEY_CTX *ctx); -#endif /* !defined(FIPS_MODULE) */ +# endif /* !defined(FIPS_MODULE) */ + void evp_method_store_flush(OSSL_LIB_CTX *libctx); int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq, int loadconfig); void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force); + +#endif /* OSSL_CRYPTO_EVP_H */ diff --git a/include/crypto/lhash.h b/include/crypto/lhash.h index 9629936262..d7bd2c137f 100644 --- a/include/crypto/lhash.h +++ b/include/crypto/lhash.h @@ -9,7 +9,8 @@ #ifndef OSSL_CRYPTO_LHASH_H # define OSSL_CRYPTO_LHASH_H +# pragma once unsigned long openssl_lh_strcasehash(const char *); -#endif +#endif /* OSSL_CRYPTO_LHASH_H */ diff --git a/include/crypto/pem.h b/include/crypto/pem.h index e3ec8b24cb..24e4787acc 100644 --- a/include/crypto/pem.h +++ b/include/crypto/pem.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_PEM_H # define OSSL_INTERNAL_PEM_H +# pragma once # include diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 60e01e5c39..17bb3cd72c 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -7,4 +7,10 @@ * https://www.openssl.org/source/license.html */ +#ifndef OSSL_CRYPTO_PKCS7_H +# define OSSL_CRYPTO_PKCS7_H +# pragma once + void pkcs7_resolve_libctx(PKCS7 *p7); + +#endif diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h index a73c2311d4..86317bcf8a 100644 --- a/include/crypto/poly1305.h +++ b/include/crypto/poly1305.h @@ -7,6 +7,10 @@ * https://www.openssl.org/source/license.html */ +#ifndef OSSL_CRYPTO_POLY1305_H +# define OSSL_CRYPTO_POLY1305_H +# pragma once + #include #define POLY1305_BLOCK_SIZE 16 @@ -38,3 +42,5 @@ size_t Poly1305_ctx_size(void); void Poly1305_Init(POLY1305 *ctx, const unsigned char key[32]); void Poly1305_Update(POLY1305 *ctx, const unsigned char *inp, size_t len); void Poly1305_Final(POLY1305 *ctx, unsigned char mac[16]); + +#endif /* OSSL_CRYPTO_POLY1305_H */ diff --git a/include/crypto/punycode.h b/include/crypto/punycode.h index ab31494060..5b3074a348 100644 --- a/include/crypto/punycode.h +++ b/include/crypto/punycode.h @@ -9,7 +9,7 @@ #ifndef OSSL_CRYPTO_PUNYCODE_H # define OSSL_CRYPTO_PUNYCODE_H - +# pragma once int ossl_punycode_decode ( const char *pEncoded, diff --git a/include/crypto/rand.h b/include/crypto/rand.h index c870245521..89505aa0ed 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -17,6 +17,7 @@ #ifndef OSSL_CRYPTO_RAND_H # define OSSL_CRYPTO_RAND_H +# pragma once # include # include "crypto/rand_pool.h" diff --git a/include/crypto/rand_pool.h b/include/crypto/rand_pool.h index 9c5c92e365..26e65c0436 100644 --- a/include/crypto/rand_pool.h +++ b/include/crypto/rand_pool.h @@ -9,6 +9,7 @@ #ifndef OSSL_PROVIDER_RAND_POOL_H # define OSSL_PROVIDER_RAND_POOL_H +# pragma once # include # include diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 599978dc3b..62087b347e 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_RSA_H # define OSSL_INTERNAL_RSA_H +# pragma once # include # include diff --git a/include/crypto/security_bits.h b/include/crypto/security_bits.h index c62d89bcb8..90cb7d625f 100644 --- a/include/crypto/security_bits.h +++ b/include/crypto/security_bits.h @@ -9,6 +9,7 @@ #ifndef OSSL_SECURITY_BITS_H # define OSSL_SECURITY_BITS_H +# pragma once uint16_t ifc_ffc_compute_security_bits(int n); diff --git a/include/crypto/sha.h b/include/crypto/sha.h index 9a86599984..7c0276a23a 100644 --- a/include/crypto/sha.h +++ b/include/crypto/sha.h @@ -10,6 +10,7 @@ #ifndef OSSL_CRYPTO_SHA_H # define OSSL_CRYPTO_SHA_H +# pragma once # include diff --git a/include/crypto/siphash.h b/include/crypto/siphash.h index 1575141c40..bb4d614998 100644 --- a/include/crypto/siphash.h +++ b/include/crypto/siphash.h @@ -7,12 +7,16 @@ * https://www.openssl.org/source/license.html */ -#include +#ifndef OSSL_CRYPTO_SIPHASH_H +# define OSSL_CRYPTO_SIPHASH_H +# pragma once -#define SIPHASH_BLOCK_SIZE 8 -#define SIPHASH_KEY_SIZE 16 -#define SIPHASH_MIN_DIGEST_SIZE 8 -#define SIPHASH_MAX_DIGEST_SIZE 16 +# include + +# define SIPHASH_BLOCK_SIZE 8 +# define SIPHASH_KEY_SIZE 16 +# define SIPHASH_MIN_DIGEST_SIZE 8 +# define SIPHASH_MAX_DIGEST_SIZE 16 typedef struct siphash_st SIPHASH; @@ -23,3 +27,5 @@ int SipHash_Init(SIPHASH *ctx, const unsigned char *k, int crounds, int drounds); void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen); int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen); + +#endif diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h index 78fd4dbc13..2bd0af03d6 100644 --- a/include/crypto/sm2.h +++ b/include/crypto/sm2.h @@ -11,6 +11,8 @@ #ifndef OSSL_CRYPTO_SM2_H # define OSSL_CRYPTO_SM2_H +# pragma once + # include # ifndef OPENSSL_NO_SM2 diff --git a/include/crypto/sm4.h b/include/crypto/sm4.h index fb5253d857..87be6daa91 100644 --- a/include/crypto/sm4.h +++ b/include/crypto/sm4.h @@ -10,6 +10,7 @@ #ifndef OSSL_CRYPTO_SM4_H # define OSSL_CRYPTO_SM4_H +# pragma once # include # include diff --git a/include/crypto/sparse_array.h b/include/crypto/sparse_array.h index a8031cd3f1..ee49105167 100644 --- a/include/crypto/sparse_array.h +++ b/include/crypto/sparse_array.h @@ -10,6 +10,7 @@ #ifndef OSSL_CRYPTO_SPARSE_ARRAY_H # define OSSL_CRYPTO_SPARSE_ARRAY_H +# pragma once # include diff --git a/include/crypto/store.h b/include/crypto/store.h index 8bd2bc022f..72d5a01a96 100644 --- a/include/crypto/store.h +++ b/include/crypto/store.h @@ -9,6 +9,7 @@ #ifndef OSSL_CRYPTO_STORE_H # define OSSL_CRYPTO_STORE_H +# pragma once # include # include diff --git a/include/crypto/x509.h b/include/crypto/x509.h index 542a3d6e60..93cb814017 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -7,9 +7,13 @@ * https://www.openssl.org/source/license.html */ -#include "internal/refcount.h" -#include -#include +#ifndef OSSL_CRYPTO_X509_H +# define OSSL_CRYPTO_X509_H +# pragma once + +# include "internal/refcount.h" +# include +# include /* Internal X509 structures and functions: not for application use */ @@ -320,3 +324,5 @@ int X509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq, const X509_PUBKEY *key); /* Calculate default key identifier according to RFC 5280 section 4.2.1.2 (1) */ ASN1_OCTET_STRING *x509_pubkey_hash(X509_PUBKEY *pubkey); + +#endif diff --git a/include/internal/asn1.h b/include/internal/asn1.h index 8448786919..36d90e22b1 100644 --- a/include/internal/asn1.h +++ b/include/internal/asn1.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_ASN1_H # define OSSL_INTERNAL_ASN1_H +# pragma once int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb); diff --git a/include/internal/bio.h b/include/internal/bio.h index 2fb0d5cb76..12782c85a2 100644 --- a/include/internal/bio.h +++ b/include/internal/bio.h @@ -9,8 +9,9 @@ #ifndef OSSL_INTERNAL_BIO_H # define OSSL_INTERNAL_BIO_H +# pragma once -#include +# include struct bio_method_st { int type; @@ -62,11 +63,11 @@ int bread_conv(BIO *bio, char *data, size_t datal, size_t *read); # define BIO_clear_ktls_ctrl_msg_flag(b) \ BIO_clear_flags(b, BIO_FLAGS_KTLS_TX_CTRL_MSG) -# define BIO_set_ktls(b, keyblob, is_tx) \ +# define BIO_set_ktls(b, keyblob, is_tx) \ BIO_ctrl(b, BIO_CTRL_SET_KTLS, is_tx, keyblob) -# define BIO_set_ktls_ctrl_msg(b, record_type) \ +# define BIO_set_ktls_ctrl_msg(b, record_type) \ BIO_ctrl(b, BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG, record_type, NULL) -# define BIO_clear_ktls_ctrl_msg(b) \ +# define BIO_clear_ktls_ctrl_msg(b) \ BIO_ctrl(b, BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG, 0, NULL) #endif diff --git a/include/internal/conf.h b/include/internal/conf.h index 1e7ab2cedf..44043613a4 100644 --- a/include/internal/conf.h +++ b/include/internal/conf.h @@ -9,10 +9,11 @@ #ifndef OSSL_INTERNAL_CONF_H # define OSSL_INTERNAL_CONF_H +# pragma once -#include +# include -#define DEFAULT_CONF_MFLAGS \ +# define DEFAULT_CONF_MFLAGS \ (CONF_MFLAGS_DEFAULT_SECTION | \ CONF_MFLAGS_IGNORE_MISSING_FILE | \ CONF_MFLAGS_IGNORE_RETURN_CODES) diff --git a/include/internal/constant_time.h b/include/internal/constant_time.h index dc75e31df1..b50b10ba80 100644 --- a/include/internal/constant_time.h +++ b/include/internal/constant_time.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_CONSTANT_TIME_H # define OSSL_INTERNAL_CONSTANT_TIME_H +# pragma once # include # include diff --git a/include/internal/core.h b/include/internal/core.h index 8499f35794..75bcfeb4e8 100644 --- a/include/internal/core.h +++ b/include/internal/core.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_CORE_H # define OSSL_INTERNAL_CORE_H +# pragma once /* * namespaces: diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h index 93dedda94c..5145178dee 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_CRYPTLIB_H # define OSSL_INTERNAL_CRYPTLIB_H +# pragma once # include # include diff --git a/include/internal/dane.h b/include/internal/dane.h index d9bae2b9f7..6639d2d97f 100644 --- a/include/internal/dane.h +++ b/include/internal/dane.h @@ -9,8 +9,9 @@ #ifndef OSSL_INTERNAL_DANE_H #define OSSL_INTERNAL_DANE_H +# pragma once -#include +# include /*- * Certificate usages: diff --git a/include/internal/deprecated.h b/include/internal/deprecated.h index 16b0751275..a6de395702 100644 --- a/include/internal/deprecated.h +++ b/include/internal/deprecated.h @@ -18,6 +18,7 @@ #ifndef OSSL_INTERNAL_DEPRECATED_H # define OSSL_INTERNAL_DEPRECATED_H +# pragma once # include diff --git a/include/internal/dso.h b/include/internal/dso.h index ec58926f72..d04a1c166e 100644 --- a/include/internal/dso.h +++ b/include/internal/dso.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_DSO_H # define OSSL_INTERNAL_DSO_H +# pragma once # include # include "internal/dsoerr.h" diff --git a/include/internal/endian.h b/include/internal/endian.h index b4e486da3a..01b926d0bd 100644 --- a/include/internal/endian.h +++ b/include/internal/endian.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_ENDIAN_H # define OSSL_INTERNAL_ENDIAN_H +# pragma once /* * IS_LITTLE_ENDIAN and IS_BIG_ENDIAN can be used to detect the endiannes diff --git a/include/internal/err.h b/include/internal/err.h index 8cb72ae370..d5ad9abdf4 100644 --- a/include/internal/err.h +++ b/include/internal/err.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_ERR_H # define OSSL_INTERNAL_ERR_H +# pragma once void err_free_strings_int(void); diff --git a/include/internal/ffc.h b/include/internal/ffc.h index 191f9369f1..7653b6e2fa 100644 --- a/include/internal/ffc.h +++ b/include/internal/ffc.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_FFC_H # define OSSL_INTERNAL_FFC_H +# pragma once # include # include diff --git a/include/internal/ktls.h b/include/internal/ktls.h index 1f486e7b48..dae94226d7 100644 --- a/include/internal/ktls.h +++ b/include/internal/ktls.h @@ -22,6 +22,8 @@ #ifndef HEADER_INTERNAL_KTLS # define HEADER_INTERNAL_KTLS +# pragma once + # ifndef OPENSSL_NO_KTLS # if defined(__FreeBSD__) diff --git a/include/internal/nelem.h b/include/internal/nelem.h index 0c32483fc5..f0a53c37d5 100644 --- a/include/internal/nelem.h +++ b/include/internal/nelem.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_NELEM_H # define OSSL_INTERNAL_NELEM_H +# pragma once # define OSSL_NELEM(x) (sizeof(x)/sizeof((x)[0])) #endif diff --git a/include/internal/numbers.h b/include/internal/numbers.h index db65559c6b..bade59fd89 100644 --- a/include/internal/numbers.h +++ b/include/internal/numbers.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_NUMBERS_H # define OSSL_INTERNAL_NUMBERS_H +# pragma once # include diff --git a/include/internal/o_dir.h b/include/internal/o_dir.h index 220cf173e6..90c247d65e 100644 --- a/include/internal/o_dir.h +++ b/include/internal/o_dir.h @@ -38,6 +38,7 @@ #ifndef OSSL_INTERNAL_O_DIR_H # define OSSL_INTERNAL_O_DIR_H +# pragma once typedef struct OPENSSL_dir_context_st OPENSSL_DIR_CTX; diff --git a/include/internal/packet.h b/include/internal/packet.h index 95aeb1c49f..efb1a702ef 100644 --- a/include/internal/packet.h +++ b/include/internal/packet.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_PACKET_H # define OSSL_INTERNAL_PACKET_H +# pragma once # include # include diff --git a/include/internal/param_build_set.h b/include/internal/param_build_set.h index d1f1863381..a037ab8ee1 100644 --- a/include/internal/param_build_set.h +++ b/include/internal/param_build_set.h @@ -7,8 +7,12 @@ * https://www.openssl.org/source/license.html */ -#include -#include +#ifndef OSSL_INTERNAL_PARAM_BUILD_SET_H +# define OSSL_INTERNAL_PARAM_BUILD_SET_H +# pragma once + +# include +# include int ossl_param_build_set_int(OSSL_PARAM_BLD *bld, OSSL_PARAM *p, const char *key, int num); @@ -27,3 +31,5 @@ int ossl_param_build_set_bn_pad(OSSL_PARAM_BLD *bld, OSSL_PARAM *p, int ossl_param_build_set_multi_key_bn(OSSL_PARAM_BLD *bld, OSSL_PARAM *p, const char *names[], STACK_OF(BIGNUM_const) *stk); + +#endif /* OSSL_INTERNAL_PARAM_BUILD_SET_H */ diff --git a/include/internal/passphrase.h b/include/internal/passphrase.h index 9077907d52..f2d2614132 100644 --- a/include/internal/passphrase.h +++ b/include/internal/passphrase.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_PASSPHRASE_H # define OSSL_INTERNAL_PASSPHRASE_H +# pragma once /* * This is a passphrase reader bridge with bells and whistles. diff --git a/include/internal/property.h b/include/internal/property.h index f2682a1fed..a5335110a8 100644 --- a/include/internal/property.h +++ b/include/internal/property.h @@ -10,8 +10,9 @@ #ifndef OSSL_INTERNAL_PROPERTY_H # define OSSL_INTERNAL_PROPERTY_H +# pragma once -#include "internal/cryptlib.h" +# include "internal/cryptlib.h" typedef struct ossl_method_store_st OSSL_METHOD_STORE; typedef struct ossl_property_list_st OSSL_PROPERTY_LIST; diff --git a/include/internal/provider.h b/include/internal/provider.h index 7a0fc84875..dc064fd70b 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_PROVIDER_H # define OSSL_INTERNAL_PROVIDER_H +# pragma once # include # include diff --git a/include/internal/refcount.h b/include/internal/refcount.h index 5899e8c8e1..e5c4aca167 100644 --- a/include/internal/refcount.h +++ b/include/internal/refcount.h @@ -8,6 +8,7 @@ */ #ifndef OSSL_INTERNAL_REFCOUNT_H # define OSSL_INTERNAL_REFCOUNT_H +# pragma once # include diff --git a/include/internal/sha3.h b/include/internal/sha3.h index 2fd7b20af3..f564549b59 100644 --- a/include/internal/sha3.h +++ b/include/internal/sha3.h @@ -10,6 +10,7 @@ /* TODO(3.0) Move this header into provider when dependencies are removed */ #ifndef OSSL_INTERNAL_SHA3_H # define OSSL_INTERNAL_SHA3_H +# pragma once # include # include diff --git a/include/internal/sizes.h b/include/internal/sizes.h index 00a5d3e88e..d9abb53788 100644 --- a/include/internal/sizes.h +++ b/include/internal/sizes.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_SIZES_H # define OSSL_INTERNAL_SIZES_H +# pragma once /* * Max sizes used to allocate buffers with a fixed sizes, for example for diff --git a/include/internal/sm3.h b/include/internal/sm3.h index 51bb265fff..b9b0636d01 100644 --- a/include/internal/sm3.h +++ b/include/internal/sm3.h @@ -11,6 +11,7 @@ /* TODO(3.0) Move this header into provider when dependencies are removed */ #ifndef OSSL_INTERNAL_SM3_H # define OSSL_INTERNAL_SM3_H +# pragma once # include diff --git a/include/internal/sockets.h b/include/internal/sockets.h index e86ae8a09e..5d169b631d 100644 --- a/include/internal/sockets.h +++ b/include/internal/sockets.h @@ -10,6 +10,7 @@ #ifndef OSSL_INTERNAL_SOCKETS_H # define OSSL_INTERNAL_SOCKETS_H +# pragma once # if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) # define NO_SYS_PARAM_H diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h index 9e635da98a..2c2044c104 100644 --- a/include/internal/sslconf.h +++ b/include/internal/sslconf.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_SSLCONF_H # define OSSL_INTERNAL_SSLCONF_H +# pragma once typedef struct ssl_conf_cmd_st SSL_CONF_CMD; diff --git a/include/internal/symhacks.h b/include/internal/symhacks.h index 6a5a1875ff..425b644d3a 100644 --- a/include/internal/symhacks.h +++ b/include/internal/symhacks.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_SYMHACKS_H # define OSSL_INTERNAL_SYMHACKS_H +# pragma once # include diff --git a/include/internal/thread_once.h b/include/internal/thread_once.h index 7b72700a3f..d6cb2eeec3 100644 --- a/include/internal/thread_once.h +++ b/include/internal/thread_once.h @@ -7,7 +7,11 @@ * https://www.openssl.org/source/license.html */ -#include +#ifndef OSSL_INTERNAL_THREAD_ONCE_H +# define OSSL_INTERNAL_THREAD_ONCE_H +# pragma once + +# include /* * Initialisation of global data should never happen via "RUN_ONCE" inside the @@ -15,7 +19,7 @@ * OSSL_LIB_CTX object. In this way data will get cleaned up correctly when the * module gets unloaded. */ -#if !defined(FIPS_MODULE) || defined(ALLOW_RUN_ONCE_IN_FIPS) +# if !defined(FIPS_MODULE) || defined(ALLOW_RUN_ONCE_IN_FIPS) /* * DEFINE_RUN_ONCE: Define an initialiser function that should be run exactly * once. It takes no arguments and returns an int result (1 for success or @@ -30,7 +34,7 @@ * return 0; * } */ -# define DEFINE_RUN_ONCE(init) \ +# define DEFINE_RUN_ONCE(init) \ static int init(void); \ int init##_ossl_ret_ = 0; \ void init##_ossl_(void) \ @@ -43,7 +47,7 @@ * DECLARE_RUN_ONCE: Declare an initialiser function that should be run exactly * once that has been defined in another file via DEFINE_RUN_ONCE(). */ -# define DECLARE_RUN_ONCE(init) \ +# define DECLARE_RUN_ONCE(init) \ extern int init##_ossl_ret_; \ void init##_ossl_(void); @@ -62,7 +66,7 @@ * return 0; * } */ -# define DEFINE_RUN_ONCE_STATIC(init) \ +# define DEFINE_RUN_ONCE_STATIC(init) \ static int init(void); \ static int init##_ossl_ret_ = 0; \ static void init##_ossl_(void) \ @@ -103,7 +107,7 @@ * return 0; * } */ -# define DEFINE_RUN_ONCE_STATIC_ALT(initalt, init) \ +# define DEFINE_RUN_ONCE_STATIC_ALT(initalt, init) \ static int initalt(void); \ static void initalt##_ossl_(void) \ { \ @@ -122,7 +126,7 @@ * * (*) by convention, since the init function must return 1 on success. */ -# define RUN_ONCE(once, init) \ +# define RUN_ONCE(once, init) \ (CRYPTO_THREAD_run_once(once, init##_ossl_) ? init##_ossl_ret_ : 0) /* @@ -140,7 +144,8 @@ * * (*) by convention, since the init function must return 1 on success. */ -# define RUN_ONCE_ALT(once, initalt, init) \ +# define RUN_ONCE_ALT(once, initalt, init) \ (CRYPTO_THREAD_run_once(once, initalt##_ossl_) ? init##_ossl_ret_ : 0) -#endif /* FIPS_MODULE */ +# endif /* FIPS_MODULE */ +#endif /* OSSL_INTERNAL_THREAD_ONCE_H */ diff --git a/include/internal/tlsgroups.h b/include/internal/tlsgroups.h index 024556315f..c5653bdbd3 100644 --- a/include/internal/tlsgroups.h +++ b/include/internal/tlsgroups.h @@ -9,6 +9,7 @@ #ifndef OSSL_INTERNAL_TLSGROUPS_H # define OSSL_INTERNAL_TLSGROUPS_H +# pragma once # define OSSL_TLS_GROUP_ID_sect163k1 0x0001 # define OSSL_TLS_GROUP_ID_sect163r1 0x0002 diff --git a/include/openssl/cmp_util.h b/include/openssl/cmp_util.h index becbc9208e..5de50d7a9a 100644 --- a/include/openssl/cmp_util.h +++ b/include/openssl/cmp_util.h @@ -11,6 +11,7 @@ #ifndef OPENSSL_CMP_UTIL_H # define OPENSSL_CMP_UTIL_H +# pragma once # include # ifndef OPENSSL_NO_CMP diff --git a/include/openssl/configuration.h.in b/include/openssl/configuration.h.in index 00a4fc0aa3..c1a5f8c485 100644 --- a/include/openssl/configuration.h.in +++ b/include/openssl/configuration.h.in @@ -11,6 +11,7 @@ #ifndef OPENSSL_CONFIGURATION_H # define OPENSSL_CONFIGURATION_H +# pragma once # ifdef __cplusplus extern "C" { diff --git a/include/openssl/core.h b/include/openssl/core.h index 80ba32d9bf..9a183da4e8 100644 --- a/include/openssl/core.h +++ b/include/openssl/core.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_CORE_H # define OPENSSL_CORE_H +# pragma once # include # include diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index a8e9e52151..1689778c72 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_CORE_NUMBERS_H # define OPENSSL_CORE_NUMBERS_H +# pragma once # include # include diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index ff2d1a03f9..a9ab57dbff 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_CORE_NAMES_H # define OPENSSL_CORE_NAMES_H +# pragma once # ifdef __cplusplus extern "C" { diff --git a/include/openssl/core_object.h b/include/openssl/core_object.h index 395279d7bc..6b31a6b421 100644 --- a/include/openssl/core_object.h +++ b/include/openssl/core_object.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_CORE_OBJECT_H # define OPENSSL_CORE_OBJECT_H +# pragma once # ifdef __cplusplus extern "C" { diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in index 0b9aeefe04..356eaaabf1 100644 --- a/include/openssl/crypto.h.in +++ b/include/openssl/crypto.h.in @@ -14,7 +14,6 @@ use OpenSSL::stackhash qw(generate_stack_macros); -} - #ifndef OPENSSL_CRYPTO_H # define OPENSSL_CRYPTO_H # pragma once diff --git a/include/openssl/ess.h.in b/include/openssl/ess.h.in index 185bdd8f8b..2522912f2f 100644 --- a/include/openssl/ess.h.in +++ b/include/openssl/ess.h.in @@ -15,16 +15,18 @@ use OpenSSL::stackhash qw(generate_stack_macros); #ifndef OPENSSL_ESS_H # define OPENSSL_ESS_H +# pragma once # include -# ifdef __cplusplus -extern "C" { -# endif # include # include # include +# ifdef __cplusplus +extern "C" { +# endif + typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; typedef struct ESS_cert_id ESS_CERT_ID; diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h index b42fe503f9..4bd579cb3a 100644 --- a/include/openssl/fips_names.h +++ b/include/openssl/fips_names.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_FIPS_NAMES_H # define OPENSSL_FIPS_NAMES_H +# pragma once # ifdef __cplusplus extern "C" { diff --git a/include/openssl/fipskey.h.in b/include/openssl/fipskey.h.in index eaa1798772..367fe20471 100644 --- a/include/openssl/fipskey.h.in +++ b/include/openssl/fipskey.h.in @@ -11,6 +11,7 @@ #ifndef OPENSSL_FIPSKEY_H # define OPENSSL_FIPSKEY_H +# pragma once # ifdef __cplusplus extern "C" { diff --git a/include/openssl/kdferr.h b/include/openssl/kdferr.h index d339871f6a..52d8e14a26 100644 --- a/include/openssl/kdferr.h +++ b/include/openssl/kdferr.h @@ -7,4 +7,10 @@ * https://www.openssl.org/source/license.html */ +#ifndef OPENSSL_KDFERR_H +# define OPENSSL_KDFERR_H +# pragma once + #include + +#endif /* !defined(OPENSSL_KDFERR_H) */ diff --git a/include/openssl/macros.h b/include/openssl/macros.h index d22bab91dc..4de30968d2 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h @@ -7,11 +7,13 @@ * https://www.openssl.org/source/license.html */ +#ifndef OPENSSL_MACROS_H +# define OPENSSL_MACROS_H +# pragma once + #include #include -#ifndef OPENSSL_MACROS_H -# define OPENSSL_MACROS_H /* Helper macros for CPP string composition */ # define OPENSSL_MSTR_HELPER(x) #x diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 9bf4e3b86f..367f72f3c3 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -9,6 +9,10 @@ * https://www.openssl.org/source/license.html */ +#ifndef OPENSSL_OBJ_MAC_H +# define OPENSSL_OBJ_MAC_H +# pragma once + #define SN_undef "UNDEF" #define LN_undef "undefined" #define NID_undef 0 @@ -5420,6 +5424,8 @@ #define LN_aes_256_siv "aes-256-siv" #define NID_aes_256_siv 1200 +#endif /* OPENSSL_OBJ_MAC_H */ + #ifndef OPENSSL_NO_DEPRECATED_3_0 #define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm SN_magma_ctr_acpkm @@ -5464,4 +5470,4 @@ #define SN_grasshopper_mac SN_kuznyechik_mac #define NID_grasshopper_mac NID_kuznyechik_mac -#endif +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ diff --git a/include/openssl/opensslconf.h b/include/openssl/opensslconf.h index 9a49bceea3..6a2de489b0 100644 --- a/include/openssl/opensslconf.h +++ b/include/openssl/opensslconf.h @@ -9,8 +9,9 @@ #ifndef OPENSSL_OPENSSLCONF_H # define OPENSSL_OPENSSLCONF_H +# pragma once -#include -#include +# include +# include #endif /* OPENSSL_OPENSSLCONF_H */ diff --git a/include/openssl/param_build.h b/include/openssl/param_build.h index 58ad9be732..eec500d340 100644 --- a/include/openssl/param_build.h +++ b/include/openssl/param_build.h @@ -8,8 +8,16 @@ * https://www.openssl.org/source/license.html */ -#include -#include +#ifndef OPENSSL_PARAM_BUILD_H +# define OPENSSL_PARAM_BUILD_H +# pragma once + +# include +# include + +# ifdef __cplusplus +extern "C" { +# endif OSSL_PARAM_BLD *OSSL_PARAM_BLD_new(void); OSSL_PARAM *OSSL_PARAM_BLD_to_param(OSSL_PARAM_BLD *bld); @@ -49,3 +57,8 @@ int OSSL_PARAM_BLD_push_octet_string(OSSL_PARAM_BLD *bld, const char *key, const void *buf, size_t bsize); int OSSL_PARAM_BLD_push_octet_ptr(OSSL_PARAM_BLD *bld, const char *key, void *buf, size_t bsize); + +# ifdef __cplusplus +} +# endif +#endif /* OPENSSL_PARAM_BUILD_H */ diff --git a/include/openssl/params.h b/include/openssl/params.h index 8c14ca227f..ee592189a1 100644 --- a/include/openssl/params.h +++ b/include/openssl/params.h @@ -10,6 +10,7 @@ #ifndef OPENSSL_PARAMS_H # define OPENSSL_PARAMS_H +# pragma once # include # include diff --git a/include/openssl/provider.h b/include/openssl/provider.h index 80a1b412ed..3f2ce38701 100644 --- a/include/openssl/provider.h +++ b/include/openssl/provider.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_PROVIDER_H # define OPENSSL_PROVIDER_H +# pragma once # include diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h index 17a78052d5..11722c3163 100644 --- a/include/openssl/self_test.h +++ b/include/openssl/self_test.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_SELF_TEST_H # define OPENSSL_SELF_TEST_H +# pragma once # include /* OSSL_CALLBACK */ diff --git a/include/openssl/trace.h b/include/openssl/trace.h index a0894ee2a4..8bdc08b037 100644 --- a/include/openssl/trace.h +++ b/include/openssl/trace.h @@ -9,6 +9,7 @@ #ifndef OPENSSL_TRACE_H # define OPENSSL_TRACE_H +# pragma once # include diff --git a/include/openssl/types.h b/include/openssl/types.h index 2dc3606a90..bf5846db05 100644 --- a/include/openssl/types.h +++ b/include/openssl/types.h @@ -9,12 +9,13 @@ #ifndef OPENSSL_TYPES_H # define OPENSSL_TYPES_H +# pragma once -#include +# include -#ifdef __cplusplus +# ifdef __cplusplus extern "C" { -#endif +# endif # include # include From no-reply at appveyor.com Wed Feb 10 23:57:57 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 10 Feb 2021 23:57:57 +0000 Subject: Build failed: openssl master.39774 Message-ID: <20210210235757.1.145B181679C18337@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Thu Feb 11 00:19:40 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 11 Feb 2021 00:19:40 +0000 Subject: [openssl] master update Message-ID: <1613002780.657353.30999.nullmailer@dev.openssl.org> The branch master has been updated via dc9ec65a018d92306e4b3139239505c5cfc5b15e (commit) from 3a111aadc3d24e0f325497f830a59295d0616e98 (commit) - Log ----------------------------------------------------------------- commit dc9ec65a018d92306e4b3139239505c5cfc5b15e Author: KOBAYASHI Ittoku Date: Sat Feb 6 11:59:12 2021 +0900 Match description with actual output of dgst CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14089) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-dgst.pod.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index d90e6146c6..b976ad45d8 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -125,7 +125,7 @@ see L. =item B<-verify> I Verify the signature using the public key in "filename". -The output is either "Verification OK" or "Verification Failure". +The output is either "Verified OK" or "Verification Failure". =item B<-prverify> I From openssl at openssl.org Thu Feb 11 01:04:39 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 11 Feb 2021 01:04:39 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1613005479.087597.560509.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t ...................... ok 04-test_hexstring.t ................ ok 04-test_param_build.t .............. ok 04-test_params.t ................... ok 04-test_params_conversion.t ........ ok 04-test_pem.t ...................... ok 04-test_pem_read_depr.t ............ ok 04-test_provider.t ................. ok 04-test_provider_fallback.t ........ ok 05-test_bf.t ....................... ok 05-test_cast.t ..................... ok 05-test_cmac.t ..................... ok 05-test_des.t ...................... ok 05-test_hmac.t ..................... ok 05-test_idea.t ..................... ok 05-test_rand.t ..................... ok 05-test_rc2.t ...................... ok 05-test_rc4.t ...................... ok 05-test_rc5.t ...................... skipped: rc5 is not supported by this OpenSSL build 06-test-rdrand.t ................... ok 06-test_algorithmid.t .............. ok 10-test_bn.t ....................... ok 10-test_exp.t ...................... ok 15-test_dh.t ....................... ok 15-test_dsa.t ...................... ok 15-test_ec.t ....................... ok 15-test_ecdsa.t .................... ok 15-test_ecparam.t .................. ok 15-test_gendh.t .................... ok 15-test_gendsa.t ................... ok 15-test_genec.t .................... ok 15-test_genrsa.t ................... ok 15-test_mp_rsa.t ................... ok 15-test_out_option.t ............... ok 15-test_rsa.t ...................... ok 15-test_rsaoaep.t .................. ok 15-test_rsapss.t ................... ok 20-test_app.t ...................... ok 20-test_cli_fips.t ................. ok 20-test_dgst.t ..................... ok 20-test_dhparam.t .................. ok 20-test_dhparam_check.t ............ ok 20-test_enc.t ...................... ok 20-test_enc_more.t ................. ok 20-test_kdf.t ...................... ok 20-test_mac.t ...................... ok 20-test_passwd.t ................... ok 20-test_pkeyutl.t .................. ok 20-test_rand_config.t .............. ok 25-test_crl.t ...................... ok 25-test_d2i.t ...................... ok 25-test_eai_data.t ................. ok 25-test_pkcs7.t .................... ok 25-test_req.t ...................... ok 25-test_rusext.t ................... ok 25-test_sid.t ...................... ok 25-test_verify.t ................... ok 25-test_verify_store.t ............. ok 25-test_x509.t ..................... ok make[1]: *** [Makefile:3249: _tests] Terminated From openssl at openssl.org Thu Feb 11 01:56:36 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 11 Feb 2021 01:56:36 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1613008596.297747.672365.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3130, 909 wallclock secs (14.56 usr 1.34 sys + 814.42 cusr 92.31 csys = 922.63 CPU) Result: FAIL make[1]: *** [Makefile:3264: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3261: tests] Error 2 From openssl at openssl.org Thu Feb 11 07:36:59 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 11 Feb 2021 07:36:59 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1613029019.194408.1403917.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3132, 821 wallclock secs (13.31 usr 1.22 sys + 738.55 cusr 77.62 csys = 830.70 CPU) Result: FAIL make[1]: *** [Makefile:3203: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3200: tests] Error 2 From tmraz at fedoraproject.org Thu Feb 11 08:35:15 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 11 Feb 2021 08:35:15 +0000 Subject: [openssl] master update Message-ID: <1613032515.803315.22407.nullmailer@dev.openssl.org> The branch master has been updated via 283df0b84bb6c35ad1291cabd6f693328faca267 (commit) via f5f29796f00b94d150087bc72469a4f60a67a23b (commit) via 2741128e9deeb7f6fd73f10a1c657c05433a41cb (commit) from dc9ec65a018d92306e4b3139239505c5cfc5b15e (commit) - Log ----------------------------------------------------------------- commit 283df0b84bb6c35ad1291cabd6f693328faca267 Author: Tomas Mraz Date: Tue Feb 9 13:25:16 2021 +0100 Rename internal providercommonerr.h to less mouthful proverr.h Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14086) commit f5f29796f00b94d150087bc72469a4f60a67a23b Author: Tomas Mraz Date: Fri Feb 5 18:51:37 2021 +0100 Various cleanup of PROV_R_ reason codes Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14086) commit 2741128e9deeb7f6fd73f10a1c657c05433a41cb Author: Tomas Mraz Date: Fri Feb 5 17:40:42 2021 +0100 Move the PROV_R reason codes to a public header The PROV_R codes can be returned to applications so it is useful to have some common set of provider reason codes for the applications or third party providers. Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14086) ----------------------------------------------------------------------- Summary of changes: crypto/err/err_all.c | 2 +- crypto/err/openssl.ec | 2 +- crypto/err/openssl.txt | 24 +++---------- .../openssl/proverr.h | 38 +++++--------------- .../common/include/prov/proverr.h | 6 ++-- providers/common/provider_err.c | 41 ++++++---------------- providers/common/provider_util.c | 2 +- providers/common/securitycheck.c | 2 +- providers/common/securitycheck_fips.c | 2 +- providers/fips/fipsprov.c | 2 +- providers/fips/self_test.c | 2 +- providers/implementations/asymciphers/rsa_enc.c | 2 +- providers/implementations/asymciphers/sm2_enc.c | 2 +- .../ciphers/cipher_aes_cbc_hmac_sha.c | 2 +- .../implementations/ciphers/cipher_aes_cts.inc | 2 +- providers/implementations/ciphers/cipher_aes_hw.c | 4 +-- .../ciphers/cipher_aes_hw_aesni.inc | 2 +- .../implementations/ciphers/cipher_aes_hw_t4.inc | 2 +- providers/implementations/ciphers/cipher_aes_ocb.c | 4 +-- providers/implementations/ciphers/cipher_aes_siv.c | 2 +- providers/implementations/ciphers/cipher_aes_wrp.c | 2 +- providers/implementations/ciphers/cipher_aes_xts.c | 2 +- providers/implementations/ciphers/cipher_aria_hw.c | 3 +- .../implementations/ciphers/cipher_camellia_hw.c | 5 +-- .../ciphers/cipher_camellia_hw_t4.inc | 2 +- providers/implementations/ciphers/cipher_cast5.c | 2 +- .../implementations/ciphers/cipher_chacha20.c | 2 +- .../ciphers/cipher_chacha20_poly1305.c | 10 +++--- providers/implementations/ciphers/cipher_des.c | 6 ++-- providers/implementations/ciphers/cipher_null.c | 2 +- providers/implementations/ciphers/cipher_rc2.c | 2 +- .../implementations/ciphers/cipher_rc4_hmac_md5.c | 2 +- providers/implementations/ciphers/cipher_rc5.c | 2 +- providers/implementations/ciphers/cipher_tdes.c | 4 +-- .../implementations/ciphers/cipher_tdes_common.c | 6 ++-- .../implementations/ciphers/cipher_tdes_wrap.c | 2 +- providers/implementations/ciphers/ciphercommon.c | 6 ++-- .../implementations/ciphers/ciphercommon_block.c | 2 +- .../implementations/ciphers/ciphercommon_ccm.c | 18 +++++----- .../implementations/ciphers/ciphercommon_gcm.c | 6 ++-- providers/implementations/digests/digestcommon.c | 4 +-- providers/implementations/digests/mdc2_prov.c | 2 +- providers/implementations/digests/sha3_prov.c | 2 +- .../implementations/encode_decode/decode_der2key.c | 4 +-- .../implementations/encode_decode/decode_pem2der.c | 2 +- .../implementations/encode_decode/encode_key2any.c | 4 +-- .../encode_decode/encode_key2text.c | 2 +- providers/implementations/exchange/ecx_exch.c | 2 +- providers/implementations/kdfs/hkdf.c | 2 +- providers/implementations/kdfs/kbkdf.c | 2 +- providers/implementations/kdfs/krb5kdf.c | 2 +- providers/implementations/kdfs/pbkdf2.c | 6 ++-- providers/implementations/kdfs/pkcs12kdf.c | 2 +- providers/implementations/kdfs/scrypt.c | 2 +- providers/implementations/kdfs/sshkdf.c | 2 +- providers/implementations/kdfs/sskdf.c | 2 +- providers/implementations/kdfs/tls1_prf.c | 2 +- providers/implementations/kdfs/x942kdf.c | 2 +- providers/implementations/kem/rsa_kem.c | 2 +- providers/implementations/keymgmt/ec_kmgmt.c | 2 +- .../implementations/keymgmt/mac_legacy_kmgmt.c | 3 +- providers/implementations/macs/blake2_mac_impl.c | 2 +- providers/implementations/macs/gmac_prov.c | 6 ++-- providers/implementations/macs/kmac_prov.c | 4 +-- providers/implementations/macs/poly1305_prov.c | 2 +- providers/implementations/macs/siphash_prov.c | 2 +- providers/implementations/rands/drbg.c | 2 +- providers/implementations/rands/drbg_ctr.c | 2 +- providers/implementations/rands/drbg_hash.c | 2 +- providers/implementations/rands/drbg_hmac.c | 2 +- providers/implementations/rands/seed_src.c | 2 +- providers/implementations/signature/dsa.c | 2 +- providers/implementations/signature/ecdsa.c | 2 +- providers/implementations/signature/eddsa.c | 2 +- providers/implementations/signature/rsa.c | 7 ++-- providers/implementations/signature/sm2sig.c | 2 +- providers/implementations/storemgmt/file_store.c | 2 +- 77 files changed, 139 insertions(+), 188 deletions(-) rename providers/common/include/prov/providercommonerr.h => include/openssl/proverr.h (84%) copy ssl/sslerr.h => providers/common/include/prov/proverr.h (86%) diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index 1d26c19d90..b1e69b5cc5 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -43,7 +43,7 @@ #include "crypto/storeerr.h" #include "crypto/esserr.h" #include "internal/propertyerr.h" -#include "prov/providercommonerr.h" +#include "prov/proverr.h" int err_load_crypto_strings_int(void) { diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index f265ca0f5d..3612c195f0 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -40,7 +40,7 @@ L SM2 NONE crypto/sm2/sm2_err.c L OSSL_STORE include/openssl/storeerr.h crypto/store/store_err.c include/crypto/storeerr.h L ESS include/openssl/esserr.h crypto/ess/ess_err.c include/crypto/esserr.h L PROP NONE crypto/property/property_err.c include/internal/propertyerr.h -L PROV NONE providers/common/provider_err.c providers/common/include/prov/providercommonerr.h +L PROV include/openssl/proverr.h providers/common/provider_err.c providers/common/include/prov/proverr.h L OSSL_ENCODER include/openssl/encodererr.h crypto/encode_decode/encoder_err.c include/crypto/encodererr.h L OSSL_DECODER include/openssl/decodererr.h crypto/encode_decode/decoder_err.c include/crypto/decodererr.h L HTTP include/openssl/httperr.h crypto/http/http_err.c include/crypto/httperr.h diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index c1a0f1d0bd..0e4f017287 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -936,7 +936,6 @@ PROP_R_PARSE_FAILED:108:parse failed PROP_R_STRING_TOO_LONG:109:string too long PROP_R_TRAILING_CHARACTERS:110:trailing characters PROV_R_ADDITIONAL_INPUT_TOO_LONG:184:additional input too long -PROV_R_AES_KEY_SETUP_FAILED:101:aes key setup failed PROV_R_ALGORITHM_MISMATCH:173:algorithm mismatch PROV_R_ALREADY_INSTANTIATED:185:already instantiated PROV_R_BAD_DECRYPT:100:bad decrypt @@ -944,13 +943,9 @@ PROV_R_BAD_ENCODING:141:bad encoding PROV_R_BAD_LENGTH:142:bad length PROV_R_BAD_TLS_CLIENT_VERSION:161:bad tls client version PROV_R_BN_ERROR:160:bn error -PROV_R_BOTH_MODE_AND_MODE_INT:127:both mode and mode int PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed -PROV_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS:186:\ - derivation function mandatory for fips PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed -PROV_R_DRBG_ALREADY_INITIALIZED:187:drbg already initialized PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy PROV_R_ERROR_RETRIEVING_NONCE:190:error retrieving nonce @@ -967,7 +962,6 @@ PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state PROV_R_GENERATE_ERROR:191:generate error PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\ illegal or unsupported padding mode -PROV_R_INAVLID_UKM_LENGTH:146:inavlid ukm length PROV_R_INDICATOR_INTEGRITY_FAILURE:210:indicator integrity failure PROV_R_INSUFFICIENT_DRBG_STRENGTH:181:insufficient drbg strength PROV_R_INVALID_AAD:108:invalid aad @@ -980,29 +974,24 @@ PROV_R_INVALID_DIGEST:122:invalid digest PROV_R_INVALID_DIGEST_LENGTH:166:invalid digest length PROV_R_INVALID_DIGEST_SIZE:218:invalid digest size PROV_R_INVALID_ITERATION_COUNT:123:invalid iteration count -PROV_R_INVALID_IVLEN:116:invalid ivlen PROV_R_INVALID_IV_LENGTH:109:invalid iv length PROV_R_INVALID_KEY:158:invalid key -PROV_R_INVALID_KEYLEN:117:invalid keylen -PROV_R_INVALID_KEY_LEN:124:invalid key len PROV_R_INVALID_KEY_LENGTH:105:invalid key length PROV_R_INVALID_MAC:151:invalid mac PROV_R_INVALID_MGF1_MD:167:invalid mgf1 md PROV_R_INVALID_MODE:125:invalid mode -PROV_R_INVALID_MODE_INT:126:invalid mode int PROV_R_INVALID_PADDING_MODE:168:invalid padding mode -PROV_R_INVALID_PSS_SALTLEN:169:invalid pss saltlen PROV_R_INVALID_PUBINFO:198:invalid pubinfo -PROV_R_INVALID_RSA_KEY:217:invalid rsa key PROV_R_INVALID_SALT_LENGTH:112:invalid salt length PROV_R_INVALID_SEED_LENGTH:154:invalid seed length PROV_R_INVALID_SIGNATURE_SIZE:179:invalid signature size PROV_R_INVALID_STATE:212:invalid state PROV_R_INVALID_TAG:110:invalid tag -PROV_R_INVALID_TAGLEN:118:invalid taglen +PROV_R_INVALID_TAG_LENGTH:118:invalid tag length PROV_R_INVALID_UKM_LENGTH:200:invalid ukm length PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest PROV_R_IN_ERROR_STATE:192:in error state +PROV_R_KEY_SETUP_FAILED:101:key setup failed PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small PROV_R_MISSING_CEK_ALG:144:missing cek alg PROV_R_MISSING_CIPHER:155:missing cipher @@ -1038,7 +1027,6 @@ PROV_R_PARENT_STRENGTH_TOO_WEAK:194:parent strength too weak PROV_R_PATH_MUST_BE_ABSOLUTE:219:path must be absolute PROV_R_PERSONALISATION_STRING_TOO_LONG:195:personalisation string too long PROV_R_PSS_SALTLEN_TOO_SMALL:172:pss saltlen too small -PROV_R_READ_KEY:159:read key PROV_R_REQUEST_TOO_LARGE_FOR_DRBG:196:request too large for drbg PROV_R_REQUIRE_CTR_MODE_CIPHER:206:require ctr mode cipher PROV_R_RESEED_ERROR:197:reseed error @@ -1048,18 +1036,16 @@ PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT:229:\ seed sources must not have a parent PROV_R_SELF_TEST_KAT_FAILURE:215:self test kat failure PROV_R_SELF_TEST_POST_FAILURE:216:self test post failure -PROV_R_TAG_NOTSET:119:tag notset +PROV_R_TAG_NOT_SET:119:tag not set PROV_R_TAG_NOT_NEEDED:120:tag not needed +PROV_R_TOO_MANY_RECORDS:126:too many records PROV_R_UNABLE_TO_FIND_CIPHERS:207:unable to find ciphers -PROV_R_UNABLE_TO_GET_ENTROPY:202:unable to get entropy -PROV_R_UNABLE_TO_GET_NONCE:203:unable to get nonce PROV_R_UNABLE_TO_GET_PARENT_STRENGTH:199:unable to get parent strength +PROV_R_UNABLE_TO_GET_PASSPHRASE:159:unable to get passphrase PROV_R_UNABLE_TO_INITIALISE_CIPHERS:208:unable to initialise ciphers -PROV_R_UNABLE_TO_LOAD_SHA1:143:unable to load sha1 PROV_R_UNABLE_TO_LOAD_SHA256:147:unable to load sha256 PROV_R_UNABLE_TO_LOCK_PARENT:201:unable to lock parent PROV_R_UNABLE_TO_RESEED:204:unable to reseed -PROV_R_UNKNOWN_PADDING_TYPE:163:unknown padding type PROV_R_UNSUPPORTED_CEK_ALG:145:unsupported cek alg PROV_R_UNSUPPORTED_KEY_SIZE:153:unsupported key size PROV_R_UNSUPPORTED_MAC_TYPE:137:unsupported mac type diff --git a/providers/common/include/prov/providercommonerr.h b/include/openssl/proverr.h similarity index 84% rename from providers/common/include/prov/providercommonerr.h rename to include/openssl/proverr.h index e59ee36abb..6e5c0debe7 100644 --- a/providers/common/include/prov/providercommonerr.h +++ b/include/openssl/proverr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,24 +8,20 @@ * https://www.openssl.org/source/license.html */ -#ifndef OSSL_PROVIDERCOMMONERR_H -# define OSSL_PROVIDERCOMMONERR_H +#ifndef OPENSSL_PROVERR_H +# define OPENSSL_PROVERR_H # pragma once # include # include +# include -# ifdef __cplusplus -extern "C" { -# endif -int err_load_PROV_strings_int(void); /* * PROV reason codes. */ # define PROV_R_ADDITIONAL_INPUT_TOO_LONG 184 -# define PROV_R_AES_KEY_SETUP_FAILED 101 # define PROV_R_ALGORITHM_MISMATCH 173 # define PROV_R_ALREADY_INSTANTIATED 185 # define PROV_R_BAD_DECRYPT 100 @@ -33,12 +29,9 @@ int err_load_PROV_strings_int(void); # define PROV_R_BAD_LENGTH 142 # define PROV_R_BAD_TLS_CLIENT_VERSION 161 # define PROV_R_BN_ERROR 160 -# define PROV_R_BOTH_MODE_AND_MODE_INT 127 # define PROV_R_CIPHER_OPERATION_FAILED 102 # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205 -# define PROV_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS 186 # define PROV_R_DIGEST_NOT_ALLOWED 174 -# define PROV_R_DRBG_ALREADY_INITIALIZED 187 # define PROV_R_ERROR_INSTANTIATING_DRBG 188 # define PROV_R_ERROR_RETRIEVING_ENTROPY 189 # define PROV_R_ERROR_RETRIEVING_NONCE 190 @@ -54,7 +47,6 @@ int err_load_PROV_strings_int(void); # define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225 # define PROV_R_GENERATE_ERROR 191 # define PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 165 -# define PROV_R_INAVLID_UKM_LENGTH 146 # define PROV_R_INDICATOR_INTEGRITY_FAILURE 210 # define PROV_R_INSUFFICIENT_DRBG_STRENGTH 181 # define PROV_R_INVALID_AAD 108 @@ -67,29 +59,24 @@ int err_load_PROV_strings_int(void); # define PROV_R_INVALID_DIGEST_LENGTH 166 # define PROV_R_INVALID_DIGEST_SIZE 218 # define PROV_R_INVALID_ITERATION_COUNT 123 -# define PROV_R_INVALID_IVLEN 116 # define PROV_R_INVALID_IV_LENGTH 109 # define PROV_R_INVALID_KEY 158 -# define PROV_R_INVALID_KEYLEN 117 -# define PROV_R_INVALID_KEY_LEN 124 # define PROV_R_INVALID_KEY_LENGTH 105 # define PROV_R_INVALID_MAC 151 # define PROV_R_INVALID_MGF1_MD 167 # define PROV_R_INVALID_MODE 125 -# define PROV_R_INVALID_MODE_INT 126 # define PROV_R_INVALID_PADDING_MODE 168 -# define PROV_R_INVALID_PSS_SALTLEN 169 # define PROV_R_INVALID_PUBINFO 198 -# define PROV_R_INVALID_RSA_KEY 217 # define PROV_R_INVALID_SALT_LENGTH 112 # define PROV_R_INVALID_SEED_LENGTH 154 # define PROV_R_INVALID_SIGNATURE_SIZE 179 # define PROV_R_INVALID_STATE 212 # define PROV_R_INVALID_TAG 110 -# define PROV_R_INVALID_TAGLEN 118 +# define PROV_R_INVALID_TAG_LENGTH 118 # define PROV_R_INVALID_UKM_LENGTH 200 # define PROV_R_INVALID_X931_DIGEST 170 # define PROV_R_IN_ERROR_STATE 192 +# define PROV_R_KEY_SETUP_FAILED 101 # define PROV_R_KEY_SIZE_TOO_SMALL 171 # define PROV_R_MISSING_CEK_ALG 144 # define PROV_R_MISSING_CIPHER 155 @@ -123,7 +110,6 @@ int err_load_PROV_strings_int(void); # define PROV_R_PATH_MUST_BE_ABSOLUTE 219 # define PROV_R_PERSONALISATION_STRING_TOO_LONG 195 # define PROV_R_PSS_SALTLEN_TOO_SMALL 172 -# define PROV_R_READ_KEY 159 # define PROV_R_REQUEST_TOO_LARGE_FOR_DRBG 196 # define PROV_R_REQUIRE_CTR_MODE_CIPHER 206 # define PROV_R_RESEED_ERROR 197 @@ -131,18 +117,16 @@ int err_load_PROV_strings_int(void); # define PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT 229 # define PROV_R_SELF_TEST_KAT_FAILURE 215 # define PROV_R_SELF_TEST_POST_FAILURE 216 -# define PROV_R_TAG_NOTSET 119 +# define PROV_R_TAG_NOT_SET 119 # define PROV_R_TAG_NOT_NEEDED 120 +# define PROV_R_TOO_MANY_RECORDS 126 # define PROV_R_UNABLE_TO_FIND_CIPHERS 207 -# define PROV_R_UNABLE_TO_GET_ENTROPY 202 -# define PROV_R_UNABLE_TO_GET_NONCE 203 # define PROV_R_UNABLE_TO_GET_PARENT_STRENGTH 199 +# define PROV_R_UNABLE_TO_GET_PASSPHRASE 159 # define PROV_R_UNABLE_TO_INITIALISE_CIPHERS 208 -# define PROV_R_UNABLE_TO_LOAD_SHA1 143 # define PROV_R_UNABLE_TO_LOAD_SHA256 147 # define PROV_R_UNABLE_TO_LOCK_PARENT 201 # define PROV_R_UNABLE_TO_RESEED 204 -# define PROV_R_UNKNOWN_PADDING_TYPE 163 # define PROV_R_UNSUPPORTED_CEK_ALG 145 # define PROV_R_UNSUPPORTED_KEY_SIZE 153 # define PROV_R_UNSUPPORTED_MAC_TYPE 137 @@ -155,8 +139,4 @@ int err_load_PROV_strings_int(void); # define PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE 148 # define PROV_R_XTS_DUPLICATED_KEYS 149 - -# ifdef __cplusplus -} -# endif #endif diff --git a/ssl/sslerr.h b/providers/common/include/prov/proverr.h similarity index 86% copy from ssl/sslerr.h copy to providers/common/include/prov/proverr.h index 3ad54e4dcc..d9744d06b8 100644 --- a/ssl/sslerr.h +++ b/providers/common/include/prov/proverr.h @@ -8,8 +8,8 @@ * https://www.openssl.org/source/license.html */ -#ifndef OSSL_SSLERR_H -# define OSSL_SSLERR_H +#ifndef OSSL_PROVERR_H +# define OSSL_PROVERR_H # pragma once # include @@ -19,7 +19,7 @@ extern "C" { # endif -int err_load_SSL_strings_int(void); +int err_load_PROV_strings_int(void); # ifdef __cplusplus } diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c index 3a28eaaa2d..a64c5d2ece 100644 --- a/providers/common/provider_err.c +++ b/providers/common/provider_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,15 +9,14 @@ */ #include -#include "include/prov/providercommonerr.h" +#include +#include "include/prov/proverr.h" #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA PROV_str_reasons[] = { {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ADDITIONAL_INPUT_TOO_LONG), "additional input too long"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_AES_KEY_SETUP_FAILED), - "aes key setup failed"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ALGORITHM_MISMATCH), "algorithm mismatch"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ALREADY_INSTANTIATED), @@ -28,18 +27,12 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_BAD_TLS_CLIENT_VERSION), "bad tls client version"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_BN_ERROR), "bn error"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_BOTH_MODE_AND_MODE_INT), - "both mode and mode int"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_CIPHER_OPERATION_FAILED), "cipher operation failed"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DERIVATION_FUNCTION_INIT_FAILED), "derivation function init failed"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS), - "derivation function mandatory for fips"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED), "digest not allowed"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DRBG_ALREADY_INITIALIZED), - "drbg already initialized"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_RETRIEVING_ENTROPY), @@ -67,8 +60,6 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_GENERATE_ERROR), "generate error"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INAVLID_UKM_LENGTH), - "inavlid ukm length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INDICATOR_INTEGRITY_FAILURE), "indicator integrity failure"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INSUFFICIENT_DRBG_STRENGTH), @@ -89,23 +80,16 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "invalid digest size"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_ITERATION_COUNT), "invalid iteration count"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_IVLEN), "invalid ivlen"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_IV_LENGTH), "invalid iv length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_KEY), "invalid key"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_KEYLEN), "invalid keylen"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_KEY_LEN), "invalid key len"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_KEY_LENGTH), "invalid key length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_MAC), "invalid mac"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_MGF1_MD), "invalid mgf1 md"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_MODE), "invalid mode"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_MODE_INT), "invalid mode int"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PADDING_MODE), "invalid padding mode"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PSS_SALTLEN), - "invalid pss saltlen"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PUBINFO), "invalid pubinfo"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_RSA_KEY), "invalid rsa key"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_SALT_LENGTH), "invalid salt length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_SEED_LENGTH), @@ -114,12 +98,15 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "invalid signature size"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_STATE), "invalid state"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAG), "invalid tag"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAGLEN), "invalid taglen"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAG_LENGTH), + "invalid tag_length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_UKM_LENGTH), "invalid ukm length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_X931_DIGEST), "invalid x931 digest"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_IN_ERROR_STATE), "in error state"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SETUP_FAILED), + "key setup failed"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SIZE_TOO_SMALL), "key size too small"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CEK_ALG), "missing cek alg"}, @@ -167,7 +154,6 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "personalisation string too long"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PSS_SALTLEN_TOO_SMALL), "pss saltlen too small"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_READ_KEY), "read key"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG), "request too large for drbg"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_REQUIRE_CTR_MODE_CIPHER), @@ -181,27 +167,22 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "self test kat failure"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_SELF_TEST_POST_FAILURE), "self test post failure"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TAG_NOTSET), "tag notset"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TAG_NOT_SET), "tag not set"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TAG_NOT_NEEDED), "tag not needed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TOO_MANY_RECORDS), "too many records"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_FIND_CIPHERS), "unable to find ciphers"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_GET_ENTROPY), - "unable to get entropy"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_GET_NONCE), - "unable to get nonce"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH), "unable to get parent strength"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_GET_PASSPHRASE), + "unable to get passphrase"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_INITIALISE_CIPHERS), "unable to initialise ciphers"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_LOAD_SHA1), - "unable to load sha1"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_LOAD_SHA256), "unable to load sha256"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_LOCK_PARENT), "unable to lock parent"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_RESEED), "unable to reseed"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNKNOWN_PADDING_TYPE), - "unknown padding type"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNSUPPORTED_CEK_ALG), "unsupported cek alg"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNSUPPORTED_KEY_SIZE), diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index 2499d1534e..516ec46dd7 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -13,8 +13,8 @@ #include #include #include +#include #include "prov/provider_util.h" -#include "prov/providercommonerr.h" #include "internal/nelem.h" void ossl_prov_cipher_reset(PROV_CIPHER *pc) diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index 9d02536c38..9457f4b53a 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -14,10 +14,10 @@ #include #include #include +#include #include #include #include "prov/securitycheck.h" -#include "prov/providercommonerr.h" /* * FIPS requires a minimum security strength of 112 bits (for encryption or diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index 94457d6ccf..5bf59c9a35 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c @@ -14,10 +14,10 @@ #include #include #include +#include #include #include #include "prov/securitycheck.h" -#include "prov/providercommonerr.h" extern int FIPS_security_check_enabled(void); diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index dc1bd7b472..90491b0e5f 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -12,11 +12,11 @@ #include #include #include /* RAND_get0_public() */ +#include #include "internal/cryptlib.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/provider_util.h" #include "prov/seeding.h" #include "self_test.h" diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index a3dd621262..17053d6f9f 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c @@ -13,8 +13,8 @@ #include #include #include +#include #include "e_os.h" -#include "prov/providercommonerr.h" #include "prov/providercommon.h" /* diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index 3b6dbe09fa..461dee8c6d 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -20,12 +20,12 @@ #include #include #include +#include /* Just for SSL_MAX_MASTER_KEY_LENGTH */ #include #include "internal/constant_time.h" #include "internal/sizes.h" #include "crypto/rsa.h" -#include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "prov/implementations.h" #include "prov/providercommon.h" diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c index 3dd4d83838..923ee5694a 100644 --- a/providers/implementations/asymciphers/sm2_enc.c +++ b/providers/implementations/asymciphers/sm2_enc.c @@ -15,8 +15,8 @@ #include #include #include +#include #include -#include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "prov/implementations.h" #include "prov/provider_util.h" diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index 03f216d22e..abefc20ab2 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -18,6 +18,7 @@ /* Only for SSL3_VERSION and TLS1_VERSION */ #include +#include #include "cipher_aes_cbc_hmac_sha.h" #include "prov/implementations.h" #include "prov/providercommon.h" @@ -28,7 +29,6 @@ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \ { 0, NULL } \ }; #else -# include "prov/providercommonerr.h" # define AES_CBC_HMAC_SHA_FLAGS (PROV_CIPHER_FLAG_AEAD \ | PROV_CIPHER_FLAG_TLS1_MULTIBLOCK) diff --git a/providers/implementations/ciphers/cipher_aes_cts.inc b/providers/implementations/ciphers/cipher_aes_cts.inc index dae112febf..f398534dda 100644 --- a/providers/implementations/ciphers/cipher_aes_cts.inc +++ b/providers/implementations/ciphers/cipher_aes_cts.inc @@ -9,8 +9,8 @@ /* Dispatch functions for AES CBC CTS ciphers */ +#include #include "cipher_aes_cts.h" -#include "prov/providercommonerr.h" #define AES_CTS_FLAGS PROV_CIPHER_FLAG_CTS diff --git a/providers/implementations/ciphers/cipher_aes_hw.c b/providers/implementations/ciphers/cipher_aes_hw.c index 0b6f06f915..588e030417 100644 --- a/providers/implementations/ciphers/cipher_aes_hw.c +++ b/providers/implementations/ciphers/cipher_aes_hw.c @@ -13,8 +13,8 @@ */ #include "internal/deprecated.h" +#include #include "cipher_aes.h" -#include "prov/providercommonerr.h" static int cipher_hw_aes_initkey(PROV_CIPHER_CTX *dat, const unsigned char *key, size_t keylen) @@ -114,7 +114,7 @@ static int cipher_hw_aes_initkey(PROV_CIPHER_CTX *dat, } if (ret < 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED); + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED); return 0; } diff --git a/providers/implementations/ciphers/cipher_aes_hw_aesni.inc b/providers/implementations/ciphers/cipher_aes_hw_aesni.inc index 13b52d5987..a2358b43f9 100644 --- a/providers/implementations/ciphers/cipher_aes_hw_aesni.inc +++ b/providers/implementations/ciphers/cipher_aes_hw_aesni.inc @@ -45,7 +45,7 @@ static int cipher_hw_aesni_initkey(PROV_CIPHER_CTX *dat, } if (ret < 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED); + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED); return 0; } diff --git a/providers/implementations/ciphers/cipher_aes_hw_t4.inc b/providers/implementations/ciphers/cipher_aes_hw_t4.inc index 2ccc383e9d..826ff0239d 100644 --- a/providers/implementations/ciphers/cipher_aes_hw_t4.inc +++ b/providers/implementations/ciphers/cipher_aes_hw_t4.inc @@ -78,7 +78,7 @@ static int cipher_hw_aes_t4_initkey(PROV_CIPHER_CTX *dat, } if (ret < 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED); + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED); return 0; } diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index 26ffdab7a4..faa6cb470c 100644 --- a/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/providers/implementations/ciphers/cipher_aes_ocb.c @@ -14,9 +14,9 @@ */ #include "internal/deprecated.h" +#include #include "cipher_aes_ocb.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/ciphercommon_aead.h" #include "prov/implementations.h" @@ -451,7 +451,7 @@ static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[]) return 0; } if (!ctx->base.enc || p->data_size != ctx->taglen) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; } memcpy(p->data, ctx->tag, ctx->taglen); diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c index 469515bb8c..9a9adb02d9 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.c +++ b/providers/implementations/ciphers/cipher_aes_siv.c @@ -15,10 +15,10 @@ */ #include "internal/deprecated.h" +#include #include "cipher_aes_siv.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/ciphercommon_aead.h" #include "prov/provider_ctx.h" diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c index dc625216ca..967e12206b 100644 --- a/providers/implementations/ciphers/cipher_aes_wrp.c +++ b/providers/implementations/ciphers/cipher_aes_wrp.c @@ -13,9 +13,9 @@ */ #include "internal/deprecated.h" +#include #include "cipher_aes.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" /* AES wrap with padding has IV length of 4, without padding 8 */ diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c index cf768d27d4..c5699d645b 100644 --- a/providers/implementations/ciphers/cipher_aes_xts.c +++ b/providers/implementations/ciphers/cipher_aes_xts.c @@ -15,10 +15,10 @@ */ #include "internal/deprecated.h" +#include #include "cipher_aes_xts.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define AES_XTS_FLAGS PROV_CIPHER_FLAG_CUSTOM_IV #define AES_XTS_IV_BITS 128 diff --git a/providers/implementations/ciphers/cipher_aria_hw.c b/providers/implementations/ciphers/cipher_aria_hw.c index f457aaf750..67a282f59c 100644 --- a/providers/implementations/ciphers/cipher_aria_hw.c +++ b/providers/implementations/ciphers/cipher_aria_hw.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #include "cipher_aria.h" static int cipher_hw_aria_initkey(PROV_CIPHER_CTX *dat, @@ -21,7 +22,7 @@ static int cipher_hw_aria_initkey(PROV_CIPHER_CTX *dat, else ret = aria_set_decrypt_key(key, keylen * 8, ks); if (ret < 0) { - ERR_raise(ERR_LIB_PROV, EVP_R_ARIA_KEY_SETUP_FAILED); + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED); return 0; } dat->ks = ks; diff --git a/providers/implementations/ciphers/cipher_camellia_hw.c b/providers/implementations/ciphers/cipher_camellia_hw.c index e8ada99a7e..66a2b143c3 100644 --- a/providers/implementations/ciphers/cipher_camellia_hw.c +++ b/providers/implementations/ciphers/cipher_camellia_hw.c @@ -13,8 +13,9 @@ */ #include "internal/deprecated.h" -#include "cipher_camellia.h" #include +#include +#include "cipher_camellia.h" static int cipher_hw_camellia_initkey(PROV_CIPHER_CTX *dat, const unsigned char *key, size_t keylen) @@ -26,7 +27,7 @@ static int cipher_hw_camellia_initkey(PROV_CIPHER_CTX *dat, dat->ks = ks; ret = Camellia_set_key(key, keylen * 8, ks); if (ret < 0) { - ERR_raise(ERR_LIB_PROV, EVP_R_ARIA_KEY_SETUP_FAILED); + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED); return 0; } if (dat->enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE)) { diff --git a/providers/implementations/ciphers/cipher_camellia_hw_t4.inc b/providers/implementations/ciphers/cipher_camellia_hw_t4.inc index c04613700a..032402a556 100644 --- a/providers/implementations/ciphers/cipher_camellia_hw_t4.inc +++ b/providers/implementations/ciphers/cipher_camellia_hw_t4.inc @@ -67,7 +67,7 @@ static int cipher_hw_camellia_t4_initkey(PROV_CIPHER_CTX *dat, } } if (ret < 0) { - ERR_raise(ERR_LIB_PROV, EVP_R_CAMELLIA_KEY_SETUP_FAILED); + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED); return 0; } return 1; diff --git a/providers/implementations/ciphers/cipher_cast5.c b/providers/implementations/ciphers/cipher_cast5.c index 1d525343b4..f5f7cba631 100644 --- a/providers/implementations/ciphers/cipher_cast5.c +++ b/providers/implementations/ciphers/cipher_cast5.c @@ -15,10 +15,10 @@ /* Dispatch functions for cast cipher modes ecb, cbc, ofb, cfb */ +#include #include "cipher_cast.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define CAST5_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index b2fe1b1957..c4042c1b39 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -9,10 +9,10 @@ /* Dispatch functions for chacha20 cipher */ +#include #include "cipher_chacha20.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define CHACHA20_KEYLEN (CHACHA_KEY_SIZE) #define CHACHA20_BLKLEN (1) diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index 919d4fba94..b328cdb993 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -9,10 +9,10 @@ /* Dispatch functions for chacha20_poly1305 cipher */ +#include #include "cipher_chacha20_poly1305.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define CHACHA20_POLY1305_KEYLEN CHACHA_KEY_SIZE @@ -113,11 +113,11 @@ static int chacha20_poly1305_get_ctx_params(void *vctx, OSSL_PARAM params[]) return 0; } if (!ctx->base.enc) { - ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOTSET); + ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_SET); return 0; } if (p->data_size == 0 || p->data_size > POLY1305_BLOCK_SIZE) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; } memcpy(p->data, ctx->tag, p->data_size); @@ -180,7 +180,7 @@ static int chacha20_poly1305_set_ctx_params(void *vctx, return 0; } if (p->data_size == 0 || p->data_size > POLY1305_BLOCK_SIZE) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; } if (p->data != NULL) { @@ -214,7 +214,7 @@ static int chacha20_poly1305_set_ctx_params(void *vctx, return 0; } if (hw->tls_iv_set_fixed(&ctx->base, p->data, p->data_size) == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } } diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c index ec186445c8..11688080ce 100644 --- a/providers/implementations/ciphers/cipher_des.c +++ b/providers/implementations/ciphers/cipher_des.c @@ -13,12 +13,12 @@ */ #include "internal/deprecated.h" +#include +#include #include "prov/ciphercommon.h" #include "cipher_des.h" -#include #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define DES_FLAGS 0 @@ -89,7 +89,7 @@ static int des_init(void *vctx, const unsigned char *key, size_t keylen, if (key != NULL) { if (keylen != ctx->keylen) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } return ctx->hw->init(ctx, key, keylen); diff --git a/providers/implementations/ciphers/cipher_null.c b/providers/implementations/ciphers/cipher_null.c index c3ebb25c28..01db056983 100644 --- a/providers/implementations/ciphers/cipher_null.c +++ b/providers/implementations/ciphers/cipher_null.c @@ -10,10 +10,10 @@ #include #include #include +#include #include "prov/implementations.h" #include "prov/ciphercommon.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" typedef struct prov_cipher_null_ctx_st { int enc; diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c index 09d66b2cdd..6e25d1534a 100644 --- a/providers/implementations/ciphers/cipher_rc2.c +++ b/providers/implementations/ciphers/cipher_rc2.c @@ -15,10 +15,10 @@ */ #include "internal/deprecated.h" +#include #include "cipher_rc2.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define RC2_40_MAGIC 0xa0 #define RC2_64_MAGIC 0x78 diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index b757197110..c69b9aecb8 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -15,10 +15,10 @@ */ #include "internal/deprecated.h" +#include #include "cipher_rc4_hmac_md5.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define RC4_HMAC_MD5_FLAGS (PROV_CIPHER_FLAG_VARIABLE_LENGTH \ | PROV_CIPHER_FLAG_AEAD) diff --git a/providers/implementations/ciphers/cipher_rc5.c b/providers/implementations/ciphers/cipher_rc5.c index ec408ed885..db0dbaaf05 100644 --- a/providers/implementations/ciphers/cipher_rc5.c +++ b/providers/implementations/ciphers/cipher_rc5.c @@ -15,10 +15,10 @@ */ #include "internal/deprecated.h" +#include #include "cipher_rc5.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define RC5_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH diff --git a/providers/implementations/ciphers/cipher_tdes.c b/providers/implementations/ciphers/cipher_tdes.c index a2855af481..6ab083db41 100644 --- a/providers/implementations/ciphers/cipher_tdes.c +++ b/providers/implementations/ciphers/cipher_tdes.c @@ -13,11 +13,11 @@ */ #include "internal/deprecated.h" +#include +#include #include "prov/ciphercommon.h" #include "cipher_tdes.h" -#include #include "prov/implementations.h" -#include "prov/providercommonerr.h" /* * NOTE: ECB mode does not use an IV - but existing test code is setting diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c index 17b8ce40b0..59c8a976cc 100644 --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c @@ -13,12 +13,12 @@ */ #include "internal/deprecated.h" +#include +#include #include "prov/ciphercommon.h" #include "cipher_tdes.h" -#include #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" void *tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits, size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw) @@ -80,7 +80,7 @@ static int tdes_init(void *vctx, const unsigned char *key, size_t keylen, if (key != NULL) { if (keylen != ctx->keylen) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } return ctx->hw->init(ctx, key, ctx->keylen); diff --git a/providers/implementations/ciphers/cipher_tdes_wrap.c b/providers/implementations/ciphers/cipher_tdes_wrap.c index b78a77c254..d42bf78d8e 100644 --- a/providers/implementations/ciphers/cipher_tdes_wrap.c +++ b/providers/implementations/ciphers/cipher_tdes_wrap.c @@ -15,11 +15,11 @@ #include #include +#include #include "cipher_tdes_default.h" #include "crypto/evp.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #define TDES_WRAP_FLAGS PROV_CIPHER_FLAG_CUSTOM_IV diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index fa73edb473..9f6c82bddd 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -13,10 +13,10 @@ /* For SSL3_VERSION */ #include +#include #include "ciphercommon_local.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" /*- * Generic cipher functions for OSSL_PARAM gettables and settables @@ -191,7 +191,7 @@ static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx, if (key != NULL) { if (ctx->variable_keylength == 0) { if (keylen != ctx->keylen) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } } else { @@ -613,7 +613,7 @@ int ossl_cipher_generic_initiv(PROV_CIPHER_CTX *ctx, const unsigned char *iv, { if (ivlen != ctx->ivlen || ivlen > sizeof(ctx->iv)) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } ctx->iv_set = 1; diff --git a/providers/implementations/ciphers/ciphercommon_block.c b/providers/implementations/ciphers/ciphercommon_block.c index 68d5495b77..de375a6327 100644 --- a/providers/implementations/ciphers/ciphercommon_block.c +++ b/providers/implementations/ciphers/ciphercommon_block.c @@ -11,9 +11,9 @@ /* For SSL3_VERSION, TLS1_VERSION etc */ #include #include +#include #include "internal/constant_time.h" #include "ciphercommon_local.h" -#include "prov/providercommonerr.h" /* Functions defined in ssl/tls_pad.c */ int ssl3_cbc_remove_padding_and_mac(size_t *reclen, diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c index 0009e9876c..a780e7aed3 100644 --- a/providers/implementations/ciphers/ciphercommon_ccm.c +++ b/providers/implementations/ciphers/ciphercommon_ccm.c @@ -9,10 +9,10 @@ /* Dispatch functions for ccm mode */ +#include #include "prov/ciphercommon.h" #include "prov/ciphercommon_ccm.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out, size_t *padlen, const unsigned char *in, @@ -78,7 +78,7 @@ int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 0; } if ((p->data_size & 1) || (p->data_size < 4) || p->data_size > 16) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; } @@ -103,7 +103,7 @@ int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } ivlen = 15 - sz; if (ivlen < 2 || ivlen > 8) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } ctx->l = ivlen; @@ -130,7 +130,7 @@ int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 0; } if (ccm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } } @@ -162,7 +162,7 @@ int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); if (p != NULL) { if (ccm_get_ivlen(ctx) > p->data_size) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size) @@ -175,7 +175,7 @@ int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); if (p != NULL) { if (ccm_get_ivlen(ctx) > p->data_size) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size) @@ -200,7 +200,7 @@ int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG); if (p != NULL) { if (!ctx->enc || !ctx->tag_set) { - ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOTSET); + ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_SET); return 0; } if (p->data_type != OSSL_PARAM_OCTET_STRING) { @@ -228,7 +228,7 @@ static int ccm_init(void *vctx, const unsigned char *key, size_t keylen, if (iv != NULL) { if (ivlen != ccm_get_ivlen(ctx)) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } memcpy(ctx->iv, iv, ivlen); @@ -236,7 +236,7 @@ static int ccm_init(void *vctx, const unsigned char *key, size_t keylen, } if (key != NULL) { if (keylen != ctx->keylen) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } return ctx->hw->setkey(ctx, key, keylen); diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c index 974a8f6026..02a496d1dd 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm.c +++ b/providers/implementations/ciphers/ciphercommon_gcm.c @@ -9,11 +9,11 @@ /* Dispatch functions for gcm mode */ +#include +#include #include "prov/ciphercommon.h" #include "prov/ciphercommon_gcm.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" -#include #include "prov/provider_ctx.h" static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len); @@ -513,7 +513,7 @@ static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen, * side only. */ if (ctx->enc && ++ctx->tls_enc_records == 0) { - ERR_raise(ERR_LIB_PROV, EVP_R_TOO_MANY_RECORDS); + ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS); goto err; } diff --git a/providers/implementations/digests/digestcommon.c b/providers/implementations/digests/digestcommon.c index b8e7efde60..cbf32ac2f9 100644 --- a/providers/implementations/digests/digestcommon.c +++ b/providers/implementations/digests/digestcommon.c @@ -7,9 +7,9 @@ * https://www.openssl.org/source/license.html */ -#include "openssl/err.h" +#include +#include #include "prov/digestcommon.h" -#include "prov/providercommonerr.h" int digest_default_get_params(OSSL_PARAM params[], size_t blksz, size_t paramsz, unsigned long flags) diff --git a/providers/implementations/digests/mdc2_prov.c b/providers/implementations/digests/mdc2_prov.c index b184c8393c..8dc1d1af74 100644 --- a/providers/implementations/digests/mdc2_prov.c +++ b/providers/implementations/digests/mdc2_prov.c @@ -18,9 +18,9 @@ #include #include #include +#include #include "prov/digestcommon.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" static OSSL_FUNC_digest_set_ctx_params_fn mdc2_set_ctx_params; static OSSL_FUNC_digest_settable_ctx_params_fn mdc2_settable_ctx_params; diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c index 6e731fd842..cd8045f92c 100644 --- a/providers/implementations/digests/sha3_prov.c +++ b/providers/implementations/digests/sha3_prov.c @@ -13,10 +13,10 @@ #include #include #include +#include #include "internal/sha3.h" #include "prov/digestcommon.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #define SHA3_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT #define SHAKE_FLAGS PROV_DIGEST_FLAG_XOF diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 6611e808d1..09776127d4 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -22,6 +22,7 @@ #include /* PEM_BUFSIZE and public PEM functions */ #include #include +#include #include "internal/cryptlib.h" /* ossl_assert() */ #include "internal/asn1.h" #include "crypto/dh.h" @@ -31,7 +32,6 @@ #include "crypto/rsa.h" #include "prov/bio.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #include "endecoder_local.h" #define SET_ERR_MARK() ERR_set_mark() @@ -87,7 +87,7 @@ static int der_from_p8(unsigned char **new_der, long *new_der_len, size_t plen = 0; if (!pw_cb(pbuf, sizeof(pbuf), &plen, NULL, pw_cbarg)) { - ERR_raise(ERR_LIB_PROV, PROV_R_READ_KEY); + ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PASSPHRASE); } else { const X509_ALGOR *alg = NULL; const ASN1_OCTET_STRING *oct = NULL; diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c index 6c8b108290..cb6ebcefb6 100644 --- a/providers/implementations/encode_decode/decode_pem2der.c +++ b/providers/implementations/encode_decode/decode_pem2der.c @@ -21,10 +21,10 @@ #include #include #include +#include #include "internal/nelem.h" #include "prov/bio.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #include "endecoder_local.h" static int read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin, diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index 7af53cca96..8f868249ee 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -25,12 +25,12 @@ #include #include #include +#include #include "internal/passphrase.h" #include "internal/cryptlib.h" #include "crypto/ecx.h" #include "crypto/rsa.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #include "prov/bio.h" #include "prov/provider_ctx.h" #include "prov/der_rsa.h" @@ -96,7 +96,7 @@ static X509_SIG *p8info_to_encp8(PKCS8_PRIV_KEY_INFO *p8info, if (!ossl_pw_get_passphrase(kstr, sizeof(kstr), &klen, NULL, 1, &ctx->pwdata)) { - ERR_raise(ERR_LIB_PROV, PROV_R_READ_KEY); + ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PASSPHRASE); return NULL; } /* First argument == -1 means "standard" */ diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index 21cedbb0dd..05cccdce36 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "internal/ffc.h" #include "crypto/bn.h" /* bn_get_words() */ #include "crypto/dh.h" /* dh_get0_params() */ @@ -29,7 +30,6 @@ #include "crypto/rsa.h" /* RSA_PSS_PARAMS_30, etc... */ #include "prov/bio.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #include "endecoder_local.h" DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c index db6aa90c03..3b082ab503 100644 --- a/providers/implementations/exchange/ecx_exch.c +++ b/providers/implementations/exchange/ecx_exch.c @@ -12,11 +12,11 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "crypto/ecx.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #ifdef S390X_EC_ASM # include "s390x_arch.h" #endif diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index a985c85440..5fa24b93e3 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -20,12 +20,12 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" #include "e_os.h" diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index a8f09bdbff..2e1a96e28f 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -33,6 +33,7 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "crypto/evp.h" @@ -42,7 +43,6 @@ #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "e_os.h" diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c index 56a61b5cec..a928edbb0c 100644 --- a/providers/implementations/kdfs/krb5kdf.c +++ b/providers/implementations/kdfs/krb5kdf.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "crypto/evp.h" @@ -29,7 +30,6 @@ #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" /* KRB5 KDF defined in RFC 3961, Section 5.1 */ diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index 37a81f00ba..a3ecea2b03 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -20,12 +20,12 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" #include "pbkdf2.h" @@ -285,13 +285,13 @@ static int pbkdf2_derive(const char *pass, size_t passlen, * results in an overflow of the loop counter 'i'. */ if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } if (lower_bound_checks) { if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LEN); + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); return 0; } if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) { diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index b058005e1d..b388efe786 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -14,12 +14,12 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index 023b1916a1..3aba9f7955 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -14,12 +14,12 @@ #include #include #include +#include #include "crypto/evp.h" #include "internal/numbers.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #ifndef OPENSSL_NO_SCRYPT diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index e86c502184..058f3b95b7 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -13,12 +13,12 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index 84711dde27..641aacbe97 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -42,12 +42,12 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index aba08068ca..2cb825229b 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -52,12 +52,12 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" #include "e_os.h" diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index ae3ed69201..7f1f0e6c9d 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -14,11 +14,11 @@ #include #include #include +#include #include "internal/packet.h" #include "internal/der.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" #include "prov/der_wrap.h" diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 58a223fe42..0007224072 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -22,7 +22,7 @@ #include #include #include -#include "prov/providercommonerr.h" +#include #include "prov/provider_ctx.h" #include "prov/implementations.h" #include "prov/securitycheck.h" diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 3a58d9e4dc..bb479181c3 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -20,11 +20,11 @@ #include #include #include +#include #include "crypto/bn.h" #include "crypto/ec.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "internal/param_build_set.h" diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index 08de2a07cc..0f7f65ddbb 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -16,6 +16,7 @@ #include #include #include +#include #include "openssl/param_build.h" #include "internal/param_build_set.h" #include "prov/implementations.h" @@ -464,7 +465,7 @@ static void *mac_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg) return key; if (gctx->priv_key == NULL) { - ERR_raise(ERR_LIB_PROV, EVP_R_INVALID_KEY); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); ossl_mac_key_free(key); return NULL; } diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c index 542595efa1..4f57795500 100644 --- a/providers/implementations/macs/blake2_mac_impl.c +++ b/providers/implementations/macs/blake2_mac_impl.c @@ -10,10 +10,10 @@ #include #include #include +#include #include "prov/blake2.h" #include "internal/cryptlib.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/providercommon.h" diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c index fe4d2c3c8a..1d5d26f170 100644 --- a/providers/implementations/macs/gmac_prov.c +++ b/providers/implementations/macs/gmac_prov.c @@ -14,8 +14,8 @@ #include #include #include +#include -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" @@ -191,7 +191,7 @@ static int gmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) if (EVP_CIPHER_mode(ossl_prov_cipher_cipher(&macctx->cipher)) != EVP_CIPH_GCM_MODE) { - ERR_raise(ERR_LIB_PROV, EVP_R_CIPHER_NOT_GCM_MODE); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); return 0; } if (!EVP_EncryptInit_ex(ctx, ossl_prov_cipher_cipher(&macctx->cipher), @@ -204,7 +204,7 @@ static int gmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) return 0; if (p->data_size != (size_t)EVP_CIPHER_CTX_key_length(ctx)) { - ERR_raise(ERR_LIB_PROV, EVP_R_INVALID_KEY_LENGTH); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } if (!EVP_EncryptInit_ex(ctx, NULL, NULL, p->data, NULL)) diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index b9a6318e12..3a57dd0db6 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c @@ -53,8 +53,8 @@ #include #include #include +#include -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" @@ -258,7 +258,7 @@ static int kmac_init(void *vmacctx) /* Check key has been set */ if (kctx->key_len == 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEY_SET); + ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); return 0; } if (!EVP_DigestInit_ex(kctx->ctx, ossl_prov_digest_md(&kctx->digest), diff --git a/providers/implementations/macs/poly1305_prov.c b/providers/implementations/macs/poly1305_prov.c index a3bc47253c..b029dfefd4 100644 --- a/providers/implementations/macs/poly1305_prov.c +++ b/providers/implementations/macs/poly1305_prov.c @@ -12,10 +12,10 @@ #include #include #include +#include #include "crypto/poly1305.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/providercommon.h" diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c index 1a79ae0c6a..f2105a9c46 100644 --- a/providers/implementations/macs/siphash_prov.c +++ b/providers/implementations/macs/siphash_prov.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "crypto/siphash.h" /* @@ -22,7 +23,6 @@ */ #include "../../../crypto/siphash/siphash_local.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/providercommon.h" diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index cc965c9bc0..bdc980ef59 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -13,13 +13,13 @@ #include #include #include "crypto/rand.h" +#include #include "drbg_local.h" #include "internal/thread_once.h" #include "crypto/cryptlib.h" #include "prov/seeding.h" #include "crypto/rand_pool.h" #include "prov/provider_ctx.h" -#include "prov/providercommonerr.h" #include "prov/providercommon.h" /* diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index 9785c083fe..caf885c4cb 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -13,12 +13,12 @@ #include #include #include +#include #include "e_os.h" /* strcasecmp */ #include "crypto/modes.h" #include "internal/thread_once.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" -#include "prov/providercommonerr.h" #include "drbg_local.h" static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper; diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index 57e789099b..9c44c0bdb4 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -15,12 +15,12 @@ #include #include #include +#include #include "internal/thread_once.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #include "drbg_local.h" static OSSL_FUNC_rand_newctx_fn drbg_hash_new_wrapper; diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index 6311a57a97..314243d8ab 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -12,10 +12,10 @@ #include #include #include +#include #include "prov/provider_util.h" #include "internal/thread_once.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "drbg_local.h" diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index 0a533d016f..60088b2779 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c @@ -16,9 +16,9 @@ #include #include #include +#include #include "prov/implementations.h" #include "prov/provider_ctx.h" -#include "prov/providercommonerr.h" #include "crypto/rand.h" #include "crypto/rand_pool.h" diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index 515845c56c..be1a8fca3f 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -23,12 +23,12 @@ #include #include #include +#include #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/cryptlib.h" #include "prov/providercommon.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" #include "crypto/dsa.h" diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index e8e8e8d143..ed21ac79c3 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -21,11 +21,11 @@ #include #include #include +#include #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/cryptlib.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" diff --git a/providers/implementations/signature/eddsa.c b/providers/implementations/signature/eddsa.c index 57c37096ef..0409ed1892 100644 --- a/providers/implementations/signature/eddsa.c +++ b/providers/implementations/signature/eddsa.c @@ -14,11 +14,11 @@ #include #include #include +#include #include "internal/nelem.h" #include "internal/sizes.h" #include "prov/providercommon.h" #include "prov/implementations.h" -#include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "prov/der_ecx.h" #include "crypto/ecx.h" diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index e61d8ab04e..cb68de3b3e 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -22,12 +22,12 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/nelem.h" #include "internal/sizes.h" #include "crypto/rsa.h" #include "prov/providercommon.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/der_rsa.h" @@ -1245,7 +1245,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) * lowest saltlen number possible. */ if (saltlen < RSA_PSS_SALTLEN_MAX) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PSS_SALTLEN); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); return 0; } @@ -1253,7 +1253,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) switch (saltlen) { case RSA_PSS_SALTLEN_AUTO: if (prsactx->operation == EVP_PKEY_OP_VERIFY) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PSS_SALTLEN); + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, + "Cannot use autodetected salt length"); return 0; } break; diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c index 45fd70ef40..a3709ff074 100644 --- a/providers/implementations/signature/sm2sig.c +++ b/providers/implementations/signature/sm2sig.c @@ -21,10 +21,10 @@ #include #include #include +#include #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/cryptlib.h" -#include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "crypto/ec.h" diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 7f4dadbc28..a5edc53506 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -24,6 +24,7 @@ #include #include #include /* The OSSL_STORE_INFO type numbers */ +#include #include "internal/cryptlib.h" #include "internal/o_dir.h" #include "crypto/pem.h" /* For PVK and "blob" PEM headers */ @@ -31,7 +32,6 @@ #include "prov/implementations.h" #include "prov/bio.h" #include "prov/provider_ctx.h" -#include "prov/providercommonerr.h" #include "file_store_local.h" DEFINE_STACK_OF(OSSL_STORE_INFO) From no-reply at appveyor.com Thu Feb 11 15:53:45 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 11 Feb 2021 15:53:45 +0000 Subject: Build failed: openssl master.39792 Message-ID: <20210211155345.1.04F982A08BABA436@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Feb 11 17:05:46 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 11 Feb 2021 17:05:46 +0000 Subject: Build completed: openssl master.39793 Message-ID: <20210211170546.1.7778F5DBDC28968B@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Thu Feb 11 19:08:58 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 11 Feb 2021 19:08:58 +0000 Subject: [openssl] master update Message-ID: <1613070538.044124.14770.nullmailer@dev.openssl.org> The branch master has been updated via d1e85cdf79989685800968afe5099138bdc38729 (commit) from 283df0b84bb6c35ad1291cabd6f693328faca267 (commit) - Log ----------------------------------------------------------------- commit d1e85cdf79989685800968afe5099138bdc38729 Author: Dr. David von Oheimb Date: Sat Feb 6 21:51:55 2021 +0100 x509_vfy.c: Make chain_build() error diagnostics to the point Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14094) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 41 +++++++++++++++++++++++++++++++---------- include/openssl/x509_vfy.h.in | 2 +- 2 files changed, 32 insertions(+), 11 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index c3b0ba934a..a0bf50a708 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -143,16 +143,19 @@ static int lookup_cert_match(X509 **result, X509_STORE_CTX *ctx, X509 *x) /*- * Inform the verify callback of an error. - * If 'x' is not NULL it is the error cert, otherwise use the chain cert at - * 'depth' - * If 'err' is not X509_V_OK, that's the error value, otherwise leave - * unchanged (presumably set by the caller). + * The error code is set to |err| if |err| is not X509_V_OK, else + * |ctx->error| is left unchanged (under the assumption it is set elsewhere). + * The error depth is |depth| if >= 0, else it defaults to |ctx->error_depth|. + * The error cert is |x| if not NULL, else defaults to the chain cert at depth. * * Returns 0 to abort verification with an error, non-zero to continue. */ static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) { - ctx->error_depth = depth; + if (depth < 0) + depth = ctx->error_depth; + else + ctx->error_depth = depth; ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth); if (err != X509_V_OK) ctx->error = err; @@ -339,7 +342,17 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) /* Check that the given certificate 'x' is issued by the certificate 'issuer' */ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { - return x509_likely_issued(issuer, x) == X509_V_OK; + int err = x509_likely_issued(issuer, x); + + if (err == X509_V_OK) + return 1; + /* + * SUBJECT_ISSUER_MISMATCH just means 'x' is clearly not issued by 'issuer'. + * Every other error code likely indicates a real error. + */ + if (err != X509_V_ERR_SUBJECT_ISSUER_MISMATCH) + ctx->error = err; + return 0; /* Better call verify_cb_cert(ctx, x, ctx->error_depth, err) ? */ } /* @@ -1732,7 +1745,7 @@ static int internal_verify(X509_STORE_CTX *ctx) * We report the issuer as NULL because all we have is a bare key. */ xi = NULL; - } else if (!ctx->check_issued(ctx, xi, xi) + } else if (x509_likely_issued(xi, xi) != X509_V_OK /* exceptional case: last cert in the chain is not self-issued */ && ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) == 0)) { if (n > 0) { @@ -1750,7 +1763,7 @@ static int internal_verify(X509_STORE_CTX *ctx) } /* - * Do not clear ctx->error = 0, it must be "sticky", + * Do not clear error (by ctx->error = X509_V_OK), it must be "sticky", * only the user's callback is allowed to reset errors (at its own peril). */ while (n >= 0) { @@ -2308,7 +2321,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->other_ctx = NULL; ctx->valid = 0; ctx->chain = NULL; - ctx->error = 0; + ctx->error = X509_V_OK; ctx->explicit_policy = 0; ctx->error_depth = 0; ctx->current_cert = NULL; @@ -2976,6 +2989,7 @@ static int build_chain(X509_STORE_CTX *ctx) int alt_untrusted = 0; int depth; int ok = 0; + int prev_error = ctx->error; int i; /* Our chain starts with a single untrusted element. */ @@ -3047,6 +3061,8 @@ static int build_chain(X509_STORE_CTX *ctx) while (search != 0) { X509 *issuer = NULL; + num = sk_X509_num(ctx->chain); + ctx->error_depth = num - 1; /* * Look in the trust store if enabled for first lookup, or we've run * out of untrusted issuers and search here is not disabled. When we @@ -3062,7 +3078,7 @@ static int build_chain(X509_STORE_CTX *ctx) * would be a-priori too long. */ if ((search & S_DOTRUSTED) != 0) { - i = num = sk_X509_num(ctx->chain); + i = num; if ((search & S_DOALTERNATE) != 0) { /* * As high up the chain as we can, look for an alternative @@ -3263,12 +3279,17 @@ static int build_chain(X509_STORE_CTX *ctx) switch (trust) { case X509_TRUST_TRUSTED: + /* Must restore any previous error value for backward compatibility */ + ctx->error = prev_error; return 1; case X509_TRUST_REJECTED: /* Callback already issued */ return 0; case X509_TRUST_UNTRUSTED: default: + if (ctx->error != X509_V_OK) + /* Callback already issued in most such cases */ + return 0; num = sk_X509_num(ctx->chain); CB_FAIL_IF(num > depth, ctx, NULL, num - 1, X509_V_ERR_CERT_CHAIN_TOO_LONG); diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in index b72513272f..901b589adb 100644 --- a/include/openssl/x509_vfy.h.in +++ b/include/openssl/x509_vfy.h.in @@ -399,7 +399,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, - X509 *x509, STACK_OF(X509) *chain); + X509 *target, STACK_OF(X509) *chain); void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); From dev at ddvo.net Thu Feb 11 19:25:44 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 11 Feb 2021 19:25:44 +0000 Subject: [openssl] master update Message-ID: <1613071544.745928.18968.nullmailer@dev.openssl.org> The branch master has been updated via f1923a2147cdbfbc67ab54dfc15d2c6c4611ea9c (commit) from d1e85cdf79989685800968afe5099138bdc38729 (commit) - Log ----------------------------------------------------------------- commit f1923a2147cdbfbc67ab54dfc15d2c6c4611ea9c Author: Dr. David von Oheimb Date: Mon Feb 8 15:27:49 2021 +0100 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14130) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_lu.c | 45 +++++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 349c5e8c9f..96dfe83eef 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -305,6 +305,7 @@ X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, return ret; } +/* Also fill the cache with all matching certificates */ int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, const X509_NAME *name, X509_OBJECT *ret) @@ -711,11 +712,8 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, } /*- - * Try to get issuer certificate from store. Due to limitations - * of the API this can only retrieve a single certificate matching - * a given subject name. However it will fill the cache with all - * matching certificates, so we can examine the cache for all - * matches. + * Try to get issuer cert from |ctx->store| matching the subject name of |x|. + * Prefer the first non-expired one, else take the most recently expired one. * * Return values are: * 1 lookup successful. @@ -738,7 +736,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) X509_OBJECT_free(obj); return 0; } - /* If certificate matches all OK */ + /* If certificate matches and is currently valid all OK */ if (ctx->check_issued(ctx, x, obj->data.x509)) { if (x509_check_cert_time(ctx, obj->data.x509, -1)) { *issuer = obj->data.x509; @@ -752,39 +750,46 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) } X509_OBJECT_free(obj); + /* + * Due to limitations of the API this can only retrieve a single cert. + * However it will fill the cache with all matching certificates, + * so we can examine the cache for all matches. + */ if (store == NULL) return 0; - /* Else find index of first cert accepted by 'check_issued' */ + /* Find index of first currently valid cert accepted by 'check_issued' */ ret = 0; X509_STORE_lock(store); idx = X509_OBJECT_idx_by_subject(store->objs, X509_LU_X509, xn); - if (idx != -1) { /* should be true as we've had at least one - * match */ + if (idx != -1) { /* should be true as we've had at least one match */ /* Look through all matching certs for suitable issuer */ for (i = idx; i < sk_X509_OBJECT_num(store->objs); i++) { pobj = sk_X509_OBJECT_value(store->objs, i); /* See if we've run past the matches */ if (pobj->type != X509_LU_X509) break; - if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) - break; + if (X509_NAME_cmp(X509_get_subject_name(pobj->data.x509), xn) != 0) + break; /* Not more cert matches xn */ if (ctx->check_issued(ctx, x, pobj->data.x509)) { - *issuer = pobj->data.x509; ret = 1; + /* If times check fine, exit with match, else keep looking. */ + if (x509_check_cert_time(ctx, pobj->data.x509, -1)) { + *issuer = pobj->data.x509; + break; + } /* - * If times check, exit with match, - * otherwise keep looking. Leave last - * match in issuer so we return nearest - * match if no certificate time is OK. + * Leave the so far most recently expired match in *issuer + * so we return nearest match if no certificate time is OK. */ - - if (x509_check_cert_time(ctx, *issuer, -1)) - break; + if (*issuer == NULL + || ASN1_TIME_compare(X509_get0_notAfter(pobj->data.x509), + X509_get0_notAfter(*issuer)) > 0) + *issuer = pobj->data.x509; } } } - if (*issuer && !X509_up_ref(*issuer)) { + if (*issuer != NULL && !X509_up_ref(*issuer)) { *issuer = NULL; ret = -1; } From dev at ddvo.net Thu Feb 11 20:34:47 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 11 Feb 2021 20:34:47 +0000 Subject: [openssl] master update Message-ID: <1613075687.644060.1207.nullmailer@dev.openssl.org> The branch master has been updated via c926a5ecb7a855c2ca1716e4c408410d2b2adccd (commit) from f1923a2147cdbfbc67ab54dfc15d2c6c4611ea9c (commit) - Log ----------------------------------------------------------------- commit c926a5ecb7a855c2ca1716e4c408410d2b2adccd Author: Dr. David von Oheimb Date: Fri Feb 5 21:52:01 2021 +0100 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14088) ----------------------------------------------------------------------- Summary of changes: crypto/pkcs7/pk7_doit.c | 2 -- crypto/pkcs7/pk7_smime.c | 1 - crypto/x509/x509_vfy.c | 12 +++++++++--- doc/man3/X509_STORE_CTX_new.pod | 29 +++++++++++++++-------------- test/danetest.c | 1 - 5 files changed, 24 insertions(+), 21 deletions(-) diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index e962e93688..a979544aeb 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -1053,10 +1053,8 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, i = X509_verify_cert(ctx); if (i <= 0) { ERR_raise(ERR_LIB_PKCS7, ERR_R_X509_LIB); - X509_STORE_CTX_cleanup(ctx); goto err; } - X509_STORE_CTX_cleanup(ctx); return PKCS7_signatureVerify(bio, p7, si, x509); err: diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 8d89f7fd44..f6853513e0 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -289,7 +289,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, i = X509_verify_cert(cert_ctx); if (i <= 0) j = X509_STORE_CTX_get_error(cert_ctx); - X509_STORE_CTX_cleanup(cert_ctx); if (i <= 0) { ERR_raise_data(ERR_LIB_PKCS7, PKCS7_R_CERTIFICATE_VERIFY_ERROR, "Verify error: %s", diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index a0bf50a708..58598bbf1f 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1317,7 +1317,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, */ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) { - X509_STORE_CTX crl_ctx; + X509_STORE_CTX crl_ctx = {0}; int ret; /* Don't allow recursive CRL path validation */ @@ -2313,6 +2313,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, { int ret = 1; + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + X509_STORE_CTX_cleanup(ctx); + ctx->store = store; ctx->cert = x509; ctx->untrusted = chain; @@ -2340,7 +2346,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (store != NULL) ctx->cleanup = store->cleanup; else - ctx->cleanup = 0; + ctx->cleanup = NULL; if (store != NULL && store->check_issued != NULL) ctx->check_issued = store->check_issued; @@ -2463,7 +2469,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) * calls cleanup() for the same object twice! Thus we must zero the * pointers below after they're freed! */ - /* Seems to always be 0 in OpenSSL, do this at most once. */ + /* Seems to always be NULL in OpenSSL, do this at most once. */ if (ctx->cleanup != NULL) { ctx->cleanup(ctx); ctx->cleanup = NULL; diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod index e98dcc7cfa..3251c3b810 100644 --- a/doc/man3/X509_STORE_CTX_new.pod +++ b/doc/man3/X509_STORE_CTX_new.pod @@ -24,7 +24,7 @@ X509_STORE_CTX_verify_fn void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store, - X509 *target, STACK_OF(X509) *untrusted); + X509 *target, STACK_OF(X509) *chain); void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); @@ -60,26 +60,25 @@ X509_STORE_CTX_new() is the same as X509_STORE_CTX_new_ex() except that the default library context and a NULL property query string are used. X509_STORE_CTX_cleanup() internally cleans up an B structure. -The context can then be reused with a new call to X509_STORE_CTX_init(). +It is used by X509_STORE_CTX_init() and X509_STORE_CTX_free(). X509_STORE_CTX_free() completely frees up I. After this call I is no longer valid. If I is NULL nothing is done. X509_STORE_CTX_init() sets up I for a subsequent verification operation. -It must be called before each call to L, i.e., a I is -only good for one verification; if you want to verify a second certificate -or chain with the same I then you must call X509_STORE_CTX_cleanup() -and then X509_STORE_CTX_init() again before the second call to -L or L. +It must be called before each call to L or +L, i.e., a context is only good for one verification. +If you want to verify a further certificate or chain with the same I +then you must call X509_STORE_CTX_init() again. The trusted certificate store is set to I of type B. This may be NULL because there are no trusted certificates or because they are provided simply as a list using X509_STORE_CTX_set0_trusted_stack(). -The end entity certificate to be verified is set to I, -and a list of additional certificates may be provided in I, -which will not be trusted but may be used to build the chain. -Each of the I, I and I parameters can be -B. Yet note that L and L +The certificate to be verified is set to I, +and a list of additional certificates may be provided in I, +which will be untrusted but may be used to build the chain. +Each of the I, I and I parameters can be NULL. +Yet note that L and L will need a verification target. This can also be set using X509_STORE_CTX_set_cert(). For L, which takes by default the first element of the @@ -153,13 +152,13 @@ should be made or reference counts increased instead. =head1 RETURN VALUES -X509_STORE_CTX_new() returns a newly allocates context or B is an +X509_STORE_CTX_new() returns a newly allocated context or NULL if an error occurred. X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred. X509_STORE_CTX_get0_param() returns a pointer to an B -structure or B if an error occurred. +structure or NULL if an error occurred. X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), X509_STORE_CTX_set0_trusted_stack(), @@ -183,6 +182,8 @@ The X509_STORE_CTX_set0_crls() function was added in OpenSSL 1.0.0. The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0. The X509_STORE_CTX_new_ex() function was added in OpenSSL 3.0. +There is no need to call X509_STORE_CTX_cleanup() explicitly since OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/test/danetest.c b/test/danetest.c index 25fd16a411..49bcfb2570 100644 --- a/test/danetest.c +++ b/test/danetest.c @@ -82,7 +82,6 @@ static int verify_chain(SSL *ssl, STACK_OF(X509) *chain) ret = 0; SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx)); - X509_STORE_CTX_cleanup(store_ctx); end: X509_STORE_CTX_free(store_ctx); From pauli at openssl.org Thu Feb 11 22:32:23 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 11 Feb 2021 22:32:23 +0000 Subject: [openssl] master update Message-ID: <1613082743.673067.16380.nullmailer@dev.openssl.org> The branch master has been updated via 1baad060f9d440b8043a33ecf3fd4fc87534e075 (commit) from c926a5ecb7a855c2ca1716e4c408410d2b2adccd (commit) - Log ----------------------------------------------------------------- commit 1baad060f9d440b8043a33ecf3fd4fc87534e075 Author: Pauli Date: Thu Feb 11 08:28:41 2021 +1000 test: add an option to output timing information from tests. Fixes #14141 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14149) ----------------------------------------------------------------------- Summary of changes: test/run_tests.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/test/run_tests.pl b/test/run_tests.pl index 8e50d1bc90..aa29888967 100644 --- a/test/run_tests.pl +++ b/test/run_tests.pl @@ -44,6 +44,7 @@ my %tapargs = lib => [ $libdir ], switches => '-w', merge => 1, + timer => $ENV{HARNESS_TIMER} ? 1 : 0, ); if ($jobs > 1) { From pauli at openssl.org Thu Feb 11 22:35:56 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 11 Feb 2021 22:35:56 +0000 Subject: [openssl] master update Message-ID: <1613082956.601780.18355.nullmailer@dev.openssl.org> The branch master has been updated via 22040fb790c854cefb04bed98ed38ea6357daf83 (commit) via 03bbd346f4410c329d472cc043fb6c49f6688eba (commit) via d0190e11639956677747f6bc7bb5bcd610fd8600 (commit) via 51e5df0ed01efa47335940425cc8744ecff1b6ae (commit) via 182717bd8a7a438c110d3a3b28387477833b4edc (commit) via 50ca7e18954d901ee9215a1a4bb3ecf00b95642a (commit) from 1baad060f9d440b8043a33ecf3fd4fc87534e075 (commit) - Log ----------------------------------------------------------------- commit 22040fb790c854cefb04bed98ed38ea6357daf83 Author: Rich Salz Date: Wed Feb 10 13:33:41 2021 -0500 Allow -rand to be repeated Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14135) commit 03bbd346f4410c329d472cc043fb6c49f6688eba Author: Rich Salz Date: Mon Feb 8 14:20:01 2021 -0500 Fetch cipher after loading providers Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14135) commit d0190e11639956677747f6bc7bb5bcd610fd8600 Author: Rich Salz Date: Mon Feb 8 14:03:35 2021 -0500 Process digest option after loading providers Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14135) commit 51e5df0ed01efa47335940425cc8744ecff1b6ae Author: Rich Salz Date: Mon Feb 8 13:45:23 2021 -0500 Load rand state after loading providers Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14135) commit 182717bd8a7a438c110d3a3b28387477833b4edc Author: Rich Salz Date: Sun Feb 7 10:42:23 2021 -0500 Fetch alg, etc., after loading providers Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14135) commit 50ca7e18954d901ee9215a1a4bb3ecf00b95642a Author: Rich Salz Date: Fri Feb 5 15:38:07 2021 -0500 Fetch algorithm after loading providers Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14135) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 3 ++- apps/cms.c | 20 +++++++++----- apps/crl.c | 8 ++++-- apps/dgst.c | 13 +++++---- apps/dhparam.c | 1 + apps/dsa.c | 9 ++++--- apps/dsaparam.c | 1 + apps/ec.c | 9 ++++--- apps/ecparam.c | 1 + apps/enc.c | 39 +++++++++++++-------------- apps/gendsa.c | 12 ++++++--- apps/genpkey.c | 76 +++++++++++++++++++++++++++++------------------------ apps/genrsa.c | 10 ++++--- apps/include/apps.h | 1 + apps/lib/app_rand.c | 24 ++++++++++++++++- apps/ocsp.c | 10 ++++--- apps/passwd.c | 1 + apps/pkcs12.c | 26 +++++++++++------- apps/pkcs8.c | 10 ++++--- apps/pkey.c | 9 ++++--- apps/pkeyutl.c | 11 +++++--- apps/rand.c | 1 + apps/req.c | 13 ++++++--- apps/rsa.c | 9 ++++--- apps/rsautl.c | 1 + apps/s_client.c | 5 ++-- apps/s_server.c | 1 + apps/smime.c | 18 +++++++++---- apps/speed.c | 1 + apps/srp.c | 1 + apps/storeutl.c | 11 +++++--- apps/ts.c | 10 ++++--- apps/x509.c | 11 +++++--- 33 files changed, 250 insertions(+), 126 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 61e49336d0..29f62f86f2 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -209,7 +209,7 @@ const OPTIONS ca_options[] = { {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, OPT_SECTION("Signing"), - {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, + {"md", OPT_MD, 's', "Digest to use, such as sha256"}, {"keyfile", OPT_KEYFILE, 's', "The CA private key"}, {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"}, @@ -521,6 +521,7 @@ end_of_options: goto end; app_RAND_load_conf(conf, BASE_SECTION); + app_RAND_load(); f = NCONF_get_string(conf, section, STRING_MASK); if (f == NULL) diff --git a/apps/cms.c b/apps/cms.c index 36fb88e15c..67cbb9379a 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -286,10 +286,11 @@ int cms_main(int argc, char **argv) X509_VERIFY_PARAM *vpm = NULL; char *certfile = NULL, *keyfile = NULL, *contfile = NULL; const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL; - char *certsoutfile = NULL; + char *certsoutfile = NULL, *digestname = NULL; int noCAfile = 0, noCApath = 0, noCAstore = 0; char *infile = NULL, *outfile = NULL, *rctfile = NULL; - char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL; + char *passinarg = NULL, *passin = NULL, *signerfile = NULL; + char *originatorfile = NULL, *recipfile = NULL, *ciphername = NULL; char *to = NULL, *from = NULL, *subject = NULL, *prog; cms_key_param *key_first = NULL, *key_param = NULL; int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0; @@ -565,8 +566,7 @@ int cms_main(int argc, char **argv) certsoutfile = opt_arg(); break; case OPT_MD: - if (!opt_md(opt_arg(), &sign_md)) - goto end; + digestname = opt_arg(); break; case OPT_SIGNER: /* If previous -signer argument add signer to list */ @@ -625,8 +625,7 @@ int cms_main(int argc, char **argv) } break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &cipher)) - goto end; + ciphername = opt_unknown(); break; case OPT_KEYOPT: keyidx = -1; @@ -698,6 +697,15 @@ int cms_main(int argc, char **argv) break; } } + app_RAND_load(); + if (digestname != NULL) { + if (!opt_md(digestname, &sign_md)) + goto end; + } + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &cipher)) + goto end; + } /* Remaining args are files to process. */ argc = opt_num_rest(); diff --git a/apps/crl.c b/apps/crl.c index ddbf96bfca..dd9d41e8ea 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -84,6 +84,7 @@ int crl_main(int argc, char **argv) EVP_PKEY *pkey; const EVP_MD *digest = EVP_sha1(); char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL; + char *digestname = NULL; const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog; OPTION_CHOICE o; int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0; @@ -192,8 +193,7 @@ int crl_main(int argc, char **argv) goto opthelp; break; case OPT_MD: - if (!opt_md(opt_unknown(), &digest)) - goto opthelp; + digestname = opt_unknown(); break; case OPT_PROV_CASES: if (!opt_provider(o)) @@ -207,6 +207,10 @@ int crl_main(int argc, char **argv) if (argc != 0) goto opthelp; + if (digestname != NULL) { + if (!opt_md(digestname, &digest)) + goto opthelp; + } x = load_crl(infile, "CRL"); if (x == NULL) goto end; diff --git a/apps/dgst.c b/apps/dgst.c index 0eb84f5169..891cf79279 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -97,9 +97,9 @@ int dgst_main(int argc, char **argv) EVP_PKEY *sigkey = NULL; STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; char *hmac_key = NULL; - char *mac_name = NULL; + char *mac_name = NULL, *digestname = NULL; char *passinarg = NULL, *passin = NULL; - const EVP_MD *md = NULL, *m; + const EVP_MD *md = NULL; const char *outfile = NULL, *keyfile = NULL, *prog = NULL; const char *sigfile = NULL; const char *md_name = NULL; @@ -209,9 +209,7 @@ int dgst_main(int argc, char **argv) goto opthelp; break; case OPT_DIGEST: - if (!opt_md(opt_unknown(), &m)) - goto opthelp; - md = m; + digestname = opt_unknown(); break; case OPT_PROV_CASES: if (!opt_provider(o)) @@ -227,6 +225,11 @@ int dgst_main(int argc, char **argv) BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog); goto end; } + app_RAND_load(); + if (digestname != NULL) { + if (!opt_md(digestname, &md)) + goto opthelp; + } if (do_verify && sigfile == NULL) { BIO_printf(bio_err, diff --git a/apps/dhparam.c b/apps/dhparam.c index cfa399e459..30fdfbbf6e 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -158,6 +158,7 @@ int dhparam_main(int argc, char **argv) } else if (argc != 0) { goto opthelp; } + app_RAND_load(); if (g && !num) diff --git a/apps/dsa.c b/apps/dsa.c index ebb841fa53..c4baaf7de9 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -87,7 +87,7 @@ int dsa_main(int argc, char **argv) int modulus = 0, pubin = 0, pubout = 0, ret = 1; int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH; int private = 0; - const char *output_type = NULL; + const char *output_type = NULL, *ciphername = NULL; const char *output_structure = NULL; int selection = 0; OSSL_ENCODER_CTX *ectx = NULL; @@ -151,8 +151,7 @@ int dsa_main(int argc, char **argv) pubout = 1; break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &enc)) - goto end; + ciphername = opt_unknown(); break; case OPT_PROV_CASES: if (!opt_provider(o)) @@ -166,6 +165,10 @@ int dsa_main(int argc, char **argv) if (argc != 0) goto opthelp; + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &enc)) + goto end; + } private = pubin || pubout ? 0 : 1; if (text && !pubin) private = 1; diff --git a/apps/dsaparam.c b/apps/dsaparam.c index f09318f54b..70c698dbec 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -135,6 +135,7 @@ int dsaparam_main(int argc, char **argv) } else if (argc != 0) { goto opthelp; } + app_RAND_load(); /* generate a key */ numbits = num; diff --git a/apps/ec.c b/apps/ec.c index 495e8e6617..d89c580020 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -70,7 +70,7 @@ int ec_main(int argc, char **argv) BIO *in = NULL, *out = NULL; ENGINE *e = NULL; const EVP_CIPHER *enc = NULL; - char *infile = NULL, *outfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; @@ -131,8 +131,7 @@ int ec_main(int argc, char **argv) e = setup_engine(opt_arg(), 0); break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &enc)) - goto opthelp; + ciphername = opt_unknown(); break; case OPT_CONV_FORM: point_format = opt_arg(); @@ -162,6 +161,10 @@ int ec_main(int argc, char **argv) if (argc != 0) goto opthelp; + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &enc)) + goto opthelp; + } private = param_out || pubin || pubout ? 0 : 1; if (text && !pubin) private = 1; diff --git a/apps/ecparam.c b/apps/ecparam.c index 762da3f2c9..e05a3a495f 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -190,6 +190,7 @@ int ecparam_main(int argc, char **argv) if (argc != 0) goto opthelp; + app_RAND_load(); private = genkey ? 1 : 0; in = bio_open_default(infile, 'r', informat); diff --git a/apps/enc.c b/apps/enc.c index 81e52c10ce..9982337c01 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -109,11 +109,13 @@ int enc_main(int argc, char **argv) BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = NULL, *wbio = NULL; EVP_CIPHER_CTX *ctx = NULL; - const EVP_CIPHER *cipher = NULL, *c; + const EVP_CIPHER *cipher = NULL; const EVP_MD *dgst = NULL; + const char *digestname = NULL; char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; - char *infile = NULL, *outfile = NULL, *prog, *arg0; + char *infile = NULL, *outfile = NULL, *prog; char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL; + const char *ciphername = NULL; char mbuf[sizeof(magic) - 1]; OPTION_CHOICE o; int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; @@ -132,20 +134,14 @@ int enc_main(int argc, char **argv) #endif /* first check the command name */ - arg0 = argv[0]; - if (strcmp(arg0, "base64") == 0) { + if (strcmp(argv[0], "base64") == 0) base64 = 1; #ifdef ZLIB - } else if (strcmp(arg0, "zlib") == 0) { + else if (strcmp(argv[0], "zlib") == 0) do_zlib = 1; #endif - } else { - cipher = EVP_get_cipherbyname(arg0); - if (cipher == NULL && strcmp(arg0, "enc") != 0) { - BIO_printf(bio_err, "%s is not a known cipher\n", arg0); - goto end; - } - } + else if (strcmp(argv[0], "enc") != 0) + ciphername = argv[0]; prog = opt_init(argc, argv, enc_options); while ((o = opt_next()) != OPT_EOF) { @@ -264,13 +260,10 @@ int enc_main(int argc, char **argv) hiv = opt_arg(); break; case OPT_MD: - if (!opt_md(opt_arg(), &dgst)) - goto opthelp; + digestname = opt_arg(); break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &c)) - goto opthelp; - cipher = c; + ciphername = opt_unknown(); break; case OPT_ITER: if (!opt_int(opt_arg(), &iter)) @@ -300,17 +293,25 @@ int enc_main(int argc, char **argv) argc = opt_num_rest(); if (argc != 0) goto opthelp; + app_RAND_load(); + /* Get the cipher name, either from progname (if set) or flag. */ + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &cipher)) + goto opthelp; + } if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog); goto end; } - if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) { BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog); goto end; } - + if (digestname != NULL) { + if (!opt_md(digestname, &dgst)) + goto opthelp; + } if (dgst == NULL) dgst = EVP_sha256(); diff --git a/apps/gendsa.c b/apps/gendsa.c index c90a01d979..c6c84c9a56 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -57,7 +57,7 @@ int gendsa_main(int argc, char **argv) EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; const EVP_CIPHER *enc = NULL; - char *dsaparams = NULL; + char *dsaparams = NULL, *ciphername = NULL; char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog; OPTION_CHOICE o; int ret = 1, private = 0, verbose = 0; @@ -93,8 +93,7 @@ int gendsa_main(int argc, char **argv) goto end; break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &enc)) - goto end; + ciphername = opt_unknown(); break; case OPT_VERBOSE: verbose = 1; @@ -107,8 +106,13 @@ int gendsa_main(int argc, char **argv) argv = opt_rest(); if (argc != 1) goto opthelp; - dsaparams = argv[0]; + + app_RAND_load(); + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &enc)) + goto end; + } private = 1; if (!app_passwd(NULL, passoutarg, NULL, &passout)) { diff --git a/apps/genpkey.c b/apps/genpkey.c index bdd8b43e47..4d28b4ecc2 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -62,14 +62,19 @@ int genpkey_main(int argc, char **argv) ENGINE *e = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; - char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog; + char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog, *p; + const char *ciphername = NULL, *paramfile = NULL, *algname = NULL; const EVP_CIPHER *cipher = NULL; OPTION_CHOICE o; int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0; - int private = 0; + int private = 0, i, m; OSSL_LIB_CTX *libctx = app_get0_libctx(); + STACK_OF(OPENSSL_STRING) *keyopt = NULL; prog = opt_init(argc, argv, genpkey_options); + keyopt = sk_OPENSSL_STRING_new_null(); + if (keyopt == NULL) + goto end; while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: @@ -97,49 +102,23 @@ int genpkey_main(int argc, char **argv) case OPT_PARAMFILE: if (do_param == 1) goto opthelp; - if (!init_keygen_file(&ctx, opt_arg(), e, libctx, app_get0_propq())) - goto end; + paramfile = opt_arg(); break; case OPT_ALGORITHM: - if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, app_get0_propq())) - goto end; + algname = opt_arg(); break; case OPT_PKEYOPT: - if (ctx == NULL) { - BIO_printf(bio_err, "%s: No keytype specified.\n", prog); - goto opthelp; - } - if (pkey_ctrl_string(ctx, opt_arg()) <= 0) { - BIO_printf(bio_err, - "%s: Error setting %s parameter:\n", - prog, opt_arg()); - ERR_print_errors(bio_err); + if (!sk_OPENSSL_STRING_push(keyopt, opt_arg())) goto end; - } break; case OPT_GENPARAM: - if (ctx != NULL) { - BIO_printf(bio_err, - "%s: '-genparam' option must be set before" - " the '-algorithm' option.\n", prog); - goto opthelp; - } do_param = 1; break; case OPT_TEXT: text = 1; break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &cipher) - || do_param == 1) - goto opthelp; - if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE || - EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE || - EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE || - EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) { - BIO_printf(bio_err, "%s: cipher mode not supported\n", prog); - goto end; - } + ciphername = opt_unknown(); break; case OPT_CONFIG: conf = app_load_config_modules(opt_arg()); @@ -158,11 +137,39 @@ int genpkey_main(int argc, char **argv) if (argc != 0) goto opthelp; - private = do_param ? 0 : 1; - + /* Fetch cipher, etc. */ + if (paramfile != NULL) { + if (!init_keygen_file(&ctx, paramfile, e, libctx, app_get0_propq())) + goto end; + } + if (algname != NULL) { + if (!init_gen_str(&ctx, algname, e, do_param, libctx, app_get0_propq())) + goto end; + } if (ctx == NULL) goto opthelp; + for (i = 0; i < sk_OPENSSL_STRING_num(keyopt); i++) { + p = sk_OPENSSL_STRING_value(keyopt, i); + if (pkey_ctrl_string(ctx, p) <= 0) { + BIO_printf(bio_err, "%s: Error setting %s parameter:\n", prog, p); + ERR_print_errors(bio_err); + goto end; + } + } + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &cipher) || do_param == 1) + goto opthelp; + m = EVP_CIPHER_mode(cipher); + if (m == EVP_CIPH_GCM_MODE || m == EVP_CIPH_CCM_MODE + || m == EVP_CIPH_XTS_MODE || m == EVP_CIPH_OCB_MODE) { + BIO_printf(bio_err, "%s: cipher mode not supported\n", prog); + goto end; + } + } + + private = do_param ? 0 : 1; + if (!app_passwd(passarg, NULL, &pass, NULL)) { BIO_puts(bio_err, "Error getting password\n"); goto end; @@ -224,6 +231,7 @@ int genpkey_main(int argc, char **argv) } end: + sk_OPENSSL_STRING_free(keyopt); EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(ctx); BIO_free_all(out); diff --git a/apps/genrsa.c b/apps/genrsa.c index 2cc1abfbe5..cd99b53a3b 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -86,7 +86,7 @@ int genrsa_main(int argc, char **argv) int ret = 1, num = DEFBITS, private = 0, primes = DEFPRIMES; unsigned long f4 = RSA_F4; char *outfile = NULL, *passoutarg = NULL, *passout = NULL; - char *prog, *hexe, *dece; + char *prog, *hexe, *dece, *ciphername = NULL; OPTION_CHOICE o; int traditional = 0; @@ -131,8 +131,7 @@ opthelp: passoutarg = opt_arg(); break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &enc)) - goto end; + ciphername = opt_unknown(); break; case OPT_PRIMES: if (!opt_int(opt_arg(), &primes)) @@ -164,7 +163,12 @@ opthelp: goto opthelp; } + app_RAND_load(); private = 1; + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &enc)) + goto end; + } if (!app_passwd(NULL, passoutarg, NULL, &passout)) { BIO_printf(bio_err, "Error getting password\n"); goto end; diff --git a/apps/include/apps.h b/apps/include/apps.h index d4241fa61e..45a9c4e758 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -47,6 +47,7 @@ void app_RAND_load_conf(CONF *c, const char *section); void app_RAND_write(void); +int app_RAND_load(void); extern char *default_config_file; /* may be "" */ extern BIO *bio_in; diff --git a/apps/lib/app_rand.c b/apps/lib/app_rand.c index 1861343a9c..913e66e73f 100644 --- a/apps/lib/app_rand.c +++ b/apps/lib/app_rand.c @@ -14,6 +14,7 @@ #include static char *save_rand_file; +static STACK_OF(OPENSSL_STRING) *randfiles; void app_RAND_load_conf(CONF *c, const char *section) { @@ -57,6 +58,23 @@ static int loadfiles(char *name) return ret; } +int app_RAND_load(void) +{ + char *p; + int i, ret = 1; + + if (randfiles == NULL) + return 1; + + for (i = 0; i < sk_OPENSSL_STRING_num(randfiles); i++) { + p = sk_OPENSSL_STRING_value(randfiles, i); + if (!loadfiles(p)) + ret = 0; + } + sk_OPENSSL_STRING_free(randfiles); + return ret; +} + void app_RAND_write(void) { if (save_rand_file == NULL) @@ -82,7 +100,11 @@ int opt_rand(int opt) case OPT_R__LAST: break; case OPT_R_RAND: - return loadfiles(opt_arg()); + if (randfiles == NULL + && (randfiles = sk_OPENSSL_STRING_new_null()) == NULL) + return 0; + if (!sk_OPENSSL_STRING_push(randfiles, opt_arg())) + return 0; break; case OPT_R_WRITERAND: OPENSSL_free(save_rand_file); diff --git a/apps/ocsp.c b/apps/ocsp.c index 982423d1ef..dd1677b1c1 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -223,7 +223,7 @@ int ocsp_main(int argc, char **argv) X509_STORE *store = NULL; X509_VERIFY_PARAM *vpm = NULL; const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL; - char *header, *value; + char *header, *value, *respdigname = NULL; char *host = NULL, *port = NULL, *path = "/", *outfile = NULL; char *rca_filename = NULL, *reqin = NULL, *respin = NULL; char *reqout = NULL, *respout = NULL, *ridx_filename = NULL; @@ -467,8 +467,7 @@ int ocsp_main(int argc, char **argv) rcertfile = opt_arg(); break; case OPT_RMD: /* Response MessageDigest */ - if (!opt_md(opt_arg(), &rsign_md)) - goto end; + respdigname = opt_arg(); break; case OPT_RSIGOPT: if (rsign_sigopts == NULL) @@ -526,6 +525,11 @@ int ocsp_main(int argc, char **argv) goto opthelp; } + if (respdigname != NULL) { + if (!opt_md(respdigname, &rsign_md)) + goto end; + } + /* Have we anything to do? */ if (req == NULL && reqin == NULL && respin == NULL && !(port != NULL && ridx_filename != NULL)) diff --git a/apps/passwd.c b/apps/passwd.c index f8a0493c4c..08b94622da 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -195,6 +195,7 @@ int passwd_main(int argc, char **argv) passwds = argv; } + app_RAND_load(); if (mode == passwd_unset) { /* use default */ mode = passwd_md5; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 60e12cf932..e96f9ec4a4 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -145,7 +145,7 @@ const OPTIONS pkcs12_options[] = { int pkcs12_main(int argc, char **argv) { char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; - char *untrusted = NULL; + char *untrusted = NULL, *ciphername = NULL, *enc_flag = NULL; char *passcertsarg = NULL, *passcerts = NULL; char *name = NULL, *csp_name = NULL; char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; @@ -164,7 +164,6 @@ int pkcs12_main(int argc, char **argv) BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; STACK_OF(OPENSSL_STRING) *canames = NULL; - const char *enc_flag = NULL; const EVP_CIPHER *const default_enc = EVP_aes_256_cbc(); const EVP_CIPHER *enc = default_enc; OPTION_CHOICE o; @@ -220,10 +219,19 @@ int pkcs12_main(int argc, char **argv) case OPT_EXPORT: export_pkcs12 = 1; break; + case OPT_NODES: + case OPT_NOENC: + /* + * |enc_flag| stores the name of the option used so it + * can be printed if an error message is output. + */ + enc_flag = opt_flag() + 1; + enc = NULL; + ciphername = NULL; + break; case OPT_CIPHER: + ciphername = opt_unknown(); enc_flag = opt_unknown(); - if (!opt_cipher(enc_flag, &enc)) - goto opthelp; break; case OPT_ITER: if (!opt_int(opt_arg(), &iter)) @@ -246,11 +254,6 @@ int pkcs12_main(int argc, char **argv) case OPT_MACALG: macalg = opt_arg(); break; - case OPT_NODES: - case OPT_NOENC: - enc_flag = opt_flag() + 1; - enc = NULL; - break; case OPT_CERTPBE: if (!set_pbe(&cert_pbe, opt_arg())) goto opthelp; @@ -341,6 +344,11 @@ int pkcs12_main(int argc, char **argv) if (argc != 0) goto opthelp; + app_RAND_load(); + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &enc)) + goto opthelp; + } if (export_pkcs12) { if ((options & INFO) != 0) WARN_EXPORT("info"); diff --git a/apps/pkcs8.c b/apps/pkcs8.c index ae0824c6d2..674007498a 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -75,7 +75,7 @@ int pkcs8_main(int argc, char **argv) PKCS8_PRIV_KEY_INFO *p8inf = NULL; X509_SIG *p8 = NULL; const EVP_CIPHER *cipher = NULL; - char *infile = NULL, *outfile = NULL; + char *infile = NULL, *outfile = NULL, *ciphername = NULL; char *passinarg = NULL, *passoutarg = NULL, *prog; #ifndef OPENSSL_NO_UI_CONSOLE char pass[APP_PASS_LEN]; @@ -136,8 +136,7 @@ int pkcs8_main(int argc, char **argv) traditional = 1; break; case OPT_V2: - if (!opt_cipher(opt_arg(), &cipher)) - goto opthelp; + ciphername = opt_arg(); break; case OPT_V1: pbe_nid = OBJ_txt2nid(opt_arg()); @@ -200,6 +199,11 @@ int pkcs8_main(int argc, char **argv) goto opthelp; private = 1; + app_RAND_load(); + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &cipher)) + goto opthelp; + } if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); diff --git a/apps/pkey.c b/apps/pkey.c index a48c9856bf..1a53447401 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -73,7 +73,7 @@ int pkey_main(int argc, char **argv) EVP_PKEY_CTX *ctx = NULL; const EVP_CIPHER *cipher = NULL; char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; - char *passinarg = NULL, *passoutarg = NULL, *prog; + char *passinarg = NULL, *passoutarg = NULL, *ciphername = NULL, *prog; OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM; int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1; @@ -143,8 +143,7 @@ int pkey_main(int argc, char **argv) pub_check = 1; break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &cipher)) - goto opthelp; + ciphername = opt_unknown(); break; case OPT_EC_CONV_FORM: #ifdef OPENSSL_NO_EC @@ -187,6 +186,10 @@ int pkey_main(int argc, char **argv) "Warning: The -traditional is ignored since there is no PEM output\n"); private = (!noout && !pubout) || (text && !text_pub); + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &cipher)) + goto opthelp; + } if (cipher == NULL) { if (passoutarg != NULL) BIO_printf(bio_err, diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 4eb15c30f4..b70f9935b6 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -117,7 +117,7 @@ int pkeyutl_main(int argc, char **argv) size_t buf_outlen; const char *inkey = NULL; const char *peerkey = NULL; - const char *kdfalg = NULL; + const char *kdfalg = NULL, *digestname = NULL; int kdflen = 0; STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL; @@ -244,8 +244,7 @@ int pkeyutl_main(int argc, char **argv) rawin = 1; break; case OPT_DIGEST: - if (!opt_md(opt_arg(), &md)) - goto end; + digestname = opt_arg(); break; } } @@ -255,6 +254,12 @@ int pkeyutl_main(int argc, char **argv) if (argc != 0) goto opthelp; + app_RAND_load(); + if (digestname != NULL) { + if (!opt_md(digestname, &md)) + goto end; + } + if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) { BIO_printf(bio_err, "%s: -rawin can only be used with -sign or -verify\n", diff --git a/apps/rand.c b/apps/rand.c index c78123e161..69a13f975e 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -99,6 +99,7 @@ int rand_main(int argc, char **argv) goto opthelp; } + app_RAND_load(); out = bio_open_default(outfile, 'w', format); if (out == NULL) goto end; diff --git a/apps/req.c b/apps/req.c index 75840ae387..881cbb45c7 100644 --- a/apps/req.c +++ b/apps/req.c @@ -245,7 +245,7 @@ int req_main(int argc, char **argv) BIO *addext_bio = NULL; char *extensions = NULL; const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL; - char *outfile = NULL, *keyfile = NULL; + char *outfile = NULL, *keyfile = NULL, *digestname = NULL; char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; char *nofree_passin = NULL, *nofree_passout = NULL; @@ -468,9 +468,7 @@ int req_main(int argc, char **argv) newreq = precert = 1; break; case OPT_MD: - if (!opt_md(opt_unknown(), &md_alg)) - goto opthelp; - digest = md_alg; + digestname = opt_unknown(); break; } } @@ -480,6 +478,13 @@ int req_main(int argc, char **argv) if (argc != 0) goto opthelp; + app_RAND_load(); + if (digestname != NULL) { + if (!opt_md(digestname, &md_alg)) + goto opthelp; + digest = md_alg; + } + if (!gen_x509) { if (days != UNSET_DAYS) BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n"); diff --git a/apps/rsa.c b/apps/rsa.c index b65c8fc793..1a75681c70 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -93,7 +93,7 @@ int rsa_main(int argc, char **argv) EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx; const EVP_CIPHER *enc = NULL; - char *infile = NULL, *outfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; int private = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0; @@ -171,8 +171,7 @@ int rsa_main(int argc, char **argv) check = 1; break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &enc)) - goto opthelp; + ciphername = opt_unknown(); break; case OPT_PROV_CASES: if (!opt_provider(o)) @@ -189,6 +188,10 @@ int rsa_main(int argc, char **argv) if (argc != 0) goto opthelp; + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &enc)) + goto opthelp; + } private = (text && !pubin) || (!pubout && !noout) ? 1 : 0; if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { diff --git a/apps/rsautl.c b/apps/rsautl.c index 333edb9363..ae4855f8f5 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -177,6 +177,7 @@ int rsautl_main(int argc, char **argv) if (argc != 0) goto opthelp; + app_RAND_load(); if (need_priv && (key_type != KEY_PRIVKEY)) { BIO_printf(bio_err, "A private key is needed for this operation\n"); goto end; diff --git a/apps/s_client.c b/apps/s_client.c index 188ce26a8f..90f9411f45 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1574,9 +1574,7 @@ int s_client_main(int argc, char **argv) /* Optional argument is connect string if -connect not used. */ argc = opt_num_rest(); if (argc == 1) { - /* - * Don't allow -connect and a separate argument. - */ + /* Don't allow -connect and a separate argument. */ if (connectstr != NULL) { BIO_printf(bio_err, "%s: cannot provide both -connect option and target parameter\n", @@ -1588,6 +1586,7 @@ int s_client_main(int argc, char **argv) } else if (argc != 0) { goto opthelp; } + app_RAND_load(); if (count4or6 >= 2) { BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog); diff --git a/apps/s_server.c b/apps/s_server.c index 2f9b469953..498e629dbf 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1662,6 +1662,7 @@ int s_server_main(int argc, char *argv[]) if (argc != 0) goto opthelp; + app_RAND_load(); #ifndef OPENSSL_NO_NEXTPROTONEG if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) { BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n"); diff --git a/apps/smime.c b/apps/smime.c index 2a9ee27a34..63578f28d5 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -145,7 +145,8 @@ int smime_main(int argc, char **argv) const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog = NULL; char *certfile = NULL, *keyfile = NULL, *contfile = NULL; char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = NULL; - char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL, *subject = NULL; + char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL; + char *subject = NULL, *digestname = NULL, *ciphername = NULL; OPTION_CHOICE o; int noCApath = 0, noCAfile = 0, noCAstore = 0; int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0; @@ -293,12 +294,10 @@ int smime_main(int argc, char **argv) recipfile = opt_arg(); break; case OPT_MD: - if (!opt_md(opt_arg(), &sign_md)) - goto opthelp; + digestname = opt_arg(); break; case OPT_CIPHER: - if (!opt_cipher(opt_unknown(), &cipher)) - goto opthelp; + ciphername = opt_unknown(); break; case OPT_INKEY: /* If previous -inkey argument add signer to list */ @@ -360,6 +359,15 @@ int smime_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); + app_RAND_load(); + if (digestname != NULL) { + if (!opt_md(digestname, &sign_md)) + goto opthelp; + } + if (ciphername != NULL) { + if (!opt_cipher(ciphername, &cipher)) + goto opthelp; + } if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) { BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); goto opthelp; diff --git a/apps/speed.c b/apps/speed.c index fd2a8e951a..c41fca483f 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1854,6 +1854,7 @@ int speed_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); + app_RAND_load(); for (; *argv; argv++) { const char *algo = *argv; diff --git a/apps/srp.c b/apps/srp.c index 764dba2c6b..2edc448c6c 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -306,6 +306,7 @@ int srp_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); + app_RAND_load(); if (srpvfile != NULL && configfile != NULL) { BIO_printf(bio_err, "-srpvfile and -configfile cannot be specified together.\n"); diff --git a/apps/storeutl.c b/apps/storeutl.c index 9333c478f2..7c13092fe5 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -81,7 +81,7 @@ int storeutl_main(int argc, char *argv[]) ASN1_INTEGER *serial = NULL; unsigned char *fingerprint = NULL; size_t fingerprintlen = 0; - char *alias = NULL; + char *alias = NULL, *digestname = NULL; OSSL_STORE_SEARCH *search = NULL; const EVP_MD *digest = NULL; OSSL_LIB_CTX *libctx = app_get0_libctx(); @@ -247,8 +247,8 @@ int storeutl_main(int argc, char *argv[]) e = setup_engine(opt_arg(), 0); break; case OPT_MD: - if (!opt_md(opt_unknown(), &digest)) - goto opthelp; + digestname = opt_unknown(); + break; case OPT_PROV_CASES: if (!opt_provider(o)) goto end; @@ -262,6 +262,11 @@ int storeutl_main(int argc, char *argv[]) if (argc != 1) goto opthelp; + if (digestname != NULL) { + if (!opt_md(digestname, &digest)) + goto opthelp; + } + if (criterion != 0) { switch (criterion) { case OSSL_STORE_SEARCH_BY_NAME: diff --git a/apps/ts.c b/apps/ts.c index 5ff80062ef..8500968a0c 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -160,7 +160,7 @@ int ts_main(int argc, char **argv) CONF *conf = NULL; const char *CAfile = NULL, *untrusted = NULL, *prog; const char *configfile = default_config_file, *engine = NULL; - const char *section = NULL; + const char *section = NULL, *digestname = NULL; char **helpp; char *password = NULL; char *data = NULL, *digest = NULL, *policy = NULL; @@ -276,8 +276,7 @@ int ts_main(int argc, char **argv) engine = opt_arg(); break; case OPT_MD: - if (!opt_md(opt_unknown(), &md)) - goto opthelp; + digestname = opt_unknown(); break; case OPT_V_CASES: if (!opt_verify(o, vpm)) @@ -292,6 +291,11 @@ int ts_main(int argc, char **argv) if (argc != 0 || mode == OPT_ERR) goto opthelp; + app_RAND_load(); + if (digestname != NULL) { + if (!opt_md(digestname, &md)) + goto opthelp; + } if (mode == OPT_REPLY && passin && !app_passwd(passin, NULL, &password, NULL)) { BIO_printf(bio_err, "Error getting password.\n"); diff --git a/apps/x509.c b/apps/x509.c index 3fdd44f2f3..67895c8169 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -246,7 +246,7 @@ int x509_main(int argc, char **argv) X509V3_CTX ext_ctx; EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL; int newcert = 0; - char *subj = NULL; + char *subj = NULL, *digestname = NULL; X509_NAME *fsubj = NULL; const unsigned long chtype = MBSTRING_ASC; const int multirdn = 1; @@ -569,8 +569,8 @@ int x509_main(int argc, char **argv) preserve_dates = 1; break; case OPT_MD: - if (!opt_md(opt_unknown(), &digest)) - goto opthelp; + digestname = opt_unknown(); + break; } } @@ -579,6 +579,11 @@ int x509_main(int argc, char **argv) if (argc != 0) goto opthelp; + app_RAND_load(); + if (digestname != NULL) { + if (!opt_md(digestname, &digest)) + goto opthelp; + } if (preserve_dates && days != UNSET_DAYS) { BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n"); goto end; From openssl at openssl.org Fri Feb 12 00:25:33 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 12 Feb 2021 00:25:33 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1613089533.868737.3417888.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. # cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t ................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 768 Tests: 5 Failed: 3) Failed tests: 2-3, 5 Non-zero exit status: 3 Files=231, Tests=2702, 744 wallclock secs (10.54 usr 1.34 sys + 657.15 cusr 76.85 csys = 745.88 CPU) Result: FAIL make[1]: *** [Makefile:2482: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2479: tests] Error 2 From no-reply at appveyor.com Fri Feb 12 01:06:02 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 12 Feb 2021 01:06:02 +0000 Subject: Build failed: openssl master.39803 Message-ID: <20210212010602.1.83D98347013930E0@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Fri Feb 12 02:31:16 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 12 Feb 2021 02:31:16 +0000 Subject: [openssl] master update Message-ID: <1613097076.444797.27725.nullmailer@dev.openssl.org> The branch master has been updated via 1eaf1fc353729ce696ac2528471d551d51175b8e (commit) via 2b248f4e3f53b97a745865a7f9e3984bb7acee17 (commit) via ca2c778c26d488bd923121d7e4718b580fd283f2 (commit) via 7dd5a00f410206974d4ee134bb0ca05bf0f42061 (commit) via b5873b31761e68015f4943ab137fc5e63323342e (commit) via aea01d13135565680c7b1bc74222f5b2bf3f66c4 (commit) via 7dce37e2ec3d580eccce65c32f8d60dea600a28a (commit) via 499f2ae9e989015b75c5a3895994f26bc0a7334a (commit) via 31f7ff37b403f5ed50cf2e1e828a2e63576dac58 (commit) from 22040fb790c854cefb04bed98ed38ea6357daf83 (commit) - Log ----------------------------------------------------------------- commit 1eaf1fc353729ce696ac2528471d551d51175b8e Author: Pauli Date: Wed Feb 10 21:53:57 2021 +1000 Add a configure time option to disable the fetch cache. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit 2b248f4e3f53b97a745865a7f9e3984bb7acee17 Author: Pauli Date: Tue Feb 9 16:58:38 2021 +1000 test: add import and export key management hooks for the TLS provider. Without these hooks, if the TLS provider isn't matched in the fetch cache, a test failure will occur in the TLS API tests. Without allowing import and export, an existing key can not move to a new key manager even if it is really the same. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit ca2c778c26d488bd923121d7e4718b580fd283f2 Author: Pauli Date: Tue Feb 9 11:55:59 2021 +1000 test: filter provider honours the no_cache setting. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit 7dd5a00f410206974d4ee134bb0ca05bf0f42061 Author: Pauli Date: Mon Feb 8 13:09:49 2021 +1000 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit b5873b31761e68015f4943ab137fc5e63323342e Author: Pauli Date: Mon Feb 8 12:01:20 2021 +1000 test: fix no-cache problem with the quality comparison for KDFs. In a caching world, it's fine to compare the pointers directly. In a non-caching world, the names and providers need to be compared. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit aea01d13135565680c7b1bc74222f5b2bf3f66c4 Author: Pauli Date: Mon Feb 8 11:38:21 2021 +1000 EVP: fix reference counting for EVP_CIPHER. Under some circumstances, the reference count for a cipher wasn't updated properly. This shows up best when fetches are not being queried but would be possible if the cache flushed at a bad time. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit 7dce37e2ec3d580eccce65c32f8d60dea600a28a Author: Pauli Date: Mon Feb 8 11:03:01 2021 +1000 Prov: add an option to force provider fetches to not be cached. If the macro OSSL_FORCE_NO_CACHE_FETCH is defined, no provider will have its fetches cached. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit 499f2ae9e989015b75c5a3895994f26bc0a7334a Author: Pauli Date: Mon Feb 8 11:02:52 2021 +1000 CI: add a non-caching CI loop Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) commit 31f7ff37b403f5ed50cf2e1e828a2e63576dac58 Author: Pauli Date: Mon Feb 8 10:54:52 2021 +1000 EVP: fix reference counting for digest operations. The reference count wasn't being incremented but the EVP_MD pointer was being held. In a no cache build, this resulted in a failure on update in some circumstances. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14126) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 11 +++++++ CHANGES.md | 6 ++++ Configure | 1 + INSTALL.md | 8 +++++ crypto/evp/digest.c | 12 ++++++- crypto/evp/evp_enc.c | 8 +++++ crypto/provider_core.c | 13 ++++++-- test/evp_kdf_test.c | 21 ++++++++++-- test/filterprov.c | 8 ++--- test/tls-provider.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++++ 10 files changed, 162 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b057eb1d5b..67ec2541b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -80,6 +80,17 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + non-caching: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout at v2 + - name: config + run: ./config enable-asan enable-ubsan no-cached-fetch && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_evp -test_cmp_http -test_store -test_enc -[01][0-9]" + sanitizers: runs-on: ubuntu-latest steps: diff --git a/CHANGES.md b/CHANGES.md index 380cd07886..b846746204 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,12 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Add a compile time option to prevent the caching of provider fetched + algorithms. This is enabled by including the no-cached-fetch option + at configuration time. + + *Paul Dale* + * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups diff --git a/Configure b/Configure index 9a96a7f0c0..cd11b2e393 100755 --- a/Configure +++ b/Configure @@ -392,6 +392,7 @@ my @disablables = ( "blake2", "buildtest-c++", "bulk", + "cached-fetch", "camellia", "capieng", "cast", diff --git a/INSTALL.md b/INSTALL.md index e005312bc0..d9aa5c47c2 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -582,6 +582,14 @@ alternative, you can use the language specific variables, `CFLAGS` and `CXXFLAGS Build only some minimal set of features. This is a developer option used internally for CI build tests of the project. +### no-cached-fetch + +Never cache algorithms when they are fetched from a provider. Normally, a +provider indicates if the algorithms it supplies can be cached or not. Using +this option will reduce run-time memory usage but it also introduces a +significant performance penalty. This option is primarily designed to help +with detecting incorrect reference counting. + ### no-capieng Don't build the CAPI engine. diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 40aedae47b..3dfcfcda8e 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -235,8 +235,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) #else EVP_MD *provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), ""); - if (provmd == NULL) + if (provmd == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); return 0; + } type = provmd; EVP_MD_free(ctx->fetched_digest); ctx->fetched_digest = provmd; @@ -248,6 +250,14 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) ctx->digest->freectx(ctx->provctx); ctx->provctx = NULL; } + if (type->prov != NULL && ctx->fetched_digest != type) { + if (!EVP_MD_up_ref((EVP_MD *)type)) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } + EVP_MD_free(ctx->fetched_digest); + ctx->fetched_digest = (EVP_MD *)type; + } ctx->digest = type; if (ctx->provctx == NULL) { ctx->provctx = ctx->digest->newctx(ossl_provider_ctx(type->prov)); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index eb8c0faf14..b804d74914 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -182,6 +182,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, #endif } + if (cipher->prov != NULL) { + if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } + EVP_CIPHER_free(ctx->fetched_cipher); + ctx->fetched_cipher = (EVP_CIPHER *)cipher; + } ctx->cipher = cipher; if (ctx->provctx == NULL) { ctx->provctx = ctx->cipher->newctx(ossl_provider_ctx(cipher->prov)); diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 5016d54d55..627ff384e1 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -914,8 +914,17 @@ const OSSL_ALGORITHM *ossl_provider_query_operation(const OSSL_PROVIDER *prov, int operation_id, int *no_cache) { - return prov->query_operation == NULL - ? NULL : prov->query_operation(prov->provctx, operation_id, no_cache); + const OSSL_ALGORITHM *res; + + if (prov->query_operation == NULL) + return NULL; + res = prov->query_operation(prov->provctx, operation_id, no_cache); +#if defined(OPENSSL_NO_CACHED_FETCH) + /* Forcing the non-caching of queries */ + if (no_cache != NULL) + *no_cache = 1; +#endif + return res; } int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum) diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index b0e8d2b5fb..37d4653577 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -1260,6 +1260,21 @@ static int test_kdf_sshkdf(void) return ret; } +static int test_kdfs_same( EVP_KDF *kdf1, EVP_KDF *kdf2) +{ + /* Fast path in case the two are the same algorithm pointer */ + if (kdf1 == kdf2) + return 1; + /* + * Compare their names and providers instead. + * This is necessary in a non-caching build (or a cache flush during fetch) + * because without the algorithm in the cache, fetching it a second time + * will result in a different pointer. + */ + return TEST_ptr_eq(EVP_KDF_provider(kdf1), EVP_KDF_provider(kdf2)) + && TEST_str_eq(EVP_KDF_name(kdf1), EVP_KDF_name(kdf2)); +} + static int test_kdf_get_kdf(void) { EVP_KDF *kdf1 = NULL, *kdf2 = NULL; @@ -1270,7 +1285,7 @@ static int test_kdf_get_kdf(void) || !TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_PBKDF2, NULL)) || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(OBJ_obj2nid(obj)), NULL)) - || !TEST_ptr_eq(kdf1, kdf2)) + || !test_kdfs_same(kdf1, kdf2)) ok = 0; EVP_KDF_free(kdf1); kdf1 = NULL; @@ -1279,14 +1294,14 @@ static int test_kdf_get_kdf(void) if (!TEST_ptr(kdf1 = EVP_KDF_fetch(NULL, SN_tls1_prf, NULL)) || !TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, LN_tls1_prf, NULL)) - || !TEST_ptr_eq(kdf1, kdf2)) + || !test_kdfs_same(kdf1, kdf2)) ok = 0; /* kdf1 is re-used below, so don't free it here */ EVP_KDF_free(kdf2); kdf2 = NULL; if (!TEST_ptr(kdf2 = EVP_KDF_fetch(NULL, OBJ_nid2sn(NID_tls1_prf), NULL)) - || !TEST_ptr_eq(kdf1, kdf2)) + || !test_kdfs_same(kdf1, kdf2)) ok = 0; EVP_KDF_free(kdf1); kdf1 = NULL; diff --git a/test/filterprov.c b/test/filterprov.c index 3cfb095ae5..93ebca70ae 100644 --- a/test/filterprov.c +++ b/test/filterprov.c @@ -33,6 +33,7 @@ struct filter_prov_globals_st { OSSL_ALGORITHM alg[MAX_ALG_FILTERS + 1]; } dispatch[MAX_FILTERS]; int num_dispatch; + int no_cache; }; static struct filter_prov_globals_st ourglobals; @@ -83,7 +84,7 @@ static const OSSL_ALGORITHM *filter_query(void *provctx, for (i = 0; i < globs->num_dispatch; i++) { if (globs->dispatch[i].operation == operation_id) { - *no_cache = 0; + *no_cache = globs->no_cache; return globs->dispatch[i].alg; } } @@ -156,10 +157,6 @@ int filter_provider_set_filter(int operation, const char *filterstr) if (filterstrtmp == NULL) goto err; - /* We don't support no_cache */ - if (no_cache) - goto err; - /* Nothing to filter */ if (provalgs == NULL) goto err; @@ -199,6 +196,7 @@ int filter_provider_set_filter(int operation, const char *filterstr) } globs->dispatch[globs->num_dispatch].operation = operation; + globs->no_cache = no_cache; globs->num_dispatch++; ret = 1; diff --git a/test/tls-provider.c b/test/tls-provider.c index 184b926881..64c855f4a9 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -15,6 +15,11 @@ /* For TLS1_3_VERSION */ #include +static OSSL_FUNC_keymgmt_import_fn xor_import; +static OSSL_FUNC_keymgmt_import_types_fn xor_import_types; +static OSSL_FUNC_keymgmt_export_fn xor_export; +static OSSL_FUNC_keymgmt_export_types_fn xor_export_types; + int tls_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, const OSSL_DISPATCH **out, @@ -600,6 +605,82 @@ static void *xor_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) return key; } +/* IMPORT + EXPORT */ + +static int xor_import(void *vkey, int select, const OSSL_PARAM params[]) +{ + XORKEY *key = vkey; + const OSSL_PARAM *param_priv_key, *param_pub_key; + unsigned char privkey[XOR_KEY_SIZE]; + unsigned char pubkey[XOR_KEY_SIZE]; + void *pprivkey = privkey, *ppubkey = pubkey; + size_t priv_len = 0, pub_len = 0; + int res = 0; + + if (key == NULL || (select & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) + return 0; + + memset(privkey, 0, sizeof(privkey)); + memset(pubkey, 0, sizeof(pubkey)); + param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); + + if ((param_priv_key != NULL + && !OSSL_PARAM_get_octet_string(param_priv_key, &pprivkey, + sizeof(privkey), &priv_len)) + || (param_pub_key != NULL + && !OSSL_PARAM_get_octet_string(param_pub_key, &ppubkey, + sizeof(pubkey), &pub_len))) + goto err; + + if (priv_len > 0) { + memcpy(key->privkey, privkey, priv_len); + key->hasprivkey = 1; + } + if (pub_len > 0) { + memcpy(key->pubkey, pubkey, pub_len); + key->haspubkey = 1; + } + res = 1; + err: + return res; +} + +static int xor_export(void *vkey, int select, OSSL_CALLBACK *param_cb, + void *cbarg) +{ + XORKEY *key = vkey; + OSSL_PARAM params[3], *p = params; + + if (key == NULL || (select & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) + return 0; + + *p++ = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, + key->privkey, + sizeof(key->privkey)); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY, + key->pubkey, sizeof(key->pubkey)); + *p++ = OSSL_PARAM_construct_end(); + + return param_cb(params, cbarg); +} + +static const OSSL_PARAM xor_key_types[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *xor_import_types(int select) +{ + return (select & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ? xor_key_types : NULL; +} + +static const OSSL_PARAM *xor_export_types(int select) +{ + return (select & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ? xor_key_types : NULL; +} + static void xor_gen_cleanup(void *genctx) { OPENSSL_free(genctx); @@ -620,6 +701,10 @@ static const OSSL_DISPATCH xor_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))xor_has }, { OSSL_FUNC_KEYMGMT_COPY, (void (*)(void))xor_copy }, { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))xor_freedata }, + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))xor_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))xor_import_types }, + { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))xor_export }, + { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))xor_export_types }, { 0, NULL } }; From pauli at openssl.org Fri Feb 12 02:34:41 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 12 Feb 2021 02:34:41 +0000 Subject: [openssl] master update Message-ID: <1613097281.204036.29258.nullmailer@dev.openssl.org> The branch master has been updated via f2d785364cc8b59ad3b49c5f276b99dcfdc2e7d7 (commit) from 1eaf1fc353729ce696ac2528471d551d51175b8e (commit) - Log ----------------------------------------------------------------- commit f2d785364cc8b59ad3b49c5f276b99dcfdc2e7d7 Author: Job Snijders Date: Tue Feb 2 14:14:27 2021 +0000 Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature RFC 8805 Geofeed files can be authenticated with RPKI CLA: trivial Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14050) ----------------------------------------------------------------------- Summary of changes: crypto/objects/obj_dat.h | 15 ++++++++++----- crypto/objects/obj_mac.num | 1 + crypto/objects/objects.txt | 1 + fuzz/oids.txt | 1 + include/openssl/obj_mac.h | 4 ++++ 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 697cd527b3..3ce82bf4e6 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[8054] = { +static const unsigned char so[8065] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -1113,9 +1113,10 @@ static const unsigned char so[8054] = { 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0A, /* [ 8029] OBJ_rpkiManifest */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0B, /* [ 8037] OBJ_signedObject */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0D, /* [ 8045] OBJ_rpkiNotify */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x2F, /* [ 8053] OBJ_id_ct_geofeedCSVwithCRLF */ }; -#define NUM_NID 1246 +#define NUM_NID 1247 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2363,9 +2364,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"rpkiManifest", "RPKI Manifest", NID_rpkiManifest, 8, &so[8029]}, {"signedObject", "Signed Object", NID_signedObject, 8, &so[8037]}, {"rpkiNotify", "RPKI Notify", NID_rpkiNotify, 8, &so[8045]}, + {"id-ct-geofeedCSVwithCRLF", "id-ct-geofeedCSVwithCRLF", NID_id_ct_geofeedCSVwithCRLF, 11, &so[8053]}, }; -#define NUM_SN 1237 +#define NUM_SN 1238 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -2977,6 +2979,7 @@ static const unsigned int sn_objs[NUM_SN] = { 331, /* "id-cmc-transactionId" */ 1238, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ + 1246, /* "id-ct-geofeedCSVwithCRLF" */ 1237, /* "id-ct-resourceTaggedAttest" */ 1234, /* "id-ct-routeOriginAuthz" */ 1236, /* "id-ct-rpkiGhostbusters" */ @@ -3606,7 +3609,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1237 +#define NUM_LN 1238 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ @@ -4236,6 +4239,7 @@ static const unsigned int ln_objs[NUM_LN] = { 331, /* "id-cmc-transactionId" */ 1238, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ + 1246, /* "id-ct-geofeedCSVwithCRLF" */ 1237, /* "id-ct-resourceTaggedAttest" */ 1234, /* "id-ct-routeOriginAuthz" */ 1236, /* "id-ct-rpkiGhostbusters" */ @@ -4847,7 +4851,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 1108 +#define NUM_OBJ 1109 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -5886,6 +5890,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 1060, /* OBJ_id_ct_xml 1 2 840 113549 1 9 16 1 28 */ 1236, /* OBJ_id_ct_rpkiGhostbusters 1 2 840 113549 1 9 16 1 35 */ 1237, /* OBJ_id_ct_resourceTaggedAttest 1 2 840 113549 1 9 16 1 36 */ + 1246, /* OBJ_id_ct_geofeedCSVwithCRLF 1 2 840 113549 1 9 16 1 47 */ 212, /* OBJ_id_smime_aa_receiptRequest 1 2 840 113549 1 9 16 2 1 */ 213, /* OBJ_id_smime_aa_securityLabel 1 2 840 113549 1 9 16 2 2 */ 214, /* OBJ_id_smime_aa_mlExpandHistory 1 2 840 113549 1 9 16 2 3 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 9f9636f818..5b89b7b84a 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1243,3 +1243,4 @@ ipAddr_asNumberv2 1242 rpkiManifest 1243 signedObject 1244 rpkiNotify 1245 +id_ct_geofeedCSVwithCRLF 1246 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 62bc8c1a8e..6fde1ca116 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -280,6 +280,7 @@ id-smime-ct 27 : id-ct-asciiTextWithCRLF id-smime-ct 28 : id-ct-xml id-smime-ct 35 : id-ct-rpkiGhostbusters id-smime-ct 36 : id-ct-resourceTaggedAttest +id-smime-ct 47 : id-ct-geofeedCSVwithCRLF # S/MIME Attributes id-smime-aa 1 : id-smime-aa-receiptRequest diff --git a/fuzz/oids.txt b/fuzz/oids.txt index cc3f1f1401..cec6a70151 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt @@ -1100,3 +1100,4 @@ OBJ_ipAddr_asNumberv2="\x2B\x06\x01\x05\x05\x07\x0E\x03" OBJ_rpkiManifest="\x2B\x06\x01\x05\x05\x07\x30\x0A" OBJ_signedObject="\x2B\x06\x01\x05\x05\x07\x30\x0B" OBJ_rpkiNotify="\x2B\x06\x01\x05\x05\x07\x30\x0D" +OBJ_id_ct_geofeedCSVwithCRLF="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x01\x2F" diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 367f72f3c3..9e9e3ab22f 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -878,6 +878,10 @@ #define NID_id_ct_resourceTaggedAttest 1237 #define OBJ_id_ct_resourceTaggedAttest OBJ_id_smime_ct,36L +#define SN_id_ct_geofeedCSVwithCRLF "id-ct-geofeedCSVwithCRLF" +#define NID_id_ct_geofeedCSVwithCRLF 1246 +#define OBJ_id_ct_geofeedCSVwithCRLF OBJ_id_smime_ct,47L + #define SN_id_smime_aa_receiptRequest "id-smime-aa-receiptRequest" #define NID_id_smime_aa_receiptRequest 212 #define OBJ_id_smime_aa_receiptRequest OBJ_id_smime_aa,1L From matt at openssl.org Fri Feb 12 08:59:26 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 12 Feb 2021 08:59:26 +0000 Subject: [openssl] master update Message-ID: <1613120366.883289.30543.nullmailer@dev.openssl.org> The branch master has been updated via 13888e797c5a3193e91d71e5f5a196a2d68d266f (commit) via 76cb077f81c96e98d2f2042478c916ed2fdeda16 (commit) via 6d2a1eff553b0bd463cce008a25506d89280679f (commit) from f2d785364cc8b59ad3b49c5f276b99dcfdc2e7d7 (commit) - Log ----------------------------------------------------------------- commit 13888e797c5a3193e91d71e5f5a196a2d68d266f Author: Matt Caswell Date: Mon Feb 8 15:52:07 2021 +0000 Update documentation following deprecation of SRP Ensure all the man pages correctly reflect the deprecated status of SRP. Fixes #13917 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14132) commit 76cb077f81c96e98d2f2042478c916ed2fdeda16 Author: Matt Caswell Date: Mon Feb 8 11:31:59 2021 +0000 Deprecate the libssl level SRP APIs The low level SRP implementation has been deprecated with no replacement. Therefore the libssl level APIs need to be similarly deprecated. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14132) commit 6d2a1eff553b0bd463cce008a25506d89280679f Author: Matt Caswell Date: Fri Feb 5 11:28:15 2021 +0000 Deprecate the low level SRP APIs The OTC decided that all low level APIs should be deprecated. This extends to SRP, even though at the current time there is no "EVP" interface to it. This could be added in a future release. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14132) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 8 +- Configure | 7 +- apps/ciphers.c | 11 +- apps/include/s_apps.h | 28 +++++ apps/lib/build.info | 4 + apps/lib/tlssrp_depr.c | 231 ++++++++++++++++++++++++++++++++++ apps/s_client.c | 142 ++------------------- apps/s_server.c | 143 ++++----------------- apps/srp.c | 3 + crypto/srp/srp_lib.c | 3 + crypto/srp/srp_vfy.c | 3 + doc/man1/openssl-ciphers.pod.in | 3 +- doc/man1/openssl-s_client.pod.in | 11 +- doc/man1/openssl-srp.pod.in | 6 +- doc/man1/openssl.pod | 2 +- doc/man3/SRP_Calc_B.pod | 14 ++- doc/man3/SRP_VBASE_new.pod | 9 ++ doc/man3/SRP_create_verifier.pod | 12 +- doc/man3/SRP_user_pwd_new.pod | 9 +- doc/man3/SSL_CTX_set_srp_password.pod | 9 +- include/openssl/srp.h.in | 92 ++++++++++---- include/openssl/ssl.h.in | 34 ++--- ssl/s3_lib.c | 4 +- ssl/ssl_lib.c | 4 +- ssl/ssl_local.h | 8 ++ ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_srvr.c | 2 +- ssl/tls_srp.c | 72 ++++++++++- test/build.info | 3 + test/helpers/handshake.c | 61 +-------- test/helpers/handshake.h | 17 +++ test/helpers/handshake_srp.c | 71 +++++++++++ test/srptest.c | 6 + util/libcrypto.num | 56 ++++----- 34 files changed, 672 insertions(+), 418 deletions(-) create mode 100644 apps/lib/tlssrp_depr.c create mode 100644 test/helpers/handshake_srp.c diff --git a/CHANGES.md b/CHANGES.md index b846746204..bda3c44aa1 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,12 +23,18 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] +* The SRP APIs have been deprecated. The old APIs do not work via providers, + and there is no EVP interface to them. Unfortunately there is no replacement + for these APIs at this time. + + *Matt Caswell* + * Add a compile time option to prevent the caching of provider fetched algorithms. This is enabled by including the no-cached-fetch option at configuration time. *Paul Dale* - + * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups diff --git a/Configure b/Configure index cd11b2e393..12911d988a 100755 --- a/Configure +++ b/Configure @@ -612,13 +612,12 @@ my @disable_cascades = ( sub { !$disabled{"msan"} } => [ "asm" ], - sub { $disabled{cmac}; } => [ "siv" ], - "legacy" => [ "md2" ], + "cmac" => [ "siv" ], + "legacy" => [ "md2" ], "cmp" => [ "crmf" ], - sub { $disabled{"deprecated-3.0"} } - => [ "engine" ] + "deprecated-3.0" => [ "engine", "srp" ] ); # Avoid protocol support holes. Also disable all versions below N, if version diff --git a/apps/ciphers.c b/apps/ciphers.c index 3afbbe5002..03ffad3b3b 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -14,6 +14,7 @@ #include "progs.h" #include #include +#include "s_apps.h" typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, @@ -63,7 +64,7 @@ const OPTIONS ciphers_options[] = { {"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"}, #endif #ifndef OPENSSL_NO_SRP - {"srp", OPT_SRP, '-', "Include ciphersuites requiring SRP"}, + {"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"}, #endif {"ciphersuites", OPT_CIPHERSUITES, 's', "Configure the TLSv1.3 ciphersuites to use"}, @@ -83,12 +84,6 @@ static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity, return 0; } #endif -#ifndef OPENSSL_NO_SRP -static char *dummy_srp(SSL *ssl, void *arg) -{ - return ""; -} -#endif int ciphers_main(int argc, char **argv) { @@ -205,7 +200,7 @@ int ciphers_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_SRP if (srp) - SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp); + set_up_dummy_srp(ctx); #endif if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h index 0a1ae526a5..8ddf7d51e1 100644 --- a/apps/include/s_apps.h +++ b/apps/include/s_apps.h @@ -10,6 +10,7 @@ #include #include +#include #define PORT "4433" #define PROTOCOL "tcp" @@ -77,3 +78,30 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose); int set_keylog_file(SSL_CTX *ctx, const char *keylog_file); void print_ca_names(BIO *bio, SSL *s); + +#ifndef OPENSSL_NO_SRP +/* The client side SRP context that we pass to all SRP related callbacks */ +typedef struct srp_arg_st { + char *srppassin; + char *srplogin; + int msg; /* copy from c_msg */ + int debug; /* copy from c_debug */ + int amp; /* allow more groups */ + int strength; /* minimal size for N */ +} SRP_ARG; + +int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg, + int c_debug); +void set_up_dummy_srp(SSL_CTX *ctx); + +/* The server side SRP context that we pass to all SRP related callbacks */ +typedef struct srpsrvparm_st { + char *login; + SRP_VBASE *vb; + SRP_user_pwd *user; +} srpsrvparm; + +int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm, + char *srpuserseed, char *srp_verifier_file); +void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out); +#endif /* OPENSSL_NO_SRP */ diff --git a/apps/lib/build.info b/apps/lib/build.info index 93d0a99df9..c352f7086d 100644 --- a/apps/lib/build.info +++ b/apps/lib/build.info @@ -17,3 +17,7 @@ IF[{- !$disabled{apps} -}] SOURCE[../libapps.a]=$LIBAPPSSRC $AUXLIBAPPSSRC INCLUDE[../libapps.a]=../.. ../../include ../include ENDIF + +IF[{- !$disabled{srp} -}] + SOURCE[../libapps.a]=tlssrp_depr.c +ENDIF diff --git a/apps/lib/tlssrp_depr.c b/apps/lib/tlssrp_depr.c new file mode 100644 index 0000000000..91c19b096e --- /dev/null +++ b/apps/lib/tlssrp_depr.c @@ -0,0 +1,231 @@ +/* + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is to enable backwards compatibility for the SRP features of + * s_client, s_server and ciphers. All of those features are deprecated and will + * eventually disappear. In the meantime, to continue to support them, we + * need to access deprecated SRP APIs. + */ +#define OPENSSL_SUPPRESS_DEPRECATED + +#include +#include +#include +#include +#include "apps_ui.h" +#include "apps.h" +#include "s_apps.h" + +static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g) +{ + BN_CTX *bn_ctx = BN_CTX_new(); + BIGNUM *p = BN_new(); + BIGNUM *r = BN_new(); + int ret = + g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && + BN_check_prime(N, bn_ctx, NULL) == 1 && + p != NULL && BN_rshift1(p, N) && + /* p = (N-1)/2 */ + BN_check_prime(p, bn_ctx, NULL) == 1 && + r != NULL && + /* verify g^((N-1)/2) == -1 (mod N) */ + BN_mod_exp(r, g, p, N, bn_ctx) && + BN_add_word(r, 1) && BN_cmp(r, N) == 0; + + BN_free(r); + BN_free(p); + BN_CTX_free(bn_ctx); + return ret; +} + +/*- + * This callback is used here for two purposes: + * - extended debugging + * - making some primality tests for unknown groups + * The callback is only called for a non default group. + * + * An application does not need the call back at all if + * only the standard groups are used. In real life situations, + * client and server already share well known groups, + * thus there is no need to verify them. + * Furthermore, in case that a server actually proposes a group that + * is not one of those defined in RFC 5054, it is more appropriate + * to add the group to a static list and then compare since + * primality tests are rather cpu consuming. + */ + +static int ssl_srp_verify_param_cb(SSL *s, void *arg) +{ + SRP_ARG *srp_arg = (SRP_ARG *)arg; + BIGNUM *N = NULL, *g = NULL; + + if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL)) + return 0; + if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) { + BIO_printf(bio_err, "SRP parameters:\n"); + BIO_printf(bio_err, "\tN="); + BN_print(bio_err, N); + BIO_printf(bio_err, "\n\tg="); + BN_print(bio_err, g); + BIO_printf(bio_err, "\n"); + } + + if (SRP_check_known_gN_param(g, N)) + return 1; + + if (srp_arg->amp == 1) { + if (srp_arg->debug) + BIO_printf(bio_err, + "SRP param N and g are not known params, going to check deeper.\n"); + + /* + * The srp_moregroups is a real debugging feature. Implementors + * should rather add the value to the known ones. The minimal size + * has already been tested. + */ + if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g)) + return 1; + } + BIO_printf(bio_err, "SRP param N and g rejected.\n"); + return 0; +} + +#define PWD_STRLEN 1024 + +static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) +{ + SRP_ARG *srp_arg = (SRP_ARG *)arg; + char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer"); + PW_CB_DATA cb_tmp; + int l; + + cb_tmp.password = (char *)srp_arg->srppassin; + cb_tmp.prompt_info = "SRP user"; + if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) { + BIO_printf(bio_err, "Can't read Password\n"); + OPENSSL_free(pass); + return NULL; + } + *(pass + l) = '\0'; + + return pass; +} + +int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg, + int c_debug) +{ + if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg->srplogin)) { + BIO_printf(bio_err, "Unable to set SRP username\n"); + return 0; + } + srp_arg->msg = c_msg; + srp_arg->debug = c_debug; + SSL_CTX_set_srp_cb_arg(ctx, &srp_arg); + SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); + SSL_CTX_set_srp_strength(ctx, srp_arg->strength); + if (c_msg || c_debug || srp_arg->amp == 0) + SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb); + + return 1; +} + +static char *dummy_srp(SSL *ssl, void *arg) +{ + return ""; +} + +void set_up_dummy_srp(SSL_CTX *ctx) +{ + SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp); +} + +/* + * This callback pretends to require some asynchronous logic in order to + * obtain a verifier. When the callback is called for a new connection we + * return with a negative value. This will provoke the accept etc to return + * with an LOOKUP_X509. The main logic of the reinvokes the suspended call + * (which would normally occur after a worker has finished) and we set the + * user parameters. + */ +static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) +{ + srpsrvparm *p = (srpsrvparm *) arg; + int ret = SSL3_AL_FATAL; + + if (p->login == NULL && p->user == NULL) { + p->login = SSL_get_srp_username(s); + BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); + return -1; + } + + if (p->user == NULL) { + BIO_printf(bio_err, "User %s doesn't exist\n", p->login); + goto err; + } + + if (SSL_set_srp_server_param + (s, p->user->N, p->user->g, p->user->s, p->user->v, + p->user->info) < 0) { + *ad = SSL_AD_INTERNAL_ERROR; + goto err; + } + BIO_printf(bio_err, + "SRP parameters set: username = \"%s\" info=\"%s\" \n", + p->login, p->user->info); + ret = SSL_ERROR_NONE; + + err: + SRP_user_pwd_free(p->user); + p->user = NULL; + p->login = NULL; + return ret; +} + +int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm, + char *srpuserseed, char *srp_verifier_file) +{ + int ret; + + srp_callback_parm->vb = SRP_VBASE_new(srpuserseed); + srp_callback_parm->user = NULL; + srp_callback_parm->login = NULL; + + if (srp_callback_parm->vb == NULL) { + BIO_printf(bio_err, "Failed to initialize SRP verifier file \n"); + return 0; + } + if ((ret = + SRP_VBASE_init(srp_callback_parm->vb, + srp_verifier_file)) != SRP_NO_ERROR) { + BIO_printf(bio_err, + "Cannot initialize SRP verifier file \"%s\":ret=%d\n", + srp_verifier_file, ret); + return 0; + } + SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback); + SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm); + SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb); + + return 1; +} + +void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out) +{ + SRP_user_pwd_free(srp_callback_parm->user); + srp_callback_parm->user = SRP_VBASE_get1_by_user(srp_callback_parm->vb, + srp_callback_parm->login); + + if (srp_callback_parm->user != NULL) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm->user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); +} diff --git a/apps/s_client.c b/apps/s_client.c index 90f9411f45..a6394462db 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -40,9 +40,6 @@ typedef unsigned int u_int; #include #include #include -#ifndef OPENSSL_NO_SRP -# include -#endif #ifndef OPENSSL_NO_CT # include #endif @@ -238,115 +235,6 @@ static int ssl_servername_cb(SSL *s, int *ad, void *arg) return SSL_TLSEXT_ERR_OK; } -#ifndef OPENSSL_NO_SRP - -/* This is a context that we pass to all callbacks */ -typedef struct srp_arg_st { - char *srppassin; - char *srplogin; - int msg; /* copy from c_msg */ - int debug; /* copy from c_debug */ - int amp; /* allow more groups */ - int strength; /* minimal size for N */ -} SRP_ARG; - -static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g) -{ - BN_CTX *bn_ctx = BN_CTX_new(); - BIGNUM *p = BN_new(); - BIGNUM *r = BN_new(); - int ret = - g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && - BN_check_prime(N, bn_ctx, NULL) == 1 && - p != NULL && BN_rshift1(p, N) && - /* p = (N-1)/2 */ - BN_check_prime(p, bn_ctx, NULL) == 1 && - r != NULL && - /* verify g^((N-1)/2) == -1 (mod N) */ - BN_mod_exp(r, g, p, N, bn_ctx) && - BN_add_word(r, 1) && BN_cmp(r, N) == 0; - - BN_free(r); - BN_free(p); - BN_CTX_free(bn_ctx); - return ret; -} - -/*- - * This callback is used here for two purposes: - * - extended debugging - * - making some primality tests for unknown groups - * The callback is only called for a non default group. - * - * An application does not need the call back at all if - * only the standard groups are used. In real life situations, - * client and server already share well known groups, - * thus there is no need to verify them. - * Furthermore, in case that a server actually proposes a group that - * is not one of those defined in RFC 5054, it is more appropriate - * to add the group to a static list and then compare since - * primality tests are rather cpu consuming. - */ - -static int ssl_srp_verify_param_cb(SSL *s, void *arg) -{ - SRP_ARG *srp_arg = (SRP_ARG *)arg; - BIGNUM *N = NULL, *g = NULL; - - if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL)) - return 0; - if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) { - BIO_printf(bio_err, "SRP parameters:\n"); - BIO_printf(bio_err, "\tN="); - BN_print(bio_err, N); - BIO_printf(bio_err, "\n\tg="); - BN_print(bio_err, g); - BIO_printf(bio_err, "\n"); - } - - if (SRP_check_known_gN_param(g, N)) - return 1; - - if (srp_arg->amp == 1) { - if (srp_arg->debug) - BIO_printf(bio_err, - "SRP param N and g are not known params, going to check deeper.\n"); - - /* - * The srp_moregroups is a real debugging feature. Implementors - * should rather add the value to the known ones. The minimal size - * has already been tested. - */ - if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g)) - return 1; - } - BIO_printf(bio_err, "SRP param N and g rejected.\n"); - return 0; -} - -# define PWD_STRLEN 1024 - -static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) -{ - SRP_ARG *srp_arg = (SRP_ARG *)arg; - char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer"); - PW_CB_DATA cb_tmp; - int l; - - cb_tmp.password = (char *)srp_arg->srppassin; - cb_tmp.prompt_info = "SRP user"; - if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) { - BIO_printf(bio_err, "Can't read Password\n"); - OPENSSL_free(pass); - return NULL; - } - *(pass + l) = '\0'; - - return pass; -} - -#endif - #ifndef OPENSSL_NO_NEXTPROTONEG /* This the context that we pass to next_proto_cb */ typedef struct tlsextnextprotoctx_st { @@ -767,13 +655,14 @@ const OPTIONS s_client_options[] = { "Offer SRTP key management with a colon-separated profile list"}, #endif #ifndef OPENSSL_NO_SRP - {"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"}, - {"srppass", OPT_SRPPASS, 's', "Password for 'user'"}, + {"srpuser", OPT_SRPUSER, 's', "(deprecated) SRP authentication for 'user'"}, + {"srppass", OPT_SRPPASS, 's', "(deprecated) Password for 'user'"}, {"srp_lateuser", OPT_SRP_LATEUSER, '-', - "SRP username into second ClientHello message"}, + "(deprecated) SRP username into second ClientHello message"}, {"srp_moregroups", OPT_SRP_MOREGROUPS, '-', - "Tolerate other than the known g N values."}, - {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"}, + "(deprecated) Tolerate other than the known g N values."}, + {"srp_strength", OPT_SRP_STRENGTH, 'p', + "(deprecated) Minimal length in bits for N"}, #endif OPT_R_OPTIONS, @@ -2000,21 +1889,10 @@ int s_client_main(int argc, char **argv) SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } -# ifndef OPENSSL_NO_SRP - if (srp_arg.srplogin) { - if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) { - BIO_printf(bio_err, "Unable to set SRP username\n"); - goto end; - } - srp_arg.msg = c_msg; - srp_arg.debug = c_debug; - SSL_CTX_set_srp_cb_arg(ctx, &srp_arg); - SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); - SSL_CTX_set_srp_strength(ctx, srp_arg.strength); - if (c_msg || c_debug || srp_arg.amp == 0) - SSL_CTX_set_srp_verify_param_callback(ctx, - ssl_srp_verify_param_cb); - } +#ifndef OPENSSL_NO_SRP + if (srp_arg.srplogin != NULL + && !set_up_srp_arg(ctx, &srp_arg, srp_lateuser, c_msg, c_debug)) + goto end; # endif if (dane_tlsa_domain != NULL) { diff --git a/apps/s_server.c b/apps/s_server.c index 498e629dbf..5d8fb99023 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -49,9 +49,6 @@ typedef unsigned int u_int; # include #endif #include -#ifndef OPENSSL_NO_SRP -# include -#endif #include "s_apps.h" #include "timeouts.h" #ifdef CHARSET_EBCDIC @@ -230,56 +227,7 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity, } #ifndef OPENSSL_NO_SRP -/* This is a context that we pass to callbacks */ -typedef struct srpsrvparm_st { - char *login; - SRP_VBASE *vb; - SRP_user_pwd *user; -} srpsrvparm; static srpsrvparm srp_callback_parm; - -/* - * This callback pretends to require some asynchronous logic in order to - * obtain a verifier. When the callback is called for a new connection we - * return with a negative value. This will provoke the accept etc to return - * with an LOOKUP_X509. The main logic of the reinvokes the suspended call - * (which would normally occur after a worker has finished) and we set the - * user parameters. - */ -static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) -{ - srpsrvparm *p = (srpsrvparm *) arg; - int ret = SSL3_AL_FATAL; - - if (p->login == NULL && p->user == NULL) { - p->login = SSL_get_srp_username(s); - BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); - return -1; - } - - if (p->user == NULL) { - BIO_printf(bio_err, "User %s doesn't exist\n", p->login); - goto err; - } - - if (SSL_set_srp_server_param - (s, p->user->N, p->user->g, p->user->s, p->user->v, - p->user->info) < 0) { - *ad = SSL_AD_INTERNAL_ERROR; - goto err; - } - BIO_printf(bio_err, - "SRP parameters set: username = \"%s\" info=\"%s\" \n", - p->login, p->user->info); - ret = SSL_ERROR_NONE; - - err: - SRP_user_pwd_free(p->user); - p->user = NULL; - p->login = NULL; - return ret; -} - #endif static int local_argc = 0; @@ -926,9 +874,9 @@ const OPTIONS s_server_options[] = { {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"}, #ifndef OPENSSL_NO_SRP - {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, + {"srpvfile", OPT_SRPVFILE, '<', "(deprecated) The verifier file for SRP"}, {"srpuserseed", OPT_SRPUSERSEED, 's', - "A seed string for a default user salt"}, + "(deprecated) A seed string for a default user salt"}, #endif OPT_SECTION("Protocol and version"), @@ -2183,20 +2131,9 @@ int s_server_main(int argc, char *argv[]) #ifndef OPENSSL_NO_SRP if (srp_verifier_file != NULL) { - srp_callback_parm.vb = SRP_VBASE_new(srpuserseed); - srp_callback_parm.user = NULL; - srp_callback_parm.login = NULL; - if ((ret = - SRP_VBASE_init(srp_callback_parm.vb, - srp_verifier_file)) != SRP_NO_ERROR) { - BIO_printf(bio_err, - "Cannot initialize SRP verifier file \"%s\":ret=%d\n", - srp_verifier_file, ret); + if (!set_up_srp_verifier_file(ctx, &srp_callback_parm, srpuserseed, + srp_verifier_file)) goto end; - } - SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm); - SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb); } else #endif if (CAfile != NULL) { @@ -2651,15 +2588,9 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) #ifndef OPENSSL_NO_SRP while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during write\n"); - SRP_user_pwd_free(srp_callback_parm.user); - srp_callback_parm.user = - SRP_VBASE_get1_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); + + lookup_srp_user(&srp_callback_parm, bio_s_out); + k = SSL_write(con, &(buf[l]), (unsigned int)i); } #endif @@ -2726,15 +2657,9 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) #ifndef OPENSSL_NO_SRP while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during read\n"); - SRP_user_pwd_free(srp_callback_parm.user); - srp_callback_parm.user = - SRP_VBASE_get1_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); + + lookup_srp_user(&srp_callback_parm, bio_s_out); + i = SSL_read(con, (char *)buf, bufsize); } #endif @@ -2876,15 +2801,9 @@ static int init_ssl_connection(SSL *con) && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP during accept %s\n", srp_callback_parm.login); - SRP_user_pwd_free(srp_callback_parm.user); - srp_callback_parm.user = - SRP_VBASE_get1_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); + + lookup_srp_user(&srp_callback_parm, bio_s_out); + i = SSL_accept(con); if (i <= 0) retry = is_retryable(con, i); @@ -3100,15 +3019,9 @@ static int www_body(int s, int stype, int prot, unsigned char *context) if (BIO_should_io_special(io) && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during read\n"); - SRP_user_pwd_free(srp_callback_parm.user); - srp_callback_parm.user = - SRP_VBASE_get1_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); + + lookup_srp_user(&srp_callback_parm, bio_s_out); + continue; } #endif @@ -3512,15 +3425,9 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) if (BIO_should_io_special(io) && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during accept\n"); - SRP_user_pwd_free(srp_callback_parm.user); - srp_callback_parm.user = - SRP_VBASE_get1_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); + + lookup_srp_user(&srp_callback_parm, bio_s_out); + continue; } #endif @@ -3541,15 +3448,9 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) if (BIO_should_io_special(io) && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during read\n"); - SRP_user_pwd_free(srp_callback_parm.user); - srp_callback_parm.user = - SRP_VBASE_get1_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); + + lookup_srp_user(&srp_callback_parm, bio_s_out); + continue; } #endif diff --git a/apps/srp.c b/apps/srp.c index 2edc448c6c..375ae1327c 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -11,6 +11,9 @@ * for the EdelKey project. */ +/* SRP is deprecated, so we're going to have to use some deprecated APIs */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include #include diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index ad180f2746..38bde78bfa 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -11,6 +11,9 @@ * for the EdelKey project. */ +/* All the SRP APIs in this file are deprecated */ +#define OPENSSL_SUPPRESS_DEPRECATED + #ifndef OPENSSL_NO_SRP # include "internal/cryptlib.h" # include diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index f9053b4c11..1dd0c554f4 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -11,6 +11,9 @@ * for the EdelKey project. */ +/* All the SRP APIs in this file are deprecated */ +#define OPENSSL_SUPPRESS_DEPRECATED + #ifndef OPENSSL_NO_SRP # include "internal/cryptlib.h" # include "crypto/evp.h" diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index b4ed3e51d5..baaf3c198f 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in @@ -67,7 +67,8 @@ When combined with B<-s> includes cipher suites which require PSK. =item B<-srp> -When combined with B<-s> includes cipher suites which require SRP. +When combined with B<-s> includes cipher suites which require SRP. This option +is deprecated. =item B<-v> diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index e6fea3fa1e..d6b7caadfc 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -752,23 +752,24 @@ Offer SRTP key management, where B is a colon-separated profile list. =item B<-srpuser> I -Set the SRP username to the specified value. +Set the SRP username to the specified value. This option is deprecated. =item B<-srppass> I -Set the SRP password to the specified value. +Set the SRP password to the specified value. This option is deprecated. =item B<-srp_lateuser> -SRP username for the second ClientHello message. +SRP username for the second ClientHello message. This option is deprecated. -=item B<-srp_moregroups> +=item B<-srp_moregroups> This option is deprecated. Tolerate other than the known B and B values. =item B<-srp_strength> I -Set the minimal acceptable length, in bits, for B. +Set the minimal acceptable length, in bits, for B. This option is +deprecated. {- $OpenSSL::safe::opt_version_item -} diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in index 73e4e70f97..6ce5ebdf0d 100644 --- a/doc/man1/openssl-srp.pod.in +++ b/doc/man1/openssl-srp.pod.in @@ -29,9 +29,9 @@ B =head1 DESCRIPTION -This command is used to maintain an SRP (secure remote password) file. -At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options -can be specified. +This command is deprecated. It is used to maintain an SRP (secure remote +password) file. At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> +options can be specified. These options take zero or more usernames as parameters and perform the appropriate operation on the SRP file. For B<-list>, if no I is given then all users are displayed. diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 8e30f81fe9..7b84921893 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -294,7 +294,7 @@ SPKAC printing and generating command. =item B -Maintain SRP password file. +Maintain SRP password file. This command is deprecated. =item B diff --git a/doc/man3/SRP_Calc_B.pod b/doc/man3/SRP_Calc_B.pod index b0dde086f3..e581505336 100644 --- a/doc/man3/SRP_Calc_B.pod +++ b/doc/man3/SRP_Calc_B.pod @@ -18,6 +18,10 @@ SRP_Calc_client_key #include +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + /* server side .... */ BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u, const BIGNUM *b, const BIGNUM *N); @@ -43,6 +47,9 @@ SRP_Calc_client_key =head1 DESCRIPTION +All of the functions described on this page are deprecated. There are no +available replacement functions at this time. + The SRP functions described on this page are used to calculate various parameters and keys used by SRP as defined in RFC2945. The server key and I and I parameters are used on the server side and are calculated via @@ -74,7 +81,12 @@ L =head1 HISTORY -These functions were added in OpenSSL 1.0.1. +SRP_Calc_B_ex, SRP_Calc_u_ex, SRP_Calc_client_key_ex and SRP_Calc_x_ex were +introduced in OpenSSL 3.0. + +All of the other functions were added in OpenSSL 1.0.1. + +All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/SRP_VBASE_new.pod b/doc/man3/SRP_VBASE_new.pod index aed0fe4771..710d48df24 100644 --- a/doc/man3/SRP_VBASE_new.pod +++ b/doc/man3/SRP_VBASE_new.pod @@ -14,6 +14,10 @@ SRP_VBASE_get_by_user #include +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + SRP_VBASE *SRP_VBASE_new(char *seed_key); void SRP_VBASE_free(SRP_VBASE *vb); @@ -25,6 +29,9 @@ SRP_VBASE_get_by_user =head1 DESCRIPTION +All of the functions described on this page are deprecated. There are no +available replacement functions at this time. + The SRP_VBASE_new() function allocates a structure to store server side SRP verifier information. If B is not NULL a copy is stored and used to generate dummy parameters @@ -87,6 +94,8 @@ The SRP_VBASE_add0_user() function was added in OpenSSL 3.0. All other functions were added in OpenSSL 1.0.1. +All of these functions were deprecated in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/SRP_create_verifier.pod b/doc/man3/SRP_create_verifier.pod index 884cf0d660..bef9e77043 100644 --- a/doc/man3/SRP_create_verifier.pod +++ b/doc/man3/SRP_create_verifier.pod @@ -14,6 +14,10 @@ SRP_get_default_gN #include +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, BIGNUM **verifier, const BIGNUM *N, const BIGNUM *g, OSSL_LIB_CTX *libctx, @@ -31,6 +35,9 @@ SRP_get_default_gN =head1 DESCRIPTION +All of the functions described on this page are deprecated. There are no +available replacement functions at this time. + The SRP_create_verifier_BN_ex() function creates an SRP password verifier from the supplied parameters as defined in section 2.4 of RFC 5054 using the library context I and property query string I. Any cryptographic @@ -115,7 +122,10 @@ L =head1 HISTORY -These functions were added in OpenSSL 1.0.1. +SRP_create_verifier_BN_ex() and SRP_create_verifier_ex() were introduced in +OpenSSL 3.0. All other functions were added in OpenSSL 1.0.1. + +All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/SRP_user_pwd_new.pod b/doc/man3/SRP_user_pwd_new.pod index 823e32a2cd..6be2ed4f3a 100644 --- a/doc/man3/SRP_user_pwd_new.pod +++ b/doc/man3/SRP_user_pwd_new.pod @@ -13,6 +13,10 @@ SRP_user_pwd_set0_sv #include +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + SRP_user_pwd *SRP_user_pwd_new(void); void SRP_user_pwd_free(SRP_user_pwd *user_pwd); @@ -22,6 +26,9 @@ SRP_user_pwd_set0_sv =head1 DESCRIPTION +All of the functions described on this page are deprecated. There are no +available replacement functions at this time. + The SRP_user_pwd_new() function allocates a structure to store a user verifier record. @@ -56,7 +63,7 @@ L =head1 HISTORY -These functions were made public in OpenSSL 3.0. +These functions were made public in OpenSSL 3.0 and are deprecated. =head1 COPYRIGHT diff --git a/doc/man3/SSL_CTX_set_srp_password.pod b/doc/man3/SSL_CTX_set_srp_password.pod index bd89261485..9f08144467 100644 --- a/doc/man3/SSL_CTX_set_srp_password.pod +++ b/doc/man3/SSL_CTX_set_srp_password.pod @@ -21,6 +21,10 @@ SSL_get_srp_userinfo #include +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name); int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password); int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength); @@ -45,6 +49,9 @@ SSL_get_srp_userinfo =head1 DESCRIPTION +All of the functions described on this page are deprecated. There are no +available replacement functions at this time. + These functions provide access to SRP (Secure Remote Password) parameters, an alternate authentication mechanism for TLS. SRP allows the use of usernames and passwords over unencrypted channels without revealing the password to an @@ -203,7 +210,7 @@ L =head1 HISTORY -These functions were added in OpenSSL 1.0.1. +These functions were added in OpenSSL 1.0.1 and deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/include/openssl/srp.h.in b/include/openssl/srp.h.in index 8ddee32df3..07b2e6fd5b 100644 --- a/include/openssl/srp.h.in +++ b/include/openssl/srp.h.in @@ -39,6 +39,8 @@ use OpenSSL::stackhash qw(generate_stack_macros); extern "C" { # endif +# ifndef OPENSSL_NO_DEPRECATED_3_0 + typedef struct SRP_gN_cache_st { char *b64_bn; BIGNUM *bn; @@ -63,11 +65,18 @@ typedef struct SRP_user_pwd_st { generate_stack_macros("SRP_user_pwd"); -} +OSSL_DEPRECATEDIN_3_0 SRP_user_pwd *SRP_user_pwd_new(void); +OSSL_DEPRECATEDIN_3_0 void SRP_user_pwd_free(SRP_user_pwd *user_pwd); -void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *N); -int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, const char *info); +OSSL_DEPRECATEDIN_3_0 +void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, + const BIGNUM *N); +OSSL_DEPRECATEDIN_3_0 +int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, + const char *info); +OSSL_DEPRECATEDIN_3_0 int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v); typedef struct SRP_VBASE_st { @@ -92,81 +101,110 @@ typedef struct SRP_gN_st { -} +OSSL_DEPRECATEDIN_3_0 SRP_VBASE *SRP_VBASE_new(char *seed_key); +OSSL_DEPRECATEDIN_3_0 void SRP_VBASE_free(SRP_VBASE *vb); +OSSL_DEPRECATEDIN_3_0 int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file); +OSSL_DEPRECATEDIN_3_0 int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd); -/* This method ignores the configured seed and fails for an unknown user. */ -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -OSSL_DEPRECATEDIN_1_1_0 -SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); -# endif + /* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/ +OSSL_DEPRECATEDIN_3_0 SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username); +OSSL_DEPRECATEDIN_3_0 char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt, char **verifier, const char *N, const char *g, OSSL_LIB_CTX *libctx, const char *propq); +OSSL_DEPRECATEDIN_3_0 char *SRP_create_verifier(const char *user, const char *pass, char **salt, char **verifier, const char *N, const char *g); +OSSL_DEPRECATEDIN_3_0 int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, BIGNUM **verifier, const BIGNUM *N, const BIGNUM *g, OSSL_LIB_CTX *libctx, const char *propq); +OSSL_DEPRECATEDIN_3_0 int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, BIGNUM **verifier, const BIGNUM *N, const BIGNUM *g); -# define SRP_NO_ERROR 0 -# define SRP_ERR_VBASE_INCOMPLETE_FILE 1 -# define SRP_ERR_VBASE_BN_LIB 2 -# define SRP_ERR_OPEN_FILE 3 -# define SRP_ERR_MEMORY 4 - -# define DB_srptype 0 -# define DB_srpverifier 1 -# define DB_srpsalt 2 -# define DB_srpid 3 -# define DB_srpgN 4 -# define DB_srpinfo 5 -# undef DB_NUMBER -# define DB_NUMBER 6 - -# define DB_SRP_INDEX 'I' -# define DB_SRP_VALID 'V' -# define DB_SRP_REVOKED 'R' -# define DB_SRP_MODIF 'v' +# define SRP_NO_ERROR 0 +# define SRP_ERR_VBASE_INCOMPLETE_FILE 1 +# define SRP_ERR_VBASE_BN_LIB 2 +# define SRP_ERR_OPEN_FILE 3 +# define SRP_ERR_MEMORY 4 + +# define DB_srptype 0 +# define DB_srpverifier 1 +# define DB_srpsalt 2 +# define DB_srpid 3 +# define DB_srpgN 4 +# define DB_srpinfo 5 +# undef DB_NUMBER +# define DB_NUMBER 6 + +# define DB_SRP_INDEX 'I' +# define DB_SRP_VALID 'V' +# define DB_SRP_REVOKED 'R' +# define DB_SRP_MODIF 'v' /* see srp.c */ +OSSL_DEPRECATEDIN_3_0 char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N); +OSSL_DEPRECATEDIN_3_0 SRP_gN *SRP_get_default_gN(const char *id); /* server side .... */ +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u, const BIGNUM *b, const BIGNUM *N); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_B_ex(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g, const BIGNUM *v, OSSL_LIB_CTX *libctx, const char *propq); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_B(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g, const BIGNUM *v); + +OSSL_DEPRECATEDIN_3_0 int SRP_Verify_A_mod_N(const BIGNUM *A, const BIGNUM *N); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_u_ex(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N, OSSL_LIB_CTX *libctx, const char *propq); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N); /* client side .... */ + +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_x_ex(const BIGNUM *s, const char *user, const char *pass, OSSL_LIB_CTX *libctx, const char *propq); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_A(const BIGNUM *a, const BIGNUM *N, const BIGNUM *g); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, const BIGNUM *x, const BIGNUM *a, const BIGNUM *u, OSSL_LIB_CTX *libctx, const char *propq); +OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, const BIGNUM *x, const BIGNUM *a, const BIGNUM *u); +OSSL_DEPRECATEDIN_3_0 int SRP_Verify_B_mod_N(const BIGNUM *B, const BIGNUM *N); -# define SRP_MINIMAL_N 1024 +# define SRP_MINIMAL_N 1024 + +# endif /* OPENSSL_NO_DEPRECATED_3_0 */ + +/* This method ignores the configured seed and fails for an unknown user. */ +# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +OSSL_DEPRECATEDIN_1_1_0 +SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); +# endif # ifdef __cplusplus } diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index f329514324..0da5b3804f 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -666,12 +666,13 @@ void SSL_set_msg_callback(SSL *ssl, # ifndef OPENSSL_NO_SRP /* see tls_srp.c */ -__owur int SSL_SRP_CTX_init(SSL *s); -__owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx); -int SSL_SRP_CTX_free(SSL *ctx); -int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx); -__owur int SSL_srp_server_param_with_username(SSL *s, int *ad); -__owur int SRP_Calc_A_param(SSL *s); +OSSL_DEPRECATEDIN_3_0 __owur int SSL_SRP_CTX_init(SSL *s); +OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx); +OSSL_DEPRECATEDIN_3_0 int SSL_SRP_CTX_free(SSL *ctx); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx); +OSSL_DEPRECATEDIN_3_0 __owur int SSL_srp_server_param_with_username(SSL *s, + int *ad); +OSSL_DEPRECATEDIN_3_0 __owur int SRP_Calc_A_param(SSL *s); # endif @@ -1833,27 +1834,32 @@ __owur X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); __owur X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl); # ifndef OPENSSL_NO_SRP -int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name); -int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password); -int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb) (SSL *, void *)); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, int (*cb) (SSL *, void *)); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, int (*cb) (SSL *, int *, void *)); -int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg); +OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg); +OSSL_DEPRECATEDIN_3_0 int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info); +OSSL_DEPRECATEDIN_3_0 int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp); -__owur BIGNUM *SSL_get_srp_g(SSL *s); -__owur BIGNUM *SSL_get_srp_N(SSL *s); +OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_g(SSL *s); +OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_N(SSL *s); -__owur char *SSL_get_srp_username(SSL *s); -__owur char *SSL_get_srp_userinfo(SSL *s); +OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_username(SSL *s); +OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_userinfo(SSL *s); # endif /* diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ec19eeacc3..8eb0f7c864 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3330,7 +3330,7 @@ int ssl3_handshake_write(SSL *s) int ssl3_new(SSL *s) { #ifndef OPENSSL_NO_SRP - if (!SSL_SRP_CTX_init(s)) + if (!ssl_srp_ctx_init_intern(s)) return 0; #endif @@ -3366,7 +3366,7 @@ void ssl3_free(SSL *s) OPENSSL_free(s->s3.alpn_proposed); #ifndef OPENSSL_NO_SRP - SSL_SRP_CTX_free(s); + ssl_srp_ctx_free_intern(s); #endif memset(&s->s3, 0, sizeof(s->s3)); } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 554fc3533d..1fded640a1 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3239,7 +3239,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, goto err; #ifndef OPENSSL_NO_SRP - if (!SSL_CTX_SRP_CTX_init(ret)) + if (!ssl_ctx_srp_ctx_init_intern(ret)) goto err; #endif #ifndef OPENSSL_NO_ENGINE @@ -3382,7 +3382,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); #endif #ifndef OPENSSL_NO_SRP - SSL_CTX_SRP_CTX_free(a); + ssl_ctx_srp_ctx_free_intern(a); #endif #ifndef OPENSSL_NO_ENGINE tls_engine_finish(a->client_cert_engine); diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 2687a47c2a..127011b62c 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2828,6 +2828,14 @@ int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len); int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len); size_t ssl_hmac_old_size(const SSL_HMAC *ctx); +int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx); +int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx); +int ssl_srp_ctx_free_intern(SSL *s); +int ssl_srp_ctx_init_intern(SSL *s); + +int ssl_srp_calc_a_param_intern(SSL *s); +int ssl_srp_server_param_with_username_intern(SSL *s, int *ad); + # else /* OPENSSL_UNIT_TEST */ # define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 83862e076d..2358e2c616 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2716,7 +2716,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) } #ifndef OPENSSL_NO_SRP if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { - if (SRP_Calc_A_param(s) <= 0) { + if (ssl_srp_calc_a_param_intern(s) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); return MSG_PROCESS_ERROR; } diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 956348613b..d1138e45d5 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1258,7 +1258,7 @@ static int ssl_check_srp_ext_ClientHello(SSL *s) SSL_R_PSK_IDENTITY_NOT_FOUND); return -1; } else { - ret = SSL_srp_server_param_with_username(s, &al); + ret = ssl_srp_server_param_with_username_intern(s, &al); if (ret < 0) return 0; if (ret == SSL3_AL_FATAL) { diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index 69aef0c8d5..1d9f4d29f6 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -11,6 +11,12 @@ * for the EdelKey project. */ +/* + * We need to use the SRP deprecated APIs in order to implement the SSL SRP + * APIs - which are themselves deprecated. + */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include #include #include @@ -19,7 +25,11 @@ #ifndef OPENSSL_NO_SRP # include -int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx) +/* + * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use + * ssl_ctx_srp_ctx_free_intern() internally. + */ +int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx) { if (ctx == NULL) return 0; @@ -38,7 +48,16 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx) return 1; } -int SSL_SRP_CTX_free(struct ssl_st *s) +int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx) +{ + return ssl_ctx_srp_ctx_free_intern(ctx); +} + +/* + * The public API SSL_SRP_CTX_free() is deprecated so we use + * ssl_srp_ctx_free_intern() internally. + */ +int ssl_srp_ctx_free_intern(SSL *s) { if (s == NULL) return 0; @@ -57,7 +76,16 @@ int SSL_SRP_CTX_free(struct ssl_st *s) return 1; } -int SSL_SRP_CTX_init(struct ssl_st *s) +int SSL_SRP_CTX_free(SSL *s) +{ + return ssl_srp_ctx_free_intern(s); +} + +/* + * The public API SSL_SRP_CTX_init() is deprecated so we use + * ssl_srp_ctx_init_intern() internally. + */ +int ssl_srp_ctx_init_intern(SSL *s) { SSL_CTX *ctx; @@ -126,7 +154,16 @@ int SSL_SRP_CTX_init(struct ssl_st *s) return 0; } -int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx) +int SSL_SRP_CTX_init(SSL *s) +{ + return ssl_srp_ctx_init_intern(s); +} + +/* + * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use + * ssl_ctx_srp_ctx_init_intern() internally. + */ +int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx) { if (ctx == NULL) return 0; @@ -137,8 +174,17 @@ int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx) return 1; } +int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx) +{ + return ssl_ctx_srp_ctx_init_intern(ctx); +} + /* server side */ -int SSL_srp_server_param_with_username(SSL *s, int *ad) +/* + * The public API SSL_srp_server_param_with_username() is deprecated so we use + * ssl_srp_server_param_with_username_intern() internally. + */ +int ssl_srp_server_param_with_username_intern(SSL *s, int *ad) { unsigned char b[SSL_MAX_MASTER_KEY_LENGTH]; int al; @@ -170,6 +216,11 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad) NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL; } +int SSL_srp_server_param_with_username(SSL *s, int *ad) +{ + return ssl_srp_server_param_with_username_intern(s, ad); +} + /* * If the server just has the raw password, make up a verifier entry on the * fly @@ -361,7 +412,11 @@ int srp_verify_server_param(SSL *s) return 1; } -int SRP_Calc_A_param(SSL *s) +/* + * The public API SRP_Calc_A_param() is deprecated so we use + * ssl_srp_calc_a_param_intern() internally. + */ +int ssl_srp_calc_a_param_intern(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; @@ -376,6 +431,11 @@ int SRP_Calc_A_param(SSL *s) return 1; } +int SRP_Calc_A_param(SSL *s) +{ + return ssl_srp_calc_a_param_intern(s); +} + BIGNUM *SSL_get_srp_g(SSL *s) { if (s->srp_ctx.g != NULL) diff --git a/test/build.info b/test/build.info index 159f7146e3..3f65d68b8c 100644 --- a/test/build.info +++ b/test/build.info @@ -279,6 +279,9 @@ IF[{- !$disabled{tests} -}] DEPEND[ssl_test_ctx_test]=../libcrypto ../libssl libtestutil.a SOURCE[ssl_test]=ssl_test.c helpers/ssl_test_ctx.c helpers/handshake.c + IF[{- !$disabled{'srp'} -}] + SOURCE[ssl_test]=helpers/handshake_srp.c + ENDIF INCLUDE[ssl_test]=../include ../apps/include DEPEND[ssl_test]=../libcrypto ../libssl libtestutil.a diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c index 1a06365ebb..bba78f6d79 100644 --- a/test/helpers/handshake.c +++ b/test/helpers/handshake.c @@ -13,9 +13,6 @@ #include #include #include -#ifndef OPENSSL_NO_SRP -#include -#endif #include "../../ssl/ssl_local.h" #include "internal/sockets.h" @@ -63,16 +60,6 @@ typedef struct handshake_ex_data_st { ssl_servername_t servername; } HANDSHAKE_EX_DATA; -typedef struct ctx_data_st { - unsigned char *npn_protocols; - size_t npn_protocols_len; - unsigned char *alpn_protocols; - size_t alpn_protocols_len; - char *srp_user; - char *srp_password; - char *session_ticket_app_data; -} CTX_DATA; - /* |ctx_data| itself is stack-allocated. */ static void ctx_data_free_data(CTX_DATA *ctx_data) { @@ -449,28 +436,6 @@ static int server_alpn_cb(SSL *s, const unsigned char **out, : SSL_TLSEXT_ERR_ALERT_FATAL; } -#ifndef OPENSSL_NO_SRP -static char *client_srp_cb(SSL *s, void *arg) -{ - CTX_DATA *ctx_data = (CTX_DATA*)(arg); - return OPENSSL_strdup(ctx_data->srp_password); -} - -static int server_srp_cb(SSL *s, int *ad, void *arg) -{ - CTX_DATA *ctx_data = (CTX_DATA*)(arg); - if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0) - return SSL3_AL_FATAL; - if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user, - ctx_data->srp_password, - "2048" /* known group */) < 0) { - *ad = SSL_AD_INTERNAL_ERROR; - return SSL3_AL_FATAL; - } - return SSL_ERROR_NONE; -} -#endif /* !OPENSSL_NO_SRP */ - static int generate_session_ticket_cb(SSL *s, void *arg) { CTX_DATA *server_ctx_data = arg; @@ -711,28 +676,10 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, } #endif #ifndef OPENSSL_NO_SRP - if (extra->server.srp_user != NULL) { - SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); - server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); - server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); - SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); - } - if (extra->server2.srp_user != NULL) { - if (!TEST_ptr(server2_ctx)) - goto err; - SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); - server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); - server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); - SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); - } - if (extra->client.srp_user != NULL) { - if (!TEST_true(SSL_CTX_set_srp_username(client_ctx, - extra->client.srp_user))) - goto err; - SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); - client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); - SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); - } + if (!configure_handshake_ctx_for_srp(server_ctx, server2_ctx, client_ctx, + extra, server_ctx_data, + server2_ctx_data, client_ctx_data)) + goto err; #endif /* !OPENSSL_NO_SRP */ return 1; err: diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h index f0ae5a8d7e..04ff874623 100644 --- a/test/helpers/handshake.h +++ b/test/helpers/handshake.h @@ -12,6 +12,16 @@ #include "ssl_test_ctx.h" +typedef struct ctx_data_st { + unsigned char *npn_protocols; + size_t npn_protocols_len; + unsigned char *alpn_protocols; + size_t alpn_protocols_len; + char *srp_user; + char *srp_password; + char *session_ticket_app_data; +} CTX_DATA; + typedef struct handshake_result { ssl_test_result_t result; /* These alerts are in the 2-byte format returned by the info_callback. */ @@ -78,4 +88,11 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *resume_client_ctx, const SSL_TEST_CTX *test_ctx); +int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, + SSL_CTX *client_ctx, + const SSL_TEST_EXTRA_CONF *extra, + CTX_DATA *server_ctx_data, + CTX_DATA *server2_ctx_data, + CTX_DATA *client_ctx_data); + #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c new file mode 100644 index 0000000000..f18e5c81a6 --- /dev/null +++ b/test/helpers/handshake_srp.c @@ -0,0 +1,71 @@ +/* + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * SRP is deprecated and there is no replacent. When SRP is removed, the code in + * this file can be removed too. Until then we have to use the deprecated APIs. + */ +#define OPENSSL_SUPPRESS_DEPRECATED + +#include +#include +#include "handshake.h" +#include "../testutil.h" + +static char *client_srp_cb(SSL *s, void *arg) +{ + CTX_DATA *ctx_data = (CTX_DATA*)(arg); + return OPENSSL_strdup(ctx_data->srp_password); +} + +static int server_srp_cb(SSL *s, int *ad, void *arg) +{ + CTX_DATA *ctx_data = (CTX_DATA*)(arg); + if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0) + return SSL3_AL_FATAL; + if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user, + ctx_data->srp_password, + "2048" /* known group */) < 0) { + *ad = SSL_AD_INTERNAL_ERROR; + return SSL3_AL_FATAL; + } + return SSL_ERROR_NONE; +} + +int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, + SSL_CTX *client_ctx, + const SSL_TEST_EXTRA_CONF *extra, + CTX_DATA *server_ctx_data, + CTX_DATA *server2_ctx_data, + CTX_DATA *client_ctx_data) +{ + if (extra->server.srp_user != NULL) { + SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); + server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); + server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); + SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); + } + if (extra->server2.srp_user != NULL) { + if (!TEST_ptr(server2_ctx)) + return 0; + SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); + server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); + server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); + SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); + } + if (extra->client.srp_user != NULL) { + if (!TEST_true(SSL_CTX_set_srp_username(client_ctx, + extra->client.srp_user))) + return 0; + SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); + client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); + SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); + } + return 1; +} diff --git a/test/srptest.c b/test/srptest.c index 6a615a43d3..ac42094d65 100644 --- a/test/srptest.c +++ b/test/srptest.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * SRP is deprecated, so we're going to have to use some deprecated APIs in + * order to test it. + */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include # include "testutil.h" diff --git a/util/libcrypto.num b/util/libcrypto.num index 226e496fc9..fa7a096145 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -56,7 +56,7 @@ EVP_MD_do_all_sorted 57 3_0_0 EXIST::FUNCTION: OCSP_crl_reason_str 58 3_0_0 EXIST::FUNCTION:OCSP ENGINE_ctrl_cmd_string 59 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE ENGINE_finish 60 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -SRP_Calc_client_key 61 3_0_0 EXIST::FUNCTION:SRP +SRP_Calc_client_key 61 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP X509_PUBKEY_free 62 3_0_0 EXIST::FUNCTION: BIO_free_all 63 3_0_0 EXIST::FUNCTION: EVP_idea_ofb 64 3_0_0 EXIST::FUNCTION:IDEA @@ -328,7 +328,7 @@ d2i_RSAPrivateKey_fp 333 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3 s2i_ASN1_IA5STRING 334 3_0_0 EXIST::FUNCTION: UI_get_ex_data 335 3_0_0 EXIST::FUNCTION: EVP_EncryptUpdate 336 3_0_0 EXIST::FUNCTION: -SRP_create_verifier 337 3_0_0 EXIST::FUNCTION:SRP +SRP_create_verifier 337 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP TS_TST_INFO_print_bio 338 3_0_0 EXIST::FUNCTION:TS X509_NAME_get_index_by_OBJ 339 3_0_0 EXIST::FUNCTION: BIO_get_host_ip 340 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0,SOCK @@ -1373,7 +1373,7 @@ BIO_dump_cb 1405 3_0_0 EXIST::FUNCTION: v2i_GENERAL_NAMES 1406 3_0_0 EXIST::FUNCTION: EVP_des_ede3_ofb 1407 3_0_0 EXIST::FUNCTION:DES EVP_MD_meth_get_cleanup 1408 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -SRP_Calc_server_key 1409 3_0_0 EXIST::FUNCTION:SRP +SRP_Calc_server_key 1409 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP BN_mod_exp_simple 1410 3_0_0 EXIST::FUNCTION: BIO_set_ex_data 1411 3_0_0 EXIST::FUNCTION: SHA512 1412 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 @@ -1504,7 +1504,7 @@ ASN1_INTEGER_set_uint64 1537 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_attr_by_OBJ 1538 3_0_0 EXIST::FUNCTION: ASN1_add_oid_module 1539 3_0_0 EXIST::FUNCTION: BN_div_recp 1540 3_0_0 EXIST::FUNCTION: -SRP_Verify_B_mod_N 1541 3_0_0 EXIST::FUNCTION:SRP +SRP_Verify_B_mod_N 1541 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP SXNET_free 1542 3_0_0 EXIST::FUNCTION: CMS_get0_content 1543 3_0_0 EXIST::FUNCTION:CMS BN_is_word 1544 3_0_0 EXIST::FUNCTION: @@ -1549,8 +1549,8 @@ X509_policy_tree_get0_user_policies 1582 3_0_0 EXIST::FUNCTION: DSA_do_sign 1584 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA EVP_CIPHER_CTX_reset 1585 3_0_0 EXIST::FUNCTION: OCSP_REVOKEDINFO_new 1586 3_0_0 EXIST::FUNCTION:OCSP -SRP_Verify_A_mod_N 1587 3_0_0 EXIST::FUNCTION:SRP -SRP_VBASE_free 1588 3_0_0 EXIST::FUNCTION:SRP +SRP_Verify_A_mod_N 1587 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_VBASE_free 1588 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP PKCS7_add0_attrib_signing_time 1589 3_0_0 EXIST::FUNCTION: X509_STORE_set_flags 1590 3_0_0 EXIST::FUNCTION: UI_get0_output_string 1591 3_0_0 EXIST::FUNCTION: @@ -1862,7 +1862,7 @@ SCT_set1_signature 1906 3_0_0 EXIST::FUNCTION:CT CONF_imodule_get_module 1907 3_0_0 EXIST::FUNCTION: NAME_CONSTRAINTS_new 1908 3_0_0 EXIST::FUNCTION: BN_usub 1909 3_0_0 EXIST::FUNCTION: -SRP_Calc_B 1910 3_0_0 EXIST::FUNCTION:SRP +SRP_Calc_B 1910 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP CMS_decrypt_set1_key 1911 3_0_0 EXIST::FUNCTION:CMS EC_GROUP_get_degree 1912 3_0_0 EXIST::FUNCTION:EC X509_ALGOR_set0 1913 3_0_0 EXIST::FUNCTION: @@ -1877,7 +1877,7 @@ X509_REQ_free 1921 3_0_0 EXIST::FUNCTION: ASN1_INTEGER_set 1922 3_0_0 EXIST::FUNCTION: EVP_DecodeFinal 1923 3_0_0 EXIST::FUNCTION: MD5_Transform 1925 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,MD5 -SRP_create_verifier_BN 1926 3_0_0 EXIST::FUNCTION:SRP +SRP_create_verifier_BN 1926 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP ENGINE_register_all_EC 1927 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE EVP_camellia_128_ofb 1928 3_0_0 EXIST::FUNCTION:CAMELLIA PEM_write_X509_AUX 1929 3_0_0 EXIST::FUNCTION:STDIO @@ -1967,7 +1967,7 @@ ENGINE_get_init_function 2012 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_ EC_POINT_point2hex 2013 3_0_0 EXIST::FUNCTION:EC ENGINE_get_default_DSA 2014 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE ENGINE_register_all_complete 2015 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -SRP_get_default_gN 2016 3_0_0 EXIST::FUNCTION:SRP +SRP_get_default_gN 2016 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP UI_dup_input_boolean 2017 3_0_0 EXIST::FUNCTION: PKCS7_dup 2018 3_0_0 EXIST::FUNCTION: i2d_TS_REQ_fp 2019 3_0_0 EXIST::FUNCTION:STDIO,TS @@ -2190,7 +2190,7 @@ PKCS7_SIGNER_INFO_set 2237 3_0_0 EXIST::FUNCTION: PEM_write_bio_PKCS8_PRIV_KEY_INFO 2238 3_0_0 EXIST::FUNCTION: EC_GROUP_set_curve_GF2m 2239 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC2M ENGINE_load_builtin_engines 2240 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -SRP_VBASE_init 2241 3_0_0 EXIST::FUNCTION:SRP +SRP_VBASE_init 2241 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP SHA224_Final 2242 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 OCSP_CERTSTATUS_free 2243 3_0_0 EXIST::FUNCTION:OCSP d2i_TS_TST_INFO 2244 3_0_0 EXIST::FUNCTION:TS @@ -2350,7 +2350,7 @@ X509_TRUST_get_count 2399 3_0_0 EXIST::FUNCTION: IPAddressOrRange_free 2400 3_0_0 EXIST::FUNCTION:RFC3779 RSA_padding_add_PKCS1_OAEP 2401 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EC_KEY_set_ex_data 2402 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC -SRP_VBASE_new 2403 3_0_0 EXIST::FUNCTION:SRP +SRP_VBASE_new 2403 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP i2d_ECDSA_SIG 2404 3_0_0 EXIST::FUNCTION:EC BIO_dump_indent 2405 3_0_0 EXIST::FUNCTION: ENGINE_set_pkey_asn1_meths 2406 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE @@ -2771,7 +2771,7 @@ TS_TST_INFO_get_ext 2831 3_0_0 EXIST::FUNCTION:TS i2d_OCSP_RESPID 2832 3_0_0 EXIST::FUNCTION:OCSP EVP_camellia_256_cfb8 2833 3_0_0 EXIST::FUNCTION:CAMELLIA EC_KEY_get0_public_key 2834 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC -SRP_Calc_x 2835 3_0_0 EXIST::FUNCTION:SRP +SRP_Calc_x 2835 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP a2i_ASN1_ENUMERATED 2836 3_0_0 EXIST::FUNCTION: CONF_module_get_usr_data 2837 3_0_0 EXIST::FUNCTION: i2d_X509_NAME_ENTRY 2838 3_0_0 EXIST::FUNCTION: @@ -3033,7 +3033,7 @@ TS_RESP_create_response 3097 3_0_0 EXIST::FUNCTION:TS BIO_ADDR_rawaddress 3098 3_0_0 EXIST::FUNCTION:SOCK PKCS7_ENCRYPT_new 3099 3_0_0 EXIST::FUNCTION: i2d_PKCS8PrivateKey_fp 3100 3_0_0 EXIST::FUNCTION:STDIO -SRP_user_pwd_free 3101 3_0_0 EXIST::FUNCTION:SRP +SRP_user_pwd_free 3101 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP Camellia_encrypt 3102 3_0_0 EXIST::FUNCTION:CAMELLIA,DEPRECATEDIN_3_0 BIO_ADDR_hostname_string 3103 3_0_0 EXIST::FUNCTION:SOCK USERNOTICE_new 3104 3_0_0 EXIST::FUNCTION: @@ -3132,7 +3132,7 @@ SCT_get_version 3197 3_0_0 EXIST::FUNCTION:CT IDEA_set_encrypt_key 3198 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA ENGINE_get_DH 3199 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE i2d_ASIdentifierChoice 3200 3_0_0 EXIST::FUNCTION:RFC3779 -SRP_Calc_A 3201 3_0_0 EXIST::FUNCTION:SRP +SRP_Calc_A 3201 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP OCSP_BASICRESP_add_ext 3202 3_0_0 EXIST::FUNCTION:OCSP EVP_idea_cfb64 3203 3_0_0 EXIST::FUNCTION:IDEA PKCS12_newpass 3204 3_0_0 EXIST::FUNCTION: @@ -3218,7 +3218,7 @@ OCSP_cert_id_new 3284 3_0_0 EXIST::FUNCTION:OCSP GENERAL_SUBTREE_new 3285 3_0_0 EXIST::FUNCTION: OPENSSL_sk_push 3286 3_0_0 EXIST::FUNCTION: X509_LOOKUP_ctrl 3287 3_0_0 EXIST::FUNCTION: -SRP_check_known_gN_param 3288 3_0_0 EXIST::FUNCTION:SRP +SRP_check_known_gN_param 3288 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP d2i_DIST_POINT 3289 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_free 3290 3_0_0 EXIST::FUNCTION: PBEPARAM_free 3291 3_0_0 EXIST::FUNCTION: @@ -3541,7 +3541,7 @@ ERR_get_error 3618 3_0_0 EXIST::FUNCTION: TS_CONF_set_signer_digest 3619 3_0_0 EXIST::FUNCTION:TS OBJ_new_nid 3620 3_0_0 EXIST::FUNCTION: CMS_ReceiptRequest_new 3621 3_0_0 EXIST::FUNCTION:CMS -SRP_VBASE_get1_by_user 3622 3_0_0 EXIST::FUNCTION:SRP +SRP_VBASE_get1_by_user 3622 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP UI_method_get_closer 3623 3_0_0 EXIST::FUNCTION: ENGINE_get_ex_data 3624 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE BN_print_fp 3625 3_0_0 EXIST::FUNCTION:STDIO @@ -3654,7 +3654,7 @@ EVP_CIPHER_meth_get_set_asn1_params 3734 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_ X509_STORE_CTX_get_ex_data 3735 3_0_0 EXIST::FUNCTION: CMS_RecipientInfo_kari_set0_pkey 3736 3_0_0 EXIST::FUNCTION:CMS X509v3_addr_add_inherit 3737 3_0_0 EXIST::FUNCTION:RFC3779 -SRP_Calc_u 3738 3_0_0 EXIST::FUNCTION:SRP +SRP_Calc_u 3738 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP i2d_PKCS8PrivateKey_bio 3739 3_0_0 EXIST::FUNCTION: X509_get_extension_flags 3740 3_0_0 EXIST::FUNCTION: X509V3_EXT_val_prn 3741 3_0_0 EXIST::FUNCTION: @@ -4414,11 +4414,11 @@ EVP_MAC_init ? 3_0_0 EXIST::FUNCTION: EVP_MAC_update ? 3_0_0 EXIST::FUNCTION: EVP_MAC_final ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_supports_digest_nid ? 3_0_0 EXIST::FUNCTION: -SRP_VBASE_add0_user ? 3_0_0 EXIST::FUNCTION:SRP -SRP_user_pwd_new ? 3_0_0 EXIST::FUNCTION:SRP -SRP_user_pwd_set_gN ? 3_0_0 EXIST::FUNCTION:SRP -SRP_user_pwd_set1_ids ? 3_0_0 EXIST::FUNCTION:SRP -SRP_user_pwd_set0_sv ? 3_0_0 EXIST::FUNCTION:SRP +SRP_VBASE_add0_user ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_new ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_set_gN ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_set1_ids ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_set0_sv ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP OPENSSL_version_major ? 3_0_0 EXIST::FUNCTION: OPENSSL_version_minor ? 3_0_0 EXIST::FUNCTION: OPENSSL_version_patch ? 3_0_0 EXIST::FUNCTION: @@ -4977,12 +4977,12 @@ OSSL_PARAM_BLD_free ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_set_type_by_keymgmt ? 3_0_0 EXIST::FUNCTION: OCSP_RESPID_set_by_key_ex ? 3_0_0 EXIST::FUNCTION:OCSP OCSP_RESPID_match_ex ? 3_0_0 EXIST::FUNCTION:OCSP -SRP_create_verifier_ex ? 3_0_0 EXIST::FUNCTION:SRP -SRP_create_verifier_BN_ex ? 3_0_0 EXIST::FUNCTION:SRP -SRP_Calc_B_ex ? 3_0_0 EXIST::FUNCTION:SRP -SRP_Calc_u_ex ? 3_0_0 EXIST::FUNCTION:SRP -SRP_Calc_x_ex ? 3_0_0 EXIST::FUNCTION:SRP -SRP_Calc_client_key_ex ? 3_0_0 EXIST::FUNCTION:SRP +SRP_create_verifier_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_create_verifier_BN_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_B_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_u_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_x_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_client_key_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP EVP_PKEY_gettable_params ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_int_param ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_size_t_param ? 3_0_0 EXIST::FUNCTION: From openssl at openssl.org Fri Feb 12 12:47:13 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 12 Feb 2021 12:47:13 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock Message-ID: <1613134033.906154.721511.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... skipped: test_sslrecords needs the sock feature enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs the sock feature enabled 70-test_sslsigalgs.t ............... skipped: test_sslsigalgs needs the sock feature enabled 70-test_sslsignature.t ............. skipped: test_sslsignature needs the sock feature enabled 70-test_sslskewith0p.t ............. skipped: test_sslskewith0p needs the sock feature enabled 70-test_sslversions.t .............. skipped: test_sslversions needs the sock feature enabled 70-test_sslvertol.t ................ skipped: test_sslextension needs the sock feature enabled 70-test_tls13alerts.t .............. skipped: test_tls13alerts needs the sock feature enabled 70-test_tls13cookie.t .............. skipped: test_tls13cookie needs the sock feature enabled 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs the sock feature enabled 70-test_tls13hrr.t ................. skipped: test_tls13hrr needs the sock feature enabled 70-test_tls13kexmodes.t ............ skipped: test_tls13kexmodes needs the sock feature enabled 70-test_tls13messages.t ............ skipped: test_tls13messages needs the sock feature enabled 70-test_tls13psk.t ................. skipped: test_tls13psk needs the sock feature enabled 70-test_tlsextms.t ................. skipped: test_tlsextms needs the sock feature enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok Label not found for "last SKIP" at /usr/share/perl/5.30/Test/More.pm line 1372. # Looks like your test exited with 1 just after 5.80-test_cmp_http.t ................. Dubious, test returned 1 (wstat 256, 0x100) All 5 subtests passed (less 5 skipped subtests: 0 okay) # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... skipped: No DTLS protocols are supported by this OpenSSL build 80-test_dtls_mtu.t ................. skipped: test_dtls_mtu needs DTLS and PSK support enabled 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 256 Tests: 5 Failed: 0) Non-zero exit status: 1 Files=231, Tests=3074, 750 wallclock secs ( 9.94 usr 1.26 sys + 690.92 cusr 68.39 csys = 770.51 CPU) Result: FAIL make[1]: *** [Makefile:3265: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-sock' make: *** [Makefile:3262: tests] Error 2 From levitte at openssl.org Fri Feb 12 13:03:16 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 12 Feb 2021 13:03:16 +0000 Subject: [openssl] master update Message-ID: <1613134996.856686.30600.nullmailer@dev.openssl.org> The branch master has been updated via c5689319ebcb5356a28c297779094f3208f925f8 (commit) from 13888e797c5a3193e91d71e5f5a196a2d68d266f (commit) - Log ----------------------------------------------------------------- commit c5689319ebcb5356a28c297779094f3208f925f8 Author: Richard Levitte Date: Thu Feb 11 12:55:19 2021 +0100 Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries Using ERR_LIB_* causes the error output to say 'reason(n)' instead of the name of the sub-library in question. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14152) ----------------------------------------------------------------------- Summary of changes: crypto/ct/ct_log.c | 2 +- crypto/rsa/rsa_gen.c | 2 +- providers/implementations/signature/rsa.c | 22 +++++++++++----------- ssl/record/ssl3_record.c | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c index d41039e5b4..12e09d07a2 100644 --- a/crypto/ct/ct_log.c +++ b/crypto/ct/ct_log.c @@ -88,7 +88,7 @@ static int ct_v1_log_id_from_pkey(CTLOG *log, EVP_PKEY *pkey) } sha256 = EVP_MD_fetch(log->libctx, "SHA2-256", log->propq); if (sha256 == NULL) { - ERR_raise(ERR_LIB_CT, ERR_LIB_EVP); + ERR_raise(ERR_LIB_CT, ERR_R_EVP_LIB); goto err; } diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index 53545edb71..3a124e5b66 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -410,7 +410,7 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, ok = 1; err: if (ok == -1) { - ERR_raise(ERR_LIB_RSA, ERR_LIB_BN); + ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); ok = 0; } BN_CTX_end(ctx); diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index cb68de3b3e..98e3a2d1f4 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -517,7 +517,7 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, prsactx->rsa); if (ret <= 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } ret = sltmp; @@ -550,7 +550,7 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp, prsactx->rsa); if (ret <= 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } ret = sltmp; @@ -592,7 +592,7 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, prsactx->tbuf, tbs, prsactx->md, prsactx->mgf1_md, prsactx->saltlen)) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf, @@ -614,7 +614,7 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen, end: #endif if (ret <= 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } @@ -655,7 +655,7 @@ static int rsa_verify_recover(void *vprsactx, ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, RSA_X931_PADDING); if (ret < 1) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } ret--; @@ -689,7 +689,7 @@ static int rsa_verify_recover(void *vprsactx, ret = int_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp, sig, siglen, prsactx->rsa); if (ret <= 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } ret = sltmp; @@ -705,7 +705,7 @@ static int rsa_verify_recover(void *vprsactx, ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa, prsactx->pad_mode); if (ret < 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } } @@ -733,7 +733,7 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, case RSA_PKCS1_PADDING: if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen, prsactx->rsa)) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } return 1; @@ -766,7 +766,7 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, RSA_NO_PADDING); if (ret <= 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs, @@ -774,7 +774,7 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, prsactx->tbuf, prsactx->saltlen); if (ret <= 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } return 1; @@ -790,7 +790,7 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, prsactx->pad_mode); if (rslen == 0) { - ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA); + ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } } diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index a1b5467eab..8ada303838 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -528,7 +528,7 @@ int ssl3_get_record(SSL *s) if (tmpmd != NULL) { imac_size = EVP_MD_size(tmpmd); if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_LIB_EVP); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); return -1; } mac_size = (size_t)imac_size; @@ -1552,7 +1552,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) if (tmpmd != NULL) { imac_size = EVP_MD_size(tmpmd); if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_LIB_EVP); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); return -1; } mac_size = (size_t)imac_size; From levitte at openssl.org Fri Feb 12 14:52:18 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 12 Feb 2021 14:52:18 +0000 Subject: [openssl] master update Message-ID: <1613141538.862317.19115.nullmailer@dev.openssl.org> The branch master has been updated via 1695e10e402a2d25e57df2ac709d6265f3a2533f (commit) from c5689319ebcb5356a28c297779094f3208f925f8 (commit) - Log ----------------------------------------------------------------- commit 1695e10e402a2d25e57df2ac709d6265f3a2533f Author: Richard Levitte Date: Wed Feb 3 20:40:37 2021 +0100 DOCS: Update the internal documentation on EVP_PKEY. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14059) ----------------------------------------------------------------------- Summary of changes: doc/internal/man7/EVP_PKEY.pod | 197 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 179 insertions(+), 18 deletions(-) diff --git a/doc/internal/man7/EVP_PKEY.pod b/doc/internal/man7/EVP_PKEY.pod index 00d4df57f5..7e7c292f85 100644 --- a/doc/internal/man7/EVP_PKEY.pod +++ b/doc/internal/man7/EVP_PKEY.pod @@ -8,37 +8,198 @@ EVP_PKEY - an internal description #include "crypto/evp.h" - struct evp_pkey_st; + typedef struct evp_pkey_st EVP_PKEY; =head1 DESCRIPTION I B is a complex type that's essentially a container for -private/public key key pairs, but has had other uses as well. +private/public key pairs, but has had other uses as well. =for comment "uses" could as well be "abuses"... -It can contain the legacy form of keys -- i.e. pointers to the low-level key types, such as B, B and B --, but also the -provided form of keys -- i.e. pointers to provider side key data. -Those two forms are mutually exclusive; an B instance can't -contain both a key in legacy form and in provided form. Regardless of -form, this key is commonly referred to as the "origin". - -An B also contains a cache of provider side copies of the -key, each adapted for the provider that is going to use that copy to -perform some operation. -For a legacy "origin", the B's functions -export_to() and dirty_cnt() must be implemented for such caching to be -possible. For a provider side "origin", the B's function -OP_keymgmt_export() must be implemented. In all cases, the receiving -B must have an implemented OP_keygmt_import(). +The private/public key pair that an B contains is refered to +as its "internal key" or "origin" (the reason for "origin" is +explained further down, in L), +and it can take one of the following forms: + +=over 4 + +=item legacy origin + +This is the form that an B in OpenSSL prior to 3.0 had. The +internal key in the B is a pointer to the low-level key +types, such as B, B and B, or an engine driven +structure, and is governed by an associated L and +an L. + +The functions available through those two method structures get full +access to the B and therefore have a lot of freedom to +modify whatever they want. This also means that an B is a +shared structure between libcrypto and any ENGINE that serves such +methods. + +=item provider-native origin + +This is a new form in OpenSSL 3.0, which permits providers to hold the +key data (see L). The internal key in the +B is a pointer to that key data held by the provider, and +is governed by an associated L method structure. + +The functions available through the L have no access +to the B, and can therefore not make any direct changes. +Similarly, the key data that the B points at is only known +to the functions pointed at in the L. + +=back + +These two forms can never co-exist in the same B, the main +reason being that having both at the same time will create problems +with synchronising between the two forms, and potentially make it +confusing which one of the two is the origin. + +=head2 Key mutability + +The B internal keys are mutable. + +This is especially visible with internal legacy keys, since they can +be extracted with functions like L and then +modified at will with functions like L. + +Internal provider native keys are also possible to be modified, if the +associated L implementation allows it. This is done +with L and its specialised derivatives. The +OpenSSL providers allow it for the following: + +=over 4 + +=item DH, EC, X25519, X448: + +It's possible to set the encoded public key. This is supported in +particular through L. + +=item EC: + +It's possible to flip the ECDH cofactor mode. + +=back + +Every time the B internal key mutates, an internal dirty +count is incremented. The need for a dirty count is explained further +in L. + +For provider native origin keys, this doesn't require any help from +the L, the dirty count is maintained in the B +itself, and is incremented every time L or its +specialised derivatives are called. +For legacy origin keys, this requires the associated +L to implement the dirty_cnt() function. All +of OpenSSL's built-in L implement this +function. + +=head2 Export cache for provider operations + +OpenSSL 3.0 can handle operations such as signing, encrypting, etc in +diverse providers, potentially others than the provider of the +L. Two providers, possibly from different vendors, +can't be expected to share internal key structures. There are +therefore instances where key data will need to be exported to the +provider that is going to perform the operation (this also implies +that every provider that implements a key pair based operation must +also implement an L). + +For performance reasons, libcrypto tries to minimize the need to +perform such an export, so it maintains a cache of such exports in the +B. Each cache entry has two items, a pointer to the +provider side key data and the associated L. + +I + +The export to the operation key cache can be performed independent of +what form the origin has. +For a legacy origin, this requires that the associated +L implements the functions export_to() and +dirty_cnt(). +For a provider native origin, this requires that the associated +L implements the OSSL_FUNC_keymgmt_export() function +(see L). +In all cases, the receiving L (the one associated with +the exported key data) must implement OSSL_FUNC_keymgmt_import(). If such caching isn't supported, the operations that can be performed -with that key are limited to the same backend as the "origin" key -(ENGINE for legacy "origin" keys, provider for provider side "origin" +with that key are limited to the same backend as the origin key +(ENGINE for legacy origin keys, provider for provider side origin keys). +=head3 Exporting implementation details + + +Exporting a key to the operation cache involves the following: + +=over 4 + +=item 1. + +Check if the dirty count for the internal origin key has changed since +the previous time. This is done by comparing it with a copy of the +dirty count, which is maintained by the export function. + +If the dirty count has changed, the export cache is cleared. + +=item 2. + +Check if there's an entry in the export cache with the same +L that's the same provider that an export is to be +made to (which is the provider that's going to perform an operation +for which the current B is going to be used). + +If such an entry is found, nothing more is done, the key data and +L found in that export cache entry will be used for +the operation to be performed. + +=item 3. + +Export the internal origin key to the provider, using the appropriate +method. + +For legacy origin keys, that's done with the help of the +L export_to() function. + +For provider native origin keys, that's done by retrieving the key +data in L form from the origin keys, using the +OSSL_FUNC_keymgmt_export() functions of the associated +L, and sending that data to the L of +the provider that's to perform the operation, using its +OSSL_FUNC_keymgmt_import() function. + +=back + +=head2 Upgrading and downgrading a key + +An B with a legacy origin will I be upgraded to +become an B with a provider native origin. Instead, we have +the operation cache as described above, that takes care of the needs +of the diverse operation the application may want to perform. + +An B with a provider native origin, I be downgraded to +be I into an B with a legacy origin. Because +an B can't have two origins, it means that it stops having a +provider native origin. The previous provider native key data is +moved to the operation cache. Downgrading is performed with the +internal function L. + +I, and possibly surprising, +and should therefore be done I, but is needed +to be able to support functions like L. +The general recommendation is to use L +whenever possible, which it should be if the need for a legacy origin +is only internal, or better yet, to remove the need for downgrade at +all. + =head1 SEE ALSO L From levitte at openssl.org Fri Feb 12 14:55:42 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 12 Feb 2021 14:55:42 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1613141742.364460.12937.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via c8c6e7438c03b2fc24e7ead460feeaef04911fb4 (commit) via 1881643499c4fa149177075bd2255efa6e6ebc56 (commit) from ee833fe9c325ecacc15b1f4e6c931f69aac0664e (commit) - Log ----------------------------------------------------------------- commit c8c6e7438c03b2fc24e7ead460feeaef04911fb4 Author: Richard Levitte Date: Mon Jan 11 08:51:43 2021 +0100 VMS documentation fixes This mostly clarifies details. Fixes #13789 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13834) commit 1881643499c4fa149177075bd2255efa6e6ebc56 Author: Richard Levitte Date: Mon Jan 11 08:31:21 2021 +0100 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands DCL has a total command line limitation that's too easily broken by them. We solve them by creating separate message scripts and using them. Fixes #13789 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13834) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 36 +++++++++++++++--------------------- INSTALL | 15 ++++++++------- NOTES.VMS | 12 ++++++++++-- VMS/msg_install.com | 19 +++++++++++++++++++ VMS/msg_staging.com | 37 +++++++++++++++++++++++++++++++++++++ 5 files changed, 89 insertions(+), 30 deletions(-) create mode 100644 VMS/msg_install.com create mode 100644 VMS/msg_staging.com diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 399f34b3ee..04c93222cc 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -377,8 +377,13 @@ NODEBUG=@ $(NODEBUG) ! $(NODEBUG) ! Installation logical names $(NODEBUG) ! - $(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]" - $(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]" + $(NODEBUG) ! This also creates a few DCL variables that are used for + $(NODEBUG) ! the "install_msg" target. + $(NODEBUG) ! + $(NODEBUG) installroot = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + $(NODEBUG) installtop = installroot + ".]" + $(NODEBUG) dataroot = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + $(NODEBUG) datatop = dataroot + ".]" $(NODEBUG) DEFINE ossl_installroot 'installtop' $(NODEBUG) DEFINE ossl_dataroot 'datatop' $(NODEBUG) ! @@ -455,30 +460,19 @@ list-tests : @ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options" @ ! {- output_on() if !$disabled{tests}; "" -} -install : install_sw install_ssldirs install_docs +install : install_sw install_ssldirs install_docs install_msg + @ ! + +install_msg : @ WRITE SYS$OUTPUT "" @ WRITE SYS$OUTPUT "######################################################################" @ WRITE SYS$OUTPUT "" @ IF "$(DESTDIR)" .EQS. "" THEN - - PIPE ( WRITE SYS$OUTPUT "Installation complete" ; - - WRITE SYS$OUTPUT "" ; - - WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; - - WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; - - WRITE SYS$OUTPUT "" ) + @{- sourcefile("VMS", "msg_install.com") -} "$(SYSTARTUP)" "{- $osslver -}" @ IF "$(DESTDIR)" .NES. "" THEN - - PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; - - WRITE SYS$OUTPUT "" ; - - WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; - - WRITE SYS$OUTPUT staging_instdir ; - - WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; - - WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; - - WRITE SYS$OUTPUT staging_datadir ; - - WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; - - WRITE SYS$OUTPUT "" ; - - WRITE SYS$OUTPUT "When in its final destination," ; - - WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; - - WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; - - WRITE SYS$OUTPUT "" ) + @{- sourcefile("VMS", "msg_staging.com") -} - + "''installroot']" "''dataroot']" "$(INSTALLTOP)" "$(OPENSSLDIR)" - + "$(SYSTARTUP)" "{- $osslver -}" check_install : spawn/nolog @ossl_installroot:[SYSTEST]openssl_ivp{- $osslver -}.com diff --git a/INSTALL b/INSTALL index f5118428b3..f3ac727183 100644 --- a/INSTALL +++ b/INSTALL @@ -106,8 +106,7 @@ This will build and install OpenSSL in the default location, which is: Unix: normal installation directories under /usr/local - OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the - OpenSSL version number with underscores instead of periods. + OpenVMS: SYS$COMMON:[OPENSSL] Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL The installation directory should be appropriately protected to ensure @@ -116,7 +115,9 @@ your Operating System it is recommended that you do not overwrite the system version and instead install to somewhere else. - If you want to install it anywhere else, run config like this: + If you want to install it anywhere else, run config like this (the options + --prefix and --openssldir are explained further down, and the values shown + here are mere examples): On Unix: @@ -198,7 +199,7 @@ Unix: /usr/local Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL - OpenVMS: SYS$COMMON:[OPENSSL-'version'] + OpenVMS: SYS$COMMON:[OPENSSL] --release Build OpenSSL without debugging symbols. This is the default. @@ -961,9 +962,9 @@ share/doc/openssl/html/man7 Contains the HTML rendition of the man-pages. - OpenVMS ('arch' is replaced with the architecture name, "Alpha" - or "ia64", 'sover' is replaced with the shared library version - (0101 for 1.1), and 'pz' is replaced with the pointer size + OpenVMS ('arch' is replaced with the architecture name, "ALPHA" + or "IA64", 'sover' is replaced with the shared library version + (0101 for 1.1.x), and 'pz' is replaced with the pointer size OpenSSL was built with): [.EXE.'arch'] Contains the openssl binary. diff --git a/NOTES.VMS b/NOTES.VMS index c82e231ad7..bb226da310 100644 --- a/NOTES.VMS +++ b/NOTES.VMS @@ -90,9 +90,9 @@ Unix mount point. The easiest way to check if everything got through as it should is to - check for one of the following files: + check that this file exists: - [.crypto]opensslconf^.h.in + [.include.openssl]opensslconf^.h.in The best way to get a correct distribution is to download the gzipped tar file from ftp://ftp.openssl.org/source/, use GZIP -d to uncompress @@ -105,3 +105,11 @@ Should you need it, you can find UnZip for VMS here: http://www.info-zip.org/UnZip.html + + + How the value of 'arch' is determined + ------------------------------------- + + 'arch' is mentioned in INSTALL. It's value is determined like this: + + arch = f$edit( f$getsyi( "arch_name"), "upcase") diff --git a/VMS/msg_install.com b/VMS/msg_install.com new file mode 100644 index 0000000000..d1eec7c982 --- /dev/null +++ b/VMS/msg_install.com @@ -0,0 +1,19 @@ +$ ! Used by the main descrip.mms to print the installation complete +$ ! message. +$ ! Arguments: +$ ! P1 startup / setup / shutdown scripts directory +$ ! P2 distinguishing version number ("major version") +$ +$ systartup = p1 +$ osslver = p2 +$ +$ WRITE SYS$OUTPUT "Installation complete" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "The following commands need to be executed to enable you to use OpenSSL:" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to set up OpenSSL logical names:" +$ WRITE SYS$OUTPUT " @''systartup'openssl_startup''osslver'" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to define the OpenSSL command" +$ WRITE SYS$OUTPUT " @''systartup'openssl_utils''osslver'" +$ WRITE SYS$OUTPUT "" diff --git a/VMS/msg_staging.com b/VMS/msg_staging.com new file mode 100644 index 0000000000..11cd80870d --- /dev/null +++ b/VMS/msg_staging.com @@ -0,0 +1,37 @@ +$ ! Used by the main descrip.mms to print the statging installation +$ ! complete +$ ! message. +$ ! Arguments: +$ ! P1 staging software installation directory +$ ! P2 staging data installation directory +$ ! P3 final software installation directory +$ ! P4 final data installation directory +$ ! P5 startup / setup / shutdown scripts directory +$ ! P6 distinguishing version number ("major version") +$ +$ staging_instdir = p1 +$ staging_datadir = p2 +$ final_instdir = p3 +$ final_datadir = p4 +$ systartup = p5 +$ osslver = p6 +$ +$ WRITE SYS$OUTPUT "Staging installation complete" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the following directory" +$ WRITE SYS$OUTPUT "trees end up being copied:" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- from ", staging_instdir +$ WRITE SYS$OUTPUT " to ", final_instdir +$ WRITE SYS$OUTPUT "- from ", staging_datadir +$ WRITE SYS$OUTPUT " to ", final_datadir +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "When in its final destination, the following commands need to be executed" +$ WRITE SYS$OUTPUT "to use OpenSSL:" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to set up OpenSSL logical names:" +$ WRITE SYS$OUTPUT " @''systartup'openssl_startup''osslver'" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to define the OpenSSL command" +$ WRITE SYS$OUTPUT " @''systartup'openssl_utils''osslver'" +$ WRITE SYS$OUTPUT "" From levitte at openssl.org Fri Feb 12 14:57:58 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 12 Feb 2021 14:57:58 +0000 Subject: [openssl] master update Message-ID: <1613141878.343417.9284.nullmailer@dev.openssl.org> The branch master has been updated via d8c1cafbbc5dfe2347a7157178db5b50fdf9d248 (commit) via 72ddea9b817e9b787e58d5b7ca8b7b8e6351f06e (commit) from 1695e10e402a2d25e57df2ac709d6265f3a2533f (commit) - Log ----------------------------------------------------------------- commit d8c1cafbbc5dfe2347a7157178db5b50fdf9d248 Author: Richard Levitte Date: Mon Jan 11 08:51:43 2021 +0100 VMS documentation fixes This mostly clarifies details. Fixes #13789 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13835) commit 72ddea9b817e9b787e58d5b7ca8b7b8e6351f06e Author: Richard Levitte Date: Mon Jan 11 08:31:21 2021 +0100 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands DCL has a total command line limitation that's too easily broken by them. We solve them by creating separate message scripts and using them. Fixes #13789 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13835) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 35 +++++++++++++---------------------- INSTALL.md | 12 ++++++------ NOTES-VMS.md | 11 +++++++++-- VMS/msg_install.com | 19 +++++++++++++++++++ VMS/msg_staging.com | 37 +++++++++++++++++++++++++++++++++++++ 5 files changed, 84 insertions(+), 30 deletions(-) create mode 100644 VMS/msg_install.com create mode 100644 VMS/msg_staging.com diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index a2f3293c54..3f015a0eb5 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -392,8 +392,13 @@ NODEBUG=@ $(NODEBUG) ! $(NODEBUG) ! Installation logical names $(NODEBUG) ! - $(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]" - $(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]" + $(NODEBUG) ! This also creates a few DCL variables that are used for + $(NODEBUG) ! the "install_msg" target. + $(NODEBUG) ! + $(NODEBUG) installroot = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + $(NODEBUG) installtop = installroot + ".]" + $(NODEBUG) dataroot = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + $(NODEBUG) datatop = dataroot + ".]" $(NODEBUG) DEFINE ossl_installroot 'installtop' $(NODEBUG) DEFINE ossl_dataroot 'datatop' $(NODEBUG) ! @@ -468,32 +473,18 @@ list-tests : @ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options" @ ! {- output_on() if !$disabled{tests}; "" -} -install : install_sw install_ssldirs install_docs install_final +install : install_sw install_ssldirs install_docs install_msg -install_final : +install_msg : @ WRITE SYS$OUTPUT "" @ WRITE SYS$OUTPUT "######################################################################" @ WRITE SYS$OUTPUT "" @ IF "$(DESTDIR)" .EQS. "" THEN - - PIPE ( WRITE SYS$OUTPUT "Installation complete" ; - - WRITE SYS$OUTPUT "" ; - - WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; - - WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; - - WRITE SYS$OUTPUT "" ) + @{- sourcefile("VMS", "msg_install.com") -} "$(SYSTARTUP)" "{- $osslver -}" @ IF "$(DESTDIR)" .NES. "" THEN - - PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; - - WRITE SYS$OUTPUT "" ; - - WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; - - WRITE SYS$OUTPUT staging_instdir ; - - WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; - - WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; - - WRITE SYS$OUTPUT staging_datadir ; - - WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; - - WRITE SYS$OUTPUT "" ; - - WRITE SYS$OUTPUT "When in its final destination," ; - - WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; - - WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; - - WRITE SYS$OUTPUT "" ) + @{- sourcefile("VMS", "msg_staging.com") -} - + "''installroot']" "''dataroot']" "$(INSTALLTOP)" "$(OPENSSLDIR)" - + "$(SYSTARTUP)" "{- $osslver -}" check_install : spawn/nolog @ossl_installroot:[SYSTEST]openssl_ivp{- $osslver -}.com diff --git a/INSTALL.md b/INSTALL.md index d9aa5c47c2..eec2f3a2b3 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -234,10 +234,7 @@ Use the following command to install OpenSSL. By default, OpenSSL will be installed to - SYS$COMMON:[OPENSSL-'version'...] - -where 'version' is the OpenSSL version number with underscores instead -of periods. + SYS$COMMON:[OPENSSL] ### Windows @@ -266,6 +263,9 @@ To install OpenSSL to a different location (for example into your home directory for testing purposes) run `Configure` as shown in the following examples. +The options `--prefix` and `--openssldir` are explained in further detail in +[Directories](#directories) below, and the values used here are mere examples. + On Unix: $ ./Configure --prefix=/opt/openssl --openssldir=/usr/local/ssl @@ -375,7 +375,7 @@ The top of the installation directory tree. Defaults are: Unix: /usr/local Windows: C:\Program Files\OpenSSL - OpenVMS: SYS$COMMON:[OPENSSL-'version'] + OpenVMS: SYS$COMMON:[OPENSSL] Compiler Warnings ----------------- @@ -1289,7 +1289,7 @@ its default): ### OpenVMS -'arch' is replaced with the architecture name, `Alpha` or `ia64`, +'arch' is replaced with the architecture name, `ALPHA` or `IA64`, 'sover' is replaced with the shared library version (`0101` for 1.1), and 'pz' is replaced with the pointer size OpenSSL was built with: diff --git a/NOTES-VMS.md b/NOTES-VMS.md index c317e82de2..ebb1e8e152 100644 --- a/NOTES-VMS.md +++ b/NOTES-VMS.md @@ -84,9 +84,9 @@ NOTES FOR THE OPENVMS PLATFORM Unix mount point. The easiest way to check if everything got through as it should is to - check for one of the following files: + check that this file exists: - [.crypto]opensslconf^.h.in + [.include.openssl]configuration^.h.in The best way to get a correct distribution is to download the gzipped tar file from ftp://ftp.openssl.org/source/, use `GZIP -d` to uncompress @@ -99,3 +99,10 @@ NOTES FOR THE OPENVMS PLATFORM Should you need it, you can find UnZip for VMS here: + + How the value of 'arch' is determined + ------------------------------------- + + 'arch' is mentioned in INSTALL. It's value is determined like this: + + arch = f$edit( f$getsyi( "arch_name"), "upcase") diff --git a/VMS/msg_install.com b/VMS/msg_install.com new file mode 100644 index 0000000000..d1eec7c982 --- /dev/null +++ b/VMS/msg_install.com @@ -0,0 +1,19 @@ +$ ! Used by the main descrip.mms to print the installation complete +$ ! message. +$ ! Arguments: +$ ! P1 startup / setup / shutdown scripts directory +$ ! P2 distinguishing version number ("major version") +$ +$ systartup = p1 +$ osslver = p2 +$ +$ WRITE SYS$OUTPUT "Installation complete" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "The following commands need to be executed to enable you to use OpenSSL:" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to set up OpenSSL logical names:" +$ WRITE SYS$OUTPUT " @''systartup'openssl_startup''osslver'" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to define the OpenSSL command" +$ WRITE SYS$OUTPUT " @''systartup'openssl_utils''osslver'" +$ WRITE SYS$OUTPUT "" diff --git a/VMS/msg_staging.com b/VMS/msg_staging.com new file mode 100644 index 0000000000..11cd80870d --- /dev/null +++ b/VMS/msg_staging.com @@ -0,0 +1,37 @@ +$ ! Used by the main descrip.mms to print the statging installation +$ ! complete +$ ! message. +$ ! Arguments: +$ ! P1 staging software installation directory +$ ! P2 staging data installation directory +$ ! P3 final software installation directory +$ ! P4 final data installation directory +$ ! P5 startup / setup / shutdown scripts directory +$ ! P6 distinguishing version number ("major version") +$ +$ staging_instdir = p1 +$ staging_datadir = p2 +$ final_instdir = p3 +$ final_datadir = p4 +$ systartup = p5 +$ osslver = p6 +$ +$ WRITE SYS$OUTPUT "Staging installation complete" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the following directory" +$ WRITE SYS$OUTPUT "trees end up being copied:" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- from ", staging_instdir +$ WRITE SYS$OUTPUT " to ", final_instdir +$ WRITE SYS$OUTPUT "- from ", staging_datadir +$ WRITE SYS$OUTPUT " to ", final_datadir +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "When in its final destination, the following commands need to be executed" +$ WRITE SYS$OUTPUT "to use OpenSSL:" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to set up OpenSSL logical names:" +$ WRITE SYS$OUTPUT " @''systartup'openssl_startup''osslver'" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "- to define the OpenSSL command" +$ WRITE SYS$OUTPUT " @''systartup'openssl_utils''osslver'" +$ WRITE SYS$OUTPUT "" From matthias.st.pierre at ncp-e.com Fri Feb 12 19:44:24 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Fri, 12 Feb 2021 19:44:24 +0000 Subject: [openssl] master update Message-ID: <1613159064.984256.5172.nullmailer@dev.openssl.org> The branch master has been updated via 70f23648827c2c8e6386e483c557e6e935b3103f (commit) via a0ca1eed2435ba3c23df7f9d18fcfd1172777334 (commit) via d507436a26d6cf525f3a9ad2aefd6c5aa673de06 (commit) via 4148581eb25db2aec132a5037d9de14c3b0eab48 (commit) via dc589daec888b64af405baeefa24afbb5b8823fb (commit) via 9f1fe6a950d20fefe9c3477b9b5260609538d7fc (commit) from 9ff5bd612a415571b12cc9febe22c710d9d2d42a (commit) - Log ----------------------------------------------------------------- commit 70f23648827c2c8e6386e483c557e6e935b3103f Author: Jay Satiro Date: Fri Feb 5 03:42:06 2021 -0500 NOTES-WINDOWS: fix typo CLA: trivial (cherry picked from commit fb97b8e8a52b853b2b2209d5aeee36eaa08bb9ad) Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14042) commit a0ca1eed2435ba3c23df7f9d18fcfd1172777334 Author: Dr. Matthias St. Pierre Date: Tue Feb 2 18:49:15 2021 +0100 Add a skeleton README-PROVIDERS file The current content of this README file are just meant to be a starting point and an incentive to add more. Most of the text was borrowed from the [OpenSSL 3.0 Wiki], which is the reason why a added Matt as co-author. To be continued... [OpenSSL 3.0 Wiki]: https://wiki.openssl.org/index.php/OpenSSL_3.0 Co-authored-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14042) commit d507436a26d6cf525f3a9ad2aefd6c5aa673de06 Author: Dr. Matthias St. Pierre Date: Tue Feb 2 17:55:50 2021 +0100 Add deprecation note to the README-ENGINES file Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14042) commit 4148581eb25db2aec132a5037d9de14c3b0eab48 Author: Dr. Matthias St. Pierre Date: Mon Feb 1 18:57:40 2021 +0100 Unify the markdown links to the NOTES and README files In many locations, the files have been converted to markdown syntactically, but don't utilize the power of markdown yet. Here, instead of just repeating the file name, the markdown link now shows the title of the document. Additionally, the notes are now reference in the same order in both the README and the INSTALL file. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14042) commit dc589daec888b64af405baeefa24afbb5b8823fb Author: Dr. Matthias St. Pierre Date: Mon Feb 1 18:53:29 2021 +0100 Reformat some NOTES and README files Formatting is still very mixed in the NOTES and README files. This commit tries to make formatting more consistent with the one introduced in pull request #10545. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14042) commit 9f1fe6a950d20fefe9c3477b9b5260609538d7fc Author: Dr. Matthias St. Pierre Date: Tue Feb 2 18:16:19 2021 +0100 Revise some renamings of NOTES and README files Some of the notes and readme files have been converted to markdown format recently and renamed during this process. While adding the .md extension was a natural step, switching to mixed cases was not a change to the better, it gives them a ragged appearance: NOTES.ANDROID => NOTES-Android.md NOTES.DJGPP => NOTES-DJGPP.md NOTES.PERL => NOTES-Perl.md NOTES.UNIX => NOTES-Unix.md NOTES.VMS => NOTES-VMS.md NOTES.VALGRIND => NOTES-Valgrind.md NOTES.WIN => NOTES-Windows.txt README.ENGINE => README-Engine.md README.FIPS => README-FIPS.md Moreover, the NOTES-Windows.txt file is the only file which has been converted to markdown but has received a .txt file extension. This doesn't make sense, because the OpenSSL users on Windows will need to read the other markdown documents as well. Since they are developers, we can trust them to be able to associate their favorite editor with the .md extension. In fact, having a comment at the beginning of the file saying that it is in markdown format but we didn't dare to add the correct extension in order not to overwhelm our Windows users can be interpreted either as unintentionally funny or disrespectful ;-) This commit suggests the following more consistent renaming: NOTES.ANDROID => NOTES-ANDROID.md NOTES.DJGPP => NOTES-DJGPP.md NOTES.PERL => NOTES-PERL.md NOTES.UNIX => NOTES-UNIX.md NOTES.VMS => NOTES-VMS.md NOTES.VALGRIND => NOTES-VALGRIND.md NOTES.WIN => NOTES-WINDOWS.md README.ENGINE => README-ENGINES.md README.FIPS => README-FIPS.md (note the plural in README-ENGINES, anticipating a README-PROVIDERS) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14042) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- INSTALL.md | 20 +-- NOTES-Android.md => NOTES-ANDROID.md | 2 +- NOTES-DJGPP.md | 6 +- NOTES-PERL.md | 133 ++++++++++++++ NOTES-Perl.md | 125 ------------- NOTES-Unix.md => NOTES-UNIX.md | 4 +- NOTES-Valgrind.md => NOTES-VALGRIND.md | 4 +- NOTES-VMS.md | 132 +++++++------- NOTES-WINDOWS.md | 226 +++++++++++++++++++++++ NOTES-Windows.txt | 217 ---------------------- README-ENGINES.md | 317 +++++++++++++++++++++++++++++++++ README-Engine.md | 308 -------------------------------- README-PROVIDERS.md | 151 ++++++++++++++++ README.md | 14 +- 15 files changed, 923 insertions(+), 738 deletions(-) rename NOTES-Android.md => NOTES-ANDROID.md (99%) create mode 100644 NOTES-PERL.md delete mode 100644 NOTES-Perl.md rename NOTES-Unix.md => NOTES-UNIX.md (98%) rename NOTES-Valgrind.md => NOTES-VALGRIND.md (98%) create mode 100644 NOTES-WINDOWS.md delete mode 100644 NOTES-Windows.txt create mode 100644 README-ENGINES.md delete mode 100644 README-Engine.md create mode 100644 README-PROVIDERS.md diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 0cf287ac5a..b2abee23e6 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1041,7 +1041,7 @@ cmd-nits: build_generated apps/openssl build_generated_pods # Finally, there's a Node.js version, which we haven't tried, that # can be found at https://github.com/DavidAnson/markdownlint md-nits: - mdl -s util/markdownlint.rb . NOTES-Windows.txt + mdl -s util/markdownlint.rb . # Test coverage is a good idea for the future #coverage: $(PROGRAMS) $(TESTPROGRAMS) diff --git a/INSTALL.md b/INSTALL.md index eec2f3a2b3..01c360e8d4 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -48,8 +48,8 @@ Prerequisites To install OpenSSL, you will need: * A "make" implementation - * Perl 5 with core modules (please read [NOTES-Perl.md](NOTES-Perl.md)) - * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-Perl.md)) + * Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md)) + * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md)) * an ANSI C compiler * a development environment in the form of development libraries and C header files @@ -58,13 +58,13 @@ To install OpenSSL, you will need: For additional platform specific requirements, solutions to specific issues and other details, please read one of these: - * [NOTES-Unix.md](NOTES-Unix.md) - notes for Unix like systems - * [NOTES-VMS.md](NOTES-VMS.md) - notes related to OpenVMS - * [NOTES-Windows.txt](NOTES-Windows.txt) - notes related to the Windows platform - * [NOTES-DJGPP.md](NOTES-DJGPP.md) - building for DOS with DJGPP - * [NOTES-Android.md](NOTES-Android.md) - building for Android platforms (using NDK) - * [NOTES-Valgrind.md](NOTES-Valgrind.md) - testing with Valgrind - * [NOTES-Perl.m](NOTES-Perl.md) - some notes on Perl + * [Notes for UNIX-like platforms](NOTES-UNIX.md) + * [Notes for Android platforms](NOTES-ANDROID.md) + * [Notes for Windows platforms](NOTES-WINDOWS.md) + * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md) + * [Notes for the OpenVMS platform](NOTES-VMS.md) + * [Notes on Perl](NOTES-PERL.md) + * [Notes on Valgrind](NOTES-VALGRIND.md) Notational conventions ====================== @@ -285,7 +285,7 @@ Configuration Options There are several options to `./Configure` to customize the build (note that for Windows, the defaults for `--prefix` and `--openssldir` depend on what configuration is used and what Windows implementation OpenSSL is built on. -More notes on this in [NOTES-Windows.txt](NOTES-Windows.txt): +For more information, see the [Notes for Windows platforms](NOTES-WINDOWS.md). API Level --------- diff --git a/NOTES-Android.md b/NOTES-ANDROID.md similarity index 99% rename from NOTES-Android.md rename to NOTES-ANDROID.md index e1e7370d26..eebf03a4c4 100644 --- a/NOTES-Android.md +++ b/NOTES-ANDROID.md @@ -1,4 +1,4 @@ -NOTES FOR ANDROID PLATFORMS +Notes for Android platforms =========================== Requirement details diff --git a/NOTES-DJGPP.md b/NOTES-DJGPP.md index 739710b09c..0b23c48370 100644 --- a/NOTES-DJGPP.md +++ b/NOTES-DJGPP.md @@ -1,5 +1,5 @@ -INSTALLATION ON THE DOS PLATFORM WITH DJGPP -=========================================== +Notes for the DOS platform with DJGPP +===================================== OpenSSL has been ported to DJGPP, a Unix look-alike 32-bit run-time environment for 16-bit DOS, but only with long filename support. @@ -10,7 +10,7 @@ INSTALLATION ON THE DOS PLATFORM WITH DJGPP You should have a full DJGPP environment installed, including the latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package requires that PERL and the PERL module `Text::Template` also be - installed (see [NOTES-Perl.md](NOTES-Perl.md)). + installed (see [NOTES-PERL.md](NOTES-PERL.md)). All of these can be obtained from the usual DJGPP mirror sites or directly at . For help on which diff --git a/NOTES-PERL.md b/NOTES-PERL.md new file mode 100644 index 0000000000..dbaae0d40e --- /dev/null +++ b/NOTES-PERL.md @@ -0,0 +1,133 @@ +Notes on Perl +============= + + - [General Notes](#general-notes) + - [Perl on Windows](#perl-on-windows) + - [Perl on VMS](#perl-on-vms) + - [Required Perl modules](#required-perl-modules) + - [Notes on installing a Perl module](#notes-on-installing-a-perl-module]) + + +General Notes +------------- + +For our scripts, we rely quite a bit on Perl, and increasingly on +some core Perl modules. These Perl modules are part of the Perl +source, so if you build Perl on your own, you should be set. + +However, if you install Perl as binary packages, the outcome might +differ, and you may have to check that you do get the core modules +installed properly. We do not claim to know them all, but experience +has told us the following: + + - on Linux distributions based on Debian, the package `perl` will + install the core Perl modules as well, so you will be fine. + - on Linux distributions based on RPMs, you will need to install + `perl-core` rather than just `perl`. + +You MUST have at least Perl version 5.10.0 installed. This minimum +requirement is due to our use of regexp backslash sequence \R among +other features that didn't exist in core Perl before that version. + +Perl on Windows +--------------- + +There are a number of build targets that can be viewed as "Windows". +Indeed, there are `VC-*` configs targeting VisualStudio C, as well as +MinGW and Cygwin. The key recommendation is to use a Perl installation +that matches the build environment. For example, if you will build +on Cygwin be sure to use the Cygwin package manager to install Perl. +For MSYS builds use the MSYS provided Perl. +For VC-* builds we recommend Strawberry Perl, from . +An alternative is ActiveState Perl, from +for which you may need to explicitly select the Perl module Win32/Console.pm +available via . + +Perl on VMS +----------- + +You will need to install Perl separately. One way to do so is to +download the source from , unpacking it, reading +`README-VMS.md` and follow the instructions. Another way is to download a +`.PCSI` file from and install it using the +POLYCENTER install tool. + +Required Perl modules +--------------------- + +We do our best to limit ourselves to core Perl modules to keep the +requirements down. There are just a few exceptions. + + +## For Building + + * `Text::Template` + + This module is not part of the core Perl modules. + As a matter of fact, the core Perl modules do not + include any templating module to date. + This module is absolutely needed, + configuration depends on it. + +## For Testing + + * `Test::More` + + We require the minimum version to be 0.96, which + appeared in Perl 5.13.4, because that version was + the first to have all the features we're using. + This module is required for testing only! + If you don't plan on running the tests, + you don't need to bother with this one. + + + +To avoid unnecessary initial hurdles, we have bundled a copy of the +following modules in our source. They will work as fallbacks if +these modules aren't already installed on the system. + + Text::Template + +Notes on installing a Perl module +--------------------------------- + +There are a number of ways to install a perl module. In all +descriptions below, `Text::Template` will serve as an example. + +1. for Linux users, the easiest is to install with the use of your + favorite package manager. Usually, all you need to do is search + for the module name and to install the package that comes up. + + On Debian based Linux distributions, it would go like this: + + $ apt-cache search Text::Template + ... + libtext-template-perl - perl module to process text templates + $ sudo apt-get install libtext-template-perl + + Perl modules in Debian based distributions use package names like + the name of the module in question, with "lib" prepended and + "-perl" appended. + +2. Install using CPAN. This is very easy, but usually requires root + access: + + $ cpan -i Text::Template + + Note that this runs all the tests that the module to be installed + comes with. This is usually a smooth operation, but there are + platforms where a failure is indicated even though the actual tests + were successful. Should that happen, you can force an + installation regardless (that should be safe since you've already + seen the tests succeed!): + + $ cpan -f -i Text::Template + + Note: on VMS, you must quote any argument that contains upper case + characters, so the lines above would be: + + $ cpan -i "Text::Template" + + and: + + $ cpan -f -i "Text::Template" diff --git a/NOTES-Perl.md b/NOTES-Perl.md deleted file mode 100644 index 13565dea6c..0000000000 --- a/NOTES-Perl.md +++ /dev/null @@ -1,125 +0,0 @@ -TOC -=== - - - Notes on Perl - - Notes on Perl on Windows - - Notes on Perl modules we use - - Notes on installing a perl module - - Notes on Perl - ------------- - - For our scripts, we rely quite a bit on Perl, and increasingly on - some core Perl modules. These Perl modules are part of the Perl - source, so if you build Perl on your own, you should be set. - - However, if you install Perl as binary packages, the outcome might - differ, and you may have to check that you do get the core modules - installed properly. We do not claim to know them all, but experience - has told us the following: - - - on Linux distributions based on Debian, the package `perl` will - install the core Perl modules as well, so you will be fine. - - on Linux distributions based on RPMs, you will need to install - `perl-core` rather than just `perl`. - - You MUST have at least Perl version 5.10.0 installed. This minimum - requirement is due to our use of regexp backslash sequence \R among - other features that didn't exist in core Perl before that version. - - Notes on Perl on Windows - ------------------------ - - There are a number of build targets that can be viewed as "Windows". - Indeed, there are `VC-*` configs targeting VisualStudio C, as well as - MinGW and Cygwin. The key recommendation is to use "matching" Perl, - one that matches build environment. For example, if you will build - on Cygwin be sure to use the Cygwin package manager to install Perl. - For MSYS builds use the MSYS provided Perl. - For VC-* builds we recommend Strawberry Perl, from . - An alternative is ActiveState Perl, from - for which you may need to explicitly select the Perl module Win32/Console.pm - available via . - - Notes on Perl on VMS - -------------------- - - You will need to install Perl separately. One way to do so is to - download the source from , unpacking it, reading - `README-VMS.md` and follow the instructions. Another way is to download a - `.PCSI` file from and install it using the - POLYCENTER install tool. - - Notes on Perl modules we use - ---------------------------- - - We make increasing use of Perl modules, and do our best to limit - ourselves to core Perl modules to keep the requirements down. There - are just a few exceptions: - - * `Test::More` - - We require the minimum version to be 0.96, which - appeared in Perl 5.13.4, because that version was - the first to have all the features we're using. - This module is required for testing only! - If you don't plan on running the tests, - you don't need to bother with this one. - - * `Text::Template` - - This module is not part of the core Perl modules. - As a matter of fact, the core Perl modules do not - include any templating module to date. - This module is absolutely needed, - configuration depends on it. - - To avoid unnecessary initial hurdles, we have bundled a copy of the - following modules in our source. They will work as fallbacks if - these modules aren't already installed on the system. - - Text::Template - - Notes on installing a perl module - --------------------------------- - - There are a number of ways to install a perl module. In all - descriptions below, `Text::Template` will serve as an example. - - 1. for Linux users, the easiest is to install with the use of your - favorite package manager. Usually, all you need to do is search - for the module name and to install the package that comes up. - - On Debian based Linux distributions, it would go like this: - - $ apt-cache search Text::Template - ... - libtext-template-perl - perl module to process text templates - $ sudo apt-get install libtext-template-perl - - Perl modules in Debian based distributions use package names like - the name of the module in question, with "lib" prepended and - "-perl" appended. - - 2. Install using CPAN. This is very easy, but usually requires root - access: - - $ cpan -i Text::Template - - Note that this runs all the tests that the module to be installed - comes with. This is usually a smooth operation, but there are - platforms where a failure is indicated even though the actual tests - were successful. Should that happen, you can force an - installation regardless (that should be safe since you've already - seen the tests succeed!): - - $ cpan -f -i Text::Template - - Note: on VMS, you must quote any argument that contains upper case - characters, so the lines above would be: - - $ cpan -i "Text::Template" - - and: - - $ cpan -f -i "Text::Template" diff --git a/NOTES-Unix.md b/NOTES-UNIX.md similarity index 98% rename from NOTES-Unix.md rename to NOTES-UNIX.md index 98f3a799cc..0b0a531db4 100644 --- a/NOTES-Unix.md +++ b/NOTES-UNIX.md @@ -1,8 +1,8 @@ -NOTES FOR UNIX-LIKE PLATFORMS +Notes for UNIX-like platforms ============================= For Unix/POSIX runtime systems on Windows, - please see [NOTES-Windows.txt](NOTES-Windows.txt). + please see the [Notes for Windows platforms](NOTES-WINDOWS.md). OpenSSL uses the compiler to link programs and shared libraries --------------------------------------------------------------- diff --git a/NOTES-Valgrind.md b/NOTES-VALGRIND.md similarity index 98% rename from NOTES-Valgrind.md rename to NOTES-VALGRIND.md index 00647cbd9b..a37e323e23 100644 --- a/NOTES-Valgrind.md +++ b/NOTES-VALGRIND.md @@ -1,5 +1,5 @@ -NOTES FOR VALGRIND -================== +Notes on Valgrind +================= Valgrind is a test harness that includes many tools such as memcheck, which is commonly used to check for memory leaks, etc. The default tool diff --git a/NOTES-VMS.md b/NOTES-VMS.md index ebb1e8e152..02e6cbcb8d 100644 --- a/NOTES-VMS.md +++ b/NOTES-VMS.md @@ -1,102 +1,110 @@ -NOTES FOR THE OPENVMS PLATFORM +Notes for the OpenVMS platform ============================== - Requirement details - ------------------- + - [Requirement details](#requirement-details) + - [About ANSI C compiler](#about-ansi-c-compiler) + - [About ODS-5 directory names and Perl](#about-ods-5-directory-names-and-perl) + - [About MMS and DCL](#about-mms-and-dcl) + - [About debugging](#about-debugging) + - [Checking the distribution](#checking-the-distribution) - In addition to the requirements and instructions listed - in [INSTALL.md](INSTALL.md), this are required as well: + +Requirement details +------------------- + +In addition to the requirements and instructions listed +in [INSTALL.md](INSTALL.md), this are required as well: * At least ODS-5 disk organization for source and build. Installation can be done on any existing disk organization. - About ANSI C compiler - --------------------- +About ANSI C compiler +--------------------- - An ANSI C compiled is needed among other things. This means that - VAX C is not and will not be supported. +An ANSI C compiled is needed among other things. This means that +VAX C is not and will not be supported. - We have only tested with DEC C (aka HP VMS C / VSI C) and require - version 7.1 or later. Compiling with a different ANSI C compiler may - require some work. +We have only tested with DEC C (aka HP VMS C / VSI C) and require +version 7.1 or later. Compiling with a different ANSI C compiler may +require some work. - Please avoid using C RTL feature logical names `DECC$*` when building - and testing OpenSSL. Most of all, they can be disruptive when - running the tests, as they affect the Perl interpreter. +Please avoid using C RTL feature logical names `DECC$*` when building +and testing OpenSSL. Most of all, they can be disruptive when +running the tests, as they affect the Perl interpreter. - About ODS-5 directory names and Perl - ------------------------------------ +About ODS-5 directory names and Perl +------------------------------------ - It seems that the perl function canonpath() in the `File::Spec` module - doesn't treat file specifications where the last directory name - contains periods very well. Unfortunately, some versions of VMS tar - will keep the periods in the OpenSSL source directory instead of - converting them to underscore, thereby leaving your source in - something like `[.openssl-1^.1^.0]`. This will lead to issues when - configuring and building OpenSSL. +It seems that the perl function canonpath() in the `File::Spec` module +doesn't treat file specifications where the last directory name +contains periods very well. Unfortunately, some versions of VMS tar +will keep the periods in the OpenSSL source directory instead of +converting them to underscore, thereby leaving your source in +something like `[.openssl-1^.1^.0]`. This will lead to issues when +configuring and building OpenSSL. - We have no replacement for Perl's canonpath(), so the best workaround - for now is to rename the OpenSSL source directory, as follows (please - adjust for the actual source directory name you have): +We have no replacement for Perl's canonpath(), so the best workaround +for now is to rename the OpenSSL source directory, as follows (please +adjust for the actual source directory name you have): $ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR - About MMS and DCL - ----------------- +About MMS and DCL +----------------- - MMS has certain limitations when it comes to line length, and DCL has - certain limitations when it comes to total command length. We do - what we can to mitigate, but there is the possibility that it's not - enough. Should you run into issues, a very simple solution is to set - yourself up a few logical names for the directory trees you're going - to use. +MMS has certain limitations when it comes to line length, and DCL has +certain limitations when it comes to total command length. We do +what we can to mitigate, but there is the possibility that it's not +enough. Should you run into issues, a very simple solution is to set +yourself up a few logical names for the directory trees you're going +to use. - About debugging - --------------- +About debugging +--------------- - If you build for debugging, the default on VMS is that image - activation starts the debugger automatically, giving you a debug - prompt. Unfortunately, this disrupts all other uses, such as running - test programs in the test framework. +If you build for debugging, the default on VMS is that image +activation starts the debugger automatically, giving you a debug +prompt. Unfortunately, this disrupts all other uses, such as running +test programs in the test framework. - Generally speaking, if you build for debugging, only use the programs - directly for debugging. Do not try to use them from a script, such - as running the test suite. +Generally speaking, if you build for debugging, only use the programs +directly for debugging. Do not try to use them from a script, such +as running the test suite. - ### The following is not available on Alpha +### The following is not available on Alpha - As a compromise, we're turning off the flag that makes the debugger - start automatically. If there is a program that you need to debug, - you need to turn that flag back on first, for example: +As a compromise, we're turning off the flag that makes the debugger +start automatically. If there is a program that you need to debug, +you need to turn that flag back on first, for example: $ set image /flag=call_debug [.test]evp_test.exe - Then just run it and you will find yourself in a debugging session. - When done, we recommend that you turn that flag back off: +Then just run it and you will find yourself in a debugging session. +When done, we recommend that you turn that flag back off: $ set image /flag=nocall_debug [.test]evp_test.exe - Checking the distribution - ------------------------- +Checking the distribution +------------------------- - There have been reports of places where the distribution didn't quite - get through, for example if you've copied the tree from a NFS-mounted - Unix mount point. +There have been reports of places where the distribution didn't quite +get through, for example if you've copied the tree from a NFS-mounted +Unix mount point. - The easiest way to check if everything got through as it should is to - check that this file exists: +The easiest way to check if everything got through as it should is to +check that this file exists: [.include.openssl]configuration^.h.in - The best way to get a correct distribution is to download the gzipped - tar file from ftp://ftp.openssl.org/source/, use `GZIP -d` to uncompress - it and `VMSTAR` to unpack the resulting tar file. +The best way to get a correct distribution is to download the gzipped +tar file from ftp://ftp.openssl.org/source/, use `GZIP -d` to uncompress +it and `VMSTAR` to unpack the resulting tar file. - Gzip and VMSTAR are available here: +Gzip and VMSTAR are available here: - Should you need it, you can find UnZip for VMS here: +Should you need it, you can find UnZip for VMS here: diff --git a/NOTES-WINDOWS.md b/NOTES-WINDOWS.md new file mode 100644 index 0000000000..dca13a7260 --- /dev/null +++ b/NOTES-WINDOWS.md @@ -0,0 +1,226 @@ +Notes for Windows platforms +=========================== + + - [Native builds using Visual C++](#native-builds-using-visual-c++) + - [Native builds using MinGW](#native-builds-using-mingw) + - [Linking native applications](#linking-native-applications) + - [Hosted builds using Cygwin](#hosted-builds-using-cygwin) + + +There are various options to build and run OpenSSL on the Windows platforms. + +"Native" OpenSSL uses the Windows APIs directly at run time. +To build a native OpenSSL you can either use: + + Microsoft Visual C++ (MSVC) C compiler on the command line +or + MinGW cross compiler + run on the GNU-like development environment MSYS2 + or run on Linux or Cygwin + +"Hosted" OpenSSL relies on an external POSIX compatibility layer +for building (using GNU/Unix shell, compiler, and tools) and at run time. +For this option you can use Cygwin. + +Native builds using Visual C++ +============================== + +The native builds using Visual C++ have a VC-* prefix. + +Requirement details +------------------- + +In addition to the requirements and instructions listed in INSTALL.md, +these are required as well: + +### Perl + +We recommend Strawberry Perl, available from +Please read NOTES.PERL for more information, including the use of CPAN. +An alternative is ActiveState Perl, +for which you may need to explicitly build the Perl module Win32/Console.pm +via and then download it. + +### Microsoft Visual C compiler. + +Since these are proprietary and ever-changing we cannot test them all. +Older versions may not work. Use a recent version wherever possible. + +### Netwide Assembler (NASM) + +NASM is the only supported assembler. It is available from . + +Quick start +----------- + + 1. Install Perl + + 2. Install NASM + + 3. Make sure both Perl and NASM are on your %PATH% + + 4. Use Visual Studio Developer Command Prompt with administrative privileges, + choosing one of its variants depending on the intended architecture. + Or run "cmd" and execute "vcvarsall.bat" with one of the options x86, + x86_amd64, x86_arm, x86_arm64, amd64, amd64_x86, amd64_arm, or amd64_arm64. + This sets up the environment variables needed for nmake.exe, cl.exe, etc. + See also + + + 5. From the root of the OpenSSL source directory enter + perl Configure VC-WIN32 if you want 32-bit OpenSSL or + perl Configure VC-WIN64A if you want 64-bit OpenSSL or + perl Configure to let Configure figure out the platform + + 6. nmake + + 7. nmake test + + 8. nmake install + +For the full installation instructions, or if anything goes wrong at any stage, +check the INSTALL.md file. + +Installation directories +------------------------ + +The default installation directories are derived from environment +variables. + +For VC-WIN32, the following defaults are use: + + PREFIX: %ProgramFiles(x86)%\OpenSSL + OPENSSLDIR: %CommonProgramFiles(x86)%\SSL + +For VC-WIN64, the following defaults are use: + + PREFIX: %ProgramW6432%\OpenSSL + OPENSSLDIR: %CommonProgramW6432%\SSL + +Should those environment variables not exist (on a pure Win32 +installation for examples), these fallbacks are used: + + PREFIX: %ProgramFiles%\OpenSSL + OPENSSLDIR: %CommonProgramFiles%\SSL + +ALSO NOTE that those directories are usually write protected, even if +your account is in the Administrators group. To work around that, +start the command prompt by right-clicking on it and choosing "Run as +Administrator" before running 'nmake install'. The other solution +is, of course, to choose a different set of directories by using +--prefix and --openssldir when configuring. + +Special notes for Universal Windows Platform builds, aka VC-*-UWP +-------------------------------------------------------------------- + + - UWP targets only support building the static and dynamic libraries. + + - You should define the platform type to "uwp" and the target arch via + "vcvarsall.bat" before you compile. For example, if you want to build + "arm64" builds, you should run "vcvarsall.bat x86_arm64 uwp". + +Native builds using MinGW +========================= + +MinGW offers an alternative way to build native OpenSSL, by cross compilation. + + * Usually the build is done on Windows in a GNU-like environment called MSYS2. + + MSYS2 provides GNU tools, a Unix-like command prompt, + and a UNIX compatibility layer for applications. + However, in this context it is only used for building OpenSSL. + The resulting OpenSSL does not rely on MSYS2 to run and is fully native. + + Requirement details + + - MSYS2 shell, from + + - Perl, at least version 5.10.0, which usually comes pre-installed with MSYS2 + + - make, installed using "pacman -S make" into the MSYS2 environment + + - MinGW[64] compiler: mingw-w64-i686-gcc and/or mingw-w64-x86_64-gcc. + These compilers must be on your MSYS2 $PATH. + A common error is to not have these on your $PATH. + The MSYS2 version of gcc will not work correctly here. + + In the MSYS2 shell do the configuration depending on the target architecture: + + ./Configure mingw ... + or + ./Configure mingw64 ... + or + ./Configure ... + + for the default architecture. + + Apart from that, follow the Unix / Linux instructions in INSTALL.md. + + * It is also possible to build mingw[64] on Linux or Cygwin. + + In this case configure with the corresponding --cross-compile-prefix= option. + For example + + ./Configure mingw --cross-compile-prefix=i686-w64-mingw32- ... + or + ./Configure mingw64 --cross-compile-prefix=x86_64-w64-mingw32- ... + + This requires that you've installed the necessary add-on packages for + mingw[64] cross compilation. + +Linking native applications +=========================== + +This section applies to all native builds. + +If you link with static OpenSSL libraries then you're expected to +additionally link your application with WS2_32.LIB, GDI32.LIB, +ADVAPI32.LIB, CRYPT32.LIB and USER32.LIB. Those developing +non-interactive service applications might feel concerned about +linking with GDI32.LIB and USER32.LIB, as they are justly associated +with interactive desktop, which is not available to service +processes. The toolkit is designed to detect in which context it's +currently executed, GUI, console app or service, and act accordingly, +namely whether or not to actually make GUI calls. Additionally those +who wish to /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and +actually keep them off service process should consider implementing +and exporting from .exe image in question own _OPENSSL_isservice not +relying on USER32.DLL. E.g., on Windows Vista and later you could: + + __declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void) + { + DWORD sess; + + if (ProcessIdToSessionId(GetCurrentProcessId(), &sess)) + return sess == 0; + return FALSE; + } + +If you link with OpenSSL .DLLs, then you're expected to include into +your application code a small "shim" snippet, which provides +the glue between the OpenSSL BIO layer and your compiler run-time. +See also the OPENSSL_Applink manual page. + +Hosted builds using Cygwin +========================== + +Cygwin implements a POSIX/Unix runtime system (cygwin1.dll) on top of the +Windows subsystem and provides a Bash shell and GNU tools environment. +Consequently, a build of OpenSSL with Cygwin is virtually identical to the +Unix procedure. + +To build OpenSSL using Cygwin, you need to: + + * Install Cygwin, see + + * Install Cygwin Perl, at least version 5.10.0 + and ensure it is in the $PATH + + * Run the Cygwin Bash shell + +Apart from that, follow the Unix / Linux instructions in INSTALL.md. + +NOTE: "make test" and normal file operations may fail in directories +mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin +stripping of carriage returns. To avoid this ensure that a binary +mount is used, e.g. mount -b c:\somewhere /home. diff --git a/NOTES-Windows.txt b/NOTES-Windows.txt deleted file mode 100644 index 20cce41911..0000000000 --- a/NOTES-Windows.txt +++ /dev/null @@ -1,217 +0,0 @@ -NOTES FOR WINDOWS PLATFORMS -=========================== - - (This file, like the others, is in "markdown" format, but has a ".txt" - extension to make it easier to view/edit on Windows.) - - There are various options to build and run OpenSSL on the Windows platforms. - - "Native" OpenSSL uses the Windows APIs directly at run time. - To build a native OpenSSL you can either use: - - Microsoft Visual C++ (MSVC) C compiler on the command line - or - MinGW cross compiler - run on the GNU-like development environment MSYS2 - or run on Linux or Cygwin - - "Hosted" OpenSSL relies on an external POSIX compatibility layer - for building (using GNU/Unix shell, compiler, and tools) and at run time. - For this option you can use Cygwin. - - Visual C++ native builds, aka VC-* - ===================================== - - Requirement details - ------------------- - - In addition to the requirements and instructions listed in INSTALL.md, - these are required as well: - - - Perl. - We recommend Strawberry Perl, available from - Please read NOTES.PERL for more information, including the use of CPAN. - An alternative is ActiveState Perl, - for which you may need to explicitly build the Perl module Win32/Console.pm - via and then download it. - - - Microsoft Visual C compiler. - Since these are proprietary and ever-changing we cannot test them all. - Older versions may not work. Use a recent version wherever possible. - - - Netwide Assembler (NASM), available from - Note that NASM is the only supported assembler. - - Quick start - ----------- - - 1. Install Perl - - 2. Install NASM - - 3. Make sure both Perl and NASM are on your %PATH% - - 4. Use Visual Studio Developer Command Prompt with administrative privileges, - choosing one of its variants depending on the intended architecture. - Or run "cmd" and execute "vcvarsall.bat" with one of the options x86, - x86_amd64, x86_arm, x86_arm64, amd64, amd64_x86, amd64_arm, or amd64_arm64. - This sets up the environment variables needed for nmake.exe, cl.exe, etc. - See also - - - 5. From the root of the OpenSSL source directory enter - perl Configure VC-WIN32 if you want 32-bit OpenSSL or - perl Configure VC-WIN64A if you want 64-bit OpenSSL or - perl Configure to let Configure figure out the platform - - 6. nmake - - 7. nmake test - - 8. nmake install - - For the full installation instructions, or if anything goes wrong at any stage, - check the INSTALL.md file. - - Installation directories - ------------------------ - - The default installation directories are derived from environment - variables. - - For VC-WIN32, the following defaults are use: - - PREFIX: %ProgramFiles(86)%\OpenSSL - OPENSSLDIR: %CommonProgramFiles(86)%\SSL - - For VC-WIN64, the following defaults are use: - - PREFIX: %ProgramW6432%\OpenSSL - OPENSSLDIR: %CommonProgramW6432%\SSL - - Should those environment variables not exist (on a pure Win32 - installation for examples), these fallbacks are used: - - PREFIX: %ProgramFiles%\OpenSSL - OPENSSLDIR: %CommonProgramFiles%\SSL - - ALSO NOTE that those directories are usually write protected, even if - your account is in the Administrators group. To work around that, - start the command prompt by right-clicking on it and choosing "Run as - Administrator" before running 'nmake install'. The other solution - is, of course, to choose a different set of directories by using - --prefix and --openssldir when configuring. - - Special notes for Universal Windows Platform builds, aka VC-*-UWP - -------------------------------------------------------------------- - - - UWP targets only support building the static and dynamic libraries. - - - You should define the platform type to "uwp" and the target arch via - "vcvarsall.bat" before you compile. For example, if you want to build - "arm64" builds, you should run "vcvarsall.bat x86_arm64 uwp". - - Native OpenSSL built using MinGW - ================================ - - MinGW offers an alternative way to build native OpenSSL, by cross compilation. - - * Usually the build is done on Windows in a GNU-like environment called MSYS2. - - MSYS2 provides GNU tools, a Unix-like command prompt, - and a UNIX compatibility layer for applications. - However, in this context it is only used for building OpenSSL. - The resulting OpenSSL does not rely on MSYS2 to run and is fully native. - - Requirement details - - - MSYS2 shell, from - - - Perl, at least version 5.10.0, which usually comes pre-installed with MSYS2 - - - make, installed using "pacman -S make" into the MSYS2 environment - - - MinGW[64] compiler: mingw-w64-i686-gcc and/or mingw-w64-x86_64-gcc. - These compilers must be on your MSYS2 $PATH. - A common error is to not have these on your $PATH. - The MSYS2 version of gcc will not work correctly here. - - In the MSYS2 shell do the configuration depending on the target architecture: - - ./Configure mingw ... - or - ./Configure mingw64 ... - or - ./Configure ... - for the default architecture. - - Apart from that, follow the Unix / Linux instructions in INSTALL.md. - - * It is also possible to build mingw[64] on Linux or Cygwin. - - In this case configure with the corresponding --cross-compile-prefix= option. - For example - - ./Configure mingw --cross-compile-prefix=i686-w64-mingw32- ... - or - ./Configure mingw64 --cross-compile-prefix=x86_64-w64-mingw32- ... - - This requires that you've installed the necessary add-on packages for - mingw[64] cross compilation. - - Linking your application - ======================== - - This section applies to all "native" builds. - - If you link with static OpenSSL libraries then you're expected to - additionally link your application with WS2_32.LIB, GDI32.LIB, - ADVAPI32.LIB, CRYPT32.LIB and USER32.LIB. Those developing - non-interactive service applications might feel concerned about - linking with GDI32.LIB and USER32.LIB, as they are justly associated - with interactive desktop, which is not available to service - processes. The toolkit is designed to detect in which context it's - currently executed, GUI, console app or service, and act accordingly, - namely whether or not to actually make GUI calls. Additionally those - who wish to /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and - actually keep them off service process should consider implementing - and exporting from .exe image in question own _OPENSSL_isservice not - relying on USER32.DLL. E.g., on Windows Vista and later you could: - - __declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void) - { - DWORD sess; - - if (ProcessIdToSessionId(GetCurrentProcessId(), &sess)) - return sess == 0; - return FALSE; - } - - If you link with OpenSSL .DLLs, then you're expected to include into - your application code a small "shim" snippet, which provides - the glue between the OpenSSL BIO layer and your compiler run-time. - See also the OPENSSL_Applink manual page. - - Hosted OpenSSL built using Cygwin - ================================= - - Cygwin implements a POSIX/Unix runtime system (cygwin1.dll) on top of the - Windows subsystem and provides a Bash shell and GNU tools environment. - Consequently, a build of OpenSSL with Cygwin is virtually identical to the - Unix procedure. - - To build OpenSSL using Cygwin, you need to: - - * Install Cygwin, see - - * Install Cygwin Perl, at least version 5.10.0 - and ensure it is in the $PATH - - * Run the Cygwin Bash shell - - Apart from that, follow the Unix / Linux instructions in INSTALL.md. - - NOTE: "make test" and normal file operations may fail in directories - mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin - stripping of carriage returns. To avoid this ensure that a binary - mount is used, e.g. mount -b c:\somewhere /home. diff --git a/README-ENGINES.md b/README-ENGINES.md new file mode 100644 index 0000000000..80c1c55cf4 --- /dev/null +++ b/README-ENGINES.md @@ -0,0 +1,317 @@ +Engines +======= + +Deprecation Note +---------------- + +The ENGINE API was introduced in OpenSSL version 0.9.6 as a low level +interface for adding alternative implementations of cryptographic +primitives, most notably for integrating hardware crypto devices. + +The ENGINE interface has its limitations and it has been superseeded +by the [PROVIDER API](README-Provider.md), it is deprecated in OpenSSL +version 3.0. The following documentation is retained as an aid for +users who need to maintain or support existing ENGINE implementations. +Support for new hardware devices or new algorithms should be added +via providers, and existing engines should be converted to providers +as soon as possible. + +Built-in ENGINE implementations +------------------------------- + +There are currently built-in ENGINE implementations for the following +crypto devices: + + * Microsoft CryptoAPI + * VIA Padlock + * nCipher CHIL + +In addition, dynamic binding to external ENGINE implementations is now +provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE" +section below for details. + +At this stage, a number of things are still needed and are being worked on: + + 1. Integration of EVP support. + 2. Configuration support. + 3. Documentation! + +Integration of EVP support +-------------------------- + +With respect to EVP, this relates to support for ciphers and digests in +the ENGINE model so that alternative implementations of existing +algorithms/modes (or previously unimplemented ones) can be provided by +ENGINE implementations. + +Configuration support +--------------------- + +Configuration support currently exists in the ENGINE API itself, in the +form of "control commands". These allow an application to expose to the +user/admin the set of commands and parameter types a given ENGINE +implementation supports, and for an application to directly feed string +based input to those ENGINEs, in the form of name-value pairs. This is an +extensible way for ENGINEs to define their own "configuration" mechanisms +that are specific to a given ENGINE (eg. for a particular hardware +device) but that should be consistent across *all* OpenSSL-based +applications when they use that ENGINE. Work is in progress (or at least +in planning) for supporting these control commands from the CONF (or +NCONF) code so that applications using OpenSSL's existing configuration +file format can have ENGINE settings specified in much the same way. +Presently however, applications must use the ENGINE API itself to provide +such functionality. To see first hand the types of commands available +with the various compiled-in ENGINEs (see further down for dynamic +ENGINEs), use the "engine" openssl utility with full verbosity, i.e.: + + openssl engine -vvvv + +Documentation +------------- + +Documentation? Volunteers welcome! The source code is reasonably well +self-documenting, but some summaries and usage instructions are needed - +moreover, they are needed in the same POD format the existing OpenSSL +documentation is provided in. Any complete or incomplete contributions +would help make this happen. + +STABILITY & BUG-REPORTS +======================= + +What already exists is fairly stable as far as it has been tested, but +the test base has been a bit small most of the time. For the most part, +the vendors of the devices these ENGINEs support have contributed to the +development and/or testing of the implementations, and *usually* (with no +guarantees) have experience in using the ENGINE support to drive their +devices from common OpenSSL-based applications. Bugs and/or inexplicable +behaviour in using a specific ENGINE implementation should be sent to the +author of that implementation (if it is mentioned in the corresponding C +file), and in the case of implementations for commercial hardware +devices, also through whatever vendor support channels are available. If +none of this is possible, or the problem seems to be something about the +ENGINE API itself (ie. not necessarily specific to a particular ENGINE +implementation) then you should mail complete details to the relevant +OpenSSL mailing list. For a definition of "complete details", refer to +the OpenSSL "README" file. As for which list to send it to: + + * openssl-users: if you are *using* the ENGINE abstraction, either in an + pre-compiled application or in your own application code. + + * openssl-dev: if you are discussing problems with OpenSSL source code. + +USAGE +===== + +The default "openssl" ENGINE is always chosen when performing crypto +operations unless you specify otherwise. You must actively tell the +openssl utility commands to use anything else through a new command line +switch called "-engine". Also, if you want to use the ENGINE support in +your own code to do something similar, you must likewise explicitly +select the ENGINE implementation you want. + +Depending on the type of hardware, system, and configuration, "settings" +may need to be applied to an ENGINE for it to function as expected/hoped. +The recommended way of doing this is for the application to support +ENGINE "control commands" so that each ENGINE implementation can provide +whatever configuration primitives it might require and the application +can allow the user/admin (and thus the hardware vendor's support desk +also) to provide any such input directly to the ENGINE implementation. +This way, applications do not need to know anything specific to any +device, they only need to provide the means to carry such user/admin +input through to the ENGINE in question. Ie. this connects *you* (and +your helpdesk) to the specific ENGINE implementation (and device), and +allows application authors to not get buried in hassle supporting +arbitrary devices they know (and care) nothing about. + +A new "openssl" utility, "openssl engine", has been added in that allows +for testing and examination of ENGINE implementations. Basic usage +instructions are available by specifying the "-?" command line switch. + +DYNAMIC ENGINES +=============== + +The new "dynamic" ENGINE provides a low-overhead way to support ENGINE +implementations that aren't pre-compiled and linked into OpenSSL-based +applications. This could be because existing compiled-in implementations +have known problems and you wish to use a newer version with an existing +application. It could equally be because the application (or OpenSSL +library) you are using simply doesn't have support for the ENGINE you +wish to use, and the ENGINE provider (eg. hardware vendor) is providing +you with a self-contained implementation in the form of a shared-library. +The other use-case for "dynamic" is with applications that wish to +maintain the smallest foot-print possible and so do not link in various +ENGINE implementations from OpenSSL, but instead leaves you to provide +them, if you want them, in the form of "dynamic"-loadable +shared-libraries. It should be possible for hardware vendors to provide +their own shared-libraries to support arbitrary hardware to work with +applications based on OpenSSL 0.9.7 or later. If you're using an +application based on 0.9.7 (or later) and the support you desire is only +announced for versions later than the one you need, ask the vendor to +backport their ENGINE to the version you need. + +How does "dynamic" work? +------------------------ + +The dynamic ENGINE has a special flag in its implementation such that +every time application code asks for the 'dynamic' ENGINE, it in fact +gets its own copy of it. As such, multi-threaded code (or code that +multiplexes multiple uses of 'dynamic' in a single application in any +way at all) does not get confused by 'dynamic' being used to do many +independent things. Other ENGINEs typically don't do this so there is +only ever 1 ENGINE structure of its type (and reference counts are used +to keep order). The dynamic ENGINE itself provides absolutely no +cryptographic functionality, and any attempt to "initialise" the ENGINE +automatically fails. All it does provide are a few "control commands" +that can be used to control how it will load an external ENGINE +implementation from a shared-library. To see these control commands, +use the command-line; + + openssl engine -vvvv dynamic + +The "SO_PATH" control command should be used to identify the +shared-library that contains the ENGINE implementation, and "NO_VCHECK" +might possibly be useful if there is a minor version conflict and you +(or a vendor helpdesk) is convinced you can safely ignore it. +"ID" is probably only needed if a shared-library implements +multiple ENGINEs, but if you know the engine id you expect to be using, +it doesn't hurt to specify it (and this provides a sanity check if +nothing else). "LIST_ADD" is only required if you actually wish the +loaded ENGINE to be discoverable by application code later on using the +ENGINE's "id". For most applications, this isn't necessary - but some +application authors may have nifty reasons for using it. The "LOAD" +command is the only one that takes no parameters and is the command +that uses the settings from any previous commands to actually *load* +the shared-library ENGINE implementation. If this command succeeds, the +(copy of the) 'dynamic' ENGINE will magically morph into the ENGINE +that has been loaded from the shared-library. As such, any control +commands supported by the loaded ENGINE could then be executed as per +normal. Eg. if ENGINE "foo" is implemented in the shared-library +"libfoo.so" and it supports some special control command "CMD_FOO", the +following code would load and use it (NB: obviously this code has no +error checking); + + ENGINE *e = ENGINE_by_id("dynamic"); + ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0); + ENGINE_ctrl_cmd_string(e, "ID", "foo", 0); + ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0); + ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0); + +For testing, the "openssl engine" utility can be useful for this sort +of thing. For example the above code excerpt would achieve much the +same result as; + + openssl engine dynamic \ + -pre SO_PATH:/lib/libfoo.so \ + -pre ID:foo \ + -pre LOAD \ + -pre "CMD_FOO:some input data" + +Or to simply see the list of commands supported by the "foo" ENGINE; + + openssl engine -vvvv dynamic \ + -pre SO_PATH:/lib/libfoo.so \ + -pre ID:foo \ + -pre LOAD + +Applications that support the ENGINE API and more specifically, the +"control commands" mechanism, will provide some way for you to pass +such commands through to ENGINEs. As such, you would select "dynamic" +as the ENGINE to use, and the parameters/commands you pass would +control the *actual* ENGINE used. Each command is actually a name-value +pair and the value can sometimes be omitted (eg. the "LOAD" command). +Whilst the syntax demonstrated in "openssl engine" uses a colon to +separate the command name from the value, applications may provide +their own syntax for making that separation (eg. a win32 registry +key-value pair may be used by some applications). The reason for the +"-pre" syntax in the "openssl engine" utility is that some commands +might be issued to an ENGINE *after* it has been initialised for use. +Eg. if an ENGINE implementation requires a smart-card to be inserted +during initialisation (or a PIN to be typed, or whatever), there may be +a control command you can issue afterwards to "forget" the smart-card +so that additional initialisation is no longer possible. In +applications such as web-servers, where potentially volatile code may +run on the same host system, this may provide some arguable security +value. In such a case, the command would be passed to the ENGINE after +it has been initialised for use, and so the "-post" switch would be +used instead. Applications may provide a different syntax for +supporting this distinction, and some may simply not provide it at all +("-pre" is almost always what you're after, in reality). + +How do I build a "dynamic" ENGINE? +---------------------------------- + +This question is trickier - currently OpenSSL bundles various ENGINE +implementations that are statically built in, and any application that +calls the "ENGINE_load_builtin_engines()" function will automatically +have all such ENGINEs available (and occupying memory). Applications +that don't call that function have no ENGINEs available like that and +would have to use "dynamic" to load any such ENGINE - but on the other +hand such applications would only have the memory footprint of any +ENGINEs explicitly loaded using user/admin provided control commands. +The main advantage of not statically linking ENGINEs and only using +"dynamic" for hardware support is that any installation using no +"external" ENGINE suffers no unnecessary memory footprint from unused +ENGINEs. Likewise, installations that do require an ENGINE incur the +overheads from only *that* ENGINE once it has been loaded. + +Sounds good? Maybe, but currently building an ENGINE implementation as +a shared-library that can be loaded by "dynamic" isn't automated in +OpenSSL's build process. It can be done manually quite easily however. +Such a shared-library can either be built with any OpenSSL code it +needs statically linked in, or it can link dynamically against OpenSSL +if OpenSSL itself is built as a shared library. The instructions are +the same in each case, but in the former (statically linked any +dependencies on OpenSSL) you must ensure OpenSSL is built with +position-independent code ("PIC"). The default OpenSSL compilation may +already specify the relevant flags to do this, but you should consult +with your compiler documentation if you are in any doubt. + +This example will show building the "atalla" ENGINE in the +crypto/engine/ directory as a shared-library for use via the "dynamic" +ENGINE. + + 1. "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL + source tree. + + 2. Recompile at least one source file so you can see all the compiler + flags (and syntax) being used to build normally. Eg; + + touch hw_atalla.c ; make + + will rebuild "hw_atalla.o" using all such flags. + + 3. Manually enter the same compilation line to compile the + "hw_atalla.c" file but with the following two changes; + * add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches, + * change the output file from "hw_atalla.o" to something new, + eg. "tmp_atalla.o" + + 4. Link "tmp_atalla.o" into a shared-library using the top-level + OpenSSL libraries to resolve any dependencies. The syntax for doing + this depends heavily on your system/compiler and is a nightmare + known well to anyone who has worked with shared-library portability + before. 'gcc' on Linux, for example, would use the following syntax; + + gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto + + 5. Test your shared library using "openssl engine" as explained in the + previous section. Eg. from the top-level directory, you might try + + apps/openssl engine -vvvv dynamic \ + -pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD + +If the shared-library loads successfully, you will see both "-pre" +commands marked as "SUCCESS" and the list of control commands +displayed (because of "-vvvv") will be the control commands for the +*atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add +the "-t" switch to the utility if you want it to try and initialise +the atalla ENGINE for use to test any possible hardware/driver issues. + +PROBLEMS +======== + +It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32. +A quick test done right before the release showed that trying "openssl speed +-engine cswift" generated errors. If the DSO gets enabled, an attempt is made +to write at memory address 0x00000002. + diff --git a/README-Engine.md b/README-Engine.md deleted file mode 100644 index 2fc4e40a2b..0000000000 --- a/README-Engine.md +++ /dev/null @@ -1,308 +0,0 @@ -ENGINES -======= - - With OpenSSL 0.9.6, a new component was added to support alternative - cryptography implementations, most commonly for interfacing with external - crypto devices (eg. accelerator cards). This component is called ENGINE, - and its presence in OpenSSL 0.9.6 (and subsequent bug-fix releases) - caused a little confusion as 0.9.6** releases were rolled in two - versions, a "standard" and an "engine" version. In development for 0.9.7, - the ENGINE code has been merged into the main branch and will be present - in the standard releases from 0.9.7 forwards. - - There are currently built-in ENGINE implementations for the following - crypto devices: - - * Microsoft CryptoAPI - * VIA Padlock - * nCipher CHIL - - In addition, dynamic binding to external ENGINE implementations is now - provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE" - section below for details. - - At this stage, a number of things are still needed and are being worked on: - - 1. Integration of EVP support. - 2. Configuration support. - 3. Documentation! - - Integration of EVP support - -------------------------- - - With respect to EVP, this relates to support for ciphers and digests in - the ENGINE model so that alternative implementations of existing - algorithms/modes (or previously unimplemented ones) can be provided by - ENGINE implementations. - - Configuration support - --------------------- - - Configuration support currently exists in the ENGINE API itself, in the - form of "control commands". These allow an application to expose to the - user/admin the set of commands and parameter types a given ENGINE - implementation supports, and for an application to directly feed string - based input to those ENGINEs, in the form of name-value pairs. This is an - extensible way for ENGINEs to define their own "configuration" mechanisms - that are specific to a given ENGINE (eg. for a particular hardware - device) but that should be consistent across *all* OpenSSL-based - applications when they use that ENGINE. Work is in progress (or at least - in planning) for supporting these control commands from the CONF (or - NCONF) code so that applications using OpenSSL's existing configuration - file format can have ENGINE settings specified in much the same way. - Presently however, applications must use the ENGINE API itself to provide - such functionality. To see first hand the types of commands available - with the various compiled-in ENGINEs (see further down for dynamic - ENGINEs), use the "engine" openssl utility with full verbosity, i.e.: - - openssl engine -vvvv - - Documentation - ------------- - - Documentation? Volunteers welcome! The source code is reasonably well - self-documenting, but some summaries and usage instructions are needed - - moreover, they are needed in the same POD format the existing OpenSSL - documentation is provided in. Any complete or incomplete contributions - would help make this happen. - - STABILITY & BUG-REPORTS - ======================= - - What already exists is fairly stable as far as it has been tested, but - the test base has been a bit small most of the time. For the most part, - the vendors of the devices these ENGINEs support have contributed to the - development and/or testing of the implementations, and *usually* (with no - guarantees) have experience in using the ENGINE support to drive their - devices from common OpenSSL-based applications. Bugs and/or inexplicable - behaviour in using a specific ENGINE implementation should be sent to the - author of that implementation (if it is mentioned in the corresponding C - file), and in the case of implementations for commercial hardware - devices, also through whatever vendor support channels are available. If - none of this is possible, or the problem seems to be something about the - ENGINE API itself (ie. not necessarily specific to a particular ENGINE - implementation) then you should mail complete details to the relevant - OpenSSL mailing list. For a definition of "complete details", refer to - the OpenSSL "README" file. As for which list to send it to: - - * openssl-users: if you are *using* the ENGINE abstraction, either in an - pre-compiled application or in your own application code. - - * openssl-dev: if you are discussing problems with OpenSSL source code. - - USAGE - ===== - - The default "openssl" ENGINE is always chosen when performing crypto - operations unless you specify otherwise. You must actively tell the - openssl utility commands to use anything else through a new command line - switch called "-engine". Also, if you want to use the ENGINE support in - your own code to do something similar, you must likewise explicitly - select the ENGINE implementation you want. - - Depending on the type of hardware, system, and configuration, "settings" - may need to be applied to an ENGINE for it to function as expected/hoped. - The recommended way of doing this is for the application to support - ENGINE "control commands" so that each ENGINE implementation can provide - whatever configuration primitives it might require and the application - can allow the user/admin (and thus the hardware vendor's support desk - also) to provide any such input directly to the ENGINE implementation. - This way, applications do not need to know anything specific to any - device, they only need to provide the means to carry such user/admin - input through to the ENGINE in question. Ie. this connects *you* (and - your helpdesk) to the specific ENGINE implementation (and device), and - allows application authors to not get buried in hassle supporting - arbitrary devices they know (and care) nothing about. - - A new "openssl" utility, "openssl engine", has been added in that allows - for testing and examination of ENGINE implementations. Basic usage - instructions are available by specifying the "-?" command line switch. - - DYNAMIC ENGINES - =============== - - The new "dynamic" ENGINE provides a low-overhead way to support ENGINE - implementations that aren't pre-compiled and linked into OpenSSL-based - applications. This could be because existing compiled-in implementations - have known problems and you wish to use a newer version with an existing - application. It could equally be because the application (or OpenSSL - library) you are using simply doesn't have support for the ENGINE you - wish to use, and the ENGINE provider (eg. hardware vendor) is providing - you with a self-contained implementation in the form of a shared-library. - The other use-case for "dynamic" is with applications that wish to - maintain the smallest foot-print possible and so do not link in various - ENGINE implementations from OpenSSL, but instead leaves you to provide - them, if you want them, in the form of "dynamic"-loadable - shared-libraries. It should be possible for hardware vendors to provide - their own shared-libraries to support arbitrary hardware to work with - applications based on OpenSSL 0.9.7 or later. If you're using an - application based on 0.9.7 (or later) and the support you desire is only - announced for versions later than the one you need, ask the vendor to - backport their ENGINE to the version you need. - - How does "dynamic" work? - ------------------------ - - The dynamic ENGINE has a special flag in its implementation such that - every time application code asks for the 'dynamic' ENGINE, it in fact - gets its own copy of it. As such, multi-threaded code (or code that - multiplexes multiple uses of 'dynamic' in a single application in any - way at all) does not get confused by 'dynamic' being used to do many - independent things. Other ENGINEs typically don't do this so there is - only ever 1 ENGINE structure of its type (and reference counts are used - to keep order). The dynamic ENGINE itself provides absolutely no - cryptographic functionality, and any attempt to "initialise" the ENGINE - automatically fails. All it does provide are a few "control commands" - that can be used to control how it will load an external ENGINE - implementation from a shared-library. To see these control commands, - use the command-line; - - openssl engine -vvvv dynamic - - The "SO_PATH" control command should be used to identify the - shared-library that contains the ENGINE implementation, and "NO_VCHECK" - might possibly be useful if there is a minor version conflict and you - (or a vendor helpdesk) is convinced you can safely ignore it. - "ID" is probably only needed if a shared-library implements - multiple ENGINEs, but if you know the engine id you expect to be using, - it doesn't hurt to specify it (and this provides a sanity check if - nothing else). "LIST_ADD" is only required if you actually wish the - loaded ENGINE to be discoverable by application code later on using the - ENGINE's "id". For most applications, this isn't necessary - but some - application authors may have nifty reasons for using it. The "LOAD" - command is the only one that takes no parameters and is the command - that uses the settings from any previous commands to actually *load* - the shared-library ENGINE implementation. If this command succeeds, the - (copy of the) 'dynamic' ENGINE will magically morph into the ENGINE - that has been loaded from the shared-library. As such, any control - commands supported by the loaded ENGINE could then be executed as per - normal. Eg. if ENGINE "foo" is implemented in the shared-library - "libfoo.so" and it supports some special control command "CMD_FOO", the - following code would load and use it (NB: obviously this code has no - error checking); - - ENGINE *e = ENGINE_by_id("dynamic"); - ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0); - ENGINE_ctrl_cmd_string(e, "ID", "foo", 0); - ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0); - ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0); - - For testing, the "openssl engine" utility can be useful for this sort - of thing. For example the above code excerpt would achieve much the - same result as; - - openssl engine dynamic \ - -pre SO_PATH:/lib/libfoo.so \ - -pre ID:foo \ - -pre LOAD \ - -pre "CMD_FOO:some input data" - - Or to simply see the list of commands supported by the "foo" ENGINE; - - openssl engine -vvvv dynamic \ - -pre SO_PATH:/lib/libfoo.so \ - -pre ID:foo \ - -pre LOAD - - Applications that support the ENGINE API and more specifically, the - "control commands" mechanism, will provide some way for you to pass - such commands through to ENGINEs. As such, you would select "dynamic" - as the ENGINE to use, and the parameters/commands you pass would - control the *actual* ENGINE used. Each command is actually a name-value - pair and the value can sometimes be omitted (eg. the "LOAD" command). - Whilst the syntax demonstrated in "openssl engine" uses a colon to - separate the command name from the value, applications may provide - their own syntax for making that separation (eg. a win32 registry - key-value pair may be used by some applications). The reason for the - "-pre" syntax in the "openssl engine" utility is that some commands - might be issued to an ENGINE *after* it has been initialised for use. - Eg. if an ENGINE implementation requires a smart-card to be inserted - during initialisation (or a PIN to be typed, or whatever), there may be - a control command you can issue afterwards to "forget" the smart-card - so that additional initialisation is no longer possible. In - applications such as web-servers, where potentially volatile code may - run on the same host system, this may provide some arguable security - value. In such a case, the command would be passed to the ENGINE after - it has been initialised for use, and so the "-post" switch would be - used instead. Applications may provide a different syntax for - supporting this distinction, and some may simply not provide it at all - ("-pre" is almost always what you're after, in reality). - - How do I build a "dynamic" ENGINE? - ---------------------------------- - - This question is trickier - currently OpenSSL bundles various ENGINE - implementations that are statically built in, and any application that - calls the "ENGINE_load_builtin_engines()" function will automatically - have all such ENGINEs available (and occupying memory). Applications - that don't call that function have no ENGINEs available like that and - would have to use "dynamic" to load any such ENGINE - but on the other - hand such applications would only have the memory footprint of any - ENGINEs explicitly loaded using user/admin provided control commands. - The main advantage of not statically linking ENGINEs and only using - "dynamic" for hardware support is that any installation using no - "external" ENGINE suffers no unnecessary memory footprint from unused - ENGINEs. Likewise, installations that do require an ENGINE incur the - overheads from only *that* ENGINE once it has been loaded. - - Sounds good? Maybe, but currently building an ENGINE implementation as - a shared-library that can be loaded by "dynamic" isn't automated in - OpenSSL's build process. It can be done manually quite easily however. - Such a shared-library can either be built with any OpenSSL code it - needs statically linked in, or it can link dynamically against OpenSSL - if OpenSSL itself is built as a shared library. The instructions are - the same in each case, but in the former (statically linked any - dependencies on OpenSSL) you must ensure OpenSSL is built with - position-independent code ("PIC"). The default OpenSSL compilation may - already specify the relevant flags to do this, but you should consult - with your compiler documentation if you are in any doubt. - - This example will show building the "atalla" ENGINE in the - crypto/engine/ directory as a shared-library for use via the "dynamic" - ENGINE. - - 1. "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL - source tree. - - 2. Recompile at least one source file so you can see all the compiler - flags (and syntax) being used to build normally. Eg; - - touch hw_atalla.c ; make - - will rebuild "hw_atalla.o" using all such flags. - - 3. Manually enter the same compilation line to compile the - "hw_atalla.c" file but with the following two changes; - * add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches, - * change the output file from "hw_atalla.o" to something new, - eg. "tmp_atalla.o" - - 4. Link "tmp_atalla.o" into a shared-library using the top-level - OpenSSL libraries to resolve any dependencies. The syntax for doing - this depends heavily on your system/compiler and is a nightmare - known well to anyone who has worked with shared-library portability - before. 'gcc' on Linux, for example, would use the following syntax; - - gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto - - 5. Test your shared library using "openssl engine" as explained in the - previous section. Eg. from the top-level directory, you might try - - apps/openssl engine -vvvv dynamic \ - -pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD - - If the shared-library loads successfully, you will see both "-pre" - commands marked as "SUCCESS" and the list of control commands - displayed (because of "-vvvv") will be the control commands for the - *atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add - the "-t" switch to the utility if you want it to try and initialise - the atalla ENGINE for use to test any possible hardware/driver issues. - - PROBLEMS - ======== - - It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32. - A quick test done right before the release showed that trying "openssl speed - -engine cswift" generated errors. If the DSO gets enabled, an attempt is made - to write at memory address 0x00000002. - diff --git a/README-PROVIDERS.md b/README-PROVIDERS.md new file mode 100644 index 0000000000..5092d039f3 --- /dev/null +++ b/README-PROVIDERS.md @@ -0,0 +1,151 @@ +Providers +========= + + - [Standard Providers](#standard-providers) + - [The Default Provider](#the-default-provider) + - [The Legacy Provider](#the-legacy-provider) + - [The FIPS Provider](#the-fips-provider) + - [The Base Provider](#the-base-provider) + - [The Null Provider](#the-null-provider) + - [Loading Providers](#loading-providers) + + +Standard Providers +================== + +Providers are containers for algorithm implementations. Whenever a cryptographic +algorithm is used via the high level APIs a provider is selected. It is that +provider implementation that actually does the required work. There are five +providers distributed with OpenSSL. In the future we expect third parties to +distribute their own providers which can be added to OpenSSL dynamically. +Documentation about writing providers is available on the [provider(7)] +manual page. + + [provider(7)]: https://www.openssl.org/docs/manmaster/man7/provider.html + + +The Default Provider +-------------------- + +The default provider collects together all of the standard built-in OpenSSL +algorithm implementations. If an application doesn't specify anything else +explicitly (e.g. in the application or via config), then this is the provider +that will be used. It is loaded automatically the first time that we try to +get an algorithm from a provider if no other provider has been loaded yet. +If another provider has already been loaded then it won't be loaded +automatically. Therefore if you want to use it in conjunction with other +providers then you must load it explicitly. + +This is a "built-in" provider which means that it is compiled and linked +into the libcrypto library and does not exist as a separate standalone module. + +The Legacy Provider +------------------- + +The legacy provider is a collection of legacy algorithms that are either no +longer in common use or considered insecure and strongly discouraged from use. +However, some applications may need to use these algorithms for backwards +compatibility reasons. This provider is **not** loaded by default. +This may mean that some applications upgrading from earlier versions of OpenSSL +may find that some algorithms are no longer available unless they load the +legacy provider explicitly. + +Algorithms in the legacy provider include MD2, MD4, MDC2, RMD160, CAST5, +BF (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES). + +The FIPS Provider +----------------- + +The FIPS provider contains a sub-set of the algorithm implementations available +from the default provider, consisting of algorithms conforming to FIPS standards. +It is intended that this provider will be FIPS140-2 validated. + +In some cases there may be minor behavioural differences between algorithm +implementations in this provider compared to the equivalent algorithm in the +default provider. This is typically in order to conform to FIPS standards. + +The Base Provider +----------------- + +The base provider contains a small sub-set of non-cryptographic algorithms +available in the default provider. For example, it contains algorithms to +serialize and deserialize keys to files. If you do not load the default +provider then you should always load this one instead (in particular, if +you are using the FIPS provider). + +The Null Provider +----------------- + +The null provider is "built-in" to libcrypto and contains no algorithm +implementations. In order to guarantee that the default provider is not +automatically loaded, the null provider can be loaded instead. + +This can be useful if you are using non-default library contexts and want +to ensure that the default library context is never used unintentionally. + + +Loading Providers +================= + + +Providers to be loaded can be specified in the OpenSSL config file. +See the [config(5)] manual page for information about how to configure +providers via the config file, and how to automatically activate them. + + [config(5)]: https://www.openssl.org/docs/manmaster/man5/config.html + +The following is a minimal config file example to load and activate both +the legacy and the default provider in the default library context. + + openssl_conf = openssl_init + + [openssl_init] + providers = provider_sect + + [provider_sect] + default = default_sect + legacy = legacy_sect + + [default_sect] + activate = 1 + + [legacy_sect] + activate = 1 + + +It is also possible to load providers programmatically. For example you can +load the legacy provider into the default library context as shown below. +Note that once you have explicitly loaded a provider into the library context +the default provider will no longer be automatically loaded. Therefore you will +often also want to explicitly load the default provider, as is done here: + + + #include + #include + + #include + + int main(void) + { + OSSL_PROVIDER *legacy; + OSSL_PROVIDER *deflt; + + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + printf("Failed to load Legacy provider\n"); + exit(EXIT_FAILURE); + } + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + printf("Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + exit(EXIT_FAILURE); + } + + /* Rest of application */ + + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); + exit(EXIT_SUCCESS); + } diff --git a/README.md b/README.md index d50114e272..680faea76f 100644 --- a/README.md +++ b/README.md @@ -105,13 +105,13 @@ detailed instructions about building and installing OpenSSL. For some platforms, the installation instructions are amended by a platform specific document. - * [NOTES-Android.md](NOTES-Android.md) - * [NOTES-DJGPP.md](NOTES-DJGPP.md) - * [NOTES-Unix.md](NOTES-Unix.md) - * [NOTES-VMS.md](NOTES-VMS.md) - * [NOTES-Windows.txt](NOTES-Windows.txt) - * [NOTES-Perl.md](NOTES-Perl.md) - * [NOTES-Valgrind.md](NOTES-Valgrind.md) + * [Notes for UNIX-like platforms](NOTES-UNIX.md) + * [Notes for Android platforms](NOTES-ANDROID.md) + * [Notes for Windows platforms](NOTES-WINDOWS.md) + * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md) + * [Notes for the OpenVMS platform](NOTES-VMS.md) + * [Notes on Perl](NOTES-PERL.md) + * [Notes on Valgrind](NOTES-VALGRIND.md) Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the [OpenSSL 3.0 Wiki] page. From no-reply at appveyor.com Fri Feb 12 22:17:20 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 12 Feb 2021 22:17:20 +0000 Subject: Build failed: openssl master.39832 Message-ID: <20210212221720.1.EFCC83D1B55A759C@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Fri Feb 12 22:18:34 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 12 Feb 2021 22:18:34 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 Message-ID: <1613168314.309612.1828714.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 926 wallclock secs (12.61 usr 1.44 sys + 841.85 cusr 87.00 csys = 942.90 CPU) Result: FAIL make[1]: *** [Makefile:3276: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2' make: *** [Makefile:3273: tests] Error 2 From openssl at openssl.org Fri Feb 12 23:04:12 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 12 Feb 2021 23:04:12 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1613171052.045496.1934526.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8091C7549E7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8091C7549E7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/W9FDP_a_p6 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8071C2A78B7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8071C2A78B7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8071C2A78B7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8071C2A78B7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8071C2A78B7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8071C2A78B7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/W9FDP_a_p6 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 681 wallclock secs (10.94 usr 1.06 sys + 610.99 cusr 67.93 csys = 690.92 CPU) Result: FAIL make[1]: *** [Makefile:3264: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3261: tests] Error 2 From no-reply at appveyor.com Sat Feb 13 00:23:39 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 00:23:39 +0000 Subject: Build failed: openssl master.39833 Message-ID: <20210213002339.1.4134E260C772C793@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Sat Feb 13 00:45:27 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 13 Feb 2021 00:45:27 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method Message-ID: <1613177127.819591.2142079.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 820 wallclock secs (12.64 usr 1.37 sys + 735.89 cusr 88.18 csys = 838.08 CPU) Result: FAIL make[1]: *** [Makefile:3265: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method' make: *** [Makefile:3262: tests] Error 2 From openssl at openssl.org Sat Feb 13 01:36:15 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 13 Feb 2021 01:36:15 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1613180175.384582.2247969.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD 3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION af53092c2b Replace provider digest flags with separate param fields a054d15c22 Replace provider cipher flags with separate param fields 36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. 8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data. 7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) 364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use 990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification 579262af14 x509_vfy.c: Fix various coding style and documentation style nits 93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes 4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() 604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text e60a748a13 Configuration: ensure that 'no-tests' works correctly 3f71add9e5 Enable fipsload test on NonStop x86. 50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics 2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods. Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80A100CF557F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80A100CF557F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/cbIWd4Hyj9 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8031F19C0D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8031F19C0D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8031F19C0D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8031F19C0D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8031F19C0D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8031F19C0D7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/cbIWd4Hyj9 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 1006 wallclock secs (14.38 usr 1.41 sys + 909.22 cusr 94.46 csys = 1019.47 CPU) Result: FAIL make[1]: *** [Makefile:3256: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3253: tests] Error 2 From no-reply at appveyor.com Sat Feb 13 02:59:39 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 02:59:39 +0000 Subject: Build completed: openssl master.39834 Message-ID: <20210213025939.1.EB727D19ED742AE1@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Sat Feb 13 03:45:58 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sat, 13 Feb 2021 03:45:58 +0000 Subject: [openssl] master update Message-ID: <1613187958.352464.20963.nullmailer@dev.openssl.org> The branch master has been updated via bae39163409ac3b8a1c579c2bcfbdae35370a133 (commit) from 70f23648827c2c8e6386e483c557e6e935b3103f (commit) - Log ----------------------------------------------------------------- commit bae39163409ac3b8a1c579c2bcfbdae35370a133 Author: Disconnect3d Date: Thu Feb 11 20:00:40 2021 +0100 passwd.c: use the actual ROUNDS_DEFAULT macro Before this commit, the `ROUNDS_DEFAULT` macro was not used at all, while defined in the source code. Instead, a `unsigned int rounds = 5000;` was set, which uses the same value. This commit changes the `5000` to `ROUNDS_DEFAULT`. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14156) ----------------------------------------------------------------------- Summary of changes: apps/passwd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/passwd.c b/apps/passwd.c index 08b94622da..6e58112363 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -516,7 +516,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) EVP_MD_CTX *md = NULL, *md2 = NULL; const EVP_MD *sha = NULL; size_t passwd_len, salt_len, magic_len; - unsigned int rounds = 5000; /* Default */ + unsigned int rounds = ROUNDS_DEFAULT; /* Default */ char rounds_custom = 0; char *p_bytes = NULL; char *s_bytes = NULL; From no-reply at appveyor.com Sat Feb 13 06:09:00 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 06:09:00 +0000 Subject: Build failed: openssl master.39840 Message-ID: <20210213060900.1.44B8F78DA500F462@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 07:20:31 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 07:20:31 +0000 Subject: Build completed: openssl master.39841 Message-ID: <20210213072031.1.D97742291B57D8BD@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 12:44:22 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 12:44:22 +0000 Subject: Build failed: openssl master.39845 Message-ID: <20210213124422.1.E2228F3BBF8E4720@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 13:28:19 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 13:28:19 +0000 Subject: Build failed: openssl master.39846 Message-ID: <20210213132819.1.CF3580D3A34E6FEF@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 14:55:52 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 14:55:52 +0000 Subject: Build completed: openssl master.39847 Message-ID: <20210213145552.1.EBC378877B82091C@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 19:06:14 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 19:06:14 +0000 Subject: Build failed: openssl master.39852 Message-ID: <20210213190614.1.E1605B6FC1A8E3F5@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 20:06:28 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 20:06:28 +0000 Subject: Build failed: openssl master.39853 Message-ID: <20210213200628.1.9C2EDE31578083B3@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 22:30:51 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 22:30:51 +0000 Subject: Build failed: openssl master.39855 Message-ID: <20210213223051.1.436CB4AA3DD2D93C@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 13 22:50:44 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 13 Feb 2021 22:50:44 +0000 Subject: Build failed: openssl master.39856 Message-ID: <20210213225044.1.EEA8197E225FE42B@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Feb 14 00:23:25 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 14 Feb 2021 00:23:25 +0000 Subject: Build completed: openssl master.39857 Message-ID: <20210214002325.1.2330F6D72FD0E4D5@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Sun Feb 14 06:49:12 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 14 Feb 2021 06:49:12 +0000 Subject: [openssl] master update Message-ID: <1613285352.870601.32329.nullmailer@dev.openssl.org> The branch master has been updated via 8a43091bc7c021ae90101473ade8ee4f52976482 (commit) from bae39163409ac3b8a1c579c2bcfbdae35370a133 (commit) - Log ----------------------------------------------------------------- commit 8a43091bc7c021ae90101473ade8ee4f52976482 Author: Shane Lontis Date: Fri Feb 12 14:17:23 2021 +1000 Remove dead code in rsa_pkey_ctrl. Fixes CID #1472393 Previously this switch handled CMS & PCKS7 controls (e.g ANS1_PKEY_CTRL_PKCS7_SIGN) which fell thru to the dead code to set the X509_ALG. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14163) ----------------------------------------------------------------------- Summary of changes: crypto/rsa/rsa_ameth.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index e2dec1c98d..479155b90b 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -486,7 +486,6 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { - X509_ALGOR *alg = NULL; const EVP_MD *md; const EVP_MD *mgf1md; int min_saltlen; @@ -508,14 +507,7 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) default: return -2; - } - - if (alg) - X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); - - return 1; - } /* From pauli at openssl.org Sun Feb 14 06:50:30 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 14 Feb 2021 06:50:30 +0000 Subject: [openssl] master update Message-ID: <1613285430.827265.1139.nullmailer@dev.openssl.org> The branch master has been updated via 09c77b87ae5a7c2b7b6046aa1caa50080cdaa3a3 (commit) from 8a43091bc7c021ae90101473ade8ee4f52976482 (commit) - Log ----------------------------------------------------------------- commit 09c77b87ae5a7c2b7b6046aa1caa50080cdaa3a3 Author: Pauli Date: Fri Feb 12 20:06:10 2021 +1000 Remove an unnecessary free call. https://github.com/openssl/openssl/commit/64954e2f34b8839ca7ad1e9576a6efaf3e49e17c#r47045920 Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14165) ----------------------------------------------------------------------- Summary of changes: crypto/evp/p_lib.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index fe53b62cdd..8cf65d6a34 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1627,9 +1627,7 @@ void evp_pkey_free_legacy(EVP_PKEY *x) static void evp_pkey_free_it(EVP_PKEY *x) { /* internal function; x is never NULL */ - evp_keymgmt_util_clear_operation_cache(x, 1); - sk_OP_CACHE_ELEM_free(x->operation_cache); #ifndef FIPS_MODULE evp_pkey_free_legacy(x); #endif From scan-admin at coverity.com Sun Feb 14 07:52:00 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 14 Feb 2021 07:52:00 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <6028d69feee5c_dc2ed2aedd7a74f503966e@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DH3L0_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHvf7YAvY7sdAqsWERYRtrgXXArvBHoXtdsJ7kvSBGFJfxOYSg1o7keQqL4cIxQpc-2BCxrtoBS5xJHh1tirnLwjs8QyC20pBMLdB6M-2Bi3t5L4REHlWpkALi4hg7O2-2FLFTz-2BfTR-2BSmDD3y63RMlhu9McCIF38QedUsD7-2Bs415Nb9pX4ZUxAdyv50fnsd-2BA5EWcZI-3D Build ID: 369360 Analysis Summary: New defects found: 4 Defects eliminated: 3 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3DtYxQ_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHvf7YAvY7sdAqsWERYRtrgXXArvBHoXtdsJ7kvSBGFJVwx6O0TbM88XCBf3yPBR4Ou6ATcSedTyRiMMmVrhe58e0nHWsWy6tgR9V1RpXYYXI0-2BGfC0tXcOgJMTrq87DIAhcNsZXVPCjyFU1Q-2F-2FJsCPwHswWAECFHtLhG8gRGhq-2FyQMCZFk0TCqTkF91uCLqGo-3D From scan-admin at coverity.com Sun Feb 14 07:53:11 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 14 Feb 2021 07:53:11 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <6028d6e763576_dc4b02aedd7a74f50396f0@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Dnz4e_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFYNUrkT194x6ccWkD04nxchCYiQyRNd5-2Bqqaan-2BwmUFdiwn9LkKSZCkd9vx4g6cDZif-2B0bAv0lxA5DNmgF5Md8G3v8-2BL8I6aV-2BYOy2fI3vVYUtjZ4a4xY88KGU7h2HtfuqzRFBxClJGGdOsXenS0XntdEyen2AFwAZXgZg-2BoyjzqNnCtcpcF6KOtiahBOU0UgWVh9v3A-2FGI-2BeYbflWhh0x Build ID: 369361 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Sun Feb 14 21:46:32 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 14 Feb 2021 21:46:32 +0000 Subject: [tools] master update Message-ID: <1613339192.443987.26050.nullmailer@dev.openssl.org> The branch master has been updated via af3ebdeb6cc591cf92a3790ae091a11bf8da7e9a (commit) from bd6c6f78c080744a0092f04c04b7a38121ddcff3 (commit) - Log ----------------------------------------------------------------- commit af3ebdeb6cc591cf92a3790ae091a11bf8da7e9a Author: Pauli Date: Wed Feb 10 22:09:19 2021 +1000 Add a run-checker job that uses the no-cached-fetch option. This cannot be merged until after #14126 is. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/tools/pull/82) ----------------------------------------------------------------------- Summary of changes: run-checker/run-checker.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/run-checker/run-checker.sh b/run-checker/run-checker.sh index 441fc60..05d6332 100755 --- a/run-checker/run-checker.sh +++ b/run-checker/run-checker.sh @@ -43,7 +43,7 @@ enable-unit-test no-whirlpool enable-weak-ssl-ciphers enable-zlib enable-zlib-dynamic 386 no-dtls no-tls no-ssl3 no-tls1 no-tls1_1 no-tls1_2 no-dtls1 no-dtls1_2 no-ssl3-method no-tls1-method no-tls1_1-method no-tls1_2-method no-dtls1-method no-dtls1_2-method no-siphash no-tls1_3 no-sm2 -no-sm3 no-sm4 enable-trace no-legacy) +no-sm3 no-sm4 enable-trace no-legacy no-cached-fetch) run-hook () { local hookname=$1; shift @@ -119,6 +119,8 @@ if run-hook prepare; then #The gost engine uses some deprecated symbols so we don't use it #in a no-deprecated build gost_engine="" + elif [ "$opt" == "no-cached-fetch" ]; then + expandedopts="no-cached-fetch enable-asan enable-ubsan" fi if [ -z "$opt" ]; then From openssl at openssl.org Mon Feb 15 01:04:23 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 15 Feb 2021 01:04:23 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1613351063.488635.2869246.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sslapitest \ test/helpers/sslapitest-bin-ssltestlib.o \ test/sslapitest-bin-filterprov.o \ test/sslapitest-bin-sslapitest.o \ test/sslapitest-bin-tls-provider.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/sslbuffertest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sslbuffertest \ test/helpers/sslbuffertest-bin-ssltestlib.o \ test/sslbuffertest-bin-sslbuffertest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/sslcorrupttest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sslcorrupttest \ test/helpers/sslcorrupttest-bin-ssltestlib.o \ test/sslcorrupttest-bin-sslcorrupttest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/sysdefaulttest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sysdefaulttest \ test/sysdefaulttest-bin-sysdefaulttest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13ccstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13ccstest \ test/helpers/tls13ccstest-bin-ssltestlib.o \ test/tls13ccstest-bin-tls13ccstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13secretstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13secretstest \ crypto/tls13secretstest-bin-packet.o \ ssl/tls13secretstest-bin-tls13_enc.o \ test/tls13secretstest-bin-tls13secretstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/uitest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/uitest \ apps/lib/uitest-bin-apps_ui.o test/uitest-bin-uitest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread make[1]: Leaving directory '/home/openssl/run-checker/no-asm' $ make test make depend && make _tests make[1]: Entering directory '/home/openssl/run-checker/no-asm' make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make[1]: Entering directory '/home/openssl/run-checker/no-asm' ( SRCTOP=../openssl \ BLDTOP=. \ PERL="/usr/bin/perl" \ FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \ EXE_EXT= \ /usr/bin/perl ../openssl/test/run_tests.pl ) 01-test_abort.t .................... ok 01-test_sanity.t ................... ok 01-test_symbol_presence.t .......... ok 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok Terminated make[1]: *** [Makefile:3267: _tests] Error 143 make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make: *** [Makefile:3264: tests] Terminated From shane.lontis at oracle.com Mon Feb 15 01:23:16 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Mon, 15 Feb 2021 01:23:16 +0000 Subject: [openssl] master update Message-ID: <1613352196.276696.29055.nullmailer@dev.openssl.org> The branch master has been updated via 99c166a1b0408e6d5c6efdc402fa859652048751 (commit) from 09c77b87ae5a7c2b7b6046aa1caa50080cdaa3a3 (commit) - Log ----------------------------------------------------------------- commit 99c166a1b0408e6d5c6efdc402fa859652048751 Author: Shane Lontis Date: Wed Nov 11 17:50:17 2020 +1000 Add docs for ASN1_item_sign and ASN1_item_verify functions This is to address part of issue #13192. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13373) ----------------------------------------------------------------------- Summary of changes: doc/man3/ASN1_item_sign.pod | 226 ++++++++++++++++++++++++++++++++++++++++++++ util/missingcrypto.txt | 6 -- 2 files changed, 226 insertions(+), 6 deletions(-) create mode 100644 doc/man3/ASN1_item_sign.pod diff --git a/doc/man3/ASN1_item_sign.pod b/doc/man3/ASN1_item_sign.pod new file mode 100644 index 0000000000..407268bf17 --- /dev/null +++ b/doc/man3/ASN1_item_sign.pod @@ -0,0 +1,226 @@ +=pod + +=head1 NAME + +ASN1_item_sign, ASN1_item_sign_ex, ASN1_item_sign_ctx, +ASN1_item_verify, ASN1_item_verify_ex, ASN1_item_verify_ctx - +ASN1 sign and verify + +=head1 SYNOPSIS + + #include + + int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1, + X509_ALGOR *algor2, ASN1_BIT_STRING *signature, + const void *data, const ASN1_OCTET_STRING *id, + EVP_PKEY *pkey, const EVP_MD *md, OSSL_LIB_CTX *libctx, + const char *propq); + + int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, + ASN1_BIT_STRING *signature, const void *data, + EVP_PKEY *pkey, const EVP_MD *md); + + int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, + X509_ALGOR *algor2, ASN1_BIT_STRING *signature, + const void *data, EVP_MD_CTX *ctx); + + int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg, + const ASN1_BIT_STRING *signature, const void *data, + const ASN1_OCTET_STRING *id, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const char *propq); + + int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg, + const ASN1_BIT_STRING *signature, const void *data, + EVP_PKEY *pkey); + + int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, + const ASN1_BIT_STRING *signature, const void *data, + EVP_MD_CTX *ctx); + +=head1 DESCRIPTION + +ASN1_item_sign_ex() is used to sign arbitrary ASN1 data using a data object +I, the ASN.1 structure I, private key I and message digest I. +The data that is signed is formed by taking the data object in I and +converting it to der format using the ASN.1 structure I. +The I that will be signed, and a structure containing the signature may +both have a copy of the B. The ASN1_item_sign_ex() function will +write the correct B to the structs based on the algorithms and +parameters that have been set up. If one of I or I points to the +B of the I to be signed, then that B will first be +written before the signature is generated. +Examples of valid values that can be used by the ASN.1 structure I are +ASN1_ITEM_rptr(X509_CINF), ASN1_ITEM_rptr(X509_REQ_INFO) and +ASN1_ITEM_rptr(X509_CRL_INFO). +The B specified in I and the property query string +specified in I are used when searching for algorithms in providers. +The generated signature is set into I. +The optional parameter I can be NULL, but can be set for special key types. +See EVP_PKEY_CTX_set1_id() for further info. The output parameters and +I are ignored if they are NULL. + +ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of +NULL for the I, I and I. + +ASN1_item_sign_ctx() is similiar to ASN1_item_sign() but uses the parameters +contained in digest context I. + +ASN1_item_verify_ex() is used to verify the signature I of internal +data I using the public key I and algorithm identifier I. +The data that is verified is formed by taking the data object in I and +converting it to der format using the ASN.1 structure I. +The B specified in I and the property query string +specified in I are used when searching for algorithms in providers. +The optional parameter I can be NULL, but can be set for special key types. +See EVP_PKEY_CTX_set1_id() for further info. + +ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of +NULL for the I, I and I. + +ASN1_item_verify_ctx() is similiar to ASN1_item_verify() but uses the parameters +contained in digest context I. + + +=head1 RETURN VALUES + +All sign functions return the size of the signature in bytes for success and +zero for failure. + +All verify functions return 1 if the signature is valid and 0 if the signature +check fails. If the signature could not be checked at all because it was +ill-formed or some other error occurred then -1 is returned. + +=head1 EXAMPLES + +In the following example a 'MyObject' object is signed using the key contained +in an EVP_MD_CTX. The signature is written to MyObject.signature. The object is +then output in DER format and then loaded back in and verified. + + #include + #include + + /* An object used to store the ASN1 data fields that will be signed */ + typedef struct MySignInfoObject_st + { + ASN1_INTEGER *version; + X509_ALGOR sig_alg; + } MySignInfoObject; + + DECLARE_ASN1_FUNCTIONS(MySignInfoObject) + /* + * A higher level object containing the ASN1 fields, signature alg and + * output signature. + */ + typedef struct MyObject_st + { + MySignInfoObject info; + X509_ALGOR sig_alg; + ASN1_BIT_STRING *signature; + } MyObject; + + DECLARE_ASN1_FUNCTIONS(MyObject) + + /* The ASN1 definition of MySignInfoObject */ + ASN1_SEQUENCE_cb(MySignInfoObject, NULL) = { + ASN1_SIMPLE(MySignInfoObject, version, ASN1_INTEGER) + ASN1_EMBED(MySignInfoObject, sig_alg, X509_ALGOR), + } ASN1_SEQUENCE_END_cb(MySignInfoObject, MySignInfoObject) + + /* new, free, d2i & i2d functions for MySignInfoObject */ + IMPLEMENT_ASN1_FUNCTIONS(MySignInfoObject) + + /* The ASN1 definition of MyObject */ + ASN1_SEQUENCE_cb(MyObject, NULL) = { + ASN1_EMBED(MyObject, info, MySignInfoObject), + ASN1_EMBED(MyObject, sig_alg, X509_ALGOR), + ASN1_SIMPLE(MyObject, signature, ASN1_BIT_STRING) + } ASN1_SEQUENCE_END_cb(MyObject, MyObject) + + /* new, free, d2i & i2d functions for MyObject */ + IMPLEMENT_ASN1_FUNCTIONS(MyObject) + + int test_asn1_item_sign_verify(const char *mdname, EVP_PKEY *pkey, long version) + { + int ret = 0; + unsigned char *obj_der = NULL; + const unsigned char *p = NULL; + MyObject *obj = NULL, *loaded_obj = NULL; + const ASN1_ITEM *it = ASN1_ITEM_rptr(MySignInfoObject); + EVP_MD_CTX *sctx = NULL, *vctx = NULL; + int len; + + /* Create MyObject and set its version */ + obj = MyObject_new(); + if (obj == NULL) + goto err; + if (!ASN1_INTEGER_set(obj->info.version, version)) + goto err; + + /* Set the key and digest used for signing */ + sctx = EVP_MD_CTX_new(); + if (sctx == NULL + || !EVP_DigestSignInit_ex(sctx, NULL, mdname, NULL, NULL, pkey)) + goto err; + + /* + * it contains the mapping between ASN.1 data and an object MySignInfoObject + * obj->info is the 'MySignInfoObject' object that will be + * converted into DER data and then signed. + * obj->signature will contain the output signature. + * obj->sig_alg is filled with the private key's signing algorithm id. + * obj->info.sig_alg is another copy of the signing algorithm id that sits + * within MyObject. + */ + len = ASN1_item_sign_ctx(it, &obj->sig_alg, &obj->info.sig_alg, + obj->signature, &obj->info, sctx); + if (len <= 0 + || X509_ALGOR_cmp(&obj->sig_alg, &obj->info.sig_alg) != 0) + goto err; + + /* Output MyObject in der form */ + len = i2d_MyObject(obj, &obj_der); + if (len <= 0) + goto err; + + /* Set the key and digest used for verifying */ + vctx = EVP_MD_CTX_new(); + if (vctx == NULL + || !EVP_DigestVerifyInit_ex(vctx, NULL, mdname, NULL, NULL, pkey)) + goto err; + + /* Load the der data back into an object */ + p = obj_der; + loaded_obj = d2i_MyObject(NULL, &p, len); + if (loaded_obj == NULL) + goto err; + /* Verify the loaded object */ + ret = ASN1_item_verify_ctx(it, &loaded_obj->sig_alg, loaded_obj->signature, + &loaded_obj->info, vctx); +err: + OPENSSL_free(obj_der); + MyObject_free(loaded_obj); + MyObject_free(obj); + EVP_MD_CTX_free(sctx); + EVP_MD_CTX_free(vctx); + return ret; + } + +=head1 SEE ALSO + +L, +L + +=head1 HISTORY + +ASN1_item_sign_ex() and ASN1_item_verify_ex() were added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 169aab1bd6..85f03fc9cc 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -154,13 +154,7 @@ ASN1_item_ndef_i2d(3) ASN1_item_new(3) ASN1_item_pack(3) ASN1_item_print(3) -ASN1_item_sign(3) -ASN1_item_sign_ctx(3) -ASN1_item_sign_ex(3) ASN1_item_unpack(3) -ASN1_item_verify(3) -ASN1_item_verify_ctx(3) -ASN1_item_verify_ex(3) ASN1_mbstring_copy(3) ASN1_mbstring_ncopy(3) ASN1_object_size(3) From openssl at openssl.org Mon Feb 15 01:55:20 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 15 Feb 2021 01:55:20 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1613354120.183757.2981096.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3130, 967 wallclock secs (14.79 usr 1.23 sys + 871.84 cusr 92.19 csys = 980.05 CPU) Result: FAIL make[1]: *** [Makefile:3289: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3286: tests] Error 2 From shane.lontis at oracle.com Mon Feb 15 04:14:12 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Mon, 15 Feb 2021 04:14:12 +0000 Subject: [openssl] master update Message-ID: <1613362452.017281.8441.nullmailer@dev.openssl.org> The branch master has been updated via 63ae8476796510c15163c9bd18998ccef6c1de16 (commit) from 99c166a1b0408e6d5c6efdc402fa859652048751 (commit) - Log ----------------------------------------------------------------- commit 63ae8476796510c15163c9bd18998ccef6c1de16 Author: Benjamin Kaduk Date: Thu Feb 11 16:10:50 2021 -0800 x509_vfy: remove redundant stack allocation Fix CID 1472833 by removing a codepath that attempts to allocate a stack if not already allocated, when the stack was already allocated unconditionally a few lines previously. Interestingly enough, this additional allocation path (and the comment describing the need for it) were added in commit 69664d6af0cdd7738f55d10fbbe46cdf15f72e0e, also prompted by Coverity(!). It seems that the intervening (and much more recent) commit d53b437f9992f974c1623e9b9b9bdf053aefbcc3 that allowed sk_X509_dup() to accept a NULL argument allowed the earlier initialization path to unconditionally allocate a stack, rendering this later allocation fully redundant. Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14161) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 58598bbf1f..4e192abec4 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3033,17 +3033,9 @@ static int build_chain(X509_STORE_CTX *ctx) /* * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add - * them to our working copy of the untrusted certificate stack. Since the - * caller of X509_STORE_CTX_init() may have provided only a leaf cert with - * no corresponding stack of untrusted certificates, we may need to create - * an empty stack first. [ At present only the ssl library provides DANE - * support, and ssl_verify_cert_chain() always provides a non-null stack - * containing at least the leaf certificate, but we must be prepared for - * this to change. ] + * them to our working copy of the untrusted certificate stack. */ if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL) - goto memerr; if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) { sk_X509_free(sk_untrusted); goto memerr; From shane.lontis at oracle.com Mon Feb 15 04:17:27 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Mon, 15 Feb 2021 04:17:27 +0000 Subject: [openssl] master update Message-ID: <1613362647.744636.10044.nullmailer@dev.openssl.org> The branch master has been updated via 93e43f4c47ea3ec3b916c0a7fcd4912f47460416 (commit) from 63ae8476796510c15163c9bd18998ccef6c1de16 (commit) - Log ----------------------------------------------------------------- commit 93e43f4c47ea3ec3b916c0a7fcd4912f47460416 Author: Benjamin Kaduk Date: Thu Feb 11 15:52:54 2021 -0800 RSA: avoid dereferencing possibly-NULL parameter in initializers Fix CID 1472835: the explicit NULL check for prsactx is useless when we have already dereferenced it in the initializers. Move the actual initialization to the function body to get the logic sequenced properly. Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14160) ----------------------------------------------------------------------- Summary of changes: providers/implementations/signature/rsa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 98e3a2d1f4..4cdd90a5c6 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -1107,8 +1107,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; const OSSL_PARAM *p; - int pad_mode = prsactx->pad_mode; - int saltlen = prsactx->saltlen; + int pad_mode; + int saltlen; char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL; char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL; char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL; @@ -1116,6 +1116,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) if (prsactx == NULL || params == NULL) return 0; + pad_mode = prsactx->pad_mode; + saltlen = prsactx->saltlen; p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); /* Not allowed during certain operations */ From shane.lontis at oracle.com Mon Feb 15 04:32:08 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Mon, 15 Feb 2021 04:32:08 +0000 Subject: [openssl] master update Message-ID: <1613363528.420485.13081.nullmailer@dev.openssl.org> The branch master has been updated via 9dc9c7f2d7f25e100dd7d80e9bc51e205033cd8c (commit) via 0217e53e33a9561c6d911df9ec7e99195be7de62 (commit) via 899e25643dc63a84a924d08f86d7d19613714431 (commit) via aee73562d17499f2660c14f8c150459097680a1d (commit) from 93e43f4c47ea3ec3b916c0a7fcd4912f47460416 (commit) - Log ----------------------------------------------------------------- commit 9dc9c7f2d7f25e100dd7d80e9bc51e205033cd8c Author: Matt Caswell Date: Wed Feb 10 14:18:47 2021 +0000 Document the newly added function EVP_PKEY_param_check_quick() Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14146) commit 0217e53e33a9561c6d911df9ec7e99195be7de62 Author: Matt Caswell Date: Wed Feb 10 12:29:36 2021 +0000 Fix the dhparam_check test genpkey can sometimes create files that fail "openssl dhparam -check". See issue #14145. We had some instances of such invalid files in the dhparam_check test. Now that "openssl dhparam -check" has been fixed to work the same way as it did in 1.1.1 these tests were failing. We move the invalid files inot the "invalid" directory. A future PR will have to fix genpkey to not generate invalid files. We also remove a "SKIP" block that was skipping tests in a no deprecated build unnecessarily. Nothing being tested is deprecated. Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14146) commit 899e25643dc63a84a924d08f86d7d19613714431 Author: Matt Caswell Date: Tue Feb 9 15:50:05 2021 +0000 Implement EVP_PKEY_param_check_quick() and use it in libssl The low level DH API has two functions for checking parameters: DH_check_ex() and DH_check_params_ex(). The former does a "full" check, while the latter does a "quick" check. Most importantly it skips the check for a safe prime. We're ok without using safe primes here because we're doing ephemeral DH. Now that libssl is fully using the EVP API, we need a way to specify that we want a quick check instead of a full check. Therefore we introduce EVP_PKEY_param_check_quick() and use it. Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14146) commit aee73562d17499f2660c14f8c150459097680a1d Author: Matt Caswell Date: Tue Feb 9 15:12:09 2021 +0000 Run DH_check_ex() not DH_check_params_ex() when checking params Both DH_check_ex() and DH_check_params_ex() check the parameters. DH_check_ex() performs a more complete check, while DH_check_params_ex() performs a lightweight check. In 1.1.1 EVP_PKEY_param_check() would call DH_check_ex() for DH keys. For backwards compatibility we should continue with that behaviour. Fixes #13501 Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14146) ----------------------------------------------------------------------- Summary of changes: crypto/evp/keymgmt_meth.c | 4 +-- crypto/evp/pmeth_check.c | 31 ++++++++++++++++------ doc/man3/EVP_PKEY_check.pod | 15 ++++++++--- doc/man7/provider-keymgmt.pod | 9 +++++-- include/crypto/evp.h | 2 +- include/openssl/core_dispatch.h | 6 ++++- include/openssl/evp.h | 1 + providers/implementations/keymgmt/dh_kmgmt.c | 15 ++++++++--- providers/implementations/keymgmt/dsa_kmgmt.c | 2 +- providers/implementations/keymgmt/ec_kmgmt.c | 4 +-- providers/implementations/keymgmt/ecx_kmgmt.c | 8 +++--- providers/implementations/keymgmt/rsa_kmgmt.c | 2 +- ssl/statem/statem_clnt.c | 8 +++++- test/recipes/20-test_dhparam_check.t | 27 +++++++------------ .../dh5114_1.pem => invalid/dh5114_1_pkcs3.pem} | 0 .../dh5114_2.pem => invalid/dh5114_2_pkcs3.pem} | 0 .../dh5114_3.pem => invalid/dh5114_3_pkcs3.pem} | 0 .../dh_p1024_t1862_pkcs3.pem} | 0 .../dh_p2048_t1862_pkcs3.pem} | 0 .../dh_p2048_t1864_pkcs3.pem} | 0 .../dh_p3072_t1862_pkcs3.pem} | 0 util/libcrypto.num | 1 + 22 files changed, 87 insertions(+), 48 deletions(-) rename test/recipes/20-test_dhparam_check_data/{valid/dh5114_1.pem => invalid/dh5114_1_pkcs3.pem} (100%) rename test/recipes/20-test_dhparam_check_data/{valid/dh5114_2.pem => invalid/dh5114_2_pkcs3.pem} (100%) rename test/recipes/20-test_dhparam_check_data/{valid/dh5114_3.pem => invalid/dh5114_3_pkcs3.pem} (100%) rename test/recipes/20-test_dhparam_check_data/{valid/dh_p1024_t1862.pem => invalid/dh_p1024_t1862_pkcs3.pem} (100%) rename test/recipes/20-test_dhparam_check_data/{valid/dh_p2048_t1862.pem => invalid/dh_p2048_t1862_pkcs3.pem} (100%) rename test/recipes/20-test_dhparam_check_data/{valid/dh_p2048_t1864.pem => invalid/dh_p2048_t1864_pkcs3.pem} (100%) rename test/recipes/20-test_dhparam_check_data/{valid/dh_p3072_t1862.pem => invalid/dh_p3072_t1862_pkcs3.pem} (100%) diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c index 7ef2d703f8..460fd24cec 100644 --- a/crypto/evp/keymgmt_meth.c +++ b/crypto/evp/keymgmt_meth.c @@ -404,12 +404,12 @@ int evp_keymgmt_has(const EVP_KEYMGMT *keymgmt, void *keydata, int selection) } int evp_keymgmt_validate(const EVP_KEYMGMT *keymgmt, void *keydata, - int selection) + int selection, int checktype) { /* We assume valid if the implementation doesn't have a function */ if (keymgmt->validate == NULL) return 1; - return keymgmt->validate(keydata, selection); + return keymgmt->validate(keydata, selection, checktype); } int evp_keymgmt_match(const EVP_KEYMGMT *keymgmt, diff --git a/crypto/evp/pmeth_check.c b/crypto/evp/pmeth_check.c index c9a5a7bc65..36dbb4c4e6 100644 --- a/crypto/evp/pmeth_check.c +++ b/crypto/evp/pmeth_check.c @@ -23,7 +23,7 @@ * 0 False * -1 Unsupported (use legacy path) */ -static int try_provided_check(EVP_PKEY_CTX *ctx, int selection) +static int try_provided_check(EVP_PKEY_CTX *ctx, int selection, int checktype) { EVP_KEYMGMT *keymgmt; void *keydata; @@ -39,7 +39,7 @@ static int try_provided_check(EVP_PKEY_CTX *ctx, int selection) return 0; } - return evp_keymgmt_validate(keymgmt, keydata, selection); + return evp_keymgmt_validate(keymgmt, keydata, selection, checktype); } int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) @@ -52,7 +52,8 @@ int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) return 0; } - if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) != -1) + if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_PUBLIC_KEY, + OSSL_KEYMGMT_VALIDATE_FULL_CHECK)) != -1) return ok; if (pkey->type == EVP_PKEY_NONE) @@ -75,7 +76,7 @@ int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) return -2; } -int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx) +static int evp_pkey_param_check_combined(EVP_PKEY_CTX *ctx, int checktype) { EVP_PKEY *pkey = ctx->pkey; int ok; @@ -86,7 +87,8 @@ int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx) } if ((ok = try_provided_check(ctx, - OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)) != -1) + OSSL_KEYMGMT_SELECT_ALL_PARAMETERS, + checktype)) != -1) return ok; if (pkey->type == EVP_PKEY_NONE) @@ -109,6 +111,16 @@ int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx) return -2; } +int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx) +{ + return evp_pkey_param_check_combined(ctx, OSSL_KEYMGMT_VALIDATE_FULL_CHECK); +} + +int EVP_PKEY_param_check_quick(EVP_PKEY_CTX *ctx) +{ + return evp_pkey_param_check_combined(ctx, OSSL_KEYMGMT_VALIDATE_QUICK_CHECK); +} + int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx) { EVP_PKEY *pkey = ctx->pkey; @@ -119,7 +131,8 @@ int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx) return 0; } - if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) != -1) + if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_PRIVATE_KEY, + OSSL_KEYMGMT_VALIDATE_FULL_CHECK)) != -1) return ok; /* not supported for legacy keys */ @@ -137,7 +150,8 @@ int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx) return 0; } - if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_KEYPAIR)) != -1) + if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_KEYPAIR, + OSSL_KEYMGMT_VALIDATE_FULL_CHECK)) != -1) return ok; /* not supported for legacy keys */ @@ -155,7 +169,8 @@ int EVP_PKEY_check(EVP_PKEY_CTX *ctx) return 0; } - if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_KEYPAIR)) != -1) + if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_KEYPAIR, + OSSL_KEYMGMT_VALIDATE_FULL_CHECK)) != -1) return ok; if (pkey->type == EVP_PKEY_NONE) diff --git a/doc/man3/EVP_PKEY_check.pod b/doc/man3/EVP_PKEY_check.pod index 6d4fff8343..ad2c2025cb 100644 --- a/doc/man3/EVP_PKEY_check.pod +++ b/doc/man3/EVP_PKEY_check.pod @@ -2,8 +2,8 @@ =head1 NAME -EVP_PKEY_check, EVP_PKEY_param_check, EVP_PKEY_public_check, -EVP_PKEY_private_check, EVP_PKEY_pairwise_check +EVP_PKEY_check, EVP_PKEY_param_check, EVP_PKEY_param_check_quick, +EVP_PKEY_public_check, EVP_PKEY_private_check, EVP_PKEY_pairwise_check - key and parameter validation functions =head1 SYNOPSIS @@ -12,6 +12,7 @@ EVP_PKEY_private_check, EVP_PKEY_pairwise_check int EVP_PKEY_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx); + int EVP_PKEY_param_check_quick(EVP_PKEY_CTX *ctx); int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx); @@ -21,6 +22,12 @@ EVP_PKEY_private_check, EVP_PKEY_pairwise_check EVP_PKEY_param_check() validates the parameters component of the key given by B. +EVP_PKEY_param_check_quick() validates the parameters component of the key +given by B like EVP_PKEY_param_check() does. However some algorithm +implementations may offer a quicker form of validation that omits some checks in +order to perform a lightweight sanity check of the key. If a quicker form is not +provided then this function call does the same thing as EVP_PKEY_param_check(). + EVP_PKEY_public_check() validates the public component of the key given by B. EVP_PKEY_private_check() validates the private component of the key given by B. @@ -53,8 +60,8 @@ L, EVP_PKEY_check(), EVP_PKEY_public_check() and EVP_PKEY_param_check() were added in OpenSSL 1.1.1. -EVP_PKEY_private_check() and EVP_PKEY_pairwise_check() were added -in OpenSSL 3.0. +EVP_PKEY_param_check_quick(), EVP_PKEY_private_check() and +EVP_PKEY_pairwise_check() were added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 0095da00ca..4c1f032744 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -54,7 +54,7 @@ provider-keymgmt - The KEYMGMT library E-E provider functions int OSSL_FUNC_keymgmt_copy(void *keydata_to, const void *keydata_from, int selection); /* Key object validation */ - int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection); + int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection, int checktype); =head1 DESCRIPTION @@ -298,7 +298,12 @@ data subsets may cause validation of the combined data. For example, the combination of B and B (or B for short) is expected to check that the pairwise consistency of -I is valid. +I is valid. The I parameter controls what type of check is +performed on the subset of data. Two types of check are defined: +B and B. +The interpretation of how much checking is performed in a full check versus a +quick check is key type specific. Some providers may have no distinction +between a full check and a quick check. OSSL_FUNC_keymgmt_match() should check if the data subset indicated by I in I and I match. It is assumed that diff --git a/include/crypto/evp.h b/include/crypto/evp.h index b78535aed0..1017ace03d 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -778,7 +778,7 @@ void *evp_keymgmt_load(const EVP_KEYMGMT *keymgmt, int evp_keymgmt_has(const EVP_KEYMGMT *keymgmt, void *keyddata, int selection); int evp_keymgmt_validate(const EVP_KEYMGMT *keymgmt, void *keydata, - int selection); + int selection, int checktype); int evp_keymgmt_match(const EVP_KEYMGMT *keymgmt, const void *keydata1, const void *keydata2, int selection); diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 1689778c72..7823af7cbd 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -491,6 +491,9 @@ OSSL_CORE_MAKE_FUNC(int,rand_verify_zeroization, # define OSSL_KEYMGMT_SELECT_ALL \ ( OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS ) +# define OSSL_KEYMGMT_VALIDATE_FULL_CHECK 0 +# define OSSL_KEYMGMT_VALIDATE_QUICK_CHECK 1 + /* Basic key object creation */ # define OSSL_FUNC_KEYMGMT_NEW 1 OSSL_CORE_MAKE_FUNC(void *, keymgmt_new, (void *provctx)) @@ -551,7 +554,8 @@ OSSL_CORE_MAKE_FUNC(int, keymgmt_has, (const void *keydata, int selection)) /* Key checks - validation */ # define OSSL_FUNC_KEYMGMT_VALIDATE 22 -OSSL_CORE_MAKE_FUNC(int, keymgmt_validate, (const void *keydata, int selection)) +OSSL_CORE_MAKE_FUNC(int, keymgmt_validate, (const void *keydata, int selection, + int checktype)) /* Key checks - matching */ # define OSSL_FUNC_KEYMGMT_MATCH 23 diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 5f9de9d8b9..aeff6de4f7 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1828,6 +1828,7 @@ int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); int EVP_PKEY_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx); +int EVP_PKEY_param_check_quick(EVP_PKEY_CTX *ctx); int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx); diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 1d674a14bf..007ab6a5b5 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -366,7 +366,7 @@ static int dh_validate_private(const DH *dh) return dh_check_priv_key(dh, priv_key, &status);; } -static int dh_validate(const void *keydata, int selection) +static int dh_validate(const void *keydata, int selection, int checktype) { const DH *dh = keydata; int ok = 0; @@ -377,8 +377,17 @@ static int dh_validate(const void *keydata, int selection) if ((selection & DH_POSSIBLE_SELECTIONS) != 0) ok = 1; - if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) - ok = ok && DH_check_params_ex(dh); + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + /* + * Both of these functions check parameters. DH_check_params_ex() + * performs a lightweight check (e.g. it does not check that p is a + * safe prime) + */ + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + ok = ok && DH_check_params_ex(dh); + else + ok = ok && DH_check_ex(dh); + } if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) ok = ok && dh_validate_public(dh); diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index bc4591b1d6..28e8409aa2 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/providers/implementations/keymgmt/dsa_kmgmt.c @@ -338,7 +338,7 @@ static int dsa_validate_private(const DSA *dsa) return dsa_check_priv_key(dsa, priv_key, &status); } -static int dsa_validate(const void *keydata, int selection) +static int dsa_validate(const void *keydata, int selection, int checktype) { const DSA *dsa = keydata; int ok = 0; diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index bb479181c3..33abdc8692 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -833,7 +833,7 @@ const OSSL_PARAM *sm2_settable_params(ossl_unused void *provctx) } static -int sm2_validate(const void *keydata, int selection) +int sm2_validate(const void *keydata, int selection, int checktype) { const EC_KEY *eck = keydata; int ok = 0; @@ -868,7 +868,7 @@ int sm2_validate(const void *keydata, int selection) #endif static -int ec_validate(const void *keydata, int selection) +int ec_validate(const void *keydata, int selection, int checktype) { const EC_KEY *eck = keydata; int ok = 0; diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 076e59eafe..3c057f3da4 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -726,22 +726,22 @@ static int ecx_validate(const void *keydata, int selection, int type, size_t key return ok; } -static int x25519_validate(const void *keydata, int selection) +static int x25519_validate(const void *keydata, int selection, int checktype) { return ecx_validate(keydata, selection, ECX_KEY_TYPE_X25519, X25519_KEYLEN); } -static int x448_validate(const void *keydata, int selection) +static int x448_validate(const void *keydata, int selection, int checktype) { return ecx_validate(keydata, selection, ECX_KEY_TYPE_X448, X448_KEYLEN); } -static int ed25519_validate(const void *keydata, int selection) +static int ed25519_validate(const void *keydata, int selection, int checktype) { return ecx_validate(keydata, selection, ECX_KEY_TYPE_ED25519, ED25519_KEYLEN); } -static int ed448_validate(const void *keydata, int selection) +static int ed448_validate(const void *keydata, int selection, int checktype) { return ecx_validate(keydata, selection, ECX_KEY_TYPE_ED448, ED448_KEYLEN); } diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 64779ca6be..e4e10084b8 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -359,7 +359,7 @@ static const OSSL_PARAM *rsa_gettable_params(void *provctx) return rsa_params; } -static int rsa_validate(const void *keydata, int selection) +static int rsa_validate(const void *keydata, int selection, int checktype) { const RSA *rsa = keydata; int ok = 0; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 2358e2c616..e5a255d75d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2071,7 +2071,13 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) EVP_PKEY_CTX_free(pctx); pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq); if (pctx == NULL - || EVP_PKEY_param_check(pctx) != 1 + /* + * EVP_PKEY_param_check() will verify that the DH params are using + * a safe prime. In this context, because we're using ephemeral DH, + * we're ok with it not being a safe prime. + * EVP_PKEY_param_check_quick() skips the safe prime check. + */ + || EVP_PKEY_param_check_quick(pctx) != 1 || EVP_PKEY_public_check(pctx) != 1) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); goto err; diff --git a/test/recipes/20-test_dhparam_check.t b/test/recipes/20-test_dhparam_check.t index 97e1506d8a..086e9de938 100644 --- a/test/recipes/20-test_dhparam_check.t +++ b/test/recipes/20-test_dhparam_check.t @@ -28,10 +28,12 @@ TESTDIR=test/recipes/20-test_dhparam_check_data/valid rm -rf $TESTDIR mkdir -p $TESTDIR +#TODO(3.0): These 3 currently create invalid output - see issue #14145 ./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:1 -out $TESTDIR/dh5114_1.pem ./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:2 -out $TESTDIR/dh5114_2.pem ./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:3 -out $TESTDIR/dh5114_3.pem +#TODO(3.0): These 4 currently create invalid output - see issue #14145 ./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:1024 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p1024_t1862.pem ./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:2048 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p2048_t1862.pem ./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:2048 -pkeyopt type:fips186_4 -out $TESTDIR/dh_p2048_t1864.pem @@ -57,28 +59,17 @@ mkdir -p $TESTDIR =cut my @valid = glob(data_file("valid", "*.pem")); -#my @invalid = glob(data_file("invalid", "*.pem")); +my @invalid = glob(data_file("invalid", "*.pem")); -my $num_tests = scalar @valid;# + scalar @invalid; +my $num_tests = scalar @valid + scalar @invalid; plan tests => 2 * $num_tests; - SKIP: { - skip "Skipping DH tests", $num_tests - if disabled('deprecated-3.0'); - - foreach (@valid) { - ok(run(app([qw{openssl dhparam -noout -check -in}, $_]))); - } - -# foreach (@invalid) { -# ok(!run(app([qw{openssl dhparam -noout -check -in}, $_]))); -# } -} - foreach (@valid) { + ok(run(app([qw{openssl dhparam -noout -check -in}, $_]))); ok(run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); } -#foreach (@invalid) { -# ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); -#} +foreach (@invalid) { + ok(!run(app([qw{openssl dhparam -noout -check -in}, $_]))); + ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); +} diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh5114_1.pem b/test/recipes/20-test_dhparam_check_data/invalid/dh5114_1_pkcs3.pem similarity index 100% rename from test/recipes/20-test_dhparam_check_data/valid/dh5114_1.pem rename to test/recipes/20-test_dhparam_check_data/invalid/dh5114_1_pkcs3.pem diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh5114_2.pem b/test/recipes/20-test_dhparam_check_data/invalid/dh5114_2_pkcs3.pem similarity index 100% rename from test/recipes/20-test_dhparam_check_data/valid/dh5114_2.pem rename to test/recipes/20-test_dhparam_check_data/invalid/dh5114_2_pkcs3.pem diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh5114_3.pem b/test/recipes/20-test_dhparam_check_data/invalid/dh5114_3_pkcs3.pem similarity index 100% rename from test/recipes/20-test_dhparam_check_data/valid/dh5114_3.pem rename to test/recipes/20-test_dhparam_check_data/invalid/dh5114_3_pkcs3.pem diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p1024_t1862.pem b/test/recipes/20-test_dhparam_check_data/invalid/dh_p1024_t1862_pkcs3.pem similarity index 100% rename from test/recipes/20-test_dhparam_check_data/valid/dh_p1024_t1862.pem rename to test/recipes/20-test_dhparam_check_data/invalid/dh_p1024_t1862_pkcs3.pem diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1862.pem b/test/recipes/20-test_dhparam_check_data/invalid/dh_p2048_t1862_pkcs3.pem similarity index 100% rename from test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1862.pem rename to test/recipes/20-test_dhparam_check_data/invalid/dh_p2048_t1862_pkcs3.pem diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1864.pem b/test/recipes/20-test_dhparam_check_data/invalid/dh_p2048_t1864_pkcs3.pem similarity index 100% rename from test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1864.pem rename to test/recipes/20-test_dhparam_check_data/invalid/dh_p2048_t1864_pkcs3.pem diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_p3072_t1862.pem b/test/recipes/20-test_dhparam_check_data/invalid/dh_p3072_t1862_pkcs3.pem similarity index 100% rename from test/recipes/20-test_dhparam_check_data/valid/dh_p3072_t1862.pem rename to test/recipes/20-test_dhparam_check_data/invalid/dh_p3072_t1862_pkcs3.pem diff --git a/util/libcrypto.num b/util/libcrypto.num index fa7a096145..5e3ee9e408 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5298,3 +5298,4 @@ EVP_PKEY_get_field_type ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_params ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_fromdata_init ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_fromdata_settable ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_param_check_quick ? 3_0_0 EXIST::FUNCTION: From openssl at openssl.org Mon Feb 15 07:38:03 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 15 Feb 2021 07:38:03 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1613374683.490056.3712340.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3132, 869 wallclock secs (14.42 usr 1.43 sys + 777.87 cusr 90.99 csys = 884.71 CPU) Result: FAIL make[1]: *** [Makefile:3209: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3206: tests] Error 2 From tomas at openssl.org Fri Feb 12 18:06:30 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 12 Feb 2021 18:06:30 +0000 Subject: [openssl] master update Message-ID: <1613153190.806539.17061.nullmailer@dev.openssl.org> The branch master has been updated via 9ff5bd612a415571b12cc9febe22c710d9d2d42a (commit) via 89e14ca7c7003b3b5874a8dac3f21521a4f844b4 (commit) from d8c1cafbbc5dfe2347a7157178db5b50fdf9d248 (commit) - Log ----------------------------------------------------------------- commit 9ff5bd612a415571b12cc9febe22c710d9d2d42a Author: Tomas Mraz Date: Thu Feb 11 18:18:49 2021 +0100 ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 Also correctly mark max protocol version for some curves. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14154) commit 89e14ca7c7003b3b5874a8dac3f21521a4f844b4 Author: Tomas Mraz Date: Thu Feb 11 15:25:35 2021 +0100 tls_valid_group: Add missing dereference of okfortls13 Fixes #14153 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14154) ----------------------------------------------------------------------- Summary of changes: providers/common/capabilities.c | 66 ++- ssl/t1_lib.c | 2 +- test/ssl-tests/14-curves.cnf | 1112 ++++++++++++++++++++++++++++++++------- test/ssl-tests/14-curves.cnf.in | 53 +- 4 files changed, 1012 insertions(+), 221 deletions(-) diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c index f708beb16d..da3cf50820 100644 --- a/providers/common/capabilities.c +++ b/providers/common/capabilities.c @@ -31,28 +31,50 @@ typedef struct tls_group_constants_st { } TLS_GROUP_CONSTANTS; static const TLS_GROUP_CONSTANTS group_list[35] = { - { OSSL_TLS_GROUP_ID_sect163k1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect163r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect163r2, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect193r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect193r2, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect233k1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect233r1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect239k1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect283k1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect283r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect409k1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect409r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect571k1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_sect571r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp160k1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp160r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp160r2, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp192k1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp224k1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_secp256k1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, + { OSSL_TLS_GROUP_ID_sect163k1, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect163r1, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect163r2, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect193r1, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect193r2, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect233k1, 112, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect233r1, 112, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect239k1, 112, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect283k1, 128, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect283r1, 128, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect409k1, 192, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect409r1, 192, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect571k1, 256, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_sect571r1, 256, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp160k1, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp160r1, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp160r2, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp192k1, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp224k1, 112, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, + { OSSL_TLS_GROUP_ID_secp256k1, 128, TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION }, { OSSL_TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, { OSSL_TLS_GROUP_ID_secp384r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, { OSSL_TLS_GROUP_ID_secp521r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 684e8494fc..ace890d915 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -526,7 +526,7 @@ int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, int ret; if (okfortls13 != NULL) - okfortls13 = 0; + *okfortls13 = 0; if (ginfo == NULL) return 0; diff --git a/test/ssl-tests/14-curves.cnf b/test/ssl-tests/14-curves.cnf index 1982c99db7..824a9f9a0e 100644 --- a/test/ssl-tests/14-curves.cnf +++ b/test/ssl-tests/14-curves.cnf @@ -1,21 +1,21 @@ # Generated with generate_ssl_tests.pl -num_tests = 30 - -test-0 = 0-curve-sect233k1 -test-1 = 1-curve-sect233r1 -test-2 = 2-curve-sect283k1 -test-3 = 3-curve-sect283r1 -test-4 = 4-curve-sect409k1 -test-5 = 5-curve-sect409r1 -test-6 = 6-curve-sect571k1 -test-7 = 7-curve-sect571r1 -test-8 = 8-curve-secp224r1 -test-9 = 9-curve-prime256v1 -test-10 = 10-curve-secp384r1 -test-11 = 11-curve-secp521r1 -test-12 = 12-curve-X25519 -test-13 = 13-curve-X448 +num_tests = 55 + +test-0 = 0-curve-prime256v1 +test-1 = 1-curve-secp384r1 +test-2 = 2-curve-secp521r1 +test-3 = 3-curve-X25519 +test-4 = 4-curve-X448 +test-5 = 5-curve-sect233k1 +test-6 = 6-curve-sect233r1 +test-7 = 7-curve-sect283k1 +test-8 = 8-curve-sect283r1 +test-9 = 9-curve-sect409k1 +test-10 = 10-curve-sect409r1 +test-11 = 11-curve-sect571k1 +test-12 = 12-curve-sect571r1 +test-13 = 13-curve-secp224r1 test-14 = 14-curve-sect163k1 test-15 = 15-curve-sect163r2 test-16 = 16-curve-prime192v1 @@ -32,396 +32,435 @@ test-26 = 26-curve-secp256k1 test-27 = 27-curve-brainpoolP256r1 test-28 = 28-curve-brainpoolP384r1 test-29 = 29-curve-brainpoolP512r1 +test-30 = 30-curve-sect233k1-tls13 +test-31 = 31-curve-sect233r1-tls13 +test-32 = 32-curve-sect283k1-tls13 +test-33 = 33-curve-sect283r1-tls13 +test-34 = 34-curve-sect409k1-tls13 +test-35 = 35-curve-sect409r1-tls13 +test-36 = 36-curve-sect571k1-tls13 +test-37 = 37-curve-sect571r1-tls13 +test-38 = 38-curve-secp224r1-tls13 +test-39 = 39-curve-sect163k1-tls13 +test-40 = 40-curve-sect163r2-tls13 +test-41 = 41-curve-prime192v1-tls13 +test-42 = 42-curve-sect163r1-tls13 +test-43 = 43-curve-sect193r1-tls13 +test-44 = 44-curve-sect193r2-tls13 +test-45 = 45-curve-sect239k1-tls13 +test-46 = 46-curve-secp160k1-tls13 +test-47 = 47-curve-secp160r1-tls13 +test-48 = 48-curve-secp160r2-tls13 +test-49 = 49-curve-secp192k1-tls13 +test-50 = 50-curve-secp224k1-tls13 +test-51 = 51-curve-secp256k1-tls13 +test-52 = 52-curve-brainpoolP256r1-tls13 +test-53 = 53-curve-brainpoolP384r1-tls13 +test-54 = 54-curve-brainpoolP512r1-tls13 # =========================================================== -[0-curve-sect233k1] -ssl_conf = 0-curve-sect233k1-ssl +[0-curve-prime256v1] +ssl_conf = 0-curve-prime256v1-ssl -[0-curve-sect233k1-ssl] -server = 0-curve-sect233k1-server -client = 0-curve-sect233k1-client +[0-curve-prime256v1-ssl] +server = 0-curve-prime256v1-server +client = 0-curve-prime256v1-client -[0-curve-sect233k1-server] +[0-curve-prime256v1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233k1 -MaxProtocol = TLSv1.2 +Curves = prime256v1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[0-curve-sect233k1-client] +[0-curve-prime256v1-client] CipherString = ECDHE -Curves = sect233k1 -MaxProtocol = TLSv1.2 +Curves = prime256v1 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-0] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect233k1 +ExpectedTmpKeyType = prime256v1 # =========================================================== -[1-curve-sect233r1] -ssl_conf = 1-curve-sect233r1-ssl +[1-curve-secp384r1] +ssl_conf = 1-curve-secp384r1-ssl -[1-curve-sect233r1-ssl] -server = 1-curve-sect233r1-server -client = 1-curve-sect233r1-client +[1-curve-secp384r1-ssl] +server = 1-curve-secp384r1-server +client = 1-curve-secp384r1-client -[1-curve-sect233r1-server] +[1-curve-secp384r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233r1 -MaxProtocol = TLSv1.2 +Curves = secp384r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-curve-sect233r1-client] +[1-curve-secp384r1-client] CipherString = ECDHE -Curves = sect233r1 -MaxProtocol = TLSv1.2 +Curves = secp384r1 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-1] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect233r1 +ExpectedTmpKeyType = secp384r1 # =========================================================== -[2-curve-sect283k1] -ssl_conf = 2-curve-sect283k1-ssl +[2-curve-secp521r1] +ssl_conf = 2-curve-secp521r1-ssl -[2-curve-sect283k1-ssl] -server = 2-curve-sect283k1-server -client = 2-curve-sect283k1-client +[2-curve-secp521r1-ssl] +server = 2-curve-secp521r1-server +client = 2-curve-secp521r1-client -[2-curve-sect283k1-server] +[2-curve-secp521r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283k1 -MaxProtocol = TLSv1.2 +Curves = secp521r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[2-curve-sect283k1-client] +[2-curve-secp521r1-client] CipherString = ECDHE -Curves = sect283k1 -MaxProtocol = TLSv1.2 +Curves = secp521r1 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-2] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect283k1 +ExpectedTmpKeyType = secp521r1 # =========================================================== -[3-curve-sect283r1] -ssl_conf = 3-curve-sect283r1-ssl +[3-curve-X25519] +ssl_conf = 3-curve-X25519-ssl -[3-curve-sect283r1-ssl] -server = 3-curve-sect283r1-server -client = 3-curve-sect283r1-client +[3-curve-X25519-ssl] +server = 3-curve-X25519-server +client = 3-curve-X25519-client -[3-curve-sect283r1-server] +[3-curve-X25519-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283r1 -MaxProtocol = TLSv1.2 +Curves = X25519 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-curve-sect283r1-client] +[3-curve-X25519-client] CipherString = ECDHE -Curves = sect283r1 -MaxProtocol = TLSv1.2 +Curves = X25519 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-3] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect283r1 +ExpectedTmpKeyType = X25519 # =========================================================== -[4-curve-sect409k1] -ssl_conf = 4-curve-sect409k1-ssl +[4-curve-X448] +ssl_conf = 4-curve-X448-ssl -[4-curve-sect409k1-ssl] -server = 4-curve-sect409k1-server -client = 4-curve-sect409k1-client +[4-curve-X448-ssl] +server = 4-curve-X448-server +client = 4-curve-X448-client -[4-curve-sect409k1-server] +[4-curve-X448-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409k1 -MaxProtocol = TLSv1.2 +Curves = X448 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-curve-sect409k1-client] +[4-curve-X448-client] CipherString = ECDHE -Curves = sect409k1 -MaxProtocol = TLSv1.2 +Curves = X448 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-4] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect409k1 +ExpectedTmpKeyType = X448 # =========================================================== -[5-curve-sect409r1] -ssl_conf = 5-curve-sect409r1-ssl +[5-curve-sect233k1] +ssl_conf = 5-curve-sect233k1-ssl -[5-curve-sect409r1-ssl] -server = 5-curve-sect409r1-server -client = 5-curve-sect409r1-client +[5-curve-sect233k1-ssl] +server = 5-curve-sect233k1-server +client = 5-curve-sect233k1-client -[5-curve-sect409r1-server] +[5-curve-sect233k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409r1 -MaxProtocol = TLSv1.2 +Curves = sect233k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-curve-sect409r1-client] +[5-curve-sect233k1-client] CipherString = ECDHE -Curves = sect409r1 +Curves = sect233k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-5] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = sect409r1 +ExpectedTmpKeyType = sect233k1 # =========================================================== -[6-curve-sect571k1] -ssl_conf = 6-curve-sect571k1-ssl +[6-curve-sect233r1] +ssl_conf = 6-curve-sect233r1-ssl -[6-curve-sect571k1-ssl] -server = 6-curve-sect571k1-server -client = 6-curve-sect571k1-client +[6-curve-sect233r1-ssl] +server = 6-curve-sect233r1-server +client = 6-curve-sect233r1-client -[6-curve-sect571k1-server] +[6-curve-sect233r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571k1 -MaxProtocol = TLSv1.2 +Curves = sect233r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-curve-sect571k1-client] +[6-curve-sect233r1-client] CipherString = ECDHE -Curves = sect571k1 +Curves = sect233r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-6] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = sect571k1 +ExpectedTmpKeyType = sect233r1 # =========================================================== -[7-curve-sect571r1] -ssl_conf = 7-curve-sect571r1-ssl +[7-curve-sect283k1] +ssl_conf = 7-curve-sect283k1-ssl -[7-curve-sect571r1-ssl] -server = 7-curve-sect571r1-server -client = 7-curve-sect571r1-client +[7-curve-sect283k1-ssl] +server = 7-curve-sect283k1-server +client = 7-curve-sect283k1-client -[7-curve-sect571r1-server] +[7-curve-sect283k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571r1 -MaxProtocol = TLSv1.2 +Curves = sect283k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-curve-sect571r1-client] +[7-curve-sect283k1-client] CipherString = ECDHE -Curves = sect571r1 +Curves = sect283k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-7] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = sect571r1 +ExpectedTmpKeyType = sect283k1 # =========================================================== -[8-curve-secp224r1] -ssl_conf = 8-curve-secp224r1-ssl +[8-curve-sect283r1] +ssl_conf = 8-curve-sect283r1-ssl -[8-curve-secp224r1-ssl] -server = 8-curve-secp224r1-server -client = 8-curve-secp224r1-client +[8-curve-sect283r1-ssl] +server = 8-curve-sect283r1-server +client = 8-curve-sect283r1-client -[8-curve-secp224r1-server] +[8-curve-sect283r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp224r1 -MaxProtocol = TLSv1.2 +Curves = sect283r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-curve-secp224r1-client] +[8-curve-sect283r1-client] CipherString = ECDHE -Curves = secp224r1 +Curves = sect283r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-8] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = secp224r1 +ExpectedTmpKeyType = sect283r1 # =========================================================== -[9-curve-prime256v1] -ssl_conf = 9-curve-prime256v1-ssl +[9-curve-sect409k1] +ssl_conf = 9-curve-sect409k1-ssl -[9-curve-prime256v1-ssl] -server = 9-curve-prime256v1-server -client = 9-curve-prime256v1-client +[9-curve-sect409k1-ssl] +server = 9-curve-sect409k1-server +client = 9-curve-sect409k1-client -[9-curve-prime256v1-server] +[9-curve-sect409k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = prime256v1 -MaxProtocol = TLSv1.2 +Curves = sect409k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-curve-prime256v1-client] +[9-curve-sect409k1-client] CipherString = ECDHE -Curves = prime256v1 +Curves = sect409k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-9] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = prime256v1 +ExpectedTmpKeyType = sect409k1 # =========================================================== -[10-curve-secp384r1] -ssl_conf = 10-curve-secp384r1-ssl +[10-curve-sect409r1] +ssl_conf = 10-curve-sect409r1-ssl -[10-curve-secp384r1-ssl] -server = 10-curve-secp384r1-server -client = 10-curve-secp384r1-client +[10-curve-sect409r1-ssl] +server = 10-curve-sect409r1-server +client = 10-curve-sect409r1-client -[10-curve-secp384r1-server] +[10-curve-sect409r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp384r1 -MaxProtocol = TLSv1.2 +Curves = sect409r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-curve-secp384r1-client] +[10-curve-sect409r1-client] CipherString = ECDHE -Curves = secp384r1 +Curves = sect409r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-10] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = secp384r1 +ExpectedTmpKeyType = sect409r1 # =========================================================== -[11-curve-secp521r1] -ssl_conf = 11-curve-secp521r1-ssl +[11-curve-sect571k1] +ssl_conf = 11-curve-sect571k1-ssl -[11-curve-secp521r1-ssl] -server = 11-curve-secp521r1-server -client = 11-curve-secp521r1-client +[11-curve-sect571k1-ssl] +server = 11-curve-sect571k1-server +client = 11-curve-sect571k1-client -[11-curve-secp521r1-server] +[11-curve-sect571k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp521r1 -MaxProtocol = TLSv1.2 +Curves = sect571k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-curve-secp521r1-client] +[11-curve-sect571k1-client] CipherString = ECDHE -Curves = secp521r1 +Curves = sect571k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-11] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = secp521r1 +ExpectedTmpKeyType = sect571k1 # =========================================================== -[12-curve-X25519] -ssl_conf = 12-curve-X25519-ssl +[12-curve-sect571r1] +ssl_conf = 12-curve-sect571r1-ssl -[12-curve-X25519-ssl] -server = 12-curve-X25519-server -client = 12-curve-X25519-client +[12-curve-sect571r1-ssl] +server = 12-curve-sect571r1-server +client = 12-curve-sect571r1-client -[12-curve-X25519-server] +[12-curve-sect571r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X25519 -MaxProtocol = TLSv1.2 +Curves = sect571r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-curve-X25519-client] +[12-curve-sect571r1-client] CipherString = ECDHE -Curves = X25519 +Curves = sect571r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-12] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = X25519 +ExpectedTmpKeyType = sect571r1 # =========================================================== -[13-curve-X448] -ssl_conf = 13-curve-X448-ssl +[13-curve-secp224r1] +ssl_conf = 13-curve-secp224r1-ssl -[13-curve-X448-ssl] -server = 13-curve-X448-server -client = 13-curve-X448-client +[13-curve-secp224r1-ssl] +server = 13-curve-secp224r1-server +client = 13-curve-secp224r1-client -[13-curve-X448-server] +[13-curve-secp224r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X448 -MaxProtocol = TLSv1.2 +Curves = secp224r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-curve-X448-client] +[13-curve-secp224r1-client] CipherString = ECDHE -Curves = X448 +Curves = secp224r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-13] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = X448 +ExpectedTmpKeyType = secp224r1 # =========================================================== @@ -437,7 +476,7 @@ client = 14-curve-sect163k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect163k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [14-curve-sect163k1-client] @@ -448,6 +487,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-14] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect163k1 @@ -465,7 +505,7 @@ client = 15-curve-sect163r2-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect163r2 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [15-curve-sect163r2-client] @@ -476,6 +516,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-15] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect163r2 @@ -493,7 +534,7 @@ client = 16-curve-prime192v1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = prime192v1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [16-curve-prime192v1-client] @@ -504,6 +545,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-16] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = prime192v1 @@ -521,7 +563,7 @@ client = 17-curve-sect163r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect163r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [17-curve-sect163r1-client] @@ -532,6 +574,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-17] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect163r1 @@ -549,7 +592,7 @@ client = 18-curve-sect193r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect193r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [18-curve-sect193r1-client] @@ -560,6 +603,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-18] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect193r1 @@ -577,7 +621,7 @@ client = 19-curve-sect193r2-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect193r2 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [19-curve-sect193r2-client] @@ -588,6 +632,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-19] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect193r2 @@ -605,7 +650,7 @@ client = 20-curve-sect239k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect239k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [20-curve-sect239k1-client] @@ -616,6 +661,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-20] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect239k1 @@ -633,7 +679,7 @@ client = 21-curve-secp160k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp160k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [21-curve-secp160k1-client] @@ -644,6 +690,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-21] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp160k1 @@ -661,7 +708,7 @@ client = 22-curve-secp160r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp160r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [22-curve-secp160r1-client] @@ -672,6 +719,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp160r1 @@ -689,7 +737,7 @@ client = 23-curve-secp160r2-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp160r2 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [23-curve-secp160r2-client] @@ -700,6 +748,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-23] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp160r2 @@ -717,7 +766,7 @@ client = 24-curve-secp192k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp192k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [24-curve-secp192k1-client] @@ -728,6 +777,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-24] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp192k1 @@ -745,7 +795,7 @@ client = 25-curve-secp224k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp224k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [25-curve-secp224k1-client] @@ -756,6 +806,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-25] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp224k1 @@ -773,7 +824,7 @@ client = 26-curve-secp256k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp256k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [26-curve-secp256k1-client] @@ -784,6 +835,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-26] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp256k1 @@ -801,7 +853,7 @@ client = 27-curve-brainpoolP256r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = brainpoolP256r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [27-curve-brainpoolP256r1-client] @@ -812,6 +864,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-27] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = brainpoolP256r1 @@ -829,7 +882,7 @@ client = 28-curve-brainpoolP384r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = brainpoolP384r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [28-curve-brainpoolP384r1-client] @@ -840,6 +893,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-28] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = brainpoolP384r1 @@ -857,7 +911,7 @@ client = 29-curve-brainpoolP512r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = brainpoolP512r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [29-curve-brainpoolP512r1-client] @@ -868,7 +922,683 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-29] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = brainpoolP512r1 +# =========================================================== + +[30-curve-sect233k1-tls13] +ssl_conf = 30-curve-sect233k1-tls13-ssl + +[30-curve-sect233k1-tls13-ssl] +server = 30-curve-sect233k1-tls13-server +client = 30-curve-sect233k1-tls13-client + +[30-curve-sect233k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect233k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[30-curve-sect233k1-tls13-client] +CipherString = ECDHE +Curves = sect233k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-30] +ExpectedResult = ClientFail + + +# =========================================================== + +[31-curve-sect233r1-tls13] +ssl_conf = 31-curve-sect233r1-tls13-ssl + +[31-curve-sect233r1-tls13-ssl] +server = 31-curve-sect233r1-tls13-server +client = 31-curve-sect233r1-tls13-client + +[31-curve-sect233r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect233r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[31-curve-sect233r1-tls13-client] +CipherString = ECDHE +Curves = sect233r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-31] +ExpectedResult = ClientFail + + +# =========================================================== + +[32-curve-sect283k1-tls13] +ssl_conf = 32-curve-sect283k1-tls13-ssl + +[32-curve-sect283k1-tls13-ssl] +server = 32-curve-sect283k1-tls13-server +client = 32-curve-sect283k1-tls13-client + +[32-curve-sect283k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect283k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[32-curve-sect283k1-tls13-client] +CipherString = ECDHE +Curves = sect283k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-32] +ExpectedResult = ClientFail + + +# =========================================================== + +[33-curve-sect283r1-tls13] +ssl_conf = 33-curve-sect283r1-tls13-ssl + +[33-curve-sect283r1-tls13-ssl] +server = 33-curve-sect283r1-tls13-server +client = 33-curve-sect283r1-tls13-client + +[33-curve-sect283r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect283r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[33-curve-sect283r1-tls13-client] +CipherString = ECDHE +Curves = sect283r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-33] +ExpectedResult = ClientFail + + +# =========================================================== + +[34-curve-sect409k1-tls13] +ssl_conf = 34-curve-sect409k1-tls13-ssl + +[34-curve-sect409k1-tls13-ssl] +server = 34-curve-sect409k1-tls13-server +client = 34-curve-sect409k1-tls13-client + +[34-curve-sect409k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect409k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[34-curve-sect409k1-tls13-client] +CipherString = ECDHE +Curves = sect409k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-34] +ExpectedResult = ClientFail + + +# =========================================================== + +[35-curve-sect409r1-tls13] +ssl_conf = 35-curve-sect409r1-tls13-ssl + +[35-curve-sect409r1-tls13-ssl] +server = 35-curve-sect409r1-tls13-server +client = 35-curve-sect409r1-tls13-client + +[35-curve-sect409r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect409r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[35-curve-sect409r1-tls13-client] +CipherString = ECDHE +Curves = sect409r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-35] +ExpectedResult = ClientFail + + +# =========================================================== + +[36-curve-sect571k1-tls13] +ssl_conf = 36-curve-sect571k1-tls13-ssl + +[36-curve-sect571k1-tls13-ssl] +server = 36-curve-sect571k1-tls13-server +client = 36-curve-sect571k1-tls13-client + +[36-curve-sect571k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect571k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[36-curve-sect571k1-tls13-client] +CipherString = ECDHE +Curves = sect571k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-36] +ExpectedResult = ClientFail + + +# =========================================================== + +[37-curve-sect571r1-tls13] +ssl_conf = 37-curve-sect571r1-tls13-ssl + +[37-curve-sect571r1-tls13-ssl] +server = 37-curve-sect571r1-tls13-server +client = 37-curve-sect571r1-tls13-client + +[37-curve-sect571r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect571r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[37-curve-sect571r1-tls13-client] +CipherString = ECDHE +Curves = sect571r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-37] +ExpectedResult = ClientFail + + +# =========================================================== + +[38-curve-secp224r1-tls13] +ssl_conf = 38-curve-secp224r1-tls13-ssl + +[38-curve-secp224r1-tls13-ssl] +server = 38-curve-secp224r1-tls13-server +client = 38-curve-secp224r1-tls13-client + +[38-curve-secp224r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp224r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[38-curve-secp224r1-tls13-client] +CipherString = ECDHE +Curves = secp224r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-38] +ExpectedResult = ClientFail + + +# =========================================================== + +[39-curve-sect163k1-tls13] +ssl_conf = 39-curve-sect163k1-tls13-ssl + +[39-curve-sect163k1-tls13-ssl] +server = 39-curve-sect163k1-tls13-server +client = 39-curve-sect163k1-tls13-client + +[39-curve-sect163k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect163k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[39-curve-sect163k1-tls13-client] +CipherString = ECDHE +Curves = sect163k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-39] +ExpectedResult = ClientFail + + +# =========================================================== + +[40-curve-sect163r2-tls13] +ssl_conf = 40-curve-sect163r2-tls13-ssl + +[40-curve-sect163r2-tls13-ssl] +server = 40-curve-sect163r2-tls13-server +client = 40-curve-sect163r2-tls13-client + +[40-curve-sect163r2-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect163r2 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[40-curve-sect163r2-tls13-client] +CipherString = ECDHE +Curves = sect163r2 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-40] +ExpectedResult = ClientFail + + +# =========================================================== + +[41-curve-prime192v1-tls13] +ssl_conf = 41-curve-prime192v1-tls13-ssl + +[41-curve-prime192v1-tls13-ssl] +server = 41-curve-prime192v1-tls13-server +client = 41-curve-prime192v1-tls13-client + +[41-curve-prime192v1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = prime192v1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[41-curve-prime192v1-tls13-client] +CipherString = ECDHE +Curves = prime192v1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-41] +ExpectedResult = ClientFail + + +# =========================================================== + +[42-curve-sect163r1-tls13] +ssl_conf = 42-curve-sect163r1-tls13-ssl + +[42-curve-sect163r1-tls13-ssl] +server = 42-curve-sect163r1-tls13-server +client = 42-curve-sect163r1-tls13-client + +[42-curve-sect163r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect163r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[42-curve-sect163r1-tls13-client] +CipherString = ECDHE +Curves = sect163r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-42] +ExpectedResult = ClientFail + + +# =========================================================== + +[43-curve-sect193r1-tls13] +ssl_conf = 43-curve-sect193r1-tls13-ssl + +[43-curve-sect193r1-tls13-ssl] +server = 43-curve-sect193r1-tls13-server +client = 43-curve-sect193r1-tls13-client + +[43-curve-sect193r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect193r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[43-curve-sect193r1-tls13-client] +CipherString = ECDHE +Curves = sect193r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-43] +ExpectedResult = ClientFail + + +# =========================================================== + +[44-curve-sect193r2-tls13] +ssl_conf = 44-curve-sect193r2-tls13-ssl + +[44-curve-sect193r2-tls13-ssl] +server = 44-curve-sect193r2-tls13-server +client = 44-curve-sect193r2-tls13-client + +[44-curve-sect193r2-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect193r2 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[44-curve-sect193r2-tls13-client] +CipherString = ECDHE +Curves = sect193r2 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-44] +ExpectedResult = ClientFail + + +# =========================================================== + +[45-curve-sect239k1-tls13] +ssl_conf = 45-curve-sect239k1-tls13-ssl + +[45-curve-sect239k1-tls13-ssl] +server = 45-curve-sect239k1-tls13-server +client = 45-curve-sect239k1-tls13-client + +[45-curve-sect239k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect239k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[45-curve-sect239k1-tls13-client] +CipherString = ECDHE +Curves = sect239k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-45] +ExpectedResult = ClientFail + + +# =========================================================== + +[46-curve-secp160k1-tls13] +ssl_conf = 46-curve-secp160k1-tls13-ssl + +[46-curve-secp160k1-tls13-ssl] +server = 46-curve-secp160k1-tls13-server +client = 46-curve-secp160k1-tls13-client + +[46-curve-secp160k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp160k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[46-curve-secp160k1-tls13-client] +CipherString = ECDHE +Curves = secp160k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-46] +ExpectedResult = ClientFail + + +# =========================================================== + +[47-curve-secp160r1-tls13] +ssl_conf = 47-curve-secp160r1-tls13-ssl + +[47-curve-secp160r1-tls13-ssl] +server = 47-curve-secp160r1-tls13-server +client = 47-curve-secp160r1-tls13-client + +[47-curve-secp160r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp160r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[47-curve-secp160r1-tls13-client] +CipherString = ECDHE +Curves = secp160r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-47] +ExpectedResult = ClientFail + + +# =========================================================== + +[48-curve-secp160r2-tls13] +ssl_conf = 48-curve-secp160r2-tls13-ssl + +[48-curve-secp160r2-tls13-ssl] +server = 48-curve-secp160r2-tls13-server +client = 48-curve-secp160r2-tls13-client + +[48-curve-secp160r2-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp160r2 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[48-curve-secp160r2-tls13-client] +CipherString = ECDHE +Curves = secp160r2 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-48] +ExpectedResult = ClientFail + + +# =========================================================== + +[49-curve-secp192k1-tls13] +ssl_conf = 49-curve-secp192k1-tls13-ssl + +[49-curve-secp192k1-tls13-ssl] +server = 49-curve-secp192k1-tls13-server +client = 49-curve-secp192k1-tls13-client + +[49-curve-secp192k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp192k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[49-curve-secp192k1-tls13-client] +CipherString = ECDHE +Curves = secp192k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-49] +ExpectedResult = ClientFail + + +# =========================================================== + +[50-curve-secp224k1-tls13] +ssl_conf = 50-curve-secp224k1-tls13-ssl + +[50-curve-secp224k1-tls13-ssl] +server = 50-curve-secp224k1-tls13-server +client = 50-curve-secp224k1-tls13-client + +[50-curve-secp224k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp224k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[50-curve-secp224k1-tls13-client] +CipherString = ECDHE +Curves = secp224k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-50] +ExpectedResult = ClientFail + + +# =========================================================== + +[51-curve-secp256k1-tls13] +ssl_conf = 51-curve-secp256k1-tls13-ssl + +[51-curve-secp256k1-tls13-ssl] +server = 51-curve-secp256k1-tls13-server +client = 51-curve-secp256k1-tls13-client + +[51-curve-secp256k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp256k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[51-curve-secp256k1-tls13-client] +CipherString = ECDHE +Curves = secp256k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-51] +ExpectedResult = ClientFail + + +# =========================================================== + +[52-curve-brainpoolP256r1-tls13] +ssl_conf = 52-curve-brainpoolP256r1-tls13-ssl + +[52-curve-brainpoolP256r1-tls13-ssl] +server = 52-curve-brainpoolP256r1-tls13-server +client = 52-curve-brainpoolP256r1-tls13-client + +[52-curve-brainpoolP256r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = brainpoolP256r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[52-curve-brainpoolP256r1-tls13-client] +CipherString = ECDHE +Curves = brainpoolP256r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-52] +ExpectedResult = ClientFail + + +# =========================================================== + +[53-curve-brainpoolP384r1-tls13] +ssl_conf = 53-curve-brainpoolP384r1-tls13-ssl + +[53-curve-brainpoolP384r1-tls13-ssl] +server = 53-curve-brainpoolP384r1-tls13-server +client = 53-curve-brainpoolP384r1-tls13-client + +[53-curve-brainpoolP384r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = brainpoolP384r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[53-curve-brainpoolP384r1-tls13-client] +CipherString = ECDHE +Curves = brainpoolP384r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-53] +ExpectedResult = ClientFail + + +# =========================================================== + +[54-curve-brainpoolP512r1-tls13] +ssl_conf = 54-curve-brainpoolP512r1-tls13-ssl + +[54-curve-brainpoolP512r1-tls13-ssl] +server = 54-curve-brainpoolP512r1-tls13-server +client = 54-curve-brainpoolP512r1-tls13-client + +[54-curve-brainpoolP512r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = brainpoolP512r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[54-curve-brainpoolP512r1-tls13-client] +CipherString = ECDHE +Curves = brainpoolP512r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-54] +ExpectedResult = ClientFail + + diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in index b5ee4d2827..4c905a8ea8 100644 --- a/test/ssl-tests/14-curves.cnf.in +++ b/test/ssl-tests/14-curves.cnf.in @@ -12,19 +12,20 @@ use OpenSSL::Test::Utils qw(anydisabled); our $fips_mode; -my @curves = ("sect233k1", "sect233r1", - "sect283k1", "sect283r1", "sect409k1", "sect409r1", - "sect571k1", "sect571r1", "secp224r1", - "prime256v1", "secp384r1", "secp521r1", "X25519", +my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519", "X448"); +my @curves_tls_1_2 = ("sect233k1", "sect233r1", + "sect283k1", "sect283r1", "sect409k1", "sect409r1", + "sect571k1", "sect571r1", "secp224r1"); + my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1", "sect163r1", "sect193r1", "sect193r2", "sect239k1", "secp160k1", "secp160r1", "secp160r2", "secp192k1", "secp224k1", "secp256k1", "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1"); -push @curves, @curves_non_fips if !$fips_mode; +push @curves_tls_1_2, @curves_non_fips if !$fips_mode; our @tests = (); @@ -35,8 +36,27 @@ sub generate_tests() { name => "curve-${curve}", server => { "Curves" => $curve, - # TODO(TLS1.3): Can we get this to work for TLSv1.3? - "MaxProtocol" => "TLSv1.2" + "MaxProtocol" => "TLSv1.3" + }, + client => { + "CipherString" => "ECDHE", + "MaxProtocol" => "TLSv1.3", + "Curves" => $curve + }, + test => { + "ExpectedTmpKeyType" => $curve, + "ExpectedProtocol" => "TLSv1.3", + "ExpectedResult" => "Success" + }, + }; + } + foreach (0..$#curves_tls_1_2) { + my $curve = $curves_tls_1_2[$_]; + push @tests, { + name => "curve-${curve}", + server => { + "Curves" => $curve, + "MaxProtocol" => "TLSv1.3" }, client => { "CipherString" => "ECDHE", @@ -45,10 +65,29 @@ sub generate_tests() { }, test => { "ExpectedTmpKeyType" => $curve, + "ExpectedProtocol" => "TLSv1.2", "ExpectedResult" => "Success" }, }; } + foreach (0..$#curves_tls_1_2) { + my $curve = $curves_tls_1_2[$_]; + push @tests, { + name => "curve-${curve}-tls13", + server => { + "Curves" => $curve, + "MaxProtocol" => "TLSv1.3" + }, + client => { + "CipherString" => "ECDHE", + "MinProtocol" => "TLSv1.3", + "Curves" => $curve + }, + test => { + "ExpectedResult" => "ClientFail" + }, + }; + } } generate_tests(); From matthias.st.pierre at ncp-e.com Mon Feb 15 18:34:53 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Mon, 15 Feb 2021 18:34:53 +0000 Subject: [openssl] master update Message-ID: <1613414093.717410.25471.nullmailer@dev.openssl.org> The branch master has been updated via 62829f9f26bf248f29be9604870bbe46f946927a (commit) from 9dc9c7f2d7f25e100dd7d80e9bc51e205033cd8c (commit) - Log ----------------------------------------------------------------- commit 62829f9f26bf248f29be9604870bbe46f946927a Author: Beat Bolli Date: Sat Feb 13 15:09:07 2021 +0100 README-ENGINES: fix the link to the provider API README Signed-off-by: Beat Bolli Reviewed-by: Paul Yang Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/14173) ----------------------------------------------------------------------- Summary of changes: README-ENGINES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-ENGINES.md b/README-ENGINES.md index 80c1c55cf4..b05ddaa1b6 100644 --- a/README-ENGINES.md +++ b/README-ENGINES.md @@ -9,7 +9,7 @@ interface for adding alternative implementations of cryptographic primitives, most notably for integrating hardware crypto devices. The ENGINE interface has its limitations and it has been superseeded -by the [PROVIDER API](README-Provider.md), it is deprecated in OpenSSL +by the [PROVIDER API](README-PROVIDERS.md), it is deprecated in OpenSSL version 3.0. The following documentation is retained as an aid for users who need to maintain or support existing ENGINE implementations. Support for new hardware devices or new algorithms should be added From no-reply at appveyor.com Tue Feb 16 00:02:33 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 16 Feb 2021 00:02:33 +0000 Subject: Build failed: openssl master.39890 Message-ID: <20210216000233.1.24C9BD509B24BA00@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Tue Feb 16 00:03:55 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 16 Feb 2021 00:03:55 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1613433835.048368.1532681.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. # cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t ................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 768 Tests: 5 Failed: 3) Failed tests: 2-3, 5 Non-zero exit status: 3 Files=231, Tests=2702, 696 wallclock secs (10.51 usr 1.39 sys + 610.57 cusr 76.60 csys = 699.07 CPU) Result: FAIL make[1]: *** [Makefile:2476: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2473: tests] Error 2 From no-reply at appveyor.com Tue Feb 16 01:16:34 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 16 Feb 2021 01:16:34 +0000 Subject: Build completed: openssl master.39891 Message-ID: <20210216011634.1.590599A667A89F22@appveyor.com> An HTML attachment was scrubbed... URL: From matt at openssl.org Tue Feb 16 10:27:35 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 16 Feb 2021 10:27:35 +0000 Subject: [openssl] master update Message-ID: <1613471255.331972.5864.nullmailer@dev.openssl.org> The branch master has been updated via c9e955dd50f30f46555ff837b0bbae63433cef40 (commit) from 62829f9f26bf248f29be9604870bbe46f946927a (commit) - Log ----------------------------------------------------------------- commit c9e955dd50f30f46555ff837b0bbae63433cef40 Author: Tomas Mraz Date: Mon Feb 15 15:26:14 2021 +0100 Do not match RFC 5114 groups without q as it is significant Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14189) ----------------------------------------------------------------------- Summary of changes: crypto/ffc/ffc_dh.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/ffc/ffc_dh.c b/crypto/ffc/ffc_dh.c index 313466b0ea..948c61d988 100644 --- a/crypto/ffc/ffc_dh.c +++ b/crypto/ffc/ffc_dh.c @@ -110,7 +110,9 @@ const DH_NAMED_GROUP *ossl_ffc_numbers_to_dh_named_group(const BIGNUM *p, if (BN_cmp(p, dh_named_groups[i].p) == 0 && BN_cmp(g, dh_named_groups[i].g) == 0 /* Verify q is correct if it exists */ - && (q == NULL || BN_cmp(q, dh_named_groups[i].q) == 0)) + && ((q != NULL && BN_cmp(q, dh_named_groups[i].q) == 0) + /* Do not match RFC 5114 groups without q */ + || (q == NULL && dh_named_groups[i].uid > 3))) return &dh_named_groups[i]; } return NULL; From openssl at openssl.org Tue Feb 16 12:32:53 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 16 Feb 2021 12:32:53 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock Message-ID: <1613478773.945027.3030892.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... skipped: test_sslrecords needs the sock feature enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs the sock feature enabled 70-test_sslsigalgs.t ............... skipped: test_sslsigalgs needs the sock feature enabled 70-test_sslsignature.t ............. skipped: test_sslsignature needs the sock feature enabled 70-test_sslskewith0p.t ............. skipped: test_sslskewith0p needs the sock feature enabled 70-test_sslversions.t .............. skipped: test_sslversions needs the sock feature enabled 70-test_sslvertol.t ................ skipped: test_sslextension needs the sock feature enabled 70-test_tls13alerts.t .............. skipped: test_tls13alerts needs the sock feature enabled 70-test_tls13cookie.t .............. skipped: test_tls13cookie needs the sock feature enabled 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs the sock feature enabled 70-test_tls13hrr.t ................. skipped: test_tls13hrr needs the sock feature enabled 70-test_tls13kexmodes.t ............ skipped: test_tls13kexmodes needs the sock feature enabled 70-test_tls13messages.t ............ skipped: test_tls13messages needs the sock feature enabled 70-test_tls13psk.t ................. skipped: test_tls13psk needs the sock feature enabled 70-test_tlsextms.t ................. skipped: test_tlsextms needs the sock feature enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok Label not found for "last SKIP" at /usr/share/perl/5.30/Test/More.pm line 1372. # Looks like your test exited with 1 just after 5.80-test_cmp_http.t ................. Dubious, test returned 1 (wstat 256, 0x100) All 5 subtests passed (less 5 skipped subtests: 0 okay) # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... skipped: No DTLS protocols are supported by this OpenSSL build 80-test_dtls_mtu.t ................. skipped: test_dtls_mtu needs DTLS and PSK support enabled 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 256 Tests: 5 Failed: 0) Non-zero exit status: 1 Files=231, Tests=3074, 830 wallclock secs (10.90 usr 1.21 sys + 753.91 cusr 81.18 csys = 847.20 CPU) Result: FAIL make[1]: *** [Makefile:3262: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-sock' make: *** [Makefile:3259: tests] Error 2 From mark at openssl.org Tue Feb 16 15:21:43 2021 From: mark at openssl.org (Mark J. Cox) Date: Tue, 16 Feb 2021 15:21:43 +0000 Subject: [web] master update Message-ID: <1613488903.140123.19952.nullmailer@dev.openssl.org> The branch master has been updated via 3529993430cd665987db1ade8fa5e6f17fd9fdc7 (commit) via 0c8d22bbae92c7e78477d4dadadc2bc18c3cfbbf (commit) via c6cf36f015984e82e43de865b8f8103066a77c66 (commit) via 90bc2ffebb6e01e9a7820c13402a8249193e6448 (commit) via 628bbe846b437aba16656c25124294ae90196f53 (commit) via bc3baf2162d6eef8641c165eb70a9586c10a8020 (commit) via 3c797992c0d01f715efe0054c7ef7231fb292591 (commit) via 88a68140e52e169a828a5ef3f6ad6dbcd4f7f70b (commit) via f560958e29b058b606d3a3d665d564ad8a62f751 (commit) via a142c42643d6e8730a8c5948e19940677ee29b77 (commit) via c3555349fb3e1ca3c75e9677a05ece12f2ff644f (commit) via 5a4fd513a1e740b94dff9e051d2fd4e8110f997c (commit) via 635083bad80b21081f78fd0c5acef55afe87d73f (commit) via 3525d32ba43b960dda576cc55e0161ba773b3ec5 (commit) via 96fc8427dab3f7cdfe5175e6422e0c6c9339b308 (commit) via fa82509a79ae0b7c6b6b3aa4834fea358740e135 (commit) via a03ba3426aeae4e9fd7a9abfabba38e90bfe2cfe (commit) via c04f0bfc85bb789d66f9a8f2d4729a148088db4d (commit) via 704484cedfcc60d48b42d28ed8aa3f0464193ee0 (commit) via 5080a36b15ca1a0bd2ebfafbc288fb87422dfc09 (commit) via 9b1da3db16d5e0691137750c8f6850b02068cff0 (commit) via b9af396e59d0832d0e3523a38ce16c16ee3b8940 (commit) via 59c90242b6bf73f9f2c463389258e13dfa120595 (commit) via 30177d15c80f2170bfed542f131edd56397ed03a (commit) via e4f869c1b2d97b1efb9bfbb4e38ff9e7762a61d0 (commit) via cee36dc9d608462c45fff3ad7f280a301c02b34d (commit) from d2b610bc453351c8b9dd50a7da2c2fcbe03c58d5 (commit) - Log ----------------------------------------------------------------- commit 3529993430cd665987db1ade8fa5e6f17fd9fdc7 Merge: 0c8d22b c6cf36f Author: Mark J. Cox Date: Tue Feb 16 15:15:10 2021 +0000 Merge pull request #217 from iamamoose/sponsor Add new bronze level github sponsor commit 0c8d22bbae92c7e78477d4dadadc2bc18c3cfbbf Merge: d2b610b 90bc2ff Author: Mark J. Cox Date: Tue Feb 16 14:57:14 2021 +0000 Merge branch 'master' of github.com:iamamoose/openssl-web commit c6cf36f015984e82e43de865b8f8103066a77c66 Author: Mark J. Cox Date: Tue Feb 16 14:51:33 2021 +0000 Add new bronze level github sponsor commit 90bc2ffebb6e01e9a7820c13402a8249193e6448 Merge: 628bbe8 32ac25c Author: Mark J. Cox Date: Mon Jan 4 15:53:49 2021 +0000 Merge remote-tracking branch 'gh/master' commit 628bbe846b437aba16656c25124294ae90196f53 Merge: bc3baf2 0689c52 Author: Mark J. Cox Date: Mon Jan 4 15:51:30 2021 +0000 Merge remote-tracking branch 'site/master' commit bc3baf2162d6eef8641c165eb70a9586c10a8020 Author: Mark J. Cox Date: Mon Jan 4 15:29:11 2021 +0000 Update the Sponsorship page to remove sponsorships that have lapsed and add a link to recognise the GitHub Sponsors commit 3c797992c0d01f715efe0054c7ef7231fb292591 Author: Matt Caswell Date: Tue Dec 8 13:45:19 2020 +0000 Commits for new releases Reviewed-by: Richard Levitte commit 88a68140e52e169a828a5ef3f6ad6dbcd4f7f70b Author: Matt Caswell Date: Thu Nov 26 15:03:27 2020 +0000 Update newsflash for new release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/208) commit f560958e29b058b606d3a3d665d564ad8a62f751 Author: Pauli Date: Fri Nov 6 22:52:00 2020 +1000 by laws: remove the necessity for the OMC to invite committers and OTC members. It would be better if these invitations come from the OTC which does the nominations. Reviewed-by: Matt Caswell Reviewed-by: Mark J. Cox Reviewed-by: Tim Hudson Reviewed-by: Kurt Roeckx Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/207) commit a142c42643d6e8730a8c5948e19940677ee29b77 Author: Dr. Matthias St. Pierre Date: Thu Oct 1 18:13:22 2020 +0200 policies/sidebar: add link to OpenSSL Technical Policies Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/199) commit c3555349fb3e1ca3c75e9677a05ece12f2ff644f Author: Pauli Date: Thu Nov 5 09:54:17 2020 +1000 Merge SHA2 entries in FIPS table Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/205) commit 5a4fd513a1e740b94dff9e051d2fd4e8110f997c Author: Pauli Date: Thu Nov 5 09:30:22 2020 +1000 3.0 design: remove the SP 800-90 entropy testing entry. Due to rules changes, this will not be happening. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/205) commit 635083bad80b21081f78fd0c5acef55afe87d73f Author: Pauli Date: Thu Nov 5 09:29:45 2020 +1000 3.0 design: remove the compliance column. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/205) commit 3525d32ba43b960dda576cc55e0161ba773b3ec5 Author: Matt Caswell Date: Thu Nov 5 14:18:34 2020 +0000 Update newsflash for alpha 8 release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/206) commit 96fc8427dab3f7cdfe5175e6422e0c6c9339b308 Author: Pauli Date: Wed Nov 4 10:50:24 2020 +1000 Remove the TLS fixes items for CBC and key agreement. Both of these have been completed and are no longer relevant FIPS related work. Neither is a FIPS algorithm in of itself. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/204) commit fa82509a79ae0b7c6b6b3aa4834fea358740e135 Author: Pauli Date: Wed Nov 4 10:49:25 2020 +1000 Update FIPS algorithm list to indicate compliance. The algorithms are now compliant, indicate this in the table. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/204) commit a03ba3426aeae4e9fd7a9abfabba38e90bfe2cfe Author: Pauli Date: Wed Nov 4 10:43:21 2020 +1000 Update FIPS algorithm list. Some additional algorithms have been added to the FIPS validation. Reflect this in the appendix. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/204) commit c04f0bfc85bb789d66f9a8f2d4729a148088db4d Author: Matt Caswell Date: Wed Oct 21 11:49:29 2020 +0100 Add link to blog post about alpha7 Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/web/pull/203) commit 704484cedfcc60d48b42d28ed8aa3f0464193ee0 Author: Matt Caswell Date: Thu Oct 15 14:23:01 2020 +0100 Update newsflash for alpha7 release Reviewed-by: Mark J. Cox Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/202) commit 5080a36b15ca1a0bd2ebfafbc288fb87422dfc09 Author: Pauli Date: Fri Oct 9 07:52:12 2020 +1000 Add Siemens to the list of companies that support the project by donating employee time. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/200) commit 9b1da3db16d5e0691137750c8f6850b02068cff0 Author: Dr. Matthias St. Pierre Date: Tue Sep 29 22:56:43 2020 +0200 otc-policies: Add 'Voting Procedure' section Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/198) commit b9af396e59d0832d0e3523a38ce16c16ee3b8940 Author: Dr. Matthias St. Pierre Date: Tue Sep 29 22:46:41 2020 +0200 otc-policies: Add an 'OpenSSL Technical Polices' page This document lists the technical policies and procedures established by the OTC based on the project bylaws and the requirements specified by the OMC. commit 59c90242b6bf73f9f2c463389258e13dfa120595 Author: Matt Caswell Date: Tue Jun 16 10:33:46 2020 +0100 Update the Release schedule in the release strategy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/184) commit 30177d15c80f2170bfed542f131edd56397ed03a Author: Matt Caswell Date: Wed Jun 10 09:18:01 2020 +0100 CLA page clarifications Fix a typo and clarify we require CLAs from all original authors. Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/183) commit e4f869c1b2d97b1efb9bfbb4e38ff9e7762a61d0 Author: Matt Caswell Date: Mon Sep 14 11:26:49 2020 +0100 Add a new section to the Coding Style about argument ordering We also add a section about how to extend existing functions. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/195) commit cee36dc9d608462c45fff3ad7f280a301c02b34d Author: Matt Caswell Date: Tue Sep 22 14:05:56 2020 +0100 Updates for the 1.1.1h release Reviewed-by: Mark J. Cox Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/web/pull/196) ----------------------------------------------------------------------- Summary of changes: support/acks.html | 1 + 1 file changed, 1 insertion(+) diff --git a/support/acks.html b/support/acks.html index f3c75d2..3bce679 100644 --- a/support/acks.html +++ b/support/acks.html @@ -40,6 +40,7 @@

Bronze:

From matt at openssl.org Tue Feb 16 15:54:14 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 16 Feb 2021 15:54:14 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1613490854.765024.14729.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 97149c8219189c1bb61d36bfcd511956caeb4771 (commit) via 52c587d60be67c337364b830dd3fdc15404a2f04 (commit) via 2b2e3106fc57b810d91221aef4c4c39a8afd97c3 (commit) via 8b02603cedc8fbdf9901aa2cc71877c28adbcaf2 (commit) via 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 (commit) via 481a88f13c44996a008195791ea0dc076b968774 (commit) via 901f1ef7dacb6b3bde63233a1f623e1fa2f0f058 (commit) via 16c15c7a5484b341c6647f9f7b4ff3f9dadb5701 (commit) via df1defb809df14bf7ff7aab8532f6e4a7a5235cf (commit) via 122a19ab48091c657f7cb1fb3af9fc07bd557bbf (commit) from c8c6e7438c03b2fc24e7ead460feeaef04911fb4 (commit) - Log ----------------------------------------------------------------- commit 97149c8219189c1bb61d36bfcd511956caeb4771 Author: Matt Caswell Date: Tue Feb 16 15:24:11 2021 +0000 Prepare for 1.1.1k-dev Reviewed-by: Richard Levitte commit 52c587d60be67c337364b830dd3fdc15404a2f04 Author: Matt Caswell Date: Tue Feb 16 15:24:01 2021 +0000 Prepare for 1.1.1j release Reviewed-by: Richard Levitte commit 2b2e3106fc57b810d91221aef4c4c39a8afd97c3 Author: Matt Caswell Date: Tue Feb 16 15:04:45 2021 +0000 Update copyright year Reviewed-by: Richard Levitte commit 8b02603cedc8fbdf9901aa2cc71877c28adbcaf2 Author: Matt Caswell Date: Tue Feb 16 12:17:04 2021 +0000 Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte commit 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Author: Matt Caswell Date: Tue Feb 2 17:17:23 2021 +0000 Don't overflow the output length in EVP_CipherUpdate calls CVE-2021-23840 Reviewed-by: Paul Dale commit 481a88f13c44996a008195791ea0dc076b968774 Author: Matt Caswell Date: Fri Jan 22 16:50:11 2021 +0000 Fix rsa_test to properly test RSA_SSLV23_PADDING We test all three cases: - An SSLv2 only client talking to a TLS capable server - A TLS capable client talking to an SSLv2 only server - A TLS capable client talking to a TLS capable server (should fail due to detecting a rollback attack) Reviewed-by: Paul Dale commit 901f1ef7dacb6b3bde63233a1f623e1fa2f0f058 Author: Matt Caswell Date: Fri Jan 22 16:38:50 2021 +0000 Fix the RSA_SSLV23_PADDING padding type This also fixes the public function RSA_padding_check_SSLv23. Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23 so that padding is rejected if the nul delimiter byte is not immediately preceded by at least 8 bytes containing 0x03. Prior to that commit the padding is rejected if it *is* preceded by at least 8 bytes containing 0x03. Presumably this change was made to be consistent with what it says in appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the original behaviour was correct. This is fixed in later errata issued for that RFC. This has no impact on libssl for modern versions of OpenSSL because there is no protocol support for SSLv2 in these versions. However applications that call RSA_paddin_check_SSLv23 directly, or use the RSA_SSLV23_PADDING mode may still be impacted. The effect of the original error is that an RSA message encrypted by an SSLv2 only client will fail to be decrypted properly by a TLS capable server, or a message encrypted by a TLS capable client will fail to decrypt on an SSLv2 only server. Most significantly an RSA message encrypted by a TLS capable client will be successfully decrypted by a TLS capable server. This last case should fail due to a rollback being detected. Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting this issue. CVE-2021-23839 Reviewed-by: Paul Dale commit 16c15c7a5484b341c6647f9f7b4ff3f9dadb5701 Author: Matt Caswell Date: Fri Jan 22 15:49:31 2021 +0000 Refactor rsa_test Reduce code copying by factoring out common code into a separate function. Reviewed-by: Paul Dale commit df1defb809df14bf7ff7aab8532f6e4a7a5235cf Author: Matt Caswell Date: Wed Feb 10 16:36:57 2021 +0000 Test that X509_issuer_and_serial_hash doesn't crash Provide a certificate with a bad issuer and check that X509_issuer_and_serial_hash doesn't crash. Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (cherry picked from commit 55869f594f052561b11a2db6a7c42690051868de) commit 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Author: Matt Caswell Date: Wed Feb 10 16:10:36 2021 +0000 Fix Null pointer deref in X509_issuer_and_serial_hash() The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. CVE-2021-23841 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0) ----------------------------------------------------------------------- Summary of changes: CHANGES | 33 ++++++- Configure | 2 +- NEWS | 12 ++- README | 2 +- apps/ca.c | 2 +- crypto/armcap.c | 2 +- crypto/conf/conf_def.c | 2 +- crypto/dh/dh_key.c | 2 +- crypto/err/openssl.txt | 3 +- crypto/evp/evp_enc.c | 27 ++++++ crypto/evp/evp_err.c | 4 +- crypto/poly1305/asm/poly1305-armv4.pl | 2 +- crypto/ppccap.c | 2 +- crypto/rsa/rsa_ssl.c | 10 +- crypto/srp/srp_lib.c | 2 +- crypto/x509/x509_cmp.c | 4 +- crypto/x509/x509_vfy.c | 2 +- crypto/x509/x_all.c | 2 +- crypto/x509v3/v3_purp.c | 2 +- doc/man1/ca.pod | 2 +- doc/man1/cms.pod | 2 +- doc/man1/crl2pkcs7.pod | 2 +- doc/man1/dgst.pod | 2 +- doc/man1/dsa.pod | 2 +- doc/man1/ec.pod | 2 +- doc/man1/enc.pod | 2 +- doc/man1/genpkey.pod | 2 +- doc/man1/genrsa.pod | 2 +- doc/man1/pkcs12.pod | 2 +- doc/man1/pkcs8.pod | 2 +- doc/man1/pkey.pod | 2 +- doc/man1/pkeyutl.pod | 2 +- doc/man1/req.pod | 2 +- doc/man1/rsa.pod | 2 +- doc/man1/s_client.pod | 2 +- doc/man1/s_server.pod | 2 +- doc/man1/smime.pod | 2 +- doc/man1/spkac.pod | 2 +- doc/man1/storeutl.pod | 2 +- doc/man1/ts.pod | 2 +- doc/man1/x509.pod | 2 +- doc/man3/DH_generate_key.pod | 2 +- doc/man3/X509_get_extension_flags.pod | 2 +- .../x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 | Bin 0 -> 356852 bytes fuzz/x509.c | 2 + include/openssl/evperr.h | 7 +- include/openssl/opensslv.h | 4 +- include/openssl/x509v3.h | 2 +- ssl/d1_lib.c | 2 +- ssl/record/rec_layer_d1.c | 2 +- ssl/ssl_local.h | 2 +- ssl/statem/extensions.c | 2 +- ssl/statem/statem_clnt.c | 2 +- test/certs/mkcert.sh | 2 +- test/recipes/25-test_verify.t | 2 +- test/recipes/70-test_verify_extra.t | 2 +- test/recipes/80-test_x509aux.t | 2 +- test/rsa_test.c | 105 +++++++++------------ test/verify_extra_test.c | 2 +- test/x509aux.c | 2 +- 60 files changed, 187 insertions(+), 120 deletions(-) create mode 100644 fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 diff --git a/CHANGES b/CHANGES index ba224c45cd..8c2b701311 100644 --- a/CHANGES +++ b/CHANGES @@ -7,9 +7,38 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.1.1i and 1.1.1j [xx XXX xxxx] + Changes between 1.1.1j and 1.1.1k [xx XXX xxxx] - *) Fixed SRP_Calc_client_key so that it uses constant time. The previous + *) + + Changes between 1.1.1i and 1.1.1j [16 Feb 2021] + + *) Fixed the X509_issuer_and_serial_hash() function. It attempts to + create a unique hash value based on the issuer and serial number data + contained within an X509 certificate. However it was failing to correctly + handle any errors that may occur while parsing the issuer field (which might + occur if the issuer field is maliciously constructed). This may subsequently + result in a NULL pointer deref and a crash leading to a potential denial of + service attack. + (CVE-2021-23841) + [Matt Caswell] + + *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks. This is considered a + bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is + CVE-2021-23839. + [Matt Caswell] + + *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate + functions. Previously they could overflow the output length argument in some + cases where the input length is close to the maximum permissable length for + an integer on the platform. In such cases the return value from the function + call would be 1 (indicating success), but the output length value would be + negative. This could cause applications to behave incorrectly or crash. + (CVE-2021-23840) + [Matt Caswell] + + *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL diff --git a/Configure b/Configure index 3173503b76..b286dd0678 100755 --- a/Configure +++ b/Configure @@ -1,6 +1,6 @@ #! /usr/bin/env perl # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/NEWS b/NEWS index 55ffce8ea3..7e1cdf94e0 100644 --- a/NEWS +++ b/NEWS @@ -5,10 +5,20 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [under development] + Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [under development] o + Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] + + o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() + function (CVE-2021-23841) + o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks + o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and + EVP_DecryptUpdate functions (CVE-2021-23840) + o Fixed SRP_Calc_client_key so that it runs in constant time + Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) diff --git a/README b/README index d52dcf1bc5..98ad8a356a 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.1.1j-dev + OpenSSL 1.1.1k-dev Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/apps/ca.c b/apps/ca.c index 3346042aa8..390ac37493 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/armcap.c b/crypto/armcap.c index 53c2855883..8bf96f1021 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index c097ec1286..31c02cc49e 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index ccf51b3546..117f2fa883 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 815460b24f..7e1776375d 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2283,6 +2283,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ operation not supported for this keytype EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized +EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PBKDF2_ERROR:181:pbkdf2 error EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index b9b6490fe0..0843caf4f0 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -8,6 +8,7 @@ */ #include +#include #include #include "internal/cryptlib.h" #include @@ -355,6 +356,19 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, return 1; } else { j = bl - i; + + /* + * Once we've processed the first j bytes from in, the amount of + * data left that is a multiple of the block length is: + * (inl - j) & ~(bl - 1) + * We must ensure that this amount of data, plus the one block that + * we process from ctx->buf does not exceed INT_MAX + */ + if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { + EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, + EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j; @@ -502,6 +516,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); return 0; } + /* + * final_used is only ever set if buf_len is 0. Therefore the maximum + * length output we will ever see from evp_EncryptDecryptUpdate is + * the maximum multiple of the block length that is <= inl, or just: + * inl & ~(b - 1) + * Since final_used has been set then the final output length is: + * (inl & ~(b - 1)) + b + * This must never exceed INT_MAX + */ + if ((inl & ~(b - 1)) > INT_MAX - b) { + EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(out, ctx->final, b); out += b; fix_len = 1; diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 05481d827f..32ac0125de 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -239,6 +239,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), + "output would overflow"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), "partially overlapping buffers"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, diff --git a/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/poly1305/asm/poly1305-armv4.pl index 0a4fe55d98..70f46cd140 100755 --- a/crypto/poly1305/asm/poly1305-armv4.pl +++ b/crypto/poly1305/asm/poly1305-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ppccap.c b/crypto/ppccap.c index 1d62226965..e51156468a 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c @@ -1,5 +1,5 @@ /* - * Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index 1f155be175..ecdb3cee1f 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -122,7 +122,13 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_ge(threes_in_row, 8); + /* + * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note + * that RFC5246 incorrectly states this the other way around, i.e. reject + * if it is not preceded by 8 consecutive 0x03 bytes. However this is + * corrected in subsequent errata for that RFC. + */ + good &= constant_time_lt(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index 0cefbfa910..ce3504825c 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index c9d8933640..1d8d2d7b28 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,6 +39,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) if (ctx == NULL) goto err; f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); + if (f == NULL) + goto err; if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) goto err; if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 883c6d7118..0c71b2e8b4 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index bec850af57..a4e9cdaee8 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 3f5ce5c91c..a1aeb4e4c6 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index 39726b7ae6..4380d869ea 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod @@ -759,7 +759,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod index e9c35cb2d1..2caf3ef4d1 100644 --- a/doc/man1/cms.pod +++ b/doc/man1/cms.pod @@ -735,7 +735,7 @@ The -no_alt_chains option was added in OpenSSL 1.0.2b. =head1 COPYRIGHT -Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/crl2pkcs7.pod b/doc/man1/crl2pkcs7.pod index 681145e77d..3fcb737b70 100644 --- a/doc/man1/crl2pkcs7.pod +++ b/doc/man1/crl2pkcs7.pod @@ -96,7 +96,7 @@ L =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/dgst.pod b/doc/man1/dgst.pod index 155c971081..8d48c9aed6 100644 --- a/doc/man1/dgst.pod +++ b/doc/man1/dgst.pod @@ -241,7 +241,7 @@ The FIPS-related options were removed in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/dsa.pod b/doc/man1/dsa.pod index 39c2dbd122..752c22063e 100644 --- a/doc/man1/dsa.pod +++ b/doc/man1/dsa.pod @@ -172,7 +172,7 @@ L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/ec.pod b/doc/man1/ec.pod index 776fbc7359..41ffc6cb63 100644 --- a/doc/man1/ec.pod +++ b/doc/man1/ec.pod @@ -193,7 +193,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2003-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod index 621ad4b1b2..3c7b6c42ea 100644 --- a/doc/man1/enc.pod +++ b/doc/man1/enc.pod @@ -428,7 +428,7 @@ The B<-list> option was added in OpenSSL 1.1.1e. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod index 3a2b46f2b9..6a681ef3d2 100644 --- a/doc/man1/genpkey.pod +++ b/doc/man1/genpkey.pod @@ -325,7 +325,7 @@ The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/genrsa.pod b/doc/man1/genrsa.pod index 023081ce8b..8bd3799ea9 100644 --- a/doc/man1/genrsa.pod +++ b/doc/man1/genrsa.pod @@ -118,7 +118,7 @@ L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod index c1a3cee050..ac0397a945 100644 --- a/doc/man1/pkcs12.pod +++ b/doc/man1/pkcs12.pod @@ -379,7 +379,7 @@ L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkcs8.pod b/doc/man1/pkcs8.pod index ff7dfe4c09..dba75fc8d4 100644 --- a/doc/man1/pkcs8.pod +++ b/doc/man1/pkcs8.pod @@ -309,7 +309,7 @@ The B<-iter> option was added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkey.pod b/doc/man1/pkey.pod index 762811be0a..1c29092793 100644 --- a/doc/man1/pkey.pod +++ b/doc/man1/pkey.pod @@ -158,7 +158,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod index 6a26838fc6..3b350efadd 100644 --- a/doc/man1/pkeyutl.pod +++ b/doc/man1/pkeyutl.pod @@ -327,7 +327,7 @@ L, L =head1 COPYRIGHT -Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/req.pod b/doc/man1/req.pod index dc2db3db3c..539b843803 100644 --- a/doc/man1/req.pod +++ b/doc/man1/req.pod @@ -695,7 +695,7 @@ L =head1 COPYRIGHT -Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/rsa.pod b/doc/man1/rsa.pod index 089e0080b4..fddd828b9f 100644 --- a/doc/man1/rsa.pod +++ b/doc/man1/rsa.pod @@ -195,7 +195,7 @@ L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 0224541d74..743b2db2ba 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -828,7 +828,7 @@ The B<-name> option was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index 968d0eac03..9fdac49190 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -845,7 +845,7 @@ The =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/smime.pod b/doc/man1/smime.pod index dead874286..bf40d04cae 100644 --- a/doc/man1/smime.pod +++ b/doc/man1/smime.pod @@ -514,7 +514,7 @@ The -no_alt_chains option was added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/spkac.pod b/doc/man1/spkac.pod index 2cc2089ff3..87e1b4bbca 100644 --- a/doc/man1/spkac.pod +++ b/doc/man1/spkac.pod @@ -145,7 +145,7 @@ L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/storeutl.pod b/doc/man1/storeutl.pod index bbd14928b5..3d2cb60bdc 100644 --- a/doc/man1/storeutl.pod +++ b/doc/man1/storeutl.pod @@ -123,7 +123,7 @@ The B B app was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod index b7038adfc1..9e1ffd5d08 100644 --- a/doc/man1/ts.pod +++ b/doc/man1/ts.pod @@ -665,7 +665,7 @@ L =head1 COPYRIGHT -Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 12b1243739..3c9b2f2263 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -932,7 +932,7 @@ the old form must have their links rebuilt using B or similar. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/DH_generate_key.pod b/doc/man3/DH_generate_key.pod index fab14d77e8..72726661a1 100644 --- a/doc/man3/DH_generate_key.pod +++ b/doc/man3/DH_generate_key.pod @@ -61,7 +61,7 @@ DH_compute_key_padded() was added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod index cca72c71fc..d958b22a48 100644 --- a/doc/man3/X509_get_extension_flags.pod +++ b/doc/man3/X509_get_extension_flags.pod @@ -199,7 +199,7 @@ X509_get_proxy_pathlen() were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 b/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 new file mode 100644 index 0000000000..439c50b013 Binary files /dev/null and b/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 differ diff --git a/fuzz/x509.c b/fuzz/x509.c index 926287da48..1a20ca21db 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -37,6 +37,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) X509_print(bio, x509); BIO_free(bio); + X509_issuer_and_serial_hash(x509); + i2d_X509(x509, &der); OPENSSL_free(der); diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index d2b26ea582..b4ea90ae9d 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,9 +11,7 @@ #ifndef HEADER_EVPERR_H # define HEADER_EVPERR_H -# ifndef HEADER_SYMHACKS_H -# include -# endif +# include # ifdef __cplusplus extern "C" @@ -179,6 +177,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 +# define EVP_R_OUTPUT_WOULD_OVERFLOW 184 # define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PBKDF2_ERROR 181 # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index e91b43bffe..48c54fe673 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x101010a0L -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1j-dev xx XXX xxxx" +# define OPENSSL_VERSION_NUMBER 0x101010b0L +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k-dev xx XXX xxxx" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index b9a8943273..90fa3592ce 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 8874bed353..afbf015216 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index d0cb72d757..78d29594c6 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 3f02751dde..8c3542a542 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index e24b1b0e4d..9f51a6eb28 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d68cd1f9d7..d84cc0460f 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index 2126c4fcfe..d8e7042391 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -1,6 +1,6 @@ #! /bin/bash # -# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # Copyright (c) 2016 Viktor Dukhovni . # All rights reserved. # diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 070c8e2245..96b559e5c9 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_verify_extra.t b/test/recipes/70-test_verify_extra.t index e3bdcbaaf9..8c7c9576ce 100644 --- a/test/recipes/70-test_verify_extra.t +++ b/test/recipes/70-test_verify_extra.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/80-test_x509aux.t b/test/recipes/80-test_x509aux.t index 30adf25257..4c3cefc45c 100644 --- a/test/recipes/80-test_x509aux.t +++ b/test/recipes/80-test_x509aux.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/rsa_test.c b/test/rsa_test.c index 84d62f00d5..11e373cceb 100644 --- a/test/rsa_test.c +++ b/test/rsa_test.c @@ -42,7 +42,8 @@ int setup_tests(void) BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \ BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \ BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); \ - memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \ + if (c != NULL) \ + memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \ return sizeof(ctext_ex) - 1; static int key1(RSA *key, unsigned char *c) @@ -211,16 +212,7 @@ static int key3(RSA *key, unsigned char *c) SetKey; } -static int pad_unknown(void) -{ - unsigned long l; - while ((l = ERR_get_error()) != 0) - if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE) - return 1; - return 0; -} - -static int rsa_setkey(RSA** key, unsigned char* ctext, int idx) +static int rsa_setkey(RSA** key, unsigned char *ctext, int idx) { int clen = 0; @@ -240,63 +232,72 @@ static int rsa_setkey(RSA** key, unsigned char* ctext, int idx) return clen; } -static int test_rsa_pkcs1(int idx) +static int test_rsa_simple(int idx, int en_pad_type, int de_pad_type, + int success, unsigned char *ctext_ex, int *clen, + RSA **retkey) { int ret = 0; RSA *key; unsigned char ptext[256]; unsigned char ctext[256]; static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; - unsigned char ctext_ex[256]; int plen; - int clen = 0; + int clentmp = 0; int num; plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); + clentmp = rsa_setkey(&key, ctext_ex, idx); + if (clen != NULL) + *clen = clentmp; - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_PKCS1_PADDING); - if (!TEST_int_eq(num, clen)) + num = RSA_public_encrypt(plen, ptext_ex, ctext, key, en_pad_type); + if (!TEST_int_eq(num, clentmp)) goto err; - num = RSA_private_decrypt(num, ctext, ptext, key, RSA_PKCS1_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + num = RSA_private_decrypt(num, ctext, ptext, key, de_pad_type); + if (success) { + if (!TEST_int_gt(num, 0) || !TEST_mem_eq(ptext, num, ptext_ex, plen)) + goto err; + } else { + if (!TEST_int_lt(num, 0)) + goto err; + } ret = 1; + if (retkey != NULL) { + *retkey = key; + key = NULL; + } err: RSA_free(key); return ret; } +static int test_rsa_pkcs1(int idx) +{ + return test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_PKCS1_PADDING, 1, NULL, + NULL, NULL); +} + static int test_rsa_sslv23(int idx) { - int ret = 0; - RSA *key; - unsigned char ptext[256]; - unsigned char ctext[256]; - static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; - unsigned char ctext_ex[256]; - int plen; - int clen = 0; - int num; + int ret; - plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); + /* Simulate an SSLv2 only client talking to a TLS capable server */ + ret = test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_SSLV23_PADDING, 1, NULL, + NULL, NULL); - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_SSLV23_PADDING); - if (!TEST_int_eq(num, clen)) - goto err; + /* Simulate a TLS capable client talking to an SSLv2 only server */ + ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_PKCS1_PADDING, 1, NULL, + NULL, NULL); - num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + /* + * Simulate a TLS capable client talking to a TLS capable server. Should + * fail due to detecting a rollback attack. + */ + ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_SSLV23_PADDING, 0, NULL, + NULL, NULL); - ret = 1; -err: - RSA_free(key); return ret; } @@ -313,28 +314,16 @@ static int test_rsa_oaep(int idx) int num; int n; - plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); - - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_PKCS1_OAEP_PADDING); - if (num == -1 && pad_unknown()) { - TEST_info("Skipping: No OAEP support"); - ret = 1; - goto err; - } - if (!TEST_int_eq(num, clen)) + if (!test_rsa_simple(idx, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_OAEP_PADDING, 1, + ctext_ex, &clen, &key)) goto err; - num = RSA_private_decrypt(num, ctext, ptext, key, - RSA_PKCS1_OAEP_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + plen = sizeof(ptext_ex) - 1; /* Different ciphertexts. Try decrypting ctext_ex */ num = RSA_private_decrypt(clen, ctext_ex, ptext, key, RSA_PKCS1_OAEP_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) + if (num <= 0 || !TEST_mem_eq(ptext, num, ptext_ex, plen)) goto err; /* Try decrypting corrupted ciphertexts. */ diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index 18f785ab8b..010403e74a 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/x509aux.c b/test/x509aux.c index 78013f23ae..dee1b40e8c 100644 --- a/test/x509aux.c +++ b/test/x509aux.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL licenses, (the "License"); * you may not use this file except in compliance with the License. From matt at openssl.org Tue Feb 16 15:54:28 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 16 Feb 2021 15:54:28 +0000 Subject: [openssl] master update Message-ID: <1613490868.708918.16090.nullmailer@dev.openssl.org> The branch master has been updated via c913dbd7168393f7eab0dd6132d0d2581dd9e485 (commit) via c9fb704cf3af5524eb8e79961e31b60eee8c3c47 (commit) via c1ddd392cf9737c09c1f9bf690adfbe596403c5e (commit) via d9461cbe87b91fec98c4ab99a6f47621390e4aa2 (commit) via 4357b6174a165f43e5627eb587595f36c4156e4a (commit) via 55869f594f052561b11a2db6a7c42690051868de (commit) via 8130d654d1de922ea224fa18ee3bc7262edc39c0 (commit) from c9e955dd50f30f46555ff837b0bbae63433cef40 (commit) - Log ----------------------------------------------------------------- commit c913dbd7168393f7eab0dd6132d0d2581dd9e485 Author: Matt Caswell Date: Tue Feb 16 12:04:52 2021 +0000 Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte commit c9fb704cf3af5524eb8e79961e31b60eee8c3c47 Author: Matt Caswell Date: Tue Feb 2 17:17:23 2021 +0000 Don't overflow the output length in EVP_CipherUpdate calls CVE-2021-23840 Reviewed-by: Paul Dale commit c1ddd392cf9737c09c1f9bf690adfbe596403c5e Author: Matt Caswell Date: Fri Jan 22 16:50:11 2021 +0000 Fix rsa_test to properly test RSA_SSLV23_PADDING We test all three cases: - An SSLv2 only client talking to a TLS capable server - A TLS capable client talking to an SSLv2 only server - A TLS capable client talking to a TLS capable server (should fail due to detecting a rollback attack) Reviewed-by: Paul Dale commit d9461cbe87b91fec98c4ab99a6f47621390e4aa2 Author: Matt Caswell Date: Fri Jan 22 16:38:50 2021 +0000 Fix the RSA_SSLV23_PADDING padding type This also fixes the public function RSA_padding_check_SSLv23. Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23 so that padding is rejected if the nul delimiter byte is not immediately preceded by at least 8 bytes containing 0x03. Prior to that commit the padding is rejected if it *is* preceded by at least 8 bytes containing 0x03. Presumably this change was made to be consistent with what it says in appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the original behaviour was correct. This is fixed in later errata issued for that RFC. This has no impact on libssl for modern versions of OpenSSL because there is no protocol support for SSLv2 in these versions. However applications that call RSA_paddin_check_SSLv23 directly, or use the RSA_SSLV23_PADDING mode may still be impacted. The effect of the original error is that an RSA message encrypted by an SSLv2 only client will fail to be decrypted properly by a TLS capable server, or a message encrypted by a TLS capable client will fail to decrypt on an SSLv2 only server. Most significantly an RSA message encrypted by a TLS capable client will be successfully decrypted by a TLS capable server. This last case should fail due to a rollback being detected. Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting this issue. CVE-2021-23839 Reviewed-by: Paul Dale commit 4357b6174a165f43e5627eb587595f36c4156e4a Author: Matt Caswell Date: Fri Jan 22 15:49:31 2021 +0000 Refactor rsa_test Reduce code copying by factoring out common code into a separate function. Reviewed-by: Paul Dale commit 55869f594f052561b11a2db6a7c42690051868de Author: Matt Caswell Date: Wed Feb 10 16:36:57 2021 +0000 Test that X509_issuer_and_serial_hash doesn't crash Provide a certificate with a bad issuer and check that X509_issuer_and_serial_hash doesn't crash. Reviewed-by: Richard Levitte Reviewed-by: Paul Dale commit 8130d654d1de922ea224fa18ee3bc7262edc39c0 Author: Matt Caswell Date: Wed Feb 10 16:10:36 2021 +0000 Fix Null pointer deref in X509_issuer_and_serial_hash() The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. CVE-2021-23841 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 34 ++++++- NEWS.md | 14 ++- crypto/err/openssl.txt | 1 + crypto/evp/evp_enc.c | 26 +++++ crypto/evp/evp_err.c | 4 +- crypto/rsa/rsa_ssl.c | 10 +- crypto/x509/x509_cmp.c | 2 + .../x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 | Bin 0 -> 356852 bytes fuzz/x509.c | 2 + include/crypto/evperr.h | 2 +- include/openssl/evperr.h | 1 + test/rsa_test.c | 107 +++++++++------------ 12 files changed, 136 insertions(+), 67 deletions(-) create mode 100644 fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 diff --git a/CHANGES.md b/CHANGES.md index bda3c44aa1..e45cb3a1fd 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1487,9 +1487,39 @@ OpenSSL 3.0 OpenSSL 1.1.1 ------------- -### Changes between 1.1.1i and 1.1.1j [xx XXX xxxx] +### Changes between 1.1.1j and 1.1.1k [xx XXX xxxx] - * Fixed SRP_Calc_client_key so that it uses constant time. The previous +### Changes between 1.1.1i and 1.1.1j [16 Feb 2021] + + * Fixed the X509_issuer_and_serial_hash() function. It attempts to + create a unique hash value based on the issuer and serial number data + contained within an X509 certificate. However it was failing to correctly + handle any errors that may occur while parsing the issuer field (which might + occur if the issuer field is maliciously constructed). This may subsequently + result in a NULL pointer deref and a crash leading to a potential denial of + service attack. + ([CVE-2021-23841]) + + *Matt Caswell* + + * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks. This is considered a + bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is + CVE-2021-23839. + + *Matt Caswell* + + Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate + functions. Previously they could overflow the output length argument in some + cases where the input length is close to the maximum permissable length for + an integer on the platform. In such cases the return value from the function + call would be 1 (indicating success), but the output length value would be + negative. This could cause applications to behave incorrectly or crash. + ([CVE-2021-23840]) + + *Matt Caswell* + + * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL diff --git a/NEWS.md b/NEWS.md index 2028847247..342e6569f3 100644 --- a/NEWS.md +++ b/NEWS.md @@ -80,7 +80,19 @@ OpenSSL 3.0 OpenSSL 1.1.1 ------------- -### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [under development] +### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [under development] + +### Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] + + * Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() + function ([CVE-2021-23841]) + * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks + * Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and + EVP_DecryptUpdate functions ([CVE-2021-23840]) + * Fixed SRP_Calc_client_key so that it runs in constant time + +### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] * Fixed NULL pointer deref in GENERAL_NAME_cmp ([CVE-2020-1971]) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 0e4f017287..296aa6eaad 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -708,6 +708,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ operation not supported for this keytype EVP_R_OPERATON_NOT_INITIALIZED:151:operation not initialized +EVP_R_OUTPUT_WOULD_OVERFLOW:202:output would overflow EVP_R_PARAMETER_TOO_LARGE:187:parameter too large EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PBKDF2_ERROR:181:pbkdf2 error diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index b804d74914..f049cb40bb 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -11,6 +11,7 @@ #define OPENSSL_SUPPRESS_DEPRECATED #include +#include #include #include "internal/cryptlib.h" #include @@ -511,6 +512,18 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, return 1; } else { j = bl - i; + + /* + * Once we've processed the first j bytes from in, the amount of + * data left that is a multiple of the block length is: + * (inl - j) & ~(bl - 1) + * We must ensure that this amount of data, plus the one block that + * we process from ctx->buf does not exceed INT_MAX + */ + if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { + ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j; @@ -771,6 +784,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING); return 0; } + /* + * final_used is only ever set if buf_len is 0. Therefore the maximum + * length output we will ever see from evp_EncryptDecryptUpdate is + * the maximum multiple of the block length that is <= inl, or just: + * inl & ~(b - 1) + * Since final_used has been set then the final output length is: + * (inl & ~(b - 1)) + b + * This must never exceed INT_MAX + */ + if ((inl & ~(b - 1)) > INT_MAX - b) { + ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(out, ctx->final, b); out += b; fix_len = 1; diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 33e60145fe..5d9b82c289 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -137,6 +137,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), "operation not initialized"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), + "output would overflow"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE), "parameter too large"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), @@ -153,7 +155,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "set default property failure"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_MANY_RECORDS), "too many records"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_ENABLE_LOCKING), - "unable to enable parent locking"}, + "unable to enable locking"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_GET_MAXIMUM_REQUEST_SIZE), "unable to get maximum request size"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_GET_RANDOM_STRENGTH), diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index 0feef0f655..f89a083095 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -68,7 +68,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -135,7 +135,13 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_ge(threes_in_row, 8); + /* + * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note + * that RFC5246 incorrectly states this the other way around, i.e. reject + * if it is not preceded by 8 consecutive 0x03 bytes. However this is + * corrected in subsequent errata for that RFC. + */ + good &= constant_time_lt(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 8e525a3815..a74311e92d 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -44,6 +44,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) if (ctx == NULL) goto err; f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); + if (f == NULL) + goto err; if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) goto err; if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) diff --git a/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 b/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 new file mode 100644 index 0000000000..439c50b013 Binary files /dev/null and b/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 differ diff --git a/fuzz/x509.c b/fuzz/x509.c index 858ad61bbf..bf2dfb826d 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -37,6 +37,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) X509_print(bio, x509); BIO_free(bio); + X509_issuer_and_serial_hash(x509); + i2d_X509(x509, &der); OPENSSL_free(der); diff --git a/include/crypto/evperr.h b/include/crypto/evperr.h index 2bfc71ad3c..9af2e903f3 100644 --- a/include/crypto/evperr.h +++ b/include/crypto/evperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index 48aa10b84a..a96c684f1f 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -97,6 +97,7 @@ # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 +# define EVP_R_OUTPUT_WOULD_OVERFLOW 202 # define EVP_R_PARAMETER_TOO_LARGE 187 # define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PBKDF2_ERROR 181 diff --git a/test/rsa_test.c b/test/rsa_test.c index 6badbc7076..f52053bda1 100644 --- a/test/rsa_test.c +++ b/test/rsa_test.c @@ -41,9 +41,8 @@ BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \ BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \ BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); \ - if (c == NULL) \ - return 0; \ - memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \ + if (c != NULL) \ + memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \ return sizeof(ctext_ex) - 1; static int key1(RSA *key, unsigned char *c) @@ -212,16 +211,7 @@ static int key3(RSA *key, unsigned char *c) SetKey; } -static int pad_unknown(void) -{ - unsigned long l; - while ((l = ERR_get_error()) != 0) - if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE) - return 1; - return 0; -} - -static int rsa_setkey(RSA** key, unsigned char* ctext, int idx) +static int rsa_setkey(RSA** key, unsigned char *ctext, int idx) { int clen = 0; @@ -241,63 +231,72 @@ static int rsa_setkey(RSA** key, unsigned char* ctext, int idx) return clen; } -static int test_rsa_pkcs1(int idx) +static int test_rsa_simple(int idx, int en_pad_type, int de_pad_type, + int success, unsigned char *ctext_ex, int *clen, + RSA **retkey) { int ret = 0; RSA *key; unsigned char ptext[256]; unsigned char ctext[256]; static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; - unsigned char ctext_ex[256]; int plen; - int clen = 0; + int clentmp = 0; int num; plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); + clentmp = rsa_setkey(&key, ctext_ex, idx); + if (clen != NULL) + *clen = clentmp; - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_PKCS1_PADDING); - if (!TEST_int_eq(num, clen)) + num = RSA_public_encrypt(plen, ptext_ex, ctext, key, en_pad_type); + if (!TEST_int_eq(num, clentmp)) goto err; - num = RSA_private_decrypt(num, ctext, ptext, key, RSA_PKCS1_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + num = RSA_private_decrypt(num, ctext, ptext, key, de_pad_type); + if (success) { + if (!TEST_int_gt(num, 0) || !TEST_mem_eq(ptext, num, ptext_ex, plen)) + goto err; + } else { + if (!TEST_int_lt(num, 0)) + goto err; + } ret = 1; + if (retkey != NULL) { + *retkey = key; + key = NULL; + } err: RSA_free(key); return ret; } +static int test_rsa_pkcs1(int idx) +{ + return test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_PKCS1_PADDING, 1, NULL, + NULL, NULL); +} + static int test_rsa_sslv23(int idx) { - int ret = 0; - RSA *key; - unsigned char ptext[256]; - unsigned char ctext[256]; - static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; - unsigned char ctext_ex[256]; - int plen; - int clen = 0; - int num; + int ret; - plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); + /* Simulate an SSLv2 only client talking to a TLS capable server */ + ret = test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_SSLV23_PADDING, 1, NULL, + NULL, NULL); - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_SSLV23_PADDING); - if (!TEST_int_eq(num, clen)) - goto err; + /* Simulate a TLS capable client talking to an SSLv2 only server */ + ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_PKCS1_PADDING, 1, NULL, + NULL, NULL); - num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + /* + * Simulate a TLS capable client talking to a TLS capable server. Should + * fail due to detecting a rollback attack. + */ + ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_SSLV23_PADDING, 0, NULL, + NULL, NULL); - ret = 1; -err: - RSA_free(key); return ret; } @@ -314,28 +313,16 @@ static int test_rsa_oaep(int idx) int num; int n; - plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); - - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_PKCS1_OAEP_PADDING); - if (num == -1 && pad_unknown()) { - TEST_info("Skipping: No OAEP support"); - ret = 1; - goto err; - } - if (!TEST_int_eq(num, clen)) + if (!test_rsa_simple(idx, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_OAEP_PADDING, 1, + ctext_ex, &clen, &key)) goto err; - num = RSA_private_decrypt(num, ctext, ptext, key, - RSA_PKCS1_OAEP_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + plen = sizeof(ptext_ex) - 1; /* Different ciphertexts. Try decrypting ctext_ex */ num = RSA_private_decrypt(clen, ctext_ex, ptext, key, RSA_PKCS1_OAEP_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) + if (num <= 0 || !TEST_mem_eq(ptext, num, ptext_ex, plen)) goto err; /* Try decrypting corrupted ciphertexts. */ From matt at openssl.org Tue Feb 16 15:56:23 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 16 Feb 2021 15:56:23 +0000 Subject: [openssl] OpenSSL_1_1_1j create Message-ID: <1613490983.520460.26561.nullmailer@dev.openssl.org> The annotated tag OpenSSL_1_1_1j has been created at ba90f266c71a821c041c1cbc9f86c4d9788d2359 (tag) tagging 52c587d60be67c337364b830dd3fdc15404a2f04 (commit) replaces OpenSSL_1_1_1i tagged by Matt Caswell on Tue Feb 16 15:24:02 2021 +0000 - Log ----------------------------------------------------------------- OpenSSL 1.1.1j release tag -----BEGIN PGP SIGNATURE----- iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAr45IRHG1hdHRAb3Bl bnNzbC5vcmcACgkQ2cTSbQ5gRJFRuQf9EX1wQ+9PA5V6EctZrMGzfducsshhiE+G m4Rivlg1zcxZ9C2ermo1LiwaM0S6jR1Ldoh7zNV7hXLdc2HQfDof0RisN8HB2Ll5 m9WKyi2YI4jE/ROZ4BpwvLHDHDhxQcyNiSgjCAq2mghK4NWWvQ8tJEnui/cwqPVQ 8DENrVz1sDth6aVBD1HoNnVV72sonLytmxVX8FahwRK6za1wPCCRbPLbeoLkvvfT dPDFmyBdFyChHvHNPvtqWD92kKHIruxDyPGwMSH7MjkJEkqI6PHW+M+GajUbZvvU BlOoY+qYzSohNZCHPIfznTe2zmKOi/nbhzfek4nocKbLJQaPK4sPBQ== =5fK4 -----END PGP SIGNATURE----- Armin Fuerst (1): apps/ca: Properly handle certificate expiration times in do_updatedb Benjamin Kaduk (1): Remove unused 'peer_type' from SSL_SESSION Bernd Edlinger (1): Prevent creating empty folder "../apps/include" Billy Brumley (1): [crypto/dh] side channel hardening for computing DH shared keys (1.1.1) David Carlier (3): CRYPTO_secure_malloc_init: BSD support improvements. OPENSSL_cpuid_setup FreeBSD PowerPC update OPENSSL_cpuid_setup FreeBSD arm update. Dmitry Belyavskiy (1): Skip BOM when reading the config file Dr. David von Oheimb (4): Update copyright years of auto-generated headers (make update) X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert x509_vfy.c: Fix a regression in find_isser() check_sig_alg_match(): weaken sig nid comparison to base alg Dr. Matthias St. Pierre (1): Add some missing committers to the AUTHORS list Ingo Schwarze (1): Fix NULL pointer access caused by X509_ATTRIBUTE_create() Jay Satiro (1): NOTES.WIN: fix typo Matt Caswell (14): Prepare for 1.1.1j-dev Modify is_tls13_capable() to take account of the servername cb Test that we can negotiate TLSv1.3 if we have an SNI callback Ensure DTLS free functions can handle NULL Ensure SRP BN_mod_exp follows the constant time path Fix Null pointer deref in X509_issuer_and_serial_hash() Test that X509_issuer_and_serial_hash doesn't crash Refactor rsa_test Fix the RSA_SSLV23_PADDING padding type Fix rsa_test to properly test RSA_SSLV23_PADDING Don't overflow the output length in EVP_CipherUpdate calls Update CHANGES and NEWS for new release Update copyright year Prepare for 1.1.1j release Nan Xiao (1): Fix typo in OPENSSL_malloc.pod Ole Andr? Vadla Ravn?s (1): poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue Rich Salz (1): Document OCSP_REQ_CTX_i2d. Richard Levitte (7): GitHub CI: Add 'check-update' and 'check-docs' DOCS: Fix incorrect pass phrase options references Drop Travis configdata.pm: Better display of enabled/disabled options Configuration: ensure that 'no-tests' works correctly Configurations/descrip.mms.tmpl: avoid enormous PIPE commands VMS documentation fixes Sebastian Andrzej Siewior (1): Configurations: PowerPC is big endian Tim Hitchins (1): Fix typo in crl2pkcs documentation Todd Short (1): Fix -static builds Tomas Mraz (4): v3nametest: Make the gennames structure static Github CI: run also on repository pushes Fix regression in no-deprecated build CI: Add some legacy stuff that we do not test in GitHub CI yet anupamam13 (1): Fix for negative return value from `SSL_CTX_sess_accept()` ----------------------------------------------------------------------- From matt at openssl.org Tue Feb 16 15:57:32 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 16 Feb 2021 15:57:32 +0000 Subject: [web] master update Message-ID: <1613491052.146100.27784.nullmailer@dev.openssl.org> The branch master has been updated via 96fab6a7b7406a9d4334c7b8d76c9da02dc35a62 (commit) from 3529993430cd665987db1ade8fa5e6f17fd9fdc7 (commit) - Log ----------------------------------------------------------------- commit 96fab6a7b7406a9d4334c7b8d76c9da02dc35a62 Author: Matt Caswell Date: Tue Feb 16 15:47:12 2021 +0000 Updates for the new release Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + news/secadv/20210216.txt | 123 ++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 193 ++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 316 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20210216.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 176275b..16f4f7c 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +16-Feb-2021: OpenSSL 1.1.1j is now available, including bug and security fixes 28-Jan-2021: Alpha 11 of OpenSSL 3.0 is now available: please download and test it 07-Jan-2021: Alpha 10 of OpenSSL 3.0 is now available: please download and test it 08-Dec-2020: OpenSSL 1.1.1i is now available, including bug and security fixes diff --git a/news/secadv/20210216.txt b/news/secadv/20210216.txt new file mode 100644 index 0000000..bac4b39 --- /dev/null +++ b/news/secadv/20210216.txt @@ -0,0 +1,123 @@ +OpenSSL Security Advisory [16 February 2021] +============================================ + +Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841) +==================================================================== + +Severity: Moderate + +The OpenSSL public API function X509_issuer_and_serial_hash() attempts to +create a unique hash value based on the issuer and serial number data contained +within an X509 certificate. However it fails to correctly handle any errors +that may occur while parsing the issuer field (which might occur if the issuer +field is maliciously constructed). This may subsequently result in a NULL +pointer deref and a crash leading to a potential denial of service attack. + +The function X509_issuer_and_serial_hash() is never directly called by OpenSSL +itself so applications are only vulnerable if they use this function directly +and they use it on certificates that may have been obtained from untrusted +sources. + +OpenSSL versions 1.1.1i and below are affected by this issue. Users of these +versions should upgrade to OpenSSL 1.1.1j. + +OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL +1.0.2 is out of support and no longer receiving public updates. Premium support +customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade +to 1.1.1j. + +This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from +Google. The fix was developed by Matt Caswell. + +Incorrect SSLv2 rollback protection (CVE-2021-23839) +==================================================== + +Severity: Low + +OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a +server that is configured to support both SSLv2 and more recent SSL and TLS +versions then a check is made for a version rollback attack when unpadding an +RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are +supposed to use a special form of padding. A server that supports greater than +SSLv2 is supposed to reject connection attempts from a client where this special +form of padding is present, because this indicates that a version rollback has +occurred (i.e. both client and server support greater than SSLv2, and yet this +is the version that is being requested). + +The implementation of this padding check inverted the logic so that the +connection attempt is accepted if the padding is present, and rejected if it +is absent. This means that such as server will accept a connection if a version +rollback attack has occurred. Further the server will erroneously reject a +connection if a normal SSLv2 connection attempt is made. + +Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this +issue. In order to be vulnerable a 1.0.2 server must: + +1) have configured SSLv2 support at compile time (this is off by default), +2) have configured SSLv2 support at runtime (this is off by default), +3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite + list) + +OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to +this issue. The underlying error is in the implementation of the +RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING +padding mode used by various other functions. Although 1.1.1 does not support +SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the +RSA_SSLV23_PADDING padding mode. Applications that directly call that function +or use that padding mode will encounter this issue. However since there is no +support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a +security issue in that version. + +OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium +support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should +upgrade to 1.1.1j. + +This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel +Luellwitz from Trustwave. The fix was developed by Matt Caswell. + +Integer overflow in CipherUpdate (CVE-2021-23840) +================================================= + +Severity: Low + +Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow +the output length argument in some cases where the input length is close to the +maximum permissable length for an integer on the platform. In such cases the +return value from the function call will be 1 (indicating success), but the +output length value will be negative. This could cause applications to behave +incorrectly or crash. + +OpenSSL versions 1.1.1i and below are affected by this issue. Users of these +versions should upgrade to OpenSSL 1.1.1j. + +OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL +1.0.2 is out of support and no longer receiving public updates. Premium support +customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade +to 1.1.1j. + +This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix +was developed by Matt Caswell. + +Note +==== + +OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended +support is available for premium support customers: +https://www.openssl.org/support/contracts.html + +OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. +The impact of these issues on OpenSSL 1.1.0 has not been analysed. + +Users of these versions should upgrade to OpenSSL 1.1.1. + +References +========== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20210216.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 93543ac..5ac7dc8 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,198 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NULL pointer dereference + Null pointer deref in X509_issuer_and_serial_hash() + +The OpenSSL public API function X509_issuer_and_serial_hash() attempts to +create a unique hash value based on the issuer and serial number data contained +within an X509 certificate. However it fails to correctly handle any errors +that may occur while parsing the issuer field (which might occur if the issuer +field is maliciously constructed). This may subsequently result in a NULL +pointer deref and a crash leading to a potential denial of service attack. + +The function X509_issuer_and_serial_hash() is never directly called by OpenSSL +itself so applications are only vulnerable if they use this function directly +and they use it on certificates that may have been obtained from untrusted +sources. + +OpenSSL versions 1.1.1i and below are affected by this issue. Users of these +versions should upgrade to OpenSSL 1.1.1j. + +OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL +1.0.2 is out of support and no longer receiving public updates. Premium support +customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade +to 1.1.1j. + + + + + + + + + + + + + + + + + Rollback attack + Incorrect SSLv2 rollback protection + +OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a +server that is configured to support both SSLv2 and more recent SSL and TLS +versions then a check is made for a version rollback attack when unpadding an +RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are +supposed to use a special form of padding. A server that supports greater than +SSLv2 is supposed to reject connection attempts from a client where this special +form of padding is present, because this indicates that a version rollback has +occurred (i.e. both client and server support greater than SSLv2, and yet this +is the version that is being requested). + +The implementation of this padding check inverted the logic so that the +connection attempt is accepted if the padding is present, and rejected if it +is absent. This means that such as server will accept a connection if a version +rollback attack has occurred. Further the server will erroneously reject a +connection if a normal SSLv2 connection attempt is made. + +Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this +issue. In order to be vulnerable a 1.0.2 server must: + +1) have configured SSLv2 support at compile time (this is off by default), +2) have configured SSLv2 support at runtime (this is off by default), +3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite + list) + +OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to +this issue. The underlying error is in the implementation of the +RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING +padding mode used by various other functions. Although 1.1.1 does not support +SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the +RSA_SSLV23_PADDING padding mode. Applications that directly call that function +or use that padding mode will encounter this issue. However since there is no +support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a +security issue in that version. + +OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium +support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should +upgrade to 1.1.1j. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Overflow + Integer overflow in CipherUpdate + +Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow +the output length argument in some cases where the input length is close to the +maximum permissable length for an integer on the platform. In such cases the +return value from the function call will be 1 (indicating success), but the +output length value will be negative. This could cause applications to behave +incorrectly or crash. + +OpenSSL versions 1.1.1i and below are affected by this issue. Users of these +versions should upgrade to OpenSSL 1.1.1j. + +OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL +1.0.2 is out of support and no longer receiving public updates. Premium support +customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade +to 1.1.1j. + + + + From matt at openssl.org Tue Feb 16 17:45:58 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 16 Feb 2021 17:45:58 +0000 Subject: [web] master update Message-ID: <1613497558.724190.7440.nullmailer@dev.openssl.org> The branch master has been updated via 5db03e20c8e936a62f1ee71b7178b4844c5ad838 (commit) from 96fab6a7b7406a9d4334c7b8d76c9da02dc35a62 (commit) - Log ----------------------------------------------------------------- commit 5db03e20c8e936a62f1ee71b7178b4844c5ad838 Author: Matt Caswell Date: Tue Feb 16 16:56:36 2021 +0000 Fix a typo in vulnerabilities.xml Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/218) ----------------------------------------------------------------------- Summary of changes: news/vulnerabilities.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 5ac7dc8..255c8e2 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -136,7 +136,7 @@ upgrade to 1.1.1j. - + From levitte at openssl.org Tue Feb 16 19:16:15 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 16 Feb 2021 19:16:15 +0000 Subject: [openssl] master update Message-ID: <1613502975.601400.22878.nullmailer@dev.openssl.org> The branch master has been updated via 55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63 (commit) from c913dbd7168393f7eab0dd6132d0d2581dd9e485 (commit) - Log ----------------------------------------------------------------- commit 55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63 Author: Richard Levitte Date: Tue Feb 16 20:02:24 2021 +0100 TEST: Add missing initialization Compiler complained. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14204) ----------------------------------------------------------------------- Summary of changes: test/rsa_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rsa_test.c b/test/rsa_test.c index f52053bda1..095cddd8aa 100644 --- a/test/rsa_test.c +++ b/test/rsa_test.c @@ -303,7 +303,7 @@ static int test_rsa_sslv23(int idx) static int test_rsa_oaep(int idx) { int ret = 0; - RSA *key; + RSA *key = NULL; unsigned char ptext[256]; unsigned char ctext[256]; static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; From levitte at openssl.org Tue Feb 16 19:17:21 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 16 Feb 2021 19:17:21 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1613503041.257484.24167.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 01cf4f868e08f82daa16d049fa7d241d8089c8d8 (commit) from 97149c8219189c1bb61d36bfcd511956caeb4771 (commit) - Log ----------------------------------------------------------------- commit 01cf4f868e08f82daa16d049fa7d241d8089c8d8 Author: Richard Levitte Date: Tue Feb 16 20:02:24 2021 +0100 TEST: Add missing initialization Compiler complained. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14204) (cherry picked from commit 55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63) ----------------------------------------------------------------------- Summary of changes: test/rsa_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rsa_test.c b/test/rsa_test.c index 11e373cceb..bdbab75f8f 100644 --- a/test/rsa_test.c +++ b/test/rsa_test.c @@ -304,7 +304,7 @@ static int test_rsa_sslv23(int idx) static int test_rsa_oaep(int idx) { int ret = 0; - RSA *key; + RSA *key = NULL; unsigned char ptext[256]; unsigned char ctext[256]; static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; From openssl at openssl.org Tue Feb 16 22:08:43 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 16 Feb 2021 22:08:43 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 Message-ID: <1613513323.449576.4141942.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 1010 wallclock secs (12.80 usr 1.25 sys + 921.16 cusr 88.52 csys = 1023.73 CPU) Result: FAIL make[1]: *** [Makefile:3274: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2' make: *** [Makefile:3271: tests] Error 2 From openssl at openssl.org Tue Feb 16 23:02:45 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 16 Feb 2021 23:02:45 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1613516565.690187.54186.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 804114400C7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 804114400C7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/gnJCbRP0HD default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80017474F07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80017474F07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80017474F07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80017474F07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80017474F07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80017474F07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/gnJCbRP0HD fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 951 wallclock secs (14.49 usr 1.41 sys + 853.94 cusr 95.39 csys = 965.23 CPU) Result: FAIL make[1]: *** [Makefile:3266: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3263: tests] Error 2 From openssl at openssl.org Wed Feb 17 00:41:27 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 17 Feb 2021 00:41:27 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method Message-ID: <1613522487.637745.261637.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 786 wallclock secs (10.03 usr 1.18 sys + 725.67 cusr 61.75 csys = 798.63 CPU) Result: FAIL make[1]: *** [Makefile:3264: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method' make: *** [Makefile:3261: tests] Error 2 From shane.lontis at oracle.com Wed Feb 17 01:23:33 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Wed, 17 Feb 2021 01:23:33 +0000 Subject: [openssl] master update Message-ID: <1613525013.277380.19234.nullmailer@dev.openssl.org> The branch master has been updated via 574ca403c81edc1f21229526e2a8a67bcdabeb99 (commit) from 5b888e931b64a132a0cd33b24344dc6cdac74727 (commit) - Log ----------------------------------------------------------------- commit 574ca403c81edc1f21229526e2a8a67bcdabeb99 Author: Petr Gotthard Date: Mon Feb 15 20:07:27 2021 +0100 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client The `openssl s_server` and `openssl s_client` currently ignore the `-propquery` parameter. Fix patch fixes this. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14195) ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 2 +- apps/s_server.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index a6394462db..431df131dd 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1661,7 +1661,7 @@ int s_client_main(int argc, char **argv) } #endif - ctx = SSL_CTX_new(meth); + ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; diff --git a/apps/s_server.c b/apps/s_server.c index 5d8fb99023..eee51f3325 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1780,7 +1780,7 @@ int s_server_main(int argc, char *argv[]) s_key_file2 = NULL; } - ctx = SSL_CTX_new(meth); + ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; @@ -1905,7 +1905,7 @@ int s_server_main(int argc, char *argv[]) } if (s_cert2) { - ctx2 = SSL_CTX_new(meth); + ctx2 = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth); if (ctx2 == NULL) { ERR_print_errors(bio_err); goto end; From shane.lontis at oracle.com Wed Feb 17 01:18:49 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Wed, 17 Feb 2021 01:18:49 +0000 Subject: [openssl] master update Message-ID: <1613524729.604131.17661.nullmailer@dev.openssl.org> The branch master has been updated via 5b888e931b64a132a0cd33b24344dc6cdac74727 (commit) from 55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63 (commit) - Log ----------------------------------------------------------------- commit 5b888e931b64a132a0cd33b24344dc6cdac74727 Author: Petr Gotthard Date: Mon Feb 15 11:53:45 2021 +0100 Fix propquery handling in EVP_DigestSignInit_ex Fixes #14183. Fix the condition to detect legacy engines, so the `props` are considered even when libctx == NULL. Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14188) ----------------------------------------------------------------------- Summary of changes: crypto/evp/m_sigver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index bdcac90078..57c8ce78a4 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -60,7 +60,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } if (ctx->pctx == NULL) { - if (libctx != NULL) + if (e == NULL) ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); else ctx->pctx = EVP_PKEY_CTX_new(pkey, e); From openssl at openssl.org Wed Feb 17 01:38:29 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 17 Feb 2021 01:38:29 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1613525909.600407.367872.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8051DCA3C17F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8051DCA3C17F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/SyoPvkP8P6 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F14BD4577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F14BD4577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F14BD4577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F14BD4577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F14BD4577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F14BD4577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/SyoPvkP8P6 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 1094 wallclock secs (14.75 usr 1.34 sys + 1001.08 cusr 92.47 csys = 1109.64 CPU) Result: FAIL make[1]: *** [Makefile:3258: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3255: tests] Error 2 From openssl at openssl.org Wed Feb 17 02:30:40 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 17 Feb 2021 02:30:40 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_3 Message-ID: <1613529040.337242.472170.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_3 Commit log since last time: 09c77b87ae Remove an unnecessary free call. 8a43091bc7 Remove dead code in rsa_pkey_ctrl. bae3916340 passwd.c: use the actual ROUNDS_DEFAULT macro 70f2364882 NOTES-WINDOWS: fix typo a0ca1eed24 Add a skeleton README-PROVIDERS file d507436a26 Add deprecation note to the README-ENGINES file 4148581eb2 Unify the markdown links to the NOTES and README files dc589daec8 Reformat some NOTES and README files 9f1fe6a950 Revise some renamings of NOTES and README files 9ff5bd612a ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 89e14ca7c7 tls_valid_group: Add missing dereference of okfortls13 d8c1cafbbc VMS documentation fixes 72ddea9b81 Configurations/descrip.mms.tmpl: avoid enormous PIPE commands 1695e10e40 DOCS: Update the internal documentation on EVP_PKEY. c5689319eb Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries 13888e797c Update documentation following deprecation of SRP 76cb077f81 Deprecate the libssl level SRP APIs 6d2a1eff55 Deprecate the low level SRP APIs f2d785364c Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature 1eaf1fc353 Add a configure time option to disable the fetch cache. 2b248f4e3f test: add import and export key management hooks for the TLS provider. ca2c778c26 test: filter provider honours the no_cache setting. 7dd5a00f41 changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. b5873b3176 test: fix no-cache problem with the quality comparison for KDFs. aea01d1313 EVP: fix reference counting for EVP_CIPHER. 7dce37e2ec Prov: add an option to force provider fetches to not be cached. 499f2ae9e9 CI: add a non-caching CI loop 31f7ff37b4 EVP: fix reference counting for digest operations. 22040fb790 Allow -rand to be repeated 03bbd346f4 Fetch cipher after loading providers d0190e1163 Process digest option after loading providers 51e5df0ed0 Load rand state after loading providers 182717bd8a Fetch alg, etc., after loading providers 50ca7e1895 Fetch algorithm after loading providers 1baad060f9 test: add an option to output timing information from tests. c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point 283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h f5f29796f0 Various cleanup of PROV_R_ reason codes 2741128e9d Move the PROV_R reason codes to a public header dc9ec65a01 Match description with actual output of dgst 3a111aadc3 include/internal: add a few missing #pragma once directives d59068bd14 include/openssl: add a few missing #pragma once directives 80ce21fe1a include/crypto: add a few missing #pragma once directives 835f3526a2 test: turn off parallel tests in verbose mode. Build log ended with (last 100 lines): # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 2 - iteration 2 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 3 - iteration 3 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 4 - iteration 4 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 5 - iteration 5 # ------------------------------------------------------------------------------ not ok 1 - test_handshake # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/ssl_test 14-curves.cnf.fips fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 9 - running ssl_test 14-curves.cnf # ------------------------------------------------------------------------------ # Failed test 'running ssl_test 14-curves.cnf' # at ../openssl/test/recipes/80-test_ssl_new.t line 176. # Looks like you failed 3 tests of 9. not ok 15 - Test configuration 14-curves.cnf # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 31.80-test_ssl_new.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. skipped: test_tls13ccs is not supported in this build 90-test_tls13encryption.t .......... skipped: tls13encryption is not supported in this build 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_new.t (Wstat: 256 Tests: 31 Failed: 1) Failed test: 15 Non-zero exit status: 1 Files=231, Tests=3189, 965 wallclock secs (12.67 usr 1.44 sys + 872.08 cusr 91.71 csys = 977.90 CPU) Result: FAIL make[1]: *** [Makefile:3269: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_3' make: *** [Makefile:3266: tests] Error 2 From pauli at openssl.org Wed Feb 17 03:12:19 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 17 Feb 2021 03:12:19 +0000 Subject: [openssl] master update Message-ID: <1613531539.599926.4649.nullmailer@dev.openssl.org> The branch master has been updated via 68883d9db86534176d744c7691ac7565f5def884 (commit) via 335e85f54246cec8b58cb43dd2263ab9d506d622 (commit) via 78436fd146313b31151252576c4e523eac55c47c (commit) via e2730b8426eb9f1334412a026ea87c0c309b14b9 (commit) via 9ed185a926cc1b8527bba8efa28a6b15392484ce (commit) via 381289f6c7bd0e782cfd97d21c80656e470064d7 (commit) via 79d68c4fb4d5763a1f199ca9676c250e6dd01f74 (commit) from 574ca403c81edc1f21229526e2a8a67bcdabeb99 (commit) - Log ----------------------------------------------------------------- commit 68883d9db86534176d744c7691ac7565f5def884 Author: Pauli Date: Fri Feb 12 13:20:09 2021 +1000 doc: document the two new RAND functions Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14162) commit 335e85f54246cec8b58cb43dd2263ab9d506d622 Author: Pauli Date: Fri Feb 12 12:54:59 2021 +1000 rand: update DRBGs to use the get_entropy call for seeding Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14162) commit 78436fd146313b31151252576c4e523eac55c47c Author: Pauli Date: Fri Feb 12 12:45:03 2021 +1000 core: add get_entropy and clear_entropy calls to RAND Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14162) commit e2730b8426eb9f1334412a026ea87c0c309b14b9 Author: Pauli Date: Fri Feb 12 12:44:43 2021 +1000 RNG test: add get_entropy hook for testing. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14162) commit 9ed185a926cc1b8527bba8efa28a6b15392484ce Author: Pauli Date: Fri Feb 12 12:44:21 2021 +1000 RNG seed: add get_entropy hook for seeding. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14162) commit 381289f6c7bd0e782cfd97d21c80656e470064d7 Author: Pauli Date: Fri Feb 12 12:44:02 2021 +1000 err: generated error files Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14162) commit 79d68c4fb4d5763a1f199ca9676c250e6dd01f74 Author: Pauli Date: Fri Feb 12 12:26:54 2021 +1000 test: DRBG test with long seed. Fixes: #14101 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14162) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 4 +- doc/man7/provider-rand.pod | 23 +++++- include/openssl/core_dispatch.h | 9 +++ include/openssl/proverr.h | 4 +- providers/common/provider_err.c | 11 ++- providers/implementations/rands/drbg.c | 107 +++++++++++++++------------ providers/implementations/rands/drbg_ctr.c | 2 + providers/implementations/rands/drbg_hash.c | 2 + providers/implementations/rands/drbg_hmac.c | 2 + providers/implementations/rands/drbg_local.h | 7 +- providers/implementations/rands/seed_src.c | 45 +++++++++++ providers/implementations/rands/test_rng.c | 14 ++++ test/recipes/30-test_evp_data/evprand.txt | 16 ++++ 13 files changed, 192 insertions(+), 54 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 296aa6eaad..002a7a0f10 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -947,6 +947,7 @@ PROV_R_BN_ERROR:160:bn error PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed +PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy PROV_R_ERROR_RETRIEVING_NONCE:190:error retrieving nonce @@ -1023,6 +1024,7 @@ PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:178:\ PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS:228:\ parent cannot generate random numbers +PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED:187:parent cannot supply entropy seed PROV_R_PARENT_LOCKING_NOT_ENABLED:182:parent locking not enabled PROV_R_PARENT_STRENGTH_TOO_WEAK:194:parent strength too weak PROV_R_PATH_MUST_BE_ABSOLUTE:219:path must be absolute @@ -1037,8 +1039,8 @@ PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT:229:\ seed sources must not have a parent PROV_R_SELF_TEST_KAT_FAILURE:215:self test kat failure PROV_R_SELF_TEST_POST_FAILURE:216:self test post failure -PROV_R_TAG_NOT_SET:119:tag not set PROV_R_TAG_NOT_NEEDED:120:tag not needed +PROV_R_TAG_NOT_SET:119:tag not set PROV_R_TOO_MANY_RECORDS:126:too many records PROV_R_UNABLE_TO_FIND_CIPHERS:207:unable to find ciphers PROV_R_UNABLE_TO_GET_PARENT_STRENGTH:199:unable to get parent strength diff --git a/doc/man7/provider-rand.pod b/doc/man7/provider-rand.pod index d75a36d01e..795924e6b7 100644 --- a/doc/man7/provider-rand.pod +++ b/doc/man7/provider-rand.pod @@ -37,7 +37,13 @@ functions /* Random number generator functions: additional */ size_t OSSL_FUNC_rand_nonce(void *ctx, unsigned char *out, size_t outlen, - int strength, size_t min_noncelen, size_t max_noncelen); + int strength, size_t min_noncelen, + size_t max_noncelen); + size_t OSSL_FUNC_rand_get_seed(void *ctx, unsigned char **buffer, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, size_t adin_len); + void OSSL_FUNC_rand_clear_seed(void *ctx, unsigned char *buffer, size_t b_len); int OSSL_FUNC_rand_verify_zeroization(void *ctx); /* Context Locking */ @@ -110,6 +116,18 @@ OSSL_FUNC_rand_nonce() is used to generate a nonce of the given I with length from I to I. If the output buffer I is NULL, the length of the nonce should be returned. +OSSL_FUNC_rand_get_seed() is used by deterministic generators to obtain their +seeding material from their parent. The seed bytes will meet the specified +security level of I bits and there will be between I +and I inclusive bytes in total. If I is +true, the bytes will be produced from a live entropy source. Additional +input I of length I bytes can optionally be provided. +A pointer to the seed material is returned in I<*buffer> and this must be +freed by a later call to OSSL_FUNC_rand_clear_seed(). + +OSSL_FUNC_rand_clear_seed() frees a seed I of length I bytes +which was previously allocated by OSSL_FUNC_rand_get_seed(). + OSSL_FUNC_rand_verify_zeroization() is used to determine if the internal state of the DRBG is zero. This capability is mandated by NIST as part of the self tests, it is unlikely to be useful in other circumstances. @@ -240,6 +258,9 @@ array, or NULL if none is offered. OSSL_FUNC_rand_nonce() returns the size of the generated nonce, or 0 on error. +OSSL_FUNC_rand_get_seed() returns the size of the generated seed, or 0 on +error. + All of the remaining functions should return 1 for success or 0 on error. =head1 SEE ALSO diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 7823af7cbd..f9786e1d37 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -399,6 +399,8 @@ OSSL_CORE_MAKE_FUNC(int, kdf_set_ctx_params, # define OSSL_FUNC_RAND_GET_CTX_PARAMS 15 # define OSSL_FUNC_RAND_SET_CTX_PARAMS 16 # define OSSL_FUNC_RAND_VERIFY_ZEROIZATION 17 +# define OSSL_FUNC_RAND_GET_SEED 18 +# define OSSL_FUNC_RAND_CLEAR_SEED 19 OSSL_CORE_MAKE_FUNC(void *,rand_newctx, (void *provctx, void *parent, @@ -440,6 +442,13 @@ OSSL_CORE_MAKE_FUNC(void,rand_set_callbacks, OSSL_CALLBACK *cleanup_nonce, void *arg)) OSSL_CORE_MAKE_FUNC(int,rand_verify_zeroization, (void *vctx)) +OSSL_CORE_MAKE_FUNC(size_t,rand_get_seed, + (void *vctx, unsigned char **buffer, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, size_t adin_len)) +OSSL_CORE_MAKE_FUNC(void,rand_clear_seed, + (void *vctx, unsigned char *buffer, size_t b_len)) /*- * Key management diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h index 6e5c0debe7..99a937f1e3 100644 --- a/include/openssl/proverr.h +++ b/include/openssl/proverr.h @@ -32,6 +32,7 @@ # define PROV_R_CIPHER_OPERATION_FAILED 102 # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205 # define PROV_R_DIGEST_NOT_ALLOWED 174 +# define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186 # define PROV_R_ERROR_INSTANTIATING_DRBG 188 # define PROV_R_ERROR_RETRIEVING_ENTROPY 189 # define PROV_R_ERROR_RETRIEVING_NONCE 190 @@ -105,6 +106,7 @@ # define PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 178 # define PROV_R_OUTPUT_BUFFER_TOO_SMALL 106 # define PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS 228 +# define PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED 187 # define PROV_R_PARENT_LOCKING_NOT_ENABLED 182 # define PROV_R_PARENT_STRENGTH_TOO_WEAK 194 # define PROV_R_PATH_MUST_BE_ABSOLUTE 219 @@ -117,8 +119,8 @@ # define PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT 229 # define PROV_R_SELF_TEST_KAT_FAILURE 215 # define PROV_R_SELF_TEST_POST_FAILURE 216 -# define PROV_R_TAG_NOT_SET 119 # define PROV_R_TAG_NOT_NEEDED 120 +# define PROV_R_TAG_NOT_SET 119 # define PROV_R_TOO_MANY_RECORDS 126 # define PROV_R_UNABLE_TO_FIND_CIPHERS 207 # define PROV_R_UNABLE_TO_GET_PARENT_STRENGTH 199 diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c index a64c5d2ece..30574f4c6c 100644 --- a/providers/common/provider_err.c +++ b/providers/common/provider_err.c @@ -33,6 +33,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "derivation function init failed"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED), "digest not allowed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK), + "entropy source strength too weak"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_RETRIEVING_ENTROPY), @@ -99,14 +101,13 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_STATE), "invalid state"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAG), "invalid tag"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAG_LENGTH), - "invalid tag_length"}, + "invalid tag length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_UKM_LENGTH), "invalid ukm length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_X931_DIGEST), "invalid x931 digest"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_IN_ERROR_STATE), "in error state"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SETUP_FAILED), - "key setup failed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SETUP_FAILED), "key setup failed"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SIZE_TOO_SMALL), "key size too small"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CEK_ALG), "missing cek alg"}, @@ -144,6 +145,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "output buffer too small"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS), "parent cannot generate random numbers"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED), + "parent cannot supply entropy seed"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PARENT_LOCKING_NOT_ENABLED), "parent locking not enabled"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PARENT_STRENGTH_TOO_WEAK), @@ -167,8 +170,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "self test kat failure"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_SELF_TEST_POST_FAILURE), "self test post failure"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TAG_NOT_SET), "tag not set"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TAG_NOT_NEEDED), "tag not needed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TAG_NOT_SET), "tag not set"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_TOO_MANY_RECORDS), "too many records"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_FIND_CIPHERS), "unable to find ciphers"}, diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index bdc980ef59..239000ec16 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -141,30 +141,15 @@ static unsigned int get_parent_reseed_count(PROV_DRBG *drbg) * If a random pool has been added to the DRBG using RAND_add(), then * its entropy will be used up first. */ -static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout, - int entropy, size_t min_len, - size_t max_len, int prediction_resistance) +size_t ossl_drbg_get_seed(void *vdrbg, unsigned char **pout, + int entropy, size_t min_len, + size_t max_len, int prediction_resistance, + const unsigned char *adin, size_t adin_len) { - unsigned int p_str; - size_t r, bytes_needed; + PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; + size_t bytes_needed; unsigned char *buffer; - if (!get_parent_strength(drbg, &p_str)) - return 0; - if (drbg->strength > p_str) { - /* - * We currently don't support the algorithm from NIST SP 800-90C - * 10.1.2 to use a weaker DRBG as source - */ - ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK); - return 0; - } - - if (drbg->parent_generate == NULL) { - ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS); - return 0; - } - /* Figure out how many bytes we need */ bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0; if (bytes_needed < min_len) @@ -180,13 +165,7 @@ static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout, } /* - * Our lock is already held, but we need to lock our parent before - * generating bits from it. Note: taking the lock will be a no-op - * if locking is not required (while drbg->parent->lock == NULL). - */ - ossl_drbg_lock_parent(drbg); - /* - * Get random data from parent. Include our DRBG address as + * Get random data. Include our DRBG address as * additional input, in order to provide a distinction between * different DRBG child instances. * @@ -194,12 +173,9 @@ static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout, * a warning in some static code analyzers, but it's * intentional and correct here. */ - r = drbg->parent_generate(drbg->parent, buffer, bytes_needed, - drbg->strength, prediction_resistance, - (unsigned char *)&drbg, - sizeof(drbg)); - ossl_drbg_unlock_parent(drbg); - if (r == 0) { + if (!ossl_prov_drbg_generate(drbg, buffer, bytes_needed, + drbg->strength, prediction_resistance, + (unsigned char *)&drbg, sizeof(drbg))) { OPENSSL_secure_clear_free(buffer, bytes_needed); ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR); return 0; @@ -208,12 +184,9 @@ static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout, return bytes_needed; } -/* - * Implements the cleanup_entropy() callback - * - */ -static void prov_drbg_cleanup_entropy(ossl_unused PROV_DRBG *drbg, - unsigned char *out, size_t outlen) +/* Implements the cleanup_entropy() callback */ +void ossl_drbg_clear_seed(ossl_unused void *vdrbg, + unsigned char *out, size_t outlen) { OPENSSL_secure_clear_free(out, outlen); } @@ -222,6 +195,9 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy, size_t min_len, size_t max_len, int prediction_resistance) { + size_t bytes; + unsigned int p_str; + if (drbg->parent == NULL) #ifdef FIPS_MODULE return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len, @@ -231,8 +207,42 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy, max_len); #endif - return prov_drbg_get_entropy(drbg, pout, entropy, min_len, max_len, - prediction_resistance); + if (drbg->parent_get_seed == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED); + return 0; + } + if (!get_parent_strength(drbg, &p_str)) + return 0; + if (drbg->strength > p_str) { + /* + * We currently don't support the algorithm from NIST SP 800-90C + * 10.1.2 to use a weaker DRBG as source + */ + ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK); + return 0; + } + + /* + * Our lock is already held, but we need to lock our parent before + * generating bits from it. Note: taking the lock will be a no-op + * if locking is not required (while drbg->parent->lock == NULL). + */ + if (!ossl_drbg_lock_parent(drbg)) + return 0; + /* + * Get random data from parent. Include our DRBG address as + * additional input, in order to provide a distinction between + * different DRBG child instances. + * + * Note: using the sizeof() operator on a pointer triggers + * a warning in some static code analyzers, but it's + * intentional and correct here. + */ + bytes = drbg->parent_get_seed(drbg->parent, pout, drbg->strength, + min_len, max_len, prediction_resistance, + (unsigned char *)&drbg, sizeof(drbg)); + ossl_drbg_unlock_parent(drbg); + return bytes; } static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen) @@ -243,8 +253,11 @@ static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen) #else ossl_prov_cleanup_entropy(drbg->provctx, out, outlen); #endif - } else { - prov_drbg_cleanup_entropy(drbg, out, outlen); + } else if (drbg->parent_clear_seed != NULL) { + if (!ossl_drbg_lock_parent(drbg)) + return; + drbg->parent_clear_seed(drbg, out, outlen); + ossl_drbg_unlock_parent(drbg); } } @@ -794,10 +807,12 @@ PROV_DRBG *ossl_rand_drbg_new drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc); if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL) drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc); - if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GENERATE)) != NULL) - drbg->parent_generate = OSSL_FUNC_rand_generate(pfunc); if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL) drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc); + if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL) + drbg->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc); + if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL) + drbg->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc); /* Set some default maximums up */ drbg->max_entropylen = DRBG_MAX_LENGTH; diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index caf885c4cb..1f5b14247b 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -755,5 +755,7 @@ const OSSL_DISPATCH ossl_drbg_ctr_functions[] = { { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_ctr_get_ctx_params }, { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, (void(*)(void))drbg_ctr_verify_zeroization }, + { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed }, + { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed }, { 0, NULL } }; diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index 9c44c0bdb4..c799ef107a 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -518,5 +518,7 @@ const OSSL_DISPATCH ossl_drbg_hash_functions[] = { { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_hash_get_ctx_params }, { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, (void(*)(void))drbg_hash_verify_zeroization }, + { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed }, + { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed }, { 0, NULL } }; diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index 314243d8ab..f166d69c51 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -432,5 +432,7 @@ const OSSL_DISPATCH ossl_drbg_ossl_hmac_functions[] = { { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_hmac_get_ctx_params }, { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, (void(*)(void))drbg_hmac_verify_zeroization }, + { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed }, + { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed }, { 0, NULL } }; diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h index fbae882535..ab8ad9586e 100644 --- a/providers/implementations/rands/drbg_local.h +++ b/providers/implementations/rands/drbg_local.h @@ -91,8 +91,9 @@ struct prov_drbg_st { OSSL_FUNC_rand_lock_fn *parent_lock; OSSL_FUNC_rand_unlock_fn *parent_unlock; OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params; - OSSL_FUNC_rand_generate_fn *parent_generate; OSSL_FUNC_rand_nonce_fn *parent_nonce; + OSSL_FUNC_rand_get_seed_fn *parent_get_seed; + OSSL_FUNC_rand_clear_seed_fn *parent_clear_seed; const OSSL_DISPATCH *parent_dispatch; @@ -205,6 +206,10 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen, unsigned int strength, int prediction_resistance, const unsigned char *adin, size_t adinlen); +/* Seeding api */ +OSSL_FUNC_rand_get_seed_fn ossl_drbg_get_seed; +OSSL_FUNC_rand_clear_seed_fn ossl_drbg_clear_seed; + /* Verify that an array of numeric values is all zero */ #define PROV_DRBG_VERYIFY_ZEROIZATION(v) \ { \ diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index 60088b2779..c93036cb60 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c @@ -34,6 +34,8 @@ static OSSL_FUNC_rand_verify_zeroization_fn seed_src_verify_zeroization; static OSSL_FUNC_rand_enable_locking_fn seed_src_enable_locking; static OSSL_FUNC_rand_lock_fn seed_src_lock; static OSSL_FUNC_rand_unlock_fn seed_src_unlock; +static OSSL_FUNC_rand_get_seed_fn seed_get_seed; +static OSSL_FUNC_rand_clear_seed_fn seed_clear_seed; typedef struct { void *provctx; @@ -170,6 +172,47 @@ static int seed_src_verify_zeroization(ossl_unused void *vseed) return 1; } +static size_t seed_get_seed(void *vseed, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, size_t adin_len) +{ + size_t bytes_needed; + unsigned char *p; + + /* + * Figure out how many bytes we need. + * This assumes that the seed sources provide eight bits of entropy + * per byte. For lower quality sources, the formula will need to be + * different. + */ + bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0; + if (bytes_needed < min_len) + bytes_needed = min_len; + if (bytes_needed > max_len) { + ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK); + return 0; + } + + p = OPENSSL_secure_malloc(bytes_needed); + if (p == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return 0; + } + *pout = p; + if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, + adin, adin_len) != 0) + return bytes_needed; + OPENSSL_secure_clear_free(p, bytes_needed); + return 0; +} + +static void seed_clear_seed(ossl_unused void *vdrbg, + unsigned char *out, size_t outlen) +{ + OPENSSL_secure_clear_free(out, outlen); +} + static int seed_src_enable_locking(ossl_unused void *vseed) { return 1; @@ -201,5 +244,7 @@ const OSSL_DISPATCH ossl_seed_src_functions[] = { { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))seed_src_get_ctx_params }, { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, (void(*)(void))seed_src_verify_zeroization }, + { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))seed_get_seed }, + { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))seed_clear_seed }, { 0, NULL } }; diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index 33cbd20e9b..0c0e0e3b42 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -35,6 +35,7 @@ static OSSL_FUNC_rand_verify_zeroization_fn test_rng_verify_zeroization; static OSSL_FUNC_rand_enable_locking_fn test_rng_enable_locking; static OSSL_FUNC_rand_lock_fn test_rng_lock; static OSSL_FUNC_rand_unlock_fn test_rng_unlock; +static OSSL_FUNC_rand_get_seed_fn test_rng_get_seed; typedef struct { void *provctx; @@ -228,6 +229,18 @@ static int test_rng_verify_zeroization(ossl_unused void *vtest) return 1; } +static size_t test_rng_get_seed(void *vtest, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + ossl_unused int prediction_resistance, + ossl_unused const unsigned char *adin, + ossl_unused size_t adin_len) +{ + PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest; + + *pout = t->entropy; + return t->entropy_len > max_len ? max_len : t->entropy_len; +} + static int test_rng_enable_locking(void *vtest) { PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest; @@ -280,5 +293,6 @@ const OSSL_DISPATCH ossl_test_rng_functions[] = { { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))test_rng_get_ctx_params }, { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, (void(*)(void))test_rng_verify_zeroization }, + { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))test_rng_get_seed }, { 0, NULL } }; diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt index b91f5483ae..f504dc3e0b 100644 --- a/test/recipes/30-test_evp_data/evprand.txt +++ b/test/recipes/30-test_evp_data/evprand.txt @@ -12,6 +12,22 @@ # and continue until a blank line. Lines starting with a pound sign, # like this prolog, are ignored. +# Test vector from NISTs CAVP tool + +Title = CAVP Large Seed + +RAND = CTR-DRBG +Cipher = AES-192-CTR +DerivationFunction = 1 +PredictionResistance = 1 +GenerateBits = 256 +Entropy.0 = 22ED7A66C9E9F494C8D2B8F81D0D49BCDD0C03863FF5979212211EFE3E945758B6228CDD9E9EEC5F7984AEF7212699F3 +Nonce.0 = 5BF245B95F8E1377D5A17EB331AABCD9 +EntropyPredictionResistanceA.0 = C0535ACD3D715A0B1453AB3447D53D9131C939AEE1D9CA24A75B285CF58D79403A4111E2F3DEE011154D31D646D93001 +EntropyPredictionResistanceB.0 = 9FBC48890273FCAFCA1904B6486D1877CAD91EB601E979259506F93BA462AC17D8676C570B2231D4D98EC617C4826573 +Output.0 = 19CED57563D065B606DA27DD5E8DE83B93BB7C8F8B02D0288F475550C3F44B77 + + # Test vectors come from: # https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip From no-reply at appveyor.com Wed Feb 17 03:38:19 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 17 Feb 2021 03:38:19 +0000 Subject: Build failed: openssl master.39924 Message-ID: <20210217033819.1.A31F5F36695DBFA4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Feb 17 06:57:58 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 17 Feb 2021 06:57:58 +0000 Subject: Build failed: openssl master.39928 Message-ID: <20210217065758.1.EEAA10DA08F05149@appveyor.com> An HTML attachment was scrubbed... URL: From nic.tuv at gmail.com Wed Feb 17 11:27:11 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Wed, 17 Feb 2021 11:27:11 +0000 Subject: [openssl] master update Message-ID: <1613561231.677217.27773.nullmailer@dev.openssl.org> The branch master has been updated via 3a962b2093a6226daa26e4d1855d4eb9f2e5035b (commit) via 851b06b7055b2ab3eaf82f8989f8729920862b2f (commit) from 68883d9db86534176d744c7691ac7565f5def884 (commit) - Log ----------------------------------------------------------------- commit 3a962b2093a6226daa26e4d1855d4eb9f2e5035b Author: Nicola Tuveri Date: Fri Jan 22 18:50:12 2021 +0200 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom For consistency with `OSSL_DECODER.pod`, and `man-pages(7)`, the `NOTES` section is moved at the end of the file. According to `man-pages(7)` the recommended section order is: > NAME > SYNOPSIS > CONFIGURATION [Normally only in Section 4] > DESCRIPTION > OPTIONS [Normally only in Sections 1, 8] > EXIT STATUS [Normally only in Sections 1, 8] > RETURN VALUE [Normally only in Sections 2, 3] > ERRORS [Typically only in Sections 2, 3] > ENVIRONMENT > FILES > VERSIONS [Normally only in Sections 2, 3] > CONFORMING TO > NOTES > BUGS > EXAMPLE > SEE ALSO This commit does not attempt to fix the order in all pages but focuses only on `OSSL_ENCODER` which has a "twin" man page in `OSSL_DECODER`, making the inconsistent section order quite jarring. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13932) commit 851b06b7055b2ab3eaf82f8989f8729920862b2f Author: Nicola Tuveri Date: Fri Jan 22 18:45:07 2021 +0200 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties This commit fixes the DECSCRIPTION section of doc/man3/OSSL_ENCODER.pod, where `OSSL_ENCODER_properties` was incorrectly referred to as `OSSL_ENCODER_provider`. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13932) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_ENCODER.pod | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/man3/OSSL_ENCODER.pod b/doc/man3/OSSL_ENCODER.pod index a9da0aaff3..da1aa475dc 100644 --- a/doc/man3/OSSL_ENCODER.pod +++ b/doc/man3/OSSL_ENCODER.pod @@ -63,7 +63,7 @@ I, and when the count reaches zero, frees it. OSSL_ENCODER_provider() returns the provider of the given I. -OSSL_ENCODER_provider() returns the property definition associated +OSSL_ENCODER_properties() returns the property definition associated with the given I. OSSL_ENCODER_is_a() checks if I is an implementation of an @@ -87,12 +87,6 @@ OSSL_ENCODER_get_params() attempts to get parameters specified with an L array I. Parameters that the implementation doesn't recognise should be ignored. -=head1 NOTES - -OSSL_ENCODER_fetch() may be called implicitly by other fetching -functions, using the same library context and properties. -Any other API that uses keys will typically do this. - =head1 RETURN VALUES OSSL_ENCODER_fetch() returns a pointer to the key management @@ -114,6 +108,12 @@ otherwise 0. OSSL_ENCODER_number() returns an integer. +=head1 NOTES + +OSSL_ENCODER_fetch() may be called implicitly by other fetching +functions, using the same library context and properties. +Any other API that uses keys will typically do this. + =head1 SEE ALSO L, L, L, From levitte at openssl.org Wed Feb 17 13:38:58 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 17 Feb 2021 13:38:58 +0000 Subject: [openssl] master update Message-ID: <1613569138.139843.10473.nullmailer@dev.openssl.org> The branch master has been updated via e5ac413b2d3d6bcff57446f06f3d05650921f182 (commit) from 3a962b2093a6226daa26e4d1855d4eb9f2e5035b (commit) - Log ----------------------------------------------------------------- commit e5ac413b2d3d6bcff57446f06f3d05650921f182 Author: Richard Levitte Date: Tue Feb 16 01:19:58 2021 +0100 Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() The OSSL_HTTP_REQ_CTX API has a few changes compared to the older OCSP_REQ_CTX API which are not quite obvious at first sight. The old OCSP_REQ_CTX_nbio_d2i() took three arguments, of which one is an output argument, and return an int, while the newer OSSL_HTTP_REQ_CTX_sendreq_d2i() returns the value directly and thereby takes one less argument. The mapping from the old to the new wasn't quite right, this corrects it, along with a couple of X509 macros that needed the same kind of fix. Reviewed-by: Paul Dale Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/14196) ----------------------------------------------------------------------- Summary of changes: include/openssl/ocsp.h.in | 4 ++-- include/openssl/x509.h.in | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in index c104b72d8e..3c5de15494 100644 --- a/include/openssl/ocsp.h.in +++ b/include/openssl/ocsp.h.in @@ -189,8 +189,8 @@ typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; OSSL_HTTP_REQ_CTX_i2d(r, "application/ocsp-request", i, req) # define OCSP_REQ_CTX_nbio(r) \ OSSL_HTTP_REQ_CTX_nbio(r) -# define OCSP_REQ_CTX_nbio_d2i(r, i) \ - OSSL_HTTP_REQ_CTX_sendreq_d2i(r, i) +# define OCSP_REQ_CTX_nbio_d2i(r, p, i) \ + ((*(p) = OSSL_HTTP_REQ_CTX_sendreq_d2i(r, i)) != NULL) # define OCSP_REQ_CTX_get0_mem_bio(r) \ OSSL_HTTP_REQ_CTX_get0_mem_bio(r) # define OCSP_set_max_response_length(r, l) \ diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 7fc1558b18..32aea0e0db 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -403,13 +403,13 @@ int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md, unsigned int *len); X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); -# define X509_http_nbio(rctx, pcert) \ - OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, (ASN1_VALUE **)(pcert), \ - ASN1_ITEM_rptr(X509)) +# define X509_http_nbio(rctx, pcert) \ + ((*(pcert) = \ + OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, ASN1_ITEM_rptr(X509))) != NULL) X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); -# define X509_CRL_http_nbio(rctx, pcrl) \ - OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, (ASN1_VALUE **)(pcrl), \ - ASN1_ITEM_rptr(X509_CRL)) +# define X509_CRL_http_nbio(rctx, pcrl) \ + ((*(pcrl) = \ + OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, ASN1_ITEM_rptr(X509_CRL))) != NULL) # ifndef OPENSSL_NO_STDIO X509 *d2i_X509_fp(FILE *fp, X509 **x509); From tomas at openssl.org Wed Feb 17 14:26:39 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 17 Feb 2021 14:26:39 +0000 Subject: [openssl] master update Message-ID: <1613571999.075935.22780.nullmailer@dev.openssl.org> The branch master has been updated via fe75766c9c2919f649df7b3ad209df2bc5e56dd0 (commit) from e5ac413b2d3d6bcff57446f06f3d05650921f182 (commit) - Log ----------------------------------------------------------------- commit fe75766c9c2919f649df7b3ad209df2bc5e56dd0 Author: Tomas Mraz Date: Thu Feb 11 16:57:37 2021 +0100 Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY Additional renames done in encoder and decoder implementation to follow the style. Fixes #13622 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14155) ----------------------------------------------------------------------- Summary of changes: apps/dhparam.c | 22 ++++---- apps/dsa.c | 4 +- apps/ec.c | 6 +-- apps/ecparam.c | 4 +- apps/rsa.c | 6 +-- crypto/asn1/i2d_evp.c | 4 +- crypto/cms/cms_ec.c | 4 +- crypto/encode_decode/decoder_pkey.c | 46 ++++++++--------- crypto/encode_decode/encoder_pkey.c | 32 ++++++------ crypto/evp/evp_pkey.c | 6 +-- crypto/evp/p_lib.c | 4 +- crypto/pem/pem_all.c | 2 +- crypto/pem/pem_local.h | 58 +++++++++++----------- crypto/pem/pem_pk8.c | 4 +- crypto/pem/pem_pkey.c | 8 +-- crypto/store/store_result.c | 4 +- crypto/x509/x_pubkey.c | 12 ++--- doc/man3/OSSL_DECODER.pod | 2 +- ..._PKEY.pod => OSSL_DECODER_CTX_new_for_pkey.pod} | 34 ++++++------- doc/man3/OSSL_ENCODER.pod | 2 +- ..._PKEY.pod => OSSL_ENCODER_CTX_new_for_pkey.pod} | 29 ++++------- doc/man3/d2i_RSAPrivateKey.pod | 4 +- include/crypto/decoder.h | 8 +-- include/openssl/decoder.h | 10 ++-- include/openssl/encoder.h | 10 ++-- providers/encoders.inc | 10 ++-- providers/implementations/storemgmt/file_store.c | 10 ++-- ssl/ssl_conf.c | 6 +-- test/endecode_test.c | 20 ++++---- test/endecoder_legacy_test.c | 42 ++++++++-------- test/evp_extra_test.c | 4 +- test/evp_libctx_test.c | 8 +-- test/evp_pkey_provided_test.c | 8 +-- util/libcrypto.num | 4 +- 34 files changed, 211 insertions(+), 226 deletions(-) rename doc/man3/{OSSL_DECODER_CTX_new_by_EVP_PKEY.pod => OSSL_DECODER_CTX_new_for_pkey.pod} (84%) rename doc/man3/{OSSL_ENCODER_CTX_new_by_EVP_PKEY.pod => OSSL_ENCODER_CTX_new_for_pkey.pod} (86%) diff --git a/apps/dhparam.c b/apps/dhparam.c index 30fdfbbf6e..d3f96e61d2 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -254,14 +254,14 @@ int dhparam_main(int argc, char **argv) * We check that we got one of those key types afterwards. */ decoderctx - = OSSL_DECODER_CTX_new_by_EVP_PKEY(&tmppkey, - (informat == FORMAT_ASN1) + = OSSL_DECODER_CTX_new_for_pkey(&tmppkey, + (informat == FORMAT_ASN1) ? "DER" : "PEM", - NULL, - (informat == FORMAT_ASN1) + NULL, + (informat == FORMAT_ASN1) ? keytype : NULL, - OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, - NULL, NULL); + OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, + NULL, NULL); if (decoderctx != NULL && !OSSL_DECODER_from_bio(decoderctx, in) @@ -328,11 +328,11 @@ int dhparam_main(int argc, char **argv) if (!noout) { OSSL_ENCODER_CTX *ectx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, - OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, - outformat == FORMAT_ASN1 - ? "DER" : "PEM", - NULL, NULL); + OSSL_ENCODER_CTX_new_for_pkey(pkey, + OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, + outformat == FORMAT_ASN1 + ? "DER" : "PEM", + NULL, NULL); if (ectx == NULL || !OSSL_ENCODER_to_bio(ectx, out)) { OSSL_ENCODER_CTX_free(ectx); diff --git a/apps/dsa.c b/apps/dsa.c index c4baaf7de9..523dab80fc 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -260,8 +260,8 @@ int dsa_main(int argc, char **argv) } /* Perform the encoding */ - ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, output_type, - output_structure, NULL); + ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, output_type, + output_structure, NULL); if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) { BIO_printf(bio_err, "%s format not supported\n", output_type); goto end; diff --git a/apps/ec.c b/apps/ec.c index d89c580020..490a64122b 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -256,9 +256,9 @@ int ec_main(int argc, char **argv) assert(private); } - ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(eckey, selection, - output_type, output_structure, - NULL); + ectx = OSSL_ENCODER_CTX_new_for_pkey(eckey, selection, + output_type, output_structure, + NULL); if (enc != NULL) { OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_name(enc), NULL); if (passout != NULL) diff --git a/apps/ecparam.c b/apps/ecparam.c index e05a3a495f..fc19ab6bf9 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -292,7 +292,7 @@ int ecparam_main(int argc, char **argv) noout = 1; if (!noout) { - ectx_params = OSSL_ENCODER_CTX_new_by_EVP_PKEY( + ectx_params = OSSL_ENCODER_CTX_new_for_pkey( params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL); if (!OSSL_ENCODER_to_bio(ectx_params, out)) { @@ -317,7 +317,7 @@ int ecparam_main(int argc, char **argv) goto end; } assert(private); - ectx_key = OSSL_ENCODER_CTX_new_by_EVP_PKEY( + ectx_key = OSSL_ENCODER_CTX_new_for_pkey( key, OSSL_KEYMGMT_SELECT_ALL, outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL); if (!OSSL_ENCODER_to_bio(ectx_key, out)) { diff --git a/apps/rsa.c b/apps/rsa.c index 1a75681c70..8658f58708 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -334,9 +334,9 @@ int rsa_main(int argc, char **argv) } /* Now, perform the encoding */ - ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, - output_type, output_structure, - NULL); + ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, + output_type, output_structure, + NULL); if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) { BIO_printf(bio_err, "%s format not supported\n", output_type); goto end; diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c index 599c512901..515a81d18c 100644 --- a/crypto/asn1/i2d_evp.c +++ b/crypto/asn1/i2d_evp.c @@ -42,8 +42,8 @@ static int i2d_provided(const EVP_PKEY *a, int selection, */ size_t len = INT_MAX; - ctx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(a, selection, "DER", - *output_structures, NULL); + ctx = OSSL_ENCODER_CTX_new_for_pkey(a, selection, "DER", + *output_structures, NULL); if (ctx == NULL) return -1; if (OSSL_ENCODER_to_data(ctx, pp, &len)) diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c index 8ae912c9c3..79b96f596c 100644 --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -27,8 +27,8 @@ static EVP_PKEY *pkey_type2param(int ptype, const void *pval, OSSL_DECODER_CTX *ctx = NULL; int selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; - ctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(&pkey, "DER", NULL, "EC", - selection, libctx, propq); + ctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, "EC", + selection, libctx, propq); if (ctx == NULL) goto err; diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index c515cb6d44..3a97afbcb0 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -48,13 +48,13 @@ int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx, } /* - * Support for OSSL_DECODER_CTX_new_by_EVP_PKEY: + * Support for OSSL_DECODER_CTX_new_for_pkey: * The construct data, and collecting keymgmt information for it */ DEFINE_STACK_OF(EVP_KEYMGMT) -struct decoder_EVP_PKEY_data_st { +struct decoder_pkey_data_st { OSSL_LIB_CTX *libctx; char *propq; @@ -62,11 +62,11 @@ struct decoder_EVP_PKEY_data_st { void **object; /* Where the result should end up */ }; -static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst, - const OSSL_PARAM *params, - void *construct_data) +static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, + const OSSL_PARAM *params, + void *construct_data) { - struct decoder_EVP_PKEY_data_st *data = construct_data; + struct decoder_pkey_data_st *data = construct_data; OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst); void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst); EVP_KEYMGMT *keymgmt = NULL; @@ -159,9 +159,9 @@ static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst, return (*data->object != NULL); } -static void decoder_clean_EVP_PKEY_construct_arg(void *construct_data) +static void decoder_clean_pkey_construct_arg(void *construct_data) { - struct decoder_EVP_PKEY_data_st *data = construct_data; + struct decoder_pkey_data_st *data = construct_data; if (data != NULL) { OPENSSL_free(data->propq); @@ -269,12 +269,12 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg) data->error_occured = 0; /* All is good now */ } -int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx, - EVP_PKEY **pkey, const char *keytype, - OSSL_LIB_CTX *libctx, - const char *propquery) +int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, + EVP_PKEY **pkey, const char *keytype, + OSSL_LIB_CTX *libctx, + const char *propquery) { - struct decoder_EVP_PKEY_data_st *process_data = NULL; + struct decoder_pkey_data_st *process_data = NULL; STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; STACK_OF(OPENSSL_CSTRING) *names = NULL; int ok = 0; @@ -327,10 +327,10 @@ int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx, } if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) { - if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_EVP_PKEY) + if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_pkey) || !OSSL_DECODER_CTX_set_construct_data(ctx, process_data) || !OSSL_DECODER_CTX_set_cleanup(ctx, - decoder_clean_EVP_PKEY_construct_arg)) + decoder_clean_pkey_construct_arg)) goto err; process_data = NULL; /* Avoid it being freed */ @@ -338,16 +338,16 @@ int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx, ok = 1; err: - decoder_clean_EVP_PKEY_construct_arg(process_data); + decoder_clean_pkey_construct_arg(process_data); return ok; } OSSL_DECODER_CTX * -OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey, - const char *input_type, - const char *input_structure, - const char *keytype, int selection, - OSSL_LIB_CTX *libctx, const char *propquery) +OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, + const char *input_type, + const char *input_structure, + const char *keytype, int selection, + OSSL_LIB_CTX *libctx, const char *propquery) { OSSL_DECODER_CTX *ctx = NULL; @@ -367,8 +367,8 @@ OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey, if (OSSL_DECODER_CTX_set_input_type(ctx, input_type) && OSSL_DECODER_CTX_set_input_structure(ctx, input_structure) && OSSL_DECODER_CTX_set_selection(ctx, selection) - && ossl_decoder_ctx_setup_for_EVP_PKEY(ctx, pkey, keytype, - libctx, propquery) + && ossl_decoder_ctx_setup_for_pkey(ctx, pkey, keytype, + libctx, propquery) && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)) { OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) Got %d decoders\n", diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c index e8e1c77b5f..9604ae56bd 100644 --- a/crypto/encode_decode/encoder_pkey.c +++ b/crypto/encode_decode/encoder_pkey.c @@ -67,7 +67,7 @@ int OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX *ctx, } /* - * Support for OSSL_ENCODER_CTX_new_by_TYPE: + * Support for OSSL_ENCODER_CTX_new_for_type: * finding a suitable encoder */ @@ -162,7 +162,7 @@ static int encoder_import_cb(const OSSL_PARAM params[], void *arg) } static const void * -encoder_construct_EVP_PKEY(OSSL_ENCODER_INSTANCE *encoder_inst, void *arg) +encoder_construct_pkey(OSSL_ENCODER_INSTANCE *encoder_inst, void *arg) { struct construct_data_st *data = arg; @@ -188,7 +188,7 @@ encoder_construct_EVP_PKEY(OSSL_ENCODER_INSTANCE *encoder_inst, void *arg) return data->obj; } -static void encoder_destruct_EVP_PKEY(void *arg) +static void encoder_destruct_pkey(void *arg) { struct construct_data_st *data = arg; @@ -202,15 +202,15 @@ static void encoder_destruct_EVP_PKEY(void *arg) } /* - * OSSL_ENCODER_CTX_new_by_EVP_PKEY() returns a ctx with no encoder if + * OSSL_ENCODER_CTX_new_for_pkey() returns a ctx with no encoder if * it couldn't find a suitable encoder. This allows a caller to detect if * a suitable encoder was found, with OSSL_ENCODER_CTX_get_num_encoder(), * and to use fallback methods if the result is NULL. */ -static int ossl_encoder_ctx_setup_for_EVP_PKEY(OSSL_ENCODER_CTX *ctx, - const EVP_PKEY *pkey, - int selection, - const char *propquery) +static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, + const EVP_PKEY *pkey, + int selection, + const char *propquery) { struct construct_data_st *data = NULL; OSSL_LIB_CTX *libctx = NULL; @@ -262,9 +262,9 @@ static int ossl_encoder_ctx_setup_for_EVP_PKEY(OSSL_ENCODER_CTX *ctx, } if (OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) { - if (!OSSL_ENCODER_CTX_set_construct(ctx, encoder_construct_EVP_PKEY) + if (!OSSL_ENCODER_CTX_set_construct(ctx, encoder_construct_pkey) || !OSSL_ENCODER_CTX_set_construct_data(ctx, data) - || !OSSL_ENCODER_CTX_set_cleanup(ctx, encoder_destruct_EVP_PKEY)) + || !OSSL_ENCODER_CTX_set_cleanup(ctx, encoder_destruct_pkey)) goto err; data->pk = pkey; @@ -282,11 +282,11 @@ static int ossl_encoder_ctx_setup_for_EVP_PKEY(OSSL_ENCODER_CTX *ctx, return ok; } -OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_by_EVP_PKEY(const EVP_PKEY *pkey, - int selection, - const char *output_type, - const char *output_struct, - const char *propquery) +OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY *pkey, + int selection, + const char *output_type, + const char *output_struct, + const char *propquery) { OSSL_ENCODER_CTX *ctx = NULL; OSSL_LIB_CTX *libctx = NULL; @@ -325,7 +325,7 @@ OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_by_EVP_PKEY(const EVP_PKEY *pkey, && (output_struct == NULL || OSSL_ENCODER_CTX_set_output_structure(ctx, output_struct)) && OSSL_ENCODER_CTX_set_selection(ctx, selection) - && ossl_encoder_ctx_setup_for_EVP_PKEY(ctx, pkey, selection, propquery) + && ossl_encoder_ctx_setup_for_pkey(ctx, pkey, selection, propquery) && OSSL_ENCODER_CTX_add_extra(ctx, libctx, propquery)) { OSSL_TRACE_BEGIN(ENCODER) { BIO_printf(trc_out, "(ctx %p) Got %d encoders\n", diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index dd20a52e7a..87091cf16b 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -85,9 +85,9 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey) size_t derlen = 0; const unsigned char *pp; - if ((ctx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, - "DER", "pkcs8", - NULL)) == NULL + if ((ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, + "DER", "pkcs8", + NULL)) == NULL || !OSSL_ENCODER_to_data(ctx, &der, &derlen)) goto error; diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 8cf65d6a34..e655adde05 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1093,8 +1093,8 @@ static int print_pkey(const EVP_PKEY *pkey, BIO *out, int indent, if (!print_set_indent(&out, &pop_f_prefix, &saved_indent, indent)) return 0; - ctx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, "TEXT", NULL, - propquery); + ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "TEXT", NULL, + propquery); if (OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) ret = OSSL_ENCODER_to_bio(ctx, out); OSSL_ENCODER_CTX_free(ctx); diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c index 8766395051..222af64397 100644 --- a/crypto/pem/pem_all.c +++ b/crypto/pem/pem_all.c @@ -223,4 +223,4 @@ DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u) # endif #endif -IMPLEMENT_PEM_provided_write(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY) +IMPLEMENT_PEM_provided_write(PUBKEY, EVP_PKEY, pkey, PEM_STRING_PUBLIC, PUBKEY) diff --git a/crypto/pem/pem_local.h b/crypto/pem/pem_local.h index 3f54644e89..732825c03c 100644 --- a/crypto/pem/pem_local.h +++ b/crypto/pem/pem_local.h @@ -47,7 +47,7 @@ # define IMPLEMENT_PEM_provided_write_body_vars(type, asn1, pq) \ int ret = 0; \ OSSL_ENCODER_CTX *ctx = \ - OSSL_ENCODER_CTX_new_by_##type(x, PEM_SELECTION_##asn1, \ + OSSL_ENCODER_CTX_new_for_##type(x, PEM_SELECTION_##asn1, \ "PEM", PEM_STRUCTURE_##asn1, \ (pq)); \ \ @@ -98,16 +98,16 @@ return PEM_ASN1_##writename##((i2d_of_void *)i2d_##asn1, str, out, \ x, enc, kstr, klen, cb, u) -# define IMPLEMENT_PEM_provided_write_to(name, type, str, asn1, \ +# define IMPLEMENT_PEM_provided_write_to(name, TYPE, type, str, asn1, \ OUTTYPE, outtype, writename) \ - PEM_write_fnsig(name, type, OUTTYPE, writename) \ + PEM_write_fnsig(name, TYPE, OUTTYPE, writename) \ { \ IMPLEMENT_PEM_provided_write_body_vars(type, asn1, NULL); \ IMPLEMENT_PEM_provided_write_body_main(type, outtype); \ IMPLEMENT_PEM_provided_write_body_fallback(str, asn1, \ writename); \ } \ - PEM_write_ex_fnsig(name, type, OUTTYPE, writename) \ + PEM_write_ex_fnsig(name, TYPE, OUTTYPE, writename) \ { \ IMPLEMENT_PEM_provided_write_body_vars(type, asn1, propq); \ IMPLEMENT_PEM_provided_write_body_main(type, outtype); \ @@ -116,9 +116,9 @@ } -# define IMPLEMENT_PEM_provided_write_cb_to(name, type, str, asn1, \ +# define IMPLEMENT_PEM_provided_write_cb_to(name, TYPE, type, str, asn1, \ OUTTYPE, outtype, writename) \ - PEM_write_cb_fnsig(name, type, OUTTYPE, writename) \ + PEM_write_cb_fnsig(name, TYPE, OUTTYPE, writename) \ { \ IMPLEMENT_PEM_provided_write_body_vars(type, asn1, NULL); \ IMPLEMENT_PEM_provided_write_body_pass(); \ @@ -126,7 +126,7 @@ IMPLEMENT_PEM_provided_write_body_fallback_cb(str, asn1, \ writename); \ } \ - PEM_write_ex_cb_fnsig(name, type, OUTTYPE, writename) \ + PEM_write_ex_cb_fnsig(name, TYPE, OUTTYPE, writename) \ { \ IMPLEMENT_PEM_provided_write_body_vars(type, asn1, propq); \ IMPLEMENT_PEM_provided_write_body_pass(); \ @@ -137,36 +137,36 @@ # ifdef OPENSSL_NO_STDIO -# define IMPLEMENT_PEM_provided_write_fp(name, type, str, asn1) -# define IMPLEMENT_PEM_provided_write_cb_fp(name, type, str, asn1) +# define IMPLEMENT_PEM_provided_write_fp(name, TYPE, type, str, asn1) +# define IMPLEMENT_PEM_provided_write_cb_fp(name, TYPE, type, str, asn1) # else -# define IMPLEMENT_PEM_provided_write_fp(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_to(name, type, str, asn1, FILE, fp, write) -# define IMPLEMENT_PEM_provided_write_cb_fp(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_cb_to(name, type, str, asn1, FILE, fp, write) +# define IMPLEMENT_PEM_provided_write_fp(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_to(name, TYPE, type, str, asn1, FILE, fp, write) +# define IMPLEMENT_PEM_provided_write_cb_fp(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_cb_to(name, TYPE, type, str, asn1, FILE, fp, write) # endif -# define IMPLEMENT_PEM_provided_write_bio(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_to(name, type, str, asn1, BIO, bio, write_bio) -# define IMPLEMENT_PEM_provided_write_cb_bio(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_cb_to(name, type, str, asn1, BIO, bio, write_bio) +# define IMPLEMENT_PEM_provided_write_bio(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_to(name, TYPE, type, str, asn1, BIO, bio, write_bio) +# define IMPLEMENT_PEM_provided_write_cb_bio(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_cb_to(name, TYPE, type, str, asn1, BIO, bio, write_bio) -# define IMPLEMENT_PEM_provided_write(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_bio(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_fp(name, type, str, asn1) +# define IMPLEMENT_PEM_provided_write(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_bio(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_fp(name, TYPE, type, str, asn1) -# define IMPLEMENT_PEM_provided_write_cb(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_cb_bio(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_cb_fp(name, type, str, asn1) +# define IMPLEMENT_PEM_provided_write_cb(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_cb_bio(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_provided_write_cb_fp(name, TYPE, type, str, asn1) -# define IMPLEMENT_PEM_provided_rw(name, type, str, asn1) \ - IMPLEMENT_PEM_read(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write(name, type, str, asn1) +# define IMPLEMENT_PEM_provided_rw(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_read(name, TYPE, str, asn1) \ + IMPLEMENT_PEM_provided_write(name, TYPE, type, str, asn1) -# define IMPLEMENT_PEM_provided_rw_cb(name, type, str, asn1) \ - IMPLEMENT_PEM_read(name, type, str, asn1) \ - IMPLEMENT_PEM_provided_write_cb(name, type, str, asn1) +# define IMPLEMENT_PEM_provided_rw_cb(name, TYPE, type, str, asn1) \ + IMPLEMENT_PEM_read(name, TYPE, str, asn1) \ + IMPLEMENT_PEM_provided_write_cb(name, TYPE, type, str, asn1) diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c index 09d38855b6..62fa45f13d 100644 --- a/crypto/pem/pem_pk8.c +++ b/crypto/pem/pem_pk8.c @@ -73,8 +73,8 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, int ret = 0; const char *outtype = isder ? "DER" : "PEM"; OSSL_ENCODER_CTX *ctx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(x, OSSL_KEYMGMT_SELECT_ALL, - outtype, "pkcs8", propq); + OSSL_ENCODER_CTX_new_for_pkey(x, OSSL_KEYMGMT_SELECT_ALL, + outtype, "pkcs8", propq); if (ctx == NULL) return 0; diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index c71bc24bb2..f7cc7b88c6 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -153,10 +153,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, PEM_write_cb_ex_fnsig(PrivateKey, EVP_PKEY, BIO, write_bio) { - IMPLEMENT_PEM_provided_write_body_vars(EVP_PKEY, PrivateKey, propq); + IMPLEMENT_PEM_provided_write_body_vars(pkey, PrivateKey, propq); IMPLEMENT_PEM_provided_write_body_pass(); - IMPLEMENT_PEM_provided_write_body_main(EVP_PKEY, bio); + IMPLEMENT_PEM_provided_write_body_main(pkey, bio); legacy: if (x->ameth == NULL || x->ameth->priv_encode != NULL) @@ -218,9 +218,9 @@ EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x) PEM_write_fnsig(Parameters, EVP_PKEY, BIO, write_bio) { char pem_str[80]; - IMPLEMENT_PEM_provided_write_body_vars(EVP_PKEY, Parameters, NULL); + IMPLEMENT_PEM_provided_write_body_vars(pkey, Parameters, NULL); - IMPLEMENT_PEM_provided_write_body_main(EVP_PKEY, bio); + IMPLEMENT_PEM_provided_write_body_main(pkey, bio); legacy: if (!x->ameth || !x->ameth->param_encode) diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index e0c0532152..6ac77b77dd 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -274,8 +274,8 @@ static EVP_PKEY *try_key_value(struct extracted_param_data_st *data, } decoderctx = - OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", NULL, data->data_type, - selection, libctx, propq); + OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", NULL, data->data_type, + selection, libctx, propq); (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg); /* No error if this couldn't be decoded */ diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index 740702d730..5d500f0690 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -122,9 +122,9 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) unsigned char *der = NULL; size_t derlen = 0; OSSL_ENCODER_CTX *ectx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, EVP_PKEY_PUBLIC_KEY, - "DER", "SubjectPublicKeyInfo", - NULL); + OSSL_ENCODER_CTX_new_for_pkey(pkey, EVP_PKEY_PUBLIC_KEY, + "DER", "SubjectPublicKeyInfo", + NULL); if (OSSL_ENCODER_to_data(ectx, &der, &derlen)) { const unsigned char *pder = der; @@ -325,9 +325,9 @@ int i2d_PUBKEY(const EVP_PKEY *a, unsigned char **pp) X509_PUBKEY_free(xpk); } else if (a->keymgmt != NULL) { OSSL_ENCODER_CTX *ctx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(a, EVP_PKEY_PUBLIC_KEY, - "DER", "SubjectPublicKeyInfo", - NULL); + OSSL_ENCODER_CTX_new_for_pkey(a, EVP_PKEY_PUBLIC_KEY, + "DER", "SubjectPublicKeyInfo", + NULL); BIO *out = BIO_new(BIO_s_mem()); BUF_MEM *buf = NULL; diff --git a/doc/man3/OSSL_DECODER.pod b/doc/man3/OSSL_DECODER.pod index f87e693e09..9bc2a035ae 100644 --- a/doc/man3/OSSL_DECODER.pod +++ b/doc/man3/OSSL_DECODER.pod @@ -124,7 +124,7 @@ Text, because pod2xxx doesn't like empty sections =head1 SEE ALSO L, L, L, -L, L +L, L =head1 HISTORY diff --git a/doc/man3/OSSL_DECODER_CTX_new_by_EVP_PKEY.pod b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod similarity index 84% rename from doc/man3/OSSL_DECODER_CTX_new_by_EVP_PKEY.pod rename to doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod index 38425ae7dc..acb28f8306 100644 --- a/doc/man3/OSSL_DECODER_CTX_new_by_EVP_PKEY.pod +++ b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod @@ -2,7 +2,7 @@ =head1 NAME -OSSL_DECODER_CTX_new_by_EVP_PKEY, +OSSL_DECODER_CTX_new_for_pkey, OSSL_DECODER_CTX_set_passphrase, OSSL_DECODER_CTX_set_pem_password_cb, OSSL_DECODER_CTX_set_passphrase_ui, @@ -14,11 +14,11 @@ OSSL_DECODER_CTX_set_passphrase_cb #include OSSL_DECODER_CTX * - OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey, - const char *input_type, - const char *input_struct, - const char *keytype, int selection, - OSSL_LIB_CTX *libctx, const char *propquery); + OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, + const char *input_type, + const char *input_struct, + const char *keytype, int selection, + OSSL_LIB_CTX *libctx, const char *propquery); int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx, const unsigned char *kstr, @@ -35,14 +35,17 @@ OSSL_DECODER_CTX_set_passphrase_cb =head1 DESCRIPTION -OSSL_DECODER_CTX_new_by_EVP_PKEY() is a utility function that creates a +OSSL_DECODER_CTX_new_for_pkey() is a utility function that creates a B, finds all applicable decoder implementations and sets them up, so all the caller has to do next is call functions like L. The caller may use the optional I, I, I and I to specify what the input is -expected to contain. +expected to contain. The I must reference an B variable +that will be set to the newly created B on succesfull decoding. +The referenced variable must be initialized to NULL before calling the +function. -Internally OSSL_DECODER_CTX_new_by_EVP_PKEY() searches for all available +Internally OSSL_DECODER_CTX_new_for_pkey() searches for all available L implementations, and then builds a list of all potential decoder implementations that may be able to process the encoded input into data suitable for Bs. All these implementations are implicitly @@ -62,7 +65,7 @@ NULL and zero are valid and signify that the decoder implementations will find out the keytype and key contents on their own from the input they get. If no suitable decoder implementation is found, -OSSL_DECODER_CTX_new_by_EVP_PKEY() still creates a B, but +OSSL_DECODER_CTX_new_for_pkey() still creates a B, but with no associated decoder (L returns zero). This helps the caller to distinguish between an error when creating the B and missing encoder implementation, and allows it to @@ -107,7 +110,7 @@ encoded according to PKCS#1. =head1 RETURN VALUES -OSSL_DECODER_CTX_new_by_EVP_PKEY() returns a pointer to a +OSSL_DECODER_CTX_new_for_pkey() returns a pointer to a B, or NULL if it couldn't be created. OSSL_DECODER_CTX_set_passphrase(), OSSL_DECODER_CTX_set_pem_password_cb(), @@ -115,15 +118,6 @@ OSSL_DECODER_CTX_set_passphrase_ui() and OSSL_DECODER_CTX_set_passphrase_cb() all return 1 on success, or 0 on failure. -=head1 NOTES - -Parts of the function names are made to match already existing OpenSSL -names. - -B in OSSL_DECODER_CTX_new_by_EVP_PKEY() matches the type name, -thus making for the naming pattern B>() when -new types are handled. - =head1 SEE ALSO L, L, L diff --git a/doc/man3/OSSL_ENCODER.pod b/doc/man3/OSSL_ENCODER.pod index da1aa475dc..6952d850f4 100644 --- a/doc/man3/OSSL_ENCODER.pod +++ b/doc/man3/OSSL_ENCODER.pod @@ -117,7 +117,7 @@ Any other API that uses keys will typically do this. =head1 SEE ALSO L, L, L, -L, L +L, L =head1 HISTORY diff --git a/doc/man3/OSSL_ENCODER_CTX_new_by_EVP_PKEY.pod b/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod similarity index 86% rename from doc/man3/OSSL_ENCODER_CTX_new_by_EVP_PKEY.pod rename to doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod index 403d7a00be..dec48804c6 100644 --- a/doc/man3/OSSL_ENCODER_CTX_new_by_EVP_PKEY.pod +++ b/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod @@ -2,7 +2,7 @@ =head1 NAME -OSSL_ENCODER_CTX_new_by_EVP_PKEY, +OSSL_ENCODER_CTX_new_for_pkey, OSSL_ENCODER_CTX_set_cipher, OSSL_ENCODER_CTX_set_passphrase, OSSL_ENCODER_CTX_set_pem_password_cb, @@ -15,10 +15,10 @@ OSSL_ENCODER_CTX_set_passphrase_ui #include OSSL_ENCODER_CTX * - OSSL_ENCODER_CTX_new_by_EVP_PKEY(const EVP_PKEY *pkey, int selection, - const char *output_type, - const char *output_structure, - const char *propquery); + OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY *pkey, int selection, + const char *output_type, + const char *output_structure, + const char *propquery); int OSSL_ENCODER_CTX_set_cipher(OSSL_ENCODER_CTX *ctx, const char *cipher_name, @@ -37,7 +37,7 @@ OSSL_ENCODER_CTX_set_passphrase_ui =head1 DESCRIPTION -OSSL_ENCODER_CTX_new_by_EVP_PKEY() is a utility function that creates a +OSSL_ENCODER_CTX_new_for_pkey() is a utility function that creates a B, finds all applicable encoder implementations and sets them up, so almost all the caller has to do next is call functions like L. I determines the final output @@ -46,7 +46,7 @@ should be included in the output. I is further discussed in L below, and I is further described in L. -Internally, OSSL_ENCODER_CTX_new_by_EVP_PKEY() uses the names from the +Internally, OSSL_ENCODER_CTX_new_for_pkey() uses the names from the L implementation associated with I to build a list of applicable encoder implementations that are used to process the I into the encoding named by I, with the outermost structure named by @@ -54,7 +54,7 @@ I if that's relevant. All these implementations are implicitly fetched, with I for finer selection. If no suitable encoder implementation is found, -OSSL_ENCODER_CTX_new_by_EVP_PKEY() still creates a B, but +OSSL_ENCODER_CTX_new_for_pkey() still creates a B, but with no associated encoder (L returns zero). This helps the caller to distinguish between an error when creating the B and missing encoder implementation, and allows it to @@ -146,23 +146,14 @@ usually include the public key. =head1 RETURN VALUES -OSSL_ENCODER_CTX_new_by_EVP_PKEY() returns a pointer to a -B, or NULL if it couldn't be created. +OSSL_ENCODER_CTX_new_for_pkey() returns a pointer to an B, +or NULL if it couldn't be created. OSSL_ENCODER_CTX_set_cipher(), OSSL_ENCODER_CTX_set_passphrase(), OSSL_ENCODER_CTX_set_pem_password_cb(), OSSL_ENCODER_CTX_set_passphrase_ui() and OSSL_ENCODER_CTX_set_passphrase_cb() all return 1 on success, or 0 on failure. -=head1 NOTES - -Parts of the function names are made to match already existing OpenSSL -names. - -B in OSSL_ENCODER_CTX_new_by_EVP_PKEY() matches the type name, -thus making for the naming pattern B>() when -new types are handled. - =head1 SEE ALSO L, L, L diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 41e8e3cb6c..475c53ca1d 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -222,8 +222,8 @@ The following sample code does the rest of the work: unsigned char *p = buffer; /* |buffer| is supplied by the caller */ size_t len = buffer_size; /* assumed be the size of |buffer| */ OSSL_ENCODER_CTX *ctx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, "DER", structure, - NULL, NULL); + OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER", structure, + NULL, NULL); if (ctx == NULL) { /* fatal error handling */ } diff --git a/include/crypto/decoder.h b/include/crypto/decoder.h index 5d055fecd8..a83615a8e6 100644 --- a/include/crypto/decoder.h +++ b/include/crypto/decoder.h @@ -32,10 +32,10 @@ void ossl_decoder_instance_free(OSSL_DECODER_INSTANCE *decoder_inst); int ossl_decoder_ctx_add_decoder_inst(OSSL_DECODER_CTX *ctx, OSSL_DECODER_INSTANCE *di); -int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx, - EVP_PKEY **pkey, const char *keytype, - OSSL_LIB_CTX *libctx, - const char *propquery); +int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, + EVP_PKEY **pkey, const char *keytype, + OSSL_LIB_CTX *libctx, + const char *propquery); #endif diff --git a/include/openssl/decoder.h b/include/openssl/decoder.h index 3c3a9a1ea2..29ccb0a7ff 100644 --- a/include/openssl/decoder.h +++ b/include/openssl/decoder.h @@ -120,11 +120,11 @@ int OSSL_DECODER_from_data(OSSL_DECODER_CTX *ctx, const unsigned char **pdata, * an implicit OSSL_DECODER_fetch(), suitable for the object of that type. */ OSSL_DECODER_CTX * -OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey, - const char *input_type, - const char *input_struct, - const char *keytype, int selection, - OSSL_LIB_CTX *libctx, const char *propquery); +OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, + const char *input_type, + const char *input_struct, + const char *keytype, int selection, + OSSL_LIB_CTX *libctx, const char *propquery); # ifdef __cplusplus } diff --git a/include/openssl/encoder.h b/include/openssl/encoder.h index 122a46bac9..c6a300bd9c 100644 --- a/include/openssl/encoder.h +++ b/include/openssl/encoder.h @@ -113,11 +113,11 @@ int OSSL_ENCODER_to_data(OSSL_ENCODER_CTX *ctx, unsigned char **pdata, * an implicit OSSL_ENCODER_fetch(), suitable for the object of that type. * This is more useful than calling OSSL_ENCODER_CTX_new(). */ -OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_by_EVP_PKEY(const EVP_PKEY *pkey, - int selection, - const char *output_type, - const char *output_struct, - const char *propquery); +OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY *pkey, + int selection, + const char *output_type, + const char *output_struct, + const char *propquery); # ifdef __cplusplus } diff --git a/providers/encoders.inc b/providers/encoders.inc index f2b59e0846..356e2f2f6b 100644 --- a/providers/encoders.inc +++ b/providers/encoders.inc @@ -74,16 +74,16 @@ ENCODER_TEXT("SM2", sm2, yes), * created like this: * * OSSL_ENCODER_CTX *ctx = - * OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, "DER", "type-specific", - * NULL, NULL); + * OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER", "type-specific", + * NULL, NULL); * * To replace PEM_write_bio_{TYPE}PrivateKey(), PEM_write_bio_{TYPE}PublicKey() * and PEM_write_bio_{TYPE}Params(), use OSSL_ENCODER functions with an * OSSL_ENCODER_CTX created like this: * * OSSL_ENCODER_CTX *ctx = - * OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, "PEM", "type-specific", - * NULL, NULL); + * OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "PEM", "type-specific", + * NULL, NULL); * * We only implement those for which there are current i2d_ and PEM_write_bio * implementations. @@ -197,7 +197,7 @@ ENCODER_w_structure("SM2", sm2, yes, pem, SubjectPublicKeyInfo), * Entries for key type specific output formats. These are exactly the * same as the type specific above, except that they use the key type * name as structure name instead of "type-specific", in the call on - * OSSL_ENCODER_CTX_new_by_EVP_PKEY(). + * OSSL_ENCODER_CTX_new_for_pkey(). */ /* The RSA encoders only support private key and public key output */ diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index a5edc53506..ab4b4055d9 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -59,7 +59,7 @@ static OSSL_FUNC_store_close_fn file_close; * internal OpenSSL functions, thereby bypassing the need for a surrounding * provider. This is ok, since this is a local decoder, not meant for * public consumption. It also uses the libcrypto internal decoder - * setup function ossl_decoder_ctx_setup_for_EVP_PKEY(), to allow the + * setup function ossl_decoder_ctx_setup_for_pkey(), to allow the * last resort decoder to be added first (and thereby be executed last). * Finally, it sets up its own construct and cleanup functions. * @@ -535,7 +535,7 @@ void file_load_cleanup(void *construct_data) static int file_setup_decoders(struct file_ctx_st *ctx) { - EVP_PKEY *dummy; /* for OSSL_DECODER_CTX_new_by_EVP_PKEY() */ + EVP_PKEY *dummy; /* for ossl_decoder_ctx_setup_for_pkey() */ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx); OSSL_DECODER *to_obj = NULL; /* Last resort decoder */ OSSL_DECODER_INSTANCE *to_obj_inst = NULL; @@ -588,9 +588,9 @@ static int file_setup_decoders(struct file_ctx_st *ctx) * Since we're setting up our own constructor, we don't need to care * more than that... */ - if (!ossl_decoder_ctx_setup_for_EVP_PKEY(ctx->_.file.decoderctx, - &dummy, NULL, - libctx, ctx->_.file.propq) + if (!ossl_decoder_ctx_setup_for_pkey(ctx->_.file.decoderctx, + &dummy, NULL, + libctx, ctx->_.file.propq) || !OSSL_DECODER_CTX_add_extra(ctx->_.file.decoderctx, libctx, ctx->_.file.propq)) { ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index edd3fd7640..12e765c3be 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -587,9 +587,9 @@ static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) goto end; decoderctx - = OSSL_DECODER_CTX_new_by_EVP_PKEY(&dhpkey, "PEM", NULL, "DH", - OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, - sslctx->libctx, sslctx->propq); + = OSSL_DECODER_CTX_new_for_pkey(&dhpkey, "PEM", NULL, "DH", + OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, + sslctx->libctx, sslctx->propq); if (decoderctx == NULL || !OSSL_DECODER_from_bio(decoderctx, in)) { OSSL_DECODER_CTX_free(decoderctx); diff --git a/test/endecode_test.c b/test/endecode_test.c index 178d0ca77f..b5da47d338 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -198,10 +198,10 @@ static int encode_EVP_PKEY_prov(void **encoded, long *encoded_len, const unsigned char *upass = (const unsigned char *)pass; int ok = 0; - if (!TEST_ptr(ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, - output_type, - output_structure, - NULL)) + if (!TEST_ptr(ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, + output_type, + output_structure, + NULL)) || !TEST_int_gt(OSSL_ENCODER_CTX_get_num_encoders(ectx), 0) || (pass != NULL && !TEST_true(OSSL_ENCODER_CTX_set_passphrase(ectx, upass, @@ -256,12 +256,12 @@ static int decode_EVP_PKEY_prov(void **object, void *encoded, long encoded_len, const char *testtype = (i == 0) ? input_type : ((i == 1) ? NULL : badtype); - if (!TEST_ptr(dctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(&testpkey, - testtype, - NULL, - keytype, - selection, - NULL, NULL)) + if (!TEST_ptr(dctx = OSSL_DECODER_CTX_new_for_pkey(&testpkey, + testtype, + NULL, + keytype, + selection, + NULL, NULL)) || (pass != NULL && !OSSL_DECODER_CTX_set_passphrase(dctx, upass, strlen(pass))) || !TEST_int_gt(BIO_reset(encoded_bio), 0) diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c index ffaa25da7b..64bbea0ad1 100644 --- a/test/endecoder_legacy_test.c +++ b/test/endecoder_legacy_test.c @@ -317,9 +317,9 @@ static int test_protected_PEM(const char *keytype, int evp_type, goto end; if (!TEST_ptr(ectx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(provided_pkey, selection, - "PEM", structure, - NULL)) + OSSL_ENCODER_CTX_new_for_pkey(provided_pkey, selection, + "PEM", structure, + NULL)) || !TEST_true(OSSL_ENCODER_to_bio(ectx, membio_provided)) || !TEST_true(pem_write_bio(membio_legacy, legacy_key, NULL, NULL, 0, NULL, NULL)) @@ -331,10 +331,10 @@ static int test_protected_PEM(const char *keytype, int evp_type, if (!TEST_ptr(decoded_legacy_pkey = EVP_PKEY_new()) || !TEST_ptr(dctx = - OSSL_DECODER_CTX_new_by_EVP_PKEY(&decoded_provided_pkey, - "PEM", structure, - keytype, selection, - NULL, NULL)) + OSSL_DECODER_CTX_new_for_pkey(&decoded_provided_pkey, + "PEM", structure, + keytype, selection, + NULL, NULL)) || !TEST_true(OSSL_DECODER_from_bio(dctx, membio_provided)) || !TEST_ptr(decoded_legacy_key = pem_read_bio(membio_legacy, NULL, NULL, NULL)) @@ -385,9 +385,9 @@ static int test_unprotected_PEM(const char *keytype, int evp_type, goto end; if (!TEST_ptr(ectx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(provided_pkey, selection, - "PEM", structure, - NULL)) + OSSL_ENCODER_CTX_new_for_pkey(provided_pkey, selection, + "PEM", structure, + NULL)) || !TEST_true(OSSL_ENCODER_to_bio(ectx, membio_provided)) || !TEST_true(pem_write_bio(membio_legacy, legacy_key)) || !test_membio_str_eq(membio_provided, membio_legacy)) @@ -398,10 +398,10 @@ static int test_unprotected_PEM(const char *keytype, int evp_type, if (!TEST_ptr(decoded_legacy_pkey = EVP_PKEY_new()) || !TEST_ptr(dctx = - OSSL_DECODER_CTX_new_by_EVP_PKEY(&decoded_provided_pkey, - "PEM", structure, - keytype, selection, - NULL, NULL)) + OSSL_DECODER_CTX_new_for_pkey(&decoded_provided_pkey, + "PEM", structure, + keytype, selection, + NULL, NULL)) || !TEST_true(OSSL_DECODER_from_bio(dctx, membio_provided)) || !TEST_ptr(decoded_legacy_key = pem_read_bio(membio_legacy, NULL, NULL, NULL)) @@ -450,9 +450,9 @@ static int test_DER(const char *keytype, int evp_type, EVP_PKEY *decoded_provided_pkey = NULL; if (!TEST_ptr(ectx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(provided_pkey, selection, - "DER", structure, - NULL)) + OSSL_ENCODER_CTX_new_for_pkey(provided_pkey, selection, + "DER", structure, + NULL)) || !TEST_true(OSSL_ENCODER_to_data(ectx, &der_provided, &der_provided_len)) || !TEST_size_t_gt(der_legacy_len = i2d(legacy_key, &der_legacy), 0) @@ -465,10 +465,10 @@ static int test_DER(const char *keytype, int evp_type, if (!TEST_ptr(decoded_legacy_pkey = EVP_PKEY_new()) || !TEST_ptr(dctx = - OSSL_DECODER_CTX_new_by_EVP_PKEY(&decoded_provided_pkey, - "DER", structure, - keytype, selection, - NULL, NULL)) + OSSL_DECODER_CTX_new_for_pkey(&decoded_provided_pkey, + "DER", structure, + keytype, selection, + NULL, NULL)) || !TEST_true((pder_provided = der_provided, tmp_size = der_provided_len, OSSL_DECODER_from_data(dctx, &pder_provided, diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index b3f2ec689b..2d32eb98da 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -419,8 +419,8 @@ static EVP_PKEY *load_example_key(const char *keytype, const unsigned char **pdata = &data; EVP_PKEY *pkey = NULL; OSSL_DECODER_CTX *dctx = - OSSL_DECODER_CTX_new_by_EVP_PKEY(&pkey, "DER", NULL, keytype, 0, - testctx, NULL); + OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, keytype, 0, + testctx, NULL); /* |pkey| will be NULL on error */ (void)OSSL_DECODER_from_data(dctx, pdata, &data_len); diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c index 0b8ea1c4a9..302ec2c9b1 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c @@ -474,10 +474,10 @@ static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv) || !TEST_true(EVP_PKEY_CTX_set_rsa_keygen_bits(keygen_ctx, bits)) || !TEST_int_gt(EVP_PKEY_keygen(keygen_ctx, priv), 0) || !TEST_ptr(ectx = - OSSL_ENCODER_CTX_new_by_EVP_PKEY(*priv, - EVP_PKEY_PUBLIC_KEY, - "DER", "type-specific", - NULL)) + OSSL_ENCODER_CTX_new_for_pkey(*priv, + EVP_PKEY_PUBLIC_KEY, + "DER", "type-specific", + NULL)) || !TEST_true(OSSL_ENCODER_to_data(ectx, &pub_der, &len))) goto err; pp = pub_der; diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 85ae542b7c..62a9346eb4 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -219,10 +219,10 @@ static int test_print_key_type_using_encoder(const char *alg, int type, /* Make a context, it's valid for several prints */ TEST_note("Setting up a OSSL_ENCODER context with passphrase"); - if (!TEST_ptr(ctx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pk, selection, - output_type, - output_structure, - NULL)) + if (!TEST_ptr(ctx = OSSL_ENCODER_CTX_new_for_pkey(pk, selection, + output_type, + output_structure, + NULL)) /* Check that this operation is supported */ || !TEST_int_ne(OSSL_ENCODER_CTX_get_num_encoders(ctx), 0)) goto err; diff --git a/util/libcrypto.num b/util/libcrypto.num index 5e3ee9e408..c2e5c75486 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4838,7 +4838,7 @@ OSSL_ENCODER_CTX_free ? 3_0_0 EXIST::FUNCTION: OSSL_ENCODER_properties ? 3_0_0 EXIST::FUNCTION: OSSL_ENCODER_to_bio ? 3_0_0 EXIST::FUNCTION: OSSL_ENCODER_to_fp ? 3_0_0 EXIST::FUNCTION:STDIO -OSSL_ENCODER_CTX_new_by_EVP_PKEY ? 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_new_for_pkey ? 3_0_0 EXIST::FUNCTION: OSSL_ENCODER_CTX_set_cipher ? 3_0_0 EXIST::FUNCTION: OSSL_ENCODER_CTX_set_passphrase ? 3_0_0 EXIST::FUNCTION: OSSL_ENCODER_CTX_set_pem_password_cb ? 3_0_0 EXIST::FUNCTION: @@ -5127,7 +5127,7 @@ OSSL_DECODER_INSTANCE_get_decoder ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_INSTANCE_get_decoder_ctx ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_gettable_params ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_get_params ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_new_by_EVP_PKEY ? 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_new_for_pkey ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_CTX_set_construct ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_CTX_set_construct_data ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_CTX_set_cleanup ? 3_0_0 EXIST::FUNCTION: From no-reply at appveyor.com Wed Feb 17 16:14:02 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 17 Feb 2021 16:14:02 +0000 Subject: Build failed: openssl master.39942 Message-ID: <20210217161402.1.2E4F4D43A506DEDF@appveyor.com> An HTML attachment was scrubbed... URL: From beldmit at gmail.com Wed Feb 17 16:14:58 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Wed, 17 Feb 2021 16:14:58 +0000 Subject: [openssl] master update Message-ID: <1613578498.518145.3472.nullmailer@dev.openssl.org> The branch master has been updated via b51bed05c2ab54a1933b5c18862e68cd4540278c (commit) via d44a8a16c8a2851af7f70575ff3dd23cc06f30e1 (commit) from fe75766c9c2919f649df7b3ad209df2bc5e56dd0 (commit) - Log ----------------------------------------------------------------- commit b51bed05c2ab54a1933b5c18862e68cd4540278c Author: Dr. David von Oheimb Date: Sun Feb 14 20:25:42 2021 +0100 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR Also improve doc how the -reqexts option affects the CSR given with the -csr option. Reviewed-by: David von Oheimb Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14181) commit d44a8a16c8a2851af7f70575ff3dd23cc06f30e1 Author: Dr. David von Oheimb Date: Sun Feb 14 20:12:38 2021 +0100 apps/ca.c: Make sure ext_ctx structure gets initialized Fixes #14175 Reviewed-by: David von Oheimb Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14181) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 11 +++++---- apps/cmp.c | 54 +++++++++++++++++++++++---------------------- doc/man1/openssl-cmp.pod.in | 2 ++ 3 files changed, 37 insertions(+), 30 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 29f62f86f2..dbb4d15eb8 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -863,6 +863,7 @@ end_of_options: if (extensions != NULL) { /* Check syntax of config file section */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) { @@ -1141,6 +1142,7 @@ end_of_options: if (crl_ext != NULL) { /* Check syntax of file */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { @@ -1230,6 +1232,7 @@ end_of_options: if (crl_ext != NULL || crlnumberfile != NULL) { X509V3_CTX crlctx; + X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); @@ -1697,12 +1700,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (!i) goto end; + /* Initialize the context structure */ + X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, + ret, req, NULL, X509V3_CTX_REPLACE); + /* Lets add the extensions, if there are any */ if (ext_sect) { - /* Initialize the context structure */ - X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, - ret, req, NULL, X509V3_CTX_REPLACE); - if (extfile_conf != NULL) { if (verbose) BIO_printf(bio_err, "Extra configuration file found\n"); diff --git a/apps/cmp.c b/apps/cmp.c index 1dbd1f7339..887ec5d22e 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1601,6 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) */ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) { + X509_REQ *csr = NULL; + X509_EXTENSIONS *exts = NULL; + X509V3_CTX ext_ctx; + if (opt_subject == NULL && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL && opt_cmd != CMP_RR && opt_cmd != CMP_GENM) @@ -1648,30 +1652,41 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) return 0; } + if (opt_csr != NULL) { + if (opt_cmd == CMP_GENM) { + CMP_warn("-csr option is ignored for genm command"); + } else { + csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); + if (csr == NULL) + return 0; + if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { + X509_REQ_free(csr); + goto oom; + } + } + } if (opt_reqexts != NULL || opt_policies != NULL) { - X509V3_CTX ext_ctx; - X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null(); - - if (exts == NULL) - return 0; - X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0); + if ((exts = sk_X509_EXTENSION_new_null()) == NULL) + goto exts_err; + X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE); X509V3_set_nconf(&ext_ctx, conf); if (opt_reqexts != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) { CMP_err1("cannot load certificate request extension section '%s'", opt_reqexts); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } if (opt_policies != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) { CMP_err1("cannot load policy cert request extension section '%s'", opt_policies); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } OSSL_CMP_CTX_set0_reqExtensions(ctx, exts); + exts = NULL; } + X509_REQ_free(csr); + csr = NULL; if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) { CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); return 0; @@ -1720,22 +1735,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_popo >= OSSL_CRMF_POPO_NONE) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo); - if (opt_csr != NULL) { - if (opt_cmd == CMP_GENM) { - CMP_warn("-csr option is ignored for genm command"); - } else { - X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); - - if (csr == NULL) - return 0; - if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { - X509_REQ_free(csr); - goto oom; - } - X509_REQ_free(csr); - } - } - if (opt_oldcert != NULL) { if (opt_cmd == CMP_GENM) { CMP_warn("-oldcert option is ignored for genm command"); @@ -1762,6 +1761,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) oom: CMP_err("out of memory"); + exts_err: + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_REQ_free(csr); return 0; } diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 3f2b742a36..9800de6465 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -298,6 +298,8 @@ validity period starts from the current time (as seen by the host). =item B<-reqexts> I Name of section in OpenSSL config file defining certificate request extensions. +If the B<-csr> option is present, these extensions augment the extensions +contained the given PKCS#10 CSR, overriding any extensions with same OIDs. =item B<-sans> I From dev at ddvo.net Wed Feb 17 16:37:28 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 17 Feb 2021 16:37:28 +0000 Subject: [openssl] master update Message-ID: <1613579848.475978.27964.nullmailer@dev.openssl.org> The branch master has been updated via adc11e1b9cf12df3c67de165a2b42ac72266cbca (commit) from b51bed05c2ab54a1933b5c18862e68cd4540278c (commit) - Log ----------------------------------------------------------------- commit adc11e1b9cf12df3c67de165a2b42ac72266cbca Author: Dr. David von Oheimb Date: Mon Feb 15 10:24:58 2021 +0100 x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 Fixes: Variable "sk_untrusted" going out of scope leaks the storage it points to. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14187) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 4e192abec4..d5c09d28f4 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3035,12 +3035,9 @@ static int build_chain(X509_STORE_CTX *ctx) * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add * them to our working copy of the untrusted certificate stack. */ - if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) { - sk_X509_free(sk_untrusted); - goto memerr; - } - } + if (DANETLS_ENABLED(dane) && dane->certs != NULL + && !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) + goto memerr; /* * Still absurdly large, but arithmetically safe, a lower hard upper bound @@ -3306,14 +3303,15 @@ static int build_chain(X509_STORE_CTX *ctx) } int_err: - sk_X509_free(sk_untrusted); ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ctx->error = X509_V_ERR_UNSPECIFIED; + sk_X509_free(sk_untrusted); return -1; memerr: ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; + sk_X509_free(sk_untrusted); return -1; } From no-reply at appveyor.com Wed Feb 17 17:32:44 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 17 Feb 2021 17:32:44 +0000 Subject: Build completed: openssl master.39943 Message-ID: <20210217173244.1.DDB9CB9F5135F82D@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Thu Feb 18 01:08:42 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 18 Feb 2021 01:08:42 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1613610522.615122.921949.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t ...................... ok 04-test_hexstring.t ................ ok 04-test_param_build.t .............. ok 04-test_params.t ................... ok 04-test_params_conversion.t ........ ok 04-test_pem.t ...................... ok 04-test_pem_read_depr.t ............ ok 04-test_provider.t ................. ok 04-test_provider_fallback.t ........ ok 05-test_bf.t ....................... ok 05-test_cast.t ..................... ok 05-test_cmac.t ..................... ok 05-test_des.t ...................... ok 05-test_hmac.t ..................... ok 05-test_idea.t ..................... ok 05-test_rand.t ..................... ok 05-test_rc2.t ...................... ok 05-test_rc4.t ...................... ok 05-test_rc5.t ...................... skipped: rc5 is not supported by this OpenSSL build 06-test-rdrand.t ................... ok 06-test_algorithmid.t .............. ok 10-test_bn.t ....................... ok 10-test_exp.t ...................... ok 15-test_dh.t ....................... ok 15-test_dsa.t ...................... ok 15-test_ec.t ....................... ok 15-test_ecdsa.t .................... ok 15-test_ecparam.t .................. ok 15-test_gendh.t .................... ok 15-test_gendsa.t ................... ok 15-test_genec.t .................... ok 15-test_genrsa.t ................... ok 15-test_mp_rsa.t ................... ok 15-test_out_option.t ............... ok 15-test_rsa.t ...................... ok 15-test_rsaoaep.t .................. ok 15-test_rsapss.t ................... ok 20-test_app.t ...................... ok 20-test_cli_fips.t ................. ok 20-test_dgst.t ..................... ok 20-test_dhparam.t .................. ok 20-test_dhparam_check.t ............ ok 20-test_enc.t ...................... ok 20-test_enc_more.t ................. ok 20-test_kdf.t ...................... ok 20-test_mac.t ...................... ok 20-test_passwd.t ................... ok 20-test_pkeyutl.t .................. ok 20-test_rand_config.t .............. ok 25-test_crl.t ...................... ok 25-test_d2i.t ...................... ok 25-test_eai_data.t ................. ok 25-test_pkcs7.t .................... ok 25-test_req.t ...................... ok 25-test_rusext.t ................... ok 25-test_sid.t ...................... ok 25-test_verify.t ................... ok 25-test_verify_store.t ............. ok 25-test_x509.t ..................... ok make[1]: *** [Makefile:3270: _tests] Terminated From openssl at openssl.org Thu Feb 18 01:59:35 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 18 Feb 2021 01:59:35 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1613613575.793020.1033900.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3130, 903 wallclock secs (14.37 usr 1.38 sys + 808.66 cusr 90.92 csys = 915.33 CPU) Result: FAIL make[1]: *** [Makefile:3263: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3260: tests] Error 2 From openssl at openssl.org Thu Feb 18 07:50:55 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 18 Feb 2021 07:50:55 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1613634655.074400.1765476.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=231, Tests=3132, 991 wallclock secs (14.38 usr 1.42 sys + 896.28 cusr 91.84 csys = 1003.92 CPU) Result: FAIL make[1]: *** [Makefile:3200: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3197: tests] Error 2 From no-reply at appveyor.com Thu Feb 18 07:59:14 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 18 Feb 2021 07:59:14 +0000 Subject: Build failed: openssl master.39965 Message-ID: <20210218075914.1.5A19E4D0C4658660@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Thu Feb 18 09:32:49 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 18 Feb 2021 09:32:49 +0000 Subject: [openssl] master update Message-ID: <1613640769.861418.17300.nullmailer@dev.openssl.org> The branch master has been updated via e36b3c2f757cc7d68dc24174a00476104428b099 (commit) from adc11e1b9cf12df3c67de165a2b42ac72266cbca (commit) - Log ----------------------------------------------------------------- commit e36b3c2f757cc7d68dc24174a00476104428b099 Author: Shane Lontis Date: Wed Feb 17 17:54:29 2021 +1000 Fix external symbols in the provider cipher implementations. Partial fix for #12964 This add ossl_ names for the following symbols. chacha20_dinit, chacha20_einit, chacha20_initctx, ccm_cipher, ccm_dinit, ccm_einit, ccm_generic_auth_decrypt, ccm_generic_auth_encrypt, ccm_generic_gettag, ccm_generic_setaad, ccm_generic_setiv, ccm_get_ctx_params, ccm_initctx, ccm_set_ctx_params, ccm_stream_final, ccm_stream_update gcm_aad_update, gcm_cipher, gcm_cipher_final, gcm_cipher_update gcm_dinit, gcm_einit, gcm_get_ctx_params, gcm_initctx, gcm_one_shot gcm_set_ctx_params, gcm_setiv, gcm_stream_final, gcm_stream_update tdes_dinit, tdes_dupctx, tdes_einit, tdes_freectx tdes_get_ctx_params, tdes_gettable_ctx_params, tdes_newctx PROV_CIPHER_HW_des_*, padblock, unpadblock, tlsunpadblock, fillblock, trailingdata Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14209) ----------------------------------------------------------------------- Summary of changes: providers/implementations/ciphers/cipher_aes_ccm.c | 2 +- .../implementations/ciphers/cipher_aes_ccm_hw.c | 10 +++--- .../ciphers/cipher_aes_ccm_hw_aesni.inc | 10 +++--- .../ciphers/cipher_aes_ccm_hw_t4.inc | 10 +++--- providers/implementations/ciphers/cipher_aes_gcm.c | 4 +-- .../implementations/ciphers/cipher_aes_gcm_hw.c | 8 ++--- .../ciphers/cipher_aes_gcm_hw_aesni.inc | 8 ++--- .../ciphers/cipher_aes_gcm_hw_armv8.inc | 8 ++--- .../ciphers/cipher_aes_gcm_hw_t4.inc | 8 ++--- providers/implementations/ciphers/cipher_aes_ocb.c | 5 +-- .../implementations/ciphers/cipher_aria_ccm.c | 2 +- .../implementations/ciphers/cipher_aria_ccm_hw.c | 10 +++--- .../implementations/ciphers/cipher_aria_gcm.c | 4 +-- .../implementations/ciphers/cipher_aria_gcm_hw.c | 10 +++--- .../implementations/ciphers/cipher_chacha20.c | 16 +++++----- .../implementations/ciphers/cipher_chacha20.h | 6 ++-- .../ciphers/cipher_chacha20_poly1305.c | 2 +- .../ciphers/cipher_chacha20_poly1305_hw.c | 10 +++--- providers/implementations/ciphers/cipher_des.c | 2 +- providers/implementations/ciphers/cipher_des.h | 12 +++---- providers/implementations/ciphers/cipher_des_hw.c | 2 +- providers/implementations/ciphers/cipher_tdes.h | 34 ++++++++++---------- .../implementations/ciphers/cipher_tdes_common.c | 22 ++++++------- .../implementations/ciphers/cipher_tdes_wrap.c | 19 ++++++----- providers/implementations/ciphers/ciphercommon.c | 17 ++++++---- .../implementations/ciphers/ciphercommon_block.c | 23 ++++++++------ .../implementations/ciphers/ciphercommon_ccm.c | 29 ++++++++--------- .../implementations/ciphers/ciphercommon_ccm_hw.c | 22 ++++++------- .../implementations/ciphers/ciphercommon_gcm.c | 31 +++++++++--------- .../implementations/ciphers/ciphercommon_gcm_hw.c | 17 +++++----- .../implementations/ciphers/ciphercommon_local.h | 10 +++--- .../implementations/include/prov/ciphercommon.h | 11 ++++--- .../include/prov/ciphercommon_aead.h | 16 +++++----- .../include/prov/ciphercommon_ccm.h | 37 +++++++++++----------- .../include/prov/ciphercommon_gcm.h | 36 ++++++++++----------- 35 files changed, 244 insertions(+), 229 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c index 5913b2ce0c..8da044bd95 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm.c +++ b/providers/implementations/ciphers/cipher_aes_ccm.c @@ -29,7 +29,7 @@ static void *aes_ccm_newctx(void *provctx, size_t keybits) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) - ccm_initctx(&ctx->base, keybits, ossl_prov_aes_hw_ccm(keybits)); + ossl_ccm_initctx(&ctx->base, keybits, ossl_prov_aes_hw_ccm(keybits)); return ctx; } diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw.c b/providers/implementations/ciphers/cipher_aes_ccm_hw.c index db50187ea9..c9a7d18d7a 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm_hw.c +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw.c @@ -48,11 +48,11 @@ static int ccm_generic_aes_initkey(PROV_CCM_CTX *ctx, const unsigned char *key, static const PROV_CCM_HW aes_ccm = { ccm_generic_aes_initkey, - ccm_generic_setiv, - ccm_generic_setaad, - ccm_generic_auth_encrypt, - ccm_generic_auth_decrypt, - ccm_generic_gettag + ossl_ccm_generic_setiv, + ossl_ccm_generic_setaad, + ossl_ccm_generic_auth_encrypt, + ossl_ccm_generic_auth_decrypt, + ossl_ccm_generic_gettag }; #if defined(S390X_aes_128_CAPABLE) diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc b/providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc index 1860f3f701..4772a42f21 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc @@ -25,11 +25,11 @@ static int ccm_aesni_initkey(PROV_CCM_CTX *ctx, const unsigned char *key, static const PROV_CCM_HW aesni_ccm = { ccm_aesni_initkey, - ccm_generic_setiv, - ccm_generic_setaad, - ccm_generic_auth_encrypt, - ccm_generic_auth_decrypt, - ccm_generic_gettag + ossl_ccm_generic_setiv, + ossl_ccm_generic_setaad, + ossl_ccm_generic_auth_encrypt, + ossl_ccm_generic_auth_decrypt, + ossl_ccm_generic_gettag }; const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits) diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw_t4.inc b/providers/implementations/ciphers/cipher_aes_ccm_hw_t4.inc index f659ab9b2d..e783b008cf 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm_hw_t4.inc +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw_t4.inc @@ -23,11 +23,11 @@ static int ccm_t4_aes_initkey(PROV_CCM_CTX *ctx, const unsigned char *key, static const PROV_CCM_HW t4_aes_ccm = { ccm_t4_aes_initkey, - ccm_generic_setiv, - ccm_generic_setaad, - ccm_generic_auth_encrypt, - ccm_generic_auth_decrypt, - ccm_generic_gettag + ossl_ccm_generic_setiv, + ossl_ccm_generic_setaad, + ossl_ccm_generic_auth_encrypt, + ossl_ccm_generic_auth_decrypt, + ossl_ccm_generic_gettag }; const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits) diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index 6e97b1f9d9..f9463ea7df 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -32,8 +32,8 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) - gcm_initctx(provctx, &ctx->base, keybits, ossl_prov_aes_hw_gcm(keybits), - AES_GCM_IV_MIN_SIZE); + ossl_gcm_initctx(provctx, &ctx->base, keybits, + ossl_prov_aes_hw_gcm(keybits), AES_GCM_IV_MIN_SIZE); return ctx; } diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c index f29a280643..b322a29196 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c @@ -126,11 +126,11 @@ static int generic_aes_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char static const PROV_GCM_HW aes_gcm = { aes_gcm_initkey, - gcm_setiv, - gcm_aad_update, + ossl_gcm_setiv, + ossl_gcm_aad_update, generic_aes_gcm_cipher_update, - gcm_cipher_final, - gcm_one_shot + ossl_gcm_cipher_final, + ossl_gcm_one_shot }; #if defined(S390X_aes_128_CAPABLE) diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc index c25bd617c2..e17ff8cf94 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc @@ -24,11 +24,11 @@ static int aesni_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, static const PROV_GCM_HW aesni_gcm = { aesni_gcm_initkey, - gcm_setiv, - gcm_aad_update, + ossl_gcm_setiv, + ossl_gcm_aad_update, generic_aes_gcm_cipher_update, - gcm_cipher_final, - gcm_one_shot + ossl_gcm_cipher_final, + ossl_gcm_one_shot }; const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc index 5c84bf31fd..572f8412bf 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc @@ -70,11 +70,11 @@ static int armv8_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, static const PROV_GCM_HW armv8_aes_gcm = { armv8_aes_gcm_initkey, - gcm_setiv, - gcm_aad_update, + ossl_gcm_setiv, + ossl_gcm_aad_update, generic_aes_gcm_cipher_update, - gcm_cipher_final, - gcm_one_shot + ossl_gcm_cipher_final, + ossl_gcm_one_shot }; const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_t4.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_t4.inc index 1ad3ea465d..8ccc802814 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_hw_t4.inc +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_t4.inc @@ -40,11 +40,11 @@ static int t4_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, static const PROV_GCM_HW t4_aes_gcm = { t4_aes_gcm_initkey, - gcm_setiv, - gcm_aad_update, + ossl_gcm_setiv, + ossl_gcm_aad_update, generic_aes_gcm_cipher_update, - gcm_cipher_final, - gcm_one_shot + ossl_gcm_cipher_final, + ossl_gcm_one_shot }; const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) { diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index faa6cb470c..69ee9f2cc5 100644 --- a/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/providers/implementations/ciphers/cipher_aes_ocb.c @@ -162,7 +162,7 @@ static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx, size_t outlint = 0; if (*bufsz != 0) - nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl); + nextblocks = ossl_cipher_fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl); else nextblocks = inl & ~(AES_BLOCK_SIZE-1); @@ -193,7 +193,8 @@ static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx, in += nextblocks; inl -= nextblocks; } - if (inl != 0 && !trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) { + if (inl != 0 + && !ossl_cipher_trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) { /* PROVerr already called */ return 0; } diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c index a19ad65b62..9952078c91 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.c +++ b/providers/implementations/ciphers/cipher_aria_ccm.c @@ -24,7 +24,7 @@ static void *aria_ccm_newctx(void *provctx, size_t keybits) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) - ccm_initctx(&ctx->base, keybits, ossl_prov_aria_hw_ccm(keybits)); + ossl_ccm_initctx(&ctx->base, keybits, ossl_prov_aria_hw_ccm(keybits)); return ctx; } diff --git a/providers/implementations/ciphers/cipher_aria_ccm_hw.c b/providers/implementations/ciphers/cipher_aria_ccm_hw.c index ec39f5702f..6d5a435a62 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm_hw.c +++ b/providers/implementations/ciphers/cipher_aria_ccm_hw.c @@ -28,11 +28,11 @@ static int ccm_aria_initkey(PROV_CCM_CTX *ctx, static const PROV_CCM_HW ccm_aria = { ccm_aria_initkey, - ccm_generic_setiv, - ccm_generic_setaad, - ccm_generic_auth_encrypt, - ccm_generic_auth_decrypt, - ccm_generic_gettag + ossl_ccm_generic_setiv, + ossl_ccm_generic_setaad, + ossl_ccm_generic_auth_encrypt, + ossl_ccm_generic_auth_decrypt, + ossl_ccm_generic_gettag }; const PROV_CCM_HW *ossl_prov_aria_hw_ccm(size_t keybits) { diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index ad667ae27a..974d70b844 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -24,8 +24,8 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) - gcm_initctx(provctx, &ctx->base, keybits, - ossl_prov_aria_hw_gcm(keybits), ARIA_GCM_IV_MIN_SIZE); + ossl_gcm_initctx(provctx, &ctx->base, keybits, + ossl_prov_aria_hw_gcm(keybits), ARIA_GCM_IV_MIN_SIZE); return ctx; } diff --git a/providers/implementations/ciphers/cipher_aria_gcm_hw.c b/providers/implementations/ciphers/cipher_aria_gcm_hw.c index 54c635e4bf..3f9832dea0 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm_hw.c +++ b/providers/implementations/ciphers/cipher_aria_gcm_hw.c @@ -25,11 +25,11 @@ static int aria_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, static const PROV_GCM_HW aria_gcm = { aria_gcm_initkey, - gcm_setiv, - gcm_aad_update, - gcm_cipher_update, - gcm_cipher_final, - gcm_one_shot + ossl_gcm_setiv, + ossl_gcm_aad_update, + ossl_gcm_cipher_update, + ossl_gcm_cipher_final, + ossl_gcm_one_shot }; const PROV_GCM_HW *ossl_prov_aria_hw_gcm(size_t keybits) { diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index c4042c1b39..6b1fdb2bd5 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -31,7 +31,7 @@ static OSSL_FUNC_cipher_settable_ctx_params_fn chacha20_settable_ctx_params; #define chacha20_final ossl_cipher_generic_stream_final #define chacha20_gettable_params ossl_cipher_generic_gettable_params -void chacha20_initctx(PROV_CHACHA20_CTX *ctx) +void ossl_chacha20_initctx(PROV_CHACHA20_CTX *ctx) { ossl_cipher_generic_initkey(ctx, CHACHA20_KEYLEN * 8, CHACHA20_BLKLEN * 8, @@ -50,7 +50,7 @@ static void *chacha20_newctx(void *provctx) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) - chacha20_initctx(ctx); + ossl_chacha20_initctx(ctx); return ctx; } @@ -140,8 +140,8 @@ const OSSL_PARAM *chacha20_settable_ctx_params(ossl_unused void *provctx) return chacha20_known_settable_ctx_params; } -int chacha20_einit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_chacha20_einit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { int ret; @@ -156,8 +156,8 @@ int chacha20_einit(void *vctx, const unsigned char *key, size_t keylen, return ret; } -int chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { int ret; @@ -176,8 +176,8 @@ int chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen, const OSSL_DISPATCH ossl_chacha20_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_freectx }, - { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))chacha20_einit }, - { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))chacha20_dinit }, + { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_chacha20_einit }, + { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_chacha20_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_update }, { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))chacha20_final }, { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))chacha20_cipher}, diff --git a/providers/implementations/ciphers/cipher_chacha20.h b/providers/implementations/ciphers/cipher_chacha20.h index c494de7d85..c986838d93 100644 --- a/providers/implementations/ciphers/cipher_chacha20.h +++ b/providers/implementations/ciphers/cipher_chacha20.h @@ -29,6 +29,6 @@ typedef struct prov_cipher_hw_chacha20_st { const PROV_CIPHER_HW *ossl_prov_cipher_hw_chacha20(size_t keybits); -OSSL_FUNC_cipher_encrypt_init_fn chacha20_einit; -OSSL_FUNC_cipher_decrypt_init_fn chacha20_dinit; -void chacha20_initctx(PROV_CHACHA20_CTX *ctx); +OSSL_FUNC_cipher_encrypt_init_fn ossl_chacha20_einit; +OSSL_FUNC_cipher_decrypt_init_fn ossl_chacha20_dinit; +void ossl_chacha20_initctx(PROV_CHACHA20_CTX *ctx); diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index b328cdb993..46c20fd7c5 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -55,7 +55,7 @@ static void *chacha20_poly1305_newctx(void *provctx) NULL); ctx->nonce_len = CHACHA20_POLY1305_IVLEN; ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH; - chacha20_initctx(&ctx->chacha); + ossl_chacha20_initctx(&ctx->chacha); } return ctx; } diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c index b60669de97..4e4165868e 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c @@ -68,9 +68,9 @@ static int chacha20_poly1305_initkey(PROV_CIPHER_CTX *bctx, ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH; if (bctx->enc) - return chacha20_einit(&ctx->chacha, key, keylen, NULL, 0); + return ossl_chacha20_einit(&ctx->chacha, key, keylen, NULL, 0); else - return chacha20_dinit(&ctx->chacha, key, keylen, NULL, 0); + return ossl_chacha20_dinit(&ctx->chacha, key, keylen, NULL, 0); } static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx) @@ -91,9 +91,11 @@ static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx) ctx->nonce_len); if (bctx->enc) - ret = chacha20_einit(&ctx->chacha, NULL, 0, tempiv, sizeof(tempiv)); + ret = ossl_chacha20_einit(&ctx->chacha, NULL, 0, + tempiv, sizeof(tempiv)); else - ret = chacha20_dinit(&ctx->chacha, NULL, 0, tempiv, sizeof(tempiv)); + ret = ossl_chacha20_dinit(&ctx->chacha, NULL, 0, + tempiv, sizeof(tempiv)); ctx->nonce[0] = ctx->chacha.counter[1]; ctx->nonce[1] = ctx->chacha.counter[2]; ctx->nonce[2] = ctx->chacha.counter[3]; diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c index 11688080ce..179ebd00ad 100644 --- a/providers/implementations/ciphers/cipher_des.c +++ b/providers/implementations/ciphers/cipher_des.c @@ -148,7 +148,7 @@ static void *des_##lcmode##_newctx(void *provctx) \ { \ return des_newctx(provctx, kbits, blkbits, ivbits, \ EVP_CIPH_##UCMODE##_MODE, flags, \ - PROV_CIPHER_HW_des_##lcmode()); \ + ossl_prov_cipher_hw_des_##lcmode()); \ } \ static OSSL_FUNC_cipher_get_params_fn des_##lcmode##_get_params; \ static int des_##lcmode##_get_params(OSSL_PARAM params[]) \ diff --git a/providers/implementations/ciphers/cipher_des.h b/providers/implementations/ciphers/cipher_des.h index 78ca686bad..f7a1f6d6cc 100644 --- a/providers/implementations/ciphers/cipher_des.h +++ b/providers/implementations/ciphers/cipher_des.h @@ -25,9 +25,9 @@ typedef struct prov_des_ctx_st { } PROV_DES_CTX; -const PROV_CIPHER_HW *PROV_CIPHER_HW_des_cbc(void); -const PROV_CIPHER_HW *PROV_CIPHER_HW_des_ecb(void); -const PROV_CIPHER_HW *PROV_CIPHER_HW_des_ofb64(void); -const PROV_CIPHER_HW *PROV_CIPHER_HW_des_cfb64(void); -const PROV_CIPHER_HW *PROV_CIPHER_HW_des_cfb1(void); -const PROV_CIPHER_HW *PROV_CIPHER_HW_des_cfb8(void); +const PROV_CIPHER_HW *ossl_prov_cipher_hw_des_cbc(void); +const PROV_CIPHER_HW *ossl_prov_cipher_hw_des_ecb(void); +const PROV_CIPHER_HW *ossl_prov_cipher_hw_des_ofb64(void); +const PROV_CIPHER_HW *ossl_prov_cipher_hw_des_cfb64(void); +const PROV_CIPHER_HW *ossl_prov_cipher_hw_des_cfb1(void); +const PROV_CIPHER_HW *ossl_prov_cipher_hw_des_cfb8(void); diff --git a/providers/implementations/ciphers/cipher_des_hw.c b/providers/implementations/ciphers/cipher_des_hw.c index f52bade45e..4ae15c3826 100644 --- a/providers/implementations/ciphers/cipher_des_hw.c +++ b/providers/implementations/ciphers/cipher_des_hw.c @@ -183,7 +183,7 @@ static const PROV_CIPHER_HW des_##mode = { \ cipher_hw_des_##mode##_cipher, \ cipher_hw_des_copyctx \ }; \ -const PROV_CIPHER_HW *PROV_CIPHER_HW_des_##mode(void) \ +const PROV_CIPHER_HW *ossl_prov_cipher_hw_des_##mode(void) \ { \ return &des_##mode; \ } diff --git a/providers/implementations/ciphers/cipher_tdes.h b/providers/implementations/ciphers/cipher_tdes.h index 9bef908cc3..3c9147d45d 100644 --- a/providers/implementations/ciphers/cipher_tdes.h +++ b/providers/implementations/ciphers/cipher_tdes.h @@ -33,7 +33,7 @@ typedef struct prov_tdes_ctx_st { static OSSL_FUNC_cipher_newctx_fn tdes_##type##_##lcmode##_newctx; \ static void *tdes_##type##_##lcmode##_newctx(void *provctx) \ { \ - return tdes_newctx(provctx, EVP_CIPH_##UCMODE##_MODE, kbits, blkbits, \ + return ossl_tdes_newctx(provctx, EVP_CIPH_##UCMODE##_MODE, kbits, blkbits, \ ivbits, flags, \ ossl_prov_cipher_hw_tdes_##type##_##lcmode()); \ } \ @@ -44,23 +44,25 @@ static int tdes_##type##_##lcmode##_get_params(OSSL_PARAM params[]) \ flags, kbits, blkbits, ivbits); \ } \ const OSSL_DISPATCH ossl_tdes_##type##_##lcmode##_functions[] = { \ - { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))tdes_einit }, \ - { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))tdes_dinit }, \ + { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_tdes_einit }, \ + { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_tdes_dinit }, \ { OSSL_FUNC_CIPHER_UPDATE, \ (void (*)(void))ossl_cipher_generic_##block##_update }, \ - { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))ossl_cipher_generic_##block##_final },\ + { OSSL_FUNC_CIPHER_FINAL, \ + (void (*)(void))ossl_cipher_generic_##block##_final }, \ { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher }, \ { OSSL_FUNC_CIPHER_NEWCTX, \ (void (*)(void))tdes_##type##_##lcmode##_newctx }, \ - { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))tdes_dupctx }, \ - { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))tdes_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))ossl_tdes_dupctx }, \ + { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))ossl_tdes_freectx }, \ { OSSL_FUNC_CIPHER_GET_PARAMS, \ (void (*)(void))tdes_##type##_##lcmode##_get_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ (void (*)(void))ossl_cipher_generic_gettable_params }, \ - { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, (void (*)(void))tdes_get_ctx_params }, \ + { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ + (void (*)(void))ossl_tdes_get_ctx_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ - (void (*)(void))tdes_gettable_ctx_params }, \ + (void (*)(void))ossl_tdes_gettable_ctx_params }, \ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ (void (*)(void))ossl_cipher_generic_set_ctx_params }, \ { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ @@ -68,14 +70,14 @@ const OSSL_DISPATCH ossl_tdes_##type##_##lcmode##_functions[] = { \ { 0, NULL } \ } -void *tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits, - size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw); -OSSL_FUNC_cipher_dupctx_fn tdes_dupctx; -OSSL_FUNC_cipher_freectx_fn tdes_freectx; -OSSL_FUNC_cipher_encrypt_init_fn tdes_einit; -OSSL_FUNC_cipher_decrypt_init_fn tdes_dinit; -OSSL_FUNC_cipher_get_ctx_params_fn tdes_get_ctx_params; -OSSL_FUNC_cipher_gettable_ctx_params_fn tdes_gettable_ctx_params; +void *ossl_tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits, + size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw); +OSSL_FUNC_cipher_dupctx_fn ossl_tdes_dupctx; +OSSL_FUNC_cipher_freectx_fn ossl_tdes_freectx; +OSSL_FUNC_cipher_encrypt_init_fn ossl_tdes_einit; +OSSL_FUNC_cipher_decrypt_init_fn ossl_tdes_dinit; +OSSL_FUNC_cipher_get_ctx_params_fn ossl_tdes_get_ctx_params; +OSSL_FUNC_cipher_gettable_ctx_params_fn ossl_tdes_gettable_ctx_params; #define PROV_CIPHER_HW_tdes_mode(type, mode) \ static const PROV_CIPHER_HW type##_##mode = { \ diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c index 59c8a976cc..417bac13b2 100644 --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c @@ -20,8 +20,8 @@ #include "prov/implementations.h" #include "prov/providercommon.h" -void *tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits, - size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw) +void *ossl_tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits, + size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw) { PROV_TDES_CTX *tctx; @@ -35,7 +35,7 @@ void *tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits, return tctx; } -void *tdes_dupctx(void *ctx) +void *ossl_tdes_dupctx(void *ctx) { PROV_TDES_CTX *in = (PROV_TDES_CTX *)ctx; PROV_TDES_CTX *ret; @@ -53,7 +53,7 @@ void *tdes_dupctx(void *ctx) return ret; } -void tdes_freectx(void *vctx) +void ossl_tdes_freectx(void *vctx) { PROV_TDES_CTX *ctx = (PROV_TDES_CTX *)vctx; @@ -88,21 +88,21 @@ static int tdes_init(void *vctx, const unsigned char *key, size_t keylen, return 1; } -int tdes_einit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_tdes_einit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { return tdes_init(vctx, key, keylen, iv, ivlen, 1); } -int tdes_dinit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_tdes_dinit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { return tdes_init(vctx, key, keylen, iv, ivlen, 0); } -CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(tdes) +CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_tdes) OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY, NULL, 0), -CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(tdes) +CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_tdes) static int tdes_generatekey(PROV_CIPHER_CTX *ctx, void *ptr) { @@ -122,7 +122,7 @@ static int tdes_generatekey(PROV_CIPHER_CTX *ctx, void *ptr) return 0; } -int tdes_get_ctx_params(void *vctx, OSSL_PARAM params[]) +int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[]) { PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; OSSL_PARAM *p; diff --git a/providers/implementations/ciphers/cipher_tdes_wrap.c b/providers/implementations/ciphers/cipher_tdes_wrap.c index d42bf78d8e..c0828a0c2c 100644 --- a/providers/implementations/ciphers/cipher_tdes_wrap.c +++ b/providers/implementations/ciphers/cipher_tdes_wrap.c @@ -172,8 +172,9 @@ static int tdes_wrap_update(void *vctx, unsigned char *out, size_t *outl, static OSSL_FUNC_cipher_newctx_fn tdes_wrap_newctx; \ static void *tdes_wrap_newctx(void *provctx) \ { \ - return tdes_newctx(provctx, EVP_CIPH_WRAP_MODE, kbits, blkbits, ivbits, \ - flags, ossl_prov_cipher_hw_tdes_wrap_cbc()); \ + return ossl_tdes_newctx(provctx, EVP_CIPH_WRAP_MODE, kbits, blkbits, \ + ivbits, flags, \ + ossl_prov_cipher_hw_tdes_wrap_cbc()); \ } \ static OSSL_FUNC_cipher_get_params_fn tdes_wrap_get_params; \ static int tdes_wrap_get_params(OSSL_PARAM params[]) \ @@ -183,19 +184,21 @@ static int tdes_wrap_get_params(OSSL_PARAM params[]) \ } \ const OSSL_DISPATCH ossl_tdes_wrap_cbc_functions[] = \ { \ - { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) tdes_einit }, \ - { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) tdes_dinit }, \ + { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) ossl_tdes_einit }, \ + { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) ossl_tdes_dinit }, \ { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))tdes_wrap_cipher }, \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))tdes_wrap_newctx }, \ - { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))tdes_freectx }, \ + { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))ossl_tdes_freectx }, \ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))tdes_wrap_update }, \ - { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))ossl_cipher_generic_stream_final },\ + { OSSL_FUNC_CIPHER_FINAL, \ + (void (*)(void))ossl_cipher_generic_stream_final }, \ { OSSL_FUNC_CIPHER_GET_PARAMS, (void (*)(void))tdes_wrap_get_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ (void (*)(void))ossl_cipher_generic_gettable_params }, \ - { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, (void (*)(void))tdes_get_ctx_params }, \ + { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ + (void (*)(void))ossl_tdes_get_ctx_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ - (void (*)(void))tdes_gettable_ctx_params }, \ + (void (*)(void))ossl_tdes_gettable_ctx_params }, \ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ (void (*)(void))ossl_cipher_generic_set_ctx_params }, \ { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index 9f6c82bddd..b32f564bf7 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -296,9 +296,10 @@ int ossl_cipher_generic_block_update(void *vctx, unsigned char *out, /* This only fails if padding is publicly invalid */ *outl = inl; if (!ctx->enc - && !tlsunpadblock(ctx->libctx, ctx->tlsversion, out, outl, - blksz, &ctx->tlsmac, &ctx->alloced, - ctx->tlsmacsize, 0)) { + && !ossl_cipher_tlsunpadblock(ctx->libctx, ctx->tlsversion, + out, outl, + blksz, &ctx->tlsmac, &ctx->alloced, + ctx->tlsmacsize, 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); return 0; } @@ -306,7 +307,8 @@ int ossl_cipher_generic_block_update(void *vctx, unsigned char *out, } if (ctx->bufsz != 0) - nextblocks = fillblock(ctx->buf, &ctx->bufsz, blksz, &in, &inl); + nextblocks = ossl_cipher_fillblock(ctx->buf, &ctx->bufsz, blksz, + &in, &inl); else nextblocks = inl & ~(blksz-1); @@ -350,7 +352,8 @@ int ossl_cipher_generic_block_update(void *vctx, unsigned char *out, in += nextblocks; inl -= nextblocks; } - if (inl != 0 && !trailingdata(ctx->buf, &ctx->bufsz, blksz, &in, &inl)) { + if (inl != 0 + && !ossl_cipher_trailingdata(ctx->buf, &ctx->bufsz, blksz, &in, &inl)) { /* ERR_raise already called */ return 0; } @@ -376,7 +379,7 @@ int ossl_cipher_generic_block_final(void *vctx, unsigned char *out, if (ctx->enc) { if (ctx->pad) { - padblock(ctx->buf, &ctx->bufsz, blksz); + ossl_cipher_padblock(ctx->buf, &ctx->bufsz, blksz); } else if (ctx->bufsz == 0) { *outl = 0; return 1; @@ -413,7 +416,7 @@ int ossl_cipher_generic_block_final(void *vctx, unsigned char *out, return 0; } - if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, blksz)) { + if (ctx->pad && !ossl_cipher_unpadblock(ctx->buf, &ctx->bufsz, blksz)) { /* ERR_raise already called */ return 0; } diff --git a/providers/implementations/ciphers/ciphercommon_block.c b/providers/implementations/ciphers/ciphercommon_block.c index de375a6327..abc3c8517d 100644 --- a/providers/implementations/ciphers/ciphercommon_block.c +++ b/providers/implementations/ciphers/ciphercommon_block.c @@ -53,8 +53,9 @@ int tls1_cbc_remove_padding_and_mac(size_t *reclen, * the remaining amount of data in *in. Returns the largest value <= *inlen * which is a multiple of the blocksize. */ -size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize, - const unsigned char **in, size_t *inlen) +size_t ossl_cipher_fillblock(unsigned char *buf, size_t *buflen, + size_t blocksize, + const unsigned char **in, size_t *inlen) { size_t blockmask = ~(blocksize - 1); size_t bufremain = blocksize - *buflen; @@ -76,8 +77,8 @@ size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize, * Fills the buffer with trailing data from an encryption/decryption that didn't * fit into a full block. */ -int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize, - const unsigned char **in, size_t *inlen) +int ossl_cipher_trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize, + const unsigned char **in, size_t *inlen) { if (*inlen == 0) return 1; @@ -95,7 +96,7 @@ int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize, } /* Pad the final block for encryption */ -void padblock(unsigned char *buf, size_t *buflen, size_t blocksize) +void ossl_cipher_padblock(unsigned char *buf, size_t *buflen, size_t blocksize) { size_t i; unsigned char pad = (unsigned char)(blocksize - *buflen); @@ -104,7 +105,7 @@ void padblock(unsigned char *buf, size_t *buflen, size_t blocksize) buf[i] = pad; } -int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize) +int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize) { size_t pad, i; size_t len = *buflen; @@ -134,7 +135,7 @@ int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize) } /*- - * tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC + * ossl_cipher_tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC * record in constant time. Also removes the MAC from the record in constant * time. * @@ -154,9 +155,11 @@ int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize) * 1: (in constant time) Record is publicly valid. If padding is invalid then * the mac is random */ -int tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion, - unsigned char *buf, size_t *buflen, size_t blocksize, - unsigned char **mac, int *alloced, size_t macsize, int aead) +int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion, + unsigned char *buf, size_t *buflen, + size_t blocksize, + unsigned char **mac, int *alloced, size_t macsize, + int aead) { int ret; diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c index a780e7aed3..d14a7eb5e6 100644 --- a/providers/implementations/ciphers/ciphercommon_ccm.c +++ b/providers/implementations/ciphers/ciphercommon_ccm.c @@ -65,7 +65,7 @@ static size_t ccm_get_ivlen(PROV_CCM_CTX *ctx) return 15 - ctx->l; } -int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +int ossl_ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx; const OSSL_PARAM *p; @@ -138,7 +138,7 @@ int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) +int ossl_ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) { PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx; OSSL_PARAM *p; @@ -244,21 +244,21 @@ static int ccm_init(void *vctx, const unsigned char *key, size_t keylen, return 1; } -int ccm_einit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_ccm_einit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { return ccm_init(vctx, key, keylen, iv, ivlen, 1); } -int ccm_dinit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_ccm_dinit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { return ccm_init(vctx, key, keylen, iv, ivlen, 0); } -int ccm_stream_update(void *vctx, unsigned char *out, size_t *outl, - size_t outsize, const unsigned char *in, - size_t inl) +int ossl_ccm_stream_update(void *vctx, unsigned char *out, size_t *outl, + size_t outsize, const unsigned char *in, + size_t inl) { PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx; @@ -274,8 +274,8 @@ int ccm_stream_update(void *vctx, unsigned char *out, size_t *outl, return 1; } -int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl, - size_t outsize) +int ossl_ccm_stream_final(void *vctx, unsigned char *out, size_t *outl, + size_t outsize) { PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx; int i; @@ -291,8 +291,8 @@ int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl, return 1; } -int ccm_cipher(void *vctx, unsigned char *out, size_t *outl, size_t outsize, - const unsigned char *in, size_t inl) +int ossl_ccm_cipher(void *vctx, unsigned char *out, size_t *outl, size_t outsize, + const unsigned char *in, size_t inl) { PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx; @@ -432,7 +432,7 @@ err: return rv; } -void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw) +void ossl_ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw) { ctx->keylen = keybits / 8; ctx->key_set = 0; @@ -444,4 +444,3 @@ void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw) ctx->tls_aad_len = UNINITIALISED_SIZET; ctx->hw = hw; } - diff --git a/providers/implementations/ciphers/ciphercommon_ccm_hw.c b/providers/implementations/ciphers/ciphercommon_ccm_hw.c index 96cc744f87..f16ca76f10 100644 --- a/providers/implementations/ciphers/ciphercommon_ccm_hw.c +++ b/providers/implementations/ciphers/ciphercommon_ccm_hw.c @@ -10,26 +10,27 @@ #include "prov/ciphercommon.h" #include "prov/ciphercommon_ccm.h" -int ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce, - size_t nlen, size_t mlen) +int ossl_ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce, + size_t nlen, size_t mlen) { return CRYPTO_ccm128_setiv(&ctx->ccm_ctx, nonce, nlen, mlen) == 0; } -int ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad, size_t alen) +int ossl_ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad, + size_t alen) { CRYPTO_ccm128_aad(&ctx->ccm_ctx, aad, alen); return 1; } -int ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag, size_t tlen) +int ossl_ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag, size_t tlen) { return CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, tlen) > 0; } -int ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len, - unsigned char *tag, size_t taglen) +int ossl_ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len, + unsigned char *tag, size_t taglen) { int rv; @@ -44,9 +45,9 @@ int ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in, return rv; } -int ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len, - unsigned char *expected_tag, size_t taglen) +int ossl_ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len, + unsigned char *expected_tag, size_t taglen) { int rv = 0; @@ -66,4 +67,3 @@ int ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in, OPENSSL_cleanse(out, len); return rv; } - diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c index 02a496d1dd..c7b91e7bfa 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm.c +++ b/providers/implementations/ciphers/ciphercommon_gcm.c @@ -25,8 +25,8 @@ static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen, const unsigned char *in, size_t len); -void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, - const PROV_GCM_HW *hw, size_t ivlen_min) +void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, + const PROV_GCM_HW *hw, size_t ivlen_min) { ctx->pad = 1; ctx->mode = EVP_CIPH_GCM_MODE; @@ -69,14 +69,14 @@ static int gcm_init(void *vctx, const unsigned char *key, size_t keylen, return 1; } -int gcm_einit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { return gcm_init(vctx, key, keylen, iv, ivlen, 1); } -int gcm_dinit(void *vctx, const unsigned char *key, size_t keylen, - const unsigned char *iv, size_t ivlen) +int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen) { return gcm_init(vctx, key, keylen, iv, ivlen, 0); } @@ -129,7 +129,7 @@ static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl) return 1; } -int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) +int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) { PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; OSSL_PARAM *p; @@ -216,7 +216,7 @@ int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) return 1; } -int gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; const OSSL_PARAM *p; @@ -287,8 +287,8 @@ int gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -int gcm_stream_update(void *vctx, unsigned char *out, size_t *outl, - size_t outsize, const unsigned char *in, size_t inl) +int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl, + size_t outsize, const unsigned char *in, size_t inl) { PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; @@ -309,8 +309,8 @@ int gcm_stream_update(void *vctx, unsigned char *out, size_t *outl, return 1; } -int gcm_stream_final(void *vctx, unsigned char *out, size_t *outl, - size_t outsize) +int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl, + size_t outsize) { PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; int i; @@ -326,9 +326,9 @@ int gcm_stream_final(void *vctx, unsigned char *out, size_t *outl, return 1; } -int gcm_cipher(void *vctx, - unsigned char *out, size_t *outl, size_t outsize, - const unsigned char *in, size_t inl) +int ossl_gcm_cipher(void *vctx, + unsigned char *out, size_t *outl, size_t outsize, + const unsigned char *in, size_t inl) { PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; @@ -553,4 +553,3 @@ err: *padlen = plen; return rv; } - diff --git a/providers/implementations/ciphers/ciphercommon_gcm_hw.c b/providers/implementations/ciphers/ciphercommon_gcm_hw.c index db50b8d724..3c68f3c779 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm_hw.c +++ b/providers/implementations/ciphers/ciphercommon_gcm_hw.c @@ -11,19 +11,20 @@ #include "prov/ciphercommon_gcm.h" -int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen) +int ossl_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen) { CRYPTO_gcm128_setiv(&ctx->gcm, iv, ivlen); return 1; } -int gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad, size_t aad_len) +int ossl_gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad, + size_t aad_len) { return CRYPTO_gcm128_aad(&ctx->gcm, aad, aad_len) == 0; } -int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, - size_t len, unsigned char *out) +int ossl_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, + size_t len, unsigned char *out) { if (ctx->enc) { if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len)) @@ -35,7 +36,7 @@ int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, return 1; } -int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag) +int ossl_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag) { if (ctx->enc) { CRYPTO_gcm128_tag(&ctx->gcm, tag, GCM_TAG_MAX_SIZE); @@ -47,9 +48,9 @@ int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag) return 1; } -int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len, - const unsigned char *in, size_t in_len, - unsigned char *out, unsigned char *tag, size_t tag_len) +int ossl_gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len, + const unsigned char *in, size_t in_len, + unsigned char *out, unsigned char *tag, size_t tag_len) { int ret = 0; diff --git a/providers/implementations/ciphers/ciphercommon_local.h b/providers/implementations/ciphers/ciphercommon_local.h index b84785b731..6cc57934c5 100644 --- a/providers/implementations/ciphers/ciphercommon_local.h +++ b/providers/implementations/ciphers/ciphercommon_local.h @@ -9,8 +9,8 @@ #include "prov/ciphercommon.h" -void padblock(unsigned char *buf, size_t *buflen, size_t blocksize); -int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize); -int tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion, - unsigned char *buf, size_t *buflen, size_t blocksize, - unsigned char **mac, int *alloced, size_t macsize, int aead); +void ossl_cipher_padblock(unsigned char *buf, size_t *buflen, size_t blocksize); +int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize); +int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion, + unsigned char *buf, size_t *buflen, size_t blocksize, + unsigned char **mac, int *alloced, size_t macsize, int aead); diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h index ee35400936..c0d7a04b24 100644 --- a/providers/implementations/include/prov/ciphercommon.h +++ b/providers/implementations/include/prov/ciphercommon.h @@ -353,8 +353,9 @@ const OSSL_PARAM * name##_settable_ctx_params(ossl_unused void *provctx) \ int ossl_cipher_generic_initiv(PROV_CIPHER_CTX *ctx, const unsigned char *iv, size_t ivlen); -size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize, - const unsigned char **in, size_t *inlen); -int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize, - const unsigned char **in, size_t *inlen); - +size_t ossl_cipher_fillblock(unsigned char *buf, size_t *buflen, + size_t blocksize, + const unsigned char **in, size_t *inlen); +int ossl_cipher_trailingdata(unsigned char *buf, size_t *buflen, + size_t blocksize, + const unsigned char **in, size_t *inlen); diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h index 63fdb54151..d2f4d78039 100644 --- a/providers/implementations/include/prov/ciphercommon_aead.h +++ b/providers/implementations/include/prov/ciphercommon_aead.h @@ -16,7 +16,7 @@ static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lc##_get_params; \ static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[]) \ { \ return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ - flags, kbits, blkbits, ivbits); \ + flags, kbits, blkbits, ivbits); \ } \ static OSSL_FUNC_cipher_newctx_fn alg##kbits##lc##_newctx; \ static void * alg##kbits##lc##_newctx(void *provctx) \ @@ -26,17 +26,17 @@ static void * alg##kbits##lc##_newctx(void *provctx) \ const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = { \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx }, \ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx }, \ - { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) lc##_einit }, \ - { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) lc##_dinit }, \ - { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void)) lc##_stream_update }, \ - { OSSL_FUNC_CIPHER_FINAL, (void (*)(void)) lc##_stream_final }, \ - { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void)) lc##_cipher }, \ + { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_##lc##_einit }, \ + { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_##lc##_dinit }, \ + { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_##lc##_stream_update }, \ + { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))ossl_##lc##_stream_final }, \ + { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_##lc##_cipher }, \ { OSSL_FUNC_CIPHER_GET_PARAMS, \ (void (*)(void)) alg##_##kbits##_##lc##_get_params }, \ { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ - (void (*)(void)) lc##_get_ctx_params }, \ + (void (*)(void)) ossl_##lc##_get_ctx_params }, \ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ - (void (*)(void)) lc##_set_ctx_params }, \ + (void (*)(void)) ossl_##lc##_set_ctx_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ (void (*)(void))ossl_cipher_generic_gettable_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ diff --git a/providers/implementations/include/prov/ciphercommon_ccm.h b/providers/implementations/include/prov/ciphercommon_ccm.h index 0e6a64e07a..a4e02d484b 100644 --- a/providers/implementations/include/prov/ciphercommon_ccm.h +++ b/providers/implementations/include/prov/ciphercommon_ccm.h @@ -78,22 +78,23 @@ struct prov_ccm_hw_st { OSSL_CCM_gettag_fn gettag; }; -OSSL_FUNC_cipher_encrypt_init_fn ccm_einit; -OSSL_FUNC_cipher_decrypt_init_fn ccm_dinit; -OSSL_FUNC_cipher_get_ctx_params_fn ccm_get_ctx_params; -OSSL_FUNC_cipher_set_ctx_params_fn ccm_set_ctx_params; -OSSL_FUNC_cipher_update_fn ccm_stream_update; -OSSL_FUNC_cipher_final_fn ccm_stream_final; -OSSL_FUNC_cipher_cipher_fn ccm_cipher; -void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw); +OSSL_FUNC_cipher_encrypt_init_fn ossl_ccm_einit; +OSSL_FUNC_cipher_decrypt_init_fn ossl_ccm_dinit; +OSSL_FUNC_cipher_get_ctx_params_fn ossl_ccm_get_ctx_params; +OSSL_FUNC_cipher_set_ctx_params_fn ossl_ccm_set_ctx_params; +OSSL_FUNC_cipher_update_fn ossl_ccm_stream_update; +OSSL_FUNC_cipher_final_fn ossl_ccm_stream_final; +OSSL_FUNC_cipher_cipher_fn ossl_ccm_cipher; +void ossl_ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw); -int ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce, - size_t nlen, size_t mlen); -int ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad, size_t alen); -int ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag, size_t tlen); -int ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len, - unsigned char *tag, size_t taglen); -int ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len, - unsigned char *expected_tag, size_t taglen); +int ossl_ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce, + size_t nlen, size_t mlen); +int ossl_ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad, + size_t alen); +int ossl_ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag, size_t tlen); +int ossl_ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len, + unsigned char *tag, size_t taglen); +int ossl_ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len, + unsigned char *expected_tag, size_t taglen); diff --git a/providers/implementations/include/prov/ciphercommon_gcm.h b/providers/implementations/include/prov/ciphercommon_gcm.h index dd914bdf25..d878261dfb 100644 --- a/providers/implementations/include/prov/ciphercommon_gcm.h +++ b/providers/implementations/include/prov/ciphercommon_gcm.h @@ -102,25 +102,25 @@ struct prov_gcm_hw_st { OSSL_GCM_oneshot_fn oneshot; }; -OSSL_FUNC_cipher_encrypt_init_fn gcm_einit; -OSSL_FUNC_cipher_decrypt_init_fn gcm_dinit; -OSSL_FUNC_cipher_get_ctx_params_fn gcm_get_ctx_params; -OSSL_FUNC_cipher_set_ctx_params_fn gcm_set_ctx_params; -OSSL_FUNC_cipher_cipher_fn gcm_cipher; -OSSL_FUNC_cipher_update_fn gcm_stream_update; -OSSL_FUNC_cipher_final_fn gcm_stream_final; -void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, - const PROV_GCM_HW *hw, size_t ivlen_min); +OSSL_FUNC_cipher_encrypt_init_fn ossl_gcm_einit; +OSSL_FUNC_cipher_decrypt_init_fn ossl_gcm_dinit; +OSSL_FUNC_cipher_get_ctx_params_fn ossl_gcm_get_ctx_params; +OSSL_FUNC_cipher_set_ctx_params_fn ossl_gcm_set_ctx_params; +OSSL_FUNC_cipher_cipher_fn ossl_gcm_cipher; +OSSL_FUNC_cipher_update_fn ossl_gcm_stream_update; +OSSL_FUNC_cipher_final_fn ossl_gcm_stream_final; +void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, + const PROV_GCM_HW *hw, size_t ivlen_min); -int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen); -int gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad, - size_t aad_len); -int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag); -int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len, - const unsigned char *in, size_t in_len, - unsigned char *out, unsigned char *tag, size_t tag_len); -int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, - size_t len, unsigned char *out); +int ossl_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen); +int ossl_gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad, + size_t aad_len); +int ossl_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag); +int ossl_gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len, + const unsigned char *in, size_t in_len, + unsigned char *out, unsigned char *tag, size_t tag_len); +int ossl_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, + size_t len, unsigned char *out); #define GCM_HW_SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr) \ ctx->ks = ks; \ From tomas at openssl.org Thu Feb 18 10:02:48 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 18 Feb 2021 10:02:48 +0000 Subject: [openssl] master update Message-ID: <1613642568.287179.24999.nullmailer@dev.openssl.org> The branch master has been updated via ba37b82045b1b2fbcbf7580b317de5e3b52c8035 (commit) via ebcaf110b250cd55281500fa1debef806ab490f0 (commit) from e36b3c2f757cc7d68dc24174a00476104428b099 (commit) - Log ----------------------------------------------------------------- commit ba37b82045b1b2fbcbf7580b317de5e3b52c8035 Author: Tomas Mraz Date: Wed Feb 10 18:44:00 2021 +0100 dsa_check: Perform simple parameter check if seed is not available Added primality check on p and q in the ossl_ffc_params_simple_validate(). Checking for p and q sizes in the default provider is made more lenient. Added two testcases for invalid parameters. Fixes #13950 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14148) commit ebcaf110b250cd55281500fa1debef806ab490f0 Author: Dmitry Belyavskiy Date: Fri Jan 22 13:44:16 2021 +0100 DSA parameter check using pkeyparam Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14148) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_key.c | 2 +- crypto/dsa/dsa_check.c | 19 +++-- crypto/dsa/dsa_err.c | 1 + crypto/dsa/dsa_key.c | 2 +- crypto/err/openssl.txt | 1 + crypto/ffc/ffc_params_generate.c | 10 +-- crypto/ffc/ffc_params_validate.c | 98 ++++++++++++++++++---- include/crypto/dsa.h | 2 +- include/internal/ffc.h | 8 +- include/openssl/dsaerr.h | 1 + providers/implementations/keymgmt/dsa_kmgmt.c | 6 +- test/recipes/15-test_dsaparam.t | 78 +++++++++++++++++ .../invalid/p2048_q256_bad_q.pem | 14 ++++ .../invalid/p768_q160_too_small.pem | 7 ++ .../valid/p1024_q160_t1862.pem | 9 ++ .../valid/p1024_q160_t1862_gind1.pem | 9 ++ .../valid/p1024_q160_t1864.pem | 9 ++ .../valid/p1024_q160_t1864_gind1.pem | 9 ++ .../valid/p1024_q224_t1862.pem | 9 ++ .../valid/p1024_q224_t1862_gind1.pem | 9 ++ .../valid/p1024_q256_t1862.pem | 9 ++ .../valid/p1024_q256_t1862_gind1.pem | 9 ++ .../valid/p2048_q160_t1862.pem | 14 ++++ .../valid/p2048_q160_t1862_gind1.pem | 14 ++++ .../valid/p2048_q224_t1862.pem | 14 ++++ .../valid/p2048_q224_t1862_gind1.pem | 14 ++++ .../valid/p2048_q224_t1864.pem | 14 ++++ .../valid/p2048_q224_t1864_gind1.pem | 14 ++++ .../valid/p2048_q256_t1862.pem | 14 ++++ .../valid/p2048_q256_t1862_gind1.pem | 14 ++++ .../valid/p2048_q256_t1864.pem | 14 ++++ .../valid/p2048_q256_t1864_gind1.pem | 14 ++++ .../valid/p3072_q160_t1862.pem | 19 +++++ .../valid/p3072_q160_t1862_gind1.pem | 19 +++++ .../valid/p3072_q224_t1862.pem | 19 +++++ .../valid/p3072_q224_t1862_gind1.pem | 19 +++++ .../valid/p3072_q256_t1862.pem | 19 +++++ .../valid/p3072_q256_t1862_gind1.pem | 19 +++++ .../valid/p3072_q256_t1864.pem | 19 +++++ .../valid/p3072_q256_t1864_gind1.pem | 19 +++++ 40 files changed, 577 insertions(+), 36 deletions(-) create mode 100644 test/recipes/15-test_dsaparam.t create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p2048_q256_bad_q.pem create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p768_q160_too_small.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862_gind1.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864.pem create mode 100644 test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864_gind1.pem diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index be940456cd..f8cbbd593b 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -328,7 +328,7 @@ static int generate_key(DH *dh) { /* Do a partial check for invalid p, q, g */ if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, - FFC_PARAM_TYPE_DH)) + FFC_PARAM_TYPE_DH, NULL)) goto err; /* * For FFC FIPS 186-4 keygen diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c index 9a1b129df8..7f56a785ab 100644 --- a/crypto/dsa/dsa_check.c +++ b/crypto/dsa/dsa_check.c @@ -19,14 +19,19 @@ #include "dsa_local.h" #include "crypto/dsa.h" -int dsa_check_params(const DSA *dsa, int *ret) +int dsa_check_params(const DSA *dsa, int checktype, int *ret) { - /* - * (2b) FFC domain params conform to FIPS-186-4 explicit domain param - * validity tests. - */ - return ossl_ffc_params_FIPS186_4_validate(dsa->libctx, &dsa->params, - FFC_PARAM_TYPE_DSA, ret, NULL); + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, + FFC_PARAM_TYPE_DSA, ret); + else + /* + * Do full FFC domain params validation according to FIPS-186-4 + * - always in FIPS_MODULE + * - only if possible (i.e., seed is set) in default provider + */ + return ossl_ffc_params_full_validate(dsa->libctx, &dsa->params, + FFC_PARAM_TYPE_DSA, ret); } /* diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index 99fc0e80fb..6481e2dc58 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -32,6 +32,7 @@ static const ERR_STRING_DATA DSA_str_reasons[] = { {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_P_NOT_PRIME), "p not prime"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_SEED_LEN_SMALL), "seed_len is less than the length of q"}, diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 899663353f..8646d01957 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -77,7 +77,7 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) /* Do a partial check for invalid p, q, g */ if (!ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, - FFC_PARAM_TYPE_DSA)) + FFC_PARAM_TYPE_DSA, NULL)) goto err; /* diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 002a7a0f10..530e3217e4 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -502,6 +502,7 @@ DSA_R_MISSING_PRIVATE_KEY:111:missing private key DSA_R_MODULUS_TOO_LARGE:103:modulus too large DSA_R_NO_PARAMETERS_SET:107:no parameters set DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error +DSA_R_P_NOT_PRIME:115:p not prime DSA_R_Q_NOT_PRIME:113:q not prime DSA_R_SEED_LEN_SMALL:110:seed_len is less than the length of q DSO_R_CTRL_FAILED:100:control command failed diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c index 9285f93c05..2e50c2b801 100644 --- a/crypto/ffc/ffc_params_generate.c +++ b/crypto/ffc/ffc_params_generate.c @@ -77,12 +77,12 @@ static int ffc_validate_LN(size_t L, size_t N, int type, int verify) ERR_raise(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS); # endif } else if (type == FFC_PARAM_TYPE_DSA) { - if (L == 1024 && N == 160) - return 80; - if (L == 2048 && (N == 224 || N == 256)) - return 112; - if (L == 3072 && N == 256) + if (L >= 3072 && N >= 256) return 128; + if (L >= 2048 && N >= 224) + return 112; + if (L >= 1024 && N >= 160) + return 80; # ifndef OPENSSL_NO_DSA ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS); # endif diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c index 22983d62ef..a2bfe22da2 100644 --- a/crypto/ffc/ffc_params_validate.c +++ b/crypto/ffc/ffc_params_validate.c @@ -13,6 +13,10 @@ * It calls the same functions as the generation as the code is very similar. */ +#include +#include +#include +#include #include "internal/ffc.h" /* FIPS186-4 A.2.2 Unverifiable partial validation of Generator g */ @@ -88,30 +92,92 @@ int ossl_ffc_params_FIPS186_2_validate(OSSL_LIB_CTX *libctx, * extra parameters such as the digest and seed, which may not be available for * this test. */ -int ossl_ffc_params_simple_validate(OSSL_LIB_CTX *libctx, FFC_PARAMS *params, - int type) +int ossl_ffc_params_simple_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params, + int paramstype, int *res) { - int ret, res = 0; - int save_gindex; - unsigned int save_flags; + int ret; + int tmpres = 0; + FFC_PARAMS tmpparams = {0}; if (params == NULL) return 0; - save_flags = params->flags; - save_gindex = params->gindex; - params->flags = FFC_PARAM_FLAG_VALIDATE_G; - params->gindex = FFC_UNVERIFIABLE_GINDEX; + if (res == NULL) + res = &tmpres; + + if (!ossl_ffc_params_copy(&tmpparams, params)) + return 0; + + tmpparams.flags = FFC_PARAM_FLAG_VALIDATE_G; + tmpparams.gindex = FFC_UNVERIFIABLE_GINDEX; #ifndef FIPS_MODULE - if (save_flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) - ret = ossl_ffc_params_FIPS186_2_validate(libctx, params, type, &res, - NULL); + if (params->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) + ret = ossl_ffc_params_FIPS186_2_validate(libctx, &tmpparams, paramstype, + res, NULL); else #endif - ret = ossl_ffc_params_FIPS186_4_validate(libctx, params, type, &res, - NULL); - params->flags = save_flags; - params->gindex = save_gindex; + ret = ossl_ffc_params_FIPS186_4_validate(libctx, &tmpparams, paramstype, + res, NULL); +#ifndef OPENSSL_NO_DH + if (ret == FFC_PARAM_RET_STATUS_FAILED + && (*res & FFC_ERROR_NOT_SUITABLE_GENERATOR) != 0) { + ERR_raise(ERR_LIB_DH, DH_R_NOT_SUITABLE_GENERATOR); + } +#endif + + ossl_ffc_params_cleanup(&tmpparams); + return ret != FFC_PARAM_RET_STATUS_FAILED; } + +/* + * If possible (or always in FIPS_MODULE) do full FIPS 186-4 validation. + * Otherwise do simple check but in addition also check the primality of the + * p and q. + */ +int ossl_ffc_params_full_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params, + int paramstype, int *res) +{ + int tmpres = 0; + + if (params == NULL) + return 0; + + if (res == NULL) + res = &tmpres; + +#ifdef FIPS_MODULE + return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype, + res, NULL); +#else + if (params->seed != NULL) { + return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype, + res, NULL); + } else { + int ret = 0; + + ret = ossl_ffc_params_simple_validate(libctx, params, paramstype, res); + if (ret) { + BN_CTX *ctx; + + if ((ctx = BN_CTX_new_ex(libctx)) == NULL) + return 0; + if (BN_check_prime(params->q, ctx, NULL) != 1) { +# ifndef OPENSSL_NO_DSA + ERR_raise(ERR_LIB_DSA, DSA_R_Q_NOT_PRIME); +# endif + ret = 0; + } + if (ret && BN_check_prime(params->p, ctx, NULL) != 1) { +# ifndef OPENSSL_NO_DSA + ERR_raise(ERR_LIB_DSA, DSA_R_P_NOT_PRIME); +# endif + ret = 0; + } + BN_CTX_free(ctx); + } + return ret; + } +#endif +} diff --git a/include/crypto/dsa.h b/include/crypto/dsa.h index 8d282ab188..3da5696795 100644 --- a/include/crypto/dsa.h +++ b/include/crypto/dsa.h @@ -33,7 +33,7 @@ int dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]); int dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, const BIGNUM *priv_key, BIGNUM *pub_key); -int dsa_check_params(const DSA *dsa, int *ret); +int dsa_check_params(const DSA *dsa, int checktype, int *ret); int dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret); int dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret); int dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret); diff --git a/include/internal/ffc.h b/include/internal/ffc.h index 7653b6e2fa..4cffc720a6 100644 --- a/include/internal/ffc.h +++ b/include/internal/ffc.h @@ -162,8 +162,12 @@ int ossl_ffc_params_FIPS186_2_gen_verify(OSSL_LIB_CTX *libctx, size_t L, size_t N, int *res, BN_GENCB *cb); -int ossl_ffc_params_simple_validate(OSSL_LIB_CTX *libctx, FFC_PARAMS *params, - int type); +int ossl_ffc_params_simple_validate(OSSL_LIB_CTX *libctx, + const FFC_PARAMS *params, + int paramstype, int *res); +int ossl_ffc_params_full_validate(OSSL_LIB_CTX *libctx, + const FFC_PARAMS *params, + int paramstype, int *res); int ossl_ffc_params_FIPS186_4_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params, int type, int *res, BN_GENCB *cb); diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h index 49dabbf575..669cd6c87f 100644 --- a/include/openssl/dsaerr.h +++ b/include/openssl/dsaerr.h @@ -35,6 +35,7 @@ # define DSA_R_MODULUS_TOO_LARGE 103 # define DSA_R_NO_PARAMETERS_SET 107 # define DSA_R_PARAMETER_ENCODING_ERROR 105 +# define DSA_R_P_NOT_PRIME 115 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index 28e8409aa2..467f75bb55 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/providers/implementations/keymgmt/dsa_kmgmt.c @@ -309,11 +309,11 @@ static const OSSL_PARAM *dsa_gettable_params(void *provctx) return dsa_params; } -static int dsa_validate_domparams(const DSA *dsa) +static int dsa_validate_domparams(const DSA *dsa, int checktype) { int status = 0; - return dsa_check_params(dsa, &status); + return dsa_check_params(dsa, checktype, &status); } static int dsa_validate_public(const DSA *dsa) @@ -350,7 +350,7 @@ static int dsa_validate(const void *keydata, int selection, int checktype) ok = 1; if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) - ok = ok && dsa_validate_domparams(dsa); + ok = ok && dsa_validate_domparams(dsa, checktype); if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) ok = ok && dsa_validate_public(dsa); diff --git a/test/recipes/15-test_dsaparam.t b/test/recipes/15-test_dsaparam.t new file mode 100644 index 0000000000..c34d8ec9cd --- /dev/null +++ b/test/recipes/15-test_dsaparam.t @@ -0,0 +1,78 @@ +#! /usr/bin/env perl +# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Glob; +use OpenSSL::Test qw/:DEFAULT data_file/; +use OpenSSL::Test::Utils; + +setup("test_dsaparam"); + +=pod Generation script + +#!/bin/sh + +TESTDIR=test/recipes/15-test_dsaparam_data/valid +rm -rf $TESTDIR +mkdir -p $TESTDIR + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:160 -pkeyopt type:fips186_4 -out $TESTDIR/p1024_q160_t1864.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:224 -pkeyopt type:fips186_4 -out $TESTDIR/p2048_q224_t1864.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:256 -pkeyopt type:fips186_4 -out $TESTDIR/p2048_q256_t1864.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_4 -out $TESTDIR/p3072_q256_t1864.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:160 -pkeyopt type:fips186_4 -pkeyopt gindex:1 -out $TESTDIR/p1024_q160_t1864_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:224 -pkeyopt type:fips186_4 -pkeyopt gindex:1 -out $TESTDIR/p2048_q224_t1864_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:256 -pkeyopt type:fips186_4 -pkeyopt gindex:1 -out $TESTDIR/p2048_q256_t1864_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_4 -pkeyopt gindex:1 -out $TESTDIR/p3072_q256_t1864_gind1.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -out $TESTDIR/p1024_q160_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/p1024_q224_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/p1024_q256_t1862.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -out $TESTDIR/p2048_q160_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/p2048_q224_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/p2048_q256_t1862.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -out $TESTDIR/p3072_q160_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/p3072_q224_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/p3072_q256_t1862.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p1024_q160_t1862_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p1024_q224_t1862_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p1024_q256_t1862_gind1.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p2048_q160_t1862_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p2048_q224_t1862_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p2048_q256_t1862_gind1.pem + +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p3072_q160_t1862_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p3072_q224_t1862_gind1.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -pkeyopt gindex:1 -out $TESTDIR/p3072_q256_t1862_gind1.pem + +=cut + +plan skip_all => "DSA isn't supported in this build" + if disabled("dsa"); + +my @valid = glob(data_file("valid", "*.pem")); +my @invalid = glob(data_file("invalid", "*.pem")); + +my $num_tests = scalar @valid + scalar @invalid; +plan tests => $num_tests; + +foreach (@valid) { + ok(run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); +} + +foreach (@invalid) { + ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); +} diff --git a/test/recipes/15-test_dsaparam_data/invalid/p2048_q256_bad_q.pem b/test/recipes/15-test_dsaparam_data/invalid/p2048_q256_bad_q.pem new file mode 100644 index 0000000000..6f7d98ddfb --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/invalid/p2048_q256_bad_q.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICLAKCAQEAwmWp4Y+deYlczoQUPiioJt6Qxthrk6L1CAVpGH2uRRlHfTl41WUX +JHIJyCMBgRDtVVQdyAQ7AZ+CxOl1wpazvGJddyQVynhmIFsaUwHF2fYIT00MvBRL +9VA5PQqUmX2Tnog5ezu35CTsEqlBTOYcGqkQ7ctNVjfvjYCkwzvTxJS/Qsvki+dA +fE7NDWe+9r5QjSGEFZtH45alIM4qUnBS1mcN2Az5+S8JxPiivY5Jkt0pXoRQnvCM +In4bHjM8ZOVmLxFCIrpB0dNgKDg+2zEjRjmL7B4aZRcO7wDyrtDPc7jiYPH/rlt/ +wU1o/Y1fnzN9+R3f0AMeWR44bqf5Ol9jVQIhAKDEbXZJcYLbvkUYWBr8TKsVu2hc +H57M3PwkTsq+v2/dAoIBADKkGYUe9qsp4mqxkBKaEdpcjmjfLrvtE+3ikipPPGHh +tbAX7NwZc9WCyhniKYskEbJBWsuAZJXDgIRNaSpCVLK7dd9fx8ZnIKJESO6Htv1z +JfSIST57xW8L6m78Lq2kxpr5dVcm7I4pelTfL5jscTURm/1Ua+2skI9YlZU/Vgux +Wrr30H8bp4fUgWjcgPJbeirSY7xVI8FKrQaES0s4NRFbgGMFUrEGddBF0bgaGkwd +mFEpcXAEQDTJV7SPJp3rbjFug3CF4Atw3RmkV2T/sHAbplyr9YsQDmAQDhPsaWjQ +eSsoRUq0aQ4aa2V4X/gSzSj9It3Q4ngQwkGGOPJEo44= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/invalid/p768_q160_too_small.pem b/test/recipes/15-test_dsaparam_data/invalid/p768_q160_too_small.pem new file mode 100644 index 0000000000..c717c917a1 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/invalid/p768_q160_too_small.pem @@ -0,0 +1,7 @@ +-----BEGIN DSA PARAMETERS----- +MIHcAmEA702xO4DjQl4WxLId1FR8Q0tZ+FQDEqyhzfYheBnLra8Uaf3gLp7V0g52 +aQqDTeY1TK76ZmNo/SvESDcYTHjlgKphYCKLRxAhvuyGfX1RRPWa80BrM76wYtJD +mwB9KSBnAhUArp9BUvskZ9/K8Bzo0MVejsHC6AkCYEugdq5OD0HjCrxt3hFMD3sJ +ZQ7VAZa+Fnu9SJNjCeMYLEww4/A6fktqokDWITjSQpdJAAxwc+r8OlDRwBb0q7jT +w1IDvvbF/xGex5VzHHBZmQU1G1jH+Lq3h7dQ6d4l+g== +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862.pem new file mode 100644 index 0000000000..a348548d69 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBHgKBgQD9xYIlQ/DsVYRe/mLETy7f7U3uKakTOPPDUcmd1Oyaopii0hKek+kN +Uo8gKEMrakJfJcWQmHwGrxbbPRndY7t/3VcNDukETNlrTeHenkIUOfGzE/+mMsr/ +yS0r8xKjsZU886tWU22ngQoftPZ3a+P4sm84yjBzWbOKMKKSw3G3TQIVAMiAYpYu +M8Yh1gu5xsa6GHugzBBTAoGAOxWSatlBZLsMYzqJmzlhzQpc3yJ4RTu2tBZKZbP0 +1AOfLCOD3XXgvVWBEaY0t3sfTqv+iJw5qvmtfkYGeFyU6U3z/pTtDUcSenykU2Rf ++FM00ZgsjHSFCV80V95SaHIEEjqsrvfq6g3GHElxaSJ1ov/D9UrB4fiFJk15B4jd +vP8= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862_gind1.pem new file mode 100644 index 0000000000..9b8522f847 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1862_gind1.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBHgKBgQDSK3iZ8B7b7aqw8u4h5frUf0245I7CqfIP1smwcCPuPpsrGAIpto2R +/VjaPxTljGyg+DoKBHh8+g3GyIDTCF95KZITZFnNhdgszulUMOBo6BVIcow2xb5P +5OuEEs8SI8msPJ+DELktb4k7R7ErmQkFJkw+js7Cp+OynJXFEeM1/QIVAP0eH8DN +0CVrbBWIKTni5GYMq9w1AoGAS71s2Qtb3i18BTjQpvircllI1JJg2KM0PSrd395l +U5QzWLlOiagq3VxZasl/xVPRWLEjsjJvW0br0+etaK/RUCRh9umiKtAA6ej0CU8H +en/LyRimo/62jB9OUGmNeIlMbDCmTBj0wSicbxTFnyMmnExyRhpmpwxB4R5D1Do9 +7no= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864.pem new file mode 100644 index 0000000000..2ee282a775 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBHwKBgQC0mfNiG3j2s4OVjBSfxcHRAKm0Pq1EMInOH08H6rGDv2z+jxjpcV8M +trTPH+edBXpcPIfj/g8W4uHzQbrhkgBD5oVFgxeNkdx4XFs6hYR/+Rffoz1yCyrK +Y3u6KuliLh78b35nrD8a60c+sdEeyqyQyityC/DLfDPsHsaDoci/pQIVAKVuzcUl +eLXk7fMosqqyWdRYuqT/AoGBAKA1RycVanmWQDK0GC+qz7YWK9pbN6jOTor+0lYZ +X+ZOOgOJfd2VxN6BRMLrLZzwyZzLkLxCfGewtIESt7VOinJXlV/GQOaw4jSVUpMZ +Vk3XXGzlCREZ3Io3/RB38jvK5L0GAvdlCHC2+SRz3zJv/xsu6jp5YUDyKA6BCpSc +Z1dn +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864_gind1.pem new file mode 100644 index 0000000000..64abf5ed23 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q160_t1864_gind1.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBHwKBgQDAs/X8j/GO88thl0UtbO1yzQd1rmDrZDuCz9u7KGb8nih4FMqRvqZq +6SZ/jsgWVVmKSz4BR+pBXYhtzjWk9hJwtyDDMKgb/aQ+A6ceN3Q+56+wyrtq4IHn +GSxq1qos6OGUo2eJ/OnwrFcssmdhsPJh+mRbksFlj4ioOiWFZP6EdwIVAKTxLxHR +1mqrb8VzuKQtF4v29OX9AoGBALIvy95r7pNVU21AvWdgiqZ/0KgOl6Ltw39a4YoB +1KJvAB7w3A+++Y9dJ2KSOcDleea/vOB/zke6Gn8tchTLxC+5wgxqJYWQyIJ2ayU+ +kuGbg73x25ZbxwOf/L/LXawlbYw96K/q8gHtTAemegbg3mA5FdB980PT4QO7r/Wk +8pE8 +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862.pem new file mode 100644 index 0000000000..a6ac0a106d --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBJwKBgQCYF3IejaKxzlgFtW2qEHTuciYxEwQDK9wQoJXqnoeCfc0ZzyW0p/1y +ykjmyQibL425XHDqa8n4juHVDlR7sdkWQgCxU9Y476zHMAllJiMRLb0YWd3htG8e +4RrZdBp2ja/axeY0Yt4Y3tpLt8a1Wm6h6E17ZDkWJOHsiyhS0/A3GQIdAPFwM2kA +z0GDenrDrTZReA1en6dw7ks5zyWkpO0CgYEAhULB2zCf7nKNmnbMAZM1M+UyooV7 +9x0esJ0nD192zQSfp5bLMFRobHw8ZJRNwwaxNvGj7T6kN1v0JbF2kD6CQ5qR+VQ0 +B5kPnrLEe1rEnMI5GY3mUEhuXT39aaEZgSZlr6Y28UGMaVPsLK/tUHQRv7NgbSSF +VKxcAFZi3K4b2jQ= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862_gind1.pem new file mode 100644 index 0000000000..0a2f828a14 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q224_t1862_gind1.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBJgKBgQCS0aAy145AKj1XTv8Xn0iBHRdJCHNue94IhsSuOLfqi1Usj1uff+Ti +mV3Rb2EPvGAMoGVnenvH7X3MjO1qWUW1hHPVfZZ6cEJwMoOEht/2X5rv9r8TZiEU +iMIMQNSwdGeRUqsCCEWhGKVhVVkZmHSRhwmG9Y9b2YibPDWEk+8o/QIdAOaZ2Kx/ +nK8OMtoJ7nY51gt6qk8BaLk6JELdsLUCgYAUUhmgW95kcJt15TZqFsVV0CXADHqc +LYT4WcPsXuJdiQorZqeyRXNPzGoRvk9s1nqrDwoIwTcl2rArLPq5phcIEGtATR8B +inIIAPB3v+i6vuZ5TfqdVpA9E4NDNr/hTKR+Jn6hNLzliETHwAXiC+cuAq32sUiW +Ec0eJs9/vgTiOg== +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862.pem new file mode 100644 index 0000000000..075b1fb785 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBKgKBgQD2JhtE0H2GzUgkWXHSj4aLIMdpLhbpcNeM8UR+GCr/QMv9YDmNmdyr +imWHrgc8RhPECHAYkhMT6CbRp7X0eOJH/+Z+wYezCzbj6tWSMhXv0cNmD2qJFNNr +g4ps0xfA2EljAzwQP+GifJuaZXcDrPvolSCaTIirOXUgWWZhRuPUhwIhAJhvIt08 +R98NOzAtFpzE1zIUCLPmCchNpPOLTbzOockVAoGALCWqChas4A2gweHVumUFYk8f +1IEQUsiw/79hQwYk6vGETs0sxHwd+XXAAUhs0ogHmg1pV9FF0cktSgp8IPXQMf3x +/pSfhyAexSY3DWhuFcYkYCrhDHfqMoyylrbdvjPnFONw4RqQWN0Skhwq+/Kdki5P +hf8w4xPcc+HNB76vpd0= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862_gind1.pem new file mode 100644 index 0000000000..6cd9a27adb --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p1024_q256_t1862_gind1.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBKgKBgQD02ixBdDQoEc5FADUTwlD7DMVb0EkZRlEuC78fH2xorsBBam/3JS84 +x5uiV5UpdyGEZaORTHOmQFC3DvtwojkCEpOzbITYft34ngXGrANdkAAYkfmtbkWH +Oudses211ciLVNEtcvnWp9koyMwaiW8UJS8VXZPPdrF+5Sk7yUWYtwIhAK68pcA1 ++/GbxzchcTcOEd1UzrhnJiQuWhCLAbrF8TjPAoGAVethgbgs116PQGJVwsRwCW+j +dz609/2baEKKVfKnUCSbngA2nZ2EUw8fQjZvvkGeEnGc3noJkDthjxiEITvcXgQT +59qRury4mxPPJ6bKp1U4SpJlmpNl/Uigm3olF45YOjOPrlyj5mIn/fHKvXp+9VH8 +KRjGRfDduSvStNrSQWU= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862.pem new file mode 100644 index 0000000000..4f247195a5 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICIAKCAQEAy4AQqY3+v5g3hulKvCH9iUzGOprsNag0knEt+xdSS7z2kpxj1ab3 +8DJDtIBfn1B92X6GjaiCKuH1FX2acIEq0DOvl4zNYQ7WSTA7Z5+MXK8Zk7slxr9y +MhDj4xyOAnxZ3Rlkuv7H5HgNzS2lP3bZLiFFWw4YYqOLZxzjHDcaTVqU6orNmIJX +6d9qW1MIxhVtKCjPsCqfY3qY206so3dxi+bK8EsweTBP03HO/SmcYIhFVStekE5v +LoCSzTjDOK0DisW4SGF42m3Yh3m52Hk2fOckhc1si/JHA3Tko0VnRqUYz6gP2vWs +7SkJzZSlwQFmxKkUXPdypyn+bA0XAyfQFwIVAMxf1UMfNLp0iajYC/liKwUgS7uT +AoIBABA1H4tJZyvC7+J/xUf2jxIgHlGiJq3G70CXgHr3LKHhLWK/WHSJAsXGKYsl +ZFB/pQmjocwthHYGicwB7pwYHotEv+JNMAWLiZjwb1MckGCZW6HcVsfXw52abqUP +tqGAJu/KbuJEVtoDz3m7umI/S0IHSW8kRY4I96jL+uPXvGOTgnAHtjaxYCEZL3iK +/vRpjuE7A52a52IZGZ+GlQxmfT3cOnHLTZpKaQhFJ6mZyrOYzaLVVnC2JJDMeUuK +w34pH6dqmxPL41uwPyv0cCuzCfAlXbrWPs2AkFbBuKnyD8+hxpy1rz6EK1dVleLW +mgxBLFL2D3yc59rp1hZU/bwIcSs= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862_gind1.pem new file mode 100644 index 0000000000..e839783209 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q160_t1862_gind1.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICIAKCAQEAvGtt/0832RbWBAXM9y3ubL7Hj/VZuQo318k8DUbTv1/886isw4uX +Sphv6TsLO9qb7Ma1k18L4bK04NNQheSfvq5LZbMtX/VHWaoCSuzMj73Z+XTWTr/N +aYwVAUq1J/XrX+P5F9b2KCEJ7iLAL0BkZXnIMVMwWcqmY7JthdQYzCwOc6S93aiV +MEHKtekj5KtxhmD5o6tPs1GrVdnCUGXAZZbi1eVHbUro114SyWGflvnaxC+4WGRz +GN9EoqtPZhOKlsAHaEZilf8tJDVOi7rnYw9gFvQH6PUWOV6U2fuYBmUBD8fSx1YE +xv1dd/rawmKJ40ILXxOM2zzMYXwHse/qQwIVAP/hJF3q0imEjGKYSxaJ3cVZ7agp +AoIBABRqCTro/ynhun43xrU/FRhsUIK1ewp5NEBOsaUMjm7w5HBVHfytwyGB+WJp +h3Og73szKv2JsNNWOc+ASw116/mTosO49AJWk3YYdcoIiOpZbO41+4BWAIxE0ZqT +Bjq6uQ3FR6EE+yQk486uIR4KqQ3Uj+BfQ6qJ+hOQI2gpNUkIxNNXVmYYgRZM9H1U +oYTqeJYACR2spZYTRwwzUMFQzfBVyT7if/zHYi5NSAdeK/sjGT+XXAFw52e839nK +7P5UUjCaqsduLuRkYcWE7f6hqgi2O2Rgn4kTaRrL7c4FBLmz+vlEffJJKNnjyX1k +m+RhuXnP8UzBtsUdz+7Z+EioRB4= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862.pem new file mode 100644 index 0000000000..113aca5427 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICKQKCAQEAkv8C0SmPpJc0mQ6yVzDzQr2jIO3Gj2n7MSJ4EN816CecMmO8vBRz +8x8W1BvjYDJiyFW7KIJcgI48D7rBndKqd2A8r9ErPJrFx/7AnPD5/b77vRKcJ14S +8DNjSm+9Qg8281TeIztUrmUjWHIPj1ZNSev1yaprK5u01BSi+YIAxNOST4RrMurZ +wz75VW4QZ/JkAwYy/r9LSmqeli3Hqy1sS52B1Ew/c1tVj6th+dPlprOPiPCzj6KD +BkxDU2wjJJE2rYiMZqq3wKHlkuNl54T211DrYY0tM1YWSrPO/KjQU6lNP6DQK0WM +w414Rt2MpXipr3+eSNGIx+evNOS2qJ84YQIdAPTt4hrsGeHjF2/fhkWJm+LP9FCM +4fiSw79D9D8CggEBAI75tDjL8/Eipou9X61x9ZobVyubG/VaLWCV5mv4Wn4j22Gn +T9OABbmZUAJAp18CTouXXU7zjR6f5mFgC/h/fgOqVqe5M9rAyZ0h/2TZ5cwnya/n +8NydZzJCDPihpk2BXuxWVqX8J0R8MuaOQSSh+LqTd0FgW+by6i9jJm4ZREp6h5v/ +Bam4BPtNdLVKUDk09B0ILfry5St+hFdFdU7HtTgTIBb8buNaNGbiTYgDPaz2YjLT +Nuaq71RU37PBxmbmgCz/rwAdNzQ/eGylfIPNO68YkFTY0zhYKBZfLEtpKN5s8gPT +wpXU8+lm3EnkoG9h7+qbCIs6G5PUu+FartqzPpQ= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862_gind1.pem new file mode 100644 index 0000000000..c7071a2856 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1862_gind1.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICKQKCAQEA5uZxsPfUbcP0YBjVZ8QTc8b0Vv1kphd4FnoqMZgW3aGYL4iTN/I8 +av157vC6PW1x2YeHyjktd3yVJGZidqzfnoYuQdZi3wrJDST8BrGLgh0fuRNjH/RD +/OUdCPCJteobUpRn6myPscvAQyHsWisKpFJcOnmqBlZNfommoXD+a5weABA0KAay +MJu1+ahTaTjWCSGQCQ/JqSHFmYVy88l09yqFaHfvG3L62tATvqvuJZ2cshl5RCYQ +ajXZS0moA7mk3ApShLdvskD9yLZVzPLb4gaG0gT/h36d/gqgZi8pq4KdlSxuAIDa +7QRYWQqLWB/NgHsSvbSoxPN+ibfyyDPzIwIdAJu0noHZp7BCtEhtqSZkVSvGfrL3 +HQh+JP1TMtcCggEBAJlFpiWZ+n0W9dqHZ35QG1e5goMQusyJ0Oke31hCEyKVY1gu +1gdxUVirhQwNpdfeBJMHzMNFpD3ocC3lMKRwEN2oZMXECkjzAPbqyvNs55i38CGn +NW/5aAqkBnJvG4/O+ANwB+r64hgUiwIxlBW3w6TQri3Wa/c5xCvThneRFTFGuDWi +r7hPDIeIyUYzgE6bJelX09ruhQEzeyFj2snfr0uCPjf2lqqy3FnoTVjrZtkSr+Av +/esxiZjLfuqZQhYJtQsAIbuu83rD6VUnMF5X0XqQugMMJXxJgcBgomE6cHlrpqXL +hJD6l77XftHNokshhCQxk7w/N/pH2j4Pxidfj28= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864.pem new file mode 100644 index 0000000000..9b65430b58 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICKAKCAQEA126Pk1rYEEQXV5E2hdg+uS+KfbEdtOncGOoMiCUajJgIdpmPycUh +R5VE66AuwjryRaBAezW71UVfgEKyu5521aTl0SB9N62EkVQ0KtRErSiynZ9jOC58 +4zeRsRUquzbl7OyaYqgZz0N+AuKQYeS/SZUhvFUONJ9wQgVEpLF3Gfeq1xFx1TgM +JTCyMyh6lZwvZvYa3bXcoxfCpsyo/mHmKZB63n+AKy2YRWfMpGFTc0osygaoLFRe +hgo928CU5rcGq3uhkBIRRkYvjq7v1wPNgkdydtPxzsJ/2slZmoD1l92TK0XJGP58 +FP+o9ThvAg8wobLP/rIW/IerL/v0jo4URwIdAPuKgUfEDIyRPWaL3ZqRGrd9xm1o +S8t/0jlAJ0UCggEATxHNhkSCNWypeGWe6SQH7VZBdlcVO4gDu6g04Ui+XaIaMAKg +WtYBlmeyzvArfyZxG/o3mrFL/B1/d3boNkgu850M5Ijz5qY1O4NO2Dof4uLXi+vy +zBJ4ThHF+5p4mr7JSIjVGHpTHCOQEQTAI44LcIdFij8cqQXRUB5MVERkRqY+5lEe +c6oqildf8Gd99xOIdp/R2hD0tRkwMH+zFKYFuDlmX35X4tagzvQRNYBx/KMgFuXl +ZbSMoBIEbF8SvzeJp04FwxjE+OpBur2EMuyjWyxbho42Mque+mAqwJQ8xNLzC1QY +S2CHPTT22NehGZOLK4YtSoU8GUTiQT8xDUitXw== +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864_gind1.pem new file mode 100644 index 0000000000..e715e4836a --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q224_t1864_gind1.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICKQKCAQEA18dE+jFlsFpb68u1HSpjkDsOfBpimo24pBPUPstH5bg1vZNUFXwj +J3BgLw0qOQ4COO9UvLxthcNr/tirW8txqBoVVB0iw+gScPeZQCkSOhwB9MZq15hd +us3a8bBrXe1MXSJ6HMsCJFo3VUM3grLg3IIvMZT13MDlEFre/Ttds4UupSl/WEiv +PjZnUEY6BD9JXNTWAzmHq2gIzQFLd9vLun/KpStotiBitUwXZXy3WTvz25dRpRnA +XCa4MXBAGHsKhFOL1ccLpHgiX2ELWkyopjWEErFLyyAJcynhx2PrQTrIhfv4rgdE +1ecqOi6I2oxntmFyjIjFJ4e8h2GKwxL8WwIdAN8WQLZ6RfMm2Zl3tGVJVldNKaMW +2r0cQuKFL2cCggEBANBlnziHSTcuv7L2SK/nqbivto5xjnnJg8XGGL3ZqWCbbNyv +PJ/XyromDzuMcGBIokn9n6g4YXqh2ik0in3ntOycP5D/JYzANJW7hGefHQ8zonSb +VgncDeX5DfqhPVFvsGhRCPxWehVzvYf/6TPEI1Mhoodj5cOf1+ZQLk31Jhnj62Uj +OC+++GU78p2Ys9vtZXKdpGkHxh5ad/PwyAsbk1a7hNFxPBqm8kZt4GPfslz1e2ZA +QtQENIs3Xd56yzSZM34Q/H1eDREr6vqd5wpNoERMtdvD5cthgpp4cureCDEmaKRr +iLG0Z9vWn6sUCnbHH5ieZ/q6lodfKE1aR/dUkDM= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862.pem new file mode 100644 index 0000000000..773ef4fd93 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICLAKCAQEAgp20bAUCq6LO/qtRdecf1jBrQQSIN7RkiciGLqS6lZsC48EzSbmu +XfSMybc/zsid4D5qwKBwNedEeL7IO1hHESBZ6qD8Hfk02V7QbyatxDX7i6/XkcCo +R9a2pbRDQA149pI13lBSINUAygLk33ez8HviDg27/WeCRaB6QgSMBK3p3XmSCuzz +yVwA59XblCgxqfXWCHyMP6i7o97s/I+CoEryGBtoY2pXpRFakaFzzvMymiU8z4eX +TWjAx4RMkwjDgQvgFEd4na32V0C6NMvQTVVoiPNf85YC9cP2zsoMCS7Yn1OAvn6u +rKr++eLJKJbOtagRyC9hKCFIL/XXB31FNwIhAOUwm8S5B/PqQmjLAP1NRQCjScxd +MNhND3vLSiO2DtS/AoIBADt/4Matb9qA/hKmDj3YxsEKElUUrPkhF/fSyVU12SIp +cT6B860JJ6dUD5PefAwQA47DxJ+T/LTyYyJGK+xw0jKlIH+e1zmhxd6fZyQ82UES +Cb5bulzEsMIZFV2BdKlLppHw6yhUE0qr3nl9gr/4TPULNpT8rVKZhW3MdA7u08PW +7dV2XhY0PliYByGZr1ZjKJM7bpjkWLvJAN1WrwSlHjcJV9vdD6tqIRbVzjOqrcN5 +xlP3JdkQV5iXs3RlZ8JrH1M+MWp6udt4TqkkPkn9VzG4Kkzw9BKn/643Aei14Jet +bucs20eyianZeBHqkH/sMw/tfM1e3GwdnH+I714WTH0= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862_gind1.pem new file mode 100644 index 0000000000..a405a4a38b --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1862_gind1.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICLAKCAQEAyKq4F2lBf+8YckEU6JW+pfOqViJjtpOdVlZGDq65sYeUs6hUo+Qs +biO6mZy8m3XyEWnSR/d0suL93xkjtoo82M5jYkz49I7rAHWRJV2WLjWz37asjBzN +F1dYg0RtEio+mEQv2mzLzr5mNeh7XcjRtTMW6iNH3GAQ/kuFjKY2nEPvJc8m4Udx +RYGjGSyL2vdWJf6iQsxv7YmbsF9P0ZQhvLu9VhoZhtNaujqAl+fsfno2cgfDyf31 +Ppsnkl1WuBM3eD8ZWPB7mjsxS1z7Fxh3OxaqTbA1Hd8Fj0ixNG+D6kDoErSnZjg5 +Bc4bjLG10o+B3bCiRx/3ozM9IRGSrpI/ZQIhAMNuTbIp8SR1EtifRudeNiM9Tlk3 +0CmrVR2hzRUSpKPNAoIBADuHBrhuKj93By8DgllwZ/cJOXKV32frVdocX5PAOEIv +2jDFd2ya2Gyi/nS/AE1UimvjAFP9nofyzvDJG0xOhqvwmVU2kdj7632JdSFj/Lzj +twtqNDve2OYdcZ4GCBiH6XOoURX3HOhJqqYtEJHkW7OKFzhlAYZWreELm9RaiuFU ++QgMmVZ6wdbnNoOBpjCjzjtMf+7pX7Whh1g/siYo0fR+LVHHfqHpxBuXWGbbOL04 +cSV0/JF2xqynH74ySqvuoEA3o7K+2Xo0JRGcwE/lkJZTEYaahJmeVQ3Nf2NOrOFY +J0NRY9hOCEz8oQOC0AmBj4OaKaoFQKkP3DQWFNjK4jQ= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864.pem new file mode 100644 index 0000000000..36674bf95c --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICLAKCAQEA/nlxxQ86nKiHEsmMT5OtmxXp2tHw//Kz+9089krs/fN+KT8mxUlC +5Czyx3Y8NPCratNfxrB9/74BVFedkt18GMVRUaQNRQw0q0aWrrzPhZpXxBskiXOA +mQelUKdMmuK7ZbulrNjInWIAV9Pr3yO7FOWO272VhoBGL3nasp+5znGLLBUZm+kZ +MEnk8Us1/8KEn4/5Q7bzvaN/Pge2kBF6JPkPprtsCJgy7aJO3ydDc0/GZIfB68Q7 +RbTMvCCLuMzgYdeLc20y0d5CZ570gPBU7zl/ix+a8Plyue9hX5NHt1aHFTGpLNyl +tH2WCiHhJNLcyacbOVK9Gz7XMMeFDR5/AwIhANY0MlY3BTnv9wp4cnACCzNGskxc +XKxwqCalKyQJtRbLAoIBAD1HVMIL/zH5PcEu7hCFkd5O6cJYR5ETRWYk3VQw/i5r +P4jQhoQH/ztY84pr2cd7/maGSbz9O0D6o1M/im3TX2+NrjzwlTNYTRaPI2vV1Z4N +wb/3zczBshhwpZ6heFxIfnchejw9hAXERz94AWfKPN+e4mIGII62Udna5AeOJufM +9KW2PGd9GP0n1HlziDUYtZXlgCqgQvYlfPp3fj6Cdy49MsY7ZeEfEljXWM5+mX8u +lVLTqN0uwkLudAuN51nphaIJI+AJ+TR7rFgYEoG2O/6uoqxBVgMoTKkkJqHM3UhE +5pd7AMkOUpUzuw1YDCW9mdUY1dAgOJr8GZnknWAdjvQ= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864_gind1.pem new file mode 100644 index 0000000000..398b266940 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p2048_q256_t1864_gind1.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICLQKCAQEA2Drds0DjRV8ht73dVp44MMtcjvSxugNuElrwheVB5Bm1wsmrEVnt +MSGdZJ5FpndQD/ndqSctTssjW+cxjJ4mHjVTXpTZURQZW0MNkn7+qVw6oFrnd+qq +tDkh0jnaTYTNiEp6qm5QmnEC/Ccvr3YZuY9EHurzVptJuoRIMgFGCz4CHj5q2vQ/ +CPvBohUSvC9EmKGveWGFID+tmFWuHZ9d9pF/GWjA2rdW//uRiStssbN24jscsbZ6 +XnNrJpgyGYYjugsl+catrMkodstrLsk7YvEYcE6YYN0TwZc9kjJ5f3ydQnI35Y/s +EQPtP7DdA8aLaOC1ra2Nakm2ZW+pkygPMQIhAI2NF0GuR7NjD7lXx6gnVyk3p6gR +l7u+BNIhHFVJP2/9AoIBAQCvGDoQ9S6So58RDz15ghYjpdNSzCBtA6ixYszesSJU +DksnEDV34AEB2C8/uvzcSIca3314dDsE2R0ubTrh4J/2JNbNE9M5UYEaJh0oK7LW +h7YZ2XI5j08/aAApRsR84kcZdE3r+QYFHTuEnoc0ADkC3J9uIuQwl/CgTkw56OBP +MmA1GD79/MeYc/mvJujujWG0Y+tyuQCORzcYccEpYR8q6kf1r7+IUy1L8r4XFIwM +oW9eB4XyTrA8wKtWQfEpSAo+PX59hfafuOG8wKUPbTANSFK2ePQRJO/6T81rofOF +Bz9oeTjZV0f0EkJIcF14V2rksGVT0kAHndBw73w27ofj +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862.pem new file mode 100644 index 0000000000..c8d172b13d --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDIAKCAYEAzEjKQVdMNYbt8uE5P5znYqjWHP+G6Bp6Q93i0eE9NG15G+cBlcke +OJoYQr2fc3ypl6zjO6g8uZQHYvbQGY1zmYnGPikL+AgYqCpbFZHvZ2pG56TJ+2I/ ++d2zmsZifqkXsgQIRa6Hqp+JMW3y53PZjIEn2JYK1pTMRKfIWrfeYwoiZwi1rbeP +l+0D1MgT5AuLXw5H0wWNdKGScbbftRVNm3K3RwukICOvbpEQXIeI04I9wh2oS7x+ +evjZ0YXfN0HsUWYQ8rfA3i2OU9gUVFcbSgdpoSqtkicGJ/6AyyCENr2AuKFAkZ1A +BWYAJn2Nd4apsMflZckq8XdxX77juprjCsZ1DVn4X3hMRz4rnwqq6yPF31/KWyTx +s33PK0JixJCnOzpponSljC8Bo+iTmE9GvBBsxCFZXmKK1bWQpaedUpqcX4eaQHGK +fr7s0R9Ga+Z7LRvD2HeiZUSq+2fk9oW8nTzac/yFiQGlAq82WvQGIV3puYHtxHnZ +Ii24PuTDgy1BAhUAjyumRyUZPh0vSI+VGAJDqiMcmBUCggGAR+j+RHswsFB+TaHv +z8/b9zEBYOUvBfNeX3zs7teQnjRlTZJz2pwo0V2vv503Gv0s9d4Pzsw+ccDikqTr +je3HV8h4iEwb2meh4oFNmUUFuyk5RgEJ8yDPgWgcKTV5bX62QRg0Uch8hRPYCKjn +2hrLWCAc9qIHJY++s08uc1m799sn4chffNkb+fds2DOzzHKkKtj2WXzNyvFBnDOx +qFArr2H+g7Xfx+ykIjMpG3jxKClT+n2a0tiqDYD3HG4gxD2keTBpE/YinEm/6CnT +tLPi8K5wg22GxBpwB/MSBN2W7Q5fw9DnZLk6ROITMmYJE4NU7gEilkNaEmiajBXu +FfyfZdvc+GqpdH64TuzbbvaXckKfEpYEnYSJbIi3WX/71MtSAe4wIWAkU5xB/ujl +3gjX4qJQpm5k5aRVdJJ0IyVz7HaePpO7cdgKbcXiYPCdYIno8eDnUntDEwymmgnU +wsxOzNKiKkXRnku8Or34DiJvgIz5yyZGpIYI2keKNF2A0ins +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862_gind1.pem new file mode 100644 index 0000000000..e8d10f776b --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q160_t1862_gind1.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDIAKCAYEAyu7VtPuTmkampDvDUwh9tXFDrwrTDOKf7KbokrFNoT3xRjeIce8g +2t2q62jMrk2JnVziGBwq4vRCB6nUTxNnaKry6hF1h2sitlhONHcnNPWW1pXZ8SNZ +W7/YlsATYd3rfsVdtQ1VLnDmoGmSWjsJ0Oh5+XNw/v+DUvl2zaTtaMDl6ST+tH2w +K39RMEWJuUxBMFurWgcqc8jUcvVXSJcL+1Wf1DrVDEG1b6LgCTZeDnfpKaPMzHfW +BnxFMgA9SGek7CwSSOs5L9TmKeQHO2zKZ+pdQejITim5LnzsozgU/Fu66vE9shzu +d9ogHPlAqIpUFKyF4cJPXTNMpsBcsu2pJ0hJ6GoMINl6lTVWRNjWOtVeAn4mHLVQ +oA5OSHHq3nTALETGWkQabC28qh7OK3EbYdjyF4M+gaPWhR5X7qqSy9tUwfLcxc9Z +ngFsrRIDGWywofV3p+PRGSz/HAX4PB9bD3du4cDlT7F5MQsEpoQ0UaaMHp/RzeTo +yiIJDS9fBhtZAhUA4pXEvfNK1n84nAesZsnGmSHB+M0CggGAHQhfqwV7g8UT/JPX +5pJ9cBtLkeTdm0FhrkdoZ5mrfXJuml5mhdQwHh/gT5mQG8ilweaVh1P4GwR3CQ+o +1xqmoKzmu6B68exIXnW9JXrSC0HvthVzjve04P98VZWVzSPMAtfuFDa/XbXMqLdj +evZpBKTeAK1AO0R41t1By30epWazajHNZi5FmV5uwZsJPAqHe0asRhWALAWYK1gK +kdhJhPAlaYTpYnSgrUqM1svnO7T4JLGrzR+ijrs1B8R4EnYsrldQUnqzi5mdweAw +wugnvJTkFOmVn1iAnR0FIpFLzLh/pkp3Ajb4iK7R4hfAqHqlqhhqjHTPzjvKRdMn +bXpAiY8CAC47dNd4t/bIymv4bLXjMxrecd9Ar1LZe3Chcr1egPuOjdOFEcK1MP6w +wIPXJqtYulXjCfd3WR6uQSu/AsyCpOmzyR8EFZN10KoWLAEnGzdRXI5GQ9ddZl5o +tNBAwCGTXg6tTv8FscyLLFbfJ3WOSbe+rNb1MrVHshFBzvG8 +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862.pem new file mode 100644 index 0000000000..40e8e120da --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDKQKCAYEAxzGWJFWDGakaCqZHIekcTxRN6axWx6rTOyV1ZSljtuqNtGR4gZVW +BAxKs5eFqykkLl0JmiBJJ8hHpNEWLxU0CG/ZDh7OhlmgUL/o1TeVHHXChyGL4dwn +ds6VXAyBR7lSKoCfvdDpPkQb193XoXnjkt8qLwu4KVT+Xdv4F5oaulCbbMojqoP/ +VEyiYQhPVImIluiEYqjo3xQPAe1vgQ5gAqPnfmcppeHFkUWEGFn7qTTf+9EnUBtu +LTLfwzedwMQhJ32lBqouPqv7QB74KcvzYIJJKb3WTskiLcYOO7dcYEv02q3KYLrY +ij89nU3So5E60GLeQhFvQJA+kaAWC9bOpZT3pMsw9EDvHcbs+jNHNeZgrP9sgxya +X8/sW4QVjsQC3GC5L/wmEC6TtdXLZjr1z8aYi2HPO1VmSR26+Q+jwXfWT7mjrvZH +A1MIB9p8D3CcKOf0bgTSPq9J+NrUuTOQ/vL2JiQDqRiIfWACd3T8SSNANx9H08xg +fHpaurhi3703Ah0AhS3fDX9qc3nH8NDghaBjTNG4+EiSq7q59dH5WwKCAYEAjd0c +DFowwG/lKDDkBOP+ei7HNHizE/N5pJnrw8EFWwHbqgA6q0oihPlb+FIsEOFEJ13E +yQOX0gdotBhUaNFenNgq0XgT6Ji4PTqkd8PE7IqkO6RXSnHRaCbgAW+KlHgQlMpc +12KnRxPFbVErK75hfnGyDyIZ/7GZSvQ2pEdJutwyigCFmb+u69Ri+bOcV3OwtdHS +PfYXum0SF7UzDGYBlYvk6zVlFyMRMdq3Ulyk337zSHY8cwX3sEbSBASh5PrMm1SP +Z1kq23Uo+2sr/nRr3ZiLrJeGIbMaFVbpH59AaYbDBlpJHiUGlRfR9ogAgxDlwjqh +M1a/UZZfcGItFYSGwrLqv/NIHdrk6T4G/LiQsfj1n2TMzUTpSBXYOGdnVy1JyqBq +5T0bPbyRI3yyogpcMYIzbf5xwTXzTRl5IuesLKpDepjfnlG9OKNx8Tr7qcC/jtt2 ++eDnp0G/JEJRvKv6uMzNALaMTGkdVgtG21JrsBEvIH6tRGKOzXq3sGwOz9fE +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862_gind1.pem new file mode 100644 index 0000000000..19087a0735 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q224_t1862_gind1.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDKAKCAYEApa4oiH+yG20EaPlCODyXW0tys6dCwztUH4bK0IA8Ld/nhHImQzJ2 +co0twe51KwMDJrw8OCPXOQWe1S6MRrqhv04jkVO37dIdBrlEKQggL+8XFxWrzFtk +RsuGyAxPXcG7tprXCKIkXmJ4ZH4HziVPDr0dv9LBAtoOCqTh7P1Srr48IJsQbRPc +Rf74f5TtGZ41OqfJGK9uHZwpteG4uHK10ferEuSPzDY3I0DOgCYYmGjc6N4MKEOU +10TSUO2ye8IaXPdoayRincRRO/mKF+b62w27cbdn9hrq8aPyw2E7ehZyAduILevt +qEDRJyOxJ/oM7pRAbALytKz0wkCeNL+TxEM92mkLkrqdn3Hhl4xOUHG9W1odtwKJ +36YQMM0ubIy/ISHiwBzVAquiP1aSUudtNRf68g+WwuvRuMaic05j0nizubgtegew +9741+fdKKYRT+aOMsouEnqrOyUht9HnAHzdBVAoNymrvnuX+Ylnu77/D9PwoVhMl +3ttfx/omQzN5Ah0AgOSripFvRSJSWlDK22X8pfYa+QLmLgWMUxtYNwKCAYBlGgar +o2cx8BF839UFfvn4JOY5Sptc+EMBgdJFM+g+9DMUxq1gFkVjDPM8JR/rC5XJf22L +HlxrYAo6/0LZbyPQqm2MjjQJ6onH74nZG8Nn9qk6X2d4wmrMH41uIzd3NG3BEAK0 +9Bhq9TTYBEOduZIR8z4CNONYpom2/tcOBzNqMlQMJDJ5x/hkAlD+1bKlaZoFmwT/ +qhfkp5Z7WcLEq8TVzweSp4EzUtaftcprNVGXExF2nFiBH0NkOIXymOFht+BLgxKh +7xZFYGjc7H4aSQEap5vtKEkQMFoRB24zkrg2e/Wc/eUOEslGw37XTUsZLIg2U8Cl ++EeAm2VxGaZsh0EFmXOwLchwqttP4Tjf02t4CZh8T3I91GNutUaPV/K2QkUcuCLM +BLs+5et5hQiVMM9wp7psXoaexh9YMGx+nhfkIcPtxTAA6ERsg6muVsUAaEE+TxRk +EVqBR86jbmwYUTGMTYU44owlufenclS0W0aB6Flin2wxfgxzo9enIVRHmME= +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862.pem new file mode 100644 index 0000000000..c6352818d0 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDLAKCAYEA9y+7nMniLiXibpJ2MiTdolb4D3SclBqXgnT00VhgqUrx3rSfkQxZ +hljKyzZc2+Ijc7qnW5NvABRFwz/vZuEWUje8qRI6b+rydzK8X26A+RbbbC28xDLV +beKMh1Hx9O4zGVLBL3u66onoJSXhIiG4hu8wkympc9jGAmRIfIF2Uixy15387e1E +mFj7UH2F5frBxiSnPwZ3lFjPSB/U6nLzGgvIsl4xhZb0Txxn/TtECsyzdQnorixh +p5oMnqGa7/Bz1dCswUwTTmkJlqKW8qlJXO52+1+H0mqWCB3JC9EIvlerVgnUa+x9 +uDDya2gvwImH8PxReslOhn8hNqxL6/1v7yxoQvATOwBblkgUrv3jdBerppQV6Yb7 +p3/JnfPGnpF3q/9A4NuTmhXd+lhmx5sT06SNIQ1VCBqYJhTobHTHkNxVJuPwL+Fc +u2jBKXsyzFy6W+ac7yUY58Zi6WFcybx/Sp5zrLUa5EDABfWtyvsCYTgptIRq9AHe +EQIQUvDxgsLjAiEA8KuUTAHKlPQJvd2P8LFblBCyMRTZdemRjTLiy2zO3QsCggGA +bUzbh6SCW1qq0yacP+gPVKikYEmrtsAUphMF5nq3OivstvZ0TZ2M6bp3MIbrVznm +I69/8QnrSDGNqCCKAaoDjoTHWABlRnFKMa3HNhY5Wa0zpzch1ZMx339JmWwRmZOj +UeqlzDiSsD58oMG0VBW0gCssvhCaf6K9XlizJ4JkEG44WGZJX9iw6luiqWcO8QjS +tpwAh1WLgRO2JnrJ4adCF7XoGSptGDfV7oT1+w9IRWFGY3WJWz7c2fEY9hyzvwOM +/QUDEqk7jMxTatX6fzREiQLVflnNf4aO8Ioolt29b5xgOskdRfoX5OsFCS1WemV6 +H/XJonSweFY2fBsxj2z1k5uX2LuxeVPFkNquTIWQFgy/5DxxxzqtaykkBIqM/SIw +I8nsqn7rnMZ+ROPafj/QHuQZrrE9qq8PN4OuuZXCn6JrG/9goATXjsX0dwkSW+/Y +w3zHSAlZSMoaw2RW9i4cv6hSly1+nUBFNWnMRfyBMfIrchL/DpBdVrVWVEBD7Q4z +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862_gind1.pem new file mode 100644 index 0000000000..f465704959 --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1862_gind1.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDLAKCAYEAnNFWZGSkdpISzCBfFsZ8p3ouw0fzoyU+0t/DdKdGeiy/PtUkPCfn +KS+lmswLWdWFsQ7T9UtSVzdhDr+Jj9e4oLIDh1HfDGyLaNzvCCYOxWOnR+FdZQmC +G5F8iD9QhTKugy9BhbNTYlpog9MqxfpVwQsAaXmitcSSvnDxJ1KweCN8P0GbfkpI +JXma9SYWXjf6B5tH3Kb2xiPiaO0NSyjeyrossJosZfyYA3qKU/HEVYHLFkyAwMUu +RBCM9sgwWWIzAutLMb1y4H750NP4yeIyP9EZgdXplmJRb9Yous0QT17aQOiC2q6I +xyqXvhjScnRmMVetkbHibuKBpALwLA7dbNCpm+++WYdlMtBqlRkLfM4+BiCLPZT/ +6a9FYiKhNk12R7fdxWPFH4S9GfgUtLJpcwrFYvVbGfyD97O9gjzJiQ36zBrJEPv4 +kZ9MIv9J0qN2yUz7mT5IBKGDbIvBo60IVt7Q4+SyLT0ASZTxLInyUlravfGhog8e +nDOvJUDt2WSnAiEAtxINd2uhphWpMhicTM/N0/aVpQ7yv2rVTRCdGK48XzkCggGA +b1M093z0YaiSd2tM3kQMdLqtXKjDyv0joQGvKlPdPqeUzUuf0E8pvlM/Sp3hcNPi +E1Ll5duR22yFMPE9IXxzloUSY1lmx91T3MfU3mlknl6OKYAhCM9tHwv8IFauJ1CA +E3+mMz7quS0ZvB7hrfBnSI4Q3LcS/FQAg0d5EedLQ2Mdxp4zJFv0sfc7+hCt593h +ohVur/U34ezrrMkA9mnUfM2Kf4cHxbFpV/lTz0Ulan/Q7Oic95zflEdJXL0Fe9mt +1t6y+nkdfmIby9QTTeMSoUVmCmv5qvbyOgtNILtar28MADYPVU9tf289NVWexNCI +uBCangdkBQjgq8UHAdKZafpToYPBSi+tuGs4N2391+jK5vLW8dlhxdxh7bscmlxY +/lwjkU3SLTahErNBi7R45kohFD3iMO/Bum8Qv4s8MR1t6z4lWoICl6FvLBF9nZYV +ZfLUNbSrZgHR5vUJbp8rFsdS1zj2rj0LPrX4gdd6nDxdp/IcJG88/5hEPlfyAcpY +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864.pem new file mode 100644 index 0000000000..cb859d66fd --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDLAKCAYEAnplgg+QuPzBBKC7wqLoTVFSu1Vg9EAp2TdHFMUEAt2uLGPJn65SF +vahxsnRJpJKdu8RRSlcTGg1wBpL7wdes+fskrB4OrjEdrf77S/wCxTtKz3xe5AcW +N/qqlvbX+iGuxZKRvJfdbvqxJOo62hnuhNo5SeAh1f1bI7fs/MdF2dECT/LUYVgN +kIfhZKbGEUvaVxYdzbypWFimuPdMDzkrQKKARztQC9W9gZceB7Z86oW3Tq68wxoy +Qemq9zMlBZM9R+KKfCEOa5BI/cGj3As7/A2Y4JxWbaRq7Bq+M7xKtQqqDY9fHvlE +eYXUf0L/6RY9ZoDEOATK8VPiaqr2swimw7lmUVyiR+hdNJ5vrAMStL9+BnzAtFNJ +4N6gX4hdraHJfDKLSAryGqCMesJLb6YQwN0QEfp0uKV2e0z5m27bOQ/6H+i+AssY +Fr6Gbottp3S6/KrPKxWco16FD/DA3OkERQlk0wZai7mucLRmnHz9jhZ6crcez3RN ++/SBlIN1ydN7AiEAwDyPTTslGsYdkM/YopNoEbEu00WGfX2/pP8J2Np7678CggGA +Qu4x5iy2/FqZEbByskh/R3qQdeNvl+rA3TefDdVYK6jUZXZ5SE1ZBailE7e7LMBq +5ao3PyRtoixezZaYB0zFdMpwy3z/YCLHnvUMHaEFQHLQkJZ17JbWSHzhnPGT7K1h +LW36eTkSy0eXcjN5siIr9cnGlARYxccTuEOM8JP2am6fJLSP6JvvGsYgUIraRl38 +TXZ/EcF0msNgUabC+BCGpGBH2Z+2BI7e7yzBy7JSNsoZpf6mZ5dRMmiPlKD2AAvU +j76Sj/UbTrK+O8qrqvuHMT6VwpD3fktvJ/8ENrbwSZiFK+Mk4EWE6quYnxF0JQwj +t5TKhhoordP0li3R9Ie9A99iZszxrCNdpx1QH8OtNyf74TdsekUekNHmUwGg3set +xMVuO5/o5gu82WDIiFdvYrWvQ9jHyilBBKDNQmfnM5xzZwDjC7opwZ1u5oNbGcKR +jPB2Q57B7l4y2h3swGYIwnqMaYnPE32gewexx/YPK+ZhA9UfM5Q5RwUXm1RNkLfv +-----END DSA PARAMETERS----- diff --git a/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864_gind1.pem b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864_gind1.pem new file mode 100644 index 0000000000..b84b3eed3a --- /dev/null +++ b/test/recipes/15-test_dsaparam_data/valid/p3072_q256_t1864_gind1.pem @@ -0,0 +1,19 @@ +-----BEGIN DSA PARAMETERS----- +MIIDLAKCAYEAt9BaAblsCrKRV15aP/BFOpUxTG/wzSWarZZQJ32hGXVV7ROFeA7H +TvJdRWtjqvFNg0x1inAPUuSfoZi+dsXWPBc5M9vcZ9+GaB6NP/E/w8cxnnNO6a5f +Bkx68slvWTqtrUxSiwqOLIT7oeSn1ZHDniDAtyRu7WnZhVt6OsP2xQl071phpcd+ +exIwnDsknr6kjRhOFbdgTFLbvIJYEKy/p2dkGmi6a7DTmtwct9hQ5XePggumj5LG +05czAuvIDjfSe5hV1yIgbmchVvu+6WGnq4GUbgODROv2PHxnNEn8FgRBjJVjpcrL +onbKWolvDyam708+tJbAWXGltnukGMiO2b+ODe6ZwzmxXOE4jn/SGkUeTAuzNSAe +BsSsDGn5vZGKhnIkw9ISS29s6qbvhxR3zVLURdCDgFHJQ+Rg1aUsTpeBPlDHP6bw +sRCR5mktZc3xOkUtqBIoR5hjXD+c+0TkMOJRGNzfXLhh1LIbyLpmj4WQK7+ytJO3 +dtUJDpKhEiGhAiEAzFeLXUhljzm6+rCQiiV9cmi5Eyh+wMSwgAsMaVPM6b0CggGA +arqNlSzXpGvyu7J8xWiwYFX2Q4LXpo7AerEW4SVBna+VWSQuyZL/iMYD4eNPrle7 +aVyXRBBBc5FJmfkezG4pf3MQhLNrJoBRyRCIf/CbG8em3eBf3pBIUs7Vd9z8RAFs +Y4cIMteTLbDVULWdfvK2eM5gTf0jl5sjyY+OPSFpNiBpfmIdoStX80j+ygo7MgcI +N+U1Nn8i0DVzjpfm+lBFbkGNrZEy63mNi6UW6m6FnpZSQqqeC/Xy6mqrjHMDoclv +rZuTGSY47IiHTX4cYaXYArwuN6qBQkTNeSDsCzbx21hFmKEXscelumwvXmxJcxr/ +6x6Ymvu/G0NokJk3Z8cOS0OCfXOLxk5kH4C/i3UOEhl9LH9eOd2qQoF3KoaNHkCy +IYwipLyqtQ+o/+qRruOfv1JruRawyl1G1UteU5nire/mcaD7/lJqvfBPD1Z1eBpP +VR4ItsVBbztmDYr9OX6hFH5CuJSW55KBtEME+R5Au2q3d1wZz4/PD7xLio8lWc48 +-----END DSA PARAMETERS----- From dev at ddvo.net Thu Feb 18 10:22:51 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 18 Feb 2021 10:22:51 +0000 Subject: [openssl] master update Message-ID: <1613643771.106542.28287.nullmailer@dev.openssl.org> The branch master has been updated via 0b3139e815d3d14c4d7506488add6e02a2b682ec (commit) from ba37b82045b1b2fbcbf7580b317de5e3b52c8035 (commit) - Log ----------------------------------------------------------------- commit 0b3139e815d3d14c4d7506488add6e02a2b682ec Author: Dr. David von Oheimb Date: Thu Feb 11 21:07:14 2021 +0100 chain_build(): Call verify_cb_cert() if a preliminary error has become final Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14157) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index d5c09d28f4..83dddeeb3d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -352,7 +352,7 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer) */ if (err != X509_V_ERR_SUBJECT_ISSUER_MISMATCH) ctx->error = err; - return 0; /* Better call verify_cb_cert(ctx, x, ctx->error_depth, err) ? */ + return 0; } /* @@ -3282,10 +3282,17 @@ static int build_chain(X509_STORE_CTX *ctx) return 0; case X509_TRUST_UNTRUSTED: default: - if (ctx->error != X509_V_OK) - /* Callback already issued in most such cases */ - return 0; - num = sk_X509_num(ctx->chain); + switch(ctx->error) { + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + case X509_V_ERR_CERT_HAS_EXPIRED: + return 0; /* Callback already issued by x509_check_cert_time() */ + default: /* A preliminary error has become final */ + return verify_cb_cert(ctx, NULL, num - 1, ctx->error); + case X509_V_OK: + break; + } CB_FAIL_IF(num > depth, ctx, NULL, num - 1, X509_V_ERR_CERT_CHAIN_TOO_LONG); CB_FAIL_IF(DANETLS_ENABLED(dane) From beldmit at gmail.com Thu Feb 18 11:05:25 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Thu, 18 Feb 2021 11:05:25 +0000 Subject: [openssl] master update Message-ID: <1613646325.251769.2902.nullmailer@dev.openssl.org> The branch master has been updated via 5d8ffebbcdf4992d3c428201b1f3330020bbe92e (commit) from 0b3139e815d3d14c4d7506488add6e02a2b682ec (commit) - Log ----------------------------------------------------------------- commit 5d8ffebbcdf4992d3c428201b1f3330020bbe92e Author: Sahana Prasad Date: Mon Jan 25 14:44:29 2021 +0100 DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters Fixes #13569 Signed-off-by: Sahana Prasad Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13955) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_lib.c | 12 +++++++++--- doc/man3/DH_size.pod | 9 ++++++--- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index e8a66878ab..46aba02bad 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -187,12 +187,16 @@ void *DH_get_ex_data(const DH *d, int idx) int DH_bits(const DH *dh) { - return BN_num_bits(dh->params.p); + if (dh->params.p != NULL) + return BN_num_bits(dh->params.p); + return -1; } int DH_size(const DH *dh) { - return BN_num_bytes(dh->params.p); + if (dh->params.p != NULL) + return BN_num_bytes(dh->params.p); + return -1; } int DH_security_bits(const DH *dh) @@ -204,7 +208,9 @@ int DH_security_bits(const DH *dh) N = dh->length; else N = -1; - return BN_security_bits(BN_num_bits(dh->params.p), N); + if (dh->params.p != NULL) + return BN_security_bits(BN_num_bits(dh->params.p), N); + return -1; } void DH_get0_pqg(const DH *dh, diff --git a/doc/man3/DH_size.pod b/doc/man3/DH_size.pod index 099c1bad3f..99e34034f2 100644 --- a/doc/man3/DH_size.pod +++ b/doc/man3/DH_size.pod @@ -38,11 +38,14 @@ key. See L. =head1 RETURN VALUES -DH_bits() returns the number of bits in the key. +DH_bits() returns the number of bits in the key, or -1 if +B doesn't hold any key parameters. -DH_size() returns the prime size of Diffie-Hellman in bytes. +DH_size() returns the prime size of Diffie-Hellman in bytes, or -1 if +B doesn't hold any key parameters. -DH_security_bits() returns the number of security bits. +DH_security_bits() returns the number of security bits, or -1 if +B doesn't hold any key parameters. =head1 SEE ALSO From tomas at openssl.org Thu Feb 18 11:12:04 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 18 Feb 2021 11:12:04 +0000 Subject: [openssl] master update Message-ID: <1613646724.852953.11975.nullmailer@dev.openssl.org> The branch master has been updated via bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea (commit) from 5d8ffebbcdf4992d3c428201b1f3330020bbe92e (commit) - Log ----------------------------------------------------------------- commit bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea Author: zekeevans-mf <77804765+zekeevans-mf at users.noreply.github.com> Date: Thu Jan 21 12:24:51 2021 -0700 Add deep copy of propq field in mac_dupctx to avoid double free mac_dupctx() should make a copy of the propq field. Currently it does a shallow copy which can result in a double free and crash. The double free occurs when using a provider property string. For example, passing in "fips=no" to SSL_CTX_new_ex() causes the propq field to get set to that value. When mac_dupctx() and mac_freectx() is called (ie: in SSL_write()) it ends up freeing the reference of the original object instead of a copy. Reviewed-by: Paul Dale Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13926) ----------------------------------------------------------------------- Summary of changes: providers/implementations/signature/mac_legacy.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c index 7d23e36f2b..2386583069 100644 --- a/providers/implementations/signature/mac_legacy.c +++ b/providers/implementations/signature/mac_legacy.c @@ -172,9 +172,13 @@ static void *mac_dupctx(void *vpmacctx) return NULL; *dstctx = *srcctx; + dstctx->propq = NULL; dstctx->key = NULL; dstctx->macctx = NULL; + if (srcctx->propq != NULL && (dstctx->propq = OPENSSL_strdup(srcctx->propq)) == NULL) + goto err; + if (srcctx->key != NULL && !ossl_mac_key_up_ref(srcctx->key)) goto err; dstctx->key = srcctx->key; From pauli at openssl.org Thu Feb 18 11:15:14 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 18 Feb 2021 11:15:14 +0000 Subject: [openssl] master update Message-ID: <1613646914.541247.13716.nullmailer@dev.openssl.org> The branch master has been updated via 7b676cc8c60823570e283fbe325b263670c6ccc2 (commit) via 47c076acfc5debbae386c552bdb423e832042ae7 (commit) from bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea (commit) - Log ----------------------------------------------------------------- commit 7b676cc8c60823570e283fbe325b263670c6ccc2 Author: Shane Lontis Date: Wed Feb 17 20:01:34 2021 +1000 Fix external symbols related to provider related security checks for keys and digests. Partial fix for #12964 This adds ossl_ names for the following symbols: digest_get_approved_nid, digest_get_approved_nid_with_sha1 digest_is_allowed, digest_md_to_nid, digest_rsa_sign_get_md_nid, securitycheck_enabled, dh_check_key, dsa_check_key, ec_check_key, Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14211) commit 47c076acfc5debbae386c552bdb423e832042ae7 Author: Shane Lontis Date: Wed Feb 17 19:56:35 2021 +1000 Fix external symbols in the provider digest implementations. Partial fix for #12964 This adds ossl_ names for the following symbols: blake2b512_init,blake2b_final,blake2b_init,blake2b_init_key, blake2b_param_init,blake2b_param_set_digest_length,blake2b_param_set_key_length, blake2b_param_set_personal,blake2b_param_set_salt,blake2b_update, blake2s256_init,blake2s_final,blake2s_init,blake2s_init_key, blake2s_param_init,blake2s_param_set_digest_length,blake2s_param_set_key_length, blake2s_param_set_personal,blake2s_param_set_salt,blake2s_update, digest_default_get_params,digest_default_gettable_params Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14211) ----------------------------------------------------------------------- Summary of changes: crypto/evp/legacy_blake2.c | 8 ++-- providers/common/digest_to_nid.c | 6 +-- providers/common/include/prov/securitycheck.h | 18 ++++---- providers/common/securitycheck.c | 26 ++++++------ providers/common/securitycheck_default.c | 9 ++-- providers/common/securitycheck_fips.c | 10 ++--- providers/implementations/digests/blake2_prov.c | 22 +++++----- providers/implementations/digests/blake2b_prov.c | 23 +++++----- providers/implementations/digests/blake2s_prov.c | 23 +++++----- providers/implementations/digests/digestcommon.c | 6 +-- providers/implementations/exchange/dh_exch.c | 4 +- providers/implementations/exchange/ecdh_exch.c | 6 +-- providers/implementations/include/prov/blake2.h | 49 ++++++++++++---------- .../implementations/include/prov/digestcommon.h | 26 ++++++------ providers/implementations/macs/blake2b_mac.c | 16 +++---- providers/implementations/macs/blake2s_mac.c | 16 +++---- providers/implementations/signature/dsa.c | 4 +- providers/implementations/signature/ecdsa.c | 4 +- providers/implementations/signature/rsa.c | 4 +- 19 files changed, 147 insertions(+), 133 deletions(-) diff --git a/crypto/evp/legacy_blake2.c b/crypto/evp/legacy_blake2.c index e03403406f..22765aca0d 100644 --- a/crypto/evp/legacy_blake2.c +++ b/crypto/evp/legacy_blake2.c @@ -11,11 +11,11 @@ #include "prov/blake2.h" /* diverse BLAKE2 macros */ #include "legacy_meth.h" -#define blake2b_init blake2b512_init -#define blake2s_init blake2s256_init +#define ossl_blake2b_init ossl_blake2b512_init +#define ossl_blake2s_init ossl_blake2s256_init -IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2s_int, blake2s) -IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2b_int, blake2b) +IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2s_int, ossl_blake2s) +IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2b_int, ossl_blake2b) static const EVP_MD blake2b_md = { NID_blake2b512, diff --git a/providers/common/digest_to_nid.c b/providers/common/digest_to_nid.c index 496d814173..f66b61b4fa 100644 --- a/providers/common/digest_to_nid.c +++ b/providers/common/digest_to_nid.c @@ -20,7 +20,7 @@ * Internal library code deals with NIDs, so we need to translate from a name. * We do so using EVP_MD_is_a(), and therefore need a name to NID map. */ -int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len) +int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len) { size_t i; @@ -37,7 +37,7 @@ int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len) * Retrieve one of the FIPs approved hash algorithms by nid. * See FIPS 180-4 "Secure Hash Standard" and FIPS 202 - SHA-3. */ -int digest_get_approved_nid(const EVP_MD *md) +int ossl_digest_get_approved_nid(const EVP_MD *md) { static const OSSL_ITEM name_to_nid[] = { { NID_sha1, OSSL_DIGEST_NAME_SHA1 }, @@ -53,5 +53,5 @@ int digest_get_approved_nid(const EVP_MD *md) { NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 }, }; - return digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); + return ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); } diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h index a9e69c8a29..2b81092f30 100644 --- a/providers/common/include/prov/securitycheck.h +++ b/providers/common/include/prov/securitycheck.h @@ -11,17 +11,17 @@ /* Functions that are common */ int ossl_rsa_check_key(const RSA *rsa, int protect); -int ec_check_key(const EC_KEY *ec, int protect); -int dsa_check_key(const DSA *dsa, int sign); -int dh_check_key(const DH *dh); +int ossl_ec_check_key(const EC_KEY *ec, int protect); +int ossl_dsa_check_key(const DSA *dsa, int sign); +int ossl_dh_check_key(const DH *dh); -int digest_is_allowed(const EVP_MD *md); -int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed); +int ossl_digest_is_allowed(const EVP_MD *md); +int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed); /* Functions that are common */ -int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len); -int digest_get_approved_nid(const EVP_MD *md); +int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len); +int ossl_digest_get_approved_nid(const EVP_MD *md); /* Functions that have different implementations for the FIPS_MODULE */ -int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed); -int securitycheck_enabled(void); +int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed); +int ossl_securitycheck_enabled(void); diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index 9457f4b53a..547b74fe3a 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -28,7 +28,7 @@ int ossl_rsa_check_key(const RSA *rsa, int protect) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { int sz = RSA_bits(rsa); return protect ? (sz >= 2048) : (sz >= 1024); @@ -52,10 +52,10 @@ int ossl_rsa_check_key(const RSA *rsa, int protect) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int ec_check_key(const EC_KEY *ec, int protect) +int ossl_ec_check_key(const EC_KEY *ec, int protect) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { int nid, strength; const char *curve_name; const EC_GROUP *group = EC_KEY_get0_group(ec); @@ -110,10 +110,10 @@ int ec_check_key(const EC_KEY *ec, int protect) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int dsa_check_key(const DSA *dsa, int sign) +int ossl_dsa_check_key(const DSA *dsa, int sign) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { size_t L, N; const BIGNUM *p, *q; @@ -154,10 +154,10 @@ int dsa_check_key(const DSA *dsa, int sign) * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and * "Appendix D" FFC Safe-prime Groups */ -int dh_check_key(const DH *dh) +int ossl_dh_check_key(const DH *dh) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { size_t L, N; const BIGNUM *p, *q; @@ -187,12 +187,12 @@ int dh_check_key(const DH *dh) } #endif /* OPENSSL_NO_DH */ -int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) +int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) { - int mdnid = digest_get_approved_nid(md); + int mdnid = ossl_digest_get_approved_nid(md); # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { if (mdnid == NID_sha1 && !sha1_allowed) mdnid = NID_undef; } @@ -200,11 +200,11 @@ int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) return mdnid; } -int digest_is_allowed(const EVP_MD *md) +int ossl_digest_is_allowed(const EVP_MD *md) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) - return digest_get_approved_nid(md) != NID_undef; + if (ossl_securitycheck_enabled()) + return ossl_digest_get_approved_nid(md) != NID_undef; # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; } diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c index e88b642ae2..7bb5639882 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -17,12 +17,13 @@ #include "internal/nelem.h" /* Disable the security checks in the default provider */ -int securitycheck_enabled(void) +int ossl_securitycheck_enabled(void) { return 0; } -int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed) +int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, + ossl_unused int sha1_allowed) { int mdnid; @@ -35,8 +36,8 @@ int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed) { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, }; - mdnid = digest_get_approved_nid_with_sha1(md, 1); + mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1); if (mdnid == NID_undef) - mdnid = digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); + mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); return mdnid; } diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index 5bf59c9a35..35f82433db 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c @@ -21,7 +21,7 @@ extern int FIPS_security_check_enabled(void); -int securitycheck_enabled(void) +int ossl_securitycheck_enabled(void) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) return FIPS_security_check_enabled(); @@ -30,11 +30,11 @@ int securitycheck_enabled(void) #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ } -int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed) +int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) - return digest_get_approved_nid_with_sha1(md, sha1_allowed); + if (ossl_securitycheck_enabled()) + return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ - return digest_get_approved_nid(md); + return ossl_digest_get_approved_nid(md); } diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c index 8bb1050f43..a97d17a91b 100644 --- a/providers/implementations/digests/blake2_prov.c +++ b/providers/implementations/digests/blake2_prov.c @@ -12,31 +12,33 @@ #include "prov/digestcommon.h" #include "prov/implementations.h" -OSSL_FUNC_digest_init_fn blake2s256_init; -OSSL_FUNC_digest_init_fn blake2b512_init; +OSSL_FUNC_digest_init_fn ossl_blake2s256_init; +OSSL_FUNC_digest_init_fn ossl_blake2b512_init; -int blake2s256_init(void *ctx) +int ossl_blake2s256_init(void *ctx) { BLAKE2S_PARAM P; - blake2s_param_init(&P); - return blake2s_init((BLAKE2S_CTX *)ctx, &P); + ossl_blake2s_param_init(&P); + return ossl_blake2s_init((BLAKE2S_CTX *)ctx, &P); } -int blake2b512_init(void *ctx) +int ossl_blake2b512_init(void *ctx) { BLAKE2B_PARAM P; - blake2b_param_init(&P); - return blake2b_init((BLAKE2B_CTX *)ctx, &P); + ossl_blake2b_param_init(&P); + return ossl_blake2b_init((BLAKE2B_CTX *)ctx, &P); } /* ossl_blake2s256_functions */ IMPLEMENT_digest_functions(blake2s256, BLAKE2S_CTX, BLAKE2S_BLOCKBYTES, BLAKE2S_DIGEST_LENGTH, 0, - blake2s256_init, blake2s_update, blake2s_final) + ossl_blake2s256_init, ossl_blake2s_update, + ossl_blake2s_final) /* ossl_blake2b512_functions */ IMPLEMENT_digest_functions(blake2b512, BLAKE2B_CTX, BLAKE2B_BLOCKBYTES, BLAKE2B_DIGEST_LENGTH, 0, - blake2b512_init, blake2b_update, blake2b_final) + ossl_blake2b512_init, ossl_blake2b_update, + ossl_blake2b_final) diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c index baa33e922f..2b31882c1f 100644 --- a/providers/implementations/digests/blake2b_prov.c +++ b/providers/implementations/digests/blake2b_prov.c @@ -80,7 +80,7 @@ static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P) } /* Initialize the parameter block with default values */ -void blake2b_param_init(BLAKE2B_PARAM *P) +void ossl_blake2b_param_init(BLAKE2B_PARAM *P) { P->digest_length = BLAKE2B_DIGEST_LENGTH; P->key_length = 0; @@ -95,23 +95,25 @@ void blake2b_param_init(BLAKE2B_PARAM *P) memset(P->personal, 0, sizeof(P->personal)); } -void blake2b_param_set_digest_length(BLAKE2B_PARAM *P, uint8_t outlen) +void ossl_blake2b_param_set_digest_length(BLAKE2B_PARAM *P, uint8_t outlen) { P->digest_length = outlen; } -void blake2b_param_set_key_length(BLAKE2B_PARAM *P, uint8_t keylen) +void ossl_blake2b_param_set_key_length(BLAKE2B_PARAM *P, uint8_t keylen) { P->key_length = keylen; } -void blake2b_param_set_personal(BLAKE2B_PARAM *P, const uint8_t *personal, size_t len) +void ossl_blake2b_param_set_personal(BLAKE2B_PARAM *P, const uint8_t *personal, + size_t len) { memcpy(P->personal, personal, len); memset(P->personal + len, 0, BLAKE2B_PERSONALBYTES - len); } -void blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt, size_t len) +void ossl_blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt, + size_t len) { memcpy(P->salt, salt, len); memset(P->salt + len, 0, BLAKE2B_SALTBYTES - len); @@ -121,7 +123,7 @@ void blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt, size_t len) * Initialize the hashing context with the given parameter block. * Always returns 1. */ -int blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P) +int ossl_blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P) { blake2b_init_param(c, P); return 1; @@ -131,7 +133,8 @@ int blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P) * Initialize the hashing context with the given parameter block and key. * Always returns 1. */ -int blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, const void *key) +int ossl_blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, + const void *key) { blake2b_init_param(c, P); @@ -140,7 +143,7 @@ int blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, const void *key) uint8_t block[BLAKE2B_BLOCKBYTES] = {0}; memcpy(block, key, P->key_length); - blake2b_update(c, block, BLAKE2B_BLOCKBYTES); + ossl_blake2b_update(c, block, BLAKE2B_BLOCKBYTES); OPENSSL_cleanse(block, BLAKE2B_BLOCKBYTES); } @@ -252,7 +255,7 @@ static void blake2b_compress(BLAKE2B_CTX *S, } /* Absorb the input data into the hash state. Always returns 1. */ -int blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen) +int ossl_blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen) { const uint8_t *in = data; size_t fill; @@ -300,7 +303,7 @@ int blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen) * Calculate the final hash and save it in md. * Always returns 1. */ -int blake2b_final(unsigned char *md, BLAKE2B_CTX *c) +int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c) { uint8_t outbuffer[BLAKE2B_OUTBYTES] = {0}; uint8_t *target = outbuffer; diff --git a/providers/implementations/digests/blake2s_prov.c b/providers/implementations/digests/blake2s_prov.c index 703d8a8fab..997d0e2943 100644 --- a/providers/implementations/digests/blake2s_prov.c +++ b/providers/implementations/digests/blake2s_prov.c @@ -75,7 +75,7 @@ static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P) } } -void blake2s_param_init(BLAKE2S_PARAM *P) +void ossl_blake2s_param_init(BLAKE2S_PARAM *P) { P->digest_length = BLAKE2S_DIGEST_LENGTH; P->key_length = 0; @@ -89,23 +89,25 @@ void blake2s_param_init(BLAKE2S_PARAM *P) memset(P->personal, 0, sizeof(P->personal)); } -void blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen) +void ossl_blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen) { P->digest_length = outlen; } -void blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen) +void ossl_blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen) { P->key_length = keylen; } -void blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal, size_t len) +void ossl_blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal, + size_t len) { memcpy(P->personal, personal, len); memset(P->personal + len, 0, BLAKE2S_PERSONALBYTES - len); } -void blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, size_t len) +void ossl_blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, + size_t len) { memcpy(P->salt, salt, len); memset(P->salt + len, 0, BLAKE2S_SALTBYTES - len);} @@ -114,7 +116,7 @@ void blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, size_t len) * Initialize the hashing context with the given parameter block. * Always returns 1. */ -int blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P) +int ossl_blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P) { blake2s_init_param(c, P); return 1; @@ -124,7 +126,8 @@ int blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P) * Initialize the hashing context with the given parameter block and key. * Always returns 1. */ -int blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, const void *key) +int ossl_blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, + const void *key) { blake2s_init_param(c, P); @@ -133,7 +136,7 @@ int blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, const void *key) uint8_t block[BLAKE2S_BLOCKBYTES] = {0}; memcpy(block, key, P->key_length); - blake2s_update(c, block, BLAKE2S_BLOCKBYTES); + ossl_blake2s_update(c, block, BLAKE2S_BLOCKBYTES); OPENSSL_cleanse(block, BLAKE2S_BLOCKBYTES); } @@ -243,7 +246,7 @@ static void blake2s_compress(BLAKE2S_CTX *S, } /* Absorb the input data into the hash state. Always returns 1. */ -int blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen) +int ossl_blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen) { const uint8_t *in = data; size_t fill; @@ -291,7 +294,7 @@ int blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen) * Calculate the final hash and save it in md. * Always returns 1. */ -int blake2s_final(unsigned char *md, BLAKE2S_CTX *c) +int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c) { uint8_t outbuffer[BLAKE2S_OUTBYTES] = {0}; uint8_t *target = outbuffer; diff --git a/providers/implementations/digests/digestcommon.c b/providers/implementations/digests/digestcommon.c index cbf32ac2f9..373b3bbf1c 100644 --- a/providers/implementations/digests/digestcommon.c +++ b/providers/implementations/digests/digestcommon.c @@ -11,8 +11,8 @@ #include #include "prov/digestcommon.h" -int digest_default_get_params(OSSL_PARAM params[], size_t blksz, size_t paramsz, - unsigned long flags) +int ossl_digest_default_get_params(OSSL_PARAM params[], size_t blksz, + size_t paramsz, unsigned long flags) { OSSL_PARAM *p = NULL; @@ -48,7 +48,7 @@ static const OSSL_PARAM digest_default_known_gettable_params[] = { OSSL_PARAM_int(OSSL_DIGEST_PARAM_ALGID_ABSENT, NULL), OSSL_PARAM_END }; -const OSSL_PARAM *digest_default_gettable_params(void *provctx) +const OSSL_PARAM *ossl_digest_default_gettable_params(void *provctx) { return digest_default_known_gettable_params; } diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index df412ccf73..32ce2ee0ed 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -104,7 +104,7 @@ static int dh_init(void *vpdhctx, void *vdh) DH_free(pdhctx->dh); pdhctx->dh = vdh; pdhctx->kdf_type = PROV_DH_KDF_NONE; - return dh_check_key(vdh); + return ossl_dh_check_key(vdh); } static int dh_set_peer(void *vpdhctx, void *vdh) @@ -321,7 +321,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops); - if (!digest_is_allowed(pdhctx->kdf_md)) { + if (!ossl_digest_is_allowed(pdhctx->kdf_md)) { EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL; } diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index a1b17443ba..8d3f748f9b 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -111,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh) pecdhctx->k = vecdh; pecdhctx->cofactor_mode = -1; pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; - return ec_check_key(vecdh, 1); + return ossl_ec_check_key(vecdh, 1); } static @@ -126,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh) return 0; EC_KEY_free(pecdhctx->peerk); pecdhctx->peerk = vecdh; - return ec_check_key(vecdh, 1); + return ossl_ec_check_key(vecdh, 1); } static @@ -254,7 +254,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) EVP_MD_free(pectx->kdf_md); pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); - if (!digest_is_allowed(pectx->kdf_md)) { + if (!ossl_digest_is_allowed(pectx->kdf_md)) { EVP_MD_free(pectx->kdf_md); pectx->kdf_md = NULL; } diff --git a/providers/implementations/include/prov/blake2.h b/providers/implementations/include/prov/blake2.h index 895cfb87f0..33b82490ef 100644 --- a/providers/implementations/include/prov/blake2.h +++ b/providers/implementations/include/prov/blake2.h @@ -83,34 +83,39 @@ struct blake2b_ctx_st { typedef struct blake2s_ctx_st BLAKE2S_CTX; typedef struct blake2b_ctx_st BLAKE2B_CTX; -int blake2s256_init(void *ctx); -int blake2b512_init(void *ctx); +int ossl_blake2s256_init(void *ctx); +int ossl_blake2b512_init(void *ctx); -int blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P); -int blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, const void *key); -int blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen); -int blake2b_final(unsigned char *md, BLAKE2B_CTX *c); +int ossl_blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P); +int ossl_blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, + const void *key); +int ossl_blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen); +int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c); /* * These setters are internal and do not check the validity of their parameters. * See blake2b_mac_ctrl for validation logic. */ -void blake2b_param_init(BLAKE2B_PARAM *P); -void blake2b_param_set_digest_length(BLAKE2B_PARAM *P, uint8_t outlen); -void blake2b_param_set_key_length(BLAKE2B_PARAM *P, uint8_t keylen); -void blake2b_param_set_personal(BLAKE2B_PARAM *P, const uint8_t *personal, size_t length); -void blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt, size_t length); - -int blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P); -int blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, const void *key); -int blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen); -int blake2s_final(unsigned char *md, BLAKE2S_CTX *c); - -void blake2s_param_init(BLAKE2S_PARAM *P); -void blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen); -void blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen); -void blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal, size_t length); -void blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, size_t length); +void ossl_blake2b_param_init(BLAKE2B_PARAM *P); +void ossl_blake2b_param_set_digest_length(BLAKE2B_PARAM *P, uint8_t outlen); +void ossl_blake2b_param_set_key_length(BLAKE2B_PARAM *P, uint8_t keylen); +void ossl_blake2b_param_set_personal(BLAKE2B_PARAM *P, const uint8_t *personal, + size_t length); +void ossl_blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt, + size_t length); +int ossl_blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P); +int ossl_blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, + const void *key); +int ossl_blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen); +int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c); + +void ossl_blake2s_param_init(BLAKE2S_PARAM *P); +void ossl_blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen); +void ossl_blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen); +void ossl_blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal, + size_t length); +void ossl_blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, + size_t length); #endif /* OSSL_PROVIDERS_DEFAULT_INCLUDE_INTERNAL_BLAKE2_H */ diff --git a/providers/implementations/include/prov/digestcommon.h b/providers/implementations/include/prov/digestcommon.h index f1164c5a1a..894e7295e5 100644 --- a/providers/implementations/include/prov/digestcommon.h +++ b/providers/implementations/include/prov/digestcommon.h @@ -24,25 +24,25 @@ extern "C" { # endif #define PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \ -static OSSL_FUNC_digest_get_params_fn name##_get_params; \ +static OSSL_FUNC_digest_get_params_fn name##_get_params; \ static int name##_get_params(OSSL_PARAM params[]) \ { \ - return digest_default_get_params(params, blksize, dgstsize, flags); \ + return ossl_digest_default_get_params(params, blksize, dgstsize, flags); \ } #define PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name) \ { OSSL_FUNC_DIGEST_GET_PARAMS, (void (*)(void))name##_get_params }, \ { OSSL_FUNC_DIGEST_GETTABLE_PARAMS, \ - (void (*)(void))digest_default_gettable_params } + (void (*)(void))ossl_digest_default_gettable_params } # define PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_START( \ name, CTX, blksize, dgstsize, flags, init, upd, fin) \ -static OSSL_FUNC_digest_newctx_fn name##_newctx; \ -static OSSL_FUNC_digest_freectx_fn name##_freectx; \ -static OSSL_FUNC_digest_dupctx_fn name##_dupctx; \ +static OSSL_FUNC_digest_newctx_fn name##_newctx; \ +static OSSL_FUNC_digest_freectx_fn name##_freectx; \ +static OSSL_FUNC_digest_dupctx_fn name##_dupctx; \ static void *name##_newctx(void *prov_ctx) \ { \ - CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) : NULL; \ + CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) : NULL; \ return ctx; \ } \ static void name##_freectx(void *vctx) \ @@ -53,7 +53,7 @@ static void name##_freectx(void *vctx) \ static void *name##_dupctx(void *ctx) \ { \ CTX *in = (CTX *)ctx; \ - CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret)) : NULL; \ + CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret)) : NULL; \ if (ret != NULL) \ *ret = *in; \ return ret; \ @@ -61,13 +61,13 @@ static void *name##_dupctx(void *ctx) \ static OSSL_FUNC_digest_init_fn name##_internal_init; \ static int name##_internal_init(void *ctx) \ { \ - return ossl_prov_is_running() ? init(ctx) : 0; \ + return ossl_prov_is_running() ? init(ctx) : 0; \ } \ static OSSL_FUNC_digest_final_fn name##_internal_final; \ static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl, \ size_t outsz) \ { \ - if (ossl_prov_is_running() && outsz >= dgstsize && fin(out, ctx)) { \ + if (ossl_prov_is_running() && outsz >= dgstsize && fin(out, ctx)) { \ *outl = dgstsize; \ return 1; \ } \ @@ -103,9 +103,9 @@ PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_START(name, CTX, blksize, dgstsize, flags, \ PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END -const OSSL_PARAM *digest_default_gettable_params(void *provctx); -int digest_default_get_params(OSSL_PARAM params[], size_t blksz, size_t paramsz, - unsigned long flags); +const OSSL_PARAM *ossl_digest_default_gettable_params(void *provctx); +int ossl_digest_default_get_params(OSSL_PARAM params[], size_t blksz, + size_t paramsz, unsigned long flags); # ifdef __cplusplus } diff --git a/providers/implementations/macs/blake2b_mac.c b/providers/implementations/macs/blake2b_mac.c index 31c3dd03b3..d1781d0d96 100644 --- a/providers/implementations/macs/blake2b_mac.c +++ b/providers/implementations/macs/blake2b_mac.c @@ -16,14 +16,14 @@ #define BLAKE2_SALTBYTES BLAKE2B_SALTBYTES /* Function names */ -#define BLAKE2_PARAM_INIT blake2b_param_init -#define BLAKE2_INIT_KEY blake2b_init_key -#define BLAKE2_UPDATE blake2b_update -#define BLAKE2_FINAL blake2b_final -#define BLAKE2_PARAM_SET_DIGEST_LENGTH blake2b_param_set_digest_length -#define BLAKE2_PARAM_SET_KEY_LENGTH blake2b_param_set_key_length -#define BLAKE2_PARAM_SET_PERSONAL blake2b_param_set_personal -#define BLAKE2_PARAM_SET_SALT blake2b_param_set_salt +#define BLAKE2_PARAM_INIT ossl_blake2b_param_init +#define BLAKE2_INIT_KEY ossl_blake2b_init_key +#define BLAKE2_UPDATE ossl_blake2b_update +#define BLAKE2_FINAL ossl_blake2b_final +#define BLAKE2_PARAM_SET_DIGEST_LENGTH ossl_blake2b_param_set_digest_length +#define BLAKE2_PARAM_SET_KEY_LENGTH ossl_blake2b_param_set_key_length +#define BLAKE2_PARAM_SET_PERSONAL ossl_blake2b_param_set_personal +#define BLAKE2_PARAM_SET_SALT ossl_blake2b_param_set_salt /* OSSL_DISPATCH symbol */ #define BLAKE2_FUNCTIONS ossl_blake2bmac_functions diff --git a/providers/implementations/macs/blake2s_mac.c b/providers/implementations/macs/blake2s_mac.c index 54db7e3a92..90583a51a8 100644 --- a/providers/implementations/macs/blake2s_mac.c +++ b/providers/implementations/macs/blake2s_mac.c @@ -16,14 +16,14 @@ #define BLAKE2_SALTBYTES BLAKE2S_SALTBYTES /* Function names */ -#define BLAKE2_PARAM_INIT blake2s_param_init -#define BLAKE2_INIT_KEY blake2s_init_key -#define BLAKE2_UPDATE blake2s_update -#define BLAKE2_FINAL blake2s_final -#define BLAKE2_PARAM_SET_DIGEST_LENGTH blake2s_param_set_digest_length -#define BLAKE2_PARAM_SET_KEY_LENGTH blake2s_param_set_key_length -#define BLAKE2_PARAM_SET_PERSONAL blake2s_param_set_personal -#define BLAKE2_PARAM_SET_SALT blake2s_param_set_salt +#define BLAKE2_PARAM_INIT ossl_blake2s_param_init +#define BLAKE2_INIT_KEY ossl_blake2s_init_key +#define BLAKE2_UPDATE ossl_blake2s_update +#define BLAKE2_FINAL ossl_blake2s_final +#define BLAKE2_PARAM_SET_DIGEST_LENGTH ossl_blake2s_param_set_digest_length +#define BLAKE2_PARAM_SET_KEY_LENGTH ossl_blake2s_param_set_key_length +#define BLAKE2_PARAM_SET_PERSONAL ossl_blake2s_param_set_personal +#define BLAKE2_PARAM_SET_SALT ossl_blake2s_param_set_salt /* OSSL_DISPATCH symbol */ #define BLAKE2_FUNCTIONS ossl_blake2smac_functions diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index be1a8fca3f..e6dd538708 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -127,7 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); WPACKET pkt; EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed); + int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL || md_nid == NID_undef) { @@ -183,7 +183,7 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation) DSA_free(pdsactx->dsa); pdsactx->dsa = vdsa; pdsactx->operation = operation; - if (!dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) { + if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index ed21ac79c3..aff3724435 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -137,7 +137,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec, int operation) EC_KEY_free(ctx->ec); ctx->ec = ec; ctx->operation = operation; - return ec_check_key(ec, operation == EVP_PKEY_OP_SIGN); + return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN); } static int ecdsa_sign_init(void *vctx, void *ec) @@ -222,7 +222,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, return 0; } sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed); + md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); if (md_nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 4cdd90a5c6..a69981a36a 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -276,7 +276,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - int md_nid = digest_rsa_sign_get_md_nid(md, sha1_allowed); + int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL @@ -335,7 +335,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, return 0; } /* The default for mgf1 is SHA1 - so allow SHA1 */ - if ((mdnid = digest_rsa_sign_get_md_nid(md, 1)) == NID_undef + if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { if (mdnid == NID_undef) ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, From no-reply at appveyor.com Thu Feb 18 14:24:49 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 18 Feb 2021 14:24:49 +0000 Subject: Build failed: openssl master.39977 Message-ID: <20210218142449.1.973B36337A162ABB@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Feb 18 15:04:53 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 18 Feb 2021 15:04:53 +0000 Subject: Build failed: openssl master.39979 Message-ID: <20210218150453.1.449DEA1BC81B93EF@appveyor.com> An HTML attachment was scrubbed... URL: From matt at openssl.org Thu Feb 18 15:05:34 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 18 Feb 2021 15:05:34 +0000 Subject: [openssl] master update Message-ID: <1613660734.944261.21730.nullmailer@dev.openssl.org> The branch master has been updated via a28d06f3e9cbc5594c7985c99a0c6bac5261ae67 (commit) from 7b676cc8c60823570e283fbe325b263670c6ccc2 (commit) - Log ----------------------------------------------------------------- commit a28d06f3e9cbc5594c7985c99a0c6bac5261ae67 Author: Matt Caswell Date: Thu Feb 18 14:57:13 2021 +0000 Update copyright year Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14235) ----------------------------------------------------------------------- Summary of changes: apps/ciphers.c | 2 +- apps/cms.c | 2 +- apps/dhparam.c | 2 +- apps/dsa.c | 2 +- apps/dsaparam.c | 2 +- apps/gendsa.c | 2 +- apps/genrsa.c | 2 +- apps/include/s_apps.h | 2 +- apps/lib/app_provider.c | 2 +- apps/lib/app_rand.c | 2 +- apps/mac.c | 2 +- apps/ocsp.c | 2 +- apps/pkcs12.c | 2 +- apps/pkcs7.c | 2 +- apps/pkcs8.c | 2 +- apps/pkeyutl.c | 2 +- apps/rand.c | 2 +- apps/rsa.c | 2 +- apps/rsautl.c | 2 +- apps/s_server.c | 2 +- apps/storeutl.c | 2 +- apps/ts.c | 2 +- crypto/asn1/i2d_evp.c | 2 +- crypto/bn/bn_rand.c | 2 +- crypto/cmp/cmp_ctx.c | 2 +- crypto/cms/cms_ec.c | 2 +- crypto/ct/ct_log.c | 2 +- crypto/encode_decode/decoder_pkey.c | 2 +- crypto/encode_decode/encoder_pkey.c | 2 +- crypto/err/err_all.c | 2 +- crypto/evp/digest.c | 2 +- crypto/evp/evp_enc.c | 2 +- crypto/evp/evp_pkey.c | 2 +- crypto/evp/keymgmt_lib.c | 2 +- crypto/evp/keymgmt_meth.c | 2 +- crypto/evp/m_sigver.c | 2 +- crypto/evp/pmeth_check.c | 2 +- crypto/evp/pmeth_gn.c | 2 +- crypto/evp/pmeth_lib.c | 2 +- crypto/ex_data.c | 2 +- crypto/ffc/ffc_dh.c | 2 +- crypto/http/http_err.c | 2 +- crypto/objects/objects.pl | 2 +- crypto/ocsp/ocsp_vfy.c | 2 +- crypto/pem/pem_local.h | 2 +- crypto/pem/pem_pk8.c | 2 +- crypto/pem/pem_pkey.c | 2 +- crypto/rsa/rsa_backend.c | 2 +- crypto/rsa/rsa_gen.c | 2 +- crypto/rsa/rsa_pss.c | 2 +- crypto/rsa/rsa_ssl.c | 2 +- crypto/srp/srp_vfy.c | 2 +- crypto/stack/stack.c | 2 +- crypto/store/store_result.c | 2 +- crypto/threads_pthread.c | 2 +- crypto/ts/ts_rsp_sign.c | 2 +- dev/release.sh | 4 ++-- doc/internal/man3/evp_keymgmt_util_export_to_provider.pod | 2 +- doc/internal/man7/EVP_PKEY.pod | 2 +- doc/man1/openssl-ciphers.pod.in | 2 +- doc/man1/openssl-dgst.pod.in | 2 +- doc/man1/openssl-s_client.pod.in | 2 +- doc/man1/openssl-srp.pod.in | 2 +- doc/man3/BN_generate_prime.pod | 2 +- doc/man3/BN_rand.pod | 2 +- doc/man3/DEFINE_STACK_OF.pod | 2 +- doc/man3/EVP_DigestInit.pod | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod | 2 +- doc/man3/EVP_PKEY_check.pod | 2 +- doc/man3/EVP_PKEY_gettable_params.pod | 2 +- doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod | 2 +- doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod | 2 +- doc/man3/SRP_Calc_B.pod | 2 +- doc/man3/SRP_VBASE_new.pod | 2 +- doc/man3/SRP_create_verifier.pod | 2 +- doc/man3/SRP_user_pwd_new.pod | 2 +- doc/man3/SSL_CTX_set_srp_password.pod | 2 +- doc/man3/SSL_write.pod | 2 +- doc/man3/X509_STORE_CTX_get_error.pod | 2 +- doc/man3/X509_STORE_CTX_new.pod | 2 +- doc/man3/X509_load_http.pod | 2 +- doc/man3/X509_new.pod | 2 +- doc/man7/EVP_KDF-SSHKDF.pod | 2 +- doc/man7/EVP_KDF-X942-ASN1.pod | 2 +- doc/man7/EVP_MAC-HMAC.pod | 2 +- doc/man7/EVP_MD-MDC2.pod | 2 +- doc/man7/provider-kdf.pod | 2 +- doc/man7/provider-keymgmt.pod | 2 +- doc/man7/provider-mac.pod | 2 +- doc/man7/provider-rand.pod | 2 +- doc/man7/provider-signature.pod | 2 +- doc/perlvars.pm | 2 +- engines/e_afalg.txt | 2 +- engines/e_afalg_err.h | 2 +- engines/e_capi.txt | 2 +- engines/e_capi_err.h | 2 +- engines/e_dasync.txt | 2 +- engines/e_dasync_err.h | 2 +- engines/e_loader_attic.txt | 2 +- engines/e_loader_attic_err.h | 2 +- engines/e_ossltest.txt | 2 +- engines/e_ossltest_err.h | 2 +- fuzz/x509.c | 2 +- include/crypto/aes_platform.h | 2 +- include/crypto/aria.h | 2 +- include/crypto/asn1_dsa.h | 2 +- include/crypto/async.h | 2 +- include/crypto/bn.h | 2 +- include/crypto/bn_conf.h.in | 2 +- include/crypto/chacha.h | 2 +- include/crypto/cmll_platform.h | 2 +- include/crypto/cms.h | 2 +- include/crypto/cryptlib.h | 2 +- include/crypto/ctype.h | 2 +- include/crypto/decoder.h | 2 +- include/crypto/des_platform.h | 2 +- include/crypto/dh.h | 2 +- include/crypto/dsa.h | 2 +- include/crypto/dso_conf.h.in | 2 +- include/crypto/ecx.h | 2 +- include/crypto/err.h | 2 +- include/crypto/ess.h | 2 +- include/crypto/evp.h | 2 +- include/crypto/lhash.h | 2 +- include/crypto/pem.h | 2 +- include/crypto/pkcs7.h | 2 +- include/crypto/poly1305.h | 2 +- include/crypto/punycode.h | 2 +- include/crypto/rand.h | 2 +- include/crypto/rand_pool.h | 2 +- include/crypto/rsa.h | 2 +- include/crypto/security_bits.h | 2 +- include/crypto/sha.h | 2 +- include/crypto/siphash.h | 2 +- include/crypto/sm4.h | 2 +- include/crypto/sparse_array.h | 2 +- include/crypto/store.h | 2 +- include/internal/asn1.h | 2 +- include/internal/bio.h | 2 +- include/internal/conf.h | 2 +- include/internal/constant_time.h | 2 +- include/internal/core.h | 2 +- include/internal/dane.h | 2 +- include/internal/deprecated.h | 2 +- include/internal/dso.h | 2 +- include/internal/dsoerr.h | 2 +- include/internal/endian.h | 2 +- include/internal/err.h | 2 +- include/internal/ffc.h | 2 +- include/internal/nelem.h | 2 +- include/internal/numbers.h | 2 +- include/internal/o_dir.h | 2 +- include/internal/packet.h | 2 +- include/internal/param_build_set.h | 2 +- include/internal/passphrase.h | 2 +- include/internal/property.h | 2 +- include/internal/propertyerr.h | 2 +- include/internal/provider.h | 2 +- include/internal/refcount.h | 2 +- include/internal/sha3.h | 2 +- include/internal/sizes.h | 2 +- include/internal/sm3.h | 2 +- include/internal/sockets.h | 2 +- include/internal/sslconf.h | 2 +- include/internal/symhacks.h | 2 +- include/internal/tlsgroups.h | 2 +- include/openssl/asn1err.h | 2 +- include/openssl/asyncerr.h | 2 +- include/openssl/bnerr.h | 2 +- include/openssl/buffererr.h | 2 +- include/openssl/cmp_util.h | 2 +- include/openssl/cmperr.h | 2 +- include/openssl/cmserr.h | 2 +- include/openssl/comperr.h | 2 +- include/openssl/conferr.h | 2 +- include/openssl/configuration.h.in | 2 +- include/openssl/core.h | 2 +- include/openssl/core_dispatch.h | 2 +- include/openssl/core_object.h | 2 +- include/openssl/crmferr.h | 2 +- include/openssl/crypto.h.in | 2 +- include/openssl/cryptoerr.h | 2 +- include/openssl/cryptoerr_legacy.h | 2 +- include/openssl/cterr.h | 2 +- include/openssl/decoder.h | 2 +- include/openssl/decodererr.h | 2 +- include/openssl/dherr.h | 2 +- include/openssl/dsa.h | 2 +- include/openssl/dsaerr.h | 2 +- include/openssl/ecerr.h | 2 +- include/openssl/encoder.h | 2 +- include/openssl/encodererr.h | 2 +- include/openssl/engineerr.h | 2 +- include/openssl/ess.h.in | 2 +- include/openssl/esserr.h | 2 +- include/openssl/fips_names.h | 2 +- include/openssl/fipskey.h.in | 2 +- include/openssl/httperr.h | 2 +- include/openssl/kdf.h | 2 +- include/openssl/kdferr.h | 2 +- include/openssl/macros.h | 2 +- include/openssl/objectserr.h | 2 +- include/openssl/ocsperr.h | 2 +- include/openssl/opensslconf.h | 2 +- include/openssl/param_build.h | 2 +- include/openssl/pemerr.h | 2 +- include/openssl/pkcs12err.h | 2 +- include/openssl/pkcs7err.h | 2 +- include/openssl/provider.h | 2 +- include/openssl/randerr.h | 2 +- include/openssl/rsa.h | 2 +- include/openssl/rsaerr.h | 2 +- include/openssl/self_test.h | 2 +- include/openssl/srp.h.in | 2 +- include/openssl/sslerr_legacy.h | 2 +- include/openssl/storeerr.h | 2 +- include/openssl/trace.h | 2 +- include/openssl/tserr.h | 2 +- include/openssl/uierr.h | 2 +- include/openssl/x509_vfy.h.in | 2 +- include/openssl/x509err.h | 2 +- include/openssl/x509v3err.h | 2 +- providers/common/capabilities.c | 2 +- providers/common/der/der_rsa.h.in | 2 +- providers/common/der/der_rsa_key.c | 2 +- providers/common/der/der_rsa_sig.c | 2 +- providers/common/provider_util.c | 2 +- providers/common/securitycheck.c | 2 +- providers/common/securitycheck_fips.c | 2 +- providers/decoders.inc | 2 +- providers/defltprov.c | 2 +- providers/encoders.inc | 2 +- providers/fips/self_test.c | 2 +- providers/fips/self_test_data.inc | 2 +- providers/implementations/ciphers/cipher_aes_cts.inc | 2 +- providers/implementations/ciphers/cipher_aes_hw.c | 2 +- providers/implementations/ciphers/cipher_aes_hw_aesni.inc | 2 +- providers/implementations/ciphers/cipher_aes_hw_s390x.inc | 2 +- providers/implementations/ciphers/cipher_aes_hw_t4.inc | 2 +- providers/implementations/ciphers/cipher_aes_siv.c | 2 +- providers/implementations/ciphers/cipher_aes_siv.h | 2 +- providers/implementations/ciphers/cipher_aes_wrp.c | 2 +- providers/implementations/ciphers/cipher_aes_xts.c | 2 +- providers/implementations/ciphers/cipher_aria_hw.c | 2 +- providers/implementations/ciphers/cipher_blowfish.c | 2 +- providers/implementations/ciphers/cipher_camellia_hw.c | 2 +- providers/implementations/ciphers/cipher_camellia_hw_t4.inc | 2 +- providers/implementations/ciphers/cipher_cast5.c | 2 +- providers/implementations/ciphers/cipher_chacha20.c | 2 +- providers/implementations/ciphers/cipher_chacha20_poly1305.c | 2 +- providers/implementations/ciphers/cipher_des.c | 2 +- providers/implementations/ciphers/cipher_des.h | 2 +- providers/implementations/ciphers/cipher_null.c | 2 +- providers/implementations/ciphers/cipher_rc2.c | 2 +- providers/implementations/ciphers/cipher_rc4.c | 2 +- providers/implementations/ciphers/cipher_rc5.c | 2 +- providers/implementations/ciphers/cipher_tdes.c | 2 +- providers/implementations/ciphers/cipher_tdes.h | 2 +- providers/implementations/ciphers/cipher_tdes_common.c | 2 +- providers/implementations/ciphers/cipher_tdes_default_hw.c | 2 +- providers/implementations/ciphers/cipher_tdes_wrap.c | 2 +- providers/implementations/ciphers/ciphercommon_block.c | 2 +- providers/implementations/ciphers/ciphercommon_hw.c | 2 +- providers/implementations/digests/digestcommon.c | 2 +- providers/implementations/digests/mdc2_prov.c | 2 +- providers/implementations/digests/sha2_prov.c | 2 +- providers/implementations/digests/sha3_prov.c | 2 +- providers/implementations/encode_decode/decode_der2key.c | 2 +- providers/implementations/encode_decode/decode_pem2der.c | 2 +- providers/implementations/encode_decode/encode_key2any.c | 2 +- providers/implementations/encode_decode/encode_key2text.c | 2 +- providers/implementations/exchange/ecx_exch.c | 2 +- providers/implementations/include/prov/ciphercommon_aead.h | 2 +- providers/implementations/include/prov/digestcommon.h | 2 +- providers/implementations/include/prov/implementations.h | 2 +- providers/implementations/kdfs/hkdf.c | 2 +- providers/implementations/kdfs/kbkdf.c | 2 +- providers/implementations/kdfs/pbkdf2.c | 2 +- providers/implementations/kdfs/pkcs12kdf.c | 2 +- providers/implementations/kdfs/scrypt.c | 2 +- providers/implementations/kdfs/sshkdf.c | 2 +- providers/implementations/kdfs/sskdf.c | 2 +- providers/implementations/kdfs/tls1_prf.c | 2 +- providers/implementations/kdfs/x942kdf.c | 2 +- providers/implementations/kem/rsa_kem.c | 2 +- providers/implementations/keymgmt/dh_kmgmt.c | 2 +- providers/implementations/keymgmt/dsa_kmgmt.c | 2 +- providers/implementations/keymgmt/ecx_kmgmt.c | 2 +- providers/implementations/keymgmt/mac_legacy_kmgmt.c | 2 +- providers/implementations/keymgmt/rsa_kmgmt.c | 2 +- providers/implementations/macs/blake2_mac_impl.c | 2 +- providers/implementations/macs/gmac_prov.c | 2 +- providers/implementations/macs/hmac_prov.c | 2 +- providers/implementations/macs/kmac_prov.c | 2 +- providers/implementations/macs/poly1305_prov.c | 2 +- providers/implementations/macs/siphash_prov.c | 2 +- providers/implementations/rands/drbg.c | 2 +- providers/implementations/rands/drbg_ctr.c | 2 +- providers/implementations/rands/drbg_hash.c | 2 +- providers/implementations/rands/drbg_hmac.c | 2 +- providers/implementations/rands/drbg_local.h | 2 +- providers/implementations/rands/seed_src.c | 2 +- providers/implementations/rands/test_rng.c | 2 +- providers/implementations/signature/dsa.c | 2 +- providers/implementations/signature/ecdsa.c | 2 +- providers/implementations/signature/eddsa.c | 2 +- providers/implementations/signature/rsa.c | 2 +- providers/implementations/signature/sm2sig.c | 2 +- ssl/record/ssl3_record.c | 2 +- ssl/ssl_conf.c | 2 +- ssl/statem/extensions_clnt.c | 2 +- ssl/statem/extensions_cust.c | 2 +- ssl/statem/extensions_srvr.c | 2 +- ssl/statem/statem_lib.c | 2 +- ssl/t1_trce.c | 2 +- ssl/tls_srp.c | 2 +- test/acvp_test.c | 2 +- test/cipher_overhead_test.c | 2 +- test/danetest.c | 2 +- test/ec_internal_test.c | 2 +- test/endecode_test.c | 2 +- test/endecoder_legacy_test.c | 2 +- test/evp_kdf_test.c | 2 +- test/evp_pkey_provided_test.c | 2 +- test/filterprov.c | 2 +- test/helpers/handshake.h | 2 +- test/helpers/predefined_dhparams.c | 2 +- test/helpers/ssltestlib.c | 2 +- test/params_test.c | 2 +- test/recipes/06-test_algorithmid.t | 2 +- test/recipes/15-test_genrsa.t | 2 +- test/recipes/20-test_dhparam_check.t | 2 +- test/recipes/20-test_mac.t | 2 +- test/recipes/25-test_verify.t | 2 +- test/recipes/30-test_evp_data/evpkdf_x942.txt | 2 +- test/recipes/30-test_evp_data/evprand.txt | 2 +- test/recipes/70-test_comp.t | 2 +- test/recipes/70-test_key_share.t | 2 +- test/recipes/70-test_sslcbcpadding.t | 2 +- test/recipes/70-test_sslextension.t | 2 +- test/recipes/70-test_sslrecords.t | 2 +- test/recipes/70-test_sslsigalgs.t | 2 +- test/recipes/70-test_sslsignature.t | 2 +- test/recipes/70-test_sslversions.t | 2 +- test/recipes/70-test_tls13alerts.t | 2 +- test/recipes/70-test_tls13cookie.t | 2 +- test/recipes/70-test_tls13downgrade.t | 2 +- test/recipes/70-test_tls13hrr.t | 2 +- test/recipes/70-test_tls13kexmodes.t | 2 +- test/recipes/70-test_tls13psk.t | 2 +- test/recipes/70-test_tlsextms.t | 2 +- test/recipes/80-test_cmp_http.t | 2 +- test/recipes/81-test_cmp_cli.t | 2 +- test/recipes/90-test_fipsload.t | 2 +- test/recipes/90-test_tls13ccs.t | 2 +- test/recipes/90-test_tls13encryption.t | 2 +- test/recipes/90-test_tls13secrets.t | 2 +- test/recordlentest.c | 2 +- test/rsa_test.c | 2 +- test/run_tests.pl | 2 +- test/servername_test.c | 2 +- test/srptest.c | 2 +- test/ssl-tests/27-ticket-appdata.cnf.in | 2 +- test/ssl-tests/protocol_version.pm | 2 +- test/ssl_test.c | 2 +- test/stack_test.c | 2 +- test/tls-provider.c | 2 +- util/mkerr.pl | 2 +- util/mknum.pl | 2 +- util/perl/OpenSSL/Ordinals.pm | 2 +- util/perl/OpenSSL/ParseC.pm | 2 +- 372 files changed, 373 insertions(+), 373 deletions(-) diff --git a/apps/ciphers.c b/apps/ciphers.c index 03ffad3b3b..dd70f0c632 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/cms.c b/apps/cms.c index 67cbb9379a..f347a3314a 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/dhparam.c b/apps/dhparam.c index d3f96e61d2..1cd19fae92 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/dsa.c b/apps/dsa.c index 523dab80fc..3a799ea17f 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 70c698dbec..c83d1fff41 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/gendsa.c b/apps/gendsa.c index c6c84c9a56..13ac69d37d 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/genrsa.c b/apps/genrsa.c index cd99b53a3b..469b0a0b2f 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h index 8ddf7d51e1..3d2bace594 100644 --- a/apps/include/s_apps.h +++ b/apps/include/s_apps.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c index 1a1757a5bd..5683866377 100644 --- a/apps/lib/app_provider.c +++ b/apps/lib/app_provider.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/lib/app_rand.c b/apps/lib/app_rand.c index 913e66e73f..c521979570 100644 --- a/apps/lib/app_rand.c +++ b/apps/lib/app_rand.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/mac.c b/apps/mac.c index ce00ff92e0..6280fdcd3b 100644 --- a/apps/mac.c +++ b/apps/mac.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/ocsp.c b/apps/ocsp.c index dd1677b1c1..97f9403ff1 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/pkcs12.c b/apps/pkcs12.c index e96f9ec4a4..241122b76a 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/pkcs7.c b/apps/pkcs7.c index d970feb30e..fea9eadf65 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 674007498a..b8b56f1c80 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index b70f9935b6..f1c73b6368 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/rand.c b/apps/rand.c index 69a13f975e..b439216886 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/rsa.c b/apps/rsa.c index 8658f58708..499013bae4 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/rsautl.c b/apps/rsautl.c index ae4855f8f5..ef0b1f66c7 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/s_server.c b/apps/s_server.c index eee51f3325..9bd9338a31 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * diff --git a/apps/storeutl.c b/apps/storeutl.c index 7c13092fe5..618b6b480e 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/ts.c b/apps/ts.c index 8500968a0c..62afe7560d 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c index 515a81d18c..6e4f7080c7 100644 --- a/crypto/asn1/i2d_evp.c +++ b/crypto/asn1/i2d_evp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 3068c28710..1f12e81fb7 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index ccca282721..26274611a8 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c index 79b96f596c..a4c6da6069 100644 --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c index 12e09d07a2..9b77d7a963 100644 --- a/crypto/ct/ct_log.c +++ b/crypto/ct/ct_log.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index 3a97afbcb0..ca9c507582 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c index 9604ae56bd..fb86631a8d 100644 --- a/crypto/encode_decode/encoder_pkey.c +++ b/crypto/encode_decode/encoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index b1e69b5cc5..d5b3b5dbc6 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 3dfcfcda8e..7346169be6 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index f049cb40bb..b6aa36c5c2 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 87091cf16b..9879392114 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c index 85a39b3d89..27b9f6b907 100644 --- a/crypto/evp/keymgmt_lib.c +++ b/crypto/evp/keymgmt_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c index 460fd24cec..c8c3d705c7 100644 --- a/crypto/evp/keymgmt_meth.c +++ b/crypto/evp/keymgmt_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 57c8ce78a4..795b785983 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/pmeth_check.c b/crypto/evp/pmeth_check.c index 36dbb4c4e6..61e6db655d 100644 --- a/crypto/evp/pmeth_check.c +++ b/crypto/evp/pmeth_check.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index bf35088a7d..1e4078cfa7 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 91d892ec34..a933752071 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ex_data.c b/crypto/ex_data.c index 0d87ea7f0e..291e5a6498 100644 --- a/crypto/ex_data.c +++ b/crypto/ex_data.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ffc/ffc_dh.c b/crypto/ffc/ffc_dh.c index 948c61d988..db472febb0 100644 --- a/crypto/ffc/ffc_dh.c +++ b/crypto/ffc/ffc_dh.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/http/http_err.c b/crypto/http/http_err.c index 49e56bedbf..20235ba0f8 100644 --- a/crypto/http/http_err.c +++ b/crypto/http/http_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/objects/objects.pl b/crypto/objects/objects.pl index 62e34aa52f..8c80b2f83f 100644 --- a/crypto/objects/objects.pl +++ b/crypto/objects/objects.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 56b9261640..cd9274dd31 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pem_local.h b/crypto/pem/pem_local.h index 732825c03c..509519eb7c 100644 --- a/crypto/pem/pem_local.h +++ b/crypto/pem/pem_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c index 62fa45f13d..86a66b586c 100644 --- a/crypto/pem/pem_pk8.c +++ b/crypto/pem/pem_pk8.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index f7cc7b88c6..26c6bbbaf6 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c index 84f070a7ce..30b16f25c6 100644 --- a/crypto/rsa/rsa_backend.c +++ b/crypto/rsa/rsa_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index 3a124e5b66..ccd07c33fb 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 3a92ed04dd..be1ea1f599 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index f89a083095..7cb743d219 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 1dd0c554f4..0693a23be0 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index c50a55da14..4c234f5a74 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index 6ac77b77dd..b79126e1cb 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index 68ec5dc1df..3004e1bd2f 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 17024ea7bb..313b37ed06 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/dev/release.sh b/dev/release.sh index f3b8e09ee0..7a1ee4d270 100755 --- a/dev/release.sh +++ b/dev/release.sh @@ -1,5 +1,5 @@ #! /bin/bash -e -# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -801,7 +801,7 @@ release date in the tar file of any release. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod index f55980376e..4a6e9b31f5 100644 --- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod @@ -88,7 +88,7 @@ L, L =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man7/EVP_PKEY.pod b/doc/internal/man7/EVP_PKEY.pod index 7e7c292f85..022f3f0e4e 100644 --- a/doc/internal/man7/EVP_PKEY.pod +++ b/doc/internal/man7/EVP_PKEY.pod @@ -206,7 +206,7 @@ L =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index baaf3c198f..3964cb525d 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in @@ -796,7 +796,7 @@ The B<-convert> option was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index b976ad45d8..4b0653912d 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -263,7 +263,7 @@ The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index d6b7caadfc..746f48a62d 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -918,7 +918,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in index 6ce5ebdf0d..cb210880e0 100644 --- a/doc/man1/openssl-srp.pod.in +++ b/doc/man1/openssl-srp.pod.in @@ -86,7 +86,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BN_generate_prime.pod b/doc/man3/BN_generate_prime.pod index 288969c525..ef797e5971 100644 --- a/doc/man3/BN_generate_prime.pod +++ b/doc/man3/BN_generate_prime.pod @@ -243,7 +243,7 @@ BN_check_prime() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BN_rand.pod b/doc/man3/BN_rand.pod index 38ef8f47f0..1c50c692b9 100644 --- a/doc/man3/BN_rand.pod +++ b/doc/man3/BN_rand.pod @@ -113,7 +113,7 @@ BN_priv_rand_range_ex() functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/DEFINE_STACK_OF.pod b/doc/man3/DEFINE_STACK_OF.pod index b5908fead5..ad990f2cdb 100644 --- a/doc/man3/DEFINE_STACK_OF.pod +++ b/doc/man3/DEFINE_STACK_OF.pod @@ -272,7 +272,7 @@ B_reserve>() and B_new_reserve>() were added in OpenSSL =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 28572f23b3..025bee4f46 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -660,7 +660,7 @@ in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 926c1fbd06..29f81831e4 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -417,7 +417,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod b/doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod index b842dcbd62..96610e4e72 100644 --- a/doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod +++ b/doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod @@ -95,7 +95,7 @@ L =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_check.pod b/doc/man3/EVP_PKEY_check.pod index ad2c2025cb..b5d33a41e3 100644 --- a/doc/man3/EVP_PKEY_check.pod +++ b/doc/man3/EVP_PKEY_check.pod @@ -65,7 +65,7 @@ EVP_PKEY_pairwise_check() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index 7a1eaaa548..da3d99d0bf 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -108,7 +108,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod index acb28f8306..695cdf78ed 100644 --- a/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod +++ b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod @@ -128,7 +128,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod b/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod index dec48804c6..674b5c3799 100644 --- a/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod +++ b/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod @@ -164,7 +164,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SRP_Calc_B.pod b/doc/man3/SRP_Calc_B.pod index e581505336..48eb018328 100644 --- a/doc/man3/SRP_Calc_B.pod +++ b/doc/man3/SRP_Calc_B.pod @@ -90,7 +90,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SRP_VBASE_new.pod b/doc/man3/SRP_VBASE_new.pod index 710d48df24..0333bec6ea 100644 --- a/doc/man3/SRP_VBASE_new.pod +++ b/doc/man3/SRP_VBASE_new.pod @@ -98,7 +98,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SRP_create_verifier.pod b/doc/man3/SRP_create_verifier.pod index bef9e77043..74d520199d 100644 --- a/doc/man3/SRP_create_verifier.pod +++ b/doc/man3/SRP_create_verifier.pod @@ -129,7 +129,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SRP_user_pwd_new.pod b/doc/man3/SRP_user_pwd_new.pod index 6be2ed4f3a..3c7507f54d 100644 --- a/doc/man3/SRP_user_pwd_new.pod +++ b/doc/man3/SRP_user_pwd_new.pod @@ -67,7 +67,7 @@ These functions were made public in OpenSSL 3.0 and are deprecated. =head1 COPYRIGHT -Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_srp_password.pod b/doc/man3/SSL_CTX_set_srp_password.pod index 9f08144467..720198a401 100644 --- a/doc/man3/SSL_CTX_set_srp_password.pod +++ b/doc/man3/SSL_CTX_set_srp_password.pod @@ -214,7 +214,7 @@ These functions were added in OpenSSL 1.0.1 and deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_write.pod b/doc/man3/SSL_write.pod index 9a5a6f0744..e03cce2ad6 100644 --- a/doc/man3/SSL_write.pod +++ b/doc/man3/SSL_write.pod @@ -146,7 +146,7 @@ The SSL_sendfile() function was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod index 91e65f4af6..eb68f8a7fc 100644 --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -468,7 +468,7 @@ L. =head1 COPYRIGHT -Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod index 3251c3b810..f2f6a01c44 100644 --- a/doc/man3/X509_STORE_CTX_new.pod +++ b/doc/man3/X509_STORE_CTX_new.pod @@ -186,7 +186,7 @@ There is no need to call X509_STORE_CTX_cleanup() explicitly since OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_load_http.pod b/doc/man3/X509_load_http.pod index 47a0e74760..a890f31ad8 100644 --- a/doc/man3/X509_load_http.pod +++ b/doc/man3/X509_load_http.pod @@ -53,7 +53,7 @@ X509_load_http() and X509_CRL_load_http() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_new.pod b/doc/man3/X509_new.pod index ab310bff57..a437b3f264 100644 --- a/doc/man3/X509_new.pod +++ b/doc/man3/X509_new.pod @@ -85,7 +85,7 @@ The function X509_new_ex() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index 2b2f0cc227..f0e113c6c8 100644 --- a/doc/man7/EVP_KDF-SSHKDF.pod +++ b/doc/man7/EVP_KDF-SSHKDF.pod @@ -149,7 +149,7 @@ L =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-X942-ASN1.pod b/doc/man7/EVP_KDF-X942-ASN1.pod index bc19b27508..b0e36133b4 100644 --- a/doc/man7/EVP_KDF-X942-ASN1.pod +++ b/doc/man7/EVP_KDF-X942-ASN1.pod @@ -144,7 +144,7 @@ This functionality was added to OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_MAC-HMAC.pod b/doc/man7/EVP_MAC-HMAC.pod index 8136bed000..fe63b329f9 100644 --- a/doc/man7/EVP_MAC-HMAC.pod +++ b/doc/man7/EVP_MAC-HMAC.pod @@ -63,7 +63,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_MD-MDC2.pod b/doc/man7/EVP_MD-MDC2.pod index 53069557ea..c8f5cb5ec2 100644 --- a/doc/man7/EVP_MD-MDC2.pod +++ b/doc/man7/EVP_MD-MDC2.pod @@ -40,7 +40,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-kdf.pod b/doc/man7/provider-kdf.pod index be0bc7b51b..8e2069e34a 100644 --- a/doc/man7/provider-kdf.pod +++ b/doc/man7/provider-kdf.pod @@ -319,7 +319,7 @@ The provider KDF interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 4c1f032744..08d7df6d5b 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -403,7 +403,7 @@ The KEYMGMT interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-mac.pod b/doc/man7/provider-mac.pod index f18a8c7fde..7ce2ad2a13 100644 --- a/doc/man7/provider-mac.pod +++ b/doc/man7/provider-mac.pod @@ -231,7 +231,7 @@ The provider MAC interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-rand.pod b/doc/man7/provider-rand.pod index 795924e6b7..3250e3c11a 100644 --- a/doc/man7/provider-rand.pod +++ b/doc/man7/provider-rand.pod @@ -275,7 +275,7 @@ The provider RAND interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index 222693854f..9c2a7d0c2b 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod @@ -407,7 +407,7 @@ The provider SIGNATURE interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/perlvars.pm b/doc/perlvars.pm index 47f813d51e..0be68e275d 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_afalg.txt b/engines/e_afalg.txt index 1126d74b98..37f023b87e 100644 --- a/engines/e_afalg.txt +++ b/engines/e_afalg.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_afalg_err.h b/engines/e_afalg_err.h index e15f50d6cc..2070c04a1c 100644 --- a/engines/e_afalg_err.h +++ b/engines/e_afalg_err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_capi.txt b/engines/e_capi.txt index 731452d845..dc557eef98 100644 --- a/engines/e_capi.txt +++ b/engines/e_capi.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_capi_err.h b/engines/e_capi_err.h index 2531e4586b..cd80c9be89 100644 --- a/engines/e_capi_err.h +++ b/engines/e_capi_err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_dasync.txt b/engines/e_dasync.txt index bd8d0a881b..d050a148c3 100644 --- a/engines/e_dasync.txt +++ b/engines/e_dasync.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_dasync_err.h b/engines/e_dasync_err.h index 17fef2ee0a..7a067c6037 100644 --- a/engines/e_dasync_err.h +++ b/engines/e_dasync_err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_loader_attic.txt b/engines/e_loader_attic.txt index 63e43d1511..4fb8fdf5e8 100644 --- a/engines/e_loader_attic.txt +++ b/engines/e_loader_attic.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_loader_attic_err.h b/engines/e_loader_attic_err.h index 3dd7557402..b4a144f4cb 100644 --- a/engines/e_loader_attic_err.h +++ b/engines/e_loader_attic_err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_ossltest.txt b/engines/e_ossltest.txt index c6450ce582..645917fe3b 100644 --- a/engines/e_ossltest.txt +++ b/engines/e_ossltest.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_ossltest_err.h b/engines/e_ossltest_err.h index d1748e7427..c89409079b 100644 --- a/engines/e_ossltest_err.h +++ b/engines/e_ossltest_err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/x509.c b/fuzz/x509.c index bf2dfb826d..dd9075acd7 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h index acd263f8de..b2b0b11877 100644 --- a/include/crypto/aes_platform.h +++ b/include/crypto/aes_platform.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/aria.h b/include/crypto/aria.h index dfd07013d0..857cf4b623 100644 --- a/include/crypto/aria.h +++ b/include/crypto/aria.h @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/crypto/asn1_dsa.h b/include/crypto/asn1_dsa.h index 4d2399a45f..2657dae0f4 100644 --- a/include/crypto/asn1_dsa.h +++ b/include/crypto/asn1_dsa.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/async.h b/include/crypto/async.h index 691148858c..7bc0dbb65b 100644 --- a/include/crypto/async.h +++ b/include/crypto/async.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/bn.h b/include/crypto/bn.h index 730854d7e1..eb42ccd0f5 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/bn_conf.h.in b/include/crypto/bn_conf.h.in index 9d244d52a3..dbc901b145 100644 --- a/include/crypto/bn_conf.h.in +++ b/include/crypto/bn_conf.h.in @@ -1,6 +1,6 @@ {- join("\n",map { "/* $_ */" } @autowarntext) -} /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h index b789515b7e..d29998ffe4 100644 --- a/include/crypto/chacha.h +++ b/include/crypto/chacha.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/cmll_platform.h b/include/crypto/cmll_platform.h index 34fac61f07..527f216ca8 100644 --- a/include/crypto/cmll_platform.h +++ b/include/crypto/cmll_platform.h @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/cms.h b/include/crypto/cms.h index 5a58407a11..f98f3cfbea 100644 --- a/include/crypto/cms.h +++ b/include/crypto/cms.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/cryptlib.h b/include/crypto/cryptlib.h index d70cd78415..2508801184 100644 --- a/include/crypto/cryptlib.h +++ b/include/crypto/cryptlib.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/ctype.h b/include/crypto/ctype.h index 7117281215..cb6e81b56e 100644 --- a/include/crypto/ctype.h +++ b/include/crypto/ctype.h @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/decoder.h b/include/crypto/decoder.h index a83615a8e6..d463d1e9b5 100644 --- a/include/crypto/decoder.h +++ b/include/crypto/decoder.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/des_platform.h b/include/crypto/des_platform.h index 18bd2f8afd..24fdb90b2f 100644 --- a/include/crypto/des_platform.h +++ b/include/crypto/des_platform.h @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/dh.h b/include/crypto/dh.h index 91a2db263a..5673bb7ad3 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/dsa.h b/include/crypto/dsa.h index 3da5696795..a47fbcd841 100644 --- a/include/crypto/dsa.h +++ b/include/crypto/dsa.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/dso_conf.h.in b/include/crypto/dso_conf.h.in index eba3deba66..12de11ade8 100644 --- a/include/crypto/dso_conf.h.in +++ b/include/crypto/dso_conf.h.in @@ -1,6 +1,6 @@ {- join("\n",map { "/* $_ */" } @autowarntext) -} /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index 663cdfc566..678cfcccea 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/err.h b/include/crypto/err.h index 9e72b5640c..7110276097 100644 --- a/include/crypto/err.h +++ b/include/crypto/err.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/ess.h b/include/crypto/ess.h index 74833f29a7..c13cd64222 100644 --- a/include/crypto/ess.h +++ b/include/crypto/ess.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 1017ace03d..0269d8da5a 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/lhash.h b/include/crypto/lhash.h index d7bd2c137f..f24838b10a 100644 --- a/include/crypto/lhash.h +++ b/include/crypto/lhash.h @@ -1,5 +1,5 @@ /* - * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/pem.h b/include/crypto/pem.h index 24e4787acc..4b02a00a85 100644 --- a/include/crypto/pem.h +++ b/include/crypto/pem.h @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 17bb3cd72c..847866987e 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h index 86317bcf8a..ba54f3bdcb 100644 --- a/include/crypto/poly1305.h +++ b/include/crypto/poly1305.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/punycode.h b/include/crypto/punycode.h index 5b3074a348..f47eded262 100644 --- a/include/crypto/punycode.h +++ b/include/crypto/punycode.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/rand.h b/include/crypto/rand.h index 89505aa0ed..f093356d9d 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/rand_pool.h b/include/crypto/rand_pool.h index 26e65c0436..a651d29988 100644 --- a/include/crypto/rand_pool.h +++ b/include/crypto/rand_pool.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 62087b347e..daf70c62d4 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/security_bits.h b/include/crypto/security_bits.h index 90cb7d625f..3dc9e26ff3 100644 --- a/include/crypto/security_bits.h +++ b/include/crypto/security_bits.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/sha.h b/include/crypto/sha.h index 7c0276a23a..20823b8bca 100644 --- a/include/crypto/sha.h +++ b/include/crypto/sha.h @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/crypto/siphash.h b/include/crypto/siphash.h index bb4d614998..02f74c4ae2 100644 --- a/include/crypto/siphash.h +++ b/include/crypto/siphash.h @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/sm4.h b/include/crypto/sm4.h index 87be6daa91..8195ab165c 100644 --- a/include/crypto/sm4.h +++ b/include/crypto/sm4.h @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/crypto/sparse_array.h b/include/crypto/sparse_array.h index ee49105167..87b5adec9c 100644 --- a/include/crypto/sparse_array.h +++ b/include/crypto/sparse_array.h @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/crypto/store.h b/include/crypto/store.h index 72d5a01a96..5c86660b30 100644 --- a/include/crypto/store.h +++ b/include/crypto/store.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/asn1.h b/include/internal/asn1.h index 36d90e22b1..3143e3405f 100644 --- a/include/internal/asn1.h +++ b/include/internal/asn1.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/bio.h b/include/internal/bio.h index 12782c85a2..e057298318 100644 --- a/include/internal/bio.h +++ b/include/internal/bio.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/conf.h b/include/internal/conf.h index 44043613a4..81968c9885 100644 --- a/include/internal/conf.h +++ b/include/internal/conf.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/constant_time.h b/include/internal/constant_time.h index b50b10ba80..cb4ce80830 100644 --- a/include/internal/constant_time.h +++ b/include/internal/constant_time.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/core.h b/include/internal/core.h index 75bcfeb4e8..c3c2b74a63 100644 --- a/include/internal/core.h +++ b/include/internal/core.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/dane.h b/include/internal/dane.h index 6639d2d97f..a3d78a7f80 100644 --- a/include/internal/dane.h +++ b/include/internal/dane.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/deprecated.h b/include/internal/deprecated.h index a6de395702..a313a01545 100644 --- a/include/internal/deprecated.h +++ b/include/internal/deprecated.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/dso.h b/include/internal/dso.h index d04a1c166e..160ddb98db 100644 --- a/include/internal/dso.h +++ b/include/internal/dso.h @@ -1,5 +1,5 @@ /* - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/dsoerr.h b/include/internal/dsoerr.h index b503ae96a7..43f83d9ad8 100644 --- a/include/internal/dsoerr.h +++ b/include/internal/dsoerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/endian.h b/include/internal/endian.h index 01b926d0bd..8b34e03e44 100644 --- a/include/internal/endian.h +++ b/include/internal/endian.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/err.h b/include/internal/err.h index d5ad9abdf4..d8a308f0b4 100644 --- a/include/internal/err.h +++ b/include/internal/err.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/ffc.h b/include/internal/ffc.h index 4cffc720a6..f0ab31400b 100644 --- a/include/internal/ffc.h +++ b/include/internal/ffc.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/nelem.h b/include/internal/nelem.h index f0a53c37d5..b758513b4c 100644 --- a/include/internal/nelem.h +++ b/include/internal/nelem.h @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/numbers.h b/include/internal/numbers.h index bade59fd89..fc93e59c4b 100644 --- a/include/internal/numbers.h +++ b/include/internal/numbers.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/o_dir.h b/include/internal/o_dir.h index 90c247d65e..add34d14be 100644 --- a/include/internal/o_dir.h +++ b/include/internal/o_dir.h @@ -1,5 +1,5 @@ /* - * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/packet.h b/include/internal/packet.h index efb1a702ef..108c65aad0 100644 --- a/include/internal/packet.h +++ b/include/internal/packet.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/param_build_set.h b/include/internal/param_build_set.h index a037ab8ee1..88782b0aa7 100644 --- a/include/internal/param_build_set.h +++ b/include/internal/param_build_set.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/passphrase.h b/include/internal/passphrase.h index f2d2614132..ee0be9b128 100644 --- a/include/internal/passphrase.h +++ b/include/internal/passphrase.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/property.h b/include/internal/property.h index a5335110a8..6e8b1a8259 100644 --- a/include/internal/property.h +++ b/include/internal/property.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/internal/propertyerr.h b/include/internal/propertyerr.h index 3c009619eb..d73532ed6a 100644 --- a/include/internal/propertyerr.h +++ b/include/internal/propertyerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/provider.h b/include/internal/provider.h index dc064fd70b..a91c515f04 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/refcount.h b/include/internal/refcount.h index e5c4aca167..ee506e592d 100644 --- a/include/internal/refcount.h +++ b/include/internal/refcount.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/sha3.h b/include/internal/sha3.h index f564549b59..9bb6cf65f1 100644 --- a/include/internal/sha3.h +++ b/include/internal/sha3.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/sizes.h b/include/internal/sizes.h index d9abb53788..f6496c8182 100644 --- a/include/internal/sizes.h +++ b/include/internal/sizes.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/sm3.h b/include/internal/sm3.h index b9b0636d01..f64eb8ad1a 100644 --- a/include/internal/sm3.h +++ b/include/internal/sm3.h @@ -1,5 +1,5 @@ /* - * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/internal/sockets.h b/include/internal/sockets.h index 5d169b631d..5ef5ef1756 100644 --- a/include/internal/sockets.h +++ b/include/internal/sockets.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h index 2c2044c104..fd7f7e3331 100644 --- a/include/internal/sslconf.h +++ b/include/internal/sslconf.h @@ -1,5 +1,5 @@ /* - * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/symhacks.h b/include/internal/symhacks.h index 425b644d3a..564351642f 100644 --- a/include/internal/symhacks.h +++ b/include/internal/symhacks.h @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/tlsgroups.h b/include/internal/tlsgroups.h index c5653bdbd3..8a35ced122 100644 --- a/include/internal/tlsgroups.h +++ b/include/internal/tlsgroups.h @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h index b7bca90c44..1a20fe82c2 100644 --- a/include/openssl/asn1err.h +++ b/include/openssl/asn1err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/asyncerr.h b/include/openssl/asyncerr.h index 1d9e79a850..c093f7be45 100644 --- a/include/openssl/asyncerr.h +++ b/include/openssl/asyncerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h index fb7a574290..847d326b09 100644 --- a/include/openssl/bnerr.h +++ b/include/openssl/bnerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/buffererr.h b/include/openssl/buffererr.h index 1db678ac2f..d18b1f8f07 100644 --- a/include/openssl/buffererr.h +++ b/include/openssl/buffererr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/cmp_util.h b/include/openssl/cmp_util.h index 5de50d7a9a..9a168922bf 100644 --- a/include/openssl/cmp_util.h +++ b/include/openssl/cmp_util.h @@ -1,5 +1,5 @@ /* - * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h index 1aef080ce8..b8ac43e525 100644 --- a/include/openssl/cmperr.h +++ b/include/openssl/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/cmserr.h b/include/openssl/cmserr.h index 8bf62ee628..418e8baff9 100644 --- a/include/openssl/cmserr.h +++ b/include/openssl/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/comperr.h b/include/openssl/comperr.h index 8eff2d1d43..01dd3e6bc6 100644 --- a/include/openssl/comperr.h +++ b/include/openssl/comperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/conferr.h b/include/openssl/conferr.h index 76e2b925e2..bf5961e72a 100644 --- a/include/openssl/conferr.h +++ b/include/openssl/conferr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/configuration.h.in b/include/openssl/configuration.h.in index c1a5f8c485..e4d4f526b3 100644 --- a/include/openssl/configuration.h.in +++ b/include/openssl/configuration.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/core.h b/include/openssl/core.h index 9a183da4e8..41e0a70437 100644 --- a/include/openssl/core.h +++ b/include/openssl/core.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index f9786e1d37..0377424434 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/core_object.h b/include/openssl/core_object.h index 6b31a6b421..62ccf39d32 100644 --- a/include/openssl/core_object.h +++ b/include/openssl/core_object.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h index c84e919935..b242b922ef 100644 --- a/include/openssl/crmferr.h +++ b/include/openssl/crmferr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in index 356eaaabf1..d7c4dd7426 100644 --- a/include/openssl/crypto.h.in +++ b/include/openssl/crypto.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/openssl/cryptoerr.h b/include/openssl/cryptoerr.h index 96141e75a2..8db3064ce2 100644 --- a/include/openssl/cryptoerr.h +++ b/include/openssl/cryptoerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/cryptoerr_legacy.h b/include/openssl/cryptoerr_legacy.h index b928e1d4b7..34bb3dfd1e 100644 --- a/include/openssl/cryptoerr_legacy.h +++ b/include/openssl/cryptoerr_legacy.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/cterr.h b/include/openssl/cterr.h index 8ffff3b53a..935d32d8b1 100644 --- a/include/openssl/cterr.h +++ b/include/openssl/cterr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/decoder.h b/include/openssl/decoder.h index 29ccb0a7ff..9f58cb2b39 100644 --- a/include/openssl/decoder.h +++ b/include/openssl/decoder.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/decodererr.h b/include/openssl/decodererr.h index bead95c06c..886c3750fe 100644 --- a/include/openssl/decodererr.h +++ b/include/openssl/decodererr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h index 0783a9dc5f..237de52522 100644 --- a/include/openssl/dherr.h +++ b/include/openssl/dherr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index eacc6caa28..5c0e4cddfa 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h index 669cd6c87f..5f0ca8d12a 100644 --- a/include/openssl/dsaerr.h +++ b/include/openssl/dsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h index 0ebee3cf88..a017fbeb76 100644 --- a/include/openssl/ecerr.h +++ b/include/openssl/ecerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/encoder.h b/include/openssl/encoder.h index c6a300bd9c..bf212f9f80 100644 --- a/include/openssl/encoder.h +++ b/include/openssl/encoder.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/encodererr.h b/include/openssl/encodererr.h index 4f594c48f3..5e318b1453 100644 --- a/include/openssl/encodererr.h +++ b/include/openssl/encodererr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/engineerr.h b/include/openssl/engineerr.h index 1a1798fb17..d439b6827e 100644 --- a/include/openssl/engineerr.h +++ b/include/openssl/engineerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/ess.h.in b/include/openssl/ess.h.in index 2522912f2f..6dd686ba77 100644 --- a/include/openssl/ess.h.in +++ b/include/openssl/ess.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/esserr.h b/include/openssl/esserr.h index e8f031f634..2eb82c1eb7 100644 --- a/include/openssl/esserr.h +++ b/include/openssl/esserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h index 4bd579cb3a..0fdf5440c7 100644 --- a/include/openssl/fips_names.h +++ b/include/openssl/fips_names.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/fipskey.h.in b/include/openssl/fipskey.h.in index 367fe20471..56b947e852 100644 --- a/include/openssl/fipskey.h.in +++ b/include/openssl/fipskey.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h index 2ea4fa6c13..796bc15a49 100644 --- a/include/openssl/httperr.h +++ b/include/openssl/httperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index f5a1dab62e..dd24ab04cd 100644 --- a/include/openssl/kdf.h +++ b/include/openssl/kdf.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/kdferr.h b/include/openssl/kdferr.h index 52d8e14a26..963d766dfc 100644 --- a/include/openssl/kdferr.h +++ b/include/openssl/kdferr.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/macros.h b/include/openssl/macros.h index 4de30968d2..7d37798560 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/objectserr.h b/include/openssl/objectserr.h index 82aaa99c03..585217f6f7 100644 --- a/include/openssl/objectserr.h +++ b/include/openssl/objectserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/ocsperr.h b/include/openssl/ocsperr.h index 3fb7aca7c4..46a0523c2d 100644 --- a/include/openssl/ocsperr.h +++ b/include/openssl/ocsperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/opensslconf.h b/include/openssl/opensslconf.h index 6a2de489b0..1e83371f1a 100644 --- a/include/openssl/opensslconf.h +++ b/include/openssl/opensslconf.h @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/param_build.h b/include/openssl/param_build.h index eec500d340..fff5dc9864 100644 --- a/include/openssl/param_build.h +++ b/include/openssl/param_build.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/openssl/pemerr.h b/include/openssl/pemerr.h index 57387aee31..16ca273a98 100644 --- a/include/openssl/pemerr.h +++ b/include/openssl/pemerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h index 491194f01f..933c83299a 100644 --- a/include/openssl/pkcs12err.h +++ b/include/openssl/pkcs12err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/pkcs7err.h b/include/openssl/pkcs7err.h index 8b65aa0670..ceb1a50198 100644 --- a/include/openssl/pkcs7err.h +++ b/include/openssl/pkcs7err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/provider.h b/include/openssl/provider.h index 3f2ce38701..723201e1c5 100644 --- a/include/openssl/provider.h +++ b/include/openssl/provider.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h index fb378b9fc8..3756ad17a8 100644 --- a/include/openssl/randerr.h +++ b/include/openssl/randerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 46cc9badec..0aeab1560a 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/rsaerr.h b/include/openssl/rsaerr.h index 456082a60d..bc31d2fe65 100644 --- a/include/openssl/rsaerr.h +++ b/include/openssl/rsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h index 11722c3163..3b324b2bbe 100644 --- a/include/openssl/self_test.h +++ b/include/openssl/self_test.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/srp.h.in b/include/openssl/srp.h.in index 07b2e6fd5b..dfbe845b83 100644 --- a/include/openssl/srp.h.in +++ b/include/openssl/srp.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/include/openssl/sslerr_legacy.h b/include/openssl/sslerr_legacy.h index b687bf7d63..ccf6d3b30b 100644 --- a/include/openssl/sslerr_legacy.h +++ b/include/openssl/sslerr_legacy.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/storeerr.h b/include/openssl/storeerr.h index 397c143616..45e781d2aa 100644 --- a/include/openssl/storeerr.h +++ b/include/openssl/storeerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/trace.h b/include/openssl/trace.h index 8bdc08b037..ad57babe4f 100644 --- a/include/openssl/trace.h +++ b/include/openssl/trace.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/tserr.h b/include/openssl/tserr.h index 4b46bb83e8..e1b943e42d 100644 --- a/include/openssl/tserr.h +++ b/include/openssl/tserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/uierr.h b/include/openssl/uierr.h index 692b480030..473b04ed11 100644 --- a/include/openssl/uierr.h +++ b/include/openssl/uierr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in index 901b589adb..662a8b6ab8 100644 --- a/include/openssl/x509_vfy.h.in +++ b/include/openssl/x509_vfy.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/x509err.h b/include/openssl/x509err.h index d3ecbf978e..a56facd46b 100644 --- a/include/openssl/x509err.h +++ b/include/openssl/x509err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h index 5a6f9c3e8c..1ae3a56209 100644 --- a/include/openssl/x509v3err.h +++ b/include/openssl/x509v3err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c index da3cf50820..d455d498ea 100644 --- a/providers/common/capabilities.c +++ b/providers/common/capabilities.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/der/der_rsa.h.in b/providers/common/der/der_rsa.h.in index 733b9d60d6..9341bfcf31 100644 --- a/providers/common/der/der_rsa.h.in +++ b/providers/common/der/der_rsa.h.in @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/der/der_rsa_key.c b/providers/common/der/der_rsa_key.c index 70b8edb63b..fd9c58b456 100644 --- a/providers/common/der/der_rsa_key.c +++ b/providers/common/der/der_rsa_key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/der/der_rsa_sig.c b/providers/common/der/der_rsa_sig.c index 7fb69f87b0..aa49968a5b 100644 --- a/providers/common/der/der_rsa_sig.c +++ b/providers/common/der/der_rsa_sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index 516ec46dd7..0df2addccb 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index 547b74fe3a..3f8a742286 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index 35f82433db..42e5f46009 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/decoders.inc b/providers/decoders.inc index 4dc687c76f..a92abe03e2 100644 --- a/providers/decoders.inc +++ b/providers/decoders.inc @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/defltprov.c b/providers/defltprov.c index c246ed42be..2649972c82 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/encoders.inc b/providers/encoders.inc index 356e2f2f6b..e7d11c731b 100644 --- a/providers/encoders.inc +++ b/providers/encoders.inc @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index 17053d6f9f..aa9bbc770e 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index 7631d682e5..fc8bf2b54e 100644 --- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_cts.inc b/providers/implementations/ciphers/cipher_aes_cts.inc index f398534dda..fbd66eb257 100644 --- a/providers/implementations/ciphers/cipher_aes_cts.inc +++ b/providers/implementations/ciphers/cipher_aes_cts.inc @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_hw.c b/providers/implementations/ciphers/cipher_aes_hw.c index 588e030417..d9b9b044b8 100644 --- a/providers/implementations/ciphers/cipher_aes_hw.c +++ b/providers/implementations/ciphers/cipher_aes_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_hw_aesni.inc b/providers/implementations/ciphers/cipher_aes_hw_aesni.inc index a2358b43f9..33b9046054 100644 --- a/providers/implementations/ciphers/cipher_aes_hw_aesni.inc +++ b/providers/implementations/ciphers/cipher_aes_hw_aesni.inc @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_hw_s390x.inc b/providers/implementations/ciphers/cipher_aes_hw_s390x.inc index e0cc6a604c..c298dfafd7 100644 --- a/providers/implementations/ciphers/cipher_aes_hw_s390x.inc +++ b/providers/implementations/ciphers/cipher_aes_hw_s390x.inc @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_hw_t4.inc b/providers/implementations/ciphers/cipher_aes_hw_t4.inc index 826ff0239d..28454fc508 100644 --- a/providers/implementations/ciphers/cipher_aes_hw_t4.inc +++ b/providers/implementations/ciphers/cipher_aes_hw_t4.inc @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c index 9a9adb02d9..25409bf0a8 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.c +++ b/providers/implementations/ciphers/cipher_aes_siv.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_siv.h b/providers/implementations/ciphers/cipher_aes_siv.h index c0b2a903bc..4a682b77c4 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.h +++ b/providers/implementations/ciphers/cipher_aes_siv.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c index 967e12206b..4428ff0552 100644 --- a/providers/implementations/ciphers/cipher_aes_wrp.c +++ b/providers/implementations/ciphers/cipher_aes_wrp.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c index c5699d645b..e4b18b2719 100644 --- a/providers/implementations/ciphers/cipher_aes_xts.c +++ b/providers/implementations/ciphers/cipher_aes_xts.c @@ -1,6 +1,6 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aria_hw.c b/providers/implementations/ciphers/cipher_aria_hw.c index 67a282f59c..8e114b3ba1 100644 --- a/providers/implementations/ciphers/cipher_aria_hw.c +++ b/providers/implementations/ciphers/cipher_aria_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_blowfish.c b/providers/implementations/ciphers/cipher_blowfish.c index cf303bb863..9566f044a4 100644 --- a/providers/implementations/ciphers/cipher_blowfish.c +++ b/providers/implementations/ciphers/cipher_blowfish.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_camellia_hw.c b/providers/implementations/ciphers/cipher_camellia_hw.c index 66a2b143c3..3ebf5b8d46 100644 --- a/providers/implementations/ciphers/cipher_camellia_hw.c +++ b/providers/implementations/ciphers/cipher_camellia_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_camellia_hw_t4.inc b/providers/implementations/ciphers/cipher_camellia_hw_t4.inc index 032402a556..2dcf3fa18e 100644 --- a/providers/implementations/ciphers/cipher_camellia_hw_t4.inc +++ b/providers/implementations/ciphers/cipher_camellia_hw_t4.inc @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_cast5.c b/providers/implementations/ciphers/cipher_cast5.c index f5f7cba631..55081ccbe9 100644 --- a/providers/implementations/ciphers/cipher_cast5.c +++ b/providers/implementations/ciphers/cipher_cast5.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 6b1fdb2bd5..bee1bb925b 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index 46c20fd7c5..5d9ffad801 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c index 179ebd00ad..32cab17b3e 100644 --- a/providers/implementations/ciphers/cipher_des.c +++ b/providers/implementations/ciphers/cipher_des.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_des.h b/providers/implementations/ciphers/cipher_des.h index f7a1f6d6cc..ad10f63d8b 100644 --- a/providers/implementations/ciphers/cipher_des.h +++ b/providers/implementations/ciphers/cipher_des.h @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_null.c b/providers/implementations/ciphers/cipher_null.c index 01db056983..9d33a26f8d 100644 --- a/providers/implementations/ciphers/cipher_null.c +++ b/providers/implementations/ciphers/cipher_null.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c index 6e25d1534a..d78b044247 100644 --- a/providers/implementations/ciphers/cipher_rc2.c +++ b/providers/implementations/ciphers/cipher_rc2.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_rc4.c b/providers/implementations/ciphers/cipher_rc4.c index 18233bbac1..98937c0044 100644 --- a/providers/implementations/ciphers/cipher_rc4.c +++ b/providers/implementations/ciphers/cipher_rc4.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_rc5.c b/providers/implementations/ciphers/cipher_rc5.c index db0dbaaf05..0d6f87ed63 100644 --- a/providers/implementations/ciphers/cipher_rc5.c +++ b/providers/implementations/ciphers/cipher_rc5.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_tdes.c b/providers/implementations/ciphers/cipher_tdes.c index 6ab083db41..e63c143755 100644 --- a/providers/implementations/ciphers/cipher_tdes.c +++ b/providers/implementations/ciphers/cipher_tdes.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_tdes.h b/providers/implementations/ciphers/cipher_tdes.h index 3c9147d45d..d3d885bd18 100644 --- a/providers/implementations/ciphers/cipher_tdes.h +++ b/providers/implementations/ciphers/cipher_tdes.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c index 417bac13b2..f0fd03ff4b 100644 --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_tdes_default_hw.c b/providers/implementations/ciphers/cipher_tdes_default_hw.c index 77b08ebbe1..53cbbad571 100644 --- a/providers/implementations/ciphers/cipher_tdes_default_hw.c +++ b/providers/implementations/ciphers/cipher_tdes_default_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_tdes_wrap.c b/providers/implementations/ciphers/cipher_tdes_wrap.c index c0828a0c2c..be109129bd 100644 --- a/providers/implementations/ciphers/cipher_tdes_wrap.c +++ b/providers/implementations/ciphers/cipher_tdes_wrap.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/ciphercommon_block.c b/providers/implementations/ciphers/ciphercommon_block.c index abc3c8517d..14f7503b36 100644 --- a/providers/implementations/ciphers/ciphercommon_block.c +++ b/providers/implementations/ciphers/ciphercommon_block.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/ciphercommon_hw.c b/providers/implementations/ciphers/ciphercommon_hw.c index 8673e7b744..8452338da7 100644 --- a/providers/implementations/ciphers/ciphercommon_hw.c +++ b/providers/implementations/ciphers/ciphercommon_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/digests/digestcommon.c b/providers/implementations/digests/digestcommon.c index 373b3bbf1c..5cd1d16200 100644 --- a/providers/implementations/digests/digestcommon.c +++ b/providers/implementations/digests/digestcommon.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/digests/mdc2_prov.c b/providers/implementations/digests/mdc2_prov.c index 8dc1d1af74..91f123d55f 100644 --- a/providers/implementations/digests/mdc2_prov.c +++ b/providers/implementations/digests/mdc2_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c index 4cff62131c..45fa643ed5 100644 --- a/providers/implementations/digests/sha2_prov.c +++ b/providers/implementations/digests/sha2_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c index cd8045f92c..d4d3befa5e 100644 --- a/providers/implementations/digests/sha3_prov.c +++ b/providers/implementations/digests/sha3_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 09776127d4..4018d2021b 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c index cb6ebcefb6..73973e13ff 100644 --- a/providers/implementations/encode_decode/decode_pem2der.c +++ b/providers/implementations/encode_decode/decode_pem2der.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index 8f868249ee..883c33334d 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index 05cccdce36..8be3478102 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c index 3b082ab503..17118f0e6c 100644 --- a/providers/implementations/exchange/ecx_exch.c +++ b/providers/implementations/exchange/ecx_exch.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h index d2f4d78039..1d017175d3 100644 --- a/providers/implementations/include/prov/ciphercommon_aead.h +++ b/providers/implementations/include/prov/ciphercommon_aead.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/include/prov/digestcommon.h b/providers/implementations/include/prov/digestcommon.h index 894e7295e5..638fe3d4a4 100644 --- a/providers/implementations/include/prov/digestcommon.h +++ b/providers/implementations/include/prov/digestcommon.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index bdd0c243d6..8321dd92b4 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 5fa24b93e3..aae923b1db 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index 2e1a96e28f..1dfae38d37 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019 Red Hat, Inc. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index a3ecea2b03..a7f52f0756 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index b388efe786..67506c64ba 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index 3aba9f7955..207120fc77 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index 058f3b95b7..1caef4b7b8 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index 641aacbe97..e9f530a9ff 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index 2cb825229b..b87cf73596 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index 7f1f0e6c9d..00ee7cbdce 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 0007224072..0bf0607735 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 007ab6a5b5..96886840f0 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index 467f75bb55..a02a3e6b01 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/providers/implementations/keymgmt/dsa_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 3c057f3da4..86deae8561 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index 0f7f65ddbb..77efe145d9 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index e4e10084b8..0d3782e830 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c index 4f57795500..d1f4e6331a 100644 --- a/providers/implementations/macs/blake2_mac_impl.c +++ b/providers/implementations/macs/blake2_mac_impl.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c index 1d5d26f170..691d1169b7 100644 --- a/providers/implementations/macs/gmac_prov.c +++ b/providers/implementations/macs/gmac_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c index 3f9a862458..0412aedbef 100644 --- a/providers/implementations/macs/hmac_prov.c +++ b/providers/implementations/macs/hmac_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index 3a57dd0db6..d499644f57 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/macs/poly1305_prov.c b/providers/implementations/macs/poly1305_prov.c index b029dfefd4..27abb58a08 100644 --- a/providers/implementations/macs/poly1305_prov.c +++ b/providers/implementations/macs/poly1305_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c index f2105a9c46..221db4b83b 100644 --- a/providers/implementations/macs/siphash_prov.c +++ b/providers/implementations/macs/siphash_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index 239000ec16..fc8ac52ac2 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index 1f5b14247b..127d85a2cc 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index c799ef107a..a181b8f97e 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index f166d69c51..16c5ae8711 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h index ab8ad9586e..8bc5df89c2 100644 --- a/providers/implementations/rands/drbg_local.h +++ b/providers/implementations/rands/drbg_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index c93036cb60..06364b9074 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index 0c0e0e3b42..a1b847ee78 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index e6dd538708..620bfa845c 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index aff3724435..74717c9b56 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/signature/eddsa.c b/providers/implementations/signature/eddsa.c index 0409ed1892..9813545381 100644 --- a/providers/implementations/signature/eddsa.c +++ b/providers/implementations/signature/eddsa.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index a69981a36a..a19dc0129c 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c index a3709ff074..84c3853f23 100644 --- a/providers/implementations/signature/sm2sig.c +++ b/providers/implementations/signature/sm2sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 8ada303838..3b2ae1f835 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 12e765c3be..2408f2b194 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 3e4353b90e..b216e29f26 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index 738051e1da..a00194bf33 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 56fcbd03c1..28fb039424 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 6e491c978a..ba1fe75070 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 19ec1eabf5..405b1e6864 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index 1d9f4d29f6..430cd7dae8 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/test/acvp_test.c b/test/acvp_test.c index 2dc01aeeae..6d7360b5b6 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/cipher_overhead_test.c b/test/cipher_overhead_test.c index 2231a215fd..2001b33295 100644 --- a/test/cipher_overhead_test.c +++ b/test/cipher_overhead_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/danetest.c b/test/danetest.c index 49bcfb2570..7d4b0c88a7 100644 --- a/test/danetest.c +++ b/test/danetest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c index 345ce199c5..e2ea65b885 100644 --- a/test/ec_internal_test.c +++ b/test/ec_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/endecode_test.c b/test/endecode_test.c index b5da47d338..c3a86e38d5 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c index 64bbea0ad1..cdf86530ce 100644 --- a/test/endecoder_legacy_test.c +++ b/test/endecoder_legacy_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index 37d4653577..621351f187 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 62a9346eb4..e2c28d3565 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/filterprov.c b/test/filterprov.c index 93ebca70ae..71606ecc93 100644 --- a/test/filterprov.c +++ b/test/filterprov.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h index 04ff874623..78b03f9f4b 100644 --- a/test/helpers/handshake.h +++ b/test/helpers/handshake.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c index 1a19470081..378d7b56e0 100644 --- a/test/helpers/predefined_dhparams.c +++ b/test/helpers/predefined_dhparams.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c index e339d7972c..693084e739 100644 --- a/test/helpers/ssltestlib.c +++ b/test/helpers/ssltestlib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/params_test.c b/test/params_test.c index 913df9eb8a..9729ab892b 100644 --- a/test/params_test.c +++ b/test/params_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/test/recipes/06-test_algorithmid.t b/test/recipes/06-test_algorithmid.t index 7d56c09150..f70c1d2a23 100644 --- a/test/recipes/06-test_algorithmid.t +++ b/test/recipes/06-test_algorithmid.t @@ -1,6 +1,6 @@ #! /usr/bin/perl -# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t index 16bad16d65..504e279f75 100644 --- a/test/recipes/15-test_genrsa.t +++ b/test/recipes/15-test_genrsa.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/20-test_dhparam_check.t b/test/recipes/20-test_dhparam_check.t index 086e9de938..2f1dec1f10 100644 --- a/test/recipes/20-test_dhparam_check.t +++ b/test/recipes/20-test_dhparam_check.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/20-test_mac.t b/test/recipes/20-test_mac.t index 61f6161b0c..fac72cfaaf 100644 --- a/test/recipes/20-test_mac.t +++ b/test/recipes/20-test_mac.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 15bdda91e2..4b0cb40729 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt index b695c64f5b..34d4329735 100644 --- a/test/recipes/30-test_evp_data/evpkdf_x942.txt +++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt index f504dc3e0b..3d31762617 100644 --- a/test/recipes/30-test_evp_data/evprand.txt +++ b/test/recipes/30-test_evp_data/evprand.txt @@ -1,5 +1,5 @@ # -# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t index abd41d756c..eeee29ac5c 100644 --- a/test/recipes/70-test_comp.t +++ b/test/recipes/70-test_comp.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index 7ecba99ee8..ec722c7fcd 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t index 273093244c..7a1b3ba995 100644 --- a/test/recipes/70-test_sslcbcpadding.t +++ b/test/recipes/70-test_sslcbcpadding.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 2d6262f2d4..451ffa671f 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t index 4a0e3e6b78..729a41856d 100644 --- a/test/recipes/70-test_sslrecords.t +++ b/test/recipes/70-test_sslrecords.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t index 609c88e716..48b9e43c3b 100644 --- a/test/recipes/70-test_sslsigalgs.t +++ b/test/recipes/70-test_sslsigalgs.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t index 147dd38bf2..a9a77d5b8f 100644 --- a/test/recipes/70-test_sslsignature.t +++ b/test/recipes/70-test_sslsignature.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t index 0a67fe1006..2123860d9c 100644 --- a/test/recipes/70-test_sslversions.t +++ b/test/recipes/70-test_sslversions.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t index c6c9d25f8d..44d026c202 100644 --- a/test/recipes/70-test_tls13alerts.t +++ b/test/recipes/70-test_tls13alerts.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t index 2036583fda..a4b2a6222b 100644 --- a/test/recipes/70-test_tls13cookie.t +++ b/test/recipes/70-test_tls13cookie.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t index 63902a58e6..9e10a9c9c4 100644 --- a/test/recipes/70-test_tls13downgrade.t +++ b/test/recipes/70-test_tls13downgrade.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 0423bc3c36..845d40aed9 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t index da4f3f3865..44f29055a2 100644 --- a/test/recipes/70-test_tls13kexmodes.t +++ b/test/recipes/70-test_tls13kexmodes.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index 2f750d858b..d24d52e35c 100644 --- a/test/recipes/70-test_tls13psk.t +++ b/test/recipes/70-test_tls13psk.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t index d567b15552..20f980648d 100644 --- a/test/recipes/70-test_tlsextms.t +++ b/test/recipes/70-test_tlsextms.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 1dc76e5fd3..88c3b3c750 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. # Copyright Nokia 2007-2019 # Copyright Siemens AG 2015-2019 # diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t index 667cd55236..03ad986e78 100644 --- a/test/recipes/81-test_cmp_cli.t +++ b/test/recipes/81-test_cmp_cli.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. # Copyright Nokia 2007-2019 # Copyright Siemens AG 2015-2019 # diff --git a/test/recipes/90-test_fipsload.t b/test/recipes/90-test_fipsload.t index 0e08837ad2..1ebf1b8a3c 100644 --- a/test/recipes/90-test_fipsload.t +++ b/test/recipes/90-test_fipsload.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/90-test_tls13ccs.t b/test/recipes/90-test_tls13ccs.t index 3bd65b8ba0..25be04f72e 100644 --- a/test/recipes/90-test_tls13ccs.t +++ b/test/recipes/90-test_tls13ccs.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t index 45b7b8a9aa..7e4037e508 100644 --- a/test/recipes/90-test_tls13encryption.t +++ b/test/recipes/90-test_tls13encryption.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/90-test_tls13secrets.t b/test/recipes/90-test_tls13secrets.t index 13af681bf0..0adef9a9f5 100644 --- a/test/recipes/90-test_tls13secrets.t +++ b/test/recipes/90-test_tls13secrets.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recordlentest.c b/test/recordlentest.c index daf19bb8f3..8567964ce1 100644 --- a/test/recordlentest.c +++ b/test/recordlentest.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/rsa_test.c b/test/rsa_test.c index 095cddd8aa..5e3a66233c 100644 --- a/test/rsa_test.c +++ b/test/rsa_test.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/run_tests.pl b/test/run_tests.pl index aa29888967..3d72a218bf 100644 --- a/test/run_tests.pl +++ b/test/run_tests.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/servername_test.c b/test/servername_test.c index d6fb7b5bb6..ddf0417bc6 100644 --- a/test/servername_test.c +++ b/test/servername_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 BaishanCloud. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/test/srptest.c b/test/srptest.c index ac42094d65..fe3f97b132 100644 --- a/test/srptest.c +++ b/test/srptest.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl-tests/27-ticket-appdata.cnf.in b/test/ssl-tests/27-ticket-appdata.cnf.in index d9e861933f..9117e03e70 100644 --- a/test/ssl-tests/27-ticket-appdata.cnf.in +++ b/test/ssl-tests/27-ticket-appdata.cnf.in @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index 70c5722469..9e9b9a892d 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl_test.c b/test/ssl_test.c index cefcfb569f..9ff766a268 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/stack_test.c b/test/stack_test.c index e59acd353b..3d60ef654e 100644 --- a/test/stack_test.c +++ b/test/stack_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/test/tls-provider.c b/test/tls-provider.c index 64c855f4a9..e8da24be0b 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/util/mkerr.pl b/util/mkerr.pl index 7d912477b8..e297797b6a 100755 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/util/mknum.pl b/util/mknum.pl index 19d9d55108..f661a9122d 100644 --- a/util/mknum.pl +++ b/util/mknum.pl @@ -1,6 +1,6 @@ #! /usr/bin/env perl -# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm index f2517da7d8..66bf30dd50 100644 --- a/util/perl/OpenSSL/Ordinals.pm +++ b/util/perl/OpenSSL/Ordinals.pm @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/util/perl/OpenSSL/ParseC.pm b/util/perl/OpenSSL/ParseC.pm index 0abb469d9a..ee127e88c8 100644 --- a/util/perl/OpenSSL/ParseC.pm +++ b/util/perl/OpenSSL/ParseC.pm @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy From matt at openssl.org Thu Feb 18 15:24:02 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 18 Feb 2021 15:24:02 +0000 Subject: [openssl] master update Message-ID: <1613661842.398998.12899.nullmailer@dev.openssl.org> The branch master has been updated via 937984efc6ed1664e5aeb0e06067d31520066960 (commit) via b467d394eb11ac94500d9f003426f5fa75d60c3c (commit) from a28d06f3e9cbc5594c7985c99a0c6bac5261ae67 (commit) - Log ----------------------------------------------------------------- commit 937984efc6ed1664e5aeb0e06067d31520066960 Author: Matt Caswell Date: Thu Feb 18 15:09:04 2021 +0000 Prepare for 3.0 alpha 13 Reviewed-by: Tomas Mraz commit b467d394eb11ac94500d9f003426f5fa75d60c3c Author: Matt Caswell Date: Thu Feb 18 15:08:53 2021 +0000 Prepare for release of 3.0 alpha 12 Reviewed-by: Tomas Mraz ----------------------------------------------------------------------- Summary of changes: VERSION.dat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION.dat b/VERSION.dat index a39467470d..e54cbf764d 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 PATCH=0 -PRE_RELEASE_TAG=alpha12-dev +PRE_RELEASE_TAG=alpha13-dev BUILD_METADATA= RELEASE_DATE="" SHLIB_VERSION=3 From matt at openssl.org Thu Feb 18 15:24:18 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 18 Feb 2021 15:24:18 +0000 Subject: [openssl] openssl-3.0.0-alpha12 create Message-ID: <1613661858.011485.13867.nullmailer@dev.openssl.org> The annotated tag openssl-3.0.0-alpha12 has been created at ba908b36f412d1a4a26aefee3841e276c09b5413 (tag) tagging b467d394eb11ac94500d9f003426f5fa75d60c3c (commit) replaces openssl-3.0.0-alpha11 tagged by Matt Caswell on Thu Feb 18 15:08:54 2021 +0000 - Log ----------------------------------------------------------------- OpenSSL 3.0.0-alpha12 release tag -----BEGIN PGP SIGNATURE----- iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAugwYRHG1hdHRAb3Bl bnNzbC5vcmcACgkQ2cTSbQ5gRJEqoggAq+1HjMo/su4rXEcxn6kH3kRMJUNKe887 tky9dlzVjCJH7cWQm8tVGlmcvqmYqXvW0Wj2oImKWlrFifcIhQcrhmtw/hDHLd5l zaf/yrILs19B8zenw9gCKEQe1TY2JJ6YorvVXE8GtdgaOl+JMM6LSC69Js+m9Ffl ij7NxZJYGEcdPNlWjdf0kdy5WrrGU7SO4vpKe983LvNWsd8TaOFCghPCruSgpg72 tkFMtoRQeng1ukBivOQf2GTrlzL8OQ9+I7OX4gCh7/WN228uOVaRU23Bot5EP1nR +qkyox8L32zbvivlzEWB+5kq3VSjbLWf5LRhkc50jumwDM00LkyZuQ== =oN+j -----END PGP SIGNATURE----- Armin Fuerst (1): apps/ca: Properly handle certificate expiration times in do_updatedb Beat Bolli (1): README-ENGINES: fix the link to the provider API README Benjamin Kaduk (3): Remove unused 'peer_type' from SSL_SESSION x509_vfy: remove redundant stack allocation RSA: avoid dereferencing possibly-NULL parameter in initializers Daniel Bevenius (1): EVP: fix keygen for EVP_PKEY_RSA_PSS Disconnect3d (1): passwd.c: use the actual ROUNDS_DEFAULT macro Dmitry Belyavskiy (2): DH/DHX parameter check using pkeyparam DSA parameter check using pkeyparam Dr. David von Oheimb (28): obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio() HTTP: Fix mistakes and unclarities on maxline and max_resp_len params HTTP: add more error detection to low-level API Constify OSSL_HTTP_REQ_CTX_get0_mem_bio() OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements openssl.pod: Add documentation for using the loader_attic engine apps/cmp.c: check and exit on engine load error test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack x509_vfy.c: Improve coding style and comments all over the file Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target mknum.pl: Exclude duplicate entries and include source file name in diagnostics x509_vfy.c: Fix various coding style and documentation style nits x509_vfy: Clarify relevance of ctx->error also on successful verification X509_get_pubkey_parameters(): Correct failure behavior and its use x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error) x509_vfy.c: Make chain_build() error diagnostics to the point X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer() X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly apps/ca.c: Make sure ext_ctx structure gets initialized apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 chain_build(): Call verify_cb_cert() if a preliminary error has become final Dr. Matthias St. Pierre (6): Add some missing committers to the AUTHORS list Revise some renamings of NOTES and README files Reformat some NOTES and README files Unify the markdown links to the NOTES and README files Add deprecation note to the README-ENGINES file Add a skeleton README-PROVIDERS file FdaSilvaYY (3): include/crypto: add a few missing #pragma once directives include/openssl: add a few missing #pragma once directives include/internal: add a few missing #pragma once directives Jay Satiro (1): NOTES-WINDOWS: fix typo Job Snijders (2): Add some PKIX-RPKI objects Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature Jon Spillett (1): Switch to BIO_snprintf to avoid missing symbol problems on Windows Juergen Christ (3): Fix cipher reinit on s390x if no key is specified Fix parameter types in sshkdf Remove superfluous EVP_KDF_CTRL_ defines. KOBAYASHI Ittoku (1): Match description with actual output of dgst Matt Caswell (38): Ensure EC keys with a private key but without a public key can be created Test that EC keys without a public key in them work as expected Add a multi-thread test for shared EVP_PKEYs Refactor RAND_get0_primary() locking Avoid races by caching exported ciphers in the init function Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() Ensure access to FIPS_state and rate_limit is appropriately locked Ensure the EVP_PKEY operation_cache is appropriately locked Add a CI job to run the threads test with threads sanitizer on Remove some TODO(OpenSSL1.2) references Remove a DSA related TODO Remove OPENSSL_NO_DH guards from libssl Ensure default supported groups works even with no-ec and no-dh Make supported_groups code independent of EC and DH Stop disabling TLSv1.3 if ec and dh are disabled Check for availability of ciphersuites at run time Remove compile time guard checking from ssl3_get_req_cert_type Add the nist group names as aliases for the normal TLS group names Make sure we don't use sigalgs that are not available Remove OPENSSL_NO_EC guards from libssl Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg Fix the cipher_overhead_test Deprecate the low level SRP APIs Deprecate the libssl level SRP APIs Update documentation following deprecation of SRP Run DH_check_ex() not DH_check_params_ex() when checking params Implement EVP_PKEY_param_check_quick() and use it in libssl Fix the dhparam_check test Document the newly added function EVP_PKEY_param_check_quick() Fix Null pointer deref in X509_issuer_and_serial_hash() Test that X509_issuer_and_serial_hash doesn't crash Refactor rsa_test Fix the RSA_SSLV23_PADDING padding type Fix rsa_test to properly test RSA_SSLV23_PADDING Don't overflow the output length in EVP_CipherUpdate calls Update CHANGES and NEWS for new release Update copyright year Prepare for release of 3.0 alpha 12 Nicola Tuveri (2): [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties [doc/man3][OSSL_ENCODER] Move NOTES to the bottom Oleksandr Tymoshenko (1): Handle partial data re-sending on ktls/sendfile on FreeBSD Pauli (21): Fix a use after free issue when a provider context is being used and isn't cached Fix race condition & allow operation cache to grow. test: turn off parallel tests in verbose mode. test: add an option to output timing information from tests. EVP: fix reference counting for digest operations. CI: add a non-caching CI loop Prov: add an option to force provider fetches to not be cached. EVP: fix reference counting for EVP_CIPHER. test: fix no-cache problem with the quality comparison for KDFs. changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option. test: filter provider honours the no_cache setting. test: add import and export key management hooks for the TLS provider. Add a configure time option to disable the fetch cache. Remove an unnecessary free call. test: DRBG test with long seed. err: generated error files RNG seed: add get_entropy hook for seeding. RNG test: add get_entropy hook for testing. core: add get_entropy and clear_entropy calls to RAND rand: update DRBGs to use the get_entropy call for seeding doc: document the two new RAND functions Petr Gotthard (4): apps/openssl: add -propquery command line option Enhanced integer parsing in OSSL_PARAM_allocate_from_text Fix propquery handling in EVP_DigestSignInit_ex Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client Randall S. Becker (1): Enable fipsload test on NonStop x86. Rich Salz (9): Deprecate X509_certificate_type Deprecate EVP_MD_CTX_{set_}update_fn() Don't make pthreads mutexes recursive. Fetch algorithm after loading providers Fetch alg, etc., after loading providers Load rand state after loading providers Process digest option after loading providers Fetch cipher after loading providers Allow -rand to be repeated Richard Levitte (27): Prepare for 3.0 alpha 12 Fix some odd names in our provider source code PROV: Add SM2 encoders and decoders, as well as support functionality CORE & PROV: clean away OSSL_FUNC_mac_size() EVP: Don't find standard EVP_PKEY_METHODs automatically EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX EC: Reverse the default asn1_flag in a new EC_GROUP EVP: Make EVP_PKEY_set_params() increment the dirty count EVP: Adapt the other EVP_PKEY_set_xxx_param() functions EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key() ERR: clean away everything related to _F_ macros from util/mkerr.pl ERR: Rebuild all generated error headers and source files Remove the old DEPRECATEDIN macros dev/release.sh: Fix typo EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() TEST: Add an algorithm ID tester for libcrypto vs provider DOCS: Remove the "global" dependency on writing .pod files from .pod.in Makefile template: Allow separate generation of .pod.in -> .pod PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID Configuration: ensure that 'no-tests' works correctly Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries DOCS: Update the internal documentation on EVP_PKEY. Configurations/descrip.mms.tmpl: avoid enormous PIPE commands VMS documentation fixes TEST: Add missing initialization Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() Sahana Prasad (1): DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters Shane Lontis (10): Simplify the EVP_PKEY_XXX_fromdata_XX methods. Change the ASN1 variant of x942kdf so that it can test acvp data. Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields. Replace provider cipher flags with separate param fields Replace provider digest flags with separate param fields Remove dead code in rsa_pkey_ctrl. Add docs for ASN1_item_sign and ASN1_item_verify functions Fix external symbols in the provider cipher implementations. Fix external symbols in the provider digest implementations. Fix external symbols related to provider related security checks for keys and digests. Tomas Mraz (16): rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys dh_cms_set_peerkey: Pad the public key to p size Add diacritics to my name in CHANGES.md apps/ecparam: Avoid crash when parameters fail to load provider-signature.pod: Fix formatting. RSA: properly generate algorithm identifier for RSA-PSS signatures Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() CHANGES.md: Mention RSA key generation slowdown related changes Move the PROV_R reason codes to a public header Various cleanup of PROV_R_ reason codes Rename internal providercommonerr.h to less mouthful proverr.h tls_valid_group: Add missing dereference of okfortls13 ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3 Do not match RFC 5114 groups without q as it is significant Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY dsa_check: Perform simple parameter check if seed is not available zekeevans-mf (1): Add deep copy of propq field in mac_dupctx to avoid double free ----------------------------------------------------------------------- From matt at openssl.org Thu Feb 18 15:34:01 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 18 Feb 2021 15:34:01 +0000 Subject: [web] master update Message-ID: <1613662441.303409.3004.nullmailer@dev.openssl.org> The branch master has been updated via 534023923c6dc5b0d26ea9a1fd28456f80afd311 (commit) from 5db03e20c8e936a62f1ee71b7178b4844c5ad838 (commit) - Log ----------------------------------------------------------------- commit 534023923c6dc5b0d26ea9a1fd28456f80afd311 Author: Matt Caswell Date: Thu Feb 18 15:16:04 2021 +0000 Update newsflash for 3.0 alpha 12 release Reviewed-by: Mark J. Cox Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/web/pull/220) ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 16f4f7c..89e7ae8 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +18-Feb-2021: Alpha 12 of OpenSSL 3.0 is now available: please download and test it 16-Feb-2021: OpenSSL 1.1.1j is now available, including bug and security fixes 28-Jan-2021: Alpha 11 of OpenSSL 3.0 is now available: please download and test it 07-Jan-2021: Alpha 10 of OpenSSL 3.0 is now available: please download and test it From dev at ddvo.net Thu Feb 18 15:50:36 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 18 Feb 2021 15:50:36 +0000 Subject: [openssl] master update Message-ID: <1613663436.111505.25588.nullmailer@dev.openssl.org> The branch master has been updated via c1be4d617cf9435e8326ebba643aa4d7cbcb3645 (commit) via daf1300b80443b6bf0dec19085056ec407925d89 (commit) from 937984efc6ed1664e5aeb0e06067d31520066960 (commit) - Log ----------------------------------------------------------------- commit c1be4d617cf9435e8326ebba643aa4d7cbcb3645 Author: Dr. David von Oheimb Date: Wed Feb 17 12:29:39 2021 +0100 Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14039) commit daf1300b80443b6bf0dec19085056ec407925d89 Author: Dr. David von Oheimb Date: Wed Dec 23 16:06:05 2020 +0100 Add internal X509_add_certs_new(), which simplifies matters Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14039) ----------------------------------------------------------------------- Summary of changes: crypto/cmp/cmp_ctx.c | 16 ++++++---------- crypto/cmp/cmp_local.h | 1 + crypto/cmp/cmp_msg.c | 12 ++++-------- crypto/cmp/cmp_protect.c | 17 ++++++----------- crypto/cmp/cmp_util.c | 8 +++----- crypto/cmp/cmp_vfy.c | 1 - crypto/cms/cms_lib.c | 4 ++-- crypto/cms/cms_sd.c | 6 +++--- crypto/ocsp/ocsp_cl.c | 2 +- crypto/ocsp/ocsp_local.h | 2 +- crypto/ocsp/ocsp_srv.c | 2 +- crypto/ocsp/ocsp_vfy.c | 4 ---- crypto/pkcs12/p12_kiss.c | 4 ++-- crypto/pkcs7/pk7_lib.c | 2 +- crypto/x509/x509_cmp.c | 23 +++++++++++++++++------ crypto/x509/x509_vfy.c | 2 +- include/crypto/x509.h | 4 +++- test/helpers/cmp_testlib.h | 1 - 18 files changed, 52 insertions(+), 59 deletions(-) diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index 26274611a8..e65dabe323 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -12,7 +12,6 @@ #include #include #include /* for OCSP_REVOKED_STATUS_* */ -#include "crypto/x509.h" /* for x509v3_cache_extensions() */ #include "cmp_local.h" @@ -65,15 +64,14 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx) */ int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs) { - STACK_OF(X509) *untrusted; + STACK_OF(X509) *untrusted = NULL; + if (ctx == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if ((untrusted = sk_X509_new_null()) == NULL) - return 0; - if (X509_add_certs(untrusted, certs, - X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1) + if (!ossl_x509_add_certs_new(&untrusted, certs, + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) goto err; sk_X509_pop_free(ctx->untrusted, X509_free); ctx->untrusted = untrusted; @@ -731,10 +729,8 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted, return 0; } - if (ctx->untrusted != NULL ? - !X509_add_certs(ctx->untrusted, candidates, - X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) : - !OSSL_CMP_CTX_set1_untrusted(ctx, candidates)) + if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates, + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) return 0; ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert"); diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index c615865864..a4d3cf9ea4 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -23,6 +23,7 @@ # include # include # include +# include "crypto/x509.h" /* * this structure is used to store the context for CMP sessions diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 4e94d5c1fd..36256b3d1d 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -19,7 +19,6 @@ #include #include #include -#include "crypto/x509.h" /* for x509_set0_libctx() */ OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg) { @@ -466,13 +465,10 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL) goto err; - if (sk_X509_num(chain) > 0) { - msg->extraCerts = sk_X509_new_reserve(NULL, sk_X509_num(chain)); - if (msg->extraCerts == NULL - || !X509_add_certs(msg->extraCerts, chain, - X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) - goto err; - } + if (sk_X509_num(chain) > 0 + && !ossl_x509_add_certs_new(&msg->extraCerts, chain, + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) + goto err; if (!unprotectedErrors || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection) diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index fce2ebc468..dcc0232e01 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -134,14 +134,10 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) if (!ossl_assert(ctx != NULL && msg != NULL)) return 0; - if (msg->extraCerts == NULL - && (msg->extraCerts = sk_X509_new_null()) == NULL) - return 0; - /* Add first ctx->cert and its chain if using signature-based protection */ if (!ctx->unprotectedSend && ctx->secretValue == NULL && ctx->cert != NULL && ctx->pkey != NULL) { - int flags_prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP + int prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP | X509_ADD_FLAG_PREPEND | X509_ADD_FLAG_NO_SS; /* if not yet done try to build chain using available untrusted certs */ @@ -162,20 +158,19 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) } } if (ctx->chain != NULL) { - if (!X509_add_certs(msg->extraCerts, ctx->chain, flags_prepend)) + if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->chain, prepend)) return 0; } else { /* make sure that at least our own signer cert is included first */ - if (!X509_add_cert(msg->extraCerts, ctx->cert, flags_prepend)) + if (!ossl_x509_add_cert_new(&msg->extraCerts, ctx->cert, prepend)) return 0; - ossl_cmp_debug(ctx, - "fallback: adding just own CMP signer cert"); + ossl_cmp_debug(ctx, "fallback: adding just own CMP signer cert"); } } /* add any additional certificates from ctx->extraCertsOut */ - if (!X509_add_certs(msg->extraCerts, ctx->extraCertsOut, - X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) + if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->extraCertsOut, + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) return 0; /* in case extraCerts are empty list avoid empty ASN.1 sequence */ diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c index 4f9714a64a..d246047943 100644 --- a/crypto/cmp/cmp_util.c +++ b/crypto/cmp/cmp_util.c @@ -248,11 +248,9 @@ STACK_OF(X509) chain = X509_STORE_CTX_get0_chain(csc); /* result list to store the up_ref'ed not self-signed certificates */ - if ((result = sk_X509_new_null()) == NULL) - goto err; - if (!X509_add_certs(result, chain, - X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP - | X509_ADD_FLAG_NO_SS)) { + if (!ossl_x509_add_certs_new(&result, chain, + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP + | X509_ADD_FLAG_NO_SS)) { sk_X509_free(result); result = NULL; } diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 8b6e856d1a..f525c691de 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -20,7 +20,6 @@ #include #include #include -#include "crypto/x509.h" /* Verify a message protected by signature according to RFC section 5.1.3.3 */ static int verify_signature(const OSSL_CMP_CTX *cmp_ctx, diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 8c4f252ee8..3e2907fc16 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -627,8 +627,8 @@ STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { cch = sk_CMS_CertificateChoices_value(*pcerts, i); if (cch->type == 0) { - if (!X509_add_cert_new(&certs, cch->d.certificate, - X509_ADD_FLAG_UP_REF)) { + if (!ossl_x509_add_cert_new(&certs, cch->d.certificate, + X509_ADD_FLAG_UP_REF)) { sk_X509_pop_free(certs, X509_free); return NULL; } diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 57dd85d561..b0519f3894 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -20,7 +20,7 @@ #include "crypto/evp.h" #include "crypto/cms.h" #include "crypto/ess.h" -#include "crypto/x509.h" /* for X509_add_cert_new() */ +#include "crypto/x509.h" /* for ossl_x509_add_cert_new() */ /* CMS SignedData Utilities */ @@ -509,8 +509,8 @@ STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms) for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { si = sk_CMS_SignerInfo_value(sinfos, i); if (si->signer != NULL) { - if (!X509_add_cert_new(&signers, si->signer, - X509_ADD_FLAG_DEFAULT)) { + if (!ossl_x509_add_cert_new(&signers, si->signer, + X509_ADD_FLAG_DEFAULT)) { sk_X509_free(signers); return NULL; } diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 2d4bd036ad..40d26fb871 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -77,7 +77,7 @@ int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) return 0; if (cert == NULL) return 1; - return X509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF); + return ossl_x509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF); } /* diff --git a/crypto/ocsp/ocsp_local.h b/crypto/ocsp/ocsp_local.h index 1e7de1384f..a7e6e86685 100644 --- a/crypto/ocsp/ocsp_local.h +++ b/crypto/ocsp/ocsp_local.h @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "crypto/x509.h" /* for X509_add_cert_new() */ +#include "crypto/x509.h" /* for ossl_x509_add_cert_new() */ /*- CertID ::= SEQUENCE { * hashAlgorithm AlgorithmIdentifier, diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index 2c8b38f723..4a864f2d79 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -158,7 +158,7 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) { - return X509_add_cert_new(&resp->certs, cert, X509_ADD_FLAG_UP_REF); + return ossl_x509_add_cert_new(&resp->certs, cert, X509_ADD_FLAG_UP_REF); } /* diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index cd9274dd31..544748851f 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -118,10 +118,6 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, goto end; if (!X509_add_certs(untrusted, certs, X509_ADD_FLAG_DEFAULT)) goto end; - } else if (certs != NULL) { - untrusted = certs; - } else { - untrusted = bs->certs; } ret = ocsp_verify_signer(signer, 1, st, flags, untrusted, &chain); if (ret <= 0) diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c index 9b2e8a55c5..140a690cbb 100644 --- a/crypto/pkcs12/p12_kiss.c +++ b/crypto/pkcs12/p12_kiss.c @@ -10,7 +10,7 @@ #include #include "internal/cryptlib.h" #include -#include "crypto/x509.h" /* for X509_add_cert_new() */ +#include "crypto/x509.h" /* for ossl_x509_add_cert_new() */ /* Simplified PKCS#12 routines */ @@ -104,7 +104,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, } if (ca != NULL) { - if (!X509_add_cert_new(ca, x, X509_ADD_FLAG_DEFAULT)) + if (!ossl_x509_add_cert_new(ca, x, X509_ADD_FLAG_DEFAULT)) goto err; continue; } diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index baecff28fa..95aab3368a 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -257,7 +257,7 @@ int PKCS7_add_certificate(PKCS7 *p7, X509 *x509) return 0; } - return X509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF); + return ossl_x509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF); } int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index a74311e92d..c29fe3cc5f 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -175,14 +175,14 @@ int X509_cmp(const X509 *a, const X509 *b) return rv < 0 ? -1 : rv > 0; } -int X509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags) +int ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, X509 *cert, int flags) { - if (*sk == NULL - && (*sk = sk_X509_new_null()) == NULL) { + if (*p_sk == NULL + && (*p_sk = sk_X509_new_null()) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); return 0; } - return X509_add_cert(*sk, cert, flags); + return X509_add_cert(*p_sk, cert, flags); } int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags) @@ -218,14 +218,25 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags) int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags) /* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */ { - int n = sk_X509_num(certs); /* certs may be NULL */ + if (sk == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + return ossl_x509_add_certs_new(&sk, certs, flags); +} + +int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs, + int flags) +/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */ +{ + int n = sk_X509_num(certs /* may be NULL */); int i; for (i = 0; i < n; i++) { int j = (flags & X509_ADD_FLAG_PREPEND) == 0 ? i : n - 1 - i; /* if prepend, add certs in reverse order to keep original order */ - if (!X509_add_cert(sk, sk_X509_value(certs, j), flags)) + if (!ossl_x509_add_cert_new(p_sk, sk_X509_value(certs, j), flags)) return 0; } return 1; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 83dddeeb3d..f4f78eec9d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) return -1; } - if (!X509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) { + if (!ossl_x509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) { ctx->error = X509_V_ERR_OUT_OF_MEM; return -1; } diff --git a/include/crypto/x509.h b/include/crypto/x509.h index 93cb814017..809f6e328e 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -318,7 +318,9 @@ int x509_init_sig_info(X509 *x); int asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type, void *data, unsigned char *md, unsigned int *len, OSSL_LIB_CTX *libctx, const char *propq); -int X509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags); +int ossl_x509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags); +int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs, + int flags); int X509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq, const X509_PUBKEY *key); diff --git a/test/helpers/cmp_testlib.h b/test/helpers/cmp_testlib.h index cb881465bc..681b06ae22 100644 --- a/test/helpers/cmp_testlib.h +++ b/test/helpers/cmp_testlib.h @@ -15,7 +15,6 @@ # include # include # include -# include "crypto/x509.h" /* for x509_set0_libctx() and x509_dup_ex() */ # include "../../crypto/cmp/cmp_local.h" # include "../testutil.h" From levitte at openssl.org Thu Feb 18 15:58:26 2021 From: levitte at openssl.org (Richard Levitte) Date: Thu, 18 Feb 2021 15:58:26 +0000 Subject: [openssl] master update Message-ID: <1613663906.101356.28589.nullmailer@dev.openssl.org> The branch master has been updated via 3262300a2c2351c6706f37b89fef015430988a31 (commit) via 247a1786e25dbf77548168572e383d57aa743af4 (commit) from c1be4d617cf9435e8326ebba643aa4d7cbcb3645 (commit) - Log ----------------------------------------------------------------- commit 3262300a2c2351c6706f37b89fef015430988a31 Author: Richard Levitte Date: Sat Feb 13 06:49:05 2021 +0100 Adjust the few places where the string length was confused Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14168) commit 247a1786e25dbf77548168572e383d57aa743af4 Author: Richard Levitte Date: Fri Feb 12 20:30:40 2021 +0100 OSSL_PARAM: Correct the assumptions on the UTF8 string length When the string "ABCDEFGH" is passed, what's considered its data, this? { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' } or this? { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', '\0' } If it's passed as a pass phrase, should the terminating NUL byte be considered part of the pass phrase, or not? Our treatment of OSSL_PARAMs with the data type OSSL_PARAM_UTF8_STRING set the length of the string to include the terminating NUL byte, which is quite confusing. What should the recipient of such a string believe? Instead of perpetuating this confusion, we change the assumption to set the OSSL_PARAM to the length of the string, not including the terminating NUL byte, thereby giving it the same value as a strlen() call would give. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14168) ----------------------------------------------------------------------- Summary of changes: crypto/params.c | 57 +++++++++++++++++++------- doc/man3/OSSL_PARAM.pod | 7 ++++ doc/man3/OSSL_PARAM_int.pod | 20 +++++---- doc/man7/EVP_KDF-SSHKDF.pod | 2 +- providers/fips/self_test.c | 3 +- providers/implementations/rands/drbg_ctr.c | 10 +++-- test/evp_kdf_test.c | 19 ++++----- test/params_api_test.c | 5 ++- test/params_test.c | 66 +++++++++++++++--------------- 9 files changed, 113 insertions(+), 76 deletions(-) diff --git a/crypto/params.c b/crypto/params.c index e28affe708..a3263e93c3 100644 --- a/crypto/params.c +++ b/crypto/params.c @@ -1070,15 +1070,21 @@ OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf) return ossl_param_construct(key, OSSL_PARAM_REAL, buf, sizeof(double)); } -static int get_string_internal(const OSSL_PARAM *p, void **val, size_t max_len, - size_t *used_len, unsigned int type) +static int get_string_internal(const OSSL_PARAM *p, void **val, + size_t *max_len, size_t *used_len, + unsigned int type) { - size_t sz; + size_t sz, alloc_sz; if ((val == NULL && used_len == NULL) || p == NULL || p->data_type != type) return 0; sz = p->data_size; + /* + * If the input size is 0, or the input string needs NUL byte + * termination, allocate an extra byte. + */ + alloc_sz = sz + (type == OSSL_PARAM_UTF8_STRING || sz == 0); if (used_len != NULL) *used_len = sz; @@ -1090,16 +1096,15 @@ static int get_string_internal(const OSSL_PARAM *p, void **val, size_t max_len, return 1; if (*val == NULL) { - char *const q = OPENSSL_malloc(sz > 0 ? sz : 1); + char *const q = OPENSSL_malloc(alloc_sz); if (q == NULL) return 0; *val = q; - if (sz != 0) - memcpy(q, p->data, sz); - return 1; + *max_len = alloc_sz; } - if (max_len < sz) + + if (*max_len < sz) return 0; memcpy(*val, p->data, sz); return 1; @@ -1107,14 +1112,35 @@ static int get_string_internal(const OSSL_PARAM *p, void **val, size_t max_len, int OSSL_PARAM_get_utf8_string(const OSSL_PARAM *p, char **val, size_t max_len) { - return get_string_internal(p, (void **)val, max_len, NULL, - OSSL_PARAM_UTF8_STRING); + int ret = get_string_internal(p, (void **)val, &max_len, NULL, + OSSL_PARAM_UTF8_STRING); + + /* + * We try to ensure that the copied string is terminated with a + * NUL byte. That should be easy, just place a NUL byte at + * |((char*)*val)[p->data_size]|. + * Unfortunately, we have seen cases where |p->data_size| doesn't + * correctly reflect the length of the string, and just happens + * to be out of bounds according to |max_len|, so in that case, we + * make the extra step of trying to find the true length of the + * string that |p->data| points at, and use that as an index to + * place the NUL byte in |*val|. + */ + size_t data_length = p->data_size; + + if (data_length >= max_len) + data_length = OPENSSL_strnlen(p->data, data_length); + if (data_length >= max_len) + return 0; /* No space for a terminating NUL byte */ + ((char *)*val)[data_length] = '\0'; + + return ret; } int OSSL_PARAM_get_octet_string(const OSSL_PARAM *p, void **val, size_t max_len, size_t *used_len) { - return get_string_internal(p, val, max_len, used_len, + return get_string_internal(p, val, &max_len, used_len, OSSL_PARAM_OCTET_STRING); } @@ -1128,6 +1154,9 @@ static int set_string_internal(OSSL_PARAM *p, const void *val, size_t len, return 0; memcpy(p->data, val, len); + /* If possible within the size of p->data, add a NUL terminator byte */ + if (type == OSSL_PARAM_UTF8_STRING && p->data_size > len) + ((char *)p->data)[len] = '\0'; return 1; } @@ -1139,7 +1168,7 @@ int OSSL_PARAM_set_utf8_string(OSSL_PARAM *p, const char *val) p->return_size = 0; if (val == NULL) return 0; - return set_string_internal(p, val, strlen(val) + 1, OSSL_PARAM_UTF8_STRING); + return set_string_internal(p, val, strlen(val), OSSL_PARAM_UTF8_STRING); } int OSSL_PARAM_set_octet_string(OSSL_PARAM *p, const void *val, @@ -1158,7 +1187,7 @@ OSSL_PARAM OSSL_PARAM_construct_utf8_string(const char *key, char *buf, size_t bsize) { if (buf != NULL && bsize == 0) - bsize = strlen(buf) + 1; + bsize = strlen(buf); return ossl_param_construct(key, OSSL_PARAM_UTF8_STRING, buf, bsize); } @@ -1207,7 +1236,7 @@ int OSSL_PARAM_set_utf8_ptr(OSSL_PARAM *p, const char *val) return 0; p->return_size = 0; return set_ptr_internal(p, val, OSSL_PARAM_UTF8_PTR, - val == NULL ? 0 : strlen(val) + 1); + val == NULL ? 0 : strlen(val)); } int OSSL_PARAM_set_octet_ptr(OSSL_PARAM *p, const void *val, diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod index fdf376a206..99f4e2ce62 100644 --- a/doc/man3/OSSL_PARAM.pod +++ b/doc/man3/OSSL_PARAM.pod @@ -97,6 +97,13 @@ setting parameters) or shall (when requesting parameters) be stored, and I is its size in bytes. The organization of the data depends on the parameter type and flag. +The I needs special attention with the parameter type +B in relation to C strings. When setting +parameters, the size should be set to the length of the string, not +counting the terminating NUL byte. When requesting parameters, the +size should be set to the size of the buffer to be populated, which +should accomodate enough space for a terminating NUL byte. + When I, it's acceptable for I to be NULL. This can be used by the I to figure out dynamically exactly how much buffer space is needed to store the parameter data. diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index d637d94f8a..25b87014b7 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -184,8 +184,7 @@ size I is created. OSSL_PARAM_construct_utf8_string() is a function that constructs a UTF8 string OSSL_PARAM structure. A parameter with name I, storage I and size I is created. -If I is zero, the string length is determined using strlen(3) + 1 for the -null termination byte. +If I is zero, the string length is determined using strlen(3). Generally pass zero for I instead of calling strlen(3) yourself. OSSL_PARAM_construct_octet_string() is a function that constructs an OCTET @@ -232,15 +231,18 @@ will be assigned the size the parameter's I buffer should have. OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter pointed to by I

. -The string is either stored into I<*val> with a length limit of I or, -in the case when I<*val> is NULL, memory is allocated for the string and -I is ignored. +The string is stored into I<*val> with a size limit of I, +which must be large enough to accomodate a terminating NUL byte, +otherwise this function will fail. +If I<*val> is NULL, memory is allocated for the string and I +is ignored. If memory is allocated by this function, it must be freed by the caller. OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to by I

to the value referenced by I. If the parameter's I field is NULL, then only its I field -will be assigned the size the parameter's I buffer should have. +will be assigned the minimum size the parameter's I buffer should have +to accomodate the string, including a terminating NUL byte. OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter pointed to by I

. @@ -334,11 +336,11 @@ This example is for setting parameters on some object: #include const char *foo = "some string"; - size_t foo_l = strlen(foo) + 1; + size_t foo_l = strlen(foo); const char bar[] = "some other string"; const OSSL_PARAM set[] = { OSSL_PARAM_utf8_ptr("foo", &foo, foo_l), - OSSL_PARAM_utf8_string("bar", bar, sizeof(bar)), + OSSL_PARAM_utf8_string("bar", bar, sizeof(bar) - 1), OSSL_PARAM_END }; @@ -366,7 +368,7 @@ could fill in the parameters like this: if ((p = OSSL_PARAM_locate(params, "foo")) != NULL) OSSL_PARAM_set_utf8_ptr(p, "foo value"); if ((p = OSSL_PARAM_locate(params, "bar")) != NULL) - OSSL_PARAM_set_utf8_ptr(p, "bar value"); + OSSL_PARAM_set_utf8_string(p, "bar value"); if ((p = OSSL_PARAM_locate(params, "cookie")) != NULL) OSSL_PARAM_set_utf8_ptr(p, "cookie value"); diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index f0e113c6c8..a2ff902cce 100644 --- a/doc/man7/EVP_KDF-SSHKDF.pod +++ b/doc/man7/EVP_KDF-SSHKDF.pod @@ -124,7 +124,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, session_id, (size_t)32); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, - type, sizeof(type)); + type, sizeof(type) - 1); *p = OSSL_PARAM_construct_end(); if (EVP_KDF_CTX_set_params(kctx, params) <= 0) /* Error */ diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index aa9bbc770e..1848686ae3 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c @@ -182,8 +182,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex if (ctx == NULL) goto err; - *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, - strlen(DIGEST_NAME) + 1); + *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); *p++ = OSSL_PARAM_construct_octet_string("key", fixed_key, sizeof(fixed_key)); *p = OSSL_PARAM_construct_end(); diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index 127d85a2cc..e10b4378b5 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -685,19 +685,21 @@ static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if ((p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_CIPHER)) != NULL) { const char *base = (const char *)p->data; + size_t ctr_str_len = sizeof("CTR") - 1; + size_t ecb_str_len = sizeof("ECB") - 1; if (p->data_type != OSSL_PARAM_UTF8_STRING - || p->data_size < 3) + || p->data_size < ctr_str_len) return 0; - if (strcasecmp("CTR", base + p->data_size - sizeof("CTR")) != 0) { + if (strcasecmp("CTR", base + p->data_size - ctr_str_len) != 0) { ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER); return 0; } - if ((ecb = OPENSSL_strdup(base)) == NULL) { + if ((ecb = OPENSSL_strndup(base, p->data_size)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } - strcpy(ecb + p->data_size - sizeof("ECB"), "ECB"); + strcpy(ecb + p->data_size - ecb_str_len, "ECB"); EVP_CIPHER_free(ctr->cipher_ecb); EVP_CIPHER_free(ctr->cipher_ctr); ctr->cipher_ctr = EVP_CIPHER_fetch(libctx, base, propquery); diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index 621351f187..cb387bc71d 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -638,7 +638,7 @@ static int test_kdf_ss_hash(void) }; *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - (char *)"sha224", sizeof("sha224")); + (char *)"sha224", 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other, sizeof(other)); @@ -692,7 +692,7 @@ static int test_kdf_x963(void) }; *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - (char *)"sha512", sizeof("sha512")); + (char *)"sha512", 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, shared, sizeof(shared)); @@ -1135,10 +1135,9 @@ static int test_kdf_ss_hmac(void) }; *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, - (char *)OSSL_MAC_NAME_HMAC, - sizeof(OSSL_MAC_NAME_HMAC)); + (char *)OSSL_MAC_NAME_HMAC, 0); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - (char *)"sha256", sizeof("sha256")); + (char *)"sha256", 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other, sizeof(other)); @@ -1182,8 +1181,7 @@ static int test_kdf_ss_kmac(void) }; *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, - (char *)OSSL_MAC_NAME_KMAC128, - sizeof(OSSL_MAC_NAME_KMAC128)); + (char *)OSSL_MAC_NAME_KMAC128, 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other, sizeof(other)); @@ -1239,7 +1237,7 @@ static int test_kdf_sshkdf(void) }; *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - (char *)"sha256", sizeof("sha256")); + (char *)"sha256", 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key, sizeof(key)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, @@ -1247,7 +1245,7 @@ static int test_kdf_sshkdf(void) *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, sessid, sizeof(sessid)); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, - kdftype, sizeof(kdftype)); + kdftype, 0); *p = OSSL_PARAM_construct_end(); ret = @@ -1368,8 +1366,7 @@ static int test_kdf_krb5kdf(void) }; *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, - (char *)"AES-128-CBC", - sizeof("AES-128-CBC")); + (char *)"AES-128-CBC", 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key, sizeof(key)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT, diff --git a/test/params_api_test.c b/test/params_api_test.c index 0a68b9c462..2d69b5c327 100644 --- a/test/params_api_test.c +++ b/test/params_api_test.c @@ -538,7 +538,7 @@ static int test_param_construct(void) bufp = NULL; if (!TEST_ptr(cp = OSSL_PARAM_locate(params, "utf8str")) || !TEST_true(OSSL_PARAM_set_utf8_string(cp, "abcdef")) - || !TEST_size_t_eq(cp->return_size, sizeof("abcdef")) + || !TEST_size_t_eq(cp->return_size, sizeof("abcdef") - 1) || !TEST_true(OSSL_PARAM_get_utf8_string(cp, &bufp, 0)) || !TEST_str_eq(bufp, "abcdef")) goto err; @@ -548,10 +548,11 @@ static int test_param_construct(void) || !TEST_str_eq(buf2, "abcdef")) goto err; /* UTF8 pointer */ + /* Note that the size of a UTF8 string does *NOT* include the NUL byte */ bufp = buf; if (!TEST_ptr(cp = OSSL_PARAM_locate(params, "utf8ptr")) || !TEST_true(OSSL_PARAM_set_utf8_ptr(cp, "tuvwxyz")) - || !TEST_size_t_eq(cp->return_size, sizeof("tuvwxyz")) + || !TEST_size_t_eq(cp->return_size, sizeof("tuvwxyz") - 1) || !TEST_str_eq(bufp, "tuvwxyz") || !TEST_true(OSSL_PARAM_get_utf8_ptr(cp, (const char **)&bufp2)) || !TEST_ptr_eq(bufp2, bufp)) diff --git a/test/params_test.c b/test/params_test.c index 9729ab892b..dd2d13b862 100644 --- a/test/params_test.c +++ b/test/params_test.c @@ -141,9 +141,20 @@ static int raw_set_params(void *vobj, const OSSL_PARAM *params) if (!TEST_ptr(obj->p4 = OPENSSL_strndup(params->data, params->data_size))) return 0; + obj->p4_l = strlen(obj->p4); } else if (strcmp(params->key, "p5") == 0) { - strncpy(obj->p5, params->data, params->data_size); - obj->p5_l = strlen(obj->p5) + 1; + /* + * Protect obj->p5 against too much data. This should not + * happen, we don't use that long strings. + */ + size_t data_length = + OPENSSL_strnlen(params->data, params->data_size); + + if (!TEST_size_t_lt(data_length, sizeof(obj->p5))) + return 0; + strncpy(obj->p5, params->data, data_length); + obj->p5[data_length] = '\0'; + obj->p5_l = strlen(obj->p5); } else if (strcmp(params->key, "p6") == 0) { obj->p6 = *(const char **)params->data; obj->p6_l = params->data_size; @@ -164,36 +175,22 @@ static int raw_get_params(void *vobj, OSSL_PARAM *params) params->return_size = sizeof(obj->p2); *(double *)params->data = obj->p2; } else if (strcmp(params->key, "p3") == 0) { - size_t bytes = BN_num_bytes(obj->p3); - - params->return_size = bytes; - if (!TEST_size_t_ge(params->data_size, bytes)) + params->return_size = BN_num_bytes(obj->p3); + if (!TEST_size_t_ge(params->data_size, params->return_size)) return 0; - BN_bn2nativepad(obj->p3, params->data, bytes); + BN_bn2nativepad(obj->p3, params->data, params->return_size); } else if (strcmp(params->key, "p4") == 0) { - size_t bytes = strlen(obj->p4) + 1; - - params->return_size = bytes; - if (!TEST_size_t_ge(params->data_size, bytes)) + params->return_size = strlen(obj->p4); + if (!TEST_size_t_gt(params->data_size, params->return_size)) return 0; strcpy(params->data, obj->p4); } else if (strcmp(params->key, "p5") == 0) { - size_t bytes = strlen(obj->p5) + 1; - - params->return_size = bytes; - if (!TEST_size_t_ge(params->data_size, bytes)) + params->return_size = strlen(obj->p5); + if (!TEST_size_t_gt(params->data_size, params->return_size)) return 0; strcpy(params->data, obj->p5); } else if (strcmp(params->key, "p6") == 0) { - /* - * We COULD also use OPENSSL_FULL_VERSION_STR directly and - * use sizeof(OPENSSL_FULL_VERSION_STR) instead of calling - * strlen(). - * The caller wouldn't know the difference. - */ - size_t bytes = strlen(obj->p6) + 1; - - params->return_size = bytes; + params->return_size = strlen(obj->p6); *(const char **)params->data = obj->p6; } @@ -229,12 +226,12 @@ static int api_set_params(void *vobj, const OSSL_PARAM *params) char *p5_ptr = obj->p5; if (!TEST_true(OSSL_PARAM_get_utf8_string(p, &p5_ptr, sizeof(obj->p5)))) return 0; - obj->p5_l = strlen(obj->p5) + 1; + obj->p5_l = strlen(obj->p5); } if ((p = OSSL_PARAM_locate_const(params, "p6")) != NULL) { if (!TEST_true(OSSL_PARAM_get_utf8_ptr(p, &obj->p6))) return 0; - obj->p6_l = strlen(obj->p6) + 1; + obj->p6_l = strlen(obj->p6); } return 1; @@ -353,8 +350,8 @@ static OSSL_PARAM static_raw_params[] = { { "p3", OSSL_PARAM_UNSIGNED_INTEGER, &bignumbin, sizeof(bignumbin), 0 }, { "p4", OSSL_PARAM_UTF8_STRING, &app_p4, sizeof(app_p4), 0 }, { "p5", OSSL_PARAM_UTF8_STRING, &app_p5, sizeof(app_p5), 0 }, - /* sizeof(app_p6_init), because we know that's what we're using */ - { "p6", OSSL_PARAM_UTF8_PTR, &app_p6, sizeof(app_p6_init), 0 }, + /* sizeof(app_p6_init) - 1, because we know that's what we're using */ + { "p6", OSSL_PARAM_UTF8_PTR, &app_p6, sizeof(app_p6_init) - 1, 0 }, { "foo", OSSL_PARAM_OCTET_STRING, &foo, sizeof(foo), 0 }, { NULL, 0, NULL, 0, 0 } }; @@ -366,7 +363,8 @@ static OSSL_PARAM static_api_params[] = { OSSL_PARAM_DEFN("p4", OSSL_PARAM_UTF8_STRING, &app_p4, sizeof(app_p4)), OSSL_PARAM_DEFN("p5", OSSL_PARAM_UTF8_STRING, &app_p5, sizeof(app_p5)), /* sizeof(app_p6_init), because we know that's what we're using */ - OSSL_PARAM_DEFN("p6", OSSL_PARAM_UTF8_PTR, &app_p6, sizeof(app_p6_init)), + OSSL_PARAM_DEFN("p6", OSSL_PARAM_UTF8_PTR, &app_p6, + sizeof(app_p6_init) - 1), OSSL_PARAM_DEFN("foo", OSSL_PARAM_OCTET_STRING, &foo, sizeof(foo)), OSSL_PARAM_END }; @@ -461,10 +459,12 @@ static int test_case_variant(OSSL_PARAM *params, const struct provider_dispatch_ || !TEST_BN_eq(app_p3, verify_p3) /* "provider" value */ || !TEST_str_eq(app_p4, p4_init) /* "provider" value */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "p5")) - || !TEST_size_t_eq(p->return_size, sizeof(p5_init)) /* "provider" value */ + || !TEST_size_t_eq(p->return_size, + sizeof(p5_init) - 1) /* "provider" value */ || !TEST_str_eq(app_p5, p5_init) /* "provider" value */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "p6")) - || !TEST_size_t_eq(p->return_size, sizeof(p6_init)) /* "provider" value */ + || !TEST_size_t_eq(p->return_size, + sizeof(p6_init) - 1) /* "provider" value */ || !TEST_str_eq(app_p6, p6_init) /* "provider" value */ || !TEST_char_eq(foo[0], app_foo_init) /* Should remain untouched */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "foo"))) @@ -511,11 +511,11 @@ static int test_case_variant(OSSL_PARAM *params, const struct provider_dispatch_ || !TEST_str_eq(app_p4, app_p4_init) /* app value */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "p5")) || !TEST_size_t_eq(p->return_size, - sizeof(app_p5_init)) /* app value */ + sizeof(app_p5_init) - 1) /* app value */ || !TEST_str_eq(app_p5, app_p5_init) /* app value */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "p6")) || !TEST_size_t_eq(p->return_size, - sizeof(app_p6_init)) /* app value */ + sizeof(app_p6_init) - 1) /* app value */ || !TEST_str_eq(app_p6, app_p6_init) /* app value */ || !TEST_char_eq(foo[0], app_foo_init) /* Should remain untouched */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "foo"))) From matt at openssl.org Thu Feb 18 16:18:33 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 18 Feb 2021 16:18:33 +0000 Subject: [openssl] master update Message-ID: <1613665113.194401.21205.nullmailer@dev.openssl.org> The branch master has been updated via 70793dbbb983b0f95da30b79e8c8744289062499 (commit) via 3a2171f6aa0f72ca95210fa80d92214315d1e744 (commit) from 3262300a2c2351c6706f37b89fef015430988a31 (commit) - Log ----------------------------------------------------------------- commit 70793dbbb983b0f95da30b79e8c8744289062499 Author: Matt Caswell Date: Sat Feb 13 14:24:15 2021 +0000 Pass the object type and data structure from the pem2der decoder The pem2der decoder can infer certain information about the endoded der data based on the PEM headers. This information should be passed to the next decoders in the chain to ensure we end up loading the correct type of thing. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14191) commit 3a2171f6aa0f72ca95210fa80d92214315d1e744 Author: Matt Caswell Date: Thu Feb 11 16:32:58 2021 +0000 Don't forget the type of thing we are loading The apps helper function load_key_certs_crls() is a general purpose function for loading different types of objects from a given URI. It sets up an OSSL_STORE and calls OSSL_STORE_expect() so that the store knows what type of thing to expect to load. Unfortunately this wasn't working and was always setting "expect" to 0 - which means "anything". Fixes #13709 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14191) ----------------------------------------------------------------------- Summary of changes: apps/lib/apps.c | 37 +++++++++---- crypto/store/store_result.c | 10 +++- .../implementations/encode_decode/decode_pem2der.c | 64 +++++++++++++++++----- test/recipes/20-test_cli_fips.t | 59 ++++++++++++++++---- 4 files changed, 132 insertions(+), 38 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index f53f1b2003..7c1015737d 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -730,11 +730,11 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, return 0; } - if (pcerts != NULL && *pcerts == NULL - && (*pcerts = sk_X509_new_null()) == NULL) { - BIO_printf(bio_err, "Out of memory loading"); - goto end; - } else { + if (pcerts != NULL) { + if (*pcerts == NULL && (*pcerts = sk_X509_new_null()) == NULL) { + BIO_printf(bio_err, "Out of memory loading"); + goto end; + } cnt_expectations++; expect = OSSL_STORE_INFO_CERT; } @@ -743,11 +743,11 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, cnt_expectations++; expect = OSSL_STORE_INFO_CRL; } - if (pcrls != NULL && *pcrls == NULL - && (*pcrls = sk_X509_CRL_new_null()) == NULL) { - BIO_printf(bio_err, "Out of memory loading"); - goto end; - } else { + if (pcrls != NULL) { + if (*pcrls == NULL && (*pcrls = sk_X509_CRL_new_null()) == NULL) { + BIO_printf(bio_err, "Out of memory loading"); + goto end; + } cnt_expectations++; expect = OSSL_STORE_INFO_CRL; } @@ -787,8 +787,21 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); int type, ok = 1; - if (info == NULL) - break; + /* + * This can happen (for example) if we attempt to load a file with + * multiple different types of things in it - but the thing we just + * tried to load wasn't one of the ones we wanted, e.g. if we're trying + * to load a certificate but the file has both the private key and the + * certificate in it. We just retry until eof. + */ + if (info == NULL) { + if (OSSL_STORE_error(ctx)) { + ERR_print_errors(bio_err); + ERR_clear_error(); + } + continue; + } + type = OSSL_STORE_INFO_get_type(info); switch (type) { case OSSL_STORE_INFO_PKEY: diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index b79126e1cb..64b0e814b3 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -62,6 +62,7 @@ struct extracted_param_data_st { int object_type; const char *data_type; + const char *data_structure; const char *utf8_data; const void *octet_data; size_t octet_data_size; @@ -128,6 +129,10 @@ int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg) &helper_data.octet_data_size) && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data)) return 0; + p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE); + if (p != NULL + && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure)) + return 0; p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE); if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref, &helper_data.ref_size)) @@ -274,8 +279,9 @@ static EVP_PKEY *try_key_value(struct extracted_param_data_st *data, } decoderctx = - OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", NULL, data->data_type, - selection, libctx, propq); + OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", data->data_structure, + data->data_type, selection, libctx, + propq); (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg); /* No error if this couldn't be decoded */ diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c index 73973e13ff..895015a56b 100644 --- a/providers/implementations/encode_decode/decode_pem2der.c +++ b/providers/implementations/encode_decode/decode_pem2der.c @@ -17,6 +17,7 @@ #include #include +#include #include #include #include @@ -114,20 +115,23 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, OSSL_CALLBACK *data_cb, void *data_cbarg, OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) { - /* Strings to peal off the pem name */ - static const char *pealable_pem_name_endings[] = { + /* Strings to peel off the pem name */ + static struct peelablee_pem_name_endings_st { + const char *ending; + const char *data_structure; + } peelable_pem_name_endings[] = { /* * These entries should be in longest to shortest order to avoid * mixups. */ - "ENCRYPTED PRIVATE KEY", - "PRIVATE KEY", - "PUBLIC KEY", - "PARAMETERS" + { "ENCRYPTED PRIVATE KEY", "pkcs8" }, + { "PRIVATE KEY", "pkcs8" }, + { "PUBLIC KEY", "SubjectPublicKeyInfo" }, + { "PARAMETERS", NULL } /* * Libcrypto currently only supports decoding keys with provider side - * decoders, so we don't try to peal any other PEM name. That's an + * decoders, so we don't try to peel any other PEM name. That's an * exercise for when libcrypto starts to treat other types of objects * via providers. */ @@ -138,6 +142,8 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, unsigned char *der = NULL; long der_len = 0; int ok = 0; + int objtype = OSSL_OBJECT_UNKNOWN; + const char *data_structure = NULL; if (read_pem(ctx->provctx, cin, &pem_name, &pem_header, &der, &der_len) <= 0) @@ -166,15 +172,15 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, * no further purpose. */ for (i = 0, pem_name_len = strlen(pem_name); - i < OSSL_NELEM(pealable_pem_name_endings); + i < OSSL_NELEM(peelable_pem_name_endings); i++) { - size_t peal_len = strlen(pealable_pem_name_endings[i]); + size_t peel_len = strlen(peelable_pem_name_endings[i].ending); size_t pem_name_offset; - if (peal_len <= pem_name_len) { - pem_name_offset = pem_name_len - peal_len; + if (peel_len <= pem_name_len) { + pem_name_offset = pem_name_len - peel_len; if (strcmp(pem_name + pem_name_offset, - pealable_pem_name_endings[i]) == 0) { + peelable_pem_name_endings[i].ending) == 0) { do { pem_name[pem_name_offset] = '\0'; @@ -185,21 +191,53 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, OPENSSL_free(pem_name); pem_name = NULL; } + /* All of these peelable endings are for EVP_PKEYs */ + objtype = OSSL_OBJECT_PKEY; + if (pem_name == NULL) { + data_structure = peelable_pem_name_endings[i].data_structure; + if (data_structure == NULL) + goto end; + } else { + /* + * If there is an algorithm name prefix then it is a + * type-specific data structure + */ + data_structure = "type-specific"; + } break; } } } + /* If we don't know the object type yet check if it's one we know about */ + if (objtype == OSSL_OBJECT_UNKNOWN) { + if (strcmp(pem_name, PEM_STRING_X509) == 0 + || strcmp(pem_name, PEM_STRING_X509_TRUSTED) == 0 + || strcmp(pem_name, PEM_STRING_X509_OLD) == 0) + objtype = OSSL_OBJECT_CERT; + else if (strcmp(pem_name, PEM_STRING_X509_CRL) == 0) + objtype = OSSL_OBJECT_CRL; + } + { - OSSL_PARAM params[3], *p = params; + OSSL_PARAM params[5], *p = params; if (pem_name != NULL) *p++ = OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, pem_name, 0); + + /* We expect this to be read only so casting away the const is ok */ + if (data_structure != NULL) + *p++ = + OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_STRUCTURE, + (char *)data_structure, 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_DATA, der, der_len); + *p++ = + OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &objtype); + *p = OSSL_PARAM_construct_end(); ok = data_cb(params, data_cbarg); diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t index 364c9d2bde..591b497027 100644 --- a/test/recipes/20-test_cli_fips.t +++ b/test/recipes/20-test_cli_fips.t @@ -64,11 +64,27 @@ ok(run(app(['openssl', 'list', '-asymcipher-algorithms', '-verbose'])), ok(run(app(['openssl', 'list', '-key-managers', '-verbose', '-select', 'DSA' ])), "provider listing of one item in the keymanager"); +sub pubfrompriv { + my $prefix = shift; + my $key = shift; + my $pub_key = shift; + my $type = shift; + + ok(run(app(['openssl', 'pkey', + '-in', $key, + '-pubout', + '-out', $pub_key])), + $prefix.': '."Create the public key with $type parameters"); + +} + my $tsignverify_count = 8; sub tsignverify { my $prefix = shift; my $fips_key = shift; + my $fips_pub_key = shift; my $nonfips_key = shift; + my $nonfips_pub_key = shift; my $fips_sigfile = $prefix.'.fips.sig'; my $nonfips_sigfile = $prefix.'.nonfips.sig'; my $sigfile = ''; @@ -88,7 +104,7 @@ sub tsignverify { $testtext = $prefix.': '. 'Verify something with a FIPS key'; ok(run(app(['openssl', 'dgst', '-sha256', - '-verify', $fips_key, + '-verify', $fips_pub_key, '-signature', $sigfile, $tbs_data])), $testtext); @@ -97,7 +113,7 @@ sub tsignverify { 'Verify a valid signature against the wrong data with a FIPS key'. ' (should fail)'; ok(!run(app(['openssl', 'dgst', '-sha256', - '-verify', $fips_key, + '-verify', $fips_pub_key, '-signature', $sigfile, $bogus_data])), $testtext); @@ -118,7 +134,7 @@ sub tsignverify { 'Verify something with a non-FIPS key'. ' with the default provider'; ok(run(app(['openssl', 'dgst', '-sha256', - '-verify', $nonfips_key, + '-verify', $nonfips_pub_key, '-signature', $sigfile, $tbs_data])), $testtext); @@ -138,7 +154,7 @@ sub tsignverify { 'Verify something with a non-FIPS key'. ' (should fail)'; ok(!run(app(['openssl', 'dgst', '-sha256', - '-verify', $nonfips_key, + '-verify', $nonfips_pub_key, '-signature', $sigfile, $tbs_data])), $testtext); @@ -147,7 +163,7 @@ sub tsignverify { 'Verify a valid signature against the wrong data with a non-FIPS key'. ' (should fail)'; ok(!run(app(['openssl', 'dgst', '-sha256', - '-verify', $nonfips_key, + '-verify', $nonfips_pub_key, '-signature', $sigfile, $bogus_data])), $testtext); @@ -161,12 +177,14 @@ SKIP : { my $testtext_prefix = 'EC'; my $a_fips_curve = 'prime256v1'; my $fips_key = $testtext_prefix.'.fips.priv.pem'; + my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; my $a_nonfips_curve = 'brainpoolP256r1'; my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; + my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; my $testtext = ''; my $curvename = ''; - plan tests => 3 + $tsignverify_count; + plan tests => 5 + $tsignverify_count; $ENV{OPENSSL_CONF} = $defaultconf; $curvename = $a_nonfips_curve; @@ -177,6 +195,8 @@ SKIP : { '-out', $nonfips_key])), $testtext); + pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); + $ENV{OPENSSL_CONF} = $fipsconf; $curvename = $a_fips_curve; @@ -187,6 +207,8 @@ SKIP : { '-out', $fips_key])), $testtext); + pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); + $curvename = $a_nonfips_curve; $testtext = $testtext_prefix.': '. 'Generate a key with a non-FIPS algorithm'. @@ -196,7 +218,8 @@ SKIP : { '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), $testtext); - tsignverify($testtext_prefix, $fips_key, $nonfips_key); + tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, + $nonfips_pub_key); }; } @@ -207,10 +230,12 @@ SKIP: { subtest RSA => sub { my $testtext_prefix = 'RSA'; my $fips_key = $testtext_prefix.'.fips.priv.pem'; + my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; + my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; my $testtext = ''; - plan tests => 3 + $tsignverify_count; + plan tests => 5 + $tsignverify_count; $ENV{OPENSSL_CONF} = $defaultconf; $testtext = $testtext_prefix.': '. @@ -220,6 +245,8 @@ SKIP: { '-out', $nonfips_key])), $testtext); + pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); + $ENV{OPENSSL_CONF} = $fipsconf; $testtext = $testtext_prefix.': '. @@ -229,6 +256,8 @@ SKIP: { '-out', $fips_key])), $testtext); + pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); + $testtext = $testtext_prefix.': '. 'Generate a key with a non-FIPS algorithm'. ' (should fail)'; @@ -237,7 +266,8 @@ SKIP: { '-out', $testtext_prefix.'.fail.priv.pem'])), $testtext); - tsignverify($testtext_prefix, $fips_key, $nonfips_key); + tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, + $nonfips_pub_key); }; } @@ -248,12 +278,14 @@ SKIP : { subtest DSA => sub { my $testtext_prefix = 'DSA'; my $fips_key = $testtext_prefix.'.fips.priv.pem'; + my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; + my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; my $testtext = ''; my $fips_param = $testtext_prefix.'.fips.param.pem'; my $nonfips_param = $testtext_prefix.'.nonfips.param.pem'; - plan tests => 6 + $tsignverify_count; + plan tests => 8 + $tsignverify_count; $ENV{OPENSSL_CONF} = $defaultconf; @@ -295,6 +327,8 @@ SKIP : { '-out', $nonfips_key])), $testtext); + pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); + $ENV{OPENSSL_CONF} = $fipsconf; $testtext = $testtext_prefix.': '. @@ -305,6 +339,8 @@ SKIP : { '-out', $fips_key])), $testtext); + pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); + $testtext = $testtext_prefix.': '. 'Generate a key with non-FIPS parameters'. ' (should fail)'; @@ -314,6 +350,7 @@ SKIP : { '-out', $testtext_prefix.'.fail.priv.pem'])), $testtext); - tsignverify($testtext_prefix, $fips_key, $nonfips_key); + tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, + $nonfips_pub_key); }; } From tomas at openssl.org Thu Feb 18 16:22:03 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 18 Feb 2021 16:22:03 +0000 Subject: [openssl] master update Message-ID: <1613665323.453858.22820.nullmailer@dev.openssl.org> The branch master has been updated via 458d168cd48ab57ffd8e6c8322073e4a77d03d26 (commit) via 125107e8ea9110e9cfae493a27b58f8704d390e9 (commit) from 70793dbbb983b0f95da30b79e8c8744289062499 (commit) - Log ----------------------------------------------------------------- commit 458d168cd48ab57ffd8e6c8322073e4a77d03d26 Author: Georg H?llrigl Date: Fri Feb 12 19:26:20 2021 +0100 rfc2606 compliant example domains for x509v3_config.pod Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14210) commit 125107e8ea9110e9cfae493a27b58f8704d390e9 Author: georg-x Date: Fri Feb 12 19:15:00 2021 +0100 Various improvements of doc/man5/x509v3_config.pod include is the better word Co-authored-by: kaduk Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14210) ----------------------------------------------------------------------- Summary of changes: doc/man5/x509v3_config.pod | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 134051da9a..f8bc6d0ff1 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -79,8 +79,8 @@ section. In this example: subjectAltName = @alt_section [alt_section] - email = steve at here - email = steve at there + email = steve at example.com + email = steve at example.org will only recognize the last value. To specify multiple values append a numeric identifier, as shown here: @@ -89,8 +89,8 @@ numeric identifier, as shown here: subjectAltName = @alt_section [alt_section] - email.1 = steve at here - email.2 = steve at there + email.1 = steve at example.com + email.2 = steve at example.org The syntax of raw extensions is defined by the source code that parses the extension but should be documened. @@ -237,13 +237,13 @@ using the syntax in L. Examples: - subjectAltName = email:copy, email:my at other.address, URI:http://my.url.here/ + subjectAltName = email:copy, email:my at example.com, URI:http://my.example.com/ subjectAltName = IP:192.168.7.1 subjectAltName = IP:13::17 - subjectAltName = email:my at other.address, RID:1.2.3.4 + subjectAltName = email:my at example.com, RID:1.2.3.4 subjectAltName = otherName:1.2.3.4;UTF8:some other identifier @@ -284,9 +284,17 @@ B, where B is an object identifier (although only a few values are well-known) and B has the same syntax as subject alternative name (except that B is not supported). +Possible values for access_id include B (OCSP responder), +B (CA Issuers), +B (AD Time Stamping), +B (ad dvcs), +B (CA Repository). + Examples: - authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ + authorityInfoAccess = OCSP;URI:http://ocsp.example.com/,caIssuers;URI:http://myca.example.com/ca.cer + + authorityInfoAccess = OCSP;URI:http://ocsp.example.com/ =head2 CRL distribution points @@ -330,9 +338,9 @@ Only one of B or B should be specified. Simple examples: - crlDistributionPoints = URI:http://myhost.com/myca.crl + crlDistributionPoints = URI:http://example.com/myca.crl - crlDistributionPoints = URI:http://my.com/my.crl, URI:http://oth.com/my.crl + crlDistributionPoints = URI:http://example.com/myca.crl, URI:http://example.org/my.crl Full distribution point example: @@ -340,7 +348,7 @@ Full distribution point example: crlDistributionPoints = crldp1_section [crldp1_section] - fullname = URI:http://myhost.com/myca.crl + fullname = URI:http://example.com/myca.crl CRLissuer = dirName:issuer_sect reasons = keyCompromise, CACompromise @@ -386,7 +394,7 @@ Example: issuingDistributionPoint = critical, @idp_section [idp_section] - fullname = URI:http://myhost.com/myca.crl + fullname = URI:http://example.com/myca.crl indirectCRL = TRUE onlysomereasons = keyCompromise, CACompromise @@ -429,8 +437,8 @@ Example: [polsect] policyIdentifier = 1.3.5.8 - CPS.1 = "http://my.host.name/" - CPS.2 = "http://my.your.name/" + CPS.1 = "http://my.host.example.com/" + CPS.2 = "http://my.your.example.com/" userNotice.1 = @notice [notice] @@ -475,7 +483,7 @@ Examples: nameConstraints = permitted;IP:192.168.0.0/255.255.0.0 - nameConstraints = permitted;email:.somedomain.com + nameConstraints = permitted;email:.example.com nameConstraints = excluded;email:.com From no-reply at appveyor.com Thu Feb 18 16:40:20 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 18 Feb 2021 16:40:20 +0000 Subject: Build failed: openssl master.39984 Message-ID: <20210218164020.1.105EE65A3A0B9673@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Feb 18 17:58:20 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 18 Feb 2021 17:58:20 +0000 Subject: Build completed: openssl master.39985 Message-ID: <20210218175820.1.CB527FF3256E1BA4@appveyor.com> An HTML attachment was scrubbed... URL: From kaduk at mit.edu Thu Feb 18 21:51:26 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Thu, 18 Feb 2021 21:51:26 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1613685086.730035.28252.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via a12c6442f24a32867c971b6feb5db61d01b02c1f (commit) via b6de54b2c1062f15819174784d9bd53c85c432d3 (commit) from 01cf4f868e08f82daa16d049fa7d241d8089c8d8 (commit) - Log ----------------------------------------------------------------- commit a12c6442f24a32867c971b6feb5db61d01b02c1f Author: John Baldwin Date: Thu Jan 7 14:09:41 2021 -0800 Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (cherry picked from commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13853) commit b6de54b2c1062f15819174784d9bd53c85c432d3 Author: John Baldwin Date: Fri Nov 20 17:07:35 2020 -0800 Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (cherry picked from commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13853) ----------------------------------------------------------------------- Summary of changes: crypto/engine/eng_devcrypto.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c index 49e9ce1af3..997271e150 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -758,8 +758,9 @@ static int devcrypto_unload(ENGINE *e) void engine_load_devcrypto_int() { ENGINE *e = NULL; + int fd; - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { #ifndef ENGINE_DEVCRYPTO_DEBUG if (errno != ENOENT) #endif @@ -767,6 +768,18 @@ void engine_load_devcrypto_int() return; } +#ifdef CRIOGET + if (ioctl(fd, CRIOGET, &cfd) < 0) { + fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); + close(fd); + cfd = -1; + return; + } + close(fd); +#else + cfd = fd; +#endif + if ((e = ENGINE_new()) == NULL || !ENGINE_set_destroy_function(e, devcrypto_unload)) { ENGINE_free(e); From openssl at openssl.org Fri Feb 19 01:05:20 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 19 Feb 2021 01:05:20 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1613696720.328679.3782716.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. # cmp_main:../openssl/apps/cmp.c:2687:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2286:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2003:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2053:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t ................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 768 Tests: 5 Failed: 3) Failed tests: 2-3, 5 Non-zero exit status: 3 Files=231, Tests=2702, 717 wallclock secs (10.16 usr 1.37 sys + 635.83 cusr 75.64 csys = 723.00 CPU) Result: FAIL make[1]: *** [Makefile:2476: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2473: tests] Error 2 From pauli at openssl.org Fri Feb 19 01:06:50 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 19 Feb 2021 01:06:50 +0000 Subject: [openssl] master update Message-ID: <1613696810.989226.26329.nullmailer@dev.openssl.org> The branch master has been updated via ef33889e1878739a8355e8ba027b3ed21a917898 (commit) from 458d168cd48ab57ffd8e6c8322073e4a77d03d26 (commit) - Log ----------------------------------------------------------------- commit ef33889e1878739a8355e8ba027b3ed21a917898 Author: Pauli Date: Thu Feb 18 09:55:11 2021 +1000 doc: remove notes section in OSSL_ENCODER.pod Fixes #14212 The note wasn't adding anything useful. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/14220) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_ENCODER.pod | 6 ------ 1 file changed, 6 deletions(-) diff --git a/doc/man3/OSSL_ENCODER.pod b/doc/man3/OSSL_ENCODER.pod index 6952d850f4..2c68d1a761 100644 --- a/doc/man3/OSSL_ENCODER.pod +++ b/doc/man3/OSSL_ENCODER.pod @@ -108,12 +108,6 @@ otherwise 0. OSSL_ENCODER_number() returns an integer. -=head1 NOTES - -OSSL_ENCODER_fetch() may be called implicitly by other fetching -functions, using the same library context and properties. -Any other API that uses keys will typically do this. - =head1 SEE ALSO L, L, L, From shane.lontis at oracle.com Fri Feb 19 09:25:12 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Fri, 19 Feb 2021 09:25:12 +0000 Subject: [openssl] master update Message-ID: <1613726712.099242.21752.nullmailer@dev.openssl.org> The branch master has been updated via 576892d78f80cf9a169e7f766319c843e430f378 (commit) from ef33889e1878739a8355e8ba027b3ed21a917898 (commit) - Log ----------------------------------------------------------------- commit 576892d78f80cf9a169e7f766319c843e430f378 Author: Shane Lontis Date: Wed Dec 2 17:52:24 2020 +1000 Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). Fixes #13522 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13591) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/d2i_pr.c | 100 +++++++++++---------- include/crypto/evp.h | 4 + .../implementations/encode_decode/decode_der2key.c | 5 +- .../implementations/encode_decode/encode_key2any.c | 24 ++++- test/evp_extra_test2.c | 84 ++++++++++++++++- 5 files changed, 162 insertions(+), 55 deletions(-) diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index dfe770cb7f..21ae90e8e2 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -15,15 +15,60 @@ #include #include #include +#include #include #include #include #include "crypto/asn1.h" #include "crypto/evp.h" +#include "internal/asn1.h" -EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp, +EVP_PKEY *d2i_PrivateKey_ex(int keytype, EVP_PKEY **a, const unsigned char **pp, long length, OSSL_LIB_CTX *libctx, const char *propq) +{ + OSSL_DECODER_CTX *dctx = NULL; + size_t len = length; + EVP_PKEY *pkey = NULL; + EVP_PKEY **ppkey = &pkey; + const char *key_name = NULL; + const char *input_structures[] = { "type-specific", "pkcs8", NULL }; + int i, ret; + + if (keytype != EVP_PKEY_NONE) { + key_name = evp_pkey_type2name(keytype); + if (key_name == NULL) + return NULL; + } + if (a != NULL && *a != NULL) + ppkey = a; + + for (i = 0; i < (int)OSSL_NELEM(input_structures); ++i) { + dctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(ppkey, "DER", + input_structures[i], key_name, + EVP_PKEY_KEYPAIR, libctx, propq); + if (dctx == NULL) + return NULL; + + ret = OSSL_DECODER_from_data(dctx, pp, &len); + OSSL_DECODER_CTX_free(dctx); + if (ret) { + if (*ppkey != NULL + && evp_keymgmt_util_has(*ppkey, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) + return *ppkey; + goto err; + } + } + /* Fall through to error if all decodes failed */ +err: + if (ppkey != a) + EVP_PKEY_free(*ppkey); + return NULL; +} + +EVP_PKEY *evp_privatekey_from_binary(int keytype, EVP_PKEY **a, + const unsigned char **pp, long length, + OSSL_LIB_CTX *libctx, const char *propq) { EVP_PKEY *ret; const unsigned char *p = *pp; @@ -41,7 +86,7 @@ EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp, #endif } - if (!EVP_PKEY_set_type(ret, type)) { + if (!EVP_PKEY_set_type(ret, keytype)) { ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE); goto err; } @@ -67,7 +112,7 @@ EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp, EVP_PKEY_free(ret); ret = tmp; ERR_pop_to_mark(); - if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret)) + if (EVP_PKEY_type(keytype) != EVP_PKEY_base_id(ret)) goto err; } else { ERR_clear_last_mark(); @@ -94,57 +139,14 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, } /* - * This works like d2i_PrivateKey() except it automatically works out the - * type + * This works like d2i_PrivateKey() except it passes the keytype as + * EVP_PKEY_NONE, which then figures out the type during decoding. */ - EVP_PKEY *d2i_AutoPrivateKey_ex(EVP_PKEY **a, const unsigned char **pp, long length, OSSL_LIB_CTX *libctx, const char *propq) { - STACK_OF(ASN1_TYPE) *inkey; - const unsigned char *p; - int keytype; - p = *pp; - /* - * Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE): by - * analyzing it we can determine the passed structure: this assumes the - * input is surrounded by an ASN1 SEQUENCE. - */ - inkey = d2i_ASN1_SEQUENCE_ANY(NULL, &p, length); - p = *pp; - /* - * Since we only need to discern "traditional format" RSA and DSA keys we - * can just count the elements. - */ - if (sk_ASN1_TYPE_num(inkey) == 6) { - keytype = EVP_PKEY_DSA; - } else if (sk_ASN1_TYPE_num(inkey) == 4) { - keytype = EVP_PKEY_EC; - } else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not - * traditional format */ - PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); - EVP_PKEY *ret; - - sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); - if (p8 == NULL) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); - return NULL; - } - ret = EVP_PKCS82PKEY_ex(p8, libctx, propq); - PKCS8_PRIV_KEY_INFO_free(p8); - if (ret == NULL) - return NULL; - *pp = p; - if (a) { - *a = ret; - } - return ret; - } else { - keytype = EVP_PKEY_RSA; - } - sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); - return d2i_PrivateKey_ex(keytype, a, pp, length, libctx, propq); + return d2i_PrivateKey_ex(EVP_PKEY_NONE, a, pp, length, libctx, propq); } EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 0269d8da5a..7f28edd6c2 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -854,4 +854,8 @@ int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq, void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force); +EVP_PKEY *evp_privatekey_from_binary(int keytype, EVP_PKEY **a, + const unsigned char **pp, long length, + OSSL_LIB_CTX *libctx, const char *propq); + #endif /* OSSL_CRYPTO_EVP_H */ diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 4018d2021b..466a73f908 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -28,6 +28,7 @@ #include "crypto/dh.h" #include "crypto/dsa.h" #include "crypto/ec.h" +#include "crypto/evp.h" #include "crypto/ecx.h" #include "crypto/rsa.h" #include "prov/bio.h" @@ -321,8 +322,8 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { derp = der; - pkey = d2i_PrivateKey_ex(ctx->desc->evp_type, NULL, &derp, der_len, - libctx, NULL); + pkey = evp_privatekey_from_binary(ctx->desc->evp_type, NULL, + &derp, der_len, libctx, NULL); } if (pkey == NULL diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index 883c33334d..32d99837b2 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -60,6 +60,20 @@ typedef int key_to_der_fn(BIO *out, const void *key, struct key2any_ctx_st *ctx); typedef int write_bio_of_void_fn(BIO *bp, const void *x); + +/* Free the blob allocated during key_to_paramstring_fn */ +static void free_asn1_data(int type, void *data) +{ + switch(type) { + case V_ASN1_OBJECT: + ASN1_OBJECT_free(data); + break; + case V_ASN1_SEQUENCE: + ASN1_STRING_free(data); + break; + } +} + static PKCS8_PRIV_KEY_INFO *key_to_p8info(const void *key, int key_nid, void *params, int params_type, i2d_of_void *k2d) @@ -70,7 +84,6 @@ static PKCS8_PRIV_KEY_INFO *key_to_p8info(const void *key, int key_nid, /* The final PKCS#8 info */ PKCS8_PRIV_KEY_INFO *p8info = NULL; - if ((p8info = PKCS8_PRIV_KEY_INFO_new()) == NULL || (derlen = k2d(key, &der)) <= 0 || !PKCS8_pkey_set0(p8info, OBJ_nid2obj(key_nid), 0, @@ -113,6 +126,9 @@ static X509_SIG *key_to_encp8(const void *key, int key_nid, key_to_p8info(key, key_nid, params, params_type, k2d); X509_SIG *p8 = p8info_to_encp8(p8info, ctx); + if (p8info == NULL) + free_asn1_data(params_type, params); + PKCS8_PRIV_KEY_INFO_free(p8info); return p8; } @@ -174,6 +190,8 @@ static int key_to_pkcs8_der_priv_bio(BIO *out, const void *key, if (p8info != NULL) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8info); + else + free_asn1_data(strtype, str); PKCS8_PRIV_KEY_INFO_free(p8info); } @@ -208,6 +226,8 @@ static int key_to_pkcs8_pem_priv_bio(BIO *out, const void *key, if (p8info != NULL) ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8info); + else + free_asn1_data(strtype, str); PKCS8_PRIV_KEY_INFO_free(p8info); } @@ -259,6 +279,8 @@ static int key_to_spki_pem_pub_bio(BIO *out, const void *key, if (xpk != NULL) ret = PEM_write_bio_X509_PUBKEY(out, xpk); + else + free_asn1_data(strtype, str); /* Also frees |str| */ X509_PUBKEY_free(xpk); diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c index 9181061247..bb8e897536 100644 --- a/test/evp_extra_test2.c +++ b/test/evp_extra_test2.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "testutil.h" #include "internal/nelem.h" @@ -141,6 +142,58 @@ static const unsigned char kExampleRSAKeyPKCS8[] = { 0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf, }; +#ifndef OPENSSL_NO_DH +static const unsigned char kExampleDHPrivateKeyDER[] = { + 0x30, 0x82, 0x02, 0x26, 0x02, 0x01, 0x00, 0x30, 0x82, 0x01, 0x17, 0x06, + 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x03, 0x01, 0x30, 0x82, + 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xD8, 0x4B, 0x0F, 0x0E, 0x6B, + 0x79, 0xE9, 0x23, 0x4E, 0xE4, 0xBE, 0x9A, 0x8F, 0x7A, 0x5C, 0xA3, 0x20, + 0xD0, 0x86, 0x6B, 0x95, 0x78, 0x39, 0x59, 0x7A, 0x11, 0x2A, 0x5B, 0x87, + 0xA4, 0xFB, 0x2F, 0x99, 0xD0, 0x57, 0xF5, 0xE1, 0xA3, 0xAF, 0x41, 0xD1, + 0xCD, 0xA3, 0x94, 0xBB, 0xE5, 0x5A, 0x68, 0xE2, 0xEE, 0x69, 0x56, 0x51, + 0xB2, 0xEE, 0xF2, 0xFE, 0x10, 0xC9, 0x55, 0xE3, 0x82, 0x3C, 0x50, 0x0D, + 0xF5, 0x82, 0x73, 0xE4, 0xD6, 0x3E, 0x45, 0xB4, 0x89, 0x80, 0xE4, 0xF0, + 0x99, 0x85, 0x2B, 0x4B, 0xF9, 0xB8, 0xFD, 0x2C, 0x3C, 0x49, 0x2E, 0xB3, + 0x56, 0x7E, 0x99, 0x07, 0xD3, 0xF7, 0xD9, 0xE4, 0x0C, 0x64, 0xC5, 0x7D, + 0x03, 0x8E, 0x05, 0x3C, 0x0A, 0x40, 0x17, 0xAD, 0xA8, 0x0F, 0x9B, 0xF4, + 0x8B, 0xA7, 0xDB, 0x16, 0x4F, 0x4A, 0x57, 0x0B, 0x89, 0x80, 0x0B, 0x9F, + 0x26, 0x56, 0x3F, 0x1D, 0xFA, 0x52, 0x2D, 0x1A, 0x9E, 0xDC, 0x42, 0xA3, + 0x2E, 0xA9, 0x87, 0xE3, 0x8B, 0x45, 0x5E, 0xEE, 0x99, 0xB8, 0x30, 0x15, + 0x58, 0xA3, 0x5F, 0xB5, 0x69, 0xD8, 0x0C, 0xE8, 0x6B, 0x36, 0xD8, 0xAB, + 0xD8, 0xE4, 0x77, 0x46, 0x13, 0xA2, 0x15, 0xB3, 0x9C, 0xAD, 0x99, 0x91, + 0xE5, 0xA3, 0x30, 0x7D, 0x40, 0x70, 0xB3, 0x32, 0x5E, 0xAF, 0x96, 0x8D, + 0xE6, 0x3F, 0x47, 0xA3, 0x18, 0xDA, 0xE1, 0x9A, 0x20, 0x11, 0xE1, 0x49, + 0x51, 0x45, 0xE3, 0x8C, 0xA5, 0x56, 0x39, 0x67, 0xCB, 0x9D, 0xCF, 0xBA, + 0xF4, 0x46, 0x4E, 0x0A, 0xB6, 0x0B, 0xA9, 0xB4, 0xF6, 0xF1, 0x6A, 0xC8, + 0x63, 0xE2, 0xB4, 0xB2, 0x9F, 0x44, 0xAA, 0x0A, 0xDA, 0x53, 0xF7, 0x52, + 0x14, 0x57, 0xEE, 0x2C, 0x5D, 0x31, 0x9C, 0x27, 0x03, 0x64, 0x9E, 0xC0, + 0x1E, 0x4B, 0x1B, 0x4F, 0xEE, 0xA6, 0x3F, 0xC1, 0x3E, 0x61, 0x93, 0x02, + 0x01, 0x02, 0x04, 0x82, 0x01, 0x04, 0x02, 0x82, 0x01, 0x00, 0x7E, 0xC2, + 0x04, 0xF9, 0x95, 0xC7, 0xEF, 0x96, 0xBE, 0xA0, 0x9D, 0x2D, 0xC3, 0x0C, + 0x3A, 0x67, 0x02, 0x7C, 0x7D, 0x3B, 0xC9, 0xB1, 0xDE, 0x13, 0x97, 0x64, + 0xEF, 0x87, 0x80, 0x4F, 0xBF, 0xA2, 0xAC, 0x18, 0x6B, 0xD5, 0xB2, 0x42, + 0x0F, 0xDA, 0x28, 0x40, 0x93, 0x40, 0xB2, 0x1E, 0x80, 0xB0, 0x6C, 0xDE, + 0x9C, 0x54, 0xA4, 0xB4, 0x68, 0x29, 0xE0, 0x13, 0x57, 0x1D, 0xC9, 0x87, + 0xC0, 0xDE, 0x2F, 0x1D, 0x72, 0xF0, 0xC0, 0xE4, 0x4E, 0x04, 0x48, 0xF5, + 0x2D, 0x8D, 0x9A, 0x1B, 0xE5, 0xEB, 0x06, 0xAB, 0x7C, 0x74, 0x10, 0x3C, + 0xA8, 0x2D, 0x39, 0xBC, 0xE3, 0x15, 0x3E, 0x63, 0x37, 0x8C, 0x1B, 0xF1, + 0xB3, 0x99, 0xB6, 0xAE, 0x5A, 0xEB, 0xB3, 0x3D, 0x30, 0x39, 0x69, 0xDB, + 0xF2, 0x4F, 0x94, 0xB7, 0x71, 0xAF, 0xBA, 0x5C, 0x1F, 0xF8, 0x6B, 0xE5, + 0xD1, 0xB1, 0x00, 0x81, 0xE2, 0x6D, 0xEC, 0x65, 0xF7, 0x7E, 0xCE, 0x03, + 0x84, 0x68, 0x42, 0x6A, 0x8B, 0x47, 0x8E, 0x4A, 0x88, 0xDE, 0x82, 0xDD, + 0xAF, 0xA9, 0x6F, 0x18, 0xF7, 0xC6, 0xE2, 0xB9, 0x97, 0xCE, 0x47, 0x8F, + 0x85, 0x19, 0x61, 0x42, 0x67, 0x21, 0x7D, 0x13, 0x6E, 0xB5, 0x5A, 0x62, + 0xF3, 0x08, 0xE2, 0x70, 0x3B, 0x0E, 0x85, 0x3C, 0xA1, 0xD3, 0xED, 0x7A, + 0x43, 0xD6, 0xDE, 0x30, 0x5C, 0x48, 0xB2, 0x99, 0xAB, 0x3E, 0x65, 0xA6, + 0x66, 0x80, 0x22, 0xFF, 0x92, 0xC1, 0x42, 0x1C, 0x30, 0x87, 0x74, 0x1E, + 0x53, 0x57, 0x7C, 0xF8, 0x77, 0x51, 0xF1, 0x74, 0x16, 0xF4, 0x45, 0x26, + 0x77, 0x0A, 0x05, 0x96, 0x13, 0x12, 0x06, 0x86, 0x2B, 0xB8, 0x49, 0x82, + 0x69, 0x43, 0x0A, 0x57, 0xA7, 0x30, 0x19, 0x4C, 0xB8, 0x47, 0x82, 0x6E, + 0x64, 0x7A, 0x06, 0x13, 0x5A, 0x82, 0x98, 0xD6, 0x7A, 0x09, 0xEC, 0x03, + 0x8D, 0x03 +}; +#endif /* OPENSSL_NO_DH */ + #ifndef OPENSSL_NO_EC /* * kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey @@ -183,7 +236,10 @@ static APK_DATA keydata[] = { {kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), EVP_PKEY_RSA}, #ifndef OPENSSL_NO_EC {kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC}, - {kExampleECKey2DER, sizeof(kExampleECKey2DER), EVP_PKEY_EC} + {kExampleECKey2DER, sizeof(kExampleECKey2DER), EVP_PKEY_EC}, +#endif +#ifndef OPENSSL_NO_DH + {kExampleDHPrivateKeyDER, sizeof(kExampleDHPrivateKeyDER), EVP_PKEY_DH}, #endif }; @@ -197,6 +253,9 @@ static int test_d2i_AutoPrivateKey_ex(int i) const unsigned char *input = ak->kder; size_t input_len = ak->size; int expected_id = ak->evptype; + BIGNUM *p_bn = NULL; + BIGNUM *g_bn = NULL; + BIGNUM *priv_bn = NULL; p = input; if (!TEST_ptr(pkey = d2i_AutoPrivateKey_ex(NULL, &p, input_len, mainctx, @@ -205,9 +264,28 @@ static int test_d2i_AutoPrivateKey_ex(int i) || !TEST_int_eq(EVP_PKEY_id(pkey), expected_id)) goto done; - ret = 1; + if (ak->evptype == EVP_PKEY_RSA) { + if (!TEST_true(EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, + &priv_bn))) + goto done; + } else { + if (!TEST_true(EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, + &priv_bn))) + goto done; + } + + if (ak->evptype == EVP_PKEY_DH) { + if (!TEST_true(EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p_bn)) + || !TEST_true(EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, + &g_bn))) + goto done; + } - done: + ret = 1; +done: + BN_free(p_bn); + BN_free(g_bn); + BN_free(priv_bn); EVP_PKEY_free(pkey); return ret; } From shane.lontis at oracle.com Fri Feb 19 09:30:51 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Fri, 19 Feb 2021 09:30:51 +0000 Subject: [openssl] master update Message-ID: <1613727051.386111.23627.nullmailer@dev.openssl.org> The branch master has been updated via eabb3014165a1319ceb8a69cc135feb99f288293 (commit) from 576892d78f80cf9a169e7f766319c843e430f378 (commit) - Log ----------------------------------------------------------------- commit eabb3014165a1319ceb8a69cc135feb99f288293 Author: Shane Lontis Date: Wed Feb 17 13:13:51 2021 +1000 Fix DH ASN1 decode so that it detects named groups. The dh->nid was not being set if the loaded p,g matched an inbuilt named group for "DH". NOTE: The "DHX" related path already worked since it calls DH_set0_pqg() (which does the name group check). This bug was detected when new tests were added for dh5114 groups, combined with the no-cache tests i.e. loading+import+export set the nid, but just loading did not. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14207) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_asn1.c | 4 ++-- test/recipes/20-test_dhparam_check.t | 24 +++++++++++++++++++++- .../valid/dh_ffdhe2048.pem | 8 ++++++++ .../valid/dhx_ffdhe2048.pem | 13 ++++++++++++ 4 files changed, 46 insertions(+), 3 deletions(-) create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem diff --git a/crypto/dh/dh_asn1.c b/crypto/dh/dh_asn1.c index 81899de5d6..68013219e7 100644 --- a/crypto/dh/dh_asn1.c +++ b/crypto/dh/dh_asn1.c @@ -19,6 +19,7 @@ #include "dh_local.h" #include #include +#include "crypto/dh.h" /* Override the default free and new methods */ static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, @@ -38,6 +39,7 @@ static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, DH_clear_flags(dh, DH_FLAG_TYPE_MASK); DH_set_flags(dh, DH_FLAG_TYPE_DH); + dh_cache_named_group(dh); dh->dirty_cnt++; } return 1; @@ -88,8 +90,6 @@ int i2d_int_dhx(const int_dhx942_dh *a, unsigned char **pp); IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(int_dhx942_dh, DHxparams, int_dhx) -/* Application public function: read in X9.42 DH parameters into DH structure */ - DH *d2i_DHxparams(DH **a, const unsigned char **pp, long length) { FFC_PARAMS *params; diff --git a/test/recipes/20-test_dhparam_check.t b/test/recipes/20-test_dhparam_check.t index 2f1dec1f10..f3882ad2b3 100644 --- a/test/recipes/20-test_dhparam_check.t +++ b/test/recipes/20-test_dhparam_check.t @@ -56,13 +56,17 @@ mkdir -p $TESTDIR ./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q224_t1862.pem ./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q256_t1862.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt group:ffdhe2048 -out $TESTDIR/dh_ffdhe2048.pem +./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt group:ffdhe2048 -out $TESTDIR/dhx_ffdhe2048.pem + + =cut my @valid = glob(data_file("valid", "*.pem")); my @invalid = glob(data_file("invalid", "*.pem")); my $num_tests = scalar @valid + scalar @invalid; -plan tests => 2 * $num_tests; +plan tests => 2 + 2 * $num_tests; foreach (@valid) { ok(run(app([qw{openssl dhparam -noout -check -in}, $_]))); @@ -73,3 +77,21 @@ foreach (@invalid) { ok(!run(app([qw{openssl dhparam -noout -check -in}, $_]))); ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_]))); } + +my $tmpfile = 'out.txt'; + +sub contains { + my $expected = shift; + my $found = 0; + open(my $in, '<', $tmpfile) or die "Could not open file $tmpfile"; + while(<$in>) { + $found = 1 if m/$expected/; # output must include $expected + } + close $in; + return $found; +} + +# Check that if we load dh params with only a 'p' and 'g' that it detects +# that this is actually a valid named group. +ok(run(app([qw{openssl pkeyparam -text -in}, data_file("valid/dh_ffdhe2048.pem")], stdout => $tmpfile))); +ok(contains("ffdhe2048")) diff --git a/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem new file mode 100644 index 0000000000..24260bf846 --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8= +-----END DH PARAMETERS----- diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem new file mode 100644 index 0000000000..5a30fa003d --- /dev/null +++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem @@ -0,0 +1,13 @@ +-----BEGIN X9.42 DH PARAMETERS----- +MIICDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgKCAQB//////////9b8KixRXaVN +V+4rEBOennjsXOLB5xabStTwmyCKMhn95knO5xJNn3y+l/GxsYY67HtA2QFXYjC9 +ae+Paur+srCSGfqPr4M3aEKxsqqe9o152quJrz+r5JrMJ4Y4cHNFu/FTRO159/Q5 +DvisUJtW85qYVmUnpB08vV4FWMFZkn2w6IRUpdlkcf3ctW1bsGv6NA6noVHvHKb6 +Vyt287G5XYyFg9PkdwU2uE8BfnDm+/F2YBoCZpQaF7DIuX9OdMLB/8cniRl3eUDB +4f8djaY31rmd2v5eF2EQAuLHeMG+i0HZY3mlE2DZd/1ENaEcMJQuS/////////// +-----END X9.42 DH PARAMETERS----- From levitte at openssl.org Fri Feb 19 09:32:57 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 19 Feb 2021 09:32:57 +0000 Subject: [tools] master update Message-ID: <1613727177.130796.25039.nullmailer@dev.openssl.org> The branch master has been updated via e1fc98e1c15660ad4d51526cc6da9c44e2f49cd4 (commit) from af3ebdeb6cc591cf92a3790ae091a11bf8da7e9a (commit) - Log ----------------------------------------------------------------- commit e1fc98e1c15660ad4d51526cc6da9c44e2f49cd4 Author: Richard Levitte Date: Tue Nov 17 11:53:30 2020 +0100 New releasing instructions, HOWTO-make-a-release.md README.md in $TOOLS/release-tools/ isn't obvious to discover. It has also aged considerably, at least in terms of OpenSSL 3.0, so needs a serious update. Co-authored-by: Matthias St. Pierre Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/tools/pull/75) ----------------------------------------------------------------------- Summary of changes: HOWTO-make-a-release.md | 400 +++++++++++++++++++++++++++++++++++++++++++++ README | 8 +- release-tools/mkrelease.pl | 0 3 files changed, 406 insertions(+), 2 deletions(-) create mode 100644 HOWTO-make-a-release.md mode change 100644 => 100755 release-tools/mkrelease.pl diff --git a/HOWTO-make-a-release.md b/HOWTO-make-a-release.md new file mode 100644 index 0000000..012256e --- /dev/null +++ b/HOWTO-make-a-release.md @@ -0,0 +1,400 @@ +# HOW TO MAKE A RELEASE + +This file documents how to make an OpenSSL release. Please fix any errors +you find while doing, or just after, your next release! + +Releases are done by one person, with a second person acting as the reviewer +and additional tester. + +# Table of contents + +- [Prerequisites](#prerequisites) + - [Software](#software) + - [Repositories](#repositories) + - [PGP / GnuPG key](#pgp-gnupg-key) + - [SSH access](#check-your-access) + - [A method for reviewing](#a-way-to-reviewing) +- [Pre-publishing tasks](#pre-publishing-tasks) + - [Freeze the source repository](#freeze-the-source-repository) [the day before release] + - [Prepare your repository checkouts](#prepare-your-repository-checkouts) + - [Make sure that the openssl source is up to date](#make-sure-that-the-openssl-source-is-up-to-date) + - [Generate the tarball and announcement text](#generating-the-tarball-and-announcement-text) + - [OpenSSL 3.0 and on](#openssl-3.0-and-on) + - [OpenSSL before 3.0](#openssl-before-3.0) + - [Update the website locally](#update-the-website-locally) [do not push] +- [Publish the release](#publish-the-release) +- [Post-publishing tasks](#post-publishing-tasks) + - [Check the website](#check-the-website) + - [Send the announcement mail](#send-the-announcement-mail) + - [Send out the Security Advisory](#send-out-the-security-advisory) + - [Unfreeze the source repository](#unfreeze-the-source-repository) + - [Security fixes](#security-fixes) + - [Keep in touch](#keep-in-touch) + + +# Prerequisites + +## Software + +Apart from the basic operating system utilities, you must have the following +programs in you `$PATH`: + +- openssl +- ssh +- gpg +- git + +(note: this may not be a complete list) + +## Repositories + +You must have access to the following repositories: + +- `openssl-git at git.openssl.org:openssl.git` + + This is the usual main source repository + +- `openssl-git at git.openssl.org:openssl-web.git` + + This is the website repository + +- `openssl-git at git.openssl.org:tools.git` + + This contains certain common tools + +## PGP / GnuPG key + +You must have a PGP / GnuPG key, and its fingerprint should be present in +the file `doc/fingerprints.txt` in the source of the immediately prior +OpenSSL release. + +## SSH access + +To perform a release, you must have appropriate access to OpenSSL's +development host, dev.openssl.org. To test this, try to log in with ssh: + + ssh dev.openssl.org + +You must also check that you can perform tasks as the user 'openssl' on +dev.openssl.org. When you have successfully logged in, test your access to +that user with sudo: + + sudo -u openssl id + +## A method for reviewing + +For reviewing to take place, the release person and the reviewer need a way +to share changes that are being applied. Most commonly, that's done as PRs +(for normal releases) or security advisories (for undisclosed security +fixes) through Github. + +Security advisories are created using the Github Security tab, and will +generate a private repository, to which you can add collaborators (the +reviewer, for instance), and use it to fix the issue via pull requests. +For more information, please read Github's [creating a security advisory], +including the "Next Steps" at the end of that page. + +[creating a security advisory]: + + +The release person and the reviewer are allowed to use other means to share +the commits to be reviewed if they desire. + +The release person and the reviewer must have a conversation to confirm or +figure out how the review shall be done. + +# Pre-publishing tasks + +Some of the actions in this section need to be repeated for each OpenSSL +version released. + +## Freeze the source repository + +The day before the release, freeze the main repository. This locks out +everyone but the named user, who is doing the release, from doing any +pushes. Someone other than the person doing the release should run the +command. For example: + + ssh openssl-git at git.openssl.org freeze openssl NAME + +## Prepare your repository checkouts + +You will need to checkout at least three working trees: + +- one for the website + + git clone openssl-git at git.openssl.org:openssl-web.git website + +- one for extra tools + + git clone openssl-git at git.openssl.org:tools.git tools + + The resulting directory will be referred to as `$TOOLS` + +- At least one for openssl source + + git clone openssl-git at git.openssl.org:openssl.git + + If you're doing multiple releases in one go, there are many ways to deal + with it. One possibility, available since git 2.5, is to use `git + worktree`: + + (cd openssl; + git worktree add ../openssl-1.1.1 OpenSSL_1_1_1-stable) + +## Make sure that the openssl source is up to date + +The person doing the release and the reviewer should both sanity-check the +source to be released at this point. Checks to consider include building +and verifying that make test passes on multiple plaforms - Linux, Windows, +etc. + +*NOTE: the files CHANGES and NEWS are called CHANGES.md and NEWS.md in +OpenSSL versions from version 3.0 and on* + +For each source checkout, make sure that the CHANGES and NEWS files have +been updated and reviewed. + +The NEWS file should contain a summary of any changes for the release; +for a security release, it's often simply a list of the CVEs addressed. +You should also update NEWS.md in the master branch to include details of +all releases. Only update the bullet points - do not change the release +date, keep it as **under development**. + +Add any security fixes to the tree and commit them. + +Make sure that the copyrights are updated. This script will update the +copyright markers and commit the changes (where $TOOLS stands for the +openssl-tools.git checkout directory): + + $TOOLS/release-tools/do-copyright-year + +Obtain approval for these commits from the reviewer and add the reviewed-by +headers as required. + +*Do* send the auto-generated commits to the reviewer and await their +approval. + +*Do not push* changes to the main source repo at this stage. +(the main source repo being `openssl-git at git.openssl.org:openssl.git`) + +## Generate the tarball and announcement text + +*The changes in this section should be made in your clone of the openssl +source repo* + +The method to generate a release tarball and announcement text has changed +with OpenSSL 3.0, so while we continue to make pre-3.0 OpenSSL releases, +there are two methods to be aware of. + +Both methods will leave a handful of files, most importantly the release +tarball. When they are done, they display a set of instructions on how to +perform the publishing tasks, *please take note of them*. + +After having run the release script, verify that its results are sensible. +Check the commits that were added, using for example `git log`. Check the +signed announcement .asc file. Check that the tarball length and hashes +match in the .md5, .sha1, .sha256, and review the announcment file. + +*Do* send the auto-generated commits to the reviewer and await their +approval. + +*Do not push* changes to the main source repo at this stage. +(the main source repo being `openssl-git at git.openssl.org:openssl.git`) + +### OpenSSL 3.0 and on + +The release generating script is in the OpenSSL source checkout, and is +generally called like this: + + dev/release.sh --reviewer=NAME + +This script has a multitude of other options that are useful for specific +cases, and is also self-documented: + +- To get a quick usage reminder: + + dev/release.sh --help + +- To get a man-page: + + dev/release.sh --manual + +### OpenSSL before 3.0 + +The release generating script is in the tools checkout, represented here +with $TOOLS, and is generally called like this: + + $TOOLS/release-tools/mkrelease.pl --reviewer=NAME + +The manual for that script is found in `$TOOLS/release-tools/MKRELEASE.md` + +## Update the website locally + +*The changes in this section should be made in your clone of the openssl +web repo* + +Update the news/newsflash.txt file. This normally is one or two lines. +Just copy and paste existing announcements making minor changes for the date +and version number as necessary. If there is an advisory then ensure you +include a link to it. + +Update the news/vulnerabilities.xml file if appropriate. + +If there is a Security Advisory then copy it into the news/secadv directory. + +*Do* send the commits to the reviewer and await their approval. + +Commit your changes, but *do not push* them to the website repo at this stage. +(the website repo being `openssl-git at git.openssl.org:openssl-web.git`) + +# Publish the release + +*BE CAREFUL* This section makes everything visible and is therefore largely +irreversible. If you are performing a dry run then DO NOT perform any steps +in this section. + +Check that the release has been uploaded properly. The release tarballs and +associated files should be in ~openssl/dist/new. They should be owned by +the openssl userid and world-readable. + +Copy the tarballs to appropriate directories. This can be done using the +do-release.pl script. See $TOOLS/release-tools/DO-RELEASE.md for a +description of the options. For example: + + sudo -u openssl perl ~openssl/do-release.pl --copy --move + +This will copy the relevant files to the website and move them from +`~openssl/dist/new` to `~openssl/dist/old` so they will not seen by a +subsequent release. Alternatively if you want to perform one release at a +time or copy/move the files manually, see below. + +The do-release.pl script will display the commands you will need to issue to +send the announcement emails later. Keep a note of those commands for +future reference. + +Verify that the tarballs are available via FTP: + + ftp://ftp.openssl.org/source/ + +And that they are ready for the website: + + ls /var/www/openssl/source + +*For OpenSSL 3.0 and on*, push your local changes to the main source repo as +instructed by `dev/release.sh`. You may want to sanity check the pushes by +inserting the `-n` (dry-run) option. + +*For OpenSSL before 3.0*, simply push your local changes to the main source +repo, and please do remember to push the release tags as well, which is done +separately with the `--tags` option. You may want to sanity check the +pushes by inserting the `-n` (dry-run) option. + +## Updating the website + +Push the website changes you made earlier to the OpenSSL website repo. When +you do this, the website will get updated and a script to flush the Akamai +CDN cache will be run. You can look at things on www-origin.openssl.org; +the CDN-hosted www.openssl.org should only be a few minutes delayed. + +# Post-publishing tasks + +## Check the website + +Verify that the release notes, which are built from the CHANGES.md file +in the release, have been updated. This is done automatically by the +commit-hook, but if you see a problem, try the following steps on +`dev.openssl.org`: + + cd /var/www/openssl + sudo -u openssl -H make relupd + sudo -u openssl -H ./bin/purge-one-hour + +Wait for a while for the Akamai flush to work (normally within a few minutes). +Have a look at the website and news announcement at: + +- +- + +Check the download page has updated properly: + +- + +Check the notes look sensible at: + +- + +Also check the notes here: + +- +- +- + +## Send the announcement mail + +Send out the announcements. Generic release announcement messages will be +created automatically by the build script and the commands you need to use +to send them were displayed when you executed do-release.pl above. +These should normally be sent from the openssl account. These are sent to +openssl-users, openssl-project, and openssl-announce. + +If do-release.pl was used with `--move` be sure to move the announcement +text files away from the staging directory after they have been sent. This +is done as follows (with VERSION replaced with the version of OpenSSL to +announce): + + sudo -u openssl \ + mutt -s "OpenSSL version VERSION published" \ + openssl-project openssl-users openssl-announce \ + < /home/openssl/dist/new/openssl-VERSION.txt.asc + sudo -u openssl \ + mv ~openssl/dist/new/openssl-VERSION.txt.asc ~openssl/dist/old + +## Send out the Security Advisory + +*The secadv file mentioned in this section is the Security Advisory +that you copied into the web repo, up in the section +[Update the website locally](#update-the-website-locally)* + +*This section is only applicable if this is a security release* + +Start with signing the Security Advisory as yourself: + + gpg --clearsign secadv_FILENAME.txt + +Then copy the result to the temporary directory on dev.openssl.org: + + scp secadv_FILENAME.txt.asc dev.openssl.org:/tmp + +To finish, log in on dev.openssl.org and send the signed Security +Advisory by email as the openssl user, and the remove it: + + sudo -u openssl mutt -s "OpenSSL Security Advisory" \ + openssl-project openssl-users openssl-announce \ + +and approve the messages. + +Check the mailing list messages have arrived. + +## Unfreeze the source repository. + + ssh openssl-git at git.openssl.org unfreeze openssl + +## Security fixes + +If this release includes security fixes with a CVE then you should inform +MITRE about them. See the instructions at the top of cvepool.txt in omc. + +Close the github advisory without pushing to github and remove the private +github fork if there was one. + +## Keep in touch + +Check mailing lists over the next few hours for reports of any success or +failure. If necessary fix these and in the worst case make another +release. + diff --git a/README b/README index 5aac518..1424950 100644 --- a/README +++ b/README @@ -1,3 +1,7 @@ -A collection of tools useful in OpenSSL development. +A collection of tools and instructions useful in OpenSSL development. -Each tool is in its own subdirectory and has its own README +Each set of tools is in its own subdirectory and has its own manuals +and READMEs. + +More generic instructions are in this top directory, called +HOWTO-something.md diff --git a/release-tools/mkrelease.pl b/release-tools/mkrelease.pl old mode 100644 new mode 100755 From shane.lontis at oracle.com Fri Feb 19 10:06:19 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Fri, 19 Feb 2021 10:06:19 +0000 Subject: [openssl] master update Message-ID: <1613729179.928082.30921.nullmailer@dev.openssl.org> The branch master has been updated via 3352dc185fde9861b58ca7621b4062bb42ec1b55 (commit) from eabb3014165a1319ceb8a69cc135feb99f288293 (commit) - Log ----------------------------------------------------------------- commit 3352dc185fde9861b58ca7621b4062bb42ec1b55 Author: Shane Lontis Date: Fri Feb 19 19:43:16 2021 +1000 Fix merge problem in d2i_PrivateKey_ex Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14243) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/d2i_pr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 21ae90e8e2..c657f0f3a7 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -44,9 +44,9 @@ EVP_PKEY *d2i_PrivateKey_ex(int keytype, EVP_PKEY **a, const unsigned char **pp, ppkey = a; for (i = 0; i < (int)OSSL_NELEM(input_structures); ++i) { - dctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(ppkey, "DER", - input_structures[i], key_name, - EVP_PKEY_KEYPAIR, libctx, propq); + dctx = OSSL_DECODER_CTX_new_for_pkey(ppkey, "DER", + input_structures[i], key_name, + EVP_PKEY_KEYPAIR, libctx, propq); if (dctx == NULL) return NULL; From tomas at openssl.org Fri Feb 19 11:27:09 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 19 Feb 2021 11:27:09 +0000 Subject: [openssl] master update Message-ID: <1613734029.621888.32457.nullmailer@dev.openssl.org> The branch master has been updated via 1d724b5e82ba36fb50fd24db3cd664da570daf84 (commit) from 3352dc185fde9861b58ca7621b4062bb42ec1b55 (commit) - Log ----------------------------------------------------------------- commit 1d724b5e82ba36fb50fd24db3cd664da570daf84 Author: Zhang Jinde Date: Thu Sep 24 14:48:28 2020 +0800 CRYPTO_gcm128_decrypt: fix mac or tag calculation The incorrect code is in #ifdef branch that is normally not compiled in. Signed-off-by: Zhang Jinde Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12968) ----------------------------------------------------------------------- Summary of changes: crypto/modes/gcm128.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 4f52073d7f..a6147e41a1 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -1359,8 +1359,8 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) { - size_t c = in[i]; - out[i] = c ^ ctx->EKi.t[i]; + size_t c = in_t[i]; + out_t[i] = c ^ ctx->EKi.t[i]; ctx->Xi.t[i] ^= c; } GCM_MUL(ctx); From tomas at openssl.org Fri Feb 19 11:28:01 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 19 Feb 2021 11:28:01 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1613734081.695407.1153.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 8df5cc3339d10f91ccb395650a83c031c2795742 (commit) from a12c6442f24a32867c971b6feb5db61d01b02c1f (commit) - Log ----------------------------------------------------------------- commit 8df5cc3339d10f91ccb395650a83c031c2795742 Author: Zhang Jinde Date: Thu Sep 24 14:48:28 2020 +0800 CRYPTO_gcm128_decrypt: fix mac or tag calculation The incorrect code is in #ifdef branch that is normally not compiled in. Signed-off-by: Zhang Jinde Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12968) (cherry picked from commit 1d724b5e82ba36fb50fd24db3cd664da570daf84) ----------------------------------------------------------------------- Summary of changes: crypto/modes/gcm128.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 0c0bf3cda5..4b29ead08c 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -1385,8 +1385,8 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) { - size_t c = in[i]; - out[i] = c ^ ctx->EKi.t[i]; + size_t c = in_t[i]; + out_t[i] = c ^ ctx->EKi.t[i]; ctx->Xi.t[i] ^= c; } GCM_MUL(ctx); From tomas at openssl.org Fri Feb 19 12:56:15 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 19 Feb 2021 12:56:15 +0000 Subject: [openssl] master update Message-ID: <1613739375.716546.15361.nullmailer@dev.openssl.org> The branch master has been updated via c2279499fd17673b631785887c339cf35f088c41 (commit) from 1d724b5e82ba36fb50fd24db3cd664da570daf84 (commit) - Log ----------------------------------------------------------------- commit c2279499fd17673b631785887c339cf35f088c41 Author: Chenglong Zhang Date: Wed Feb 10 17:52:29 2021 +0800 Fix speed sm2 bug Should create PKEY CTX with EVP_PKEY_SM2; each job should have its own sm2_pkey; loopargs[i].sigsize should be set after EVP_DigestSign(). Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14144) ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index c41fca483f..e867448015 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1283,12 +1283,14 @@ static int SM2_sign_loop(void *args) unsigned char *buf = tempargs->buf; EVP_MD_CTX **sm2ctx = tempargs->sm2_ctx; unsigned char *sm2sig = tempargs->buf2; - size_t sm2sigsize = tempargs->sigsize; - const size_t max_size = tempargs->sigsize; + size_t sm2sigsize; int ret, count; EVP_PKEY **sm2_pkey = tempargs->sm2_pkey; + const size_t max_size = EVP_PKEY_size(sm2_pkey[testnum]); for (count = 0; COND(sm2_c[testnum][0]); count++) { + sm2sigsize = max_size; + if (!EVP_DigestSignInit(sm2ctx[testnum], NULL, EVP_sm3(), NULL, sm2_pkey[testnum])) { BIO_printf(bio_err, "SM2 init sign failure\n"); @@ -1306,7 +1308,6 @@ static int SM2_sign_loop(void *args) } /* update the latest returned size and always use the fixed buffer size */ tempargs->sigsize = sm2sigsize; - sm2sigsize = max_size; } return count; @@ -3567,8 +3568,9 @@ int speed_main(int argc, char **argv) || loopargs[i].sm2_vfy_ctx[testnum] == NULL) break; - /* SM2 keys are generated as normal EC keys with a special curve */ - st = !((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL + sm2_pkey = NULL; + + st = !((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SM2, NULL)) == NULL || EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, sm2_curves[testnum].nid) <= 0 @@ -3615,11 +3617,9 @@ int speed_main(int argc, char **argv) op_count = 1; } else { for (i = 0; i < loopargs_len; i++) { - size_t sm2_sigsize = loopargs[i].sigsize; - /* Perform SM2 signature test */ st = EVP_DigestSign(loopargs[i].sm2_ctx[testnum], - loopargs[i].buf2, &sm2_sigsize, + loopargs[i].buf2, &loopargs[i].sigsize, loopargs[i].buf, 20); if (st == 0) break; From openssl at openssl.org Fri Feb 19 13:28:04 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 19 Feb 2021 13:28:04 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock Message-ID: <1613741284.509550.1086879.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): 70-test_sslrecords.t ............... skipped: test_sslrecords needs the sock feature enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs the sock feature enabled 70-test_sslsigalgs.t ............... skipped: test_sslsigalgs needs the sock feature enabled 70-test_sslsignature.t ............. skipped: test_sslsignature needs the sock feature enabled 70-test_sslskewith0p.t ............. skipped: test_sslskewith0p needs the sock feature enabled 70-test_sslversions.t .............. skipped: test_sslversions needs the sock feature enabled 70-test_sslvertol.t ................ skipped: test_sslextension needs the sock feature enabled 70-test_tls13alerts.t .............. skipped: test_tls13alerts needs the sock feature enabled 70-test_tls13cookie.t .............. skipped: test_tls13cookie needs the sock feature enabled 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs the sock feature enabled 70-test_tls13hrr.t ................. skipped: test_tls13hrr needs the sock feature enabled 70-test_tls13kexmodes.t ............ skipped: test_tls13kexmodes needs the sock feature enabled 70-test_tls13messages.t ............ skipped: test_tls13messages needs the sock feature enabled 70-test_tls13psk.t ................. skipped: test_tls13psk needs the sock feature enabled 70-test_tlsextms.t ................. skipped: test_tlsextms needs the sock feature enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok Label not found for "last SKIP" at /usr/share/perl/5.30/Test/More.pm line 1372. # Looks like your test exited with 1 just after 5.80-test_cmp_http.t ................. Dubious, test returned 1 (wstat 256, 0x100) All 5 subtests passed (less 5 skipped subtests: 0 okay) # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... skipped: No DTLS protocols are supported by this OpenSSL build 80-test_dtls_mtu.t ................. skipped: test_dtls_mtu needs DTLS and PSK support enabled 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 256 Tests: 5 Failed: 0) Non-zero exit status: 1 Files=231, Tests=3074, 800 wallclock secs (11.05 usr 1.33 sys + 733.85 cusr 74.68 csys = 820.91 CPU) Result: FAIL make[1]: *** [Makefile:3265: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-sock' make: *** [Makefile:3262: tests] Error 2 From no-reply at appveyor.com Fri Feb 19 14:48:29 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 19 Feb 2021 14:48:29 +0000 Subject: Build failed: openssl master.40026 Message-ID: <20210219144829.1.51E5977757528DFC@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Fri Feb 19 15:58:40 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Fri, 19 Feb 2021 15:58:40 +0000 Subject: [openssl] master update Message-ID: <1613750320.883789.17003.nullmailer@dev.openssl.org> The branch master has been updated via 5e128ed1209335fb72fe50a68640331e354cbea6 (commit) via a3361c3755f4127a8017acf84aa924a5b8e52ff9 (commit) from c2279499fd17673b631785887c339cf35f088c41 (commit) - Log ----------------------------------------------------------------- commit 5e128ed1209335fb72fe50a68640331e354cbea6 Author: Dr. David von Oheimb Date: Wed Jan 20 20:41:15 2021 +0100 CMP: Fix total_timeout behavior; small doc and diagnostic improvements Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14019) commit a3361c3755f4127a8017acf84aa924a5b8e52ff9 Author: Dr. David von Oheimb Date: Sat Jan 23 12:52:21 2021 +0100 81-test_cmp_cli_data: fixup on CSR test cases Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14019) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 31 ++++++---- crypto/cmp/cmp_client.c | 71 +++++++++++----------- crypto/cmp/cmp_msg.c | 4 ++ doc/man1/openssl-cmp.pod.in | 16 ++--- test/recipes/80-test_cmp_http_data/Mock/csr.pem | 21 +++++-- .../80-test_cmp_http_data/test_commands.csv | 2 +- .../80-test_cmp_http_data/test_enrollment.csv | 4 +- 7 files changed, 82 insertions(+), 67 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 887ec5d22e..5778fd95a7 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -697,12 +697,13 @@ static void warn_cert_msg(const char *uri, X509 *cert, const char *msg) static void warn_cert(const char *uri, X509 *cert, int warn_EE) { + uint32_t ex_flags = X509_get_extension_flags(cert); int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert), X509_get0_notAfter(cert)); if (res != 0) warn_cert_msg(uri, cert, res > 0 ? "has expired" : "not yet valid"); - if (warn_EE && (X509_get_extension_flags(cert) & EXFLAG_CA) == 0) + if (warn_EE && (ex_flags & EXFLAG_V1) == 0 && (ex_flags & EXFLAG_CA) == 0) warn_cert_msg(uri, cert, "is not a CA cert"); } @@ -788,14 +789,14 @@ static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames) return 0; } if (*filenames == NULL) { - CMP_err("Not enough file names provided for writing PKIMessage"); + CMP_err("not enough file names provided for writing PKIMessage"); return 0; } file = *filenames; *filenames = next_item(file); if (OSSL_CMP_MSG_write(file, msg) < 0) { - CMP_err1("Cannot write PKIMessage to file '%s'", file); + CMP_err1("cannot write PKIMessage to file '%s'", file); return 0; } return 1; @@ -812,7 +813,7 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) return NULL; } if (*filenames == NULL) { - CMP_err("Not enough file names provided for reading PKIMessage"); + CMP_err("not enough file names provided for reading PKIMessage"); return NULL; } @@ -821,7 +822,7 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) ret = OSSL_CMP_MSG_read(file); if (ret == NULL) - CMP_err1("Cannot read PKIMessage from file '%s'", file); + CMP_err1("cannot read PKIMessage from file '%s'", file); return ret; } @@ -1654,9 +1655,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_csr != NULL) { if (opt_cmd == CMP_GENM) { - CMP_warn("-csr option is ignored for genm command"); + CMP_warn("-csr option is ignored for command 'genm'"); } else { - csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); + csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR"); if (csr == NULL) return 0; if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { @@ -1737,10 +1738,14 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_oldcert != NULL) { if (opt_cmd == CMP_GENM) { - CMP_warn("-oldcert option is ignored for genm command"); + CMP_warn("-oldcert option is ignored for command 'genm'"); } else { X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass, - "certificate to be updated/revoked"); + opt_cmd == CMP_KUR ? + "certificate to be updated" : + opt_cmd == CMP_RR ? + "certificate to be revoked" : + "reference certificate (oldcert)"); /* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */ if (oldcert == NULL) @@ -1892,7 +1897,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert; if (ref_cert == NULL && opt_csr == NULL) { - CMP_err("missing -oldcert or -csr option for certificate to be updated"); + CMP_err("missing -oldcert for certificate to be updated and no fallback -csr given"); goto err; } if (opt_subject != NULL) @@ -1901,11 +1906,11 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) } if (opt_cmd == CMP_RR) { if (opt_oldcert == NULL && opt_csr == NULL) { - CMP_err("missing certificate to be revoked and no fallback -csr given"); + CMP_err("missing -oldcert for certificate to be revoked and no fallback -csr given"); goto err; } if (opt_oldcert != NULL && opt_csr != NULL) - CMP_warn("Ignoring -csr since certificate to be revoked is given"); + CMP_warn("ignoring -csr since certificate to be revoked is given"); } if (opt_cmd == CMP_P10CR && opt_csr == NULL) { CMP_err("missing PKCS#10 CSR for p10cr"); @@ -2787,7 +2792,7 @@ int cmp_main(int argc, char **argv) if (req != NULL) { if (strcmp(path, "") != 0 && strcmp(path, "pkix/") != 0) { (void)http_server_send_status(cbio, 404, "Not Found"); - CMP_err1("Expecting empty path or 'pkix/' but got '%s'", + CMP_err1("expecting empty path or 'pkix/' but got '%s'", path); OPENSSL_free(path); OSSL_CMP_MSG_free(req); diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index 985a474c48..00c5256013 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -129,6 +129,9 @@ static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si) static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, OSSL_CMP_MSG **rep, int expected_type) { + int is_enrollment = IS_CREP(expected_type) + || expected_type == OSSL_CMP_PKIBODY_POLLREP + || expected_type == OSSL_CMP_PKIBODY_PKICONF; const char *req_type_str = ossl_cmp_bodytype_to_string(ossl_cmp_msg_get_bodytype(req)); const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type); @@ -143,14 +146,13 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, *rep = NULL; msg_timeout = ctx->msg_timeout; /* backup original value */ - if ((IS_CREP(expected_type) || expected_type == OSSL_CMP_PKIBODY_POLLREP) - && ctx->total_timeout > 0 /* timeout is not infinite */) { + if (is_enrollment && ctx->total_timeout > 0 /* timeout is not infinite */) { if (now >= ctx->end_time) { ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); return 0; } if (!ossl_assert(ctx->end_time - time(NULL) < INT_MAX)) { - /* cannot really happen due to the assignment in do_certreq_seq() */ + /* actually cannot happen due to assignment in initial_certreq() */ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); return 0; } @@ -168,7 +170,9 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, ctx->msg_timeout = msg_timeout; /* restore original value */ if (*rep == NULL) { - ERR_raise_data(ERR_LIB_CMP, CMP_R_TRANSFER_ERROR, /* or receiving response */ + ERR_raise_data(ERR_LIB_CMP, + ctx->total_timeout > 0 && time(NULL) >= ctx->end_time ? + CMP_R_TOTAL_TIMEOUT : CMP_R_TRANSFER_ERROR, "request sent: %s, expected response: %s", req_type_str, expected_type_str); return 0; @@ -641,10 +645,32 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, return ret; } +static int initial_certreq(OSSL_CMP_CTX *ctx, + int req_type, const OSSL_CRMF_MSG *crm, + OSSL_CMP_MSG **p_rep, int rep_type) +{ + OSSL_CMP_MSG *req; + int res; + + ctx->status = -1; + if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) + return 0; + + if (ctx->total_timeout > 0) /* else ctx->end_time is not used */ + ctx->end_time = time(NULL) + ctx->total_timeout; + + /* also checks if all necessary options are set */ + if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) + return 0; + + res = send_receive_check(ctx, req, p_rep, rep_type); + OSSL_CMP_MSG_free(req); + return res; +} + int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, const OSSL_CRMF_MSG *crm, int *checkAfter) { - OSSL_CMP_MSG *req = NULL; OSSL_CMP_MSG *rep = NULL; int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; @@ -657,18 +683,7 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, } if (ctx->status != OSSL_CMP_PKISTATUS_waiting) { /* not polling already */ - ctx->status = -1; - if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) - return 0; - - if (ctx->total_timeout > 0) /* else ctx->end_time is not used */ - ctx->end_time = time(NULL) + ctx->total_timeout; - - req = ossl_cmp_certreq_new(ctx, req_type, crm); - if (req == NULL) /* also checks if all necessary options are set */ - return 0; - - if (!send_receive_check(ctx, req, &rep, rep_type)) + if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) goto err; } else { if (req_type < 0) @@ -684,7 +699,6 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, req_type, rep_type); err: - OSSL_CMP_MSG_free(req); OSSL_CMP_MSG_free(rep); return res; } @@ -701,7 +715,6 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, const OSSL_CRMF_MSG *crm) { - OSSL_CMP_MSG *req = NULL; OSSL_CMP_MSG *rep = NULL; int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; @@ -712,23 +725,8 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (is_p10 && crm != NULL) { - ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); - return NULL; - } - - ctx->status = -1; - if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) - return NULL; - - if (ctx->total_timeout > 0) /* else ctx->end_time is not used */ - ctx->end_time = time(NULL) + ctx->total_timeout; - /* OSSL_CMP_certreq_new() also checks if all necessary options are set */ - if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) - goto err; - - if (!send_receive_check(ctx, req, &rep, rep_type)) + if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) goto err; if (cert_response(ctx, 1 /* sleep */, rid, &rep, NULL, req_type, rep_type) @@ -737,7 +735,6 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, result = ctx->newCert; err: - OSSL_CMP_MSG_free(req); OSSL_CMP_MSG_free(rep); return result; } @@ -818,7 +815,7 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) goto err; } - /* check any pretent CertId in optional revCerts field */ + /* check any present CertId in optional revCerts field */ if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) { OSSL_CRMF_CERTID *cid; OSSL_CRMF_CERTTEMPLATE *tmpl = diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 36256b3d1d..8514336801 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -352,6 +352,10 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); return NULL; } + if (type == OSSL_CMP_PKIBODY_P10CR && crm != NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); + return NULL; + } if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL) goto err; diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 9800de6465..dcb3ceedac 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -218,9 +218,9 @@ initialized to the PKI hierarchy. B requests issuing an additional certificate similarly to B but using PKCS#10 CSR format. -B requests a (key) update for an existing, given certificate. +B requests a (key) update for an existing certificate. -B requests revocation of an existing, given certificate. +B requests revocation of an existing certificate. B requests information using a General Message, where optionally included Bs may be used to state which info is of interest. @@ -344,10 +344,10 @@ is provided via the B<-newkey> or B<-key> options. =item B<-csr> I PKCS#10 CSR in PEM or DER format containing a certificate request. -When used with a with B<-cmd> I used directly in a legacy P10CR message. -When used with B<-cmd> I, I, or I, it is tranformed into the +With B<-cmd> I it is used directly in a legacy P10CR message. +When used with B<-cmd> I, I, or I, it is transformed into the respective regular CMP request. -It may also be used with B<-cmd> I to specifiy the certificate to be revoked +It may also be used with B<-cmd> I to specify the certificate to be revoked via the included subject and public key. =item B<-out_trusted> I|I @@ -392,12 +392,12 @@ The file where the chain of the newly enrolled certificate should be saved. The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request (KUR) messages or to be revoked in Revocation Request (RR) messages. For RR the certificate to be revoked can also be specified using B<-csr>. -For KUR certificate to be updated defaults to B<-cert>, and the resulting certificate is called -I. +For KUR the certificate to be updated defaults to B<-cert>, +and the resulting certificate is called I. The reference certificate, if any, is also used for deriving default subject DN and Subject Alternative Names and the -default issuer entry in the requested certificate template of a IR/CR/KUR. +default issuer entry in the requested certificate template of an IR/CR/KUR. Its subject is used as sender of outgoing messages if B<-cert> is not given. Its issuer is used as default recipient in CMP message headers if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. diff --git a/test/recipes/80-test_cmp_http_data/Mock/csr.pem b/test/recipes/80-test_cmp_http_data/Mock/csr.pem index 8d20bc011c..f8591522b0 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/csr.pem +++ b/test/recipes/80-test_cmp_http_data/Mock/csr.pem @@ -1,8 +1,17 @@ -----BEGIN CERTIFICATE REQUEST----- -MIHxMIGXAgEAMAwxCjAIBgNVBAMMAXgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC -AAQe6gjg9c+IFRkK35/7OgK5/rcoUMPxDKkgzNq6DtUm5l3BTZIZO6xe8OvI503Z -+mntgoUUvD7JNn6mDq0V3LuMoCkwJwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAA -MAsGA1UdDwQEAwID6DAKBggqhkjOPQQDAgNJADBGAiEA6UNz3byazvlD6yIFySFM -NKQv+YWWHphH3bIcT7NbvLwCIQCWc8ONyVmhz0tlsXtXEkBvPeWNeaIb+GPH9Dp5 -GvQuEw== +MIICszCCAZ0CAQAwVDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx +ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAxMEbGVh +ZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9EKPVgvwSgO9C7UCXc +FRkl6q/Xbrd3EJohc02/0mlpXYzk9bETQxcUs3UyY1P/HCAxGb2kyMEcT/3bVUC4 +3PuI861MM/dzbmWJbBFlBFIOC6537NDc+dMh5OKyYVcVo2/CIv8EQVYlhxRMT+ws +E5F4k3JQtWwqk7lpI8Rd7YU307LbUcmO6jZM9iaTcdILg/L+KLUKGIwOQBGbyuCF +y8DsMaJecQUzLyK77339pJIfnOzgtkFW1E6MP6KaY6iCgsdpmjRwrSxUyRC3938L +USSybMuHyhj9P+pKWXPEqfPFiuAeBWrhfSFdQpqACVAtbycYWoByCn1bRY1FrPBj +6G0CAwEAAaAcMBoGCSqGSIb3DQEJDjENMAswCQYDVR0TBAIwADALBgkqhkiG9w0B +AQsDggEBAK7GB08OLpPGY2QWJ++vZhqbFZAO4Y3/PsfnzKjM7OFyA6lJafqGXjmO +U+R63oHAJYhThKrpo4X91YTUgL8HI8eicM+vn3HQDRw2DKgoQcpTk9y3Hqj4YEhA +gRLzvd4Pe7kowVtNKzqjQA2WcerZC+5XEYd88JisB1Vxijm7KmYsmili3MbR3row +idelrt6UfyH23ytfurZvOOvawpm3Z8bilh6SY1WNSlRKwSntY9DOw8izTiimGlru +A+TwtQ5zObWfxB5oLQib13ttCh+0rZ7zAy35txFkiOAmUUYIyng6A8zsE4RO2RCa +BYjeQvaCjBl0fn24JCWKxuT7xtkCzXc= -----END CERTIFICATE REQUEST----- diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index 7feaebcdd0..ae9514db97 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -36,7 +36,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 0, --- use csr for revocation ----, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -revreason,0, -csr,csr.pem 0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, 1,without oldcert, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,cmp +1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK, 1,oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK, 1,empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK, 1,oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0 diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv index d8d6cd2c6c..146fb0c1e1 100644 --- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv +++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv @@ -85,8 +85,8 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val, 1,oldcert empty file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert4.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,, 1,oldcert random contents, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert5.pem,, -out_trusted,root.crt,, -oldcert,random.bin,BLANK,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -0,csr used in ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, -0,p10cr csr, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, +0,csr used in ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, +0,p10cr csr present, -section,, -cmd,p10cr,BLANK,,, BLANK,,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, 1,p10cr csr missing, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, 1,p10cr csr missing arg, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,, -csr,,, 1,p10cr csr directory, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr2.pem,, -out_trusted,root.crt,,BLANK,, -csr,dir/,, From no-reply at appveyor.com Fri Feb 19 16:26:13 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 19 Feb 2021 16:26:13 +0000 Subject: Build failed: openssl master.40030 Message-ID: <20210219162613.1.61E4E14971ED207A@appveyor.com> An HTML attachment was scrubbed... URL: From tomas at openssl.org Fri Feb 19 17:05:26 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 19 Feb 2021 17:05:26 +0000 Subject: [openssl] master update Message-ID: <1613754326.504987.15451.nullmailer@dev.openssl.org> The branch master has been updated via f16e52b67c9261bdc7e1284a50502a802921ac6d (commit) from 5e128ed1209335fb72fe50a68640331e354cbea6 (commit) - Log ----------------------------------------------------------------- commit f16e52b67c9261bdc7e1284a50502a802921ac6d Author: John Baldwin Date: Fri Jan 29 10:34:49 2021 -0800 Correct the return value of BIO_get_ktls_*(). BIO_get_ktls_send() and BIO_get_ktls_recv() are documented as returning either 0 or 1. However, they were actually returning the internal value of the associated BIO flag for the true case instead of 1. Also trim redundant ternary operators. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14023) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bss_conn.c | 6 +++--- crypto/bio/bss_fd.c | 2 +- crypto/bio/bss_sock.c | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index c7bd0a329f..5b0a69486b 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -536,7 +536,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) } break; case BIO_CTRL_EOF: - ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; + ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; break; # ifndef OPENSSL_NO_KTLS case BIO_CTRL_SET_KTLS: @@ -546,9 +546,9 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) BIO_set_ktls_flag(b, num); break; case BIO_CTRL_GET_KTLS_SEND: - return BIO_should_ktls_flag(b, 1); + return BIO_should_ktls_flag(b, 1) != 0; case BIO_CTRL_GET_KTLS_RECV: - return BIO_should_ktls_flag(b, 0); + return BIO_should_ktls_flag(b, 0) != 0; case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: BIO_set_ktls_ctrl_msg_flag(b); data->record_type = num; diff --git a/crypto/bio/bss_fd.c b/crypto/bio/bss_fd.c index e1cb62d80c..f0498a0969 100644 --- a/crypto/bio/bss_fd.c +++ b/crypto/bio/bss_fd.c @@ -189,7 +189,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) ret = 1; break; case BIO_CTRL_EOF: - ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; + ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; break; default: ret = 0; diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index d3eaa6b19e..11a020d8dc 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c @@ -191,9 +191,9 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) BIO_set_ktls_flag(b, num); break; case BIO_CTRL_GET_KTLS_SEND: - return BIO_should_ktls_flag(b, 1); + return BIO_should_ktls_flag(b, 1) != 0; case BIO_CTRL_GET_KTLS_RECV: - return BIO_should_ktls_flag(b, 0); + return BIO_should_ktls_flag(b, 0) != 0; case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: BIO_set_ktls_ctrl_msg_flag(b); b->ptr = (void *)num; @@ -205,7 +205,7 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) break; # endif case BIO_CTRL_EOF: - ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; + ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; break; default: ret = 0; From openssl at openssl.org Fri Feb 19 23:13:21 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 19 Feb 2021 23:13:21 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 Message-ID: <1613776401.773233.2196672.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 877 wallclock secs (12.75 usr 1.44 sys + 793.19 cusr 87.14 csys = 894.52 CPU) Result: FAIL make[1]: *** [Makefile:3273: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2' make: *** [Makefile:3270: tests] Error 2 From openssl at openssl.org Sat Feb 20 00:04:49 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 20 Feb 2021 00:04:49 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1613779489.398449.2302805.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80212B53397F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80212B53397F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/gMdHc35m4N default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80312ED3FB7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80312ED3FB7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80312ED3FB7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80312ED3FB7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80312ED3FB7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80312ED3FB7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/gMdHc35m4N fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 961 wallclock secs (14.41 usr 1.42 sys + 864.96 cusr 95.57 csys = 976.36 CPU) Result: FAIL make[1]: *** [Makefile:3262: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3259: tests] Error 2 From openssl at openssl.org Sat Feb 20 01:45:49 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 20 Feb 2021 01:45:49 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method Message-ID: <1613785549.619782.2509825.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=231, Tests=3180, 781 wallclock secs (11.94 usr 1.33 sys + 699.72 cusr 83.09 csys = 796.08 CPU) Result: FAIL make[1]: *** [Makefile:3274: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method' make: *** [Makefile:3271: tests] Error 2 From openssl at openssl.org Sat Feb 20 02:39:13 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 20 Feb 2021 02:39:13 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1613788753.467476.2615832.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80514C40667F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80514C40667F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/ODIRtiuEiK default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F18436807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F18436807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F18436807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F18436807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80F18436807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80F18436807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/ODIRtiuEiK fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=231, Tests=3266, 916 wallclock secs (14.45 usr 1.43 sys + 816.10 cusr 95.88 csys = 927.86 CPU) Result: FAIL make[1]: *** [Makefile:3258: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3255: tests] Error 2 From openssl at openssl.org Sat Feb 20 03:30:46 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 20 Feb 2021 03:30:46 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_3 Message-ID: <1613791846.979678.2720573.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_3 Commit log since last time: adc11e1b9c x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR d44a8a16c8 apps/ca.c: Make sure ext_ctx structure gets initialized fe75766c9c Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY e5ac413b2d Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() 3a962b2093 [doc/man3][OSSL_ENCODER] Move NOTES to the bottom 851b06b705 [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties 68883d9db8 doc: document the two new RAND functions 335e85f542 rand: update DRBGs to use the get_entropy call for seeding 78436fd146 core: add get_entropy and clear_entropy calls to RAND e2730b8426 RNG test: add get_entropy hook for testing. 9ed185a926 RNG seed: add get_entropy hook for seeding. 381289f6c7 err: generated error files 79d68c4fb4 test: DRBG test with long seed. 574ca403c8 Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client 5b888e931b Fix propquery handling in EVP_DigestSignInit_ex 55e9d8cfff TEST: Add missing initialization c913dbd716 Update CHANGES and NEWS for new release c9fb704cf3 Don't overflow the output length in EVP_CipherUpdate calls c1ddd392cf Fix rsa_test to properly test RSA_SSLV23_PADDING d9461cbe87 Fix the RSA_SSLV23_PADDING padding type 4357b6174a Refactor rsa_test 55869f594f Test that X509_issuer_and_serial_hash doesn't crash 8130d654d1 Fix Null pointer deref in X509_issuer_and_serial_hash() c9e955dd50 Do not match RFC 5114 groups without q as it is significant 62829f9f26 README-ENGINES: fix the link to the provider API README 9dc9c7f2d7 Document the newly added function EVP_PKEY_param_check_quick() 0217e53e33 Fix the dhparam_check test 899e25643d Implement EVP_PKEY_param_check_quick() and use it in libssl aee73562d1 Run DH_check_ex() not DH_check_params_ex() when checking params 93e43f4c47 RSA: avoid dereferencing possibly-NULL parameter in initializers 63ae847679 x509_vfy: remove redundant stack allocation 99c166a1b0 Add docs for ASN1_item_sign and ASN1_item_verify functions Build log ended with (last 100 lines): # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 2 - iteration 2 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 3 - iteration 3 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 4 - iteration 4 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 5 - iteration 5 # ------------------------------------------------------------------------------ not ok 1 - test_handshake # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/ssl_test 14-curves.cnf.fips fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 9 - running ssl_test 14-curves.cnf # ------------------------------------------------------------------------------ # Failed test 'running ssl_test 14-curves.cnf' # at ../openssl/test/recipes/80-test_ssl_new.t line 176. # Looks like you failed 3 tests of 9. not ok 15 - Test configuration 14-curves.cnf # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 31.80-test_ssl_new.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. skipped: test_tls13ccs is not supported in this build 90-test_tls13encryption.t .......... skipped: tls13encryption is not supported in this build 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_new.t (Wstat: 256 Tests: 31 Failed: 1) Failed test: 15 Non-zero exit status: 1 Files=231, Tests=3189, 879 wallclock secs (12.80 usr 1.36 sys + 787.82 cusr 91.66 csys = 893.64 CPU) Result: FAIL make[1]: *** [Makefile:3262: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_3' make: *** [Makefile:3259: tests] Error 2 From no-reply at appveyor.com Sat Feb 20 13:46:04 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 13:46:04 +0000 Subject: Build failed: openssl master.40074 Message-ID: <20210220134604.1.704E8E1529F54EB8@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 20 15:05:48 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 15:05:48 +0000 Subject: Build failed: openssl master.40075 Message-ID: <20210220150548.1.E11162982B8901AD@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 20 16:22:08 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 16:22:08 +0000 Subject: Build completed: openssl master.40076 Message-ID: <20210220162208.1.0DAB1DE86A8AABA5@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 20 17:07:20 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 17:07:20 +0000 Subject: Build failed: openssl master.40078 Message-ID: <20210220170720.1.EF853D128F73281F@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 20 18:29:30 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 18:29:30 +0000 Subject: Build completed: openssl master.40079 Message-ID: <20210220182930.1.232F270117F3B3A4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 20 19:45:11 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 19:45:11 +0000 Subject: Build failed: openssl master.40082 Message-ID: <20210220194511.1.7839FB0E69193F01@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Sat Feb 20 20:16:04 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 20 Feb 2021 20:16:04 +0000 Subject: [openssl] master update Message-ID: <1613852164.163274.9792.nullmailer@dev.openssl.org> The branch master has been updated via 57acc56bdcdf2a7f084cf480f6f1d8f250735b0c (commit) via acf497b53b0a349af13ca5e89665f331e1096af8 (commit) from f16e52b67c9261bdc7e1284a50502a802921ac6d (commit) - Log ----------------------------------------------------------------- commit 57acc56bdcdf2a7f084cf480f6f1d8f250735b0c Author: Richard Levitte Date: Fri Feb 19 10:16:04 2021 +0100 DECODER: Add better tracing of the chain walking process Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14233) commit acf497b53b0a349af13ca5e89665f331e1096af8 Author: Richard Levitte Date: Thu Feb 18 13:18:53 2021 +0100 DECODER: Use the data structure from the last decoder to select the next Any decoder can now also declare the name of the data structure for the object it decoded in the OSSL_PARAM array they pass back to the decoding process. The decoding process will use that as another criterion to select the next decoder in the chain to consider. Together with declaring the data type, this becomes a means to refine how the decoded data is treated along the chain. Fixes #13539 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14233) ----------------------------------------------------------------------- Summary of changes: crypto/encode_decode/decoder_lib.c | 135 +++++++++++++++++++++++++++++++++---- 1 file changed, 123 insertions(+), 12 deletions(-) diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index 8e9af13bbb..6503b46d63 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -28,6 +28,8 @@ struct decoder_process_data_st { /* Index of the current decoder instance to be processed */ size_t current_decoder_inst_index; + /* For tracing, count recursion level */ + size_t recursion; }; static int decoder_process(const OSSL_PARAM params[], void *arg); @@ -512,20 +514,34 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) int err, ok = 0; /* For recursions */ struct decoder_process_data_st new_data; - const char *object_type = NULL; + const char *data_type = NULL; + const char *data_structure = NULL; memset(&new_data, 0, sizeof(new_data)); new_data.ctx = data->ctx; + new_data.recursion = data->recursion + 1; + +#define LEVEL_STR ">>>>>>>>>>>>>>>>" +#define LEVEL (new_data.recursion < sizeof(LEVEL_STR) \ + ? &LEVEL_STR[sizeof(LEVEL_STR) - new_data.recursion - 1] \ + : LEVEL_STR "...") if (params == NULL) { /* First iteration, where we prepare for what is to come */ + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) starting to walk the decoder chain\n", + (void *)new_data.ctx); + } OSSL_TRACE_END(DECODER); + data->current_decoder_inst_index = OSSL_DECODER_CTX_get_num_decoders(ctx); bio = data->bio; } else { const OSSL_PARAM *p; + const char *trace_data_structure; decoder_inst = sk_OSSL_DECODER_INSTANCE_value(ctx->decoder_insts, @@ -555,10 +571,42 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) goto end; bio = new_data.bio; - /* Get the object type if there is one */ + /* Get the data type if there is one */ p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE); - if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &object_type)) + if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &data_type)) goto end; + + /* Get the data structure if there is one */ + p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE); + if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &data_structure)) + goto end; + + /* + * If the data structure is "type-specific" and the data type is + * given, we drop the data structure. The reasoning is that the + * data type is already enough to find the applicable next decoder, + * so an additional "type-specific" data structure is extraneous. + * + * Furthermore, if the OSSL_DECODER caller asked for a type specific + * structure under another name, such as "DH", we get a mismatch + * if the data structure we just received is "type-specific". + * There's only so much you can do without infusing this code with + * too special knowledge. + */ + trace_data_structure = data_structure; + if (data_type != NULL + && strcasecmp(data_structure, "type-specific") == 0) + data_structure = NULL; + + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s incoming from previous decoder (%p):\n" + " data type: %s, data structure: %s%s\n", + (void *)new_data.ctx, LEVEL, (void *)decoder, + data_type, trace_data_structure, + (trace_data_structure == data_structure + ? "" : " (dropped)")); + } OSSL_TRACE_END(DECODER); } /* @@ -582,6 +630,19 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) OSSL_DECODER_INSTANCE_get_decoder_ctx(new_decoder_inst); const char *new_input_type = OSSL_DECODER_INSTANCE_get_input_type(new_decoder_inst); + int n_i_s_was_set = 0; /* We don't care here */ + const char *new_input_structure = + OSSL_DECODER_INSTANCE_get_input_structure(new_decoder_inst, + &n_i_s_was_set); + + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s [%u] Considering decoder instance %p, which has:\n" + " input type: %s, input structure: %s, decoder: %p\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i, + (void *)new_decoder_inst, new_input_type, + new_input_structure, (void *)new_decoder); + } OSSL_TRACE_END(DECODER); /* * If |decoder| is NULL, it means we've just started, and the caller @@ -589,24 +650,60 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) * that's the case, we do this extra check. */ if (decoder == NULL && ctx->start_input_type != NULL - && strcasecmp(ctx->start_input_type, new_input_type) != 0) + && strcasecmp(ctx->start_input_type, new_input_type) != 0) { + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s [%u] the start input type '%s' doesn't match the input type of the considered decoder, skipping...\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i, + ctx->start_input_type); + } OSSL_TRACE_END(DECODER); continue; + } /* * If we have a previous decoder, we check that the input type * of the next to be used matches the type of this previous one. - * input_type is a cache of the parameter "input-type" value for - * that decoder. + * |new_input_type| holds the value of the "input-type" parameter + * for the decoder we're currently considering. */ - if (decoder != NULL && !OSSL_DECODER_is_a(decoder, new_input_type)) + if (decoder != NULL && !OSSL_DECODER_is_a(decoder, new_input_type)) { + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s [%u] the input type doesn't match the name of the previous decoder (%p), skipping...\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i, + (void *)decoder); + } OSSL_TRACE_END(DECODER); continue; + } /* - * If the previous decoder gave us an object type, we check to see + * If the previous decoder gave us a data type, we check to see * if that matches the decoder we're currently considering. */ - if (object_type != NULL && !OSSL_DECODER_is_a(new_decoder, object_type)) + if (data_type != NULL && !OSSL_DECODER_is_a(new_decoder, data_type)) { + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s [%u] the previous decoder's data type doesn't match the name of the considered decoder, skipping...\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i); + } OSSL_TRACE_END(DECODER); continue; + } + + /* + * If the previous decoder gave us a data structure name, we check + * to see that it matches the input data structure of the decoder + * we're currently considering. + */ + if (data_structure != NULL + && (new_input_structure == NULL + || strcasecmp(data_structure, new_input_structure) != 0)) { + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s [%u] the previous decoder's data structure doesn't match the input structure of the considered decoder, skipping...\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i); + } OSSL_TRACE_END(DECODER); + continue; + } /* * Checking the return value of BIO_reset() or BIO_seek() is unsafe. @@ -623,6 +720,13 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) goto end; /* Recurse */ + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s [%u] Running decoder instance %p\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i, + (void *)new_decoder_inst); + } OSSL_TRACE_END(DECODER); + new_data.current_decoder_inst_index = i; ok = new_decoder->decode(new_decoderctx, (OSSL_CORE_BIO *)bio, new_data.ctx->selection, @@ -632,12 +736,19 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, - "(ctx %p) Running decoder instance %p => %d\n", - (void *)new_data.ctx, (void *)new_decoder_inst, ok); + "(ctx %p) %s [%u] Running decoder instance %p => %d\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i, + (void *)new_decoder_inst, ok); } OSSL_TRACE_END(DECODER); if (ok) break; + + /* + * These errors are assumed to come from ossl_store_handle_load_result() + * in crypto/store/store_result.c. They are currently considered fatal + * errors, so we preserve them in the error queue and stop. + */ err = ERR_peek_last_error(); if ((ERR_GET_LIB(err) == ERR_LIB_EVP && ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM) @@ -647,7 +758,7 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) #endif || (ERR_GET_LIB(err) == ERR_LIB_X509 && ERR_GET_REASON(err) == X509_R_UNSUPPORTED_ALGORITHM)) - break; /* fatal error; preserve it on the error queue and stop */ + goto end; } end: From no-reply at appveyor.com Sat Feb 20 23:06:43 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 23:06:43 +0000 Subject: Build completed: openssl master.40083 Message-ID: <20210220230643.1.D34201D8354C1F2D@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 20 23:51:27 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 20 Feb 2021 23:51:27 +0000 Subject: Build failed: openssl master.40084 Message-ID: <20210220235127.1.29224A2CE991F19C@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Feb 21 03:33:16 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 21 Feb 2021 03:33:16 +0000 Subject: Build completed: openssl master.40085 Message-ID: <20210221033316.1.3DE2A7E61B6FB6A0@appveyor.com> An HTML attachment was scrubbed... URL: From scan-admin at coverity.com Sun Feb 21 07:51:25 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 21 Feb 2021 07:51:25 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <603210fcdcdad_228b9a2ab949004f60704fd@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DEX0z_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEoEaryMSw7i34frsmoyGjJw-2FTCX2c0oOvQKJdELFrDZnT3mGdoo9K2ufehGuSBXnEIH-2Fo2YccIQcSWo5SztDCeUizQ-2FvGx8dFjA1N-2FcA9NITjwqA2vZt1wT5QYR7yL7Wc6VqP4cUct9e-2F9haVRhcwLKIMqt-2Bba6EOFw3tVCeJ409y3I4nhaTNW9aQ2539C4Mo-3D Build ID: 370789 Analysis Summary: New defects found: 11 Defects eliminated: 8 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3DQmqk_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEoEaryMSw7i34frsmoyGjJw-2FTCX2c0oOvQKJdELFrDZgmhslzZLURd-2ByeNcd5ERXvg1QV3ZZubi9zOv52tuLv4OY3djdV1BrDkNemMwPWEtEfrJBqV-2FdYa2JU54-2F68oVuKjPiMGzzuFuhysIg9Bg8MCSUB9jXPSN2eiuHwlKS2bjiZ6gs2O1TY7g9-2BXTTfoTg-3D From scan-admin at coverity.com Sun Feb 21 07:53:27 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 21 Feb 2021 07:53:27 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60321176e7b49_228dda2ab949004f6070467@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DN260_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHNeY-2FSfqSMDw8ps3QoRt3qERUmMt0jTLed-2BrW85qVrO-2Bf0g160nnhCd9XPVeaVlfdi0QqNrABstYXOWUzRbOVHxabqJ-2BS28GTj-2FtLNRlmczHh8H0ALXY-2BM6vPZ0KEfkxAr4tm9h-2Bndd5HMgdRpPbrtitIBTVAJAWMIiWJ5XlwbIDw4DW0nyDkVry8DqznZkVj0PiFfCaot-2BOvAMmSU6fwr Build ID: 370790 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Sun Feb 21 12:04:48 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 21 Feb 2021 12:04:48 +0000 Subject: [openssl] master update Message-ID: <1613909088.650911.27124.nullmailer@dev.openssl.org> The branch master has been updated via 937a62323b67bfff59c795e90df3acf66bb4579a (commit) from 57acc56bdcdf2a7f084cf480f6f1d8f250735b0c (commit) - Log ----------------------------------------------------------------- commit 937a62323b67bfff59c795e90df3acf66bb4579a Author: jwalch Date: Fri Feb 19 17:58:17 2021 -0500 -Wunused-function cleanup core_dispatch.h seems to be the source of some compiler warnings with legacy applications in alpha12 now that it is implicitly exported via evp.h Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14260) ----------------------------------------------------------------------- Summary of changes: include/openssl/core_dispatch.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 0377424434..c4e109156f 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -44,7 +44,7 @@ extern "C" { */ #define OSSL_CORE_MAKE_FUNC(type,name,args) \ typedef type (OSSL_FUNC_##name##_fn)args; \ - static ossl_inline \ + static ossl_unused ossl_inline \ OSSL_FUNC_##name##_fn *OSSL_FUNC_##name(const OSSL_DISPATCH *opf) \ { \ return (OSSL_FUNC_##name##_fn *)opf->function; \ From no-reply at appveyor.com Sun Feb 21 18:29:56 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 21 Feb 2021 18:29:56 +0000 Subject: Build failed: openssl master.40087 Message-ID: <20210221182956.1.EE83220D1B5AEC03@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Feb 21 19:19:40 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 21 Feb 2021 19:19:40 +0000 Subject: Build failed: openssl master.40090 Message-ID: <20210221191940.1.E2DBC39AF67FE9C4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Feb 22 00:33:35 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 22 Feb 2021 00:33:35 +0000 Subject: Build failed: openssl master.40093 Message-ID: <20210222003335.1.25F5A7EEA8EF7270@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Feb 22 01:18:50 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 22 Feb 2021 01:18:50 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1613956730.265206.3238793.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sslapitest \ test/helpers/sslapitest-bin-ssltestlib.o \ test/sslapitest-bin-filterprov.o \ test/sslapitest-bin-sslapitest.o \ test/sslapitest-bin-tls-provider.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/sslbuffertest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sslbuffertest \ test/helpers/sslbuffertest-bin-ssltestlib.o \ test/sslbuffertest-bin-sslbuffertest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/sslcorrupttest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sslcorrupttest \ test/helpers/sslcorrupttest-bin-ssltestlib.o \ test/sslcorrupttest-bin-sslcorrupttest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/sysdefaulttest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sysdefaulttest \ test/sysdefaulttest-bin-sysdefaulttest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13ccstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13ccstest \ test/helpers/tls13ccstest-bin-ssltestlib.o \ test/tls13ccstest-bin-tls13ccstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13secretstest rm -f test/uitest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13secretstest \ crypto/tls13secretstest-bin-packet.o \ ssl/tls13secretstest-bin-tls13_enc.o \ test/tls13secretstest-bin-tls13secretstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/uitest \ apps/lib/uitest-bin-apps_ui.o test/uitest-bin-uitest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread make[1]: Leaving directory '/home/openssl/run-checker/no-asm' $ make test make depend && make _tests make[1]: Entering directory '/home/openssl/run-checker/no-asm' make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make[1]: Entering directory '/home/openssl/run-checker/no-asm' ( SRCTOP=../openssl \ BLDTOP=. \ PERL="/usr/bin/perl" \ FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \ EXE_EXT= \ /usr/bin/perl ../openssl/test/run_tests.pl ) 01-test_abort.t .................... ok 01-test_sanity.t ................... ok 01-test_symbol_presence.t .......... ok 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok make[1]: *** wait: No child processes. Stop. make[1]: *** Waiting for unfinished jobs.... make[1]: *** wait: No child processes. Stop. make: *** [Makefile:3266: tests] Terminated From no-reply at appveyor.com Mon Feb 22 01:51:41 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 22 Feb 2021 01:51:41 +0000 Subject: Build completed: openssl master.40094 Message-ID: <20210222015141.1.3B988C8A74ED9963@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Feb 22 02:15:16 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 22 Feb 2021 02:15:16 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1613960116.145320.3352370.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=232, Tests=3164, 949 wallclock secs (14.47 usr 1.39 sys + 852.62 cusr 92.92 csys = 961.40 CPU) Result: FAIL make[1]: *** [Makefile:3278: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3275: tests] Error 2 From shane.lontis at oracle.com Mon Feb 22 03:31:29 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Mon, 22 Feb 2021 03:31:29 +0000 Subject: [openssl] master update Message-ID: <1613964689.055931.13974.nullmailer@dev.openssl.org> The branch master has been updated via 681618cfc18b4f01f2c07e823308d30f6f47504b (commit) via 53155f1c814be6d8bfdd77333a16ec9cee7fc3bb (commit) from 937a62323b67bfff59c795e90df3acf66bb4579a (commit) - Log ----------------------------------------------------------------- commit 681618cfc18b4f01f2c07e823308d30f6f47504b Author: Shane Lontis Date: Fri Feb 19 17:29:29 2021 +1000 Fix external symbols for pkcs7. Partial fix for #12964 This adds ossl_ names for symbols related to pkcs7_* Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14241) commit 53155f1c814be6d8bfdd77333a16ec9cee7fc3bb Author: Shane Lontis Date: Thu Feb 18 14:03:25 2021 +1000 Fix external symbols for cms. Partial fix for #12964 This adds ossl_ names for symbols related to cms_* and ess_* Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14241) ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_cd.c | 7 ++- crypto/cms/cms_dd.c | 16 ++--- crypto/cms/cms_dh.c | 2 +- crypto/cms/cms_ec.c | 4 +- crypto/cms/cms_enc.c | 25 ++++---- crypto/cms/cms_env.c | 122 ++++++++++++++++++----------------- crypto/cms/cms_ess.c | 29 ++++----- crypto/cms/cms_io.c | 10 +-- crypto/cms/cms_kari.c | 57 +++++++++-------- crypto/cms/cms_lib.c | 66 +++++++++---------- crypto/cms/cms_local.h | 154 +++++++++++++++++++++++---------------------- crypto/cms/cms_pwri.c | 20 +++--- crypto/cms/cms_rsa.c | 4 +- crypto/cms/cms_sd.c | 90 +++++++++++++------------- crypto/cms/cms_smime.c | 41 ++++++------ crypto/ess/ess_asn1.c | 10 +-- crypto/ess/ess_lib.c | 28 ++++----- crypto/pkcs7/pk7_asn1.c | 2 +- crypto/pkcs7/pk7_doit.c | 40 ++++++------ crypto/pkcs7/pk7_lib.c | 20 +++--- crypto/pkcs7/pk7_local.h | 6 +- crypto/pkcs7/pk7_mime.c | 8 +-- crypto/pkcs7/pk7_smime.c | 8 +-- crypto/ts/ts_rsp_sign.c | 11 ++-- crypto/ts/ts_rsp_verify.c | 12 ++-- crypto/x509/x_all.c | 4 +- include/crypto/cms.h | 12 ++-- include/crypto/ess.h | 27 ++++---- include/crypto/pkcs7.h | 2 +- include/openssl/symhacks.h | 4 -- 30 files changed, 430 insertions(+), 411 deletions(-) diff --git a/crypto/cms/cms_cd.c b/crypto/cms/cms_cd.c index c781268659..de38288d09 100644 --- a/crypto/cms/cms_cd.c +++ b/crypto/cms/cms_cd.c @@ -21,8 +21,9 @@ /* CMS CompressedData Utilities */ -CMS_ContentInfo *cms_CompressedData_create(int comp_nid, OSSL_LIB_CTX *libctx, - const char *propq) +CMS_ContentInfo *ossl_cms_CompressedData_create(int comp_nid, + OSSL_LIB_CTX *libctx, + const char *propq) { CMS_ContentInfo *cms; CMS_CompressedData *cd; @@ -61,7 +62,7 @@ CMS_ContentInfo *cms_CompressedData_create(int comp_nid, OSSL_LIB_CTX *libctx, return NULL; } -BIO *cms_CompressedData_init_bio(const CMS_ContentInfo *cms) +BIO *ossl_cms_CompressedData_init_bio(const CMS_ContentInfo *cms) { CMS_CompressedData *cd; const ASN1_OBJECT *compoid; diff --git a/crypto/cms/cms_dd.c b/crypto/cms/cms_dd.c index 4eba827d62..31b0a6f23f 100644 --- a/crypto/cms/cms_dd.c +++ b/crypto/cms/cms_dd.c @@ -17,9 +17,9 @@ /* CMS DigestedData Utilities */ -CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md, - OSSL_LIB_CTX *libctx, - const char *propq) +CMS_ContentInfo *ossl_cms_DigestedData_create(const EVP_MD *md, + OSSL_LIB_CTX *libctx, + const char *propq) { CMS_ContentInfo *cms; CMS_DigestedData *dd; @@ -48,14 +48,16 @@ CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md, return NULL; } -BIO *cms_DigestedData_init_bio(const CMS_ContentInfo *cms) +BIO *ossl_cms_DigestedData_init_bio(const CMS_ContentInfo *cms) { CMS_DigestedData *dd = cms->d.digestedData; - return cms_DigestAlgorithm_init_bio(dd->digestAlgorithm, cms_get0_cmsctx(cms)); + return ossl_cms_DigestAlgorithm_init_bio(dd->digestAlgorithm, + ossl_cms_get0_cmsctx(cms)); } -int cms_DigestedData_do_final(const CMS_ContentInfo *cms, BIO *chain, int verify) +int ossl_cms_DigestedData_do_final(const CMS_ContentInfo *cms, BIO *chain, + int verify) { EVP_MD_CTX *mctx = EVP_MD_CTX_new(); unsigned char md[EVP_MAX_MD_SIZE]; @@ -70,7 +72,7 @@ int cms_DigestedData_do_final(const CMS_ContentInfo *cms, BIO *chain, int verify dd = cms->d.digestedData; - if (!cms_DigestAlgorithm_find_ctx(mctx, chain, dd->digestAlgorithm)) + if (!ossl_cms_DigestAlgorithm_find_ctx(mctx, chain, dd->digestAlgorithm)) goto err; if (EVP_DigestFinal_ex(mctx, md, &mdlen) <= 0) diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c index e55b4a062f..95ce8e8351 100644 --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c @@ -327,7 +327,7 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri) return rv; } -int cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt) +int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt) { assert(decrypt == 0 || decrypt == 1); diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c index a4c6da6069..096eafd815 100644 --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -370,7 +370,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) return rv; } -int cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt) +int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt) { assert(decrypt == 0 || decrypt == 1); @@ -385,7 +385,7 @@ int cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt) } /* ECDSA and DSA implementation is the same */ -int cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify) +int ossl_cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify) { assert(verify == 0 || verify == 1); diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index cf19b7604b..3bec60bcf0 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -21,8 +21,8 @@ /* Return BIO based on EncryptedContentInfo and key */ -BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - const CMS_CTX *cms_ctx) +BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, + const CMS_CTX *cms_ctx) { BIO *b; EVP_CIPHER_CTX *ctx; @@ -37,8 +37,8 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, size_t tkeylen = 0; int ok = 0; int enc, keep_key = 0; - OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(cms_ctx); - const char *propq = cms_ctx_get0_propq(cms_ctx); + OSSL_LIB_CTX *libctx = ossl_cms_ctx_get0_libctx(cms_ctx); + const char *propq = ossl_cms_ctx_get0_propq(cms_ctx); enc = ec->cipher ? 1 : 0; @@ -193,10 +193,10 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, return NULL; } -int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, - const EVP_CIPHER *cipher, - const unsigned char *key, size_t keylen, - const CMS_CTX *cms_ctx) +int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, + const unsigned char *key, size_t keylen, + const CMS_CTX *cms_ctx) { ec->cipher = cipher; if (key) { @@ -234,14 +234,15 @@ int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, return 0; } ec = cms->d.encryptedData->encryptedContentInfo; - return cms_EncryptedContent_init(ec, ciph, key, keylen, cms_get0_cmsctx(cms)); + return ossl_cms_EncryptedContent_init(ec, ciph, key, keylen, + ossl_cms_get0_cmsctx(cms)); } -BIO *cms_EncryptedData_init_bio(const CMS_ContentInfo *cms) +BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms) { CMS_EncryptedData *enc = cms->d.encryptedData; if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs) enc->version = 2; - return cms_EncryptedContent_init_bio(enc->encryptedContentInfo, - cms_get0_cmsctx(cms)); + return ossl_cms_EncryptedContent_init_bio(enc->encryptedContentInfo, + ossl_cms_get0_cmsctx(cms)); } diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index d133b15136..b0b9e4aaac 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -42,7 +42,7 @@ static int cms_get_enveloped_type(const CMS_ContentInfo *cms) } } -CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms) +CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms) { if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) { ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA); @@ -51,7 +51,7 @@ CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms) return cms->d.envelopedData; } -CMS_AuthEnvelopedData *cms_get0_auth_enveloped(CMS_ContentInfo *cms) +CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms) { if (OBJ_obj2nid(cms->contentType) != NID_id_smime_ct_authEnvelopedData) { ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA); @@ -75,7 +75,7 @@ static CMS_EnvelopedData *cms_enveloped_data_init(CMS_ContentInfo *cms) cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped); return cms->d.envelopedData; } - return cms_get0_enveloped(cms); + return ossl_cms_get0_enveloped(cms); } static CMS_AuthEnvelopedData * @@ -95,10 +95,10 @@ cms_auth_enveloped_data_init(CMS_ContentInfo *cms) cms->contentType = OBJ_nid2obj(NID_id_smime_ct_authEnvelopedData); return cms->d.authEnvelopedData; } - return cms_get0_auth_enveloped(cms); + return ossl_cms_get0_auth_enveloped(cms); } -int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) +int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) { EVP_PKEY *pkey; int i; @@ -116,11 +116,11 @@ int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) return 0; if (EVP_PKEY_is_a(pkey, "DHX") || EVP_PKEY_is_a(pkey, "DH")) - return cms_dh_envelope(ri, cmd); + return ossl_cms_dh_envelope(ri, cmd); else if (EVP_PKEY_is_a(pkey, "EC")) - return cms_ecdh_envelope(ri, cmd); + return ossl_cms_ecdh_envelope(ri, cmd); else if (EVP_PKEY_is_a(pkey, "RSA")) - return cms_rsa_envelope(ri, cmd); + return ossl_cms_rsa_envelope(ri, cmd); /* Something else? We'll give engines etc a chance to handle this */ if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) @@ -137,7 +137,7 @@ int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) return 1; } -CMS_EncryptedContentInfo* cms_get0_env_enc_content(const CMS_ContentInfo *cms) +CMS_EncryptedContentInfo* ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms) { switch (cms_get_enveloped_type(cms)) { case CMS_ENVELOPED_STANDARD: @@ -165,11 +165,11 @@ STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms) } } -void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms) +void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms) { int i; CMS_RecipientInfo *ri; - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); STACK_OF(CMS_RecipientInfo) *rinfos = CMS_get0_RecipientInfos(cms); for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) { @@ -181,8 +181,9 @@ void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms) break; case CMS_RECIPINFO_TRANS: ri->d.ktri->cms_ctx = ctx; - x509_set0_libctx(ri->d.ktri->recip, cms_ctx_get0_libctx(ctx), - cms_ctx_get0_propq(ctx)); + x509_set0_libctx(ri->d.ktri->recip, + ossl_cms_ctx_get0_libctx(ctx), + ossl_cms_ctx_get0_propq(ctx)); break; case CMS_RECIPINFO_KEK: ri->d.kekri->cms_ctx = ctx; @@ -225,8 +226,8 @@ CMS_ContentInfo *CMS_EnvelopedData_create_ex(const EVP_CIPHER *cipher, if (env == NULL) goto merr; - if (!cms_EncryptedContent_init(env->encryptedContentInfo, cipher, NULL, 0, - cms_get0_cmsctx(cms))) + if (!ossl_cms_EncryptedContent_init(env->encryptedContentInfo, cipher, NULL, + 0, ossl_cms_get0_cmsctx(cms))) goto merr; return cms; merr: @@ -253,8 +254,9 @@ CMS_AuthEnvelopedData_create_ex(const EVP_CIPHER *cipher, OSSL_LIB_CTX *libctx, aenv = cms_auth_enveloped_data_init(cms); if (aenv == NULL) goto merr; - if (!cms_EncryptedContent_init(aenv->authEncryptedContentInfo, - cipher, NULL, 0, cms_get0_cmsctx(cms))) + if (!ossl_cms_EncryptedContent_init(aenv->authEncryptedContentInfo, + cipher, NULL, 0, + ossl_cms_get0_cmsctx(cms))) goto merr; return cms; merr: @@ -301,7 +303,7 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip, * structure. */ - if (!cms_set1_SignerIdentifier(ktri->rid, recip, idtype, ctx)) + if (!ossl_cms_set1_SignerIdentifier(ktri->rid, recip, idtype, ctx)) return 0; X509_up_ref(recip); @@ -311,14 +313,14 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip, ktri->recip = recip; if (flags & CMS_KEY_PARAM) { - ktri->pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), + ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx), ktri->pkey, - cms_ctx_get0_propq(ctx)); + ossl_cms_ctx_get0_propq(ctx)); if (ktri->pctx == NULL) return 0; if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) return 0; - } else if (!cms_env_asn1_ctrl(ri, 0)) + } else if (!ossl_cms_env_asn1_ctrl(ri, 0)) return 0; return 1; } @@ -334,7 +336,7 @@ CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, CMS_RecipientInfo *ri = NULL; STACK_OF(CMS_RecipientInfo) *ris; EVP_PKEY *pk = NULL; - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); ris = CMS_get0_RecipientInfos(cms); if (ris == NULL) @@ -351,7 +353,7 @@ CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, goto err; } - switch (cms_pkey_get_ri_type(pk)) { + switch (ossl_cms_pkey_get_ri_type(pk)) { case CMS_RECIPINFO_TRANS: if (!cms_RecipientInfo_ktri_init(ri, recip, pk, flags, ctx)) @@ -359,8 +361,8 @@ CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, break; case CMS_RECIPINFO_AGREE: - if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator, - originatorPrivKey, flags, ctx)) + if (!ossl_cms_RecipientInfo_kari_init(ri, recip, pk, originator, + originatorPrivKey, flags, ctx)) goto err; break; @@ -422,7 +424,8 @@ int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, } ktri = ri->d.ktri; - return cms_SignerIdentifier_get0_signer_id(ktri->rid, keyid, issuer, sno); + return ossl_cms_SignerIdentifier_get0_signer_id(ktri->rid, keyid, issuer, + sno); } int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert) @@ -431,7 +434,7 @@ int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert) ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEY_TRANSPORT); return -2; } - return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert); + return ossl_cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert); } int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey) @@ -455,7 +458,7 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms, EVP_PKEY_CTX *pctx; unsigned char *ek = NULL; size_t eklen; - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); int ret = 0; @@ -464,16 +467,17 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms, return 0; } ktri = ri->d.ktri; - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); pctx = ktri->pctx; if (pctx) { - if (!cms_env_asn1_ctrl(ri, 0)) + if (!ossl_cms_env_asn1_ctrl(ri, 0)) goto err; } else { - pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), ktri->pkey, - cms_ctx_get0_propq(ctx)); + pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx), + ktri->pkey, + ossl_cms_ctx_get0_propq(ctx)); if (pctx == NULL) return 0; @@ -526,11 +530,11 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, const EVP_CIPHER *cipher = NULL; EVP_CIPHER *fetched_cipher = NULL; CMS_EncryptedContentInfo *ec; - const CMS_CTX *ctx = cms_get0_cmsctx(cms); - OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); - const char *propq = cms_ctx_get0_propq(ctx); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); + OSSL_LIB_CTX *libctx = ossl_cms_ctx_get0_libctx(ctx); + const char *propq = ossl_cms_ctx_get0_propq(ctx); - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); if (ktri->pkey == NULL) { ERR_raise(ERR_LIB_CMS, CMS_R_NO_PRIVATE_KEY); @@ -567,7 +571,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (EVP_PKEY_decrypt_init(ktri->pctx) <= 0) goto err; - if (!cms_env_asn1_ctrl(ri, 1)) + if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; if (EVP_PKEY_CTX_ctrl(ktri->pctx, -1, EVP_PKEY_OP_DECRYPT, @@ -813,8 +817,8 @@ static EVP_CIPHER *cms_get_key_wrap_cipher(size_t keylen, const CMS_CTX *ctx) default: return NULL; } - return EVP_CIPHER_fetch(cms_ctx_get0_libctx(ctx), alg, - cms_ctx_get0_propq(ctx)); + return EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(ctx), alg, + ossl_cms_ctx_get0_propq(ctx)); } @@ -831,9 +835,9 @@ static int cms_RecipientInfo_kekri_encrypt(const CMS_ContentInfo *cms, EVP_CIPHER *cipher = NULL; int outlen = 0; EVP_CIPHER_CTX *ctx = NULL; - const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms); + const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms); - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); if (ec == NULL) return 0; @@ -902,9 +906,9 @@ static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, EVP_CIPHER *cipher = NULL; int outlen = 0; EVP_CIPHER_CTX *ctx = NULL; - const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms); + const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms); - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); if (ec == NULL) return 0; @@ -980,7 +984,7 @@ int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) return cms_RecipientInfo_kekri_decrypt(cms, ri); case CMS_RECIPINFO_PASS: - return cms_RecipientInfo_pwri_crypt(cms, ri, 0); + return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 0); default: ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE); @@ -995,13 +999,13 @@ int CMS_RecipientInfo_encrypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri) return cms_RecipientInfo_ktri_encrypt(cms, ri); case CMS_RECIPINFO_AGREE: - return cms_RecipientInfo_kari_encrypt(cms, ri); + return ossl_cms_RecipientInfo_kari_encrypt(cms, ri); case CMS_RECIPINFO_KEK: return cms_RecipientInfo_kekri_encrypt(cms, ri); case CMS_RECIPINFO_PASS: - return cms_RecipientInfo_pwri_crypt(cms, ri, 1); + return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 1); default: ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENT_TYPE); @@ -1097,7 +1101,8 @@ static void cms_env_clear_ec(CMS_EncryptedContentInfo *ec) static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) { CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo; - BIO *contentBio = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms)); + BIO *contentBio = ossl_cms_EncryptedContent_init_bio(ec, + ossl_cms_get0_cmsctx(cms)); EVP_CIPHER_CTX *ctx = NULL; if (contentBio == NULL) @@ -1112,7 +1117,8 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) * If the selected cipher supports unprotected attributes, * deal with it using special ctrl function */ - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0, cms->d.envelopedData->unprotectedAttrs) <= 0) { BIO_free(contentBio); @@ -1132,7 +1138,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms) /* Get BIO first to set up key */ ec = env->encryptedContentInfo; - ret = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); /* If error end of processing */ if (!ret) @@ -1158,7 +1164,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms) return NULL; } -BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms) +BIO *ossl_cms_EnvelopedData_init_bio(CMS_ContentInfo *cms) { if (cms->d.envelopedData->encryptedContentInfo->cipher != NULL) { /* If cipher is set it's encryption */ @@ -1169,7 +1175,7 @@ BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms) return cms_EnvelopedData_Decryption_init_bio(cms); } -BIO *cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) +BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) { CMS_EncryptedContentInfo *ec; STACK_OF(CMS_RecipientInfo) *rinfos; @@ -1184,7 +1190,7 @@ BIO *cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) ec->tag = aenv->mac->data; ec->taglen = aenv->mac->length; } - ret = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms)); + ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); /* If error or no cipher end of processing */ if (ret == NULL || ec->cipher == NULL) @@ -1210,13 +1216,13 @@ BIO *cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) return NULL; } -int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain) +int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain) { CMS_EnvelopedData *env = NULL; EVP_CIPHER_CTX *ctx = NULL; BIO *mbio = BIO_find_type(chain, BIO_TYPE_CIPHER); - env = cms_get0_enveloped(cms); + env = ossl_cms_get0_enveloped(cms); if (env == NULL) return 0; @@ -1251,7 +1257,7 @@ int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain) return 1; } -int cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio) +int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio) { EVP_CIPHER_CTX *ctx; unsigned char *tag = NULL; @@ -1289,7 +1295,7 @@ err: * retain compatibility with previous behaviour if the ctrl value isn't * supported we assume key transport. */ -int cms_pkey_get_ri_type(EVP_PKEY *pk) +int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk) { /* Check types that we know about */ if (EVP_PKEY_is_a(pk, "DH")) @@ -1316,7 +1322,7 @@ int cms_pkey_get_ri_type(EVP_PKEY *pk) return CMS_RECIPINFO_TRANS; } -int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type) +int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type) { int supportedRiType; @@ -1329,7 +1335,7 @@ int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type) return r; } - supportedRiType = cms_pkey_get_ri_type(pk); + supportedRiType = ossl_cms_pkey_get_ri_type(pk); if (supportedRiType < 0) return 0; diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 2cdad46efb..b8b0076e03 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -52,18 +52,19 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) the |cert_ids|(Hash+IssuerID) list from this ESS_SIGNING_CERT. Derived from ts_check_signing_certs() */ -int ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain) +int ossl_ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain) { ESS_SIGNING_CERT *ss = NULL; ESS_SIGNING_CERT_V2 *ssv2 = NULL; X509 *cert; int i = 0, ret = 0; - if (cms_signerinfo_get_signing_cert(si, &ss) > 0 && ss->cert_ids != NULL) { + if (ossl_cms_signerinfo_get_signing_cert(si, &ss) > 0 + && ss->cert_ids != NULL) { STACK_OF(ESS_CERT_ID) *cert_ids = ss->cert_ids; cert = sk_X509_value(chain, 0); - if (ess_find_cert(cert_ids, cert) != 0) + if (ossl_ess_find_cert(cert_ids, cert) != 0) goto err; /* @@ -74,16 +75,16 @@ int ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain) /* for each chain cert, try to find its cert id */ for (i = 1; i < sk_X509_num(chain); ++i) { cert = sk_X509_value(chain, i); - if (ess_find_cert(cert_ids, cert) < 0) + if (ossl_ess_find_cert(cert_ids, cert) < 0) goto err; } } - } else if (cms_signerinfo_get_signing_cert_v2(si, &ssv2) > 0 + } else if (ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) > 0 && ssv2->cert_ids!= NULL) { STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = ssv2->cert_ids; cert = sk_X509_value(chain, 0); - if (ess_find_cert_v2(cert_ids_v2, cert) != 0) + if (ossl_ess_find_cert_v2(cert_ids_v2, cert) != 0) goto err; /* @@ -94,7 +95,7 @@ int ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain) /* for each chain cert, try to find its cert id */ for (i = 1; i < sk_X509_num(chain); ++i) { cert = sk_X509_value(chain, i); - if (ess_find_cert_v2(cert_ids_v2, cert) < 0) + if (ossl_ess_find_cert_v2(cert_ids_v2, cert) < 0) goto err; } } @@ -220,15 +221,15 @@ static int cms_msgSigDigest(CMS_SignerInfo *si, return 0; if (!asn1_item_digest_ex(ASN1_ITEM_rptr(CMS_Attributes_Verify), md, si->signedAttrs, dig, diglen, - cms_ctx_get0_libctx(si->cms_ctx), - cms_ctx_get0_propq(si->cms_ctx))) + ossl_cms_ctx_get0_libctx(si->cms_ctx), + ossl_cms_ctx_get0_propq(si->cms_ctx))) return 0; return 1; } /* Add a msgSigDigest attribute to a SignerInfo */ -int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src) +int ossl_cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src) { unsigned char dig[EVP_MAX_MD_SIZE]; unsigned int diglen; @@ -247,7 +248,7 @@ int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src) /* Verify signed receipt after it has already passed normal CMS verify */ -int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) +int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) { int r = 0, i; CMS_ReceiptRequest *rr = NULL; @@ -376,7 +377,7 @@ int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) * SignedData ContentInfo. */ -ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si) +ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si) { CMS_Receipt rct; CMS_ReceiptRequest *rr = NULL; @@ -418,7 +419,7 @@ ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si) * Add signer certificate's V2 digest |sc| to a SignerInfo structure |si| */ -int cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc) +int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc) { ASN1_STRING *seq = NULL; unsigned char *p, *pp = NULL; @@ -450,7 +451,7 @@ int cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc) * Add signer certificate's digest |sc| to a SignerInfo structure |si| */ -int cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc) +int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc) { ASN1_STRING *seq = NULL; unsigned char *p, *pp = NULL; diff --git a/crypto/cms/cms_io.c b/crypto/cms/cms_io.c index 39c44d8416..6b71ddfa90 100644 --- a/crypto/cms/cms_io.c +++ b/crypto/cms/cms_io.c @@ -39,7 +39,7 @@ CMS_ContentInfo *d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms) ci = ASN1_item_d2i_bio(ASN1_ITEM_rptr(CMS_ContentInfo), bp, cms); if (ci != NULL) - cms_resolve_libctx(ci); + ossl_cms_resolve_libctx(ci); return ci; } @@ -76,7 +76,7 @@ int SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags) STACK_OF(X509_ALGOR) *mdalgs; int ctype_nid = OBJ_obj2nid(cms->contentType); int econt_nid = OBJ_obj2nid(CMS_get0_eContentType(cms)); - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); if (ctype_nid == NID_pkcs7_signed) mdalgs = cms->d.signedData->digestAlgorithms; @@ -86,8 +86,8 @@ int SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags) return SMIME_write_ASN1_ex(bio, (ASN1_VALUE *)cms, data, flags, ctype_nid, econt_nid, mdalgs, ASN1_ITEM_rptr(CMS_ContentInfo), - cms_ctx_get0_libctx(ctx), - cms_ctx_get0_propq(ctx)); + ossl_cms_ctx_get0_libctx(ctx), + ossl_cms_ctx_get0_propq(ctx)); } CMS_ContentInfo *SMIME_read_CMS_ex(BIO *bio, BIO **bcont, CMS_ContentInfo **cms) @@ -98,7 +98,7 @@ CMS_ContentInfo *SMIME_read_CMS_ex(BIO *bio, BIO **bcont, CMS_ContentInfo **cms) ASN1_ITEM_rptr(CMS_ContentInfo), (ASN1_VALUE **)cms); if (ci != NULL) - cms_resolve_libctx(ci); + ossl_cms_resolve_libctx(ci); return ci; } diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index 304a5f88e9..1422f350b0 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -104,9 +104,9 @@ int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert) } oik = ri->d.kari->originator; if (oik->type == CMS_OIK_ISSUER_SERIAL) - return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert); + return ossl_cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert); else if (oik->type == CMS_OIK_KEYIDENTIFIER) - return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert); + return ossl_cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert); return -1; } @@ -151,14 +151,16 @@ int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek, CMS_KeyAgreeRecipientIdentifier *rid = rek->rid; if (rid->type == CMS_REK_ISSUER_SERIAL) - return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert); + return ossl_cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert); else if (rid->type == CMS_REK_KEYIDENTIFIER) - return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert); + return ossl_cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, + cert); else return -1; } -int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer) +int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, + EVP_PKEY *pk, X509 *peer) { EVP_PKEY_CTX *pctx; CMS_KeyAgreeRecipientInfo *kari = ri->d.kari; @@ -168,8 +170,9 @@ int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *p if (pk == NULL) return 1; - pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(kari->cms_ctx), pk, - cms_ctx_get0_propq(kari->cms_ctx)); + pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(kari->cms_ctx), + pk, + ossl_cms_ctx_get0_propq(kari->cms_ctx)); if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0) goto err; @@ -260,12 +263,12 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, enckeylen = rek->encryptedKey->length; enckey = rek->encryptedKey->data; /* Setup all parameters to derive KEK */ - if (!cms_env_asn1_ctrl(ri, 1)) + if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; /* Attempt to decrypt CEK */ if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0)) goto err; - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); OPENSSL_clear_free(ec->key, ec->keylen); ec->key = cek; ec->keylen = ceklen; @@ -284,8 +287,8 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *ekey = NULL; int rv = 0; const CMS_CTX *ctx = kari->cms_ctx; - OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); - const char *propq = cms_ctx_get0_propq(ctx); + OSSL_LIB_CTX *libctx = ossl_cms_ctx_get0_libctx(ctx); + const char *propq = ossl_cms_ctx_get0_propq(ctx); pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pk, propq); if (pctx == NULL) @@ -317,9 +320,9 @@ static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, int rv = 0; const CMS_CTX *ctx = kari->cms_ctx; - pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), + pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx), originatorPrivKey, - cms_ctx_get0_propq(ctx)); + ossl_cms_ctx_get0_propq(ctx)); if (pctx == NULL) goto err; if (EVP_PKEY_derive_init(pctx) <= 0) @@ -335,10 +338,10 @@ static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, /* Initialise a kari based on passed certificate and key */ -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, - EVP_PKEY *recipPubKey, X509 *originator, - EVP_PKEY *originatorPrivKey, unsigned int flags, - const CMS_CTX *ctx) +int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, + EVP_PKEY *recipPubKey, X509 *originator, + EVP_PKEY *originatorPrivKey, + unsigned int flags, const CMS_CTX *ctx) { CMS_KeyAgreeRecipientInfo *kari; CMS_RecipientEncryptedKey *rek = NULL; @@ -366,11 +369,11 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier); if (rek->rid->d.rKeyId == NULL) return 0; - if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) + if (!ossl_cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) return 0; } else { rek->rid->type = CMS_REK_ISSUER_SERIAL; - if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip)) + if (!ossl_cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip)) return 0; } @@ -390,11 +393,11 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, oik->d.subjectKeyIdentifier = ASN1_OCTET_STRING_new(); if (oik->d.subjectKeyIdentifier == NULL) return 0; - if (!cms_set1_keyid(&oik->d.subjectKeyIdentifier, originator)) + if (!ossl_cms_set1_keyid(&oik->d.subjectKeyIdentifier, originator)) return 0; } else { oik->type = CMS_REK_ISSUER_SERIAL; - if (!cms_set1_ias(&oik->d.issuerAndSerialNumber, originator)) + if (!ossl_cms_set1_ias(&oik->d.issuerAndSerialNumber, originator)) return 0; } @@ -459,9 +462,9 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, else kekcipher_name = SN_id_aes256_wrap; enc: - fetched_kekcipher = EVP_CIPHER_fetch(cms_ctx_get0_libctx(cms_ctx), + fetched_kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx), kekcipher_name, - cms_ctx_get0_propq(cms_ctx)); + ossl_cms_ctx_get0_propq(cms_ctx)); if (fetched_kekcipher == NULL) return 0; ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL); @@ -471,8 +474,8 @@ enc: /* Encrypt content key in key agreement recipient info */ -int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms, - CMS_RecipientInfo *ri) +int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms, + CMS_RecipientInfo *ri) { CMS_KeyAgreeRecipientInfo *kari; CMS_EncryptedContentInfo *ec; @@ -486,7 +489,7 @@ int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms, } kari = ri->d.kari; reks = kari->recipientEncryptedKeys; - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); /* Initialise wrap algorithm parameters */ if (!cms_wrap_init(kari, ec->cipher)) return 0; @@ -502,7 +505,7 @@ int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms, return 0; } /* Initialise KDF algorithm */ - if (!cms_env_asn1_ctrl(ri, 0)) + if (!ossl_cms_env_asn1_ctrl(ri, 0)) return 0; /* For each rek, derive KEK, encrypt CEK */ for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) { diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 3e2907fc16..03e6c631ef 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -31,7 +31,7 @@ CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, ci = (CMS_ContentInfo *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (CMS_ContentInfo_it())); if (ci != NULL) - cms_resolve_libctx(ci); + ossl_cms_resolve_libctx(ci); return ci; } @@ -73,32 +73,32 @@ void CMS_ContentInfo_free(CMS_ContentInfo *cms) } } -const CMS_CTX *cms_get0_cmsctx(const CMS_ContentInfo *cms) +const CMS_CTX *ossl_cms_get0_cmsctx(const CMS_ContentInfo *cms) { return cms != NULL ? &cms->ctx : NULL; } -OSSL_LIB_CTX *cms_ctx_get0_libctx(const CMS_CTX *ctx) +OSSL_LIB_CTX *ossl_cms_ctx_get0_libctx(const CMS_CTX *ctx) { return ctx != NULL ? ctx->libctx : NULL; } -const char *cms_ctx_get0_propq(const CMS_CTX *ctx) +const char *ossl_cms_ctx_get0_propq(const CMS_CTX *ctx) { return ctx != NULL ? ctx->propq : NULL; } -void cms_resolve_libctx(CMS_ContentInfo *ci) +void ossl_cms_resolve_libctx(CMS_ContentInfo *ci) { int i; CMS_CertificateChoices *cch; STACK_OF(CMS_CertificateChoices) **pcerts; - const CMS_CTX *ctx = cms_get0_cmsctx(ci); - OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); - const char *propq = cms_ctx_get0_propq(ctx); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(ci); + OSSL_LIB_CTX *libctx = ossl_cms_ctx_get0_libctx(ctx); + const char *propq = ossl_cms_ctx_get0_propq(ctx); - cms_SignerInfos_set_cmsctx(ci); - cms_RecipientInfos_set_cmsctx(ci); + ossl_cms_SignerInfos_set_cmsctx(ci); + ossl_cms_RecipientInfos_set_cmsctx(ci); pcerts = cms_get0_certificate_choices(ci); if (pcerts != NULL) { @@ -115,7 +115,7 @@ const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms) return cms->contentType; } -CMS_ContentInfo *cms_Data_create(OSSL_LIB_CTX *libctx, const char *propq) +CMS_ContentInfo *ossl_cms_Data_create(OSSL_LIB_CTX *libctx, const char *propq) { CMS_ContentInfo *cms = CMS_ContentInfo_new_ex(libctx, propq); @@ -127,7 +127,7 @@ CMS_ContentInfo *cms_Data_create(OSSL_LIB_CTX *libctx, const char *propq) return cms; } -BIO *cms_content_bio(CMS_ContentInfo *cms) +BIO *ossl_cms_content_bio(CMS_ContentInfo *cms) { ASN1_OCTET_STRING **pos = CMS_get0_content(cms); @@ -151,7 +151,7 @@ BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont) if (icont) cont = icont; else - cont = cms_content_bio(cms); + cont = ossl_cms_content_bio(cms); if (!cont) { ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT); return NULL; @@ -162,28 +162,28 @@ BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont) return cont; case NID_pkcs7_signed: - cmsbio = cms_SignedData_init_bio(cms); + cmsbio = ossl_cms_SignedData_init_bio(cms); break; case NID_pkcs7_digest: - cmsbio = cms_DigestedData_init_bio(cms); + cmsbio = ossl_cms_DigestedData_init_bio(cms); break; #ifdef ZLIB case NID_id_smime_ct_compressedData: - cmsbio = cms_CompressedData_init_bio(cms); + cmsbio = ossl_cms_CompressedData_init_bio(cms); break; #endif case NID_pkcs7_encrypted: - cmsbio = cms_EncryptedData_init_bio(cms); + cmsbio = ossl_cms_EncryptedData_init_bio(cms); break; case NID_pkcs7_enveloped: - cmsbio = cms_EnvelopedData_init_bio(cms); + cmsbio = ossl_cms_EnvelopedData_init_bio(cms); break; case NID_id_smime_ct_authEnvelopedData: - cmsbio = cms_AuthEnvelopedData_init_bio(cms); + cmsbio = ossl_cms_AuthEnvelopedData_init_bio(cms); break; default: @@ -234,16 +234,16 @@ int CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio) return 1; case NID_pkcs7_enveloped: - return cms_EnvelopedData_final(cms, cmsbio); + return ossl_cms_EnvelopedData_final(cms, cmsbio); case NID_id_smime_ct_authEnvelopedData: - return cms_AuthEnvelopedData_final(cms, cmsbio); + return ossl_cms_AuthEnvelopedData_final(cms, cmsbio); case NID_pkcs7_signed: - return cms_SignedData_final(cms, cmsbio); + return ossl_cms_SignedData_final(cms, cmsbio); case NID_pkcs7_digest: - return cms_DigestedData_do_final(cms, cmsbio, 0); + return ossl_cms_DigestedData_do_final(cms, cmsbio, 0); default: ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_TYPE); @@ -396,8 +396,8 @@ int CMS_set_detached(CMS_ContentInfo *cms, int detached) /* Create a digest BIO from an X509_ALGOR structure */ -BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, - const CMS_CTX *ctx) +BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, + const CMS_CTX *ctx) { BIO *mdbio = NULL; const ASN1_OBJECT *digestoid; @@ -409,8 +409,8 @@ BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, alg = OBJ_nid2sn(OBJ_obj2nid(digestoid)); (void)ERR_set_mark(); - fetched_digest = EVP_MD_fetch(cms_ctx_get0_libctx(ctx), alg, - cms_ctx_get0_propq(ctx)); + fetched_digest = EVP_MD_fetch(ossl_cms_ctx_get0_libctx(ctx), alg, + ossl_cms_ctx_get0_propq(ctx)); if (fetched_digest != NULL) digest = fetched_digest; @@ -438,8 +438,8 @@ BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, /* Locate a message digest content from a BIO chain based on SignerInfo */ -int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, - X509_ALGOR *mdalg) +int ossl_cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, + X509_ALGOR *mdalg) { int nid; const ASN1_OBJECT *mdoid; @@ -666,7 +666,7 @@ STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms) return crls; } -int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert) +int ossl_cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert) { int ret; ret = X509_NAME_cmp(ias->issuer, X509_get_issuer_name(cert)); @@ -675,7 +675,7 @@ int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert) return ASN1_INTEGER_cmp(ias->serialNumber, X509_get0_serialNumber(cert)); } -int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) +int ossl_cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) { const ASN1_OCTET_STRING *cert_keyid = X509_get0_subject_key_id(cert); @@ -684,7 +684,7 @@ int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) return ASN1_OCTET_STRING_cmp(keyid, cert_keyid); } -int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert) +int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert) { CMS_IssuerAndSerialNumber *ias; ias = M_ASN1_new_of(CMS_IssuerAndSerialNumber); @@ -703,7 +703,7 @@ int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert) return 0; } -int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) +int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) { ASN1_OCTET_STRING *keyid = NULL; const ASN1_OCTET_STRING *cert_keyid; diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index 3dfeb72689..82b4be5d19 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -388,96 +388,98 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerAndSerialNumber) # define CMS_OIK_KEYIDENTIFIER 1 # define CMS_OIK_PUBKEY 2 -BIO *cms_content_bio(CMS_ContentInfo *cms); -const CMS_CTX *cms_get0_cmsctx(const CMS_ContentInfo *cms); -OSSL_LIB_CTX *cms_ctx_get0_libctx(const CMS_CTX *ctx); -const char *cms_ctx_get0_propq(const CMS_CTX *ctx); -void cms_resolve_libctx(CMS_ContentInfo *ci); - -CMS_ContentInfo *cms_Data_create(OSSL_LIB_CTX *ctx, const char *propq); - -CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md, - OSSL_LIB_CTX *libctx, - const char *propq); -BIO *cms_DigestedData_init_bio(const CMS_ContentInfo *cms); -int cms_DigestedData_do_final(const CMS_ContentInfo *cms, - BIO *chain, int verify); - -BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms); -int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain); -int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, - int type, const CMS_CTX *ctx); -int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, - ASN1_OCTET_STRING **keyid, - X509_NAME **issuer, - ASN1_INTEGER **sno); -int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert); - -CMS_ContentInfo *cms_CompressedData_create(int comp_nid, OSSL_LIB_CTX *libctx, - const char *propq); -BIO *cms_CompressedData_init_bio(const CMS_ContentInfo *cms); - -BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, - const CMS_CTX *ctx); -int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, - X509_ALGOR *mdalg); - -int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert); -int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert); -int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); -int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); - -BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, +BIO *ossl_cms_content_bio(CMS_ContentInfo *cms); +const CMS_CTX *ossl_cms_get0_cmsctx(const CMS_ContentInfo *cms); +OSSL_LIB_CTX *ossl_cms_ctx_get0_libctx(const CMS_CTX *ctx); +const char *ossl_cms_ctx_get0_propq(const CMS_CTX *ctx); +void ossl_cms_resolve_libctx(CMS_ContentInfo *ci); + +CMS_ContentInfo *ossl_cms_Data_create(OSSL_LIB_CTX *ctx, const char *propq); + +CMS_ContentInfo *ossl_cms_DigestedData_create(const EVP_MD *md, + OSSL_LIB_CTX *libctx, + const char *propq); +BIO *ossl_cms_DigestedData_init_bio(const CMS_ContentInfo *cms); +int ossl_cms_DigestedData_do_final(const CMS_ContentInfo *cms, + BIO *chain, int verify); + +BIO *ossl_cms_SignedData_init_bio(CMS_ContentInfo *cms); +int ossl_cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain); +int ossl_cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, + int type, const CMS_CTX *ctx); +int ossl_cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, + ASN1_OCTET_STRING **keyid, + X509_NAME **issuer, + ASN1_INTEGER **sno); +int ossl_cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert); + +CMS_ContentInfo *ossl_cms_CompressedData_create(int comp_nid, + OSSL_LIB_CTX *libctx, + const char *propq); +BIO *ossl_cms_CompressedData_init_bio(const CMS_ContentInfo *cms); + +BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, + const CMS_CTX *ctx); +int ossl_cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, + X509_ALGOR *mdalg); + +int ossl_cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert); +int ossl_cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert); +int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); +int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); + +BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, + const CMS_CTX *ctx); +BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); +int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, + const unsigned char *key, size_t keylen, const CMS_CTX *ctx); -BIO *cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); -int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, - const EVP_CIPHER *cipher, - const unsigned char *key, size_t keylen, - const CMS_CTX *ctx); - -int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms); -int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src); -ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si); - -BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms); -int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain); -BIO *cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms); -int cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio); -CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms); -CMS_AuthEnvelopedData *cms_get0_auth_enveloped(CMS_ContentInfo *cms); -CMS_EncryptedContentInfo* cms_get0_env_enc_content(const CMS_ContentInfo *cms); + +int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms); +int ossl_cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src); +ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si); + +BIO *ossl_cms_EnvelopedData_init_bio(CMS_ContentInfo *cms); +int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain); +BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms); +int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio); +CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms); +CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms); +CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms); /* RecipientInfo routines */ -int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd); -int cms_pkey_get_ri_type(EVP_PKEY *pk); -int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type); +int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd); +int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk); +int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type); -void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms); +void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms); /* KARI routines */ -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, - EVP_PKEY *recipPubKey, X509 *originator, - EVP_PKEY *originatorPrivKey, unsigned int flags, - const CMS_CTX *ctx); -int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms, - CMS_RecipientInfo *ri); +int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, + EVP_PKEY *recipPubKey, X509 *originator, + EVP_PKEY *originatorPrivKey, + unsigned int flags, + const CMS_CTX *ctx); +int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms, + CMS_RecipientInfo *ri); /* PWRI routines */ -int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, - CMS_RecipientInfo *ri, int en_de); +int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, + CMS_RecipientInfo *ri, int en_de); /* SignerInfo routines */ int CMS_si_check_attributes(const CMS_SignerInfo *si); -void cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms); +void ossl_cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms); /* ESS routines */ -int ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain); +int ossl_ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain); -int cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt); -int cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt); -int cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt); -int cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify); -int cms_rsa_sign(CMS_SignerInfo *si, int verify); +int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt); +int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt); +int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt); +int ossl_cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify); +int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify); DECLARE_ASN1_ITEM(CMS_CertificateChoices) DECLARE_ASN1_ITEM(CMS_DigestedData) diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index 1f5111435f..cea1e404c0 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -50,9 +50,9 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, X509_ALGOR *encalg = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; int ivlen; - const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms); + const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms); - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); if (ec == NULL) return NULL; ris = CMS_get0_RecipientInfos(cms); @@ -93,7 +93,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { - if (RAND_bytes_ex(cms_ctx_get0_libctx(cms_ctx), iv, ivlen) <= 0) + if (RAND_bytes_ex(ossl_cms_ctx_get0_libctx(cms_ctx), iv, ivlen) <= 0) goto err; if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) { ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB); @@ -262,7 +262,7 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen, memcpy(out + 4, in, inlen); /* Add random padding to end */ if (olen > inlen + 4 - && RAND_bytes_ex(cms_ctx_get0_libctx(cms_ctx), out + 4 + inlen, + && RAND_bytes_ex(ossl_cms_ctx_get0_libctx(cms_ctx), out + 4 + inlen, olen - 4 - inlen) <= 0) return 0; /* Encrypt twice */ @@ -278,8 +278,8 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen, /* Encrypt/Decrypt content key in PWRI recipient info */ -int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, - CMS_RecipientInfo *ri, int en_de) +int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, + CMS_RecipientInfo *ri, int en_de) { CMS_EncryptedContentInfo *ec; CMS_PasswordRecipientInfo *pwri; @@ -290,9 +290,9 @@ int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, EVP_CIPHER *kekcipher; unsigned char *key = NULL; size_t keylen; - const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms); + const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms); - ec = cms_get0_env_enc_content(cms); + ec = ossl_cms_get0_env_enc_content(cms); pwri = ri->d.pwri; @@ -316,8 +316,8 @@ int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, } name = OBJ_nid2sn(OBJ_obj2nid(kekalg->algorithm)); - kekcipher = EVP_CIPHER_fetch(cms_ctx_get0_libctx(cms_ctx), name, - cms_ctx_get0_propq(cms_ctx)); + kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx), name, + ossl_cms_ctx_get0_propq(cms_ctx)); if (kekcipher == NULL) { ERR_raise(ERR_LIB_CMS, CMS_R_UNKNOWN_CIPHER); diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c index 92619fcdd1..f9e9bffe21 100644 --- a/crypto/cms/cms_rsa.c +++ b/crypto/cms/cms_rsa.c @@ -172,7 +172,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri) return rv; } -int cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt) +int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt) { assert(decrypt == 0 || decrypt == 1); @@ -238,7 +238,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si) return 0; } -int cms_rsa_sign(CMS_SignerInfo *si, int verify) +int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify) { assert(verify == 0 || verify == 1); diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index b0519f3894..cc980d4e58 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -175,17 +175,17 @@ static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si) return 0; } -int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type, - const CMS_CTX *ctx) +int ossl_cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, + int type, const CMS_CTX *ctx) { switch (type) { case CMS_SIGNERINFO_ISSUER_SERIAL: - if (!cms_set1_ias(&sid->d.issuerAndSerialNumber, cert)) + if (!ossl_cms_set1_ias(&sid->d.issuerAndSerialNumber, cert)) return 0; break; case CMS_SIGNERINFO_KEYIDENTIFIER: - if (!cms_set1_keyid(&sid->d.subjectKeyIdentifier, cert)) + if (!ossl_cms_set1_keyid(&sid->d.subjectKeyIdentifier, cert)) return 0; break; @@ -199,10 +199,10 @@ int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type, return 1; } -int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, - ASN1_OCTET_STRING **keyid, - X509_NAME **issuer, - ASN1_INTEGER **sno) +int ossl_cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, + ASN1_OCTET_STRING **keyid, + X509_NAME **issuer, + ASN1_INTEGER **sno) { if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) { if (issuer) @@ -217,12 +217,12 @@ int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, return 1; } -int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert) +int ossl_cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert) { if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) - return cms_ias_cert_cmp(sid->d.issuerAndSerialNumber, cert); + return ossl_cms_ias_cert_cmp(sid->d.issuerAndSerialNumber, cert); else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) - return cms_keyid_cert_cmp(sid->d.subjectKeyIdentifier, cert); + return ossl_cms_keyid_cert_cmp(sid->d.subjectKeyIdentifier, cert); else return -1; } @@ -233,9 +233,9 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) int i; if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC")) - return cms_ecdsa_dsa_sign(si, cmd); + return ossl_cms_ecdsa_dsa_sign(si, cmd); else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS")) - return cms_rsa_sign(si, cmd); + return ossl_cms_rsa_sign(si, cmd); /* Something else? We'll give engines etc a chance to handle this */ if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) @@ -260,7 +260,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, CMS_SignerInfo *si = NULL; X509_ALGOR *alg; int i, type; - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); if (!X509_check_private_key(signer, pk)) { ERR_raise(ERR_LIB_CMS, CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); @@ -299,7 +299,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, si->version = 1; } - if (!cms_set1_SignerIdentifier(si->sid, signer, type, ctx)) + if (!ossl_cms_set1_SignerIdentifier(si->sid, signer, type, ctx)) goto err; if (md == NULL) { @@ -373,16 +373,16 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, int add_sc; if (md == EVP_sha1() || md == NULL) { - if ((sc = ESS_SIGNING_CERT_new_init(signer, - NULL, 1)) == NULL) + if ((sc = ossl_ess_signing_cert_new_init(signer, + NULL, 1)) == NULL) goto err; - add_sc = cms_add1_signing_cert(si, sc); + add_sc = ossl_cms_add1_signing_cert(si, sc); ESS_SIGNING_CERT_free(sc); } else { - if ((sc2 = ESS_SIGNING_CERT_V2_new_init(md, signer, - NULL, 1)) == NULL) + if ((sc2 = ossl_ess_signing_cert_v2_new_init(md, signer, + NULL, 1)) == NULL) goto err; - add_sc = cms_add1_signing_cert_v2(si, sc2); + add_sc = ossl_cms_add1_signing_cert_v2(si, sc2); ESS_SIGNING_CERT_V2_free(sc2); } if (!add_sc) @@ -407,9 +407,9 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, if (flags & CMS_KEY_PARAM) { if (flags & CMS_NOATTR) { - si->pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), + si->pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx), si->pkey, - cms_ctx_get0_propq(ctx)); + ossl_cms_ctx_get0_propq(ctx)); if (si->pctx == NULL) goto err; if (EVP_PKEY_sign_init(si->pctx) <= 0) @@ -417,8 +417,9 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0) goto err; } else if (EVP_DigestSignInit_ex(si->mctx, &si->pctx, EVP_MD_name(md), - cms_ctx_get0_libctx(ctx), - cms_ctx_get0_propq(ctx), pk) <= 0) { + ossl_cms_ctx_get0_libctx(ctx), + ossl_cms_ctx_get0_propq(ctx), + pk) <= 0) { goto err; } } @@ -438,12 +439,12 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, } -void cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms) +void ossl_cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms) { int i; CMS_SignerInfo *si; STACK_OF(CMS_SignerInfo) *sinfos = CMS_get0_SignerInfos(cms); - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { si = sk_CMS_SignerInfo_value(sinfos, i); @@ -534,12 +535,12 @@ int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno) { - return cms_SignerIdentifier_get0_signer_id(si->sid, keyid, issuer, sno); + return ossl_cms_SignerIdentifier_get0_signer_id(si->sid, keyid, issuer, sno); } int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert) { - return cms_SignerIdentifier_cert_cmp(si->sid, cert); + return ossl_cms_SignerIdentifier_cert_cmp(si->sid, cert); } int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts, @@ -614,7 +615,7 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, EVP_MD_CTX *mctx = EVP_MD_CTX_new(); int r = 0; EVP_PKEY_CTX *pctx = NULL; - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); if (mctx == NULL) { ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); @@ -626,7 +627,7 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, goto err; } - if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) + if (!ossl_cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) goto err; /* Set SignerInfo algorithm details if we used custom parameter */ if (si->pctx && !cms_sd_asn1_ctrl(si, 0)) @@ -681,8 +682,8 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, goto err; } if (!EVP_SignFinal_ex(mctx, sig, &siglen, si->pkey, - cms_ctx_get0_libctx(ctx), - cms_ctx_get0_propq(ctx))) { + ossl_cms_ctx_get0_libctx(ctx), + ossl_cms_ctx_get0_propq(ctx))) { ERR_raise(ERR_LIB_CMS, CMS_R_SIGNFINAL_ERROR); OPENSSL_free(sig); goto err; @@ -699,7 +700,7 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, } -int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain) +int ossl_cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain) { STACK_OF(CMS_SignerInfo) *sinfos; CMS_SignerInfo *si; @@ -740,8 +741,9 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) pctx = si->pctx; else { EVP_MD_CTX_reset(mctx); - if (EVP_DigestSignInit_ex(mctx, &pctx, md_name, cms_ctx_get0_libctx(ctx), - cms_ctx_get0_propq(ctx), si->pkey) <= 0) + if (EVP_DigestSignInit_ex(mctx, &pctx, md_name, + ossl_cms_ctx_get0_libctx(ctx), + ossl_cms_ctx_get0_propq(ctx), si->pkey) <= 0) goto err; si->pctx = pctx; } @@ -818,8 +820,8 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si) const EVP_MD *md; EVP_MD *fetched_md = NULL; const CMS_CTX *ctx = si->cms_ctx; - OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); - const char *propq = cms_ctx_get0_propq(ctx); + OSSL_LIB_CTX *libctx = ossl_cms_ctx_get0_libctx(ctx); + const char *propq = ossl_cms_ctx_get0_propq(ctx); if (si->pkey == NULL) { ERR_raise(ERR_LIB_CMS, CMS_R_NO_PUBLIC_KEY); @@ -879,7 +881,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si) /* Create a chain of digest BIOs from a CMS ContentInfo */ -BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms) +BIO *ossl_cms_SignedData_init_bio(CMS_ContentInfo *cms) { int i; CMS_SignedData *sd; @@ -895,7 +897,8 @@ BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms) BIO *mdbio; digestAlgorithm = sk_X509_ALGOR_value(sd->digestAlgorithms, i); - mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm, cms_get0_cmsctx(cms)); + mdbio = ossl_cms_DigestAlgorithm_init_bio(digestAlgorithm, + ossl_cms_get0_cmsctx(cms)); if (mdbio == NULL) goto err; if (chain != NULL) @@ -933,7 +936,7 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) } } - if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) + if (!ossl_cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) goto err; if (EVP_DigestFinal_ex(mctx, mval, &mlen) <= 0) { @@ -958,8 +961,9 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) const EVP_MD *md = EVP_MD_CTX_md(mctx); const CMS_CTX *ctx = si->cms_ctx; - pkctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), si->pkey, - cms_ctx_get0_propq(ctx)); + pkctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx), + si->pkey, + ossl_cms_ctx_get0_propq(ctx)); if (pkctx == NULL) goto err; if (EVP_PKEY_verify_init(pkctx) <= 0) diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 3967988932..ac4ad2d490 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -121,7 +121,7 @@ int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags) CMS_ContentInfo *CMS_data_create_ex(BIO *in, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq) { - CMS_ContentInfo *cms = cms_Data_create(libctx, propq); + CMS_ContentInfo *cms = ossl_cms_Data_create(libctx, propq); if (cms == NULL) return NULL; @@ -158,7 +158,7 @@ int CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out, r = cms_copy_content(out, cont, flags); if (r) - r = cms_DigestedData_do_final(cms, cont, 1); + r = ossl_cms_DigestedData_do_final(cms, cont, 1); do_free_upto(cont, dcont); return r; } @@ -171,7 +171,7 @@ CMS_ContentInfo *CMS_digest_create_ex(BIO *in, const EVP_MD *md, if (md == NULL) md = EVP_sha1(); - cms = cms_DigestedData_create(md, ctx, propq); + cms = ossl_cms_DigestedData_create(md, ctx, propq); if (cms == NULL) return NULL; @@ -264,8 +264,8 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si, X509 *signer; int i, j, r = 0; - ctx = X509_STORE_CTX_new_ex(cms_ctx_get0_libctx(cms_ctx), - cms_ctx_get0_propq(cms_ctx)); + ctx = X509_STORE_CTX_new_ex(ossl_cms_ctx_get0_libctx(cms_ctx), + ossl_cms_ctx_get0_propq(cms_ctx)); if (ctx == NULL) { ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); goto err; @@ -309,7 +309,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, int i, scount = 0, ret = 0; BIO *cmsbio = NULL, *tmpin = NULL, *tmpout = NULL; int cadesVerify = (flags & CMS_CADES) != 0; - const CMS_CTX *ctx = cms_get0_cmsctx(cms); + const CMS_CTX *ctx = ossl_cms_get0_cmsctx(cms); if (dcont == NULL && !check_content(cms)) return 0; @@ -381,7 +381,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, if (cadesVerify) { STACK_OF(X509) *si_chain = si_chains ? si_chains[i] : NULL; - if (ess_check_signing_certs(si, si_chain) <= 0) + if (ossl_ess_check_signing_certs(si, si_chain) <= 0) goto err; } } @@ -493,7 +493,7 @@ int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, r = CMS_verify(rcms, certs, store, NULL, NULL, flags); if (r <= 0) return r; - return cms_Receipt_verify(rcms, ocms); + return ossl_cms_Receipt_verify(rcms, ocms); } CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey, @@ -568,8 +568,9 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, /* Initialize signed data */ - cms = CMS_sign_ex(NULL, NULL, certs, NULL, flags, cms_ctx_get0_libctx(ctx), - cms_ctx_get0_propq(ctx)); + cms = CMS_sign_ex(NULL, NULL, certs, NULL, flags, + ossl_cms_ctx_get0_libctx(ctx), + ossl_cms_ctx_get0_propq(ctx)); if (cms == NULL) goto err; @@ -583,7 +584,7 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, goto err; } - os = cms_encode_Receipt(si); + os = ossl_cms_encode_Receipt(si); if (os == NULL) goto err; @@ -594,7 +595,7 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, /* Add msgSigDigest attribute */ - if (!cms_msgSigDigest_add1(rct_si, si)) + if (!ossl_cms_msgSigDigest_add1(rct_si, si)) goto err; /* Finalize structure */ @@ -700,9 +701,9 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, ris = CMS_get0_RecipientInfos(cms); if (ris != NULL) - debug = cms_get0_env_enc_content(cms)->debug; + debug = ossl_cms_get0_env_enc_content(cms)->debug; - cms_pkey_ri_type = cms_pkey_get_ri_type(pk); + cms_pkey_ri_type = ossl_cms_pkey_get_ri_type(pk); if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) { ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); return 0; @@ -713,7 +714,7 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, ri = sk_CMS_RecipientInfo_value(ris, i); ri_type = CMS_RecipientInfo_type(ri); - if (!cms_pkey_is_ri_type_supported(pk, ri_type)) + if (!ossl_cms_pkey_is_ri_type_supported(pk, ri_type)) continue; match_ri = 1; if (ri_type == CMS_RECIPINFO_AGREE) { @@ -846,13 +847,13 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, if (dcont == NULL && !check_content(cms)) return 0; if (flags & CMS_DEBUG_DECRYPT) - cms_get0_env_enc_content(cms)->debug = 1; + ossl_cms_get0_env_enc_content(cms)->debug = 1; else - cms_get0_env_enc_content(cms)->debug = 0; + ossl_cms_get0_env_enc_content(cms)->debug = 0; if (cert == NULL) - cms_get0_env_enc_content(cms)->havenocert = 1; + ossl_cms_get0_env_enc_content(cms)->havenocert = 1; else - cms_get0_env_enc_content(cms)->havenocert = 0; + ossl_cms_get0_env_enc_content(cms)->havenocert = 0; if (pk == NULL && cert == NULL && dcont == NULL && out == NULL) return 1; if (pk != NULL && !CMS_decrypt_set1_pkey(cms, pk, cert)) @@ -920,7 +921,7 @@ CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags) if (comp_nid <= 0) comp_nid = NID_zlib_compression; - cms = cms_CompressedData_create(comp_nid, NULL, NULL); + cms = ossl_cms_CompressedData_create(comp_nid, NULL, NULL); if (cms == NULL) return NULL; diff --git a/crypto/ess/ess_asn1.c b/crypto/ess/ess_asn1.c index a8d13a3a20..37bac4e707 100644 --- a/crypto/ess/ess_asn1.c +++ b/crypto/ess/ess_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -65,8 +65,8 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) * Returns < 0 if attribute is not found, 1 if found, or * -1 on attribute parsing failure. */ -int cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, - ESS_SIGNING_CERT_V2 **psc) +int ossl_cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, + ESS_SIGNING_CERT_V2 **psc) { ASN1_STRING *str; ESS_SIGNING_CERT_V2 *sc; @@ -92,8 +92,8 @@ int cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, * Returns < 0 if attribute is not found, 1 if found, or * -1 on attribute parsing failure. */ -int cms_signerinfo_get_signing_cert(CMS_SignerInfo *si, - ESS_SIGNING_CERT **psc) +int ossl_cms_signerinfo_get_signing_cert(CMS_SignerInfo *si, + ESS_SIGNING_CERT **psc) { ASN1_STRING *str; ESS_SIGNING_CERT *sc; diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c index 1301c9ed85..46004cc8da 100644 --- a/crypto/ess/ess_lib.c +++ b/crypto/ess/ess_lib.c @@ -18,9 +18,9 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed); static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, X509 *cert, int issuer_needed); -ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, - STACK_OF(X509) *certs, - int issuer_needed) +ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed) { ESS_CERT_ID *cid = NULL; ESS_SIGNING_CERT *sc; @@ -96,10 +96,10 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) return NULL; } -ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new_init(const EVP_MD *hash_alg, - X509 *signcert, - STACK_OF(X509) *certs, - int issuer_needed) +ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, + X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed) { ESS_CERT_ID_V2 *cid = NULL; ESS_SIGNING_CERT_V2 *sc; @@ -192,7 +192,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, return NULL; } -ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si) +ESS_SIGNING_CERT *ossl_ess_signing_cert_get(PKCS7_SIGNER_INFO *si) { ASN1_TYPE *attr; const unsigned char *p; @@ -204,7 +204,7 @@ ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si) return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); } -ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_get(PKCS7_SIGNER_INFO *si) +ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_get(PKCS7_SIGNER_INFO *si) { ASN1_TYPE *attr; const unsigned char *p; @@ -216,7 +216,7 @@ ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_get(PKCS7_SIGNER_INFO *si) return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); } -int ESS_SIGNING_CERT_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) +int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) { ASN1_STRING *seq = NULL; unsigned char *p, *pp = NULL; @@ -245,8 +245,7 @@ int ESS_SIGNING_CERT_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) return 0; } -int ESS_SIGNING_CERT_V2_add(PKCS7_SIGNER_INFO *si, - ESS_SIGNING_CERT_V2 *sc) +int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc) { ASN1_STRING *seq = NULL; unsigned char *p, *pp = NULL; @@ -291,7 +290,7 @@ static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert) } /* Returns < 0 if certificate is not found, certificate index otherwise. */ -int ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) +int ossl_ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) { int i; unsigned char cert_sha1[SHA_DIGEST_LENGTH]; @@ -324,7 +323,8 @@ int ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) } /* Returns < 0 if certificate is not found, certificate index otherwise. */ -int ess_find_cert_v2(const STACK_OF(ESS_CERT_ID_V2) *cert_ids, const X509 *cert) +int ossl_ess_find_cert_v2(const STACK_OF(ESS_CERT_ID_V2) *cert_ids, + const X509 *cert) { int i; unsigned char cert_digest[EVP_MAX_MD_SIZE]; diff --git a/crypto/pkcs7/pk7_asn1.c b/crypto/pkcs7/pk7_asn1.c index 3d6e524248..60ad5b1e76 100644 --- a/crypto/pkcs7/pk7_asn1.c +++ b/crypto/pkcs7/pk7_asn1.c @@ -69,7 +69,7 @@ PKCS7 *d2i_PKCS7(PKCS7 **a, const unsigned char **in, long len) ret = (PKCS7 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (PKCS7_it())); if (ret != NULL) - pkcs7_resolve_libctx(ret); + ossl_pkcs7_resolve_libctx(ret); return ret; } diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index a979544aeb..ab23100f49 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -69,8 +69,8 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg, name = OBJ_nid2sn(OBJ_obj2nid(alg->algorithm)); (void)ERR_set_mark(); - fetched = EVP_MD_fetch(pkcs7_ctx_get0_libctx(ctx), name, - pkcs7_ctx_get0_propq(ctx)); + fetched = EVP_MD_fetch(ossl_pkcs7_ctx_get0_libctx(ctx), name, + ossl_pkcs7_ctx_get0_propq(ctx)); if (fetched != NULL) md = fetched; else @@ -114,8 +114,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, if (pkey == NULL) return 0; - pctx = EVP_PKEY_CTX_new_from_pkey(pkcs7_ctx_get0_libctx(ctx), pkey, - pkcs7_ctx_get0_propq(ctx)); + pctx = EVP_PKEY_CTX_new_from_pkey(ossl_pkcs7_ctx_get0_libctx(ctx), pkey, + ossl_pkcs7_ctx_get0_propq(ctx)); if (pctx == NULL) return 0; @@ -163,8 +163,8 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, int ret = -1; const PKCS7_CTX *ctx = ri->ctx; - pctx = EVP_PKEY_CTX_new_from_pkey(pkcs7_ctx_get0_libctx(ctx), pkey, - pkcs7_ctx_get0_propq(ctx)); + pctx = EVP_PKEY_CTX_new_from_pkey(ossl_pkcs7_ctx_get0_libctx(ctx), pkey, + ossl_pkcs7_ctx_get0_propq(ctx)); if (pctx == NULL) return -1; @@ -232,9 +232,9 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER); return NULL; } - p7_ctx = pkcs7_get0_ctx(p7); - libctx = pkcs7_ctx_get0_libctx(p7_ctx); - propq = pkcs7_ctx_get0_propq(p7_ctx); + p7_ctx = ossl_pkcs7_get0_ctx(p7); + libctx = ossl_pkcs7_ctx_get0_libctx(p7_ctx); + propq = ossl_pkcs7_ctx_get0_propq(p7_ctx); /* * The content field in the PKCS7 ContentInfo is optional, but that really @@ -426,9 +426,9 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) return NULL; } - p7_ctx = pkcs7_get0_ctx(p7); - libctx = pkcs7_ctx_get0_libctx(p7_ctx); - propq = pkcs7_ctx_get0_propq(p7_ctx); + p7_ctx = ossl_pkcs7_get0_ctx(p7); + libctx = ossl_pkcs7_ctx_get0_libctx(p7_ctx); + propq = ossl_pkcs7_ctx_get0_propq(p7_ctx); if (p7->d.ptr == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_CONTENT); @@ -744,7 +744,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) return 0; } - p7_ctx = pkcs7_get0_ctx(p7); + p7_ctx = ossl_pkcs7_get0_ctx(p7); if (p7->d.ptr == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_CONTENT); @@ -854,8 +854,8 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) goto err; if (!EVP_SignFinal_ex(ctx_tmp, abuf, &abuflen, si->pkey, - pkcs7_ctx_get0_libctx(p7_ctx), - pkcs7_ctx_get0_propq(p7_ctx))) { + ossl_pkcs7_ctx_get0_libctx(p7_ctx), + ossl_pkcs7_ctx_get0_propq(p7_ctx))) { OPENSSL_free(abuf); ERR_raise(ERR_LIB_PKCS7, ERR_R_EVP_LIB); goto err; @@ -927,8 +927,8 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) } if (EVP_DigestSignInit_ex(mctx, &pctx, EVP_MD_name(md), - pkcs7_ctx_get0_libctx(ctx), - pkcs7_ctx_get0_propq(ctx), si->pkey) <= 0) + ossl_pkcs7_ctx_get0_libctx(ctx), + ossl_pkcs7_ctx_get0_propq(ctx), si->pkey) <= 0) goto err; /* @@ -1073,9 +1073,9 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, STACK_OF(X509_ATTRIBUTE) *sk; BIO *btmp; EVP_PKEY *pkey; - const PKCS7_CTX *ctx = pkcs7_get0_ctx(p7); - OSSL_LIB_CTX *libctx = pkcs7_ctx_get0_libctx(ctx); - const char *propq = pkcs7_ctx_get0_propq(ctx); + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx); + const char *propq = ossl_pkcs7_ctx_get0_propq(ctx); mdc_tmp = EVP_MD_CTX_new(); if (mdc_tmp == NULL) { diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 95aab3368a..39e1c983e8 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -233,7 +233,7 @@ int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi) } } - psi->ctx = pkcs7_get0_ctx(p7); + psi->ctx = ossl_pkcs7_get0_ctx(p7); if (!sk_PKCS7_SIGNER_INFO_push(signer_sk, psi)) return 0; return 1; @@ -425,12 +425,12 @@ static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7) * Set up the library context into any loaded structure that needs it. * i.e loaded X509 objects. */ -void pkcs7_resolve_libctx(PKCS7 *p7) +void ossl_pkcs7_resolve_libctx(PKCS7 *p7) { int i; - const PKCS7_CTX *ctx = pkcs7_get0_ctx(p7); - OSSL_LIB_CTX *libctx = pkcs7_ctx_get0_libctx(ctx); - const char *propq = pkcs7_ctx_get0_propq(ctx); + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx); + const char *propq = ossl_pkcs7_ctx_get0_propq(ctx); STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7); STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7); STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7); @@ -455,16 +455,16 @@ void pkcs7_resolve_libctx(PKCS7 *p7) } } -const PKCS7_CTX *pkcs7_get0_ctx(const PKCS7 *p7) +const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7) { return p7 != NULL ? &p7->ctx : NULL; } -OSSL_LIB_CTX *pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx) +OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx) { return ctx != NULL ? ctx->libctx : NULL; } -const char *pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx) +const char *ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx) { return ctx != NULL ? ctx->propq : NULL; } @@ -524,7 +524,7 @@ PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509) goto err; if (!PKCS7_add_recipient_info(p7, ri)) goto err; - ri->ctx = pkcs7_get0_ctx(p7); + ri->ctx = ossl_pkcs7_get0_ctx(p7); return ri; err: PKCS7_RECIP_INFO_free(ri); @@ -656,7 +656,7 @@ int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher) } ec->cipher = cipher; - ec->ctx = pkcs7_get0_ctx(p7); + ec->ctx = ossl_pkcs7_get0_ctx(p7); return 1; } diff --git a/crypto/pkcs7/pk7_local.h b/crypto/pkcs7/pk7_local.h index 5db0127e1d..77c6fbcf26 100644 --- a/crypto/pkcs7/pk7_local.h +++ b/crypto/pkcs7/pk7_local.h @@ -9,6 +9,6 @@ #include "crypto/pkcs7.h" -const PKCS7_CTX *pkcs7_get0_ctx(const PKCS7 *p7); -OSSL_LIB_CTX *pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx); -const char *pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx); +const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7); +OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx); +const char *ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx); diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c index 98f9e2483a..e191e4e3b8 100644 --- a/crypto/pkcs7/pk7_mime.c +++ b/crypto/pkcs7/pk7_mime.c @@ -31,7 +31,7 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) { STACK_OF(X509_ALGOR) *mdalgs; int ctype_nid = OBJ_obj2nid(p7->type); - const PKCS7_CTX *ctx = pkcs7_get0_ctx(p7); + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); if (ctype_nid == NID_pkcs7_signed) mdalgs = p7->d.sign->md_algs; @@ -42,8 +42,8 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) return SMIME_write_ASN1_ex(bio, (ASN1_VALUE *)p7, data, flags, ctype_nid, NID_undef, mdalgs, ASN1_ITEM_rptr(PKCS7), - pkcs7_ctx_get0_libctx(ctx), - pkcs7_ctx_get0_propq(ctx)); + ossl_pkcs7_ctx_get0_libctx(ctx), + ossl_pkcs7_ctx_get0_propq(ctx)); } PKCS7 *SMIME_read_PKCS7_ex(BIO *bio, BIO **bcont, PKCS7 **p7) @@ -53,7 +53,7 @@ PKCS7 *SMIME_read_PKCS7_ex(BIO *bio, BIO **bcont, PKCS7 **p7) ret = (PKCS7 *)SMIME_read_ASN1_ex(bio, bcont, ASN1_ITEM_rptr(PKCS7), (ASN1_VALUE **)p7); if (ret != NULL) - pkcs7_resolve_libctx(ret); + ossl_pkcs7_resolve_libctx(ret); return ret; } diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index f6853513e0..8bc83bc9f4 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -131,7 +131,7 @@ PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, return NULL; } - si->ctx = pkcs7_get0_ctx(p7); + si->ctx = ossl_pkcs7_get0_ctx(p7); if (!(flags & PKCS7_NOCERTS)) { if (!PKCS7_add_certificate(p7, signcert)) goto err; @@ -265,9 +265,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, return 0; /* Now verify the certificates */ - p7_ctx = pkcs7_get0_ctx(p7); - cert_ctx = X509_STORE_CTX_new_ex(pkcs7_ctx_get0_libctx(p7_ctx), - pkcs7_ctx_get0_propq(p7_ctx)); + p7_ctx = ossl_pkcs7_get0_ctx(p7); + cert_ctx = X509_STORE_CTX_new_ex(ossl_pkcs7_ctx_get0_libctx(p7_ctx), + ossl_pkcs7_ctx_get0_propq(p7_ctx)); if (cert_ctx == NULL) goto err; if (!(flags & PKCS7_NOVERIFY)) diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 313b37ed06..0bbe0e2b6c 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -664,20 +664,21 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; if (ctx->ess_cert_id_digest == NULL || ctx->ess_cert_id_digest == EVP_sha1()) { - if ((sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs, 0)) == NULL) + if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert, + certs, 0)) == NULL) goto err; - if (!ESS_SIGNING_CERT_add(si, sc)) { + if (!ossl_ess_signing_cert_add(si, sc)) { ERR_raise(ERR_LIB_TS, TS_R_ESS_ADD_SIGNING_CERT_ERROR); goto err; } } else { - sc2 = ESS_SIGNING_CERT_V2_new_init(ctx->ess_cert_id_digest, - ctx->signer_cert, certs, 0); + sc2 = ossl_ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest, + ctx->signer_cert, certs, 0); if (sc2 == NULL) goto err; - if (!ESS_SIGNING_CERT_V2_add(si, sc2)) { + if (!ossl_ess_signing_cert_v2_add(si, sc2)) { ERR_raise(ERR_LIB_TS, TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR); goto err; } diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 8e097a3336..bba335a684 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -197,9 +197,9 @@ end: static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain) { - ESS_SIGNING_CERT *ss = ESS_SIGNING_CERT_get(si); + ESS_SIGNING_CERT *ss = ossl_ess_signing_cert_get(si); STACK_OF(ESS_CERT_ID) *cert_ids = NULL; - ESS_SIGNING_CERT_V2 *ssv2 = ESS_SIGNING_CERT_V2_get(si); + ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_signing_cert_v2_get(si); STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL; X509 *cert; int i = 0; @@ -208,7 +208,7 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, if (ss != NULL) { cert_ids = ss->cert_ids; cert = sk_X509_value(chain, 0); - if (ess_find_cert(cert_ids, cert) != 0) + if (ossl_ess_find_cert(cert_ids, cert) != 0) goto err; /* @@ -218,14 +218,14 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, if (sk_ESS_CERT_ID_num(cert_ids) > 1) { for (i = 1; i < sk_X509_num(chain); ++i) { cert = sk_X509_value(chain, i); - if (ess_find_cert(cert_ids, cert) < 0) + if (ossl_ess_find_cert(cert_ids, cert) < 0) goto err; } } } else if (ssv2 != NULL) { cert_ids_v2 = ssv2->cert_ids; cert = sk_X509_value(chain, 0); - if (ess_find_cert_v2(cert_ids_v2, cert) != 0) + if (ossl_ess_find_cert_v2(cert_ids_v2, cert) != 0) goto err; /* @@ -235,7 +235,7 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) { for (i = 1; i < sk_X509_num(chain); ++i) { cert = sk_X509_value(chain, i); - if (ess_find_cert_v2(cert_ids_v2, cert) < 0) + if (ossl_ess_find_cert_v2(cert_ids_v2, cert) < 0) goto err; } } diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 0894d3a736..d80e50219e 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -179,7 +179,7 @@ PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7) ret = ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7); if (ret != NULL) - pkcs7_resolve_libctx(ret); + ossl_pkcs7_resolve_libctx(ret); return ret; } @@ -195,7 +195,7 @@ PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7) ret = ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7); if (ret != NULL) - pkcs7_resolve_libctx(ret); + ossl_pkcs7_resolve_libctx(ret); return ret; } diff --git a/include/crypto/cms.h b/include/crypto/cms.h index f98f3cfbea..f1cf6bd6bf 100644 --- a/include/crypto/cms.h +++ b/include/crypto/cms.h @@ -15,13 +15,13 @@ /* internal CMS-ESS related stuff */ -int cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc); -int cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc); +int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc); +int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc); -int cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, - ESS_SIGNING_CERT_V2 **psc); -int cms_signerinfo_get_signing_cert(CMS_SignerInfo *si, - ESS_SIGNING_CERT **psc); +int ossl_cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, + ESS_SIGNING_CERT_V2 **psc); +int ossl_cms_signerinfo_get_signing_cert(CMS_SignerInfo *si, + ESS_SIGNING_CERT **psc); # endif /* OPENSSL_NO_CMS */ #endif diff --git a/include/crypto/ess.h b/include/crypto/ess.h index c13cd64222..5abd229869 100644 --- a/include/crypto/ess.h +++ b/include/crypto/ess.h @@ -13,24 +13,25 @@ /* internal ESS related stuff */ -ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si); -int ESS_SIGNING_CERT_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); +ESS_SIGNING_CERT *ossl_ess_signing_cert_get(PKCS7_SIGNER_INFO *si); +int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); -ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, - STACK_OF(X509) *certs, - int issuer_needed); +ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed); -ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_get(PKCS7_SIGNER_INFO *si); -int ESS_SIGNING_CERT_V2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc); +ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_get(PKCS7_SIGNER_INFO *si); +int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc); -ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new_init(const EVP_MD *hash_alg, - X509 *signcert, - STACK_OF(X509) *certs, - int issuer_needed); +ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, + X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed); /* Returns < 0 if certificate is not found, certificate index otherwise. */ -int ess_find_cert_v2(const STACK_OF(ESS_CERT_ID_V2) *cert_ids, const X509 *cert); -int ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); +int ossl_ess_find_cert_v2(const STACK_OF(ESS_CERT_ID_V2) *cert_ids, + const X509 *cert); +int ossl_ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); /*- * IssuerSerial ::= SEQUENCE { diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 847866987e..c63246c663 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -11,6 +11,6 @@ # define OSSL_CRYPTO_PKCS7_H # pragma once -void pkcs7_resolve_libctx(PKCS7 *p7); +void ossl_pkcs7_resolve_libctx(PKCS7 *p7); #endif diff --git a/include/openssl/symhacks.h b/include/openssl/symhacks.h index d3eacc293f..b2ae379525 100644 --- a/include/openssl/symhacks.h +++ b/include/openssl/symhacks.h @@ -34,10 +34,6 @@ # undef i2d_ECPKPARAMETERS # define i2d_ECPKPARAMETERS i2d_UC_ECPKPARAMETERS -/* This one clashes with CMS_data_create */ -# undef cms_Data_create -# define cms_Data_create priv_cms_Data_create - # endif #endif /* ! defined HEADER_VMS_IDHACKS_H */ From shane.lontis at oracle.com Mon Feb 22 03:40:16 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Mon, 22 Feb 2021 03:40:16 +0000 Subject: [openssl] master update Message-ID: <1613965216.378215.16200.nullmailer@dev.openssl.org> The branch master has been updated via 4718326a46ad460fefc5cc240a8599af4b5993c7 (commit) from 681618cfc18b4f01f2c07e823308d30f6f47504b (commit) - Log ----------------------------------------------------------------- commit 4718326a46ad460fefc5cc240a8599af4b5993c7 Author: Shane Lontis Date: Wed Feb 17 13:00:34 2021 +1000 Add EVP_PKEY_public_check_quick. Adding the EVP_PKEY_param_check_quick() reminded me that there are also partial checks for public keys as part of SP800-56A for FFC (DH named safe prime groups) and ECC. The code was mainly already there and just needed to be plumbed into the validate methods. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14206) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_group_params.c | 11 +++++++++ crypto/ec/ec_key.c | 37 ++++++++++++++++++---------- crypto/evp/pmeth_check.c | 14 +++++++++-- doc/man3/EVP_PKEY_check.pod | 14 ++++++++--- include/crypto/dh.h | 1 + include/crypto/ec.h | 1 + include/openssl/evp.h | 1 + providers/implementations/keymgmt/dh_kmgmt.c | 13 +++++++--- providers/implementations/keymgmt/ec_kmgmt.c | 16 +++++++++--- util/libcrypto.num | 1 + 10 files changed, 84 insertions(+), 25 deletions(-) diff --git a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c index a752cf9a98..0f66d8969d 100644 --- a/crypto/dh/dh_group_params.c +++ b/crypto/dh/dh_group_params.c @@ -81,6 +81,17 @@ void dh_cache_named_group(DH *dh) } } +int ossl_dh_is_named_safe_prime_group(const DH *dh) +{ + int id = DH_get_nid(dh); + + /* + * Exclude RFC5114 groups (id = 1..3) since they do not have + * q = (p - 1) / 2 + */ + return (id > 3); +} + int DH_get_nid(const DH *dh) { if (dh == NULL) diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index ec0b6bda85..30c524726d 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -442,15 +442,11 @@ err: } /* - * ECC Key validation as specified in SP800-56A R3. - * Section 5.6.2.3.3 ECC Full Public-Key Validation. + * ECC Partial Public-Key Validation as specified in SP800-56A R3 + * Section 5.6.2.3.4 ECC Partial Public-Key Validation Routine. */ -int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) +int ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx) { - int ret = 0; - EC_POINT *point = NULL; - const BIGNUM *order = NULL; - if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER); return 0; @@ -462,21 +458,36 @@ int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) return 0; } - point = EC_POINT_new(eckey->group); - if (point == NULL) - return 0; - /* 5.6.2.3.3 (Step 2) Test if the public key is in range */ if (!ec_key_public_range_check(ctx, eckey)) { ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); - goto err; + return 0; } /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */ if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) { ERR_raise(ERR_LIB_EC, EC_R_POINT_IS_NOT_ON_CURVE); - goto err; + return 0; } + return 1; +} + +/* + * ECC Key validation as specified in SP800-56A R3. + * Section 5.6.2.3.3 ECC Full Public-Key Validation Routine. + */ +int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) +{ + int ret = 0; + EC_POINT *point = NULL; + const BIGNUM *order = NULL; + + if (!ec_key_public_check_quick(eckey, ctx)) + return 0; + + point = EC_POINT_new(eckey->group); + if (point == NULL) + return 0; order = eckey->group->order; if (BN_is_zero(order)) { diff --git a/crypto/evp/pmeth_check.c b/crypto/evp/pmeth_check.c index 61e6db655d..112965e794 100644 --- a/crypto/evp/pmeth_check.c +++ b/crypto/evp/pmeth_check.c @@ -42,7 +42,7 @@ static int try_provided_check(EVP_PKEY_CTX *ctx, int selection, int checktype) return evp_keymgmt_validate(keymgmt, keydata, selection, checktype); } -int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) +static int evp_pkey_public_check_combined(EVP_PKEY_CTX *ctx, int checktype) { EVP_PKEY *pkey = ctx->pkey; int ok; @@ -53,7 +53,7 @@ int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) } if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_PUBLIC_KEY, - OSSL_KEYMGMT_VALIDATE_FULL_CHECK)) != -1) + checktype)) != -1) return ok; if (pkey->type == EVP_PKEY_NONE) @@ -76,6 +76,16 @@ int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) return -2; } +int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) +{ + return evp_pkey_public_check_combined(ctx, OSSL_KEYMGMT_VALIDATE_FULL_CHECK); +} + +int EVP_PKEY_public_check_quick(EVP_PKEY_CTX *ctx) +{ + return evp_pkey_public_check_combined(ctx, OSSL_KEYMGMT_VALIDATE_QUICK_CHECK); +} + static int evp_pkey_param_check_combined(EVP_PKEY_CTX *ctx, int checktype) { EVP_PKEY *pkey = ctx->pkey; diff --git a/doc/man3/EVP_PKEY_check.pod b/doc/man3/EVP_PKEY_check.pod index b5d33a41e3..4f91f8f9a2 100644 --- a/doc/man3/EVP_PKEY_check.pod +++ b/doc/man3/EVP_PKEY_check.pod @@ -3,7 +3,8 @@ =head1 NAME EVP_PKEY_check, EVP_PKEY_param_check, EVP_PKEY_param_check_quick, -EVP_PKEY_public_check, EVP_PKEY_private_check, EVP_PKEY_pairwise_check +EVP_PKEY_public_check, EVP_PKEY_public_check_quick, EVP_PKEY_private_check, +EVP_PKEY_pairwise_check - key and parameter validation functions =head1 SYNOPSIS @@ -14,6 +15,7 @@ EVP_PKEY_public_check, EVP_PKEY_private_check, EVP_PKEY_pairwise_check int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_param_check_quick(EVP_PKEY_CTX *ctx); int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx); + int EVP_PKEY_public_check_quick(EVP_PKEY_CTX *ctx); int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx); @@ -30,6 +32,12 @@ provided then this function call does the same thing as EVP_PKEY_param_check(). EVP_PKEY_public_check() validates the public component of the key given by B. +EVP_PKEY_public_check_quick() validates the public component of the key +given by B like EVP_PKEY_public_check() does. However some algorithm +implementations may offer a quicker form of validation that omits some checks in +order to perform a lightweight sanity check of the key. If a quicker form is not +provided then this function call does the same thing as EVP_PKEY_public_check(). + EVP_PKEY_private_check() validates the private component of the key given by B. EVP_PKEY_pairwise_check() validates that the public and private components have @@ -60,8 +68,8 @@ L, EVP_PKEY_check(), EVP_PKEY_public_check() and EVP_PKEY_param_check() were added in OpenSSL 1.1.1. -EVP_PKEY_param_check_quick(), EVP_PKEY_private_check() and -EVP_PKEY_pairwise_check() were added in OpenSSL 3.0. +EVP_PKEY_param_check_quick(), EVP_PKEY_public_check_quick(), +EVP_PKEY_private_check() and EVP_PKEY_pairwise_check() were added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/include/crypto/dh.h b/include/crypto/dh.h index 5673bb7ad3..eca2a03056 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -28,6 +28,7 @@ int dh_get_named_group_uid_from_size(int pbits); const char *dh_gen_type_id2name(int id); int dh_gen_type_name2id(const char *name); void dh_cache_named_group(DH *dh); +int ossl_dh_is_named_safe_prime_group(const DH *dh); FFC_PARAMS *dh_get0_params(DH *dh); int dh_get0_nid(const DH *dh); diff --git a/include/crypto/ec.h b/include/crypto/ec.h index 682311b26d..347474a37b 100644 --- a/include/crypto/ec.h +++ b/include/crypto/ec.h @@ -60,6 +60,7 @@ int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const EVP_MD *md, OSSL_LIB_CTX *libctx, const char *propq); int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx); +int ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx); int ec_key_private_check(const EC_KEY *eckey); int ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx); OSSL_LIB_CTX *ec_key_get_libctx(const EC_KEY *eckey); diff --git a/include/openssl/evp.h b/include/openssl/evp.h index aeff6de4f7..bdce18c5ee 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1827,6 +1827,7 @@ int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); int EVP_PKEY_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx); +int EVP_PKEY_public_check_quick(EVP_PKEY_CTX *ctx); int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_param_check_quick(EVP_PKEY_CTX *ctx); int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx); diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 96886840f0..a967309644 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -345,14 +345,21 @@ static int dh_set_params(void *key, const OSSL_PARAM params[]) return 1; } -static int dh_validate_public(const DH *dh) +static int dh_validate_public(const DH *dh, int checktype) { const BIGNUM *pub_key = NULL; + int res = 0; DH_get0_key(dh, &pub_key, NULL); if (pub_key == NULL) return 0; - return DH_check_pub_key_ex(dh, pub_key); + + /* The partial test is only valid for named group's with q = (p - 1) / 2 */ + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK + && ossl_dh_is_named_safe_prime_group(dh)) + return dh_check_pub_key_partial(dh, pub_key, &res); + + return DH_check_pub_key(dh, pub_key, &res); } static int dh_validate_private(const DH *dh) @@ -390,7 +397,7 @@ static int dh_validate(const void *keydata, int selection, int checktype) } if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && dh_validate_public(dh); + ok = ok && dh_validate_public(dh, checktype); if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && dh_validate_private(dh); diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 33abdc8692..f612d8ed0e 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -852,8 +852,12 @@ int sm2_validate(const void *keydata, int selection, int checktype) if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && ec_key_public_check(eck, ctx); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + ok = ok && ec_key_public_check_quick(eck, ctx); + else + ok = ok && ec_key_public_check(eck, ctx); + } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && sm2_key_private_check(eck); @@ -894,8 +898,12 @@ int ec_validate(const void *keydata, int selection, int checktype) ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && ec_key_public_check(eck, ctx); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + ok = ok && ec_key_public_check_quick(eck, ctx); + else + ok = ok && ec_key_public_check(eck, ctx); + } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && ec_key_private_check(eck); diff --git a/util/libcrypto.num b/util/libcrypto.num index c2e5c75486..b602ee4978 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5299,3 +5299,4 @@ EVP_PKEY_get_params ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_fromdata_init ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_fromdata_settable ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_param_check_quick ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_public_check_quick ? 3_0_0 EXIST::FUNCTION: From no-reply at appveyor.com Mon Feb 22 03:53:22 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 22 Feb 2021 03:53:22 +0000 Subject: Build failed: openssl master.40096 Message-ID: <20210222035322.1.ACACD14837950D43@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Feb 22 05:10:58 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 22 Feb 2021 05:10:58 +0000 Subject: Build completed: openssl master.40097 Message-ID: <20210222051058.1.AB2713C2C4F101DD@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Mon Feb 22 07:50:46 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 22 Feb 2021 07:50:46 +0000 Subject: [openssl] master update Message-ID: <1613980246.358661.12188.nullmailer@dev.openssl.org> The branch master has been updated via 7f90026b3fca9cfd3d9098d358d949d37509a2e5 (commit) from 4718326a46ad460fefc5cc240a8599af4b5993c7 (commit) - Log ----------------------------------------------------------------- commit 7f90026b3fca9cfd3d9098d358d949d37509a2e5 Author: Dr. David von Oheimb Date: Thu Jan 21 12:36:58 2021 +0100 Handle NULL result of ERR_reason_error_string() in some apps Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13920) ----------------------------------------------------------------------- Summary of changes: apps/pkey.c | 11 ++--------- apps/pkeyparam.c | 10 ++-------- apps/rsa.c | 13 +++---------- crypto/bio/b_sock2.c | 2 +- crypto/cmp/cmp_util.c | 25 ++++++++++++++++++++----- test/cmp_ctx_test.c | 6 +++--- 6 files changed, 31 insertions(+), 36 deletions(-) diff --git a/apps/pkey.c b/apps/pkey.c index 1a53447401..5cf0abe04b 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -258,15 +258,8 @@ int pkey_main(int argc, char **argv) * Note: at least for RSA keys if this function returns * -1, there will be no error reasons. */ - unsigned long err; - - BIO_printf(out, "Key is invalid\n"); - - while ((err = ERR_peek_error()) != 0) { - BIO_printf(out, "Detailed error: %s\n", - ERR_reason_error_string(err)); - ERR_get_error(); /* remove err from error stack */ - } + BIO_printf(bio_err, "Key is invalid\n"); + ERR_print_errors(bio_err); goto end; } } diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index 42de552753..ef1a082d62 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -52,7 +52,6 @@ int pkeyparam_main(int argc, char **argv) int text = 0, noout = 0, ret = EXIT_FAILURE, check = 0, r; OPTION_CHOICE o; char *infile = NULL, *outfile = NULL, *prog; - unsigned long err; prog = opt_init(argc, argv, pkeyparam_options); while ((o = opt_next()) != OPT_EOF) { @@ -125,13 +124,8 @@ int pkeyparam_main(int argc, char **argv) * Note: at least for RSA keys if this function returns * -1, there will be no error reasons. */ - BIO_printf(out, "Parameters are invalid\n"); - - while ((err = ERR_peek_error()) != 0) { - BIO_printf(out, "Detailed error: %s\n", - ERR_reason_error_string(err)); - ERR_get_error(); /* remove err from error stack */ - } + BIO_printf(bio_err, "Parameters are invalid\n"); + ERR_print_errors(bio_err); goto end; } } diff --git a/apps/rsa.c b/apps/rsa.c index 499013bae4..251f84f210 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -259,7 +259,7 @@ int rsa_main(int argc, char **argv) pctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL); if (pctx == NULL) { - BIO_printf(out, "RSA unable to create PKEY context\n"); + BIO_printf(bio_err, "RSA unable to create PKEY context\n"); ERR_print_errors(bio_err); goto end; } @@ -269,15 +269,8 @@ int rsa_main(int argc, char **argv) if (r == 1) { BIO_printf(out, "RSA key ok\n"); } else if (r == 0) { - unsigned long err; - - while ((err = ERR_peek_error()) != 0 && - ERR_GET_LIB(err) == ERR_LIB_RSA && - ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE) { - BIO_printf(out, "RSA key error: %s\n", - ERR_reason_error_string(err)); - ERR_get_error(); /* remove err from error stack */ - } + BIO_printf(bio_err, "RSA key not ok\n"); + ERR_print_errors(bio_err); } else if (r == -1) { ERR_print_errors(bio_err); goto end; diff --git a/crypto/bio/b_sock2.c b/crypto/bio/b_sock2.c index c9f7c2cfe5..1817d9dd0f 100644 --- a/crypto/bio/b_sock2.c +++ b/crypto/bio/b_sock2.c @@ -175,7 +175,7 @@ int BIO_bind(int sock, const BIO_ADDR *addr, int options) # endif if (bind(sock, BIO_ADDR_sockaddr(addr), BIO_ADDR_sockaddr_size(addr)) != 0) { - ERR_raise_data(ERR_LIB_SYS, get_last_socket_error(), + ERR_raise_data(ERR_LIB_SYS, get_last_socket_error() /* may be 0 */, "calling bind()"); ERR_raise(ERR_LIB_BIO, BIO_R_UNABLE_TO_BIND_SOCKET); return 0; diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c index d246047943..81c7d02d88 100644 --- a/crypto/cmp/cmp_util.c +++ b/crypto/cmp/cmp_util.c @@ -155,12 +155,27 @@ void OSSL_CMP_print_errors_cb(OSSL_CMP_log_cb_t log_fn) while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) != 0) { const char *component = improve_location_name(func, ERR_lib_error_string(err)); + unsigned long reason = ERR_GET_REASON(err); + const char *rs = NULL; + char rsbuf[256]; + +#ifndef OPENSSL_NO_ERR + if (ERR_SYSTEM_ERROR(err)) { + if (openssl_strerror_r(reason, rsbuf, sizeof(rsbuf))) + rs = rsbuf; + } else { + rs = ERR_reason_error_string(err); + } +#endif + if (rs == NULL) { + BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)", reason); + rs = rsbuf; + } + if (data != NULL && (flags & ERR_TXT_STRING) != 0) + BIO_snprintf(msg, sizeof(msg), "%s:%s", rs, data); + else + BIO_snprintf(msg, sizeof(msg), "%s", rs); - if (!(flags & ERR_TXT_STRING)) - data = NULL; - BIO_snprintf(msg, sizeof(msg), "%s%s%s", ERR_reason_error_string(err), - data == NULL || *data == '\0' ? "" : " : ", - data == NULL ? "" : data); if (log_fn == NULL) { #ifndef OPENSSL_NO_STDIO BIO *bio = BIO_new_fp(stderr, BIO_NOCLOSE); diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c index 3ea3013abe..e841f029ce 100644 --- a/test/cmp_ctx_test.c +++ b/test/cmp_ctx_test.c @@ -158,8 +158,8 @@ static int execute_CTX_print_errors_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture) ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); base_err_msg_size += strlen("NULL_ARGUMENT"); expected_size = base_err_msg_size; - ossl_cmp_add_error_data("data1"); /* should prepend separator " : " */ - expected_size += strlen(" : " "data1"); + ossl_cmp_add_error_data("data1"); /* should prepend separator ":" */ + expected_size += strlen(":" "data1"); ossl_cmp_add_error_data("data2"); /* should prepend separator " : " */ expected_size += strlen(" : " "data2"); ossl_cmp_add_error_line("new line"); /* should prepend separator "\n" */ @@ -169,7 +169,7 @@ static int execute_CTX_print_errors_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture) res = 0; ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); - base_err_msg_size = strlen("INVALID_ARGS") + strlen(" : "); + base_err_msg_size = strlen("INVALID_ARGS") + strlen(":"); expected_size = base_err_msg_size; while (expected_size < 4096) { /* force split */ ERR_add_error_txt(STR_SEP, max_str_literal); From openssl at openssl.org Mon Feb 22 08:35:15 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 22 Feb 2021 08:35:15 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1613982915.835909.4088190.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=232, Tests=3166, 1149 wallclock secs (13.88 usr 1.41 sys + 1060.50 cusr 84.02 csys = 1159.81 CPU) Result: FAIL make[1]: *** [Makefile:3208: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3205: tests] Error 2 From tomas at openssl.org Mon Feb 22 11:31:11 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Mon, 22 Feb 2021 11:31:11 +0000 Subject: [openssl] master update Message-ID: <1613993471.296426.17975.nullmailer@dev.openssl.org> The branch master has been updated via 6ceaf67257bb33544867d0faa2d0c50ec862eba2 (commit) from 7f90026b3fca9cfd3d9098d358d949d37509a2e5 (commit) - Log ----------------------------------------------------------------- commit 6ceaf67257bb33544867d0faa2d0c50ec862eba2 Author: Petr Gotthard Date: Sun Jan 10 21:26:32 2021 +0100 Fix -pkeyopt handling in apps/pkeyutl -rawin The EVP_DigestSignInit and EVP_DigestVerifyInit actually have to be initialized before EVP_PKEY_CTX_ctrl_str is invoked. Otherwise, when the ctx not initialized, the ctrl command fails. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13828) ----------------------------------------------------------------------- Summary of changes: apps/pkeyutl.c | 75 ++++++++++++++++++++---------------------- test/recipes/20-test_pkeyutl.t | 10 +++++- 2 files changed, 44 insertions(+), 41 deletions(-) diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index f1c73b6368..f2efa1d5b8 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -24,7 +24,8 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, const char *keyfile, int keyform, int key_type, char *passinarg, int pkey_op, ENGINE *e, const int impl, int rawin, EVP_PKEY **ppkey, - OSSL_LIB_CTX *libctx); + EVP_MD_CTX *mctx, const char *digestname, + OSSL_LIB_CTX *libctx, const char *propq); static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, ENGINE *e); @@ -33,8 +34,8 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, unsigned char *out, size_t *poutlen, const unsigned char *in, size_t inlen); -static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx, - const EVP_MD *md, EVP_PKEY *pkey, BIO *in, +static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx, + EVP_PKEY *pkey, BIO *in, int filesize, unsigned char *sig, int siglen, unsigned char **out, size_t *poutlen); @@ -122,7 +123,7 @@ int pkeyutl_main(int argc, char **argv) STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL; int rawin = 0; - const EVP_MD *md = NULL; + EVP_MD_CTX *mctx = NULL; int filesize = -1; OSSL_LIB_CTX *libctx = app_get0_libctx(); @@ -255,10 +256,6 @@ int pkeyutl_main(int argc, char **argv) goto opthelp; app_RAND_load(); - if (digestname != NULL) { - if (!opt_md(digestname, &md)) - goto end; - } if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) { BIO_printf(bio_err, @@ -267,7 +264,7 @@ int pkeyutl_main(int argc, char **argv) goto opthelp; } - if (md != NULL && !rawin) { + if (digestname != NULL && !rawin) { BIO_printf(bio_err, "%s: -digest can only be used with -rawin\n", prog); @@ -295,9 +292,16 @@ int pkeyutl_main(int argc, char **argv) "%s: no peer key given (-peerkey parameter).\n", prog); goto opthelp; } + + if (rawin) { + if ((mctx = EVP_MD_CTX_new()) == NULL) { + BIO_printf(bio_err, "Error: out of memory\n"); + goto end; + } + } ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type, passinarg, pkey_op, e, engine_impl, rawin, &pkey, - libctx); + mctx, digestname, libctx, app_get0_propq()); if (ctx == NULL) { BIO_printf(bio_err, "%s: Error initializing context\n", prog); ERR_print_errors(bio_err); @@ -446,7 +450,7 @@ int pkeyutl_main(int argc, char **argv) if (pkey_op == EVP_PKEY_OP_VERIFY) { if (rawin) { - rv = do_raw_keyop(pkey_op, ctx, md, pkey, in, filesize, sig, siglen, + rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, sig, siglen, NULL, 0); } else { rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, @@ -466,7 +470,7 @@ int pkeyutl_main(int argc, char **argv) } else { if (rawin) { /* rawin allocates the buffer in do_raw_keyop() */ - rv = do_raw_keyop(pkey_op, ctx, md, pkey, in, filesize, NULL, 0, + rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0, &buf_out, (size_t *)&buf_outlen); } else { rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, @@ -500,6 +504,7 @@ int pkeyutl_main(int argc, char **argv) } end: + EVP_MD_CTX_free(mctx); EVP_PKEY_CTX_free(ctx); release_engine(e); BIO_free(in); @@ -517,8 +522,8 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, const char *keyfile, int keyform, int key_type, char *passinarg, int pkey_op, ENGINE *e, const int engine_impl, int rawin, - EVP_PKEY **ppkey, - OSSL_LIB_CTX *libctx) + EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname, + OSSL_LIB_CTX *libctx, const char *propq) { EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; @@ -578,7 +583,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, if (impl != NULL) ctx = EVP_PKEY_CTX_new_id(kdfnid, impl); else - ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, app_get0_propq()); + ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq); } else { if (pkey == NULL) goto end; @@ -587,7 +592,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, if (impl != NULL) ctx = EVP_PKEY_CTX_new(pkey, impl); else - ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, app_get0_propq()); + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); if (ppkey != NULL) *ppkey = pkey; EVP_PKEY_free(pkey); @@ -596,13 +601,19 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, if (ctx == NULL) goto end; - /* - * If rawin then we don't need to actually initialise the EVP_PKEY_CTX - * itself. That will get initialised during EVP_DigestSignInit or - * EVP_DigestVerifyInit. - */ if (rawin) { - rv = 1; + EVP_MD_CTX_set_pkey_ctx(mctx, ctx); + + switch (pkey_op) { + case EVP_PKEY_OP_SIGN: + rv = EVP_DigestSignInit_ex(mctx, NULL, digestname, libctx, propq, pkey); + break; + + case EVP_PKEY_OP_VERIFY: + rv = EVP_DigestVerifyInit_ex(mctx, NULL, digestname, libctx, propq, pkey); + break; + } + } else { switch (pkey_op) { case EVP_PKEY_OP_SIGN: @@ -698,23 +709,16 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, #define TBUF_MAXSIZE 2048 -static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx, - const EVP_MD *md, EVP_PKEY *pkey, BIO *in, +static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx, + EVP_PKEY *pkey, BIO *in, int filesize, unsigned char *sig, int siglen, unsigned char **out, size_t *poutlen) { int rv = 0; - EVP_MD_CTX *mctx = NULL; unsigned char tbuf[TBUF_MAXSIZE]; unsigned char *mbuf = NULL; int buf_len = 0; - if ((mctx = EVP_MD_CTX_new()) == NULL) { - BIO_printf(bio_err, "Error: out of memory\n"); - return rv; - } - EVP_MD_CTX_set_pkey_ctx(mctx, ctx); - /* Some algorithms only support oneshot digests */ if (EVP_PKEY_id(pkey) == EVP_PKEY_ED25519 || EVP_PKEY_id(pkey) == EVP_PKEY_ED448) { @@ -726,8 +730,6 @@ static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx, mbuf = app_malloc(filesize, "oneshot sign/verify buffer"); switch(pkey_op) { case EVP_PKEY_OP_VERIFY: - if (EVP_DigestVerifyInit(mctx, NULL, md, NULL, pkey) != 1) - goto end; buf_len = BIO_read(in, mbuf, filesize); if (buf_len != filesize) { BIO_printf(bio_err, "Error reading raw input data\n"); @@ -736,8 +738,6 @@ static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx, rv = EVP_DigestVerify(mctx, sig, (size_t)siglen, mbuf, buf_len); break; case EVP_PKEY_OP_SIGN: - if (EVP_DigestSignInit(mctx, NULL, md, NULL, pkey) != 1) - goto end; buf_len = BIO_read(in, mbuf, filesize); if (buf_len != filesize) { BIO_printf(bio_err, "Error reading raw input data\n"); @@ -755,8 +755,6 @@ static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx, switch(pkey_op) { case EVP_PKEY_OP_VERIFY: - if (EVP_DigestVerifyInit(mctx, NULL, md, NULL, pkey) != 1) - goto end; for (;;) { buf_len = BIO_read(in, tbuf, TBUF_MAXSIZE); if (buf_len == 0) @@ -774,8 +772,6 @@ static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx, rv = EVP_DigestVerifyFinal(mctx, sig, (size_t)siglen); break; case EVP_PKEY_OP_SIGN: - if (EVP_DigestSignInit(mctx, NULL, md, NULL, pkey) != 1) - goto end; for (;;) { buf_len = BIO_read(in, tbuf, TBUF_MAXSIZE); if (buf_len == 0) @@ -800,6 +796,5 @@ static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx, end: OPENSSL_free(mbuf); - EVP_MD_CTX_free(mctx); return rv; } diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t index 8c0614bc42..618088a577 100644 --- a/test/recipes/20-test_pkeyutl.t +++ b/test/recipes/20-test_pkeyutl.t @@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; setup("test_pkeyutl"); -plan tests => 11; +plan tests => 12; # For the tests below we use the cert itself as the TBS file @@ -125,6 +125,14 @@ SKIP: { srctop_file("test","testrsapub.pem"), "-rawin", "-digest", "sha256"); }; + + subtest "RSA CLI signature and verification with pkeyopt" => sub { + tsignverify("RSA", + srctop_file("test","testrsa.pem"), + srctop_file("test","testrsapub.pem"), + "-rawin", "-digest", "sha256", + "-pkeyopt", "rsa_padding_mode:pss"); + }; } SKIP: { From matt at openssl.org Mon Feb 22 12:17:48 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 22 Feb 2021 12:17:48 +0000 Subject: [openssl] master update Message-ID: <1613996268.340634.26962.nullmailer@dev.openssl.org> The branch master has been updated via 636a93454db40fa56e0927403fd34795aa268baf (commit) via 510d01914126947f409ddb51a3660c2196921b58 (commit) via 18b207c798b1ce1a760015d17150130269fa3110 (commit) via 7e1d7fea395654fd169bdb3d01b2f56236ed13c1 (commit) via bc4d84abce0e08e84078f9113c2f3d555b52d317 (commit) from 6ceaf67257bb33544867d0faa2d0c50ec862eba2 (commit) - Log ----------------------------------------------------------------- commit 636a93454db40fa56e0927403fd34795aa268baf Author: Matt Caswell Date: Thu Feb 18 11:44:52 2021 +0000 Note that the OSSL_CORE_MAKE_FUNC macro is reserved The OSSL_CORE_MAKE_FUNC macro has been added since 1.1.1 and is undocumented. However it is not intended for application use and so we document it as "reserved". Fixes #13192 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14232) commit 510d01914126947f409ddb51a3660c2196921b58 Author: Matt Caswell Date: Wed Feb 17 17:41:10 2021 +0000 Document the OSSL_PARAM_DEFN macro This macro was added since 1.1.1 and was undocumented. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14232) commit 18b207c798b1ce1a760015d17150130269fa3110 Author: Matt Caswell Date: Wed Feb 17 17:22:35 2021 +0000 Add documentation for the macro OPENSSL_VERSION_PREREQ This macro was added since 1.1.1 but had no associated documentation. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14232) commit 7e1d7fea395654fd169bdb3d01b2f56236ed13c1 Author: Matt Caswell Date: Wed Feb 17 17:06:41 2021 +0000 Document OPENSSL_LH_flush() The function OPENSSL_LH_flush() was added since 1.1.1 and was undocumented. We also add documentation for some other OPENSSL_LH_*() functions at the same time. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14232) commit bc4d84abce0e08e84078f9113c2f3d555b52d317 Author: Matt Caswell Date: Wed Feb 17 16:37:40 2021 +0000 Suppress errors about undocumented asn1_d2i_read_bio asn1_d2i_read_bio is exported by libcrypto but is only intended for internal usage, and does not exist in our public headers. Therefore we suppress errors about it being a newly added undocumented symbol. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14232) ----------------------------------------------------------------------- Summary of changes: doc/man3/OPENSSL_LH_COMPFUNC.pod | 74 +++++++++++++++++++++++++++++----------- doc/man3/OSSL_CORE_MAKE_FUNC.pod | 38 +++++++++++++++++++++ doc/man3/OSSL_PARAM_int.pod | 37 ++++++++++++-------- doc/man3/OpenSSL_version.pod | 16 ++++++--- include/openssl/core_dispatch.h | 2 ++ util/missingcrypto.txt | 9 ----- util/missingmacro.txt | 2 -- util/other-internal.syms | 2 ++ util/other.syms | 2 ++ 9 files changed, 133 insertions(+), 49 deletions(-) create mode 100644 doc/man3/OSSL_CORE_MAKE_FUNC.pod diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod index 3873ac0031..c109601597 100644 --- a/doc/man3/OPENSSL_LH_COMPFUNC.pod +++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod @@ -8,7 +8,11 @@ LHASH_DOALL_ARG_FN_TYPE, IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN, lh_TYPE_new, lh_TYPE_free, lh_TYPE_flush, lh_TYPE_insert, lh_TYPE_delete, lh_TYPE_retrieve, -lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error - dynamic hash table +lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error, +OPENSSL_LH_new, OPENSSL_LH_free, OPENSSL_LH_flush, +OPENSSL_LH_insert, OPENSSL_LH_delete, OPENSSL_LH_retrieve, +OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error +- dynamic hash table =head1 SYNOPSIS @@ -18,7 +22,7 @@ lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error - dynamic hash table DECLARE_LHASH_OF(TYPE); - LHASH *lh_TYPE_new(OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC compare); + LHASH_OF(TYPE) *lh_TYPE_new(OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC compare); void lh_TYPE_free(LHASH_OF(TYPE) *table); void lh_TYPE_flush(LHASH_OF(TYPE) *table); @@ -37,6 +41,19 @@ lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error - dynamic hash table typedef void (*OPENSSL_LH_DOALL_FUNC)(const void *); typedef void (*LHASH_DOALL_ARG_FN_TYPE)(const void *, const void *); + OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c); + void OPENSSL_LH_free(OPENSSL_LHASH *lh); + void OPENSSL_LH_flush(OPENSSL_LHASH *lh); + + void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data); + void *OPENSSL_LH_delete(OPENSSL_LHASH *lh, const void *data); + void *OPENSSL_LH_retrieve(OPENSSL_LHASH *lh, const void *data); + + void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func); + void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNCARG func, void *arg); + + int OPENSSL_LH_error(OPENSSL_LHASH *lh); + =head1 DESCRIPTION This library implements type-checked dynamic hash tables. The hash @@ -162,34 +179,50 @@ that is provided by the caller): B_error>() can be used to determine if an error occurred in the last operation. +OPENSSL_LH_new() is the same as the B_new>() except that it is not +type specific. So instead of returning an B)> value it returns +a B. In the same way the functions OPENSSL_LH_free(), +OPENSSL_LH_flush(), OPENSSL_LH_insert(), OPENSSL_LH_delete(), +OPENSSL_LH_retrieve(), OPENSSL_LH_doall(), OPENSSL_LH_doall_arg(), and +OPENSSL_LH_error() are equivalent to the similarly named B> functions +except that they return or use a B where the equivalent B> +function returns or uses a B *> or B) *>. B> +functions are implemented as type checked wrappers around the B +functions. Most applications should not call the B functions +directly. + =head1 RETURN VALUES -B_new>() returns NULL on error, otherwise a pointer to the new -B structure. +B_new>() and OPENSSL_LH_new() return NULL on error, otherwise a +pointer to the new B structure. -When a hash table entry is replaced, B_insert>() returns the value -being replaced. NULL is returned on normal operation and on error. +When a hash table entry is replaced, B_insert>() or +OPENSSL_LH_insert() return the value being replaced. NULL is returned on normal +operation and on error. -B_delete>() returns the entry being deleted. NULL is returned if -there is no such value in the hash table. +B_delete>() and OPENSSL_LH_delete() return the entry being deleted. +NULL is returned if there is no such value in the hash table. -B_retrieve>() returns the hash table entry if it has been found, -NULL otherwise. +B_retrieve>() and OPENSSL_LH_retrieve() return the hash table entry +if it has been found, NULL otherwise. -B_error>() returns 1 if an error occurred in the last operation, 0 -otherwise. It's meaningful only after non-retrieve operations. +B_error>() and OPENSSL_LH_error() return 1 if an error occurred in +the last operation, 0 otherwise. It's meaningful only after non-retrieve +operations. -B_free>(), B_flush>(), B_doall>() and -B_doall_arg>() return no values. +B_free>(), OPENSSL_LH_free(), B_flush>(), +OPENSSL_LH_flush(), B_doall>() OPENSSL_LH_doall(), +B_doall_arg>() and OPENSSL_LH_doall_arg() return no values. =head1 NOTE The LHASH code is not thread safe. All updating operations, as well as -B_error>() call must be performed under a write lock. All retrieve -operations should be performed under a read lock, I accurate -usage statistics are desired. In which case, a write lock should be used -for retrieve operations as well. For output of the usage statistics, -using the functions from L, a read lock suffices. +B_error>() or OPENSSL_LH_error() calls must be performed under +a write lock. All retrieve operations should be performed under a read lock, +I accurate usage statistics are desired. In which case, a write lock +should be used for retrieve operations as well. For output of the usage +statistics, using the functions from L, a read lock +suffices. The LHASH code regards table entries as constant data. As such, it internally represents lh_insert()'d items with a "const void *" @@ -223,7 +256,8 @@ without any "const" qualifiers. =head1 BUGS -B_insert>() returns NULL both for success and error. +B_insert>() and OPENSSL_LH_insert() return NULL both for success +and error. =head1 SEE ALSO diff --git a/doc/man3/OSSL_CORE_MAKE_FUNC.pod b/doc/man3/OSSL_CORE_MAKE_FUNC.pod new file mode 100644 index 0000000000..409c19db62 --- /dev/null +++ b/doc/man3/OSSL_CORE_MAKE_FUNC.pod @@ -0,0 +1,38 @@ +=pod + +=head1 NAME + +OSSL_CORE_MAKE_FUNC - OpenSSL reserved symbols + +=head1 SYNOPSIS + + #include + + #define OSSL_CORE_MAKE_FUNC(type,name,args) + +=head1 DESCRIPTION + +There are certain macros that may appear in OpenSSL header files that are +reserved for internal use. They should not be used by applications or assumed +to exist. + +All the macros listed in the synopsis above are reserved. + +=head1 RETURN VALUES + +Not applicable. + +=head1 HISTORY + +The macros described here were added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index 25b87014b7..4f482ee610 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -7,7 +7,7 @@ OSSL_PARAM_long, OSSL_PARAM_size_t, OSSL_PARAM_time_t, OSSL_PARAM_uint, OSSL_PARAM_uint32, OSSL_PARAM_uint64, OSSL_PARAM_ulong, OSSL_PARAM_BN, OSSL_PARAM_utf8_string, OSSL_PARAM_octet_string, OSSL_PARAM_utf8_ptr, OSSL_PARAM_octet_ptr, -OSSL_PARAM_END, +OSSL_PARAM_END, OSSL_PARAM_DEFN, OSSL_PARAM_construct_double, OSSL_PARAM_construct_int, OSSL_PARAM_construct_int32, OSSL_PARAM_construct_int64, OSSL_PARAM_construct_long, OSSL_PARAM_construct_size_t, @@ -58,6 +58,9 @@ OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified #define OSSL_PARAM_UNMODIFIED + #define OSSL_PARAM_DEFN(key, type, addr, sz) \ + { (key), (type), (addr), (sz), OSSL_PARAM_UNMODIFIED } + OSSL_PARAM OSSL_PARAM_construct_TYPE(const char *key, TYPE *buf); OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf, size_t bsize); @@ -107,7 +110,7 @@ OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified =head1 DESCRIPTION A collection of utility functions that simplify and add type safety to the -OSSL_PARAM arrays. The following B> names are supported: +B arrays. The following B> names are supported: =over 1 @@ -158,7 +161,7 @@ unsigned long int (ulong) =back OSSL_PARAM_TYPE() are a series of macros designed to assist initialising an -array of OSSL_PARAM structures. +array of B structures. Each of these macros defines a parameter of the specified B> with the provided I and parameter variable I

. @@ -169,40 +172,46 @@ A parameter with name I is defined. The storage for this parameter is at I
and is of I bytes. OSSL_PARAM_END provides an end of parameter list marker. -This should terminate all OSSL_PARAM arrays. +This should terminate all B arrays. + +The OSSL_PARAM_DEFN() macro provides the ability to construct a single +B (typically used in the construction of B arrays). The +I, I, I and I arguments correspond to the I, +I, I and I fields of the B structure as +described on the L page. -OSSL_PARAM_construct_TYPE() are a series of functions that create OSSL_PARAM +OSSL_PARAM_construct_TYPE() are a series of functions that create B records dynamically. A parameter with name I is created. The parameter will use storage pointed to by I and return size of I. OSSL_PARAM_construct_BN() is a function that constructs a large integer -OSSL_PARAM structure. +B structure. A parameter with name I, storage I, size I and return size I is created. OSSL_PARAM_construct_utf8_string() is a function that constructs a UTF8 -string OSSL_PARAM structure. +string B structure. A parameter with name I, storage I and size I is created. If I is zero, the string length is determined using strlen(3). Generally pass zero for I instead of calling strlen(3) yourself. OSSL_PARAM_construct_octet_string() is a function that constructs an OCTET -string OSSL_PARAM structure. +string B structure. A parameter with name I, storage I and size I is created. OSSL_PARAM_construct_utf8_ptr() is a function that constructs a UTF string -pointer OSSL_PARAM structure. +pointer B structure. A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_octet_ptr() is a function that constructs an OCTET string -pointer OSSL_PARAM structure. +pointer B structure. A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_end() is a function that constructs the terminating -OSSL_PARAM structure. +B structure. OSSL_PARAM_locate() is a function that searches an I of parameters for the one matching the I name. @@ -299,10 +308,10 @@ in the array I. OSSL_PARAM_construct_TYPE(), OSSL_PARAM_construct_BN(), OSSL_PARAM_construct_utf8_string(), OSSL_PARAM_construct_octet_string(), OSSL_PARAM_construct_utf8_ptr() and OSSL_PARAM_construct_octet_ptr() -return a populated OSSL_PARAM structure. +return a populated B structure. OSSL_PARAM_locate() and OSSL_PARAM_locate_const() return a pointer to -the matching OSSL_PARAM object. They return NULL on error or when +the matching B object. They return NULL on error or when no object matching I exists in the I. OSSL_PARAM_modified() returns 1 if the parameter was set and 0 otherwise. @@ -326,7 +335,7 @@ possible purposes. =head1 EXAMPLES Reusing the examples from L to just show how -C arrays can be handled using the macros and functions +B arrays can be handled using the macros and functions defined herein. =head2 Example 1 diff --git a/doc/man3/OpenSSL_version.pod b/doc/man3/OpenSSL_version.pod index a4ef1cfbaf..e28a35e73a 100644 --- a/doc/man3/OpenSSL_version.pod +++ b/doc/man3/OpenSSL_version.pod @@ -4,10 +4,10 @@ OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR, OPENSSL_VERSION_PATCH, OPENSSL_VERSION_PRE_RELEASE, OPENSSL_VERSION_BUILD_METADATA, -OPENSSL_VERSION_TEXT, -OPENSSL_version_major, OPENSSL_version_minor, OPENSSL_version_patch, -OPENSSL_version_pre_release, OPENSSL_version_build_metadata, OpenSSL_version, -OPENSSL_VERSION_NUMBER, OpenSSL_version_num, OPENSSL_info +OPENSSL_VERSION_TEXT, OPENSSL_VERSION_PREREQ, OPENSSL_version_major, +OPENSSL_version_minor, OPENSSL_version_patch, OPENSSL_version_pre_release, +OPENSSL_version_build_metadata, OpenSSL_version, OPENSSL_VERSION_NUMBER, +OpenSSL_version_num, OPENSSL_info - get OpenSSL version number and other information =head1 SYNOPSIS @@ -24,6 +24,8 @@ OPENSSL_VERSION_NUMBER, OpenSSL_version_num, OPENSSL_info #define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX xxxx" + #define OPENSSL_VERSION_PREREQ(maj,min) + #include unsigned int OPENSSL_version_major(void); @@ -73,6 +75,12 @@ B is a convenience macro to get a full descriptive version text, which includes B and the release date. +B is a useful macro for checking whether the OpenSSL +version for the headers in use is at least at the given pre-requisite major +(B) and minor (B) number or not. It will evaluate to true if the +header version number (B.B) is +greater than or equal to B.B. + =head2 Functions OPENSSL_version_major(), OPENSSL_version_minor(), OPENSSL_version_patch(), diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index c4e109156f..6f12d6fecf 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -41,6 +41,8 @@ extern "C" { * |type| is the return-type of the function, |name| is the name of the * function to fetch, and |args| is a parenthesized list of parameters * for the function (that is, it is |name|'s function signature). + * Note: This is considered a "reserved" internal macro. Applications should + * not use this or assume its existence. */ #define OSSL_CORE_MAKE_FUNC(type,name,args) \ typedef type (OSSL_FUNC_##name##_fn)args; \ diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 85f03fc9cc..61d91b0c92 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -837,17 +837,8 @@ OCSP_response_status_str(3) OCSP_url_svcloc_new(3) OPENSSL_DIR_end(3) OPENSSL_DIR_read(3) -OPENSSL_LH_delete(3) -OPENSSL_LH_doall(3) -OPENSSL_LH_doall_arg(3) -OPENSSL_LH_error(3) -OPENSSL_LH_flush(3) -OPENSSL_LH_free(3) OPENSSL_LH_get_down_load(3) -OPENSSL_LH_insert(3) -OPENSSL_LH_new(3) OPENSSL_LH_num_items(3) -OPENSSL_LH_retrieve(3) OPENSSL_LH_set_down_load(3) OPENSSL_LH_strhash(3) OPENSSL_asc2uni(3) diff --git a/util/missingmacro.txt b/util/missingmacro.txt index 4cad414f3a..6b7f9fa2b3 100644 --- a/util/missingmacro.txt +++ b/util/missingmacro.txt @@ -99,8 +99,6 @@ PEM_write_bio_OCSP_REQUEST(3) PEM_write_bio_OCSP_RESPONSE(3) ASN1_BIT_STRING_digest(3) OCSP_CERTSTATUS_dup(3) -OPENSSL_VERSION_PREREQ(3) -OSSL_PARAM_DEFN(3) OSSL_PARAM_SIZED_int(3) OSSL_PARAM_SIZED_uint(3) OSSL_PARAM_SIZED_long(3) diff --git a/util/other-internal.syms b/util/other-internal.syms index 5688daa687..9f6a22e2ea 100644 --- a/util/other-internal.syms +++ b/util/other-internal.syms @@ -1,3 +1,5 @@ ossl_cmp_allow_unprotected_cb_t datatype # DEFINE_SPARSE_ARRAY_OF define +#Functions exported by libcrypto that don't exist in our public headers +asn1_d2i_read_bio internal diff --git a/util/other.syms b/util/other.syms index 670ba78938..54eeeb95cf 100644 --- a/util/other.syms +++ b/util/other.syms @@ -348,6 +348,7 @@ OPENSSL_VERSION_MINOR define OPENSSL_VERSION_NUMBER define deprecated 3.0.0 OPENSSL_VERSION_PATCH define OPENSSL_VERSION_PRE_RELEASE define +OPENSSL_VERSION_PREREQ define OPENSSL_VERSION_BUILD_METADATA define OPENSSL_VERSION_PRE_RELEASE_STR define OPENSSL_VERSION_BUILD_METADATA_STR define @@ -404,6 +405,7 @@ OSSL_CMP_SRV_certConf_cb_t datatype OSSL_CMP_SRV_genm_cb_t datatype OSSL_CMP_SRV_error_cb_t datatype OSSL_CMP_SRV_pollReq_cb_t datatype +OSSL_CORE_MAKE_FUNC define OSSL_PARAM_TYPE define OSSL_PARAM_octet_ptr define OSSL_PARAM_octet_string define From matt at openssl.org Mon Feb 22 12:24:33 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 22 Feb 2021 12:24:33 +0000 Subject: [openssl] master update Message-ID: <1613996673.521530.15949.nullmailer@dev.openssl.org> The branch master has been updated via f16f363a85baa6338744e20671c5a227844f2847 (commit) from 636a93454db40fa56e0927403fd34795aa268baf (commit) - Log ----------------------------------------------------------------- commit f16f363a85baa6338744e20671c5a227844f2847 Author: Matt Caswell Date: Fri Feb 19 15:57:01 2021 +0000 Fix no-tests on mingw Using the no-tests option on mingw in an out-of-source build tree was failing. Fixes #14246 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14249) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index b2abee23e6..16d4337dab 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1561,12 +1561,16 @@ EOF if (windowsdll()) { $recipe .= <<"EOF"; rm -f apps/$full - rm -f test/$full rm -f fuzz/$full cp -p $full apps/ - cp -p $full test/ cp -p $full fuzz/ EOF + if (!$disabled{tests}) { + $recipe .= <<"EOF"; + rm -f test/$full + cp -p $full test/ +EOF + } } $recipe .= <<"EOF" if defined $argfile; $argfile: $argfiledeps From openssl at openssl.org Tue Feb 23 02:07:48 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 23 Feb 2021 02:07:48 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1614046068.094505.1920161.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. # cmp_main:../openssl/apps/cmp.c:2692:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2291:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2008:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2058:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t ................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 768 Tests: 5 Failed: 3) Failed tests: 2-3, 5 Non-zero exit status: 3 Files=232, Tests=2736, 776 wallclock secs (10.28 usr 1.30 sys + 683.09 cusr 73.42 csys = 768.09 CPU) Result: FAIL make[1]: *** [Makefile:2478: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2475: tests] Error 2 From no-reply at appveyor.com Tue Feb 23 06:49:39 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 23 Feb 2021 06:49:39 +0000 Subject: Build failed: openssl master.40133 Message-ID: <20210223064939.1.9DC761019BD18B6F@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Feb 23 08:04:58 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 23 Feb 2021 08:04:58 +0000 Subject: Build completed: openssl master.40134 Message-ID: <20210223080458.1.D9D5E868120A2A1A@appveyor.com> An HTML attachment was scrubbed... URL: From beldmit at gmail.com Tue Feb 23 08:28:00 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Tue, 23 Feb 2021 08:28:00 +0000 Subject: [openssl] master update Message-ID: <1614068880.489133.17619.nullmailer@dev.openssl.org> The branch master has been updated via 444b25b1e96fa444ffe3a67671796cfc1b599735 (commit) from f16f363a85baa6338744e20671c5a227844f2847 (commit) - Log ----------------------------------------------------------------- commit 444b25b1e96fa444ffe3a67671796cfc1b599735 Author: Shane Lontis Date: Mon Feb 22 13:03:21 2021 +1000 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. Fixes #14263 If the new decoder code fails, it now falls back to the old legacy code and tries that also. Tested manually using gost engine master. Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14266) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/d2i_pr.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 79 insertions(+), 5 deletions(-) diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index c657f0f3a7..4da5a0c9be 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,9 +23,9 @@ #include "crypto/evp.h" #include "internal/asn1.h" -EVP_PKEY *d2i_PrivateKey_ex(int keytype, EVP_PKEY **a, const unsigned char **pp, - long length, OSSL_LIB_CTX *libctx, - const char *propq) +static EVP_PKEY * +d2i_PrivateKey_decoder(int keytype, EVP_PKEY **a, const unsigned char **pp, + long length, OSSL_LIB_CTX *libctx, const char *propq) { OSSL_DECODER_CTX *dctx = NULL; size_t len = length; @@ -44,6 +44,8 @@ EVP_PKEY *d2i_PrivateKey_ex(int keytype, EVP_PKEY **a, const unsigned char **pp, ppkey = a; for (i = 0; i < (int)OSSL_NELEM(input_structures); ++i) { + const unsigned char *p = *pp; + dctx = OSSL_DECODER_CTX_new_for_pkey(ppkey, "DER", input_structures[i], key_name, EVP_PKEY_KEYPAIR, libctx, propq); @@ -56,6 +58,7 @@ EVP_PKEY *d2i_PrivateKey_ex(int keytype, EVP_PKEY **a, const unsigned char **pp, if (*ppkey != NULL && evp_keymgmt_util_has(*ppkey, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) return *ppkey; + *pp = p; goto err; } } @@ -132,12 +135,77 @@ EVP_PKEY *evp_privatekey_from_binary(int keytype, EVP_PKEY **a, return NULL; } +EVP_PKEY *d2i_PrivateKey_ex(int keytype, EVP_PKEY **a, const unsigned char **pp, + long length, OSSL_LIB_CTX *libctx, + const char *propq) +{ + EVP_PKEY *ret; + + ret = d2i_PrivateKey_decoder(keytype, a, pp, length, libctx, propq); + /* try the legacy path if the decoder failed */ + if (ret == NULL) + ret = evp_privatekey_from_binary(keytype, a, pp, length, libctx, propq); + return ret; +} + EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { return d2i_PrivateKey_ex(type, a, pp, length, NULL, NULL); } +static EVP_PKEY *d2i_AutoPrivateKey_legacy(EVP_PKEY **a, + const unsigned char **pp, + long length, + OSSL_LIB_CTX *libctx, + const char *propq) +{ + STACK_OF(ASN1_TYPE) *inkey; + const unsigned char *p; + int keytype; + + p = *pp; + /* + * Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE): by + * analyzing it we can determine the passed structure: this assumes the + * input is surrounded by an ASN1 SEQUENCE. + */ + inkey = d2i_ASN1_SEQUENCE_ANY(NULL, &p, length); + p = *pp; + /* + * Since we only need to discern "traditional format" RSA and DSA keys we + * can just count the elements. + */ + if (sk_ASN1_TYPE_num(inkey) == 6) { + keytype = EVP_PKEY_DSA; + } else if (sk_ASN1_TYPE_num(inkey) == 4) { + keytype = EVP_PKEY_EC; + } else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not + * traditional format */ + PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); + EVP_PKEY *ret; + + sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); + if (p8 == NULL) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); + return NULL; + } + ret = EVP_PKCS82PKEY_ex(p8, libctx, propq); + PKCS8_PRIV_KEY_INFO_free(p8); + if (ret == NULL) + return NULL; + *pp = p; + if (a) { + *a = ret; + } + return ret; + } else { + keytype = EVP_PKEY_RSA; + } + sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); + return evp_privatekey_from_binary(keytype, a, pp, length, libctx, propq); +} + /* * This works like d2i_PrivateKey() except it passes the keytype as * EVP_PKEY_NONE, which then figures out the type during decoding. @@ -146,7 +214,13 @@ EVP_PKEY *d2i_AutoPrivateKey_ex(EVP_PKEY **a, const unsigned char **pp, long length, OSSL_LIB_CTX *libctx, const char *propq) { - return d2i_PrivateKey_ex(EVP_PKEY_NONE, a, pp, length, libctx, propq); + EVP_PKEY *ret; + + ret = d2i_PrivateKey_decoder(EVP_PKEY_NONE, a, pp, length, libctx, propq); + /* try the legacy path if the decoder failed */ + if (ret == NULL) + ret = d2i_AutoPrivateKey_legacy(a, pp, length, libctx, propq); + return ret; } EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, From levitte at openssl.org Tue Feb 23 08:35:08 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 23 Feb 2021 08:35:08 +0000 Subject: [openssl] master update Message-ID: <1614069308.855313.20299.nullmailer@dev.openssl.org> The branch master has been updated via f627561cf5cc4963698bf975df8694543bcf826c (commit) via 9e1094ad3df16a7d9a1224925ed8a9c3f76b9bba (commit) from 444b25b1e96fa444ffe3a67671796cfc1b599735 (commit) - Log ----------------------------------------------------------------- commit f627561cf5cc4963698bf975df8694543bcf826c Author: Richard Levitte Date: Mon Feb 22 07:37:06 2021 +0100 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings That includes proper compiler version detection. Partially fixes #14247 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14270) commit 9e1094ad3df16a7d9a1224925ed8a9c3f76b9bba Author: Richard Levitte Date: Mon Feb 22 07:29:03 2021 +0100 util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() There may be times when a compiler can't be detected, in which case determine_compiler_settings() bailed out too early, before platform specific fallbacks have a chance to set the record straight. That bail out has been moved to be done after the platform specific fallbacks. Furthermore, the attempt to check for gcc or clang and get their version number was done even if no compiler had been automatically detected or pre-specified via $CC. It now only does this when there is a compiler specified or detected. The platform specific fallbacks check the versions separately. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14270) ----------------------------------------------------------------------- Summary of changes: util/perl/OpenSSL/config.pm | 110 ++++++++++++++++++++++++++------------------ 1 file changed, 65 insertions(+), 45 deletions(-) diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index 776e448df4..d09d017c87 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm @@ -193,6 +193,8 @@ sub maybe_abort { # Look for ISC/SCO with its unique uname program sub is_sco_uname { + return undef unless IPC::Cmd::can_run('uname'); + open UNAME, "uname -X 2>/dev/null|" or return ''; my $line = ""; while ( ) { @@ -200,9 +202,11 @@ sub is_sco_uname { $line = $_ if m@^Release@; } close UNAME; - return "" if $line eq ''; + + return undef if $line eq ''; + my @fields = split(/\s+/, $line); - return $fields[2] // ''; + return $fields[2]; } sub get_sco_type { @@ -237,7 +241,7 @@ sub guess_system { # Special-cases for ISC, SCO, Unixware my $REL = is_sco_uname(); - if ( $REL ne "" ) { + if ( defined $REL ) { my $result = get_sco_type($REL); return eval "\"$result\"" if $result ne ''; } @@ -276,8 +280,8 @@ sub _pairs (@) { # Figure out CC, GCCVAR, etc. sub determine_compiler_settings { - # Make a copy and don't touch it. That helps determine if we're - # finding the compiler here + # Make a copy and don't touch it. That helps determine if we're finding + # the compiler here (false), or if it was set by the user (true. my $cc = $CC; # Set certain default @@ -293,51 +297,59 @@ sub determine_compiler_settings { } } - # Find the compiler vendor and version number for certain compilers - foreach my $pair (_pairs @cc_version) { - # Try to get the version number. - # Failure gets us undef or an empty string - my ( $k, $v ) = @$pair; - $v = $v->(); - - # If we got a version number, process it - if ($v) { - $CCVENDOR = $k; - - # The returned version is expected to be one of - # - # MAJOR - # MAJOR.MINOR - # MAJOR.MINOR.{whatever} - # - # We don't care what comes after MAJOR.MINOR. All we need is to - # have them calculated into a single number, using this formula: - # - # MAJOR * 100 + MINOR - # Here are a few examples of what we should get: - # - # 2.95.1 => 295 - # 3.1 => 301 - # 9 => 900 - my @numbers = split /\./, $v; - my @factors = (100, 1); - while (@numbers && @factors) { - $CCVER += shift(@numbers) * shift(@factors) + if ( $CC ) { + # Find the compiler vendor and version number for certain compilers + foreach my $pair (_pairs @cc_version) { + # Try to get the version number. + # Failure gets us undef or an empty string + my ( $k, $v ) = @$pair; + $v = $v->(); + + # If we got a version number, process it + if ($v) { + $CCVENDOR = $k; + + # The returned version is expected to be one of + # + # MAJOR + # MAJOR.MINOR + # MAJOR.MINOR.{whatever} + # + # We don't care what comes after MAJOR.MINOR. All we need is + # to have them calculated into a single number, using this + # formula: + # + # MAJOR * 100 + MINOR + # Here are a few examples of what we should get: + # + # 2.95.1 => 295 + # 3.1 => 301 + # 9 => 900 + my @numbers = split /\./, $v; + my @factors = (100, 1); + while (@numbers && @factors) { + $CCVER += shift(@numbers) * shift(@factors) + } + last; } - last; } } - # If no C compiler has been determined at this point, we die. Hard. - die <<_____ -ERROR! -No C compiler found, please specify one with the environment variable CC, -or configure with an explicit configuration target. -_____ - unless $CC; - - # Vendor specific overrides, only if we determined the compiler here + # Vendor specific overrides, only if we didn't determine the compiler here if ( ! $cc ) { + if ( $SYSTEM eq 'OpenVMS' ) { + my $v = `CC/VERSION NLA0:`; + if ($? == 0) { + my ($vendor, $version) = + ( $v =~ m/^([A-Z]+) C V([0-9\.-]+) on / ); + my ($major, $minor, $patch) = + ( $version =~ m/^([0-9]+)\.([0-9]+)-0*?(0|[1-9][0-9]*)$/ ); + $CC = 'CC'; + $CCVENDOR = $vendor; + $CCVER = ( $major * 100 + $minor ) * 100 + $patch; + } + } + if ( ${SYSTEM} eq 'AIX' ) { # favor vendor cc over gcc if (IPC::Cmd::can_run('cc')) { @@ -375,6 +387,14 @@ EOF } } + # If no C compiler has been determined at this point, we die. Hard. + die <<_____ +ERROR! +No C compiler found, please specify one with the environment variable CC, +or configure with an explicit configuration target. +_____ + unless $CC; + # On some systems, we assume a cc vendor if it's not already determined if ( ! $CCVENDOR ) { From levitte at openssl.org Tue Feb 23 12:45:36 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 23 Feb 2021 12:45:36 +0000 Subject: [openssl] master update Message-ID: <1614084336.599605.10961.nullmailer@dev.openssl.org> The branch master has been updated via f5b00834dd11d766b9232e89e40884db8f3cd7ec (commit) via bbf4dc96fc4344e333d4e73bc2aba848e5bff84b (commit) via 13f91a7245d4271486c018b440940a696eaaa12d (commit) via df4592cbec2321bccd23393328f53894a08bf403 (commit) via 5524580b5c0796d3bcab55c4e5378c6ece4df63b (commit) via 6fcd92d3d72540bddb738e2b037dda9a157cfc5c (commit) via 513731299398f4597aa575154a973654bbc2e0ef (commit) via 9a1c4e41e8d3fd8fe9d1bd8eeb8b1e1df21da37f (commit) via 4d4928edd0758753e43294816ae6095975a6e5fa (commit) via e19246dc721a7a57c62d7dd39c70b6c87140b0ec (commit) via 6179dfc7c4bd850004c3b4b8220f3559573130d5 (commit) from f627561cf5cc4963698bf975df8694543bcf826c (commit) - Log ----------------------------------------------------------------- commit f5b00834dd11d766b9232e89e40884db8f3cd7ec Author: Richard Levitte Date: Wed Feb 10 19:00:05 2021 +0100 EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit bbf4dc96fc4344e333d4e73bc2aba848e5bff84b Author: Richard Levitte Date: Wed Feb 10 18:58:01 2021 +0100 EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted It would check the keytype and optype before determining if it even supported the ctrl command number. This turned out to be disruptive, so we make it check that it supports the request ctrl command number first. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit 13f91a7245d4271486c018b440940a696eaaa12d Author: Richard Levitte Date: Mon Jan 25 15:38:32 2021 +0100 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit df4592cbec2321bccd23393328f53894a08bf403 Author: Richard Levitte Date: Mon Jan 25 15:31:01 2021 +0100 EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit 5524580b5c0796d3bcab55c4e5378c6ece4df63b Author: Richard Levitte Date: Wed Jan 20 23:13:45 2021 +0100 EVP: Adapt the EVP_PKEY_CTX ctrl functions legacy_ctrl_to_param() and legacy_ctrl_str_to_param() are now replaced with calls to evp_pkey_ctx_ctrl_to_param() and evp_pkey_ctx_ctrl_str_to_param(). Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit 6fcd92d3d72540bddb738e2b037dda9a157cfc5c Author: Richard Levitte Date: Wed Jan 20 23:10:48 2021 +0100 EVP: Adapt diverse OSSL_PARAM setters and getters EVP_PKEY_get_group_name() now simply calls EVP_PKEY_get_utf8_string_param(). EVP_PKEY_CTX_set_group_name() now simply calls EVP_PKEY_CTX_set_params(). EVP_PKEY_get_bn_param(), EVP_PKEY_get_octet_string_param(), EVP_PKEY_get_utf8_string_param() and EVP_PKEY_get_int_param() can now handle legacy EVP_PKEYs by calling evp_pkey_get_params_to_ctrl(). EVP_PKEY_CTX_get_params() can now handle a legacy backed EVP_PKEY_CTX by calling evp_pkey_ctx_get_params_to_ctrl(). Note: EVP_PKEY_CTX_set_params() doesn't call the translator yet. Should it ever? Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit 513731299398f4597aa575154a973654bbc2e0ef Author: Richard Levitte Date: Wed Feb 10 16:56:57 2021 +0100 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware In the interest of calling these functions on legacy EVP_PKEY contexts, only check the settable / gettable params for provider side keys, leaving to the translated EVP_PKEY_CTX_ctrl() call check the ctrl commands on its own. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit 9a1c4e41e8d3fd8fe9d1bd8eeb8b1e1df21da37f Author: Richard Levitte Date: Wed Jan 20 23:04:53 2021 +0100 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs The idea is to make it as transparent as possible to call things like EVP_PKEY_CTX_ctrl() with a provider backed EVP_PKEY_CTX, or things like EVP_PKEY_get_bn_param() with a legacy EVP_PKEY. All these sorts of calls demand that we translate between ctrl commands and OSSL_PARAM keys, and treat the arguments appropriately. This implementation has it being as data driven as possible, thereby centralizing everything into one table of translation data, which supports both directions. Fixes #13528 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit 4d4928edd0758753e43294816ae6095975a6e5fa Author: Richard Levitte Date: Mon Feb 8 17:25:41 2021 +0100 EVP: make evp_pkey_is_assigned() usable in the FIPS module Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit e19246dc721a7a57c62d7dd39c70b6c87140b0ec Author: Richard Levitte Date: Mon Jan 25 15:24:46 2021 +0100 EVP: Make evp_pkey_ctx_state() available to all of EVP This will help with transitioning diverse functions to be able to use the ctrl<->OSSL_PARAM translators. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) commit 6179dfc7c4bd850004c3b4b8220f3559573130d5 Author: Richard Levitte Date: Wed Feb 10 16:55:19 2021 +0100 EVP: Implement EVP_PKEY_CTX_is_a() This does what was previously done by looking at pctx->pmeth->pkey_id, but handles both legacy and provider side contexts, and is supposed to become a replacement for the old way. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13913) ----------------------------------------------------------------------- Summary of changes: crypto/evp/build.info | 2 +- crypto/evp/ctrl_params_translate.c | 2689 ++++++++++++++++++++++++++++++++++++ crypto/evp/dh_ctrl.c | 386 ++---- crypto/evp/ec_ctrl.c | 377 ++--- crypto/evp/evp_lib.c | 30 +- crypto/evp/p_lib.c | 99 +- crypto/evp/pmeth_lib.c | 543 ++------ crypto/rsa/rsa_lib.c | 671 +++------ doc/man3/EVP_PKEY_CTX_new.pod | 8 +- include/crypto/evp.h | 32 +- include/openssl/evp.h | 1 + util/libcrypto.num | 1 + 12 files changed, 3288 insertions(+), 1551 deletions(-) create mode 100644 crypto/evp/ctrl_params_translate.c diff --git a/crypto/evp/build.info b/crypto/evp/build.info index 4b3057873f..34551df4a3 100644 --- a/crypto/evp/build.info +++ b/crypto/evp/build.info @@ -15,7 +15,7 @@ SOURCE[../../libcrypto]=$COMMON\ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_chacha20_poly1305.c \ - legacy_sha.c + legacy_sha.c ctrl_params_translate.c # Diverse type specific ctrl functions. They are kinda sorta legacy, kinda # sorta not. diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c new file mode 100644 index 0000000000..1e7001809b --- /dev/null +++ b/crypto/evp/ctrl_params_translate.c @@ -0,0 +1,2689 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Some ctrls depend on deprecated functionality. We trust that this is + * functionality that remains internally even when 'no-deprecated' is + * configured. When we drop #legacy EVP_PKEYs, this source should be + * possible to drop as well. + */ +#include "internal/deprecated.h" + +#include + +/* The following includes get us all the EVP_PKEY_CTRL macros */ +#include +#include +#include +#include +#include + +/* This include gets us all the OSSL_PARAM key string macros */ +#include + +#include +#include +#include +#include "internal/nelem.h" +#include "internal/cryptlib.h" +#include "internal/ffc.h" +#include "crypto/evp.h" +#include "crypto/dh.h" +#include "crypto/ec.h" + +#include "e_os.h" /* strcasecmp() for Windows */ + +struct translation_ctx_st; /* Forwarding */ +struct translation_st; /* Forwarding */ + +/* + * The fixup_args functions are called with the following parameters: + * + * |state| The state we're called in, explained further at the + * end of this comment. + * |translation| The translation item, to be pilfered for data as + * necessary. + * |ctx| The translation context, which contains copies of + * the following arguments, applicable according to + * the caller. All of the attributes in this context + * may be freely modified by the fixup_args function. + * For cleanup, call cleanup_translation_ctx(). + * + * The |state| tells the fixup_args function something about the caller and + * what they may expect: + * + * PKEY The fixup_args function has been called + * from an EVP_PKEY payload getter / setter, + * and is fully responsible for getting or + * setting the requested data. With this + * state, the fixup_args function is expected + * to use or modify |*params|, depending on + * |action_type|. + * + * PRE_CTRL_TO_PARAMS The fixup_args function has been called + * POST_CTRL_TO_PARAMS from EVP_PKEY_CTX_ctrl(), to help with + * translating the ctrl data to an OSSL_PARAM + * element or back. The calling sequence is + * as follows: + * + * 1. fixup_args(PRE_CTRL_TO_PARAMS, ...) + * 2. EVP_PKEY_CTX_set_params() or + * EVP_PKEY_CTX_get_params() + * 3. fixup_args(POST_CTRL_TO_PARAMS, ...) + * + * With the PRE_CTRL_TO_PARAMS state, the + * fixup_args function is expected to modify + * the passed |*params| in whatever way + * necessary, when |action_type == SET|. + * With the POST_CTRL_TO_PARAMS state, the + * fixup_args function is expected to modify + * the passed |p2| in whatever way necessary, + * when |action_type == GET|. + * + * The return value from the fixup_args call + * with the POST_CTRL_TO_PARAMS state becomes + * the return value back to EVP_PKEY_CTX_ctrl(). + * + * CLEANUP_CTRL_TO_PARAMS The cleanup_args functions has been called + * from EVP_PKEY_CTX_ctrl(), to clean up what + * the fixup_args function has done, if needed. + * + * + * PRE_CTRL_STR_TO_PARAMS The fixup_args function has been called + * POST_CTRL_STR_TO_PARAMS from EVP_PKEY_CTX_ctrl_str(), to help with + * translating the ctrl_str data to an + * OSSL_PARAM element or back. The calling + * sequence is as follows: + * + * 1. fixup_args(PRE_CTRL_STR_TO_PARAMS, ...) + * 2. EVP_PKEY_CTX_set_params() or + * EVP_PKEY_CTX_get_params() + * 3. fixup_args(POST_CTRL_STR_TO_PARAMS, ...) + * + * With the PRE_CTRL_STR_TO_PARAMS state, + * the fixup_args function is expected to + * modify the passed |*params| in whatever + * way necessary, when |action_type == SET|. + * With the POST_CTRL_STR_TO_PARAMS state, + * the fixup_args function is only expected + * to return a value. + * + * CLEANUP_CTRL_STR_TO_PARAMS The cleanup_args functions has been called + * from EVP_PKEY_CTX_ctrl_str(), to clean up + * what the fixup_args function has done, if + * needed. + * + * PRE_PARAMS_TO_CTRL The fixup_args function has been called + * POST_PARAMS_TO_CTRL from EVP_PKEY_CTX_get_params() or + * EVP_PKEY_CTX_set_params(), to help with + * translating the OSSL_PARAM data to the + * corresponding EVP_PKEY_CTX_ctrl() arguments + * or the other way around. The calling + * sequence is as follows: + * + * 1. fixup_args(PRE_PARAMS_TO_CTRL, ...) + * 2. EVP_PKEY_CTX_ctrl() + * 3. fixup_args(POST_PARAMS_TO_CTRL, ...) + * + * With the PRE_PARAMS_TO_CTRL state, the + * fixup_args function is expected to modify + * the passed |p1| and |p2| in whatever way + * necessary, when |action_type == SET|. + * With the POST_PARAMS_TO_CTRL state, the + * fixup_args function is expected to + * modify the passed |*params| in whatever + * way necessary, when |action_type == GET|. + * + * CLEANUP_PARAMS_TO_CTRL The cleanup_args functions has been called + * from EVP_PKEY_CTX_get_params() or + * EVP_PKEY_CTX_set_params(), to clean up what + * the fixup_args function has done, if needed. + */ +enum state { + PKEY, + PRE_CTRL_TO_PARAMS, POST_CTRL_TO_PARAMS, CLEANUP_CTRL_TO_PARAMS, + PRE_CTRL_STR_TO_PARAMS, POST_CTRL_STR_TO_PARAMS, CLEANUP_CTRL_STR_TO_PARAMS, + PRE_PARAMS_TO_CTRL, POST_PARAMS_TO_CTRL, CLEANUP_PARAMS_TO_CTRL, +}; +enum action { + NONE = 0, GET = 1, SET = 2 +}; +typedef int fixup_args_fn(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx); +typedef int cleanup_args_fn(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx); + +struct translation_ctx_st { + /* + * The EVP_PKEY_CTX, for calls on that structure, to be pilfered for data + * as necessary. + */ + EVP_PKEY_CTX *pctx; + /* + * The action type (GET or SET). This may be 0 in some cases, and should + * be modified by the fixup_args function in the PRE states. It should + * otherwise remain untouched once set. + */ + enum action action_type; + /* + * For ctrl to params translation, the actual ctrl command number used. + * For params to ctrl translation, 0. + */ + int ctrl_cmd; + /* + * For ctrl_str to params translation, the actual ctrl command string + * used. In this case, the (string) value is always passed as |p2|. + * For params to ctrl translation, this is NULL. Along with it is also + * and indicator whether it matched |ctrl_str| or |ctrl_hexstr| in the + * translation item. + */ + const char *ctrl_str; + int ishex; + /* the ctrl-style int argument. */ + int p1; + /* the ctrl-style void* argument. */ + void *p2; + /* a size, for passing back the |p2| size where applicable */ + size_t sz; + /* pointer to the OSSL_PARAM-style params array. */ + OSSL_PARAM *params; + + /*- + * The following are used entirely internally by the fixup_args functions + * and should not be touched by the callers, at all. + */ + + /* + * Copy of the ctrl-style void* argument, if the the fixup_args function + * needs to manipulate |p2| but wants to remember original. + */ + void *orig_p2; + /* Diverse types of storage for the needy. */ + char name_buf[OSSL_MAX_NAME_SIZE]; + void *allocated_buf; + void *bufp; + size_t buflen; +}; + +struct translation_st { + /*- + * What this table item does. + * + * If the item has this set to 0, it means that both GET and SET are + * supported, and |fixup_args| will determine which it is. This is to + * support translations of ctrls where the action type depends on the + * value of |p1| or |p2| (ctrls are really bi-directional, but are + * seldom used that way). + * + * This can be also used in the lookup template when it looks up by + * OSSL_PARAM key, to indicate if a setter or a getter called. + */ + enum action action_type; + + /*- + * Conditions, for params->ctrl translations. + * + * In table item, |keytype1| and |keytype2| can be set to -1 to indicate + * that this item supports all key types (or rather, that |fixup_args| + * will check and return an error if it's not supported). + * Any of these may be set to 0 to indicate that they are unset. + */ + int keytype1; /* The EVP_PKEY_XXX type, i.e. NIDs. #legacy */ + int keytype2; /* Another EVP_PKEY_XXX type, used for aliases */ + int optype; /* The operation type */ + + /* + * Lookup and translation attributes + * + * |ctrl_num|, |ctrl_str|, |ctrl_hexstr| and |param_key| are lookup + * attributes. + * + * |ctrl_num| may be 0 or that |param_key| may be NULL in the table item, + * but not at the same time. If they are, they are simply not used for + * lookup. + * When |ctrl_num| == 0, no ctrl will be called. Likewise, when + * |param_key| == NULL, no OSSL_PARAM setter/getter will be called. + * In that case the treatment of the translation item relies entirely on + * |fixup_args|, which is then assumed to have side effects. + * + * As a special case, it's possible to set |ctrl_hexstr| and assign NULL + * to |ctrl_str|. That will signal to default_fixup_args() that the + * value must always be interpreted as hex. + */ + int ctrl_num; /* EVP_PKEY_CTRL_xxx */ + const char *ctrl_str; /* The corresponding ctrl string */ + const char *ctrl_hexstr; /* The alternative "hex{str}" ctrl string */ + const char *param_key; /* The corresponding OSSL_PARAM key */ + /* + * The appropriate OSSL_PARAM data type. This may be 0 to indicate that + * this OSSL_PARAM may have more than one data type, depending on input + * material. In this case, |fixup_args| is expected to check and handle + * it. + */ + unsigned int param_data_type; + + /* + * Fixer functions + * + * |fixup_args| is always called before (for SET) or after (for GET) + * the actual ctrl / OSSL_PARAM function. + */ + fixup_args_fn *fixup_args; +}; + +/*- + * Fixer function implementations + * ============================== + */ + +/* + * default_check isn't a fixer per se, but rather a helper function to + * perform certain standard checks. + */ +static int default_check(enum state state, + const struct translation_st *translation, + const struct translation_ctx_st *ctx) +{ + switch (state) { + default: + break; + case PRE_CTRL_TO_PARAMS: + if (!ossl_assert(translation != NULL)) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + if (!ossl_assert(translation->param_key != 0) + || !ossl_assert(translation->param_data_type != 0)) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + return -1; + } + break; + case PRE_CTRL_STR_TO_PARAMS: + /* + * For ctrl_str to params translation, we allow direct use of + * OSSL_PARAM keys as ctrl_str keys. Therefore, it's possible that + * we end up with |translation == NULL|, which is fine. The fixup + * function will have to deal with it carefully. + */ + if (translation != NULL) { + if (!ossl_assert(translation->action_type != GET)) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + if (!ossl_assert(translation->param_key != NULL) + || !ossl_assert(translation->param_data_type != 0)) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + return 0; + } + } + break; + case PRE_PARAMS_TO_CTRL: + case POST_PARAMS_TO_CTRL: + if (!ossl_assert(translation != NULL)) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + if (!ossl_assert(translation->ctrl_num != 0) + || !ossl_assert(translation->param_data_type != 0)) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + return -1; + } + } + + /* Nothing else to check */ + return 1; +} + +/*- + * default_fixup_args fixes up all sorts of arguments, governed by the + * diverse attributes in the translation item. It covers all "standard" + * base ctrl functionality, meaning it can handle basic conversion of + * data between p1+p2 (SET) or return value+p2 (GET) as long as the values + * don't have extra semantics (such as NIDs, OIDs, that sort of stuff). + * Extra semantics must be handled via specific fixup_args functions. + * + * The following states and action type combinations have standard handling + * done in this function: + * + * PRE_CTRL_TO_PARAMS, 0 - ERROR. action type must be + * determined by a fixup function. + * PRE_CTRL_TO_PARAMS, SET | GET - |p1| and |p2| are converted to an + * OSSL_PARAM according to the data + * type given in |translattion|. + * For OSSL_PARAM_UNSIGNED_INTEGER, + * a BIGNUM passed as |p2| is accepted. + * POST_CTRL_TO_PARAMS, GET - If the OSSL_PARAM data type is a + * STRING or PTR type, |p1| is set + * to the OSSL_PARAM return size, and + * |p2| is set to the string. + * PRE_CTRL_STR_TO_PARAMS, !SET - ERROR. That combination is not + * supported. + * PRE_CTRL_STR_TO_PARAMS, SET - |p2| is taken as a string, and is + * converted to an OSSL_PARAM in a + * standard manner, guided by the + * param key and data type from + * |translation|. + * PRE_PARAMS_TO_CTRL, SET - the OSSL_PARAM is converted to + * |p1| and |p2| according to the + * data type given in |translation| + * For OSSL_PARAM_UNSIGNED_INTEGER, + * if |p2| is non-NULL, then |*p2| + * is assigned a BIGNUM, otherwise + * |p1| is assigned an unsigned int. + * POST_PARAMS_TO_CTRL, GET - |p1| and |p2| are converted to + * an OSSL_PARAM, in the same manner + * as for the combination of + * PRE_CTRL_TO_PARAMS, SET. + */ +static int default_fixup_args(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret; + + if ((ret = default_check(state, translation, ctx)) < 0) + return ret; + + switch (state) { + default: + /* For states this function should never have been called with */ + ERR_raise_data(ERR_LIB_EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, + "[action:%d, state:%d]", ctx->action_type, state); + return 0; + + /* + * PRE_CTRL_TO_PARAMS and POST_CTRL_TO_PARAMS handle ctrl to params + * translations. PRE_CTRL_TO_PARAMS is responsible for preparing + * |*params|, and POST_CTRL_TO_PARAMS is responsible for bringing the + * result back to |*p2| and the return value. + */ + case PRE_CTRL_TO_PARAMS: + /* This is ctrl to params translation, so we need an OSSL_PARAM key */ + if (ctx->action_type == NONE) { + /* + * No action type is an error here. That's a case for a + * special fixup function. + */ + ERR_raise_data(ERR_LIB_EVP, ERR_R_UNSUPPORTED, + "[action:%d, state:%d]", ctx->action_type, state); + return 0; + } + + if (translation->optype != 0) { + if ((EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx->pctx) + && ctx->pctx->op.sig.sigprovctx == NULL) + || (EVP_PKEY_CTX_IS_DERIVE_OP(ctx->pctx) + && ctx->pctx->op.kex.exchprovctx == NULL) + || (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx->pctx) + && ctx->pctx->op.ciph.ciphprovctx == NULL) + || (EVP_PKEY_CTX_IS_KEM_OP(ctx->pctx) + && ctx->pctx->op.encap.kemprovctx == NULL) + /* + * The following may be unnecessary, but we have them + * for good measure... + */ + || (EVP_PKEY_CTX_IS_GEN_OP(ctx->pctx) + && ctx->pctx->op.keymgmt.genctx == NULL) + || (EVP_PKEY_CTX_IS_FROMDATA_OP(ctx->pctx) + && ctx->pctx->op.keymgmt.genctx == NULL)) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } + } + + /* + * OSSL_PARAM_construct_TYPE() works equally well for both SET and GET. + */ + switch (translation->param_data_type) { + case OSSL_PARAM_INTEGER: + *ctx->params = OSSL_PARAM_construct_int(translation->param_key, + &ctx->p1); + break; + case OSSL_PARAM_UNSIGNED_INTEGER: + /* + * BIGNUMs are passed via |p2|. For all ctrl's that just want + * to pass a simple integer via |p1|, |p2| is expected to be + * NULL. + * + * Note that this allocates a buffer, which the cleanup function + * must deallocate. + */ + if (ctx->p2 != NULL) { + if (ctx->action_type == SET) { + ctx->buflen = BN_num_bytes(ctx->p2); + if ((ctx->allocated_buf = + OPENSSL_malloc(ctx->buflen)) == NULL) { + ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE); + return 0; + } + if (!BN_bn2nativepad(ctx->p2, + ctx->allocated_buf, ctx->buflen)) { + OPENSSL_free(ctx->allocated_buf); + ctx->allocated_buf = NULL; + return 0; + } + *ctx->params = + OSSL_PARAM_construct_BN(translation->param_key, + ctx->allocated_buf, + ctx->buflen); + } else { + /* + * No support for getting a BIGNUM by ctrl, this needs + * fixup_args function support. + */ + ERR_raise_data(ERR_LIB_EVP, ERR_R_UNSUPPORTED, + "[action:%d, state:%d] trying to get a " + "BIGNUM via ctrl call", + ctx->action_type, state); + return 0; + } + } else { + *ctx->params = + OSSL_PARAM_construct_uint(translation->param_key, + (unsigned int *)&ctx->p1); + } + break; + case OSSL_PARAM_UTF8_STRING: + *ctx->params = + OSSL_PARAM_construct_utf8_string(translation->param_key, + ctx->p2, (size_t)ctx->p1); + break; + case OSSL_PARAM_UTF8_PTR: + *ctx->params = + OSSL_PARAM_construct_utf8_ptr(translation->param_key, + ctx->p2, (size_t)ctx->p1); + break; + case OSSL_PARAM_OCTET_STRING: + *ctx->params = + OSSL_PARAM_construct_octet_string(translation->param_key, + ctx->p2, (size_t)ctx->p1); + break; + case OSSL_PARAM_OCTET_PTR: + *ctx->params = + OSSL_PARAM_construct_octet_ptr(translation->param_key, + ctx->p2, (size_t)ctx->p1); + break; + } + break; + case POST_CTRL_TO_PARAMS: + /* + * Because EVP_PKEY_CTX_ctrl() returns the length of certain objects + * as its return value, we need to ensure that we do it here as well, + * for the OSSL_PARAM data types where this makes sense. + */ + if (ctx->action_type == GET) { + switch (translation->param_data_type) { + case OSSL_PARAM_UTF8_STRING: + case OSSL_PARAM_UTF8_PTR: + case OSSL_PARAM_OCTET_STRING: + case OSSL_PARAM_OCTET_PTR: + ctx->p1 = (int)ctx->params[0].return_size; + break; + } + } + break; + + /* + * PRE_CTRL_STR_TO_PARAMS and POST_CTRL_STR_TO_PARAMS handle ctrl_str to + * params translations. PRE_CTRL_TO_PARAMS is responsible for preparing + * |*params|, and POST_CTRL_TO_PARAMS currently has nothing to do, since + * there's no support for getting data via ctrl_str calls. + */ + case PRE_CTRL_STR_TO_PARAMS: + { + /* This is ctrl_str to params translation */ + const char *tmp_ctrl_str = ctx->ctrl_str; + const char *orig_ctrl_str = ctx->ctrl_str; + const char *orig_value = ctx->p2; + const OSSL_PARAM *settable = NULL; + int exists = 0; + + /* Only setting is supported here */ + if (ctx->action_type != SET) { + ERR_raise_data(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED, + "[action:%d, state:%d] only setting allowed", + ctx->action_type, state); + return 0; + } + + /* + * If no translation exists, we simply pass the control string + * unmodified. + */ + if (translation != NULL) { + tmp_ctrl_str = ctx->ctrl_str = translation->param_key; + + if (ctx->ishex) { + strcpy(ctx->name_buf, "hex"); + if (OPENSSL_strlcat(ctx->name_buf, tmp_ctrl_str, + sizeof(ctx->name_buf)) <= 3) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + return -1; + } + tmp_ctrl_str = ctx->name_buf; + } + } + + settable = EVP_PKEY_CTX_settable_params(ctx->pctx); + if (!OSSL_PARAM_allocate_from_text(ctx->params, settable, + tmp_ctrl_str, + ctx->p2, strlen(ctx->p2), + &exists)) { + if (!exists) { + ERR_raise_data(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED, + "[action:%d, state:%d] name=%s, value=%s", + ctx->action_type, state, + orig_ctrl_str, orig_value); + return -2; + } + return 0; + } + ctx->allocated_buf = ctx->params->data; + ctx->buflen = ctx->params->data_size; + } + break; + case POST_CTRL_STR_TO_PARAMS: + /* Nothing to be done */ + break; + + /* + * PRE_PARAMS_TO_CTRL and POST_PARAMS_TO_CTRL handle params to ctrl + * translations. PRE_PARAMS_TO_CTRL is responsible for preparing + * |p1| and |p2|, and POST_PARAMS_TO_CTRL is responsible for bringing + * the EVP_PKEY_CTX_ctrl() return value (passed as |p1|) and |p2| back + * to |*params|. + * + * PKEY is treated just like POST_PARAMS_TO_CTRL, making it easy + * for the related fixup_args functions to just set |p1| and |p2| + * appropriately and leave it to this section of code to fix up + * |ctx->params| accordingly. + */ + case PKEY: + case POST_PARAMS_TO_CTRL: + ret = ctx->p1; + /* FALLTHRU */ + case PRE_PARAMS_TO_CTRL: + { + /* This is params to ctrl translation */ + if (state == PRE_PARAMS_TO_CTRL && ctx->action_type == SET) { + /* For the PRE state, only setting needs some work to be done */ + + /* When setting, we populate |p1| and |p2| from |*params| */ + switch (translation->param_data_type) { + case OSSL_PARAM_INTEGER: + return OSSL_PARAM_get_int(ctx->params, &ctx->p1); + case OSSL_PARAM_UNSIGNED_INTEGER: + if (ctx->p2 != NULL) { + /* BIGNUM passed down with p2 */ + if (!OSSL_PARAM_get_BN(ctx->params, ctx->p2)) + return 0; + } else { + /* Normal C unsigned int passed down */ + if (!OSSL_PARAM_get_uint(ctx->params, + (unsigned int *)&ctx->p1)) + return 0; + } + return 1; + case OSSL_PARAM_UTF8_STRING: + return OSSL_PARAM_get_utf8_string(ctx->params, + ctx->p2, ctx->sz); + case OSSL_PARAM_OCTET_STRING: + return OSSL_PARAM_get_octet_string(ctx->params, + ctx->p2, ctx->sz, + &ctx->sz); + case OSSL_PARAM_OCTET_PTR: + return OSSL_PARAM_get_octet_ptr(ctx->params, + ctx->p2, &ctx->sz); + default: + ERR_raise_data(ERR_LIB_EVP, ERR_R_UNSUPPORTED, + "[action:%d, state:%d] " + "unknown OSSL_PARAM data type %d", + ctx->action_type, state, + translation->param_data_type); + return 0; + } + } else if ((state == POST_PARAMS_TO_CTRL || state == PKEY) + && ctx->action_type == GET) { + /* For the POST state, only getting needs some work to be done */ + + /* When getting, we populate |*params| from |p1| and |p2| */ + switch (translation->param_data_type) { + case OSSL_PARAM_INTEGER: + return OSSL_PARAM_set_int(ctx->params, ctx->p1); + case OSSL_PARAM_UNSIGNED_INTEGER: + if (ctx->p2 != NULL) { + /* BIGNUM passed back */ + return OSSL_PARAM_set_BN(ctx->params, ctx->p2); + } else { + /* Normal C unsigned int passed back */ + return OSSL_PARAM_set_uint(ctx->params, + (unsigned int)ctx->p1); + } + return 0; + case OSSL_PARAM_UTF8_STRING: + return OSSL_PARAM_set_utf8_string(ctx->params, ctx->p2); + case OSSL_PARAM_OCTET_STRING: + return OSSL_PARAM_set_octet_string(ctx->params, ctx->p2, + (size_t)ctx->p1); + case OSSL_PARAM_OCTET_PTR: + return OSSL_PARAM_set_octet_ptr(ctx->params, ctx->p2, + (size_t)ctx->p1); + default: + ERR_raise_data(ERR_LIB_EVP, ERR_R_UNSUPPORTED, + "[action:%d, state:%d] " + "unsupported OSSL_PARAM data type %d", + ctx->action_type, state, + translation->param_data_type); + return 0; + } + } + } + /* Any other combination is simply pass-through */ + break; + } + return ret; +} + +static int +cleanup_translation_ctx(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + if (ctx->allocated_buf != NULL) + OPENSSL_free(ctx->allocated_buf); + ctx->allocated_buf = NULL; + return 1; +} + +/* + * fix_cipher_md fixes up an EVP_CIPHER / EVP_MD to its name on SET, + * and cipher / md name to EVP_MD on GET. + */ +static const char *get_cipher_name(void *cipher) +{ + return EVP_CIPHER_name(cipher); +} + +static const char *get_md_name(void *md) +{ + return EVP_MD_name(md); +} + +static const void *get_cipher_by_name(OSSL_LIB_CTX *libctx, const char *name) +{ + return evp_get_cipherbyname_ex(libctx, name); +} + +static const void *get_md_by_name(OSSL_LIB_CTX *libctx, const char *name) +{ + return evp_get_digestbyname_ex(libctx, name); +} + +static int fix_cipher_md(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx, + const char *(*get_name)(void *algo), + const void *(*get_algo_by_name)(OSSL_LIB_CTX *libctx, + const char *name)) +{ + int ret = 1; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_CTRL_TO_PARAMS && ctx->action_type == GET) { + /* + * |ctx->p2| contains the address to an EVP_CIPHER or EVP_MD pointer + * to be filled in. We need to remember it, then make |ctx->p2| + * point at a buffer to be filled in with the name, and |ctx->p1| + * with its size. default_fixup_args() will take care of the rest + * for us. + */ + ctx->orig_p2 = ctx->p2; + ctx->p2 = ctx->name_buf; + ctx->p1 = sizeof(ctx->name_buf); + } else if (state == PRE_CTRL_TO_PARAMS && ctx->action_type == SET) { + /* + * In different parts of OpenSSL, this ctrl command is used + * differently. Some calls pass a NID as p1, others pass an + * EVP_CIPHER pointer as p2... + */ + ctx->p2 = (char *)(ctx->p2 == NULL + ? OBJ_nid2sn(ctx->p1) + : get_name(ctx->p2)); + ctx->p1 = strlen(ctx->p2); + } else if (state == POST_PARAMS_TO_CTRL && ctx->action_type == GET) { + ctx->p2 = (ctx->p2 == NULL ? "" : (char *)get_name(ctx->p2)); + ctx->p1 = strlen(ctx->p2); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == POST_CTRL_TO_PARAMS && ctx->action_type == GET) { + /* + * Here's how we re-use |ctx->orig_p2| that was set in the + * PRE_CTRL_TO_PARAMS state above. + */ + *(void **)ctx->orig_p2 = + (void *)get_algo_by_name(ctx->pctx->libctx, ctx->p2); + ctx->p1 = 1; + } else if (state == PRE_PARAMS_TO_CTRL && ctx->action_type == SET) { + ctx->p2 = (void *)get_algo_by_name(ctx->pctx->libctx, ctx->p2); + ctx->p1 = 0; + } + + return ret; +} + +static int fix_cipher(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + return fix_cipher_md(state, translation, ctx, + get_cipher_name, get_cipher_by_name); +} + +static int fix_md(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + return fix_cipher_md(state, translation, ctx, + get_md_name, get_md_by_name); +} + +static int fix_distid_len(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret = default_fixup_args(state, translation, ctx); + + if (ret > 0) { + ret = 0; + if ((state == POST_CTRL_TO_PARAMS + || state == POST_CTRL_STR_TO_PARAMS) && ctx->action_type == GET) { + *(size_t *)ctx->p2 = ctx->sz; + ret = 1; + } + } + return ret; +} + +struct kdf_type_map_st { + int kdf_type_num; + const char *kdf_type_str; +}; + +static int fix_kdf_type(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx, + const struct kdf_type_map_st *kdf_type_map) +{ + /* + * The EVP_PKEY_CTRL_DH_KDF_TYPE ctrl command is a bit special, in + * that it's used both for setting a value, and for getting it, all + * depending on the value if |p1|; if |p1| is -2, the backend is + * supposed to place the current kdf type in |p2|, and if not, |p1| + * is interpreted as the new kdf type. + */ + int ret = 0; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_CTRL_TO_PARAMS) { + /* + * In |translations|, the initial value for |ctx->action_type| must + * be NONE. + */ + if (!ossl_assert(ctx->action_type == NONE)) + return 0; + + /* The action type depends on the value of *p1 */ + if (ctx->p1 == -2) { + /* + * The OSSL_PARAMS getter needs space to store a copy of the kdf + * type string. We use |ctx->name_buf|, which has enough space + * allocated. + * + * (this wouldn't be needed if the OSSL_xxx_PARAM_KDF_TYPE + * had the data type OSSL_PARAM_UTF8_PTR) + */ + ctx->p2 = ctx->name_buf; + ctx->p1 = sizeof(ctx->name_buf); + ctx->action_type = GET; + } else { + ctx->action_type = SET; + } + } + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if ((state == PRE_CTRL_TO_PARAMS && ctx->action_type == SET) + || (state == POST_PARAMS_TO_CTRL && ctx->action_type == GET)) { + ret = -2; + /* Convert KDF type numbers to strings */ + for (; kdf_type_map->kdf_type_str != NULL; kdf_type_map++) + if (ctx->p1 == kdf_type_map->kdf_type_num) { + ctx->p2 = (char *)kdf_type_map->kdf_type_str; + ret = 1; + break; + } + if (ret <= 0) + goto end; + ctx->p1 = strlen(ctx->p2); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if ((state == POST_CTRL_TO_PARAMS && ctx->action_type == GET) + || (state == PRE_PARAMS_TO_CTRL && ctx->action_type == SET)) { + ctx->p1 = ret = -1; + + /* Convert KDF type strings to numbers */ + for (; kdf_type_map->kdf_type_str != NULL; kdf_type_map++) + if (strcmp(ctx->p2, kdf_type_map->kdf_type_str) == 0) { + ctx->p1 = kdf_type_map->kdf_type_num; + ret = 1; + break; + } + ctx->p2 = NULL; + } else if (state == PRE_PARAMS_TO_CTRL && ctx->action_type == GET) { + ctx->p1 = -2; + } + end: + return ret; +} + +/* EVP_PKEY_CTRL_DH_KDF_TYPE */ +static int fix_dh_kdf_type(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + static const struct kdf_type_map_st kdf_type_map[] = { + { EVP_PKEY_DH_KDF_NONE, "" }, + { EVP_PKEY_DH_KDF_X9_42, OSSL_KDF_NAME_X942KDF_ASN1 }, + { 0, NULL } + }; + + return fix_kdf_type(state, translation, ctx, kdf_type_map); +} + +/* EVP_PKEY_CTRL_EC_KDF_TYPE */ +static int fix_ec_kdf_type(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + static const struct kdf_type_map_st kdf_type_map[] = { + { EVP_PKEY_ECDH_KDF_NONE, "" }, + { EVP_PKEY_ECDH_KDF_X9_63, OSSL_KDF_NAME_X963KDF }, + { 0, NULL } + }; + + return fix_kdf_type(state, translation, ctx, kdf_type_map); +} + +/* EVP_PKEY_CTRL_DH_KDF_OID, EVP_PKEY_CTRL_GET_DH_KDF_OID, ...??? */ +static int fix_oid(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if ((state == PRE_CTRL_TO_PARAMS && ctx->action_type == SET) + || (state == POST_PARAMS_TO_CTRL && ctx->action_type == GET)) { + /* + * We're translating from ctrl to params and setting the OID, or + * we're translating from params to ctrl and getting the OID. + * Either way, |ctx->p2| points at an ASN1_OBJECT, and needs to have + * that replaced with the corresponding name. + * default_fixup_args() will then be able to convert that to the + * corresponding OSSL_PARAM. + */ + ctx->p2 = (char *)OBJ_nid2sn(OBJ_obj2nid(ctx->p2)); + ctx->p1 = 0; /* let default_fixup_args() figure out the length */ + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if ((state == PRE_PARAMS_TO_CTRL && ctx->action_type == SET) + || (state == POST_CTRL_TO_PARAMS && ctx->action_type == GET)) { + /* + * We're translating from ctrl to params and setting the OID name, + * or we're translating from params to ctrl and getting the OID + * name. Either way, default_fixup_args() has placed the OID name + * in |ctx->p2|, all we need to do now is to replace that with the + * corresponding ASN1_OBJECT. + */ + ctx->p2 = (ASN1_OBJECT *)OBJ_txt2obj(ctx->p2, 0); + } + + return ret; +} + +/* EVP_PKEY_CTRL_DH_NID, ...??? */ +static int fix_dh_nid(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + /* This is currently only settable */ + if (ctx->action_type != SET) + return 0; + + if (state == PRE_CTRL_TO_PARAMS) { + ctx->p2 = (char *)ossl_ffc_named_group_get_name + (ossl_ffc_uid_to_dh_named_group(ctx->p1)); + ctx->p1 = 0; + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_PARAMS_TO_CTRL) { + ctx->p1 = + ossl_ffc_named_group_get_uid(ossl_ffc_name_to_dh_named_group(ctx->p2)); + ctx->p2 = NULL; + } + + return ret; +} + +/* EVP_PKEY_CTRL_DH_PARAMGEN_TYPE */ +static int fix_dh_paramgen_type(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + /* This is currently only settable */ + if (ctx->action_type != SET) + return 0; + + if (state == PRE_CTRL_TO_PARAMS) { + ctx->p2 = (char *)dh_gen_type_id2name(ctx->p1); + ctx->p1 = 0; + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_PARAMS_TO_CTRL) { + ctx->p1 = dh_gen_type_name2id(ctx->p2); + ctx->p2 = NULL; + } + + return ret; +} + +/* EVP_PKEY_CTRL_EC_PARAM_ENC */ +static int fix_ec_param_enc(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + /* This is currently only settable */ + if (ctx->action_type != SET) + return 0; + + if (state == PRE_CTRL_TO_PARAMS) { + switch (ctx->p1) { + case OPENSSL_EC_EXPLICIT_CURVE: + ctx->p2 = OSSL_PKEY_EC_ENCODING_EXPLICIT; + break; + case OPENSSL_EC_NAMED_CURVE: + ctx->p2 = OSSL_PKEY_EC_ENCODING_GROUP; + break; + default: + ret = -2; + goto end; + } + ctx->p1 = 0; + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_PARAMS_TO_CTRL) { + if (strcmp(ctx->p2, OSSL_PKEY_EC_ENCODING_EXPLICIT) == 0) + ctx->p1 = OPENSSL_EC_EXPLICIT_CURVE; + else if (strcmp(ctx->p2, OSSL_PKEY_EC_ENCODING_GROUP) == 0) + ctx->p1 = OPENSSL_EC_NAMED_CURVE; + else + ctx->p1 = ret = -2; + ctx->p2 = NULL; + } + + end: + if (ret == -2) + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return ret; +} + +/* EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID */ +static int fix_ec_paramgen_curve_nid(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + /* This is currently only settable */ + if (ctx->action_type != SET) + return 0; + + if (state == PRE_CTRL_TO_PARAMS) { + ctx->p2 = (char *)OBJ_nid2sn(ctx->p1); + ctx->p1 = 0; + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_PARAMS_TO_CTRL) { + ctx->p1 = OBJ_sn2nid(ctx->p2); + ctx->p2 = NULL; + } + + return ret; +} + +/* EVP_PKEY_CTRL_EC_ECDH_COFACTOR */ +static int fix_ecdh_cofactor(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + /* + * The EVP_PKEY_CTRL_EC_ECDH_COFACTOR ctrl command is a bit special, in + * that it's used both for setting a value, and for getting it, all + * depending on the value if |ctx->p1|; if |ctx->p1| is -2, the backend is + * supposed to place the current cofactor mode in |ctx->p2|, and if not, + * |ctx->p1| is interpreted as the new cofactor mode. + */ + int ret = 0; + + if (state == PRE_CTRL_TO_PARAMS) { + /* + * The initial value for |ctx->action_type| must be zero. + * evp_pkey_ctrl_to_params() takes it from the translation item. + */ + if (!ossl_assert(ctx->action_type == NONE)) + return 0; + + /* The action type depends on the value of ctx->p1 */ + if (ctx->p1 == -2) + ctx->action_type = GET; + else + ctx->action_type = SET; + } else if (state == PRE_CTRL_STR_TO_PARAMS) { + ctx->action_type = SET; + } else if (state == PRE_PARAMS_TO_CTRL) { + /* The initial value for |ctx->action_type| must not be zero. */ + if (!ossl_assert(ctx->action_type != NONE)) + return 0; + } + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_CTRL_TO_PARAMS && ctx->action_type == SET) { + if (ctx->p1 < -1 || ctx->p1 > 1) { + /* Uses the same return value of pkey_ec_ctrl() */ + return -2; + } + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == POST_CTRL_TO_PARAMS && ctx->action_type == GET) { + if (ctx->p1 < 0 || ctx->p1 > 1) { + /* + * The provider should return either 0 or 1, any other value is a + * provider error. + */ + ctx->p1 = ret = -1; + } + } else if (state == PRE_PARAMS_TO_CTRL && ctx->action_type == GET) { + ctx->p1 = -2; + } + + return ret; +} + +/* EVP_PKEY_CTRL_RSA_PADDING, EVP_PKEY_CTRL_GET_RSA_PADDING */ +static int fix_rsa_padding_mode(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + static const OSSL_ITEM str_value_map[] = { + { RSA_PKCS1_PADDING, "pkcs1" }, + { RSA_SSLV23_PADDING, "sslv23" }, + { RSA_NO_PADDING, "none" }, + { RSA_PKCS1_OAEP_PADDING, "oaep" }, + { RSA_PKCS1_OAEP_PADDING, "oeap" }, + { RSA_X931_PADDING, "x931" }, + { RSA_PKCS1_PSS_PADDING, "pss" }, + /* Special case, will pass directly as an integer */ + { RSA_PKCS1_WITH_TLS_PADDING, NULL } + }; + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_CTRL_TO_PARAMS && ctx->action_type == GET) { + /* + * EVP_PKEY_CTRL_GET_RSA_PADDING returns the padding mode in the + * weirdest way for a ctrl. Instead of doing like all other ctrls + * that return a simple, i.e. just have that as a return value, + * this particular ctrl treats p2 as the address for the int to be + * returned. We must therefore remember |ctx->p2|, then make + * |ctx->p2| point at a buffer to be filled in with the name, and + * |ctx->p1| with its size. default_fixup_args() will take care + * of the rest for us, along with the POST_CTRL_TO_PARAMS && GET + * code section further down. + */ + ctx->orig_p2 = ctx->p2; + ctx->p2 = ctx->name_buf; + ctx->p1 = sizeof(ctx->name_buf); + } else if (state == PRE_CTRL_TO_PARAMS && ctx->action_type == SET) { + /* + * Ideally, we should use utf8 strings for the diverse padding modes. + * We only came here because someone called EVP_PKEY_CTX_ctrl(), + * though, and since that can reasonably be seen as legacy code + * that uses the diverse RSA macros for the padding mode, and we + * know that at least our providers can handle the numeric modes, + * we take the cheap route for now. + * + * The other solution would be to match |ctx->p1| against entries + * in str_value_map and pass the corresponding string. However, + * since we don't have a string for RSA_PKCS1_WITH_TLS_PADDING, + * we have to do this same hack at least for that one. + * + * Since the "official" data type for the RSA padding mode is utf8 + * string, we cannot count on default_fixup_args(). Instead, we + * build the OSSL_PARAM item ourselves and return immediately. + */ + ctx->params[0] = OSSL_PARAM_construct_int(translation->param_key, + &ctx->p1); + return 1; + } else if (state == POST_PARAMS_TO_CTRL && ctx->action_type == GET) { + size_t i; + + /* + * The EVP_PKEY_CTX_get_params() caller may have asked for a utf8 + * string, or may have asked for an integer of some sort. If they + * ask for an integer, we respond directly. If not, we translate + * the response from the ctrl function into a string. + */ + switch (ctx->params->data_type) { + case OSSL_PARAM_INTEGER: + return OSSL_PARAM_get_int(ctx->params, &ctx->p1); + case OSSL_PARAM_UNSIGNED_INTEGER: + return OSSL_PARAM_get_uint(ctx->params, (unsigned int *)&ctx->p1); + default: + break; + } + + for (i = 0; i < OSSL_NELEM(str_value_map); i++) { + if (ctx->p1 == (int)str_value_map[i].id) + break; + } + if (i == OSSL_NELEM(str_value_map)) { + ERR_raise_data(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE, + "[action:%d, state:%d] padding number %d", + ctx->action_type, state, ctx->p1); + return -2; + } + /* + * If we don't have a string, we can't do anything. The caller + * should have asked for a number... + */ + if (str_value_map[i].ptr == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + ctx->p2 = str_value_map[i].ptr; + ctx->p1 = strlen(ctx->p2); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL) + || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) { + size_t i; + + for (i = 0; i < OSSL_NELEM(str_value_map); i++) { + if (strcmp(ctx->p2, str_value_map[i].ptr) == 0) + break; + } + + if (i == OSSL_NELEM(str_value_map)) { + ERR_raise_data(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE, + "[action:%d, state:%d] padding name %s", + ctx->action_type, state, ctx->p1); + ctx->p1 = ret = -2; + } else if (state == POST_CTRL_TO_PARAMS) { + /* EVP_PKEY_CTRL_GET_RSA_PADDING weirdness explained further up */ + *(int *)ctx->orig_p2 = str_value_map[i].id; + } else { + ctx->p1 = str_value_map[i].id; + } + ctx->p2 = NULL; + } + + return ret; +} + +/* EVP_PKEY_CTRL_RSA_PSS_SALTLEN, EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN */ +static int fix_rsa_pss_saltlen(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + static const OSSL_ITEM str_value_map[] = { + { (unsigned int)RSA_PSS_SALTLEN_DIGEST, "digest" }, + { (unsigned int)RSA_PSS_SALTLEN_MAX, "max" }, + { (unsigned int)RSA_PSS_SALTLEN_AUTO, "auto" } + }; + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_CTRL_TO_PARAMS && ctx->action_type == GET) { + /* + * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN returns the saltlen by filling + * in the int pointed at by p2. This is potentially as weird as + * the way EVP_PKEY_CTRL_GET_RSA_PADDING works, except that saltlen + * might be a negative value, so it wouldn't work as a legitimate + * return value. + * In any case, we must therefore remember |ctx->p2|, then make + * |ctx->p2| point at a buffer to be filled in with the name, and + * |ctx->p1| with its size. default_fixup_args() will take care + * of the rest for us, along with the POST_CTRL_TO_PARAMS && GET + * code section further down. + */ + ctx->orig_p2 = ctx->p2; + ctx->p2 = ctx->name_buf; + ctx->p1 = sizeof(ctx->name_buf); + } else if ((ctx->action_type == SET && state == PRE_CTRL_TO_PARAMS) + || (ctx->action_type == GET && state == POST_PARAMS_TO_CTRL)) { + size_t i; + + for (i = 0; i < OSSL_NELEM(str_value_map); i++) { + if (ctx->p1 == (int)str_value_map[i].id) + break; + } + if (i == OSSL_NELEM(str_value_map)) { + BIO_snprintf(ctx->name_buf, 5, "%d", ctx->p1); + } else { + strcpy(ctx->name_buf, str_value_map[i].ptr); + } + ctx->p2 = ctx->name_buf; + ctx->p1 = strlen(ctx->p2); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL) + || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) { + size_t i; + + for (i = 0; i < OSSL_NELEM(str_value_map); i++) { + if (strcmp(ctx->p2, str_value_map[i].ptr) == 0) + break; + } + if (i == OSSL_NELEM(str_value_map)) { + ctx->p1 = atoi(ctx->p2); + } else if (state == POST_CTRL_TO_PARAMS) { + /* + * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further + * up + */ + *(int *)ctx->orig_p2 = str_value_map[i].id; + } else { + ctx->p1 = (int)str_value_map[i].id; + } + ctx->p2 = NULL; + } + + return ret; +} + +/* EVP_PKEY_CTRL_HKDF_MODE */ +static int fix_hkdf_mode(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + static const OSSL_ITEM str_value_map[] = { + { EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND, "EXTRACT_AND_EXPAND" }, + { EVP_KDF_HKDF_MODE_EXTRACT_ONLY, "EXTRACT_ONLY" }, + { EVP_KDF_HKDF_MODE_EXPAND_ONLY, "EXPAND_ONLY" } + }; + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) + return ret; + + if ((ctx->action_type == SET && state == PRE_CTRL_TO_PARAMS) + || (ctx->action_type == GET && state == POST_PARAMS_TO_CTRL)) { + size_t i; + + for (i = 0; i < OSSL_NELEM(str_value_map); i++) { + if (ctx->p1 == (int)str_value_map[i].id) + break; + } + if (i == OSSL_NELEM(str_value_map)) + return 0; + ctx->p2 = str_value_map[i].ptr; + ctx->p1 = strlen(ctx->p2); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL) + || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) { + size_t i; + + for (i = 0; i < OSSL_NELEM(str_value_map); i++) { + if (strcmp(ctx->p2, str_value_map[i].ptr) == 0) + break; + } + if (i == OSSL_NELEM(str_value_map)) + return 0; + if (state == POST_CTRL_TO_PARAMS) + ret = str_value_map[i].id; + else + ctx->p1 = str_value_map[i].id; + ctx->p2 = NULL; + } + + return 1; +} + +static int hack_pkcs7_cms(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret = 1; + + /* Make sure that this has no further effect */ + ctx->action_type = 0; + + switch (state) { + case PRE_CTRL_TO_PARAMS: + /* TODO (3.0) Temporary hack, this should probe */ + if (EVP_PKEY_is_a(EVP_PKEY_CTX_get0_pkey(ctx->pctx), "RSASSA-PSS")) { + ERR_raise(ERR_LIB_EVP, + EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + ret = -2; + } + break; + case POST_CTRL_TO_PARAMS: + break; + default: + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + ret = -2; + break; + } + return ret; +} + +/*- + * Payload getters + * =============== + * + * These all get the data they want, then call default_fixup_args() as + * a post-ctrl GET fixup. They all get NULL ctx, ctrl_cmd, ctrl_str, + * p1, sz + */ + +/* Pilfering DH, DSA and EC_KEY */ +static int get_payload_group_name(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + EVP_PKEY *pkey = ctx->p2; + + ctx->p2 = NULL; + switch (EVP_PKEY_base_id(pkey)) { +#ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + { + DH *dh = EVP_PKEY_get0_DH(pkey); + int uid = DH_get_nid(dh); + + if (uid != NID_undef) { + const DH_NAMED_GROUP *dh_group = + ossl_ffc_uid_to_dh_named_group(uid); + + ctx->p2 = (char *)ossl_ffc_named_group_get_name(dh_group); + } + } + break; +#endif +#ifndef OPENSSL_NO_EC + case EVP_PKEY_EC: + { + const EC_GROUP *grp = + EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey)); + int nid = NID_undef; + + if (grp != NULL) + nid = EC_GROUP_get_curve_name(grp); + if (nid != NID_undef) + ctx->p2 = (char *)ec_curve_nid2name(nid); + } + break; +#endif + default: + ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE); + return 0; + } + + if (ctx->p2 != NULL) + ctx->p1 = strlen(ctx->p2); + return default_fixup_args(state, translation, ctx); +} + +static int get_payload_private_key(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + EVP_PKEY *pkey = ctx->p2; + + ctx->p2 = NULL; + if (ctx->params->data_type != OSSL_PARAM_UNSIGNED_INTEGER) + return 0; + + switch (EVP_PKEY_base_id(pkey)) { +#ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + { + DH *dh = EVP_PKEY_get0_DH(pkey); + + ctx->p2 = (BIGNUM *)DH_get0_priv_key(dh); + } + break; +#endif +#ifndef OPENSSL_NO_EC + case EVP_PKEY_EC: + { + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); + + ctx->p2 = (BIGNUM *)EC_KEY_get0_private_key(ec); + } + break; +#endif + default: + ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE); + return 0; + } + + return default_fixup_args(state, translation, ctx); +} + +static int get_payload_public_key(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + EVP_PKEY *pkey = ctx->p2; + unsigned char *buf = NULL; + int ret; + + ctx->p2 = NULL; + switch (EVP_PKEY_base_id(pkey)) { +#ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + switch (ctx->params->data_type) { + case OSSL_PARAM_OCTET_STRING: + ctx->sz = dh_key2buf(EVP_PKEY_get0_DH(pkey), &buf, 0, 1); + ctx->p2 = buf; + break; + case OSSL_PARAM_UNSIGNED_INTEGER: + ctx->p2 = (void *)DH_get0_pub_key(EVP_PKEY_get0_DH(pkey)); + break; + default: + return 0; + } + break; +#endif +#ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + if (ctx->params->data_type == OSSL_PARAM_UNSIGNED_INTEGER) { + ctx->p2 = (void *)DSA_get0_pub_key(EVP_PKEY_get0_DSA(pkey)); + break; + } + return 0; +#endif +#ifndef OPENSSL_NO_EC + case EVP_PKEY_EC: + if (ctx->params->data_type == OSSL_PARAM_OCTET_STRING) { + EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); + BN_CTX *bnctx = BN_CTX_new_ex(ec_key_get_libctx(eckey)); + const EC_GROUP *ecg = EC_KEY_get0_group(eckey); + const EC_POINT *point = EC_KEY_get0_public_key(eckey); + + ctx->sz = EC_POINT_point2buf(ecg, point, + POINT_CONVERSION_COMPRESSED, + &buf, bnctx); + ctx->p2 = buf; + break; + } + return 0; +#endif + default: + ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE); + return 0; + } + + ret = default_fixup_args(state, translation, ctx); + OPENSSL_free(buf); + return ret; +} + +static int get_payload_bn(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx, const BIGNUM *bn) +{ + if (bn == NULL) + return 0; + if (ctx->params->data_type != OSSL_PARAM_UNSIGNED_INTEGER) + return 0; + ctx->p2 = (BIGNUM *)bn; + + return default_fixup_args(state, translation, ctx); +} + +static int get_dh_dsa_payload_p(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + const BIGNUM *bn = NULL; + EVP_PKEY *pkey = ctx->p2; + + switch (EVP_PKEY_base_id(pkey)) { +#ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + bn = DH_get0_p(EVP_PKEY_get0_DH(pkey)); + break; +#endif +#ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + bn = DSA_get0_p(EVP_PKEY_get0_DSA(pkey)); + break; +#endif + default: + ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE); + } + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_dh_dsa_payload_q(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + const BIGNUM *bn = NULL; + + switch (EVP_PKEY_base_id(ctx->p2)) { +#ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + bn = DH_get0_q(EVP_PKEY_get0_DH(ctx->p2)); + break; +#endif +#ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + bn = DSA_get0_q(EVP_PKEY_get0_DSA(ctx->p2)); + break; +#endif + } + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_dh_dsa_payload_g(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + const BIGNUM *bn = NULL; + + switch (EVP_PKEY_base_id(ctx->p2)) { +#ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + bn = DH_get0_g(EVP_PKEY_get0_DH(ctx->p2)); + break; +#endif +#ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + bn = DSA_get0_g(EVP_PKEY_get0_DSA(ctx->p2)); + break; +#endif + } + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_rsa_payload_n(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + const BIGNUM *bn = NULL; + + if (EVP_PKEY_base_id(ctx->p2) != EVP_PKEY_RSA) + return 0; + bn = RSA_get0_n(EVP_PKEY_get0_RSA(ctx->p2)); + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_rsa_payload_e(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + const BIGNUM *bn = NULL; + + if (EVP_PKEY_base_id(ctx->p2) != EVP_PKEY_RSA) + return 0; + bn = RSA_get0_e(EVP_PKEY_get0_RSA(ctx->p2)); + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_rsa_payload_d(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + const BIGNUM *bn = NULL; + + if (EVP_PKEY_base_id(ctx->p2) != EVP_PKEY_RSA) + return 0; + bn = RSA_get0_d(EVP_PKEY_get0_RSA(ctx->p2)); + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_rsa_payload_factor(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx, + size_t factornum) +{ + const RSA *r = EVP_PKEY_get0_RSA(ctx->p2); + const BIGNUM *bn = NULL; + + switch (factornum) { + case 0: + bn = RSA_get0_p(r); + break; + case 1: + bn = RSA_get0_q(r); + break; + default: + { + size_t pnum = RSA_get_multi_prime_extra_count(r); + const BIGNUM *factors[10]; + + if (factornum - 2 < pnum + && RSA_get0_multi_prime_factors(r, factors)) + bn = factors[factornum - 2]; + } + break; + } + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_rsa_payload_exponent(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx, + size_t exponentnum) +{ + const RSA *r = EVP_PKEY_get0_RSA(ctx->p2); + const BIGNUM *bn = NULL; + + switch (exponentnum) { + case 0: + bn = RSA_get0_dmp1(r); + break; + case 1: + bn = RSA_get0_dmq1(r); + break; + default: + { + size_t pnum = RSA_get_multi_prime_extra_count(r); + const BIGNUM *exps[10], *coeffs[10]; + + if (exponentnum - 2 < pnum + && RSA_get0_multi_prime_crt_params(r, exps, coeffs)) + bn = exps[exponentnum - 2]; + } + break; + } + + return get_payload_bn(state, translation, ctx, bn); +} + +static int get_rsa_payload_coefficient(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx, + size_t coefficientnum) +{ + const RSA *r = EVP_PKEY_get0_RSA(ctx->p2); + const BIGNUM *bn = NULL; + + switch (coefficientnum) { + case 0: + bn = RSA_get0_iqmp(r); + break; + default: + { + size_t pnum = RSA_get_multi_prime_extra_count(r); + const BIGNUM *exps[10], *coeffs[10]; + + if (coefficientnum - 1 < pnum + && RSA_get0_multi_prime_crt_params(r, exps, coeffs)) + bn = coeffs[coefficientnum - 1]; + } + break; + } + + return get_payload_bn(state, translation, ctx, bn); +} + +#define IMPL_GET_RSA_PAYLOAD_FACTOR(n) \ + static int \ + get_rsa_payload_f##n(enum state state, \ + const struct translation_st *translation, \ + struct translation_ctx_st *ctx) \ + { \ + if (EVP_PKEY_base_id(ctx->p2) != EVP_PKEY_RSA) \ + return 0; \ + return get_rsa_payload_factor(state, translation, ctx, n - 1); \ + } + +#define IMPL_GET_RSA_PAYLOAD_EXPONENT(n) \ + static int \ + get_rsa_payload_e##n(enum state state, \ + const struct translation_st *translation, \ + struct translation_ctx_st *ctx) \ + { \ + if (EVP_PKEY_base_id(ctx->p2) != EVP_PKEY_RSA) \ + return 0; \ + return get_rsa_payload_exponent(state, translation, ctx, \ + n - 1); \ + } + +#define IMPL_GET_RSA_PAYLOAD_COEFFICIENT(n) \ + static int \ + get_rsa_payload_c##n(enum state state, \ + const struct translation_st *translation, \ + struct translation_ctx_st *ctx) \ + { \ + if (EVP_PKEY_base_id(ctx->p2) != EVP_PKEY_RSA) \ + return 0; \ + return get_rsa_payload_coefficient(state, translation, ctx, \ + n - 1); \ + } + +IMPL_GET_RSA_PAYLOAD_FACTOR(1) +IMPL_GET_RSA_PAYLOAD_FACTOR(2) +IMPL_GET_RSA_PAYLOAD_FACTOR(3) +IMPL_GET_RSA_PAYLOAD_FACTOR(4) +IMPL_GET_RSA_PAYLOAD_FACTOR(5) +IMPL_GET_RSA_PAYLOAD_FACTOR(6) +IMPL_GET_RSA_PAYLOAD_FACTOR(7) +IMPL_GET_RSA_PAYLOAD_FACTOR(8) +IMPL_GET_RSA_PAYLOAD_FACTOR(9) +IMPL_GET_RSA_PAYLOAD_FACTOR(10) +IMPL_GET_RSA_PAYLOAD_EXPONENT(1) +IMPL_GET_RSA_PAYLOAD_EXPONENT(2) +IMPL_GET_RSA_PAYLOAD_EXPONENT(3) +IMPL_GET_RSA_PAYLOAD_EXPONENT(4) +IMPL_GET_RSA_PAYLOAD_EXPONENT(5) +IMPL_GET_RSA_PAYLOAD_EXPONENT(6) +IMPL_GET_RSA_PAYLOAD_EXPONENT(7) +IMPL_GET_RSA_PAYLOAD_EXPONENT(8) +IMPL_GET_RSA_PAYLOAD_EXPONENT(9) +IMPL_GET_RSA_PAYLOAD_EXPONENT(10) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(1) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(2) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(3) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(4) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(5) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(6) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(7) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(8) +IMPL_GET_RSA_PAYLOAD_COEFFICIENT(9) + +/*- + * The translation table itself + * ============================ + */ + +static const struct translation_st evp_pkey_ctx_translations[] = { + /* + * DistID: we pass it to the backend as an octet string, + * but get it back as a pointer to an octet string. + * + * Note that the EVP_PKEY_CTRL_GET1_ID_LEN is purely for legacy purposes + * that has no separate counterpart in OSSL_PARAM terms, since we get + * the length of the DistID automatically when getting the DistID itself. + */ + { SET, -1, -1, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_SET1_ID, "distid", "hexdistid", + OSSL_PKEY_PARAM_DIST_ID, OSSL_PARAM_OCTET_STRING, NULL }, + { GET, -1, -1, -1, + EVP_PKEY_CTRL_GET1_ID, "distid", "hexdistid", + OSSL_PKEY_PARAM_DIST_ID, OSSL_PARAM_OCTET_PTR, NULL }, + { GET, -1, -1, -1, + EVP_PKEY_CTRL_GET1_ID_LEN, NULL, NULL, + OSSL_PKEY_PARAM_DIST_ID, OSSL_PARAM_OCTET_PTR, fix_distid_len }, + + /*- + * DH & DHX + * ======== + */ + + /* + * EVP_PKEY_CTRL_DH_KDF_TYPE is used both for setting and getting. The + * fixup function has to handle this... + */ + { NONE, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_TYPE, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_TYPE, OSSL_PARAM_UTF8_STRING, + fix_dh_kdf_type }, + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_MD, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { GET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_DH_KDF_MD, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { GET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_STRING, NULL }, + { GET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_DH_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL }, + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_OID, NULL, NULL, + OSSL_KDF_PARAM_CEK_ALG, OSSL_PARAM_UTF8_STRING, fix_oid }, + { GET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_DH_KDF_OID, NULL, NULL, + OSSL_KDF_PARAM_CEK_ALG, OSSL_PARAM_UTF8_STRING, fix_oid }, + + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_PAD, "dh_pad", NULL, + OSSL_EXCHANGE_PARAM_PAD, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_DH_NID, "dh_param", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid }, + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, NULL, NULL, + OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, "dh_paramgen_subprime_len", NULL, + OSSL_PKEY_PARAM_FFC_QBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, "dh_paramgen_generator", NULL, + OSSL_PKEY_PARAM_DH_GENERATOR, OSSL_PARAM_INTEGER, NULL }, + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, "dh_paramgen_type", NULL, + OSSL_PKEY_PARAM_FFC_TYPE, OSSL_PARAM_UTF8_STRING, fix_dh_paramgen_type }, + /* + * This is know to be incorrect, will be fixed and enabled when the + * underlying code is corrected. + * Until then, we simply don't support it here. + */ +#if 0 + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_RFC5114, "dh_rfc5114", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_INTEGER, NULL }, +#endif + + /*- + * DSA + * === + */ + { SET, EVP_PKEY_DSA, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, "dsa_paramgen_bits", NULL, + OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_DSA, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, "dsa_paramgen_q_bits", NULL, + OSSL_PKEY_PARAM_FFC_QBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_DSA, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DSA_PARAMGEN_MD, "dsa_paramgen_md", NULL, + OSSL_PKEY_PARAM_FFC_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + + /*- + * EC + * == + */ + { SET, EVP_PKEY_EC, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_EC_PARAM_ENC, "ec_param_enc", NULL, + OSSL_PKEY_PARAM_EC_ENCODING, OSSL_PARAM_UTF8_STRING, fix_ec_param_enc }, + { SET, EVP_PKEY_EC, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, "ec_paramgen_curve", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, + fix_ec_paramgen_curve_nid }, + /* + * EVP_PKEY_CTRL_EC_ECDH_COFACTOR and EVP_PKEY_CTRL_EC_KDF_TYPE are used + * both for setting and getting. The fixup function has to handle this... + */ + { NONE, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_ECDH_COFACTOR, "ecdh_cofactor_mode", NULL, + OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, OSSL_PARAM_INTEGER, + fix_ecdh_cofactor }, + { NONE, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_TYPE, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_TYPE, OSSL_PARAM_UTF8_STRING, fix_ec_kdf_type }, + { SET, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_MD, "ecdh_kdf_md", NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { GET, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_MD, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { GET, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_STRING, NULL }, + { GET, EVP_PKEY_EC, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL }, + + /*- + * RSA + * === + */ + + /* + * RSA padding modes are numeric with ctrls, strings with ctrl_strs, + * and can be both with OSSL_PARAM. We standardise on strings here, + * fix_rsa_padding_mode() does the work when the caller has a different + * idea. + */ + { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, + EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_RSA_PADDING, "rsa_padding_mode", NULL, + OSSL_PKEY_PARAM_PAD_MODE, OSSL_PARAM_UTF8_STRING, fix_rsa_padding_mode }, + { GET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, + EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_GET_RSA_PADDING, NULL, NULL, + OSSL_PKEY_PARAM_PAD_MODE, OSSL_PARAM_UTF8_STRING, fix_rsa_padding_mode }, + + { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, + EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_RSA_MGF1_MD, "rsa_mgf1_md", NULL, + OSSL_PKEY_PARAM_MGF1_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { GET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, + EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_GET_RSA_MGF1_MD, NULL, NULL, + OSSL_PKEY_PARAM_MGF1_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + + /* + * RSA-PSS saltlen is essentially numeric, but certain values can be + * expressed as keywords (strings) with ctrl_str. The corresponding + * OSSL_PARAM allows both forms. + * fix_rsa_pss_saltlen() takes care of the distinction. + */ + { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, "rsa_pss_saltlen", NULL, + OSSL_PKEY_PARAM_RSA_PSS_SALTLEN, OSSL_PARAM_UTF8_STRING, + fix_rsa_pss_saltlen }, + { GET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, NULL, NULL, + OSSL_PKEY_PARAM_RSA_PSS_SALTLEN, OSSL_PARAM_UTF8_STRING, + fix_rsa_pss_saltlen }, + + { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_OAEP_MD, "rsa_oaep_md", NULL, + OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { GET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_GET_RSA_OAEP_MD, NULL, NULL, + OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + /* + * The "rsa_oaep_label" ctrl_str expects the value to always be hex. + * This is accomodated by default_fixup_args() above, which mimics that + * expectation for any translation item where |ctrl_str| is NULL and + * |ctrl_hexstr| is non-NULL. + */ + { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_OAEP_LABEL, NULL, "rsa_oaep_label", + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, + { GET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, + + { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, + OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_RSA_MGF1_MD, "rsa_pss_keygen_mgf1_md", NULL, + OSSL_PKEY_PARAM_MGF1_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, "rsa_pss_keygen_saltlen", NULL, + OSSL_SIGNATURE_PARAM_PSS_SALTLEN, OSSL_PARAM_INTEGER, NULL }, + { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_RSA_KEYGEN_BITS, "rsa_keygen_bits", NULL, + OSSL_PKEY_PARAM_RSA_BITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, "rsa_keygen_pubexp", NULL, + OSSL_PKEY_PARAM_RSA_E, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES, "rsa_keygen_primes", NULL, + OSSL_PKEY_PARAM_RSA_PRIMES, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + + /* PKCS#7 and CMS hacks */ + { SET, -1, -1, EVP_PKEY_OP_ENCRYPT, + EVP_PKEY_CTRL_PKCS7_ENCRYPT, NULL, NULL, NULL, 0, hack_pkcs7_cms }, + { SET, -1, -1, EVP_PKEY_OP_DECRYPT, + EVP_PKEY_CTRL_PKCS7_DECRYPT, NULL, NULL, NULL, 0, hack_pkcs7_cms }, + { SET, -1, -1, EVP_PKEY_OP_ENCRYPT, + EVP_PKEY_CTRL_CMS_ENCRYPT, NULL, NULL, NULL, 0, hack_pkcs7_cms }, + { SET, -1, -1, EVP_PKEY_OP_DECRYPT, + EVP_PKEY_CTRL_CMS_DECRYPT, NULL, NULL, NULL, 0, hack_pkcs7_cms }, + + /*- + * TLS1-PRF + * ======== + */ + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_TLS_MD, "md", NULL, + OSSL_KDF_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_TLS_SECRET, "secret", "hexsecret", + OSSL_KDF_PARAM_SECRET, OSSL_PARAM_OCTET_STRING, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_TLS_SEED, "seed", "hexseed", + OSSL_KDF_PARAM_SEED, OSSL_PARAM_OCTET_STRING, NULL }, + + /*- + * HKDF + * ==== + */ + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_MD, "md", NULL, + OSSL_KDF_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_SALT, "salt", "hexsalt", + OSSL_KDF_PARAM_SALT, OSSL_PARAM_OCTET_STRING, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_KEY, "key", "hexkey", + OSSL_KDF_PARAM_KEY, OSSL_PARAM_OCTET_STRING, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_INFO, "info", "hexinfo", + OSSL_KDF_PARAM_INFO, OSSL_PARAM_OCTET_STRING, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_MODE, "mode", NULL, + OSSL_KDF_PARAM_MODE, OSSL_PARAM_INTEGER, fix_hkdf_mode }, + + /*- + * Scrypt + * ====== + */ + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_PASS, "pass", "hexpass", + OSSL_KDF_PARAM_PASSWORD, OSSL_PARAM_OCTET_STRING, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_SCRYPT_SALT, "salt", "hexsalt", + OSSL_KDF_PARAM_SALT, OSSL_PARAM_OCTET_STRING, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_SCRYPT_N, "N", NULL, + OSSL_KDF_PARAM_SCRYPT_N, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_SCRYPT_R, "r", NULL, + OSSL_KDF_PARAM_SCRYPT_R, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_SCRYPT_P, "p", NULL, + OSSL_KDF_PARAM_SCRYPT_P, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, -1, -1, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, "maxmem_bytes", NULL, + OSSL_KDF_PARAM_SCRYPT_MAXMEM, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + + { SET, -1, -1, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_CIPHER, NULL, NULL, + OSSL_PKEY_PARAM_CIPHER, OSSL_PARAM_UTF8_STRING, fix_cipher }, + { SET, -1, -1, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_SET_MAC_KEY, NULL, NULL, + OSSL_PKEY_PARAM_PRIV_KEY, OSSL_PARAM_OCTET_STRING, NULL }, + + { SET, -1, -1, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_MD, NULL, NULL, + OSSL_SIGNATURE_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { GET, -1, -1, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_GET_MD, NULL, NULL, + OSSL_SIGNATURE_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, +}; + +static const struct translation_st evp_pkey_translations[] = { + /* + * The following contain no ctrls, they are exclusively here to extract + * key payloads from legacy keys, using OSSL_PARAMs, and rely entirely + * on |fixup_args| to pass the actual data. The |fixup_args| should + * expect to get the EVP_PKEY pointer through |ctx->p2|. + */ + + /* DH, DSA & EC */ + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, + get_payload_group_name }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_PRIV_KEY, OSSL_PARAM_UNSIGNED_INTEGER, + get_payload_private_key }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_PUB_KEY, + 0 /* no data type, let get_payload_pub_key() handle that */, + get_payload_public_key }, + + /* DH and DSA */ + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_FFC_P, OSSL_PARAM_UNSIGNED_INTEGER, + get_dh_dsa_payload_p }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_FFC_G, OSSL_PARAM_UNSIGNED_INTEGER, + get_dh_dsa_payload_g }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_FFC_Q, OSSL_PARAM_UNSIGNED_INTEGER, + get_dh_dsa_payload_q }, + + /* RSA */ + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_N, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_n }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_E, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_D, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_d }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR1, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f1 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR2, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f2 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR3, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f3 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR4, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f4 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR5, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f5 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR6, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f6 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR7, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f7 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR8, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f8 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR9, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f9 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_FACTOR10, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_f10 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT1, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e1 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT2, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e2 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT3, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e3 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT4, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e4 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT5, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e5 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT6, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e6 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT7, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e7 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT8, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e8 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT9, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e9 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_EXPONENT10, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_e10 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT1, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c1 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT2, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c2 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT3, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c3 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT4, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c4 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT5, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c5 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT6, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c6 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT7, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c7 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT8, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c8 }, + { GET, -1, -1, -1, 0, NULL, NULL, + OSSL_PKEY_PARAM_RSA_COEFFICIENT9, OSSL_PARAM_UNSIGNED_INTEGER, + get_rsa_payload_c9 }, +}; + +static const struct translation_st * +lookup_translation(struct translation_st *tmpl, + const struct translation_st *translations, + size_t translations_num) +{ + size_t i; + + for (i = 0; i < translations_num; i++) { + const struct translation_st *item = &translations[i]; + + /* + * Sanity check the translation table item. + * + * 1. Either both keytypes are -1, or neither of them are. + * 2. TBA... + */ + if (!ossl_assert((item->keytype1 == -1) == (item->keytype2 == -1))) + continue; + + + /* + * Base search criteria: check that the optype and keytypes match, + * if relevant. All callers must synthesise these bits somehow. + */ + if (item->optype != -1 && (tmpl->optype & item->optype) == 0) + continue; + /* + * This expression is stunningly simple thanks to the sanity check + * above. + */ + if (item->keytype1 != -1 + && tmpl->keytype1 != item->keytype1 + && tmpl->keytype2 != item->keytype2) + continue; + + /* + * Done with the base search criteria, now we check the criteria for + * the individual types of translations: + * ctrl->params, ctrl_str->params, and params->ctrl + */ + if (tmpl->ctrl_num != 0) { + if (tmpl->ctrl_num != item->ctrl_num) + continue; + } else if (tmpl->ctrl_str != NULL) { + const char *ctrl_str = NULL; + const char *ctrl_hexstr = NULL; + + /* + * Search criteria that originates from a ctrl_str is only used + * for setting, never for getting. Therefore, we only look at + * the setter items. + */ + if (item->action_type != NONE + && item->action_type != SET) + continue; + /* + * At least one of the ctrl cmd names must be match the ctrl + * cmd name in the template. + */ + if (item->ctrl_str != NULL + && strcasecmp(tmpl->ctrl_str, item->ctrl_str) == 0) + ctrl_str = tmpl->ctrl_str; + else if (item->ctrl_hexstr != NULL + && strcasecmp(tmpl->ctrl_hexstr, item->ctrl_hexstr) == 0) + ctrl_hexstr = tmpl->ctrl_hexstr; + else + continue; + + /* Modify the template to signal which string matched */ + tmpl->ctrl_str = ctrl_str; + tmpl->ctrl_hexstr = ctrl_hexstr; + } else if (tmpl->param_key != NULL) { + /* + * Search criteria that originates from a OSSL_PARAM setter or + * getter. + * + * Ctrls were fundamentally bidirectional, with only the ctrl + * command macro name implying direction (if you're lucky). + * A few ctrl commands were even taking advantage of the + * bidirectional nature, making the direction depend in the + * value of the numeric argument. + * + * OSSL_PARAM functions are fundamentally different, in that + * setters and getters are separated, so the data direction is + * implied by the function that's used. The same OSSL_PARAM + * key name can therefore be used in both directions. We must + * therefore take the action type into account in this case. + */ + if ((item->action_type != NONE + && tmpl->action_type != item->action_type) + || (item->param_key != NULL + && strcasecmp(tmpl->param_key, item->param_key) != 0)) + continue; + } else { + return NULL; + } + + return item; + } + + return NULL; +} + +static const struct translation_st * +lookup_evp_pkey_ctx_translation(struct translation_st *tmpl) +{ + return lookup_translation(tmpl, evp_pkey_ctx_translations, + OSSL_NELEM(evp_pkey_ctx_translations)); +} + +static const struct translation_st * +lookup_evp_pkey_translation(struct translation_st *tmpl) +{ + return lookup_translation(tmpl, evp_pkey_translations, + OSSL_NELEM(evp_pkey_translations)); +} + +/* This must ONLY be called for provider side operations */ +int evp_pkey_ctx_ctrl_to_param(EVP_PKEY_CTX *pctx, + int keytype, int optype, + int cmd, int p1, void *p2) +{ + struct translation_ctx_st ctx = { 0, }; + struct translation_st tmpl = { 0, }; + const struct translation_st *translation = NULL; + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + int ret; + fixup_args_fn *fixup = default_fixup_args; + + if (keytype == -1) + keytype = pctx->legacy_keytype; + tmpl.ctrl_num = cmd; + tmpl.keytype1 = tmpl.keytype2 = keytype; + tmpl.optype = optype; + translation = lookup_evp_pkey_ctx_translation(&tmpl); + + if (translation == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + + if (pctx->pmeth != NULL + && pctx->pmeth->pkey_id != translation->keytype1 + && pctx->pmeth->pkey_id != translation->keytype2) + return -1; + + if (translation->fixup_args != NULL) + fixup = translation->fixup_args; + ctx.action_type = translation->action_type; + ctx.ctrl_cmd = cmd; + ctx.p1 = p1; + ctx.p2 = p2; + ctx.pctx = pctx; + ctx.params = params; + + ret = fixup(PRE_CTRL_TO_PARAMS, translation, &ctx); + + if (ret > 0) { + switch (ctx.action_type) { + default: + /* fixup_args is expected to make sure this is dead code */ + break; + case GET: + ret = evp_pkey_ctx_get_params_strict(pctx, ctx.params); + break; + case SET: + ret = evp_pkey_ctx_set_params_strict(pctx, ctx.params); + break; + } + } + + /* + * In POST, we pass the return value as p1, allowing the fixup_args + * function to affect it by changing its value. + */ + if (ret > 0) { + ctx.p1 = ret; + fixup(POST_CTRL_TO_PARAMS, translation, &ctx); + ret = ctx.p1; + } + + cleanup_translation_ctx(POST_CTRL_TO_PARAMS, translation, &ctx); + + return ret; +} + +/* This must ONLY be called for provider side operations */ +int evp_pkey_ctx_ctrl_str_to_param(EVP_PKEY_CTX *pctx, + const char *name, const char *value) +{ + struct translation_ctx_st ctx = { 0, }; + struct translation_st tmpl = { 0, }; + const struct translation_st *translation = NULL; + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + int keytype = pctx->legacy_keytype; + int optype = pctx->operation == 0 ? -1 : pctx->operation; + int ret; + fixup_args_fn *fixup = default_fixup_args; + + tmpl.action_type = SET; + tmpl.keytype1 = tmpl.keytype2 = keytype; + tmpl.optype = optype; + tmpl.ctrl_str = name; + tmpl.ctrl_hexstr = name; + translation = lookup_evp_pkey_ctx_translation(&tmpl); + + if (translation != NULL) { + if (translation->fixup_args != NULL) + fixup = translation->fixup_args; + ctx.action_type = translation->action_type; + ctx.ishex = (tmpl.ctrl_hexstr != NULL); + } else { + /* String controls really only support setting */ + ctx.action_type = SET; + } + ctx.ctrl_str = name; + ctx.p1 = (int)strlen(value); + ctx.p2 = (char *)value; + ctx.pctx = pctx; + ctx.params = params; + + ret = fixup(PRE_CTRL_STR_TO_PARAMS, translation, &ctx); + + if (ret > 0) { + switch (ctx.action_type) { + default: + /* fixup_args is expected to make sure this is dead code */ + break; + case GET: + /* + * this is dead code, but must be present, or some compilers + * will complain + */ + break; + case SET: + ret = evp_pkey_ctx_set_params_strict(pctx, ctx.params); + break; + } + } + + if (ret > 0) + ret = fixup(POST_CTRL_STR_TO_PARAMS, translation, &ctx); + + cleanup_translation_ctx(CLEANUP_CTRL_STR_TO_PARAMS, translation, &ctx); + + return ret; +} + +/* This must ONLY be called for legacy operations */ +static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, + enum action action_type, + OSSL_PARAM *params) +{ + int keytype = pctx->legacy_keytype; + int optype = pctx->operation == 0 ? -1 : pctx->operation; + + for (; params != NULL && params->key != NULL; params++) { + struct translation_ctx_st ctx = { 0, }; + struct translation_st tmpl = { 0, }; + const struct translation_st *translation = NULL; + fixup_args_fn *fixup = default_fixup_args; + int ret; + + tmpl.action_type = action_type; + tmpl.keytype1 = tmpl.keytype2 = keytype; + tmpl.optype = optype; + tmpl.param_key = params->key; + translation = lookup_evp_pkey_ctx_translation(&tmpl); + + if (translation != NULL) { + if (translation->fixup_args != NULL) + fixup = translation->fixup_args; + ctx.action_type = translation->action_type; + } + ctx.pctx = pctx; + ctx.params = params; + + ret = fixup(PRE_PARAMS_TO_CTRL, translation, &ctx); + + if (ret > 0 && action_type != NONE) + ret = EVP_PKEY_CTX_ctrl(pctx, keytype, optype, + ctx.ctrl_cmd, ctx.p1, ctx.p2); + + /* + * In POST, we pass the return value as p1, allowing the fixup_args + * function to put it to good use, or maybe affect it. + */ + if (ret > 0) { + ctx.p1 = ret; + fixup(POST_PARAMS_TO_CTRL, translation, &ctx); + ret = ctx.p1; + } + + cleanup_translation_ctx(CLEANUP_PARAMS_TO_CTRL, translation, &ctx); + + if (ret <= 0) + return 0; + } + return 1; +} + +int evp_pkey_ctx_set_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) +{ + return evp_pkey_ctx_setget_params_to_ctrl(ctx, SET, params); +} + +int evp_pkey_ctx_get_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) +{ + return evp_pkey_ctx_setget_params_to_ctrl(ctx, GET, params); +} + +/* This must ONLY be called for legacy EVP_PKEYs */ +static int evp_pkey_setget_params_to_ctrl(const EVP_PKEY *pkey, + enum action action_type, + OSSL_PARAM *params) +{ + int ret = 1; + + for (; params != NULL && params->key != NULL; params++) { + struct translation_ctx_st ctx = { 0, }; + struct translation_st tmpl = { 0, }; + const struct translation_st *translation = NULL; + fixup_args_fn *fixup = default_fixup_args; + + tmpl.action_type = action_type; + tmpl.param_key = params->key; + translation = lookup_evp_pkey_translation(&tmpl); + + if (translation != NULL) { + if (translation->fixup_args != NULL) + fixup = translation->fixup_args; + ctx.action_type = translation->action_type; + } + ctx.p2 = (void *)pkey; + ctx.params = params; + + /* + * EVP_PKEY doesn't have any ctrl function, so we rely completely + * on fixup_args to do the whole work. Also, we currently only + * support getting. + */ + if (!ossl_assert(translation != NULL) + || !ossl_assert(translation->action_type == GET) + || !ossl_assert(translation->fixup_args != NULL)) { + return -2; + } + + ret = fixup(PKEY, translation, &ctx); + + cleanup_translation_ctx(PKEY, translation, &ctx); + } + return ret; +} + +int evp_pkey_get_params_to_ctrl(const EVP_PKEY *pkey, OSSL_PARAM *params) +{ + return evp_pkey_setget_params_to_ctrl(pkey, GET, params); +} + diff --git a/crypto/evp/dh_ctrl.c b/crypto/evp/dh_ctrl.c index c0268cb42c..abb724f72b 100644 --- a/crypto/evp/dh_ctrl.c +++ b/crypto/evp/dh_ctrl.c @@ -24,7 +24,7 @@ static int dh_paramgen_check(EVP_PKEY_CTX *ctx) return -2; } /* If key type not DH return error */ - if (ctx->pmeth != NULL + if (evp_pkey_ctx_is_legacy(ctx) && ctx->pmeth->pkey_id != EVP_PKEY_DH && ctx->pmeth->pkey_id != EVP_PKEY_DHX) return -1; @@ -39,7 +39,7 @@ static int dh_param_derive_check(EVP_PKEY_CTX *ctx) return -2; } /* If key type not DH return error */ - if (ctx->pmeth != NULL + if (evp_pkey_ctx_is_legacy(ctx) && ctx->pmeth->pkey_id != EVP_PKEY_DH && ctx->pmeth->pkey_id != EVP_PKEY_DHX) return -1; @@ -57,7 +57,7 @@ int EVP_PKEY_CTX_set_dh_paramgen_gindex(EVP_PKEY_CTX *ctx, int gindex) *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_FFC_GINDEX, &gindex); *p = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, params); + return evp_pkey_ctx_set_params_strict(ctx, params); } int EVP_PKEY_CTX_set_dh_paramgen_seed(EVP_PKEY_CTX *ctx, @@ -74,31 +74,17 @@ int EVP_PKEY_CTX_set_dh_paramgen_seed(EVP_PKEY_CTX *ctx, (void *)seed, seedlen); *p = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, params); + return evp_pkey_ctx_set_params_strict(ctx, params); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int typ) { - int ret; - OSSL_PARAM params[2], *p = params; - const char *name; - - if ((ret = dh_paramgen_check(ctx)) <= 0) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, typ, NULL); - - name = dh_gen_type_id2name(typ); - if (name == NULL) - return 0; - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, - (char *) name, 0); - *p = OSSL_PARAM_construct_end(); - - return EVP_PKEY_CTX_set_params(ctx, params); + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, typ, NULL); } int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits) @@ -110,14 +96,9 @@ int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits) if ((ret = dh_paramgen_check(ctx)) <= 0) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, pbits, - NULL); *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_FFC_PBITS, &bits); *p = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, params); + return evp_pkey_ctx_set_params_strict(ctx, params); } int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int qbits) @@ -129,15 +110,10 @@ int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int qbits) if ((ret = dh_paramgen_check(ctx)) <= 0) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, qbits, - NULL); *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_FFC_QBITS, &bits2); *p = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, params); + return evp_pkey_ctx_set_params_strict(ctx, params); } int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen) @@ -148,37 +124,20 @@ int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen) if ((ret = dh_paramgen_check(ctx)) <= 0) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, gen, NULL); *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_DH_GENERATOR, &gen); *p = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, params); + return evp_pkey_ctx_set_params_strict(ctx, params); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int gen) { - int ret; - OSSL_PARAM params[2], *p = params; - const char *name; - - if ((ret = dh_paramgen_check(ctx)) <= 0) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_RFC5114, gen, NULL); - name = ossl_ffc_named_group_get_name(ossl_ffc_uid_to_dh_named_group(gen)); - if (name == NULL) - return 0; - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, - (void *)name, 0); - *p = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, params); + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_RFC5114, gen, NULL); } int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int gen) @@ -186,28 +145,17 @@ int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int gen) return EVP_PKEY_CTX_set_dh_rfc5114(ctx, gen); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name or an + * ASN1_OBJECT (which can be converted to text internally)? + */ int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid) { - int ret; - OSSL_PARAM params[2], *p = params; - const char *name; - - if ((ret = dh_paramgen_check(ctx)) <= 0) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, - EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_DH_NID, nid, NULL); - name = ossl_ffc_named_group_get_name(ossl_ffc_uid_to_dh_named_group(nid)); - if (name == NULL) - return 0; - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, - (void *)name, 0); - *p = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, params); + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, + EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_DH_NID, nid, NULL); } int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) @@ -221,241 +169,91 @@ int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) return -2; } - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_PAD, pad, NULL); - dh_pad_params[0] = OSSL_PARAM_construct_uint(OSSL_EXCHANGE_PARAM_PAD, &upad); dh_pad_params[1] = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, dh_pad_params); + return evp_pkey_ctx_set_params_strict(ctx, dh_pad_params); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name? + */ int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf) { - int ret; - const char *kdf_type; - OSSL_PARAM params[2], *p = params; - - ret = dh_param_derive_check(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_KDF_TYPE, kdf, NULL); - switch (kdf) { - case EVP_PKEY_DH_KDF_NONE: - kdf_type = ""; - break; - case EVP_PKEY_DH_KDF_X9_42: - kdf_type = OSSL_KDF_NAME_X942KDF_ASN1; - break; - default: - return -2; - } - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)kdf_type, 0); - *p = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - return ret; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_TYPE, kdf, NULL); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of getting a name? + */ int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx) { - int ret; - char kdf_type[80]; /* 80 should be big enough */ - OSSL_PARAM params[2], *p = params; - - ret = dh_param_derive_check(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_KDF_TYPE, -2, NULL); - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, - kdf_type, sizeof(kdf_type)); - *p = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - - if (kdf_type[0] == '\0') - return EVP_PKEY_DH_KDF_NONE; - else if (strcmp(kdf_type, OSSL_KDF_NAME_X942KDF_ASN1) == 0) - return EVP_PKEY_DH_KDF_X9_42; - - return -1; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_TYPE, -2, NULL); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_set0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT *oid) { - int ret; - OSSL_PARAM params[2], *p = params; - const char *oid_name; - - ret = dh_param_derive_check(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_KDF_OID, 0, (void *)(oid)); - oid_name = OBJ_nid2sn(OBJ_obj2nid(oid)); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, - (char *)oid_name, 0); - *p = OSSL_PARAM_construct_end(); - ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - return ret; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_OID, 0, (void *)(oid)); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_get0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT **oid) { - int ret, nid; - OSSL_PARAM params[2], *p = params; - char oid_name[80]; /* 80 should be big enough */ - - ret = dh_param_derive_check(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_GET_DH_KDF_OID, 0, (void *)(oid)); - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, - oid_name, sizeof(oid_name)); - *p = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - nid = OBJ_sn2nid(oid_name); - if (nid == NID_undef) - nid = OBJ_ln2nid(oid_name); - *oid = (nid == NID_undef ? NULL : OBJ_nid2obj(nid)); - return *oid != NULL; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_DH_KDF_OID, 0, (void *)(oid)); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name? + */ int EVP_PKEY_CTX_set_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - int ret; - OSSL_PARAM params[2], *p = params; - const char *md_name = NULL; - - ret = dh_param_derive_check(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_KDF_MD, 0, (void *)(md)); - md_name = (md == NULL) ? "" : EVP_MD_name(md); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)md_name, 0); - *p = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - return ret; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_KDF_MD, 0, (void *)(md)); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of getting a name? + */ int EVP_PKEY_CTX_get_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd) { - int ret; - char name[80] = ""; /* 80 should be big enough */ - OSSL_PARAM params[2], *p = params; - - ret = dh_param_derive_check(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, EVP_PKEY_CTRL_GET_DH_KDF_MD, 0, (void *)(pmd)); - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, - name, sizeof(name)); - *p = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - - /* May be NULL meaning "unknown" */ - *pmd = EVP_get_digestbyname(name); - - return 1; } -int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int inlen) +int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int outlen) { int ret; - size_t len = inlen; + size_t len = outlen; OSSL_PARAM params[2], *p = params; ret = dh_param_derive_check(ctx); if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_KDF_OUTLEN, inlen, NULL); - if (inlen <= 0) { + if (outlen <= 0) { /* * This would ideally be -1 or 0, but we have to retain compatibility * with legacy behaviour of EVP_PKEY_CTX_ctrl() which returned -2 if - * in <= 0 + * inlen <= 0 */ return -2; } @@ -465,11 +263,8 @@ int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int inlen) *p = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { + if (ret == -2) ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } return ret; } @@ -483,25 +278,14 @@ int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *plen) if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN, 0, - (void *)(plen)); *p++ = OSSL_PARAM_construct_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, &len); *p = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { + if (ret == -2) ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - - if (len > INT_MAX) + if (ret != 1 || len > INT_MAX) return -1; *plen = (int)len; @@ -521,11 +305,6 @@ int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len) if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_KDF_UKM, len, (void *)(ukm)); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, /* * Cast away the const. This is read @@ -536,11 +315,8 @@ int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len) *p = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { + if (ret == -2) ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } if (ret == 1) OPENSSL_free(ukm); return ret; @@ -556,23 +332,15 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_GET_DH_KDF_UKM, 0, (void *)(pukm)); - *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_EXCHANGE_PARAM_KDF_UKM, (void **)pukm, 0); *p = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { + if (ret == -2) ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { + if (ret != 1) return -1; - } ukmlen = params[0].return_size; if (ukmlen > INT_MAX) diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c index 9d35e5f6ba..17f1a8f288 100644 --- a/crypto/evp/ec_ctrl.c +++ b/crypto/evp/ec_ctrl.c @@ -32,7 +32,8 @@ int evp_pkey_ctx_getset_ecdh_param_checks(const EVP_PKEY_CTX *ctx) } /* If key type not EC return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_EC) + if (evp_pkey_ctx_is_legacy(ctx) + && ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_EC) return -1; return 1; @@ -58,24 +59,13 @@ int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode) return -2; } - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_EC_ECDH_COFACTOR, - cofactor_mode, NULL); - *p++ = OSSL_PARAM_construct_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, &cofactor_mode); *p++ = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { + if (ret == -2) ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - return ret; } @@ -88,207 +78,87 @@ int EVP_PKEY_CTX_get_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx) if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_EC_ECDH_COFACTOR, -2, NULL); - *p++ = OSSL_PARAM_construct_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, &mode); *p++ = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - if (mode < 0 || mode > 1) { - /* - * The provider should return either 0 or 1, any other value is a - * provider error. - */ - return -1; + switch (ret) { + case -2: + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + break; + case 1: + ret = mode; + if (mode < 0 || mode > 1) { + /* + * The provider should return either 0 or 1, any other value is a + * provider error. + */ + ret = -1; + } + break; + default: + ret = -1; + break; } - return mode; + return ret; } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_set_ecdh_kdf_type(EVP_PKEY_CTX *ctx, int kdf) { - int ret; - const char *kdf_type; - OSSL_PARAM params[2], *p = params; - - ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx); - if (ret != 1) - return ret; - - switch (kdf) { - case EVP_PKEY_ECDH_KDF_NONE: - kdf_type = ""; - break; - case EVP_PKEY_ECDH_KDF_X9_63: - kdf_type = OSSL_KDF_NAME_X963KDF; - break; - default: - return -2; - } - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_EC_KDF_TYPE, kdf, NULL); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)kdf_type, 0); - *p++ = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - return ret; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_TYPE, kdf, NULL); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_get_ecdh_kdf_type(EVP_PKEY_CTX *ctx) { - int ret; - /* 80 should be big enough */ - char kdf_type[80]; - OSSL_PARAM params[2], *p = params; - - ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_EC_KDF_TYPE, -2, NULL); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, - kdf_type, sizeof(kdf_type)); - *p++ = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - - if (kdf_type[0] == '\0') - return EVP_PKEY_ECDH_KDF_NONE; - else if (strcmp(kdf_type, OSSL_KDF_NAME_X963KDF) == 0) - return EVP_PKEY_ECDH_KDF_X9_63; - - return -1; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_TYPE, -2, NULL); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name? + */ int EVP_PKEY_CTX_set_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - int ret; - OSSL_PARAM params[2], *p = params; - const char *md_name = NULL; - - ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_EC_KDF_MD, 0, (void *)(md)); - - md_name = (md == NULL) ? "" : EVP_MD_name(md); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)md_name, 0); - *p++ = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - return ret; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_MD, 0, (void *)(md)); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of getting a name? + */ int EVP_PKEY_CTX_get_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd) { - /* 80 should be big enough */ - char name[80] = ""; - int ret; - OSSL_PARAM params[2], *p = params; - - ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx); - if (ret != 1) - return ret; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_GET_EC_KDF_MD, 0, (void *)(pmd)); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, - name, sizeof(name)); - *p++ = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - - /* May be NULL meaning "unknown" */ - *pmd = EVP_get_digestbyname(name); - - return 1; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_MD, 0, (void *)(pmd)); } -int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int in) +int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int outlen) { int ret; - size_t len = in; + size_t len = outlen; OSSL_PARAM params[2], *p = params; ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx); if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_EC_KDF_OUTLEN, in, NULL); - - if (in <= 0) { + if (outlen <= 0) { /* * This would ideally be -1 or 0, but we have to retain compatibility * with legacy behaviour of EVP_PKEY_CTX_ctrl() which returned -2 if @@ -302,11 +172,8 @@ int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int in) *p++ = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { + if (ret == -2) ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } return ret; } @@ -320,32 +187,28 @@ int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *plen) if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, 0, - (void *)(plen)); - *p++ = OSSL_PARAM_construct_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, &len); *p++ = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { + + switch (ret) { + case -2: ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; + break; + case 1: + if (len <= INT_MAX) + *plen = (int)len; + else + ret = -1; + break; + default: + ret = -1; + break; } - if (len > INT_MAX) - return -1; - - *plen = (int)len; - - return 1; + return ret; } int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len) @@ -357,12 +220,6 @@ int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int le if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_EC_KDF_UKM, len, (void *)(ukm)); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, /* * Cast away the const. This is read @@ -373,13 +230,16 @@ int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int le *p++ = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_set_params_strict(ctx, params); - if (ret == -2) { + + switch (ret) { + case -2: ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - if (ret == 1) + break; + case 1: OPENSSL_free(ukm); + break; + } + return ret; } @@ -405,81 +265,46 @@ int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) *p++ = OSSL_PARAM_construct_end(); ret = evp_pkey_ctx_get_params_strict(ctx, params); - if (ret == -2) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else if (ret != 1) { - return -1; - } - ukmlen = params[0].return_size; - if (ukmlen > INT_MAX) - return -1; - - return (int)ukmlen; -} - -#ifndef FIPS_MODULE -int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) -{ - if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { + switch (ret) { + case -2: ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* Legacy: if key type not EC return error */ - if (ctx->pmeth != NULL - && EVP_PKEY_type(ctx->pmeth->pkey_id) != EVP_PKEY_EC) - return -1; - - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, - nid, NULL); - - return EVP_PKEY_CTX_set_group_name(ctx, OBJ_nid2sn(nid)); -} - -int evp_pkey_ctx_set_ec_param_enc_prov(EVP_PKEY_CTX *ctx, int param_enc) -{ - const char *enc = NULL; - OSSL_PARAM params[2], *p = params; - int ret = -2; /* Assume unsupported */ - - if (ctx == NULL - || !EVP_PKEY_CTX_IS_GEN_OP(ctx) - || ctx->op.keymgmt.genctx == NULL) - goto end; - - switch (param_enc) { - case OPENSSL_EC_EXPLICIT_CURVE: - enc = OSSL_PKEY_EC_ENCODING_EXPLICIT; break; - case OPENSSL_EC_NAMED_CURVE: - enc = OSSL_PKEY_EC_ENCODING_GROUP; + case 1: + ret = -1; + ukmlen = params[0].return_size; + if (ukmlen <= INT_MAX) + ret = (int)ukmlen; break; default: - goto end; + ret = -1; + break; } - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING, - (char *)enc, 0); - *p = OSSL_PARAM_construct_end(); - - ret = evp_pkey_ctx_set_params_strict(ctx, params); - end: - if (ret == -2) - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); return ret; } +#ifndef FIPS_MODULE +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of setting a name or an + * ASN1_OBJECT (which would be converted to text internally)? + */ +int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) +{ + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, + nid, NULL); +} + +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc) { - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_TYPE_GEN, EVP_PKEY_CTRL_EC_PARAM_ENC, param_enc, NULL); } #endif diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 427ffc813a..f6598a8b3f 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -983,32 +983,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name) { OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END }; - OSSL_PARAM *p = params; - - if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - if (!EVP_PKEY_CTX_IS_GEN_OP(ctx)) { -#ifndef FIPS_MODULE - int nid; - - /* Could be a legacy key, try and convert to a ctrl */ - if (ctx->pmeth != NULL && (nid = OBJ_txt2nid(name)) != NID_undef) { - if (ctx->pmeth->pkey_id == EVP_PKEY_DH) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, - EVP_PKEY_OP_PARAMGEN - | EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_DH_NID, nid, NULL); - if (ctx->pmeth->pkey_id == EVP_PKEY_EC) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, - nid, NULL); - } -#endif + if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); /* Uses the same return values as EVP_PKEY_CTX_ctrl */ return -2; @@ -1017,8 +993,8 @@ int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name) if (name == NULL) return -1; - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, - (char *)name, 0); + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, + (char *)name, 0); return EVP_PKEY_CTX_set_params(ctx, params); } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index e655adde05..653a3b7743 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1228,60 +1228,8 @@ int EVP_PKEY_get_default_digest_name(EVP_PKEY *pkey, int EVP_PKEY_get_group_name(const EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len) { - if (evp_pkey_is_legacy(pkey)) { - const char *name = NULL; - - switch (EVP_PKEY_base_id(pkey)) { -#ifndef OPENSSL_NO_EC - case EVP_PKEY_EC: - { - const EC_GROUP *grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey)); - int nid = NID_undef; - - if (grp != NULL) - nid = EC_GROUP_get_curve_name(grp); - if (nid != NID_undef) - name = ec_curve_nid2name(nid); - } - break; -#endif -#ifndef OPENSSL_NO_DH - case EVP_PKEY_DH: - { - DH *dh = EVP_PKEY_get0_DH(pkey); - int uid = DH_get_nid(dh); - - if (uid != NID_undef) { - const DH_NAMED_GROUP *dh_group = - ossl_ffc_uid_to_dh_named_group(uid); - - name = ossl_ffc_named_group_get_name(dh_group); - } - } - break; -#endif - default: - break; - } - - if (gname_len != NULL) - *gname_len = (name == NULL ? 0 : strlen(name)); - if (name != NULL) { - if (gname != NULL) - OPENSSL_strlcpy(gname, name, gname_sz); - return 1; - } - } else if (evp_pkey_is_provided(pkey)) { - if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, - gname, gname_sz, gname_len)) - return 1; - } else { - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY); - return 0; - } - - ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE); - return 0; + return EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, + gname, gname_sz, gname_len); } int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid) @@ -2144,7 +2092,7 @@ int EVP_PKEY_set_bn_param(EVP_PKEY *pkey, const char *key_name, if (key_name == NULL || bn == NULL || pkey == NULL - || !evp_pkey_is_provided(pkey)) + || !evp_pkey_is_assigned(pkey)) return 0; bsize = BN_num_bytes(bn); @@ -2194,12 +2142,28 @@ const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey) int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]) { - if (pkey == NULL) - return 0; - - pkey->dirty_cnt++; - return evp_pkey_is_provided(pkey) - && evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + if (pkey != NULL) { + if (evp_pkey_is_provided(pkey)) { + pkey->dirty_cnt++; + return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params); + } +#ifndef FIPS_MODULE + /* + * TODO? + * We will hopefully never find the need to set individual data in + * EVP_PKEYs with a legacy internal key, but we can't be entirely + * sure. This bit of code can be enabled if we find the need. If + * not, it can safely be removed when #legacy support is removed. + */ +# if 0 + else if (evp_pkey_is_legacy(pkey)) { + return evp_pkey_set_params_to_ctrl(pkey, params); + } +# endif +#endif + } + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY); + return 0; } const OSSL_PARAM *EVP_PKEY_gettable_params(const EVP_PKEY *pkey) @@ -2211,9 +2175,16 @@ const OSSL_PARAM *EVP_PKEY_gettable_params(const EVP_PKEY *pkey) int EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]) { - return pkey != NULL - && evp_pkey_is_provided(pkey) - && evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params); + if (pkey != NULL) { + if (evp_pkey_is_provided(pkey)) + return evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params); +#ifndef FIPS_MODULE + else if (evp_pkey_is_legacy(pkey)) + return evp_pkey_get_params_to_ctrl(pkey, params); +#endif + } + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY); + return 0; } #ifndef FIPS_MODULE diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index a933752071..500e056479 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -135,12 +135,26 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags) return pmeth; } -/* Three possible states: */ -# define EVP_PKEY_STATE_UNKNOWN 0 -# define EVP_PKEY_STATE_LEGACY 1 -# define EVP_PKEY_STATE_PROVIDER 2 +static void help_get_legacy_alg_type_from_keymgmt(const char *keytype, + void *arg) +{ + int *type = arg; + + if (*type == NID_undef) + *type = evp_pkey_name2type(keytype); +} + +static int get_legacy_alg_type_from_keymgmt(const EVP_KEYMGMT *keymgmt) +{ + int type = NID_undef; + + EVP_KEYMGMT_names_do_all(keymgmt, help_get_legacy_alg_type_from_keymgmt, + &type); + return type; +} +#endif /* FIPS_MODULE */ -static int evp_pkey_ctx_state(EVP_PKEY_CTX *ctx) +int evp_pkey_ctx_state(const EVP_PKEY_CTX *ctx) { if (ctx->operation == EVP_PKEY_OP_UNDEFINED) return EVP_PKEY_STATE_UNKNOWN; @@ -160,25 +174,6 @@ static int evp_pkey_ctx_state(EVP_PKEY_CTX *ctx) return EVP_PKEY_STATE_LEGACY; } -static void help_get_legacy_alg_type_from_keymgmt(const char *keytype, - void *arg) -{ - int *type = arg; - - if (*type == NID_undef) - *type = evp_pkey_name2type(keytype); -} - -static int get_legacy_alg_type_from_keymgmt(const EVP_KEYMGMT *keymgmt) -{ - int type = NID_undef; - - EVP_KEYMGMT_names_do_all(keymgmt, help_get_legacy_alg_type_from_keymgmt, - &type); - return type; -} -#endif /* FIPS_MODULE */ - static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, EVP_PKEY *pkey, ENGINE *e, const char *keytype, const char *propquery, @@ -649,67 +644,94 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx) } #endif +int EVP_PKEY_CTX_is_a(EVP_PKEY_CTX *ctx, const char *keytype) +{ +#ifndef FIPS_MODULE + if (evp_pkey_ctx_is_legacy(ctx)) + return (ctx->pmeth->pkey_id == evp_pkey_name2type(keytype)); +#endif + return EVP_KEYMGMT_is_a(ctx->keymgmt, keytype); +} + int EVP_PKEY_CTX_set_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) { - if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx) - && ctx->op.kex.exchprovctx != NULL + switch (evp_pkey_ctx_state(ctx)) { + case EVP_PKEY_STATE_PROVIDER: + if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx) && ctx->op.kex.exchange != NULL && ctx->op.kex.exchange->set_ctx_params != NULL) - return ctx->op.kex.exchange->set_ctx_params(ctx->op.kex.exchprovctx, - params); - if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - && ctx->op.sig.sigprovctx != NULL + return + ctx->op.kex.exchange->set_ctx_params(ctx->op.kex.exchprovctx, + params); + if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) && ctx->op.sig.signature != NULL && ctx->op.sig.signature->set_ctx_params != NULL) - return ctx->op.sig.signature->set_ctx_params(ctx->op.sig.sigprovctx, - params); - if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - && ctx->op.ciph.ciphprovctx != NULL + return + ctx->op.sig.signature->set_ctx_params(ctx->op.sig.sigprovctx, + params); + if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) && ctx->op.ciph.cipher != NULL && ctx->op.ciph.cipher->set_ctx_params != NULL) - return ctx->op.ciph.cipher->set_ctx_params(ctx->op.ciph.ciphprovctx, - params); - if (EVP_PKEY_CTX_IS_GEN_OP(ctx) - && ctx->op.keymgmt.genctx != NULL - && ctx->keymgmt != NULL - && ctx->keymgmt->gen_set_params != NULL) - return evp_keymgmt_gen_set_params(ctx->keymgmt, ctx->op.keymgmt.genctx, - params); - if (EVP_PKEY_CTX_IS_KEM_OP(ctx) - && ctx->op.encap.kemprovctx != NULL - && ctx->op.encap.kem != NULL - && ctx->op.encap.kem->set_ctx_params != NULL) - return ctx->op.encap.kem->set_ctx_params(ctx->op.encap.kemprovctx, - params); + return + ctx->op.ciph.cipher->set_ctx_params(ctx->op.ciph.ciphprovctx, + params); + if (EVP_PKEY_CTX_IS_GEN_OP(ctx) + && ctx->keymgmt != NULL + && ctx->keymgmt->gen_set_params != NULL) + return + evp_keymgmt_gen_set_params(ctx->keymgmt, ctx->op.keymgmt.genctx, + params); + if (EVP_PKEY_CTX_IS_KEM_OP(ctx) + && ctx->op.encap.kem != NULL + && ctx->op.encap.kem->set_ctx_params != NULL) + return + ctx->op.encap.kem->set_ctx_params(ctx->op.encap.kemprovctx, + params); + break; +#ifndef FIPS_MODULE + case EVP_PKEY_STATE_UNKNOWN: + case EVP_PKEY_STATE_LEGACY: + return evp_pkey_ctx_set_params_to_ctrl(ctx, params); +#endif + } return 0; } int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) { - if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx) - && ctx->op.kex.exchprovctx != NULL + switch (evp_pkey_ctx_state(ctx)) { + case EVP_PKEY_STATE_PROVIDER: + if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx) && ctx->op.kex.exchange != NULL && ctx->op.kex.exchange->get_ctx_params != NULL) - return ctx->op.kex.exchange->get_ctx_params(ctx->op.kex.exchprovctx, - params); - if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - && ctx->op.sig.sigprovctx != NULL + return + ctx->op.kex.exchange->get_ctx_params(ctx->op.kex.exchprovctx, + params); + if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) && ctx->op.sig.signature != NULL && ctx->op.sig.signature->get_ctx_params != NULL) - return ctx->op.sig.signature->get_ctx_params(ctx->op.sig.sigprovctx, - params); - if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - && ctx->op.ciph.ciphprovctx != NULL + return + ctx->op.sig.signature->get_ctx_params(ctx->op.sig.sigprovctx, + params); + if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) && ctx->op.ciph.cipher != NULL && ctx->op.ciph.cipher->get_ctx_params != NULL) - return ctx->op.ciph.cipher->get_ctx_params(ctx->op.ciph.ciphprovctx, - params); - if (EVP_PKEY_CTX_IS_KEM_OP(ctx) - && ctx->op.encap.kemprovctx != NULL - && ctx->op.encap.kem != NULL - && ctx->op.encap.kem->get_ctx_params != NULL) - return ctx->op.encap.kem->get_ctx_params(ctx->op.encap.kemprovctx, - params); + return + ctx->op.ciph.cipher->get_ctx_params(ctx->op.ciph.ciphprovctx, + params); + if (EVP_PKEY_CTX_IS_KEM_OP(ctx) + && ctx->op.encap.kem != NULL + && ctx->op.encap.kem->get_ctx_params != NULL) + return + ctx->op.encap.kem->get_ctx_params(ctx->op.encap.kemprovctx, + params); + break; +#ifndef FIPS_MODULE + case EVP_PKEY_STATE_UNKNOWN: + case EVP_PKEY_STATE_LEGACY: + return evp_pkey_ctx_get_params_to_ctrl(ctx, params); +#endif + } return 0; } @@ -797,16 +819,24 @@ const OSSL_PARAM *EVP_PKEY_CTX_settable_params(EVP_PKEY_CTX *ctx) */ int evp_pkey_ctx_set_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) { - const OSSL_PARAM *p; - if (ctx == NULL || params == NULL) return 0; - for (p = params; p->key != NULL; p++) { - /* Check the ctx actually understands this parameter */ - if (OSSL_PARAM_locate_const(EVP_PKEY_CTX_settable_params(ctx), - p->key) == NULL ) - return -2; + /* + * We only check for provider side EVP_PKEY_CTX. For #legacy, we + * depend on the translation that happens in EVP_PKEY_CTX_set_params() + * call, and that the resulting ctrl call will return -2 if it doesn't + * known the ctrl command number. + */ + if (evp_pkey_ctx_is_provided(ctx)) { + const OSSL_PARAM *settable = EVP_PKEY_CTX_settable_params(ctx); + const OSSL_PARAM *p; + + for (p = params; p->key != NULL; p++) { + /* Check the ctx actually understands this parameter */ + if (OSSL_PARAM_locate_const(settable, p->key) == NULL ) + return -2; + } } return EVP_PKEY_CTX_set_params(ctx, params); @@ -814,16 +844,24 @@ int evp_pkey_ctx_set_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) int evp_pkey_ctx_get_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) { - const OSSL_PARAM *p; - if (ctx == NULL || params == NULL) return 0; - for (p = params; p->key != NULL; p++ ) { - /* Check the ctx actually understands this parameter */ - if (OSSL_PARAM_locate_const(EVP_PKEY_CTX_gettable_params(ctx), - p->key) == NULL ) - return -2; + /* + * We only check for provider side EVP_PKEY_CTX. For #legacy, we + * depend on the translation that happens in EVP_PKEY_CTX_get_params() + * call, and that the resulting ctrl call will return -2 if it doesn't + * known the ctrl command number. + */ + if (evp_pkey_ctx_is_provided(ctx)) { + const OSSL_PARAM *gettable = EVP_PKEY_CTX_gettable_params(ctx); + const OSSL_PARAM *p; + + for (p = params; p->key != NULL; p++ ) { + /* Check the ctx actually understands this parameter */ + if (OSSL_PARAM_locate_const(gettable, p->key) == NULL ) + return -2; + } } return EVP_PKEY_CTX_get_params(ctx, params); @@ -1211,235 +1249,6 @@ int EVP_PKEY_CTX_get1_id_len(EVP_PKEY_CTX *ctx, size_t *id_len) EVP_PKEY_CTRL_GET1_ID_LEN, 0, (void*)id_len); } -static int legacy_ctrl_to_param(EVP_PKEY_CTX *ctx, int keytype, int optype, - int cmd, int p1, void *p2) -{ - switch (cmd) { - case EVP_PKEY_CTRL_SET1_ID: - return evp_pkey_ctx_set1_id_prov(ctx, p2, p1); - case EVP_PKEY_CTRL_GET1_ID: - return evp_pkey_ctx_get1_id_prov(ctx, p2); - case EVP_PKEY_CTRL_GET1_ID_LEN: - return evp_pkey_ctx_get1_id_len_prov(ctx, p2); - } - - if (keytype == EVP_PKEY_DHX) { - switch (cmd) { - case EVP_PKEY_CTRL_DH_KDF_TYPE: - return EVP_PKEY_CTX_set_dh_kdf_type(ctx, p1); - case EVP_PKEY_CTRL_DH_KDF_MD: - return EVP_PKEY_CTX_set_dh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_DH_KDF_OUTLEN: - return EVP_PKEY_CTX_set_dh_kdf_outlen(ctx, p1); - case EVP_PKEY_CTRL_DH_KDF_UKM: - return EVP_PKEY_CTX_set0_dh_kdf_ukm(ctx, p2, p1); - case EVP_PKEY_CTRL_DH_KDF_OID: - return EVP_PKEY_CTX_set0_dh_kdf_oid(ctx, p2); - case EVP_PKEY_CTRL_GET_DH_KDF_MD: - return EVP_PKEY_CTX_get_dh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN: - return EVP_PKEY_CTX_get_dh_kdf_outlen(ctx, p2); - case EVP_PKEY_CTRL_GET_DH_KDF_UKM: - return EVP_PKEY_CTX_get0_dh_kdf_ukm(ctx, p2); - case EVP_PKEY_CTRL_GET_DH_KDF_OID: - return EVP_PKEY_CTX_get0_dh_kdf_oid(ctx, p2); - } - } - if (keytype == EVP_PKEY_DH) { - switch (cmd) { - case EVP_PKEY_CTRL_DH_PAD: - return EVP_PKEY_CTX_set_dh_pad(ctx, p1); - case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN: - return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, p1); - case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN: - return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, p1); - case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR: - return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, p1); - case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE: - return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, p1); - case EVP_PKEY_CTRL_DH_RFC5114: - return EVP_PKEY_CTX_set_dh_rfc5114(ctx, p1); - } - } - if (keytype == EVP_PKEY_DSA) { - switch (cmd) { - case EVP_PKEY_CTRL_DSA_PARAMGEN_BITS: - return EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, p1); - case EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS: - return EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, p1); - case EVP_PKEY_CTRL_DSA_PARAMGEN_MD: - return EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, p2); - } - } - if (keytype == EVP_PKEY_EC) { - switch (cmd) { - case EVP_PKEY_CTRL_EC_PARAM_ENC: - return evp_pkey_ctx_set_ec_param_enc_prov(ctx, p1); - case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: - return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, p1); - case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: - if (p1 == -2) { - return EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx); - } else if (p1 < -1 || p1 > 1) { - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } else { - return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, p1); - } - case EVP_PKEY_CTRL_EC_KDF_TYPE: - if (p1 == -2) { - return EVP_PKEY_CTX_get_ecdh_kdf_type(ctx); - } else { - return EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, p1); - } - case EVP_PKEY_CTRL_GET_EC_KDF_MD: - return EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_MD: - return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, p2); - case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: - return EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_OUTLEN: - return EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, p1); - case EVP_PKEY_CTRL_GET_EC_KDF_UKM: - return EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p2); - case EVP_PKEY_CTRL_EC_KDF_UKM: - return EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p2, p1); - } - } - if (keytype == EVP_PKEY_RSA) { - switch (cmd) { - case EVP_PKEY_CTRL_RSA_OAEP_MD: - return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: - return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_MGF1_MD: - return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_OAEP_LABEL: - return EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, p2, p1); - case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: - return EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, (unsigned char **)p2); - case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: - return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, p1); - case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: - return EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, p2); - case EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES: - return EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, p1); - } - } - - if (keytype == EVP_PKEY_RSA_PSS) { - switch(cmd) { - case EVP_PKEY_CTRL_MD: - return EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, p2); - } - } - - /* - * keytype == -1 is used when several key types share the same structure, - * or for generic controls that are the same across multiple key types. - */ - if (keytype == -1) { - if (optype == EVP_PKEY_OP_DERIVE) { - switch (cmd) { - /* TLS1-PRF */ - case EVP_PKEY_CTRL_TLS_MD: - return EVP_PKEY_CTX_set_tls1_prf_md(ctx, p2); - case EVP_PKEY_CTRL_TLS_SECRET: - return EVP_PKEY_CTX_set1_tls1_prf_secret(ctx, p2, p1); - case EVP_PKEY_CTRL_TLS_SEED: - return EVP_PKEY_CTX_add1_tls1_prf_seed(ctx, p2, p1); - - /* HKDF */ - case EVP_PKEY_CTRL_HKDF_MD: - return EVP_PKEY_CTX_set_hkdf_md(ctx, p2); - case EVP_PKEY_CTRL_HKDF_SALT : - return EVP_PKEY_CTX_set1_hkdf_salt(ctx, p2, p1); - case EVP_PKEY_CTRL_HKDF_KEY: - return EVP_PKEY_CTX_set1_hkdf_key(ctx, p2, p1); - case EVP_PKEY_CTRL_HKDF_INFO: - return EVP_PKEY_CTX_add1_hkdf_info(ctx, p2, p1); - case EVP_PKEY_CTRL_HKDF_MODE: - return EVP_PKEY_CTX_hkdf_mode(ctx, p1); - - /* Scrypt */ - case EVP_PKEY_CTRL_PASS: - return EVP_PKEY_CTX_set1_pbe_pass(ctx, p2, p1); - case EVP_PKEY_CTRL_SCRYPT_SALT: - return EVP_PKEY_CTX_set1_scrypt_salt(ctx, p2, p1); - case EVP_PKEY_CTRL_SCRYPT_N: - return EVP_PKEY_CTX_set_scrypt_N(ctx, p1); - case EVP_PKEY_CTRL_SCRYPT_R: - return EVP_PKEY_CTX_set_scrypt_r(ctx, p1); - case EVP_PKEY_CTRL_SCRYPT_P: - return EVP_PKEY_CTX_set_scrypt_p(ctx, p1); - case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES: - return EVP_PKEY_CTX_set_scrypt_maxmem_bytes(ctx, p1); - } - } else if (optype == EVP_PKEY_OP_KEYGEN) { - OSSL_PARAM params[2], *p = params; - - switch (cmd) { - case EVP_PKEY_CTRL_CIPHER: - { - char *ciphname = (char *)EVP_CIPHER_name(p2); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_CIPHER, - ciphname, 0); - *p = OSSL_PARAM_construct_end(); - - return EVP_PKEY_CTX_set_params(ctx, params); - } - case EVP_PKEY_CTRL_SET_MAC_KEY: - { - *p++ = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, - p2, p1); - *p = OSSL_PARAM_construct_end(); - - return EVP_PKEY_CTX_set_params(ctx, params); - } - } - } - switch (cmd) { - case EVP_PKEY_CTRL_MD: - return EVP_PKEY_CTX_set_signature_md(ctx, p2); - case EVP_PKEY_CTRL_GET_MD: - return EVP_PKEY_CTX_get_signature_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_PADDING: - return EVP_PKEY_CTX_set_rsa_padding(ctx, p1); - case EVP_PKEY_CTRL_GET_RSA_PADDING: - return EVP_PKEY_CTX_get_rsa_padding(ctx, p2); - case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: - return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2); - case EVP_PKEY_CTRL_RSA_PSS_SALTLEN: - return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, p1); - case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN: - return EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, p2); - case EVP_PKEY_CTRL_PKCS7_ENCRYPT: - case EVP_PKEY_CTRL_PKCS7_DECRYPT: -# ifndef OPENSSL_NO_CMS - case EVP_PKEY_CTRL_CMS_DECRYPT: - case EVP_PKEY_CTRL_CMS_ENCRYPT: -# endif - /* TODO (3.0) Temporary hack, this should probe */ - if (!EVP_PKEY_is_a(EVP_PKEY_CTX_get0_pkey(ctx), "RSASSA-PSS")) - return 1; - ERR_raise(ERR_LIB_EVP, - EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; - } - } - - /* - * GOST CMS format is different for different cipher algorithms. - * Most of other algorithms don't have such a difference - * so this ctrl is just ignored. - */ - if (cmd == EVP_PKEY_CTRL_CIPHER) - return -2; - - return 0; -} - static int evp_pkey_ctx_ctrl_int(EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd, int p1, void *p2) { @@ -1464,7 +1273,7 @@ static int evp_pkey_ctx_ctrl_int(EVP_PKEY_CTX *ctx, int keytype, int optype, switch (evp_pkey_ctx_state(ctx)) { case EVP_PKEY_STATE_PROVIDER: - return legacy_ctrl_to_param(ctx, keytype, optype, cmd, p1, p2); + return evp_pkey_ctx_ctrl_to_param(ctx, keytype, optype, cmd, p1, p2); case EVP_PKEY_STATE_UNKNOWN: case EVP_PKEY_STATE_LEGACY: if (ctx->pmeth == NULL || ctx->pmeth->ctrl == NULL) { @@ -1517,96 +1326,6 @@ int EVP_PKEY_CTX_ctrl_uint64(EVP_PKEY_CTX *ctx, int keytype, int optype, return EVP_PKEY_CTX_ctrl(ctx, keytype, optype, cmd, 0, &value); } -static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name, - const char *value) -{ - if (strcmp(name, "md") == 0) - name = OSSL_ALG_PARAM_DIGEST; - else if (strcmp(name, "rsa_padding_mode") == 0) - name = OSSL_ASYM_CIPHER_PARAM_PAD_MODE; - else if (strcmp(name, "rsa_mgf1_md") == 0) - name = OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST; - else if (strcmp(name, "rsa_oaep_md") == 0) - name = OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST; - else if (strcmp(name, "rsa_oaep_label") == 0) - name = OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL; - else if (strcmp(name, "rsa_pss_saltlen") == 0) - name = OSSL_SIGNATURE_PARAM_PSS_SALTLEN; - else if (strcmp(name, "rsa_keygen_bits") == 0) - name = OSSL_PKEY_PARAM_RSA_BITS; - else if (strcmp(name, "rsa_keygen_pubexp") == 0) - name = OSSL_PKEY_PARAM_RSA_E; - else if (strcmp(name, "rsa_keygen_primes") == 0) - name = OSSL_PKEY_PARAM_RSA_PRIMES; - else if (strcmp(name, "rsa_pss_keygen_md") == 0) - name = OSSL_PKEY_PARAM_RSA_DIGEST; - else if (strcmp(name, "rsa_pss_keygen_mgf1_md") == 0) - name = OSSL_PKEY_PARAM_RSA_MGF1_DIGEST; - else if (strcmp(name, "rsa_pss_keygen_saltlen") == 0) - name = OSSL_PKEY_PARAM_RSA_PSS_SALTLEN; - else if (strcmp(name, "dsa_paramgen_bits") == 0) - name = OSSL_PKEY_PARAM_FFC_PBITS; - else if (strcmp(name, "dsa_paramgen_q_bits") == 0) - name = OSSL_PKEY_PARAM_FFC_QBITS; - else if (strcmp(name, "dsa_paramgen_md") == 0) - name = OSSL_PKEY_PARAM_FFC_DIGEST; - else if (strcmp(name, "dh_paramgen_generator") == 0) - name = OSSL_PKEY_PARAM_DH_GENERATOR; - else if (strcmp(name, "dh_paramgen_prime_len") == 0) - name = OSSL_PKEY_PARAM_FFC_PBITS; - else if (strcmp(name, "dh_paramgen_subprime_len") == 0) - name = OSSL_PKEY_PARAM_FFC_QBITS; - else if (strcmp(name, "dh_paramgen_type") == 0) { - name = OSSL_PKEY_PARAM_FFC_TYPE; - value = dh_gen_type_id2name(atoi(value)); - } else if (strcmp(name, "dh_param") == 0) - name = OSSL_PKEY_PARAM_GROUP_NAME; - else if (strcmp(name, "dh_rfc5114") == 0) { - int num = atoi(value); - - name = OSSL_PKEY_PARAM_GROUP_NAME; - value = - ossl_ffc_named_group_get_name(ossl_ffc_uid_to_dh_named_group(num)); - } else if (strcmp(name, "dh_pad") == 0) - name = OSSL_EXCHANGE_PARAM_PAD; - else if (strcmp(name, "ec_paramgen_curve") == 0) - name = OSSL_PKEY_PARAM_GROUP_NAME; - else if (strcmp(name, "ecdh_cofactor_mode") == 0) - name = OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE; - else if (strcmp(name, "ecdh_kdf_md") == 0) - name = OSSL_EXCHANGE_PARAM_KDF_DIGEST; - else if (strcmp(name, "ec_param_enc") == 0) - name = OSSL_PKEY_PARAM_EC_ENCODING; - else if (strcmp(name, "N") == 0) - name = OSSL_KDF_PARAM_SCRYPT_N; - - { - /* - * TODO(3.0) reduce the code above to only translate known legacy - * string to the corresponding core name (see core_names.h), but - * otherwise leave it to this code block to do the actual work. - */ - const OSSL_PARAM *settable = EVP_PKEY_CTX_settable_params(ctx); - OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; - int rv = 0; - int exists = 0; - - if (!OSSL_PARAM_allocate_from_text(¶ms[0], settable, name, value, - strlen(value), &exists)) { - if (!exists) { - ERR_raise_data(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED, - "name=%s,value=%s", name, value); - return -2; - } - return 0; - } - if (EVP_PKEY_CTX_set_params(ctx, params)) - rv = 1; - OPENSSL_free(params[0].data); - return rv; - } -} - static int evp_pkey_ctx_ctrl_str_int(EVP_PKEY_CTX *ctx, const char *name, const char *value) { @@ -1619,7 +1338,7 @@ static int evp_pkey_ctx_ctrl_str_int(EVP_PKEY_CTX *ctx, switch (evp_pkey_ctx_state(ctx)) { case EVP_PKEY_STATE_PROVIDER: - return legacy_ctrl_str_to_param(ctx, name, value); + return evp_pkey_ctx_ctrl_str_to_param(ctx, name, value); case EVP_PKEY_STATE_UNKNOWN: case EVP_PKEY_STATE_LEGACY: if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->ctrl_str == NULL) { @@ -1684,6 +1403,19 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx, int cmd, const char *name, const void *data, size_t data_len) { + /* + * Check that it's one of the supported commands. The ctrl commands + * number cases here must correspond to the cases in the bottom switch + * in this function. + */ + switch (cmd = decode_cmd(cmd, name)) { + case EVP_PKEY_CTRL_SET1_ID: + break; + default: + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return -2; + } + if (keytype != -1) { switch (evp_pkey_ctx_state(ctx)) { case EVP_PKEY_STATE_PROVIDER: @@ -1703,7 +1435,7 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx, ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); return -2; } - if (ctx->pmeth->pkey_id != keytype) { + if (EVP_PKEY_type(ctx->pmeth->pkey_id) != EVP_PKEY_type(keytype)) { ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); return -1; } @@ -1715,7 +1447,6 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx, return -1; } - cmd = decode_cmd(cmd, name); switch (cmd) { case EVP_PKEY_CTRL_SET1_ID: evp_pkey_ctx_free_cached_data(ctx, cmd, name); @@ -1735,11 +1466,9 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx, } ctx->cached_parameters.dist_id_set = 1; ctx->cached_parameters.dist_id_len = data_len; - return 1; + break; } - - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - return -2; + return 1; } static void evp_pkey_ctx_free_cached_data(EVP_PKEY_CTX *ctx, diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 6ca4f3a541..817372cbb7 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -838,399 +838,219 @@ int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, } #ifndef FIPS_MODULE -int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) +/* Helpers to set or get diverse hash algorithm names */ +static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx, + /* For checks */ + int keytype, int optype, + /* For EVP_PKEY_CTX_set_params() */ + const char *mdkey, const char *mdname, + const char *propkey, const char *mdprops) { - OSSL_PARAM pad_params[2], *p = pad_params; + OSSL_PARAM params[3], *p = params; - if (ctx == NULL) { + if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); /* Uses the same return values as EVP_PKEY_CTX_ctrl */ return -2; } - /* If key type not RSA or RSA-PSS return error */ - if (ctx->pmeth != NULL - && ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - || ctx->op.ciph.ciphprovctx == NULL) - && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - || ctx->op.sig.sigprovctx == NULL)) - return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_RSA_PADDING, - pad_mode, NULL); + /* If key type not RSA return error */ + switch (keytype) { + case -1: + if (!EVP_PKEY_CTX_is_a(ctx, "RSA") + && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) + return -1; + break; + default: + if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) + return -1; + break; + } - *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, &pad_mode); + /* Cast away the const. This is read only so should be safe */ + *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0); + if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) { + /* Cast away the const. This is read only so should be safe */ + *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0); + } *p++ = OSSL_PARAM_construct_end(); - return EVP_PKEY_CTX_set_params(ctx, pad_params); + return evp_pkey_ctx_set_params_strict(ctx, params); } -int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) +/* Helpers to set or get diverse hash algorithm names */ +static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx, + /* For checks */ + int keytype, int optype, + /* For EVP_PKEY_CTX_get_params() */ + const char *mdkey, + char *mdname, size_t mdnamesize) { - OSSL_PARAM pad_params[2], *p = pad_params; + OSSL_PARAM params[2], *p = params; - if (ctx == NULL || pad_mode == NULL) { + if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) { ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); /* Uses the same return values as EVP_PKEY_CTX_ctrl */ return -2; } - /* If key type not RSA or RSA-PSS return error */ - if (ctx->pmeth != NULL - && ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if ((!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - || ctx->op.ciph.ciphprovctx == NULL) - && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - || ctx->op.sig.sigprovctx == NULL)) - return EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, - pad_mode); + /* If key type not RSA return error */ + switch (keytype) { + case -1: + if (!EVP_PKEY_CTX_is_a(ctx, "RSA") + && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) + return -1; + break; + default: + if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype))) + return -1; + break; + } - *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, pad_mode); + /* Cast away the const. This is read only so should be safe */ + *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize); *p++ = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_CTX_get_params(ctx, pad_params)) - return 0; + return evp_pkey_ctx_get_params_strict(ctx, params); +} - return 1; +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated? + */ +int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode) +{ + return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, + pad_mode, NULL); +} +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated? + */ +int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode) +{ + return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, + 0, pad_mode); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name? + */ int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - const char *name; - - if (ctx == NULL || md == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL - && ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_MD, 0, (void *)md); - - name = EVP_MD_name(md); - - return EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(ctx, name, NULL); + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_MD, 0, (void *)(md)); } int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx, const char *mdname, const char *mdprops) { - OSSL_PARAM rsa_params[3], *p = rsa_params; - - if (ctx == NULL || mdname == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL - && ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return -1; - - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_RSA_DIGEST, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)mdname, 0); - if (mdprops != NULL) { - *p++ = OSSL_PARAM_construct_utf8_string( - OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, - /* - * Cast away the const. This is read only so should be safe - */ - (char *)mdprops, 0); - } - *p++ = OSSL_PARAM_construct_end(); - - return EVP_PKEY_CTX_set_params(ctx, rsa_params); + return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, + OSSL_PKEY_PARAM_RSA_DIGEST, mdname, + OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name? + */ int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - const char *name; - - if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.ciph.ciphprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md); - - name = (md == NULL) ? "" : EVP_MD_name(md); - - return EVP_PKEY_CTX_set_rsa_oaep_md_name(ctx, name, NULL); + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)); } int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname, const char *mdprops) { - OSSL_PARAM rsa_params[3], *p = rsa_params; - - if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) - return -1; - - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)mdname, 0); - if (mdprops != NULL) { - *p++ = OSSL_PARAM_construct_utf8_string( - OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, - /* - * Cast away the const. This is read - * only so should be safe - */ - (char *)mdprops, 0); - } - *p++ = OSSL_PARAM_construct_end(); - - return EVP_PKEY_CTX_set_params(ctx, rsa_params); + return + int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, + OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname, + OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops); } int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, - size_t namelen) + size_t namesize) { - OSSL_PARAM rsa_params[2], *p = rsa_params; - - if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) - return -1; - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, - name, namelen); - *p++ = OSSL_PARAM_construct_end(); - - if (!EVP_PKEY_CTX_get_params(ctx, rsa_params)) - return -1; - - return 1; + return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, + OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, + name, namesize); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of getting a name? + */ int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) { - /* 80 should be big enough */ - char name[80] = ""; - - if (ctx == NULL || md == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.ciph.ciphprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md); - - if (EVP_PKEY_CTX_get_rsa_oaep_md_name(ctx, name, sizeof(name)) <= 0) - return -1; - - /* May be NULL meaning "unknown" */ - *md = evp_get_digestbyname_ex(ctx->libctx, name); - - return 1; + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md); } -static int int_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, - /* For EVP_PKEY_CTX_ctrl() */ - int keytype, int optype, int cmd, - const EVP_MD *md, - /* For EVP_PKEY_CTX_set_params() */ - const char *mdname, const char *mdprops) +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name? + */ +int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - OSSL_PARAM rsa_params[3], *p = rsa_params; - - if (ctx == NULL || (ctx->operation & optype) == 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL - && (keytype == -1 - ? (ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - : ctx->pmeth->pkey_id != keytype)) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (cmd != -1) { - if ((EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - && ctx->op.ciph.ciphprovctx == NULL) - || (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - && ctx->op.sig.sigprovctx == NULL) - || (EVP_PKEY_CTX_IS_GEN_OP(ctx) - && ctx->op.keymgmt.genctx == NULL)) - return EVP_PKEY_CTX_ctrl(ctx, keytype, optype, cmd, 0, (void *)md); - - mdname = (md == NULL) ? "" : EVP_MD_name(md); - } - - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST, - /* - * Cast away the const. This is - * read only so should be safe - */ - (char *)mdname, 0); - if (mdprops != NULL) { - *p++ = - OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_PROPERTIES, - /* - * Cast away the const. This is - * read only so should be safe - */ - (char *)mdprops, 0); - } - *p++ = OSSL_PARAM_construct_end(); - - return EVP_PKEY_CTX_set_params(ctx, rsa_params); + return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); } -int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) +int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, + const char *mdprops) { - return int_set_rsa_mgf1_md(ctx, -1, + return int_set_rsa_md_name(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, - EVP_PKEY_CTRL_RSA_MGF1_MD, md, NULL, NULL); + OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, + OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops); } -int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname, - const char *mdprops) +int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, + size_t namesize) { - return int_set_rsa_mgf1_md(ctx, -1, + return int_get_rsa_md_name(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, - -1, NULL, mdname, mdprops); + OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of passing a name? + */ int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - return int_set_rsa_mgf1_md(ctx, EVP_PKEY_RSA_PSS, - EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_RSA_MGF1_MD, - md, NULL, NULL); + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)); } int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname) { - return int_set_rsa_mgf1_md(ctx, EVP_PKEY_RSA_PSS, - EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG, - -1, NULL, mdname, NULL); -} - -int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name, - size_t namelen) -{ - OSSL_PARAM rsa_params[2], *p = rsa_params; - - if (ctx == NULL - || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA or RSA-PSS return error */ - if (ctx->pmeth != NULL - && ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return -1; - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_MGF1_DIGEST, - name, namelen); - *p++ = OSSL_PARAM_construct_end(); - - if (!EVP_PKEY_CTX_get_params(ctx, rsa_params)) - return -1; - - return 1; + return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, + OSSL_PKEY_PARAM_MGF1_DIGEST, mdname, + NULL, NULL); } +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + * TODO(3.0) Should this be deprecated in favor of getting a name? + */ int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md) { - /* 80 should be big enough */ - char name[80] = ""; - - if (ctx == NULL - || (!EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - && !EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx))) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA or RSA-PSS return error */ - if (ctx->pmeth != NULL - && ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if ((EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) - && ctx->op.ciph.ciphprovctx == NULL) - || (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - && ctx->op.sig.sigprovctx == NULL)) - return EVP_PKEY_CTX_ctrl(ctx, -1, - EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)md); - - if (EVP_PKEY_CTX_get_rsa_mgf1_md_name(ctx, name, sizeof(name)) <= 0) - return -1; - - /* May be NULL meaning "unknown" */ - *md = evp_get_digestbyname_ex(ctx->libctx, name); - - return 1; + return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md)); } int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) @@ -1244,27 +1064,20 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) } /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) + if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) return -1; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.ciph.ciphprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, - (void *)label); + /* TODO(3.0) Shouldn't a set0 translate into setting an OCTET_PTR? */ + /* Cast away the const. This is read only so should be safe */ *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, - /* - * Cast away the const. This is - * read only so should be safe - */ - (void *)label, - (size_t)llen); + (void *)label, (size_t)llen); *p++ = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_CTX_set_params(ctx, rsa_params)) + if (!evp_pkey_ctx_set_params_strict(ctx, rsa_params)) return 0; + /* TODO(3.0) ????? */ OPENSSL_free(label); return 1; } @@ -1281,15 +1094,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) } /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) + if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) return -1; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.ciph.ciphprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, - (void *)label); - *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, (void **)label, 0); *p++ = OSSL_PARAM_construct_end(); @@ -1304,84 +1111,63 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label) return (int)labellen; } -static int int_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen, - int keytype, int optype) -{ - OSSL_PARAM pad_params[2], *p = pad_params; - - if (ctx == NULL || (ctx->operation & optype) == 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA or RSA-PSS return error */ - if (ctx->pmeth != NULL - && (keytype == -1 - ? (ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) - : ctx->pmeth->pkey_id != keytype)) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if ((EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - && ctx->op.sig.sigprovctx == NULL) - || (EVP_PKEY_CTX_IS_GEN_OP(ctx) - && ctx->op.keymgmt.genctx == NULL)) - return EVP_PKEY_CTX_ctrl(ctx, keytype, optype, - EVP_PKEY_CTRL_RSA_PSS_SALTLEN, - saltlen, NULL); - - *p++ = - OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, &saltlen); - *p++ = OSSL_PARAM_construct_end(); - - return EVP_PKEY_CTX_set_params(ctx, pad_params); -} - +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen) { - return int_set_rsa_pss_saltlen(ctx, saltlen, -1, EVP_PKEY_OP_TYPE_SIG); + /* + * For some reason, the optype was set to this: + * + * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY + * + * However, we do use RSA-PSS with the whole gamut of diverse signature + * and verification operations, so the optype gets upgraded to this: + * + * EVP_PKEY_OP_TYPE_SIG + */ + return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL); } -int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen) +/* + * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper, + * simply because that's easier. + */ +int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) { - return int_set_rsa_pss_saltlen(ctx, saltlen, EVP_PKEY_RSA_PSS, - EVP_PKEY_OP_KEYGEN); + /* + * Because of circumstances, the optype is updated from: + * + * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY + * + * to: + * + * EVP_PKEY_OP_TYPE_SIG + */ + return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen); } -int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen) +int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen) { OSSL_PARAM pad_params[2], *p = pad_params; - if (ctx == NULL || saltlen == NULL) { + if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); /* Uses the same return values as EVP_PKEY_CTX_ctrl */ return -2; } - /* If key type not RSA or RSA-PSS return error */ - if (ctx->pmeth != NULL - && ctx->pmeth->pkey_id != EVP_PKEY_RSA - && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) return -1; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) - || ctx->op.sig.sigprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, -1, -1, - EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, - 0, saltlen); - - *p++ = - OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, saltlen); + *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, + &saltlen); *p++ = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_CTX_get_params(ctx, pad_params)) - return 0; - - return 1; - + return evp_pkey_ctx_set_params_strict(ctx, pad_params); } int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) @@ -1396,84 +1182,49 @@ int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) } /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA && - ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + if (!EVP_PKEY_CTX_is_a(ctx, "RSA") + && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) return -1; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL); - *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2); *p++ = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_CTX_set_params(ctx, params)) - return 0; - - return 1; + return evp_pkey_ctx_set_params_strict(ctx, params); } -static int evp_pkey_ctx_set_rsa_keygen_pubexp_intern(EVP_PKEY_CTX *ctx, - BIGNUM *pubexp, - int copy) +int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) { - OSSL_PARAM_BLD *tmpl; - OSSL_PARAM *params; - int ret; - - if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) - return -1; - - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) { - if (copy == 1) - pubexp = BN_dup(pubexp); - ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, + int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); - if ((copy == 1) && (ret <= 0)) - BN_free(pubexp); - return ret; - } - - if ((tmpl = OSSL_PARAM_BLD_new()) == NULL) - return 0; - if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_RSA_E, pubexp) - || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) { - OSSL_PARAM_BLD_free(tmpl); - return 0; - } - OSSL_PARAM_BLD_free(tmpl); - - ret = EVP_PKEY_CTX_set_params(ctx, params); - OSSL_PARAM_BLD_free_params(params); /* * Satisfy memory semantics for pre-3.0 callers of * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success. */ - if ((copy == 0) && (ret > 0)) + if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) { + BN_free(ctx->rsa_pubexp); ctx->rsa_pubexp = pubexp; + } return ret; } -int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) -{ - return evp_pkey_ctx_set_rsa_keygen_pubexp_intern(ctx, pubexp, 0); -} - int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) { - return evp_pkey_ctx_set_rsa_keygen_pubexp_intern(ctx, pubexp, 1); + int ret = 0; + + /* + * When we're dealing with a provider, there's no need to duplicate + * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway. + */ + if (evp_pkey_ctx_is_legacy(ctx)) + pubexp = BN_dup(pubexp); + ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); + if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0) + BN_free(pubexp); + return ret; } int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes) @@ -1488,21 +1239,13 @@ int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes) } /* If key type not RSA return error */ - if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_RSA) + if (!EVP_PKEY_CTX_is_a(ctx, "RSA") + && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS")) return -1; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES, primes, - NULL); - *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2); *p++ = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_CTX_set_params(ctx, params)) - return 0; - - return 1; + return evp_pkey_ctx_set_params_strict(ctx, params); } #endif diff --git a/doc/man3/EVP_PKEY_CTX_new.pod b/doc/man3/EVP_PKEY_CTX_new.pod index 3342386d94..cb203dbd71 100644 --- a/doc/man3/EVP_PKEY_CTX_new.pod +++ b/doc/man3/EVP_PKEY_CTX_new.pod @@ -3,7 +3,8 @@ =head1 NAME EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_new_from_name, -EVP_PKEY_CTX_new_from_pkey, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free +EVP_PKEY_CTX_new_from_pkey, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free, +EVP_PKEY_CTX_is_a - public key algorithm context functions =head1 SYNOPSIS @@ -20,6 +21,7 @@ EVP_PKEY_CTX_new_from_pkey, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free const char *propquery); EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *ctx); void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx); + int EVP_PKEY_CTX_is_a(EVP_PKEY_CTX *ctx, const char *keytype); =head1 DESCRIPTION @@ -53,6 +55,8 @@ keygen operation. EVP_PKEY_CTX_free() frees up the context I. If I is NULL, nothing is done. +EVP_PKEY_is_a() checks if the key type associated with I is I. + =head1 NOTES =head2 On B @@ -102,6 +106,8 @@ the newly allocated B structure or B if an error occurred. EVP_PKEY_CTX_free() does not return a value. +EVP_PKEY_CTX_is_a() returns 1 for true and 0 for false. + =head1 SEE ALSO L diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 7f28edd6c2..0ed9a02396 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -23,7 +23,7 @@ #define EVP_MD_CTX_FLAG_KEEP_PKEY_CTX 0x0400 /* - * An EVP_PKEY can have the following support states: + * An EVP_PKEY_CTX can have the following support states: * * Supports legacy implementations only: * @@ -598,8 +598,13 @@ DEFINE_STACK_OF(OP_CACHE_ELEM) ((pk)->type == EVP_PKEY_NONE && (pk)->keymgmt == NULL) #define evp_pkey_is_typed(pk) \ ((pk)->type != EVP_PKEY_NONE || (pk)->keymgmt != NULL) -#define evp_pkey_is_assigned(pk) \ +#ifndef FIPS_MODULE +# define evp_pkey_is_assigned(pk) \ ((pk)->pkey.ptr != NULL || (pk)->keydata != NULL) +#else +# define evp_pkey_is_assigned(pk) \ + ((pk)->keydata != NULL) +#endif #define evp_pkey_is_legacy(pk) \ ((pk)->type != EVP_PKEY_NONE && (pk)->keymgmt == NULL) #define evp_pkey_is_provided(pk) \ @@ -700,6 +705,9 @@ struct evp_pkey_st { ((ctx)->operation == EVP_PKEY_OP_PARAMGEN \ || (ctx)->operation == EVP_PKEY_OP_KEYGEN) +#define EVP_PKEY_CTX_IS_FROMDATA_OP(ctx) \ + ((ctx)->operation == EVP_PKEY_OP_FROMDATA) + #define EVP_PKEY_CTX_IS_KEM_OP(ctx) \ ((ctx)->operation == EVP_PKEY_OP_ENCAPSULATE \ || (ctx)->operation == EVP_PKEY_OP_DECAPSULATE) @@ -858,4 +866,24 @@ EVP_PKEY *evp_privatekey_from_binary(int keytype, EVP_PKEY **a, const unsigned char **pp, long length, OSSL_LIB_CTX *libctx, const char *propq); +/* Three possible states: */ +# define EVP_PKEY_STATE_UNKNOWN 0 +# define EVP_PKEY_STATE_LEGACY 1 +# define EVP_PKEY_STATE_PROVIDER 2 +int evp_pkey_ctx_state(const EVP_PKEY_CTX *ctx); + +/* These two must ONLY be called for provider side operations */ +int evp_pkey_ctx_ctrl_to_param(EVP_PKEY_CTX *ctx, + int keytype, int optype, + int cmd, int p1, void *p2); +int evp_pkey_ctx_ctrl_str_to_param(EVP_PKEY_CTX *ctx, + const char *name, const char *value); + +/* These two must ONLY be called for legacy operations */ +int evp_pkey_ctx_set_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params); +int evp_pkey_ctx_get_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params); + +/* This must ONLY be called for legacy EVP_PKEYs */ +int evp_pkey_get_params_to_ctrl(const EVP_PKEY *pkey, OSSL_PARAM *params); + #endif /* OSSL_CRYPTO_EVP_H */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index bdce18c5ee..1bf244322e 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1649,6 +1649,7 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_new_from_pkey(OSSL_LIB_CTX *libctx, EVP_PKEY *pkey, const char *propquery); EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *ctx); void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx); +int EVP_PKEY_CTX_is_a(EVP_PKEY_CTX *ctx, const char *keytype); int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params); const OSSL_PARAM *EVP_PKEY_CTX_gettable_params(EVP_PKEY_CTX *ctx); diff --git a/util/libcrypto.num b/util/libcrypto.num index b602ee4978..a16b6e17eb 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5300,3 +5300,4 @@ EVP_PKEY_fromdata_init ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_fromdata_settable ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_param_check_quick ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_public_check_quick ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_is_a ? 3_0_0 EXIST::FUNCTION: From pauli at openssl.org Tue Feb 23 13:41:44 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 23 Feb 2021 13:41:44 +0000 Subject: [openssl] master update Message-ID: <1614087704.265022.13632.nullmailer@dev.openssl.org> The branch master has been updated via 1263154064d2a15253381353cf804e05af18ad1b (commit) via 299f5ff3b5f2a5a9b5666e36a6a01fc430de9198 (commit) via 332a245c04dff95f81cfa1f77e0f8a935794f5ee (commit) via d994ce12058d80f1f04257c30f89d04d5f6399e1 (commit) via b3ab537b3a4098857d2039d1d745fee0ea5a96e3 (commit) via 9c6ee56318d2fb1c5885fccb4f2c4dde83e8a2ea (commit) via f626c3ffae90cacc1044dbcf01c3379fceea61bc (commit) via 786b13fa7786db8f198c46090816d9a3e4ae72fb (commit) via de2ea978b5be4607c677aaefceebff39b1520e0a (commit) via 0a89ae97d96275994d96b560400d3fa97f752879 (commit) via ac60c84fc4551761743e087e2f51343181eb8e85 (commit) from f5b00834dd11d766b9232e89e40884db8f3cd7ec (commit) - Log ----------------------------------------------------------------- commit 1263154064d2a15253381353cf804e05af18ad1b Author: Pauli Date: Sat Feb 20 12:48:33 2021 +1000 changes: note the deprecation of RAND_METHOD APIs Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit 299f5ff3b5f2a5a9b5666e36a6a01fc430de9198 Author: Pauli Date: Thu Feb 18 09:16:26 2021 +1000 provider: add option to load a provider without disabling the fallbacks. Add an argument to PROVIDER_try_load() that permits a provider to be loaded without changing the fallback status. This is useful when an additional provider needs to be loaded without perturbing any other setup. E.g. adding mock providers as part of unit testing. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit 332a245c04dff95f81cfa1f77e0f8a935794f5ee Author: Pauli Date: Wed Feb 17 11:55:13 2021 +1000 test: update tests to use the fake random number generator Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit d994ce12058d80f1f04257c30f89d04d5f6399e1 Author: Pauli Date: Wed Feb 17 11:54:48 2021 +1000 test: make the DRBG test work without RAND_METHOD support. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit b3ab537b3a4098857d2039d1d745fee0ea5a96e3 Author: Pauli Date: Wed Feb 17 11:54:01 2021 +1000 test: add framework for generic fake random number generator Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit 9c6ee56318d2fb1c5885fccb4f2c4dde83e8a2ea Author: Pauli Date: Tue Feb 16 13:32:07 2021 +1000 rand: add DRBG/seed setting functions Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit f626c3ffae90cacc1044dbcf01c3379fceea61bc Author: Pauli Date: Mon Feb 22 09:45:37 2021 +1000 rand: allow lock/unlock functions to be absent Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit 786b13fa7786db8f198c46090816d9a3e4ae72fb Author: Pauli Date: Thu Dec 10 12:05:11 2020 +1000 RAND_METHOD deprecation: code changes Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit de2ea978b5be4607c677aaefceebff39b1520e0a Author: Pauli Date: Thu Dec 10 12:04:58 2020 +1000 RAND_METHOD deprecation: fuzzer Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit 0a89ae97d96275994d96b560400d3fa97f752879 Author: Pauli Date: Thu Dec 10 12:04:45 2020 +1000 RAND_METHOD deprecation: tests Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) commit ac60c84fc4551761743e087e2f51343181eb8e85 Author: Pauli Date: Thu Dec 10 12:04:27 2020 +1000 RAND_METHOD deprecation: documentation Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13652) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 7 ++ crypto/evp/evp_rand.c | 7 +- crypto/provider.c | 7 +- crypto/provider_conf.c | 2 +- crypto/provider_core.c | 10 +- crypto/rand/build.info | 6 +- crypto/rand/rand_lib.c | 110 +++++++++++++++--- doc/internal/man3/ossl_provider_new.pod | 9 +- doc/man3/OSSL_PROVIDER.pod | 9 +- doc/man3/RAND_get0_primary.pod | 1 - doc/man3/RAND_set_DRBG_type.pod | 64 +++++++++++ doc/man3/RAND_set_rand_method.pod | 14 ++- doc/man7/RAND.pod | 10 +- fuzz/asn1.c | 5 +- fuzz/build.info | 20 ++-- fuzz/client.c | 5 +- fuzz/cmp.c | 4 +- fuzz/fuzz_rand.c | 164 +++++++++++++++++++++++++++ fuzz/fuzzer.h | 2 + fuzz/rand.inc | 40 ------- fuzz/server.c | 7 +- fuzz/x509.c | 5 +- include/internal/provider.h | 2 +- include/openssl/provider.h | 3 +- include/openssl/rand.h | 19 +++- test/build.info | 2 +- test/drbgtest.c | 7 ++ test/ecdsatest.c | 57 +++------- test/provider_internal_test.c | 2 +- test/sm2_internal_test.c | 46 ++++---- test/testutil.h | 5 + test/testutil/driver.c | 12 +- test/testutil/fake_random.c | 192 ++++++++++++++++++++++++++++++++ util/libcrypto.num | 10 +- 34 files changed, 671 insertions(+), 194 deletions(-) create mode 100644 doc/man3/RAND_set_DRBG_type.pod create mode 100644 fuzz/fuzz_rand.c delete mode 100644 fuzz/rand.inc create mode 100644 test/testutil/fake_random.c diff --git a/CHANGES.md b/CHANGES.md index e45cb3a1fd..0e9f27824c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,13 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] +* The RAND_METHOD APIs have been deprecated. The functions deprecated are: + RAND_OpenSSL(), RAND_get_rand_method(), RAND_set_rand_engine() and + RAND_set_rand_method(). Provider based random number generators should + be used instead via EVP_RAND(3). + + *Paul Dale* + * The SRP APIs have been deprecated. The old APIs do not work via providers, and there is no EVP interface to them. Unfortunately there is no replacement for these APIs at this time. diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index a1206c154f..4d18194a0b 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -117,7 +117,7 @@ static void *evp_rand_from_dispatch(int name_id, OSSL_PROVIDER *prov) { EVP_RAND *rand = NULL; - int fnrandcnt = 0, fnctxcnt = 0, fnlockcnt = 0; + int fnrandcnt = 0, fnctxcnt = 0, fnlockcnt = 0, fnenablelockcnt = 0; #ifdef FIPS_MODULE int fnzeroizecnt = 0; #endif @@ -174,7 +174,7 @@ static void *evp_rand_from_dispatch(int name_id, if (rand->enable_locking != NULL) break; rand->enable_locking = OSSL_FUNC_rand_enable_locking(fns); - fnlockcnt++; + fnenablelockcnt++; break; case OSSL_FUNC_RAND_LOCK: if (rand->lock != NULL) @@ -243,7 +243,8 @@ static void *evp_rand_from_dispatch(int name_id, */ if (fnrandcnt != 3 || fnctxcnt != 3 - || (fnlockcnt != 0 && fnlockcnt != 3) + || (fnenablelockcnt != 0 && fnenablelockcnt != 1) + || (fnlockcnt != 0 && fnlockcnt != 2) #ifdef FIPS_MODULE || fnzeroizecnt != 1 #endif diff --git a/crypto/provider.c b/crypto/provider.c index bd8f75a2c1..90c31f3ac5 100644 --- a/crypto/provider.c +++ b/crypto/provider.c @@ -13,7 +13,8 @@ #include #include "internal/provider.h" -OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name) +OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name, + int retain_fallbacks) { OSSL_PROVIDER *prov = NULL; @@ -22,7 +23,7 @@ OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name) && (prov = ossl_provider_new(libctx, name, NULL, 0)) == NULL) return NULL; - if (!ossl_provider_activate(prov)) { + if (!ossl_provider_activate(prov, retain_fallbacks)) { ossl_provider_free(prov); return NULL; } @@ -34,7 +35,7 @@ OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name) { /* Any attempt to load a provider disables auto-loading of defaults */ if (ossl_provider_disable_fallback_loading(libctx)) - return OSSL_PROVIDER_try_load(libctx, name); + return OSSL_PROVIDER_try_load(libctx, name, 0); return NULL; } diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c index 709e7a1c51..cbae99a474 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -130,7 +130,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, ok = provider_conf_params(prov, NULL, value, cnf); if (ok && activate) { - if (!ossl_provider_activate(prov)) { + if (!ossl_provider_activate(prov, 0)) { ok = 0; } else { if (activated_providers == NULL) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 627ff384e1..da751e60ce 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -667,14 +667,16 @@ static int provider_activate(OSSL_PROVIDER *prov) return 0; } -int ossl_provider_activate(OSSL_PROVIDER *prov) +int ossl_provider_activate(OSSL_PROVIDER *prov, int retain_fallbacks) { if (prov == NULL) return 0; if (provider_activate(prov)) { - CRYPTO_THREAD_write_lock(prov->store->lock); - prov->store->use_fallbacks = 0; - CRYPTO_THREAD_unlock(prov->store->lock); + if (!retain_fallbacks) { + CRYPTO_THREAD_write_lock(prov->store->lock); + prov->store->use_fallbacks = 0; + CRYPTO_THREAD_unlock(prov->store->lock); + } return 1; } return 0; diff --git a/crypto/rand/build.info b/crypto/rand/build.info index b9dc16a6c7..500667c332 100644 --- a/crypto/rand/build.info +++ b/crypto/rand/build.info @@ -1,12 +1,14 @@ LIBS=../../libcrypto -$COMMON=rand_lib.c rand_meth.c +$COMMON=rand_lib.c $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c IF[{- !$disabled{'egd'} -}] $CRYPTO=$CRYPTO rand_egd.c ENDIF - +IF[{- !$disabled{'deprecated-3.0'} -}] + $COMMON=$COMMON rand_meth.c +ENDIF SOURCE[../../libcrypto]=$COMMON $CRYPTO SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 69afa9d2ea..2a4055f617 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -35,8 +35,10 @@ static ENGINE *funct_ref; static CRYPTO_RWLOCK *rand_engine_lock; # endif +# ifndef OPENSSL_NO_DEPRECATED_3_0 static CRYPTO_RWLOCK *rand_meth_lock; static const RAND_METHOD *default_RAND_meth; +# endif static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT; static int rand_inited = 0; @@ -49,9 +51,11 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init) return 0; # endif +# ifndef OPENSSL_NO_DEPRECATED_3_0 rand_meth_lock = CRYPTO_THREAD_lock_new(); if (rand_meth_lock == NULL) goto err; +# endif if (!rand_pool_init()) goto err; @@ -60,8 +64,10 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init) return 1; err: +# ifndef OPENSSL_NO_DEPRECATED_3_0 CRYPTO_THREAD_lock_free(rand_meth_lock); rand_meth_lock = NULL; +# endif # ifndef OPENSSL_NO_ENGINE CRYPTO_THREAD_lock_free(rand_engine_lock); rand_engine_lock = NULL; @@ -71,6 +77,7 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init) void rand_cleanup_int(void) { +# ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = default_RAND_meth; if (!rand_inited) @@ -79,13 +86,16 @@ void rand_cleanup_int(void) if (meth != NULL && meth->cleanup != NULL) meth->cleanup(); RAND_set_rand_method(NULL); +# endif rand_pool_cleanup(); # ifndef OPENSSL_NO_ENGINE CRYPTO_THREAD_lock_free(rand_engine_lock); rand_engine_lock = NULL; # endif +# ifndef OPENSSL_NO_DEPRECATED_3_0 CRYPTO_THREAD_lock_free(rand_meth_lock); rand_meth_lock = NULL; +# endif rand_inited = 0; } @@ -109,13 +119,13 @@ void RAND_keep_random_devices_open(int keep) */ int RAND_poll(void) { +# ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = RAND_get_rand_method(); int ret = meth == RAND_OpenSSL(); if (meth == NULL) return 0; -#ifndef OPENSSL_NO_DEPRECATED_3_0 if (!ret) { /* fill random pool and seed the current legacy RNG */ RAND_POOL *pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, @@ -138,20 +148,26 @@ int RAND_poll(void) err: rand_pool_free(pool); } -#endif return ret; +# else + static const char salt[] = "polling"; + + RAND_seed(salt, sizeof(salt)); + return 1; +# endif } +# ifndef OPENSSL_NO_DEPRECATED_3_0 int RAND_set_rand_method(const RAND_METHOD *meth) { if (!RUN_ONCE(&rand_init, do_rand_init)) return 0; CRYPTO_THREAD_write_lock(rand_meth_lock); -# ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE ENGINE_finish(funct_ref); funct_ref = NULL; -# endif +# endif default_RAND_meth = meth; CRYPTO_THREAD_unlock(rand_meth_lock); return 1; @@ -166,7 +182,7 @@ const RAND_METHOD *RAND_get_rand_method(void) CRYPTO_THREAD_write_lock(rand_meth_lock); if (default_RAND_meth == NULL) { -# ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE ENGINE *e; /* If we have an engine that can do RAND, use it. */ @@ -178,16 +194,16 @@ const RAND_METHOD *RAND_get_rand_method(void) ENGINE_finish(e); default_RAND_meth = &rand_meth; } -# else +# else default_RAND_meth = &rand_meth; -# endif +# endif } tmp_meth = default_RAND_meth; CRYPTO_THREAD_unlock(rand_meth_lock); return tmp_meth; } -# if !defined(OPENSSL_NO_ENGINE) +# if !defined(OPENSSL_NO_ENGINE) int RAND_set_rand_engine(ENGINE *engine) { const RAND_METHOD *tmp_meth = NULL; @@ -211,22 +227,40 @@ int RAND_set_rand_engine(ENGINE *engine) CRYPTO_THREAD_unlock(rand_engine_lock); return 1; } -# endif +# endif +# endif /* OPENSSL_NO_DEPRECATED_3_0 */ void RAND_seed(const void *buf, int num) { + EVP_RAND_CTX *drbg; +# ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != NULL && meth->seed != NULL) + if (meth != NULL && meth->seed != NULL) { meth->seed(buf, num); + return; + } +# endif + + drbg = RAND_get0_primary(NULL); + if (drbg != NULL && num > 0) + EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num); } void RAND_add(const void *buf, int num, double randomness) { + EVP_RAND_CTX *drbg; +# ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != NULL && meth->add != NULL) + if (meth != NULL && meth->add != NULL) { meth->add(buf, num, randomness); + return; + } +# endif + drbg = RAND_get0_primary(NULL); + if (drbg != NULL && num > 0) + EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num); } # if !defined(OPENSSL_NO_DEPRECATED_1_1_0) @@ -244,21 +278,25 @@ int RAND_pseudo_bytes(unsigned char *buf, int num) int RAND_status(void) { EVP_RAND_CTX *rand; +# ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = RAND_get_rand_method(); if (meth != NULL && meth != RAND_OpenSSL()) return meth->status != NULL ? meth->status() : 0; +# endif if ((rand = RAND_get0_primary(NULL)) == NULL) return 0; return EVP_RAND_state(rand) == EVP_RAND_STATE_READY; } -#else /* !FIPS_MODULE */ +# else /* !FIPS_MODULE */ +# ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *RAND_get_rand_method(void) { return NULL; } +# endif #endif /* !FIPS_MODULE */ /* @@ -269,6 +307,7 @@ const RAND_METHOD *RAND_get_rand_method(void) int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, int num) { EVP_RAND_CTX *rand; +#ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = RAND_get_rand_method(); if (meth != NULL && meth != RAND_OpenSSL()) { @@ -277,6 +316,7 @@ int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, int num) ERR_raise(ERR_LIB_RAND, RAND_R_FUNC_NOT_IMPLEMENTED); return -1; } +#endif rand = RAND_get0_private(ctx); if (rand != NULL) @@ -293,6 +333,7 @@ int RAND_priv_bytes(unsigned char *buf, int num) int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, int num) { EVP_RAND_CTX *rand; +#ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = RAND_get_rand_method(); if (meth != NULL && meth != RAND_OpenSSL()) { @@ -301,6 +342,7 @@ int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, int num) ERR_raise(ERR_LIB_RAND, RAND_R_FUNC_NOT_IMPLEMENTED); return -1; } +#endif rand = RAND_get0_public(ctx); if (rand != NULL) @@ -670,11 +712,14 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx) #ifndef FIPS_MODULE static int random_set_string(char **p, const char *s) { - char *d = OPENSSL_strdup(s); + char *d = NULL; - if (d == NULL) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); - return 0; + if (s != NULL) { + d = OPENSSL_strdup(s); + if (d == NULL) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); + return 0; + } } OPENSSL_free(*p); *p = d; @@ -742,4 +787,37 @@ void ossl_random_add_conf_module(void) OSSL_TRACE(CONF, "Adding config module 'random'\n"); CONF_module_add("random", random_conf_init, random_conf_deinit); } + +int RAND_set_DRBG_type(OSSL_LIB_CTX *ctx, const char *drbg, const char *propq, + const char *cipher, const char *digest) +{ + RAND_GLOBAL *dgbl = rand_get_global(ctx); + + if (dgbl == NULL) + return 0; + if (dgbl->primary != NULL) { + ERR_raise(ERR_LIB_CRYPTO, RAND_R_ALREADY_INSTANTIATED); + return 0; + } + return random_set_string(&dgbl->rng_name, drbg) + && random_set_string(&dgbl->rng_propq, propq) + && random_set_string(&dgbl->rng_cipher, cipher) + && random_set_string(&dgbl->rng_digest, digest); +} + +int RAND_set_seed_source_type(OSSL_LIB_CTX *ctx, const char *seed, + const char *propq) +{ + RAND_GLOBAL *dgbl = rand_get_global(ctx); + + if (dgbl == NULL) + return 0; + if (dgbl->primary != NULL) { + ERR_raise(ERR_LIB_CRYPTO, RAND_R_ALREADY_INSTANTIATED); + return 0; + } + return random_set_string(&dgbl->seed_name, seed) + && random_set_string(&dgbl->seed_propq, propq); +} + #endif diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod index d01673e767..d74ce57fef 100644 --- a/doc/internal/man3/ossl_provider_new.pod +++ b/doc/internal/man3/ossl_provider_new.pod @@ -40,7 +40,7 @@ ossl_provider_get_capabilities * Activate the Provider * If the Provider is a module, the module will be loaded */ - int ossl_provider_activate(OSSL_PROVIDER *prov); + int ossl_provider_activate(OSSL_PROVIDER *prov, int retain_fallbacks); int ossl_provider_deactivate(OSSL_PROVIDER *prov); /* Check if provider is available (activated) */ int ossl_provider_available(OSSL_PROVIDER *prov); @@ -178,6 +178,9 @@ be located in that module, and called. =back +If I is zero, fallbacks are disabled. If it is nonzero, +fallbacks are left unchanged. + ossl_provider_deactivate() "deactivates" the provider for the given provider object I by decrementing its activation count. When that count reaches zero, the activation flag is cleared. @@ -277,8 +280,8 @@ it has been incremented. ossl_provider_free() doesn't return any value. ossl_provider_set_module_path(), ossl_provider_set_fallback(), -ossl_provider_activate() and ossl_provider_deactivate() return 1 on -success, or 0 on error. +ossl_provider_activate(), ossl_provider_activate_leave_fallbacks() and +ossl_provider_deactivate() return 1 on success, or 0 on error. ossl_provider_available() return 1 if the provider is available, otherwise 0. diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index 81a2ac2bcb..e5c451259a 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod @@ -21,7 +21,8 @@ OSSL_PROVIDER_get_capabilities, OSSL_PROVIDER_self_test const char *path); OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name); - OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name); + OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name, + int retain_fallbacks); int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); int OSSL_PROVIDER_available(OSSL_LIB_CTX *libctx, const char *name); int OSSL_PROVIDER_do_all(OSSL_LIB_CTX *ctx, @@ -79,9 +80,9 @@ entry point, C. OSSL_PROVIDER_try_load() functions like OSSL_PROVIDER_load(), except that it does not disable the fallback providers if the provider cannot be -loaded and initialized. -If the provider loads successfully, however, the fallback providers are -disabled. +loaded and initialized or if I is zero. +If the provider loads successfully and I is nonzero, the +fallback providers are disabled. OSSL_PROVIDER_unload() unloads the given provider. For a provider added with OSSL_PROVIDER_add_builtin(), this simply diff --git a/doc/man3/RAND_get0_primary.pod b/doc/man3/RAND_get0_primary.pod index 5d84b330ab..cf0fae95f7 100644 --- a/doc/man3/RAND_get0_primary.pod +++ b/doc/man3/RAND_get0_primary.pod @@ -15,7 +15,6 @@ RAND_get0_private EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_CTX *ctx); EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx); - =head1 DESCRIPTION The default RAND API implementation (RAND_OpenSSL()) utilizes three diff --git a/doc/man3/RAND_set_DRBG_type.pod b/doc/man3/RAND_set_DRBG_type.pod new file mode 100644 index 0000000000..f78c15ff45 --- /dev/null +++ b/doc/man3/RAND_set_DRBG_type.pod @@ -0,0 +1,64 @@ +=pod + +=head1 NAME + +RAND_set_DRBG_type, +RAND_set_seed_source_type +- specify the global random number generator types + +=head1 SYNOPSIS + + #include + + int RAND_set_DRBG_type(OSSL_LIB_CTX *ctx, const char *drbg, const char *propq, + const char *cipher, const char *digest); + int RAND_set_seed_source_type(OSSL_LIB_CTX *ctx, const char *seed, + const char *propq); + +=head1 DESCRIPTION + +RAND_set_DRBG_type() specifies the random bit generator that will be +used within the library context I. A generator of name I +with properties I will be fetched. It will be instantiated with +either I or I as its underlying cryptographic algorithm. +This specifies the type that will be used for the primary, public and +private random instances. + +RAND_set_seed_source_type() specifies the seed source that will be used +within the library context I. The seed source of name I +with properties I will be fetched and used to seed the primary +random big generator. + +=head1 RETURN VALUES + +These function return 1 on success and 0 on failure. + +=head1 NOTES + +These functions must be called before the random bit generators are first +created in the library context. They will return an error if the call +is made too late. + +The default DRBG is "CTR-DRBG" using the "AES-256-CTR" cipher. + +The default seed source is "SEED-SRC". + +=head1 SEE ALSO + +L, +L + +=head1 HISTORY + +These functions were added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/RAND_set_rand_method.pod b/doc/man3/RAND_set_rand_method.pod index a989c1c9b4..755e25dde1 100644 --- a/doc/man3/RAND_set_rand_method.pod +++ b/doc/man3/RAND_set_rand_method.pod @@ -8,6 +8,10 @@ RAND_set_rand_method, RAND_get_rand_method, RAND_OpenSSL - select RAND method #include +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + RAND_METHOD *RAND_OpenSSL(void); int RAND_set_rand_method(const RAND_METHOD *meth); @@ -16,6 +20,10 @@ RAND_set_rand_method, RAND_get_rand_method, RAND_OpenSSL - select RAND method =head1 DESCRIPTION +All of the functions described on this page are deprecated. +Applications should instead use L, +L and L. + A B specifies the functions that OpenSSL uses for random number generation. @@ -55,14 +63,16 @@ methods. =head1 SEE ALSO +L, +L, L, L, +L, L =head1 HISTORY -The ability for an B to replace the RAND API was deprecated in -OpenSSL 3.0. +All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man7/RAND.pod b/doc/man7/RAND.pod index 7bad23a0ca..8ae55ccac8 100644 --- a/doc/man7/RAND.pod +++ b/doc/man7/RAND.pod @@ -46,8 +46,8 @@ possible about its internal state, and that a compromise of the "public" CSPRNG instance will not affect the secrecy of these private values. In the rare case where the default implementation does not satisfy your special -requirements, the default RAND method can be replaced by your own RAND -method using L. +requirements, the default RAND internals can be replaced by your own +L objects. Changing the default random generator should be necessary only in exceptional cases and is not recommended, unless you have a profound @@ -66,11 +66,9 @@ number generator (CSPRNG), which is described in [NIST SP 800-90A Rev. 1]. L, L, -L, -L, -L, L, -L +L, +L =head1 COPYRIGHT diff --git a/fuzz/asn1.c b/fuzz/asn1.c index 15a517a72c..449d851e68 100644 --- a/fuzz/asn1.c +++ b/fuzz/asn1.c @@ -40,8 +40,6 @@ #include #include "fuzzer.h" -#include "rand.inc" - static ASN1_ITEM_EXP *item_type[] = { ASN1_ITEM_ref(ACCESS_DESCRIPTION), #ifndef OPENSSL_NO_RFC3779 @@ -280,6 +278,7 @@ static ASN1_PCTX *pctx; int FuzzerInitialize(int *argc, char ***argv) { + FuzzerSetRand(); pctx = ASN1_PCTX_new(); ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT | ASN1_PCTX_FLAGS_SHOW_SEQUENCE | ASN1_PCTX_FLAGS_SHOW_SSOF | @@ -291,7 +290,6 @@ int FuzzerInitialize(int *argc, char ***argv) OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); ERR_clear_error(); CRYPTO_free_ex_index(0, -1); - FuzzerSetRand(); return 1; } @@ -365,4 +363,5 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) void FuzzerCleanup(void) { ASN1_PCTX_free(pctx); + FuzzerClearRand(); } diff --git a/fuzz/build.info b/fuzz/build.info index e52b8e3b57..7b26b8c152 100644 --- a/fuzz/build.info +++ b/fuzz/build.info @@ -23,7 +23,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] PROGRAMS{noinst}=ct ENDIF - SOURCE[asn1]=asn1.c driver.c + SOURCE[asn1]=asn1.c driver.c fuzz_rand.c INCLUDE[asn1]=../include {- $ex_inc -} DEPEND[asn1]=../libcrypto ../libssl {- $ex_lib -} @@ -39,11 +39,11 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] INCLUDE[bndiv]=../include {- $ex_inc -} DEPEND[bndiv]=../libcrypto {- $ex_lib -} - SOURCE[client]=client.c driver.c + SOURCE[client]=client.c driver.c fuzz_rand.c INCLUDE[client]=../include {- $ex_inc -} DEPEND[client]=../libcrypto ../libssl {- $ex_lib -} - SOURCE[cmp]=cmp.c driver.c + SOURCE[cmp]=cmp.c driver.c fuzz_rand.c INCLUDE[cmp]=../include {- $ex_inc -} DEPEND[cmp]=../libcrypto {- $ex_lib -} @@ -63,11 +63,11 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] INCLUDE[ct]=../include {- $ex_inc -} DEPEND[ct]=../libcrypto {- $ex_lib -} - SOURCE[server]=server.c driver.c + SOURCE[server]=server.c driver.c fuzz_rand.c INCLUDE[server]=../include {- $ex_inc -} DEPEND[server]=../libcrypto ../libssl {- $ex_lib -} - SOURCE[x509]=x509.c driver.c + SOURCE[x509]=x509.c driver.c fuzz_rand.c INCLUDE[x509]=../include {- $ex_inc -} DEPEND[x509]=../libcrypto {- $ex_lib -} ENDIF @@ -87,7 +87,7 @@ IF[{- !$disabled{tests} -}] PROGRAMS{noinst}=ct-test ENDIF - SOURCE[asn1-test]=asn1.c test-corpus.c + SOURCE[asn1-test]=asn1.c test-corpus.c fuzz_rand.c INCLUDE[asn1-test]=../include DEPEND[asn1-test]=../libcrypto ../libssl @@ -103,11 +103,11 @@ IF[{- !$disabled{tests} -}] INCLUDE[bndiv-test]=../include DEPEND[bndiv-test]=../libcrypto - SOURCE[client-test]=client.c test-corpus.c + SOURCE[client-test]=client.c test-corpus.c fuzz_rand.c INCLUDE[client-test]=../include DEPEND[client-test]=../libcrypto ../libssl - SOURCE[cmp-test]=cmp.c test-corpus.c + SOURCE[cmp-test]=cmp.c test-corpus.c fuzz_rand.c INCLUDE[cmp-test]=../include DEPEND[cmp-test]=../libcrypto.a # referring to static lib allows using non-exported functions @@ -128,11 +128,11 @@ IF[{- !$disabled{tests} -}] INCLUDE[ct-test]=../include DEPEND[ct-test]=../libcrypto - SOURCE[server-test]=server.c test-corpus.c + SOURCE[server-test]=server.c test-corpus.c fuzz_rand.c INCLUDE[server-test]=../include DEPEND[server-test]=../libcrypto ../libssl - SOURCE[x509-test]=x509.c test-corpus.c + SOURCE[x509-test]=x509.c test-corpus.c fuzz_rand.c INCLUDE[x509-test]=../include DEPEND[x509-test]=../libcrypto ENDIF diff --git a/fuzz/client.c b/fuzz/client.c index 2c2cd90fb8..007b0d6443 100644 --- a/fuzz/client.c +++ b/fuzz/client.c @@ -18,8 +18,6 @@ #include #include "fuzzer.h" -#include "rand.inc" - /* unused, to avoid warning. */ static int idx; @@ -42,12 +40,12 @@ int FuzzerInitialize(int *argc, char ***argv) { STACK_OF(SSL_COMP) *comp_methods; + FuzzerSetRand(); OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL); OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); ERR_clear_error(); CRYPTO_free_ex_index(0, -1); idx = SSL_get_ex_data_X509_STORE_CTX_idx(); - FuzzerSetRand(); comp_methods = SSL_COMP_get_compression_methods(); if (comp_methods != NULL) sk_SSL_COMP_sort(comp_methods); @@ -99,4 +97,5 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) void FuzzerCleanup(void) { + FuzzerClearRand(); } diff --git a/fuzz/cmp.c b/fuzz/cmp.c index ae4c1ec753..82a812baba 100644 --- a/fuzz/cmp.c +++ b/fuzz/cmp.c @@ -16,14 +16,13 @@ #include "../crypto/cmp/cmp_local.h" #include #include "fuzzer.h" -#include "rand.inc" int FuzzerInitialize(int *argc, char ***argv) { + FuzzerSetRand(); OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); ERR_clear_error(); CRYPTO_free_ex_index(0, -1); - FuzzerSetRand(); return 1; } @@ -200,4 +199,5 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) void FuzzerCleanup(void) { + FuzzerClearRand(); } diff --git a/fuzz/fuzz_rand.c b/fuzz/fuzz_rand.c new file mode 100644 index 0000000000..99c32509c6 --- /dev/null +++ b/fuzz/fuzz_rand.c @@ -0,0 +1,164 @@ +/* + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include +#include +#include +#include "fuzzer.h" + +static OSSL_FUNC_rand_newctx_fn fuzz_rand_newctx; +static OSSL_FUNC_rand_freectx_fn fuzz_rand_freectx; +static OSSL_FUNC_rand_instantiate_fn fuzz_rand_instantiate; +static OSSL_FUNC_rand_uninstantiate_fn fuzz_rand_uninstantiate; +static OSSL_FUNC_rand_generate_fn fuzz_rand_generate; +static OSSL_FUNC_rand_gettable_ctx_params_fn fuzz_rand_gettable_ctx_params; +static OSSL_FUNC_rand_get_ctx_params_fn fuzz_rand_get_ctx_params; +static OSSL_FUNC_rand_enable_locking_fn fuzz_rand_enable_locking; + +static void *fuzz_rand_newctx( + void *provctx, void *parent, const OSSL_DISPATCH *parent_dispatch) +{ + int *st = OPENSSL_malloc(sizeof(*st)); + + if (st != NULL) + *st = EVP_RAND_STATE_UNINITIALISED; + return st; +} + +static void fuzz_rand_freectx(ossl_unused void *vrng) +{ + OPENSSL_free(vrng); +} + +static int fuzz_rand_instantiate(ossl_unused void *vrng, + ossl_unused unsigned int strength, + ossl_unused int prediction_resistance, + ossl_unused const unsigned char *pstr, + ossl_unused size_t pstr_len) +{ + *(int *)vrng = EVP_RAND_STATE_READY; + return 1; +} + +static int fuzz_rand_uninstantiate(ossl_unused void *vrng) +{ + *(int *)vrng = EVP_RAND_STATE_UNINITIALISED; + return 1; +} + +static int fuzz_rand_generate(ossl_unused void *vdrbg, + unsigned char *out, size_t outlen, + ossl_unused unsigned int strength, + ossl_unused int prediction_resistance, + ossl_unused const unsigned char *adin, + ossl_unused size_t adinlen) +{ + unsigned char val = 1; + size_t i; + + for (i = 0; i < outlen; i++) + out[i] = val++; + return 1; +} + +static int fuzz_rand_enable_locking(ossl_unused void *vrng) +{ + return 1; +} + +static int fuzz_rand_get_ctx_params(void *vrng, OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE); + if (p != NULL && !OSSL_PARAM_set_int(p, *(int *)vrng)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH); + if (p != NULL && !OSSL_PARAM_set_int(p, 500)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); + if (p != NULL && !OSSL_PARAM_set_size_t(p, INT_MAX)) + return 0; + return 1; +} + +static const OSSL_PARAM *fuzz_rand_gettable_ctx_params(ossl_unused void *provctx) +{ + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), + OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +} + +static const OSSL_DISPATCH fuzz_rand_functions[] = { + { OSSL_FUNC_RAND_NEWCTX, (void (*)(void))fuzz_rand_newctx }, + { OSSL_FUNC_RAND_FREECTX, (void (*)(void))fuzz_rand_freectx }, + { OSSL_FUNC_RAND_INSTANTIATE, (void (*)(void))fuzz_rand_instantiate }, + { OSSL_FUNC_RAND_UNINSTANTIATE, (void (*)(void))fuzz_rand_uninstantiate }, + { OSSL_FUNC_RAND_GENERATE, (void (*)(void))fuzz_rand_generate }, + { OSSL_FUNC_RAND_ENABLE_LOCKING, (void (*)(void))fuzz_rand_enable_locking }, + { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS, + (void(*)(void))fuzz_rand_gettable_ctx_params }, + { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))fuzz_rand_get_ctx_params }, + { 0, NULL } +}; + +static const OSSL_ALGORITHM fuzz_rand_rand[] = { + { "fuzz", "provider=fuzz-rand", fuzz_rand_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM *fuzz_rand_query(void *provctx, + int operation_id, + int *no_cache) +{ + *no_cache = 0; + switch (operation_id) { + case OSSL_OP_RAND: + return fuzz_rand_rand; + } + return NULL; +} + +/* Functions we provide to the core */ +static const OSSL_DISPATCH fuzz_rand_method[] = { + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OSSL_LIB_CTX_free }, + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fuzz_rand_query }, + { 0, NULL } +}; + +static int fuzz_rand_provider_init(const OSSL_CORE_HANDLE *handle, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, void **provctx) +{ + *provctx = OSSL_LIB_CTX_new(); + *out = fuzz_rand_method; + return 1; +} + +static OSSL_PROVIDER *r_prov; + +void FuzzerSetRand(void) +{ + if (!OSSL_PROVIDER_add_builtin(NULL, "fuzz-rand", fuzz_rand_provider_init) + || !RAND_set_DRBG_type(NULL, "fuzz", NULL, NULL, NULL) + || (r_prov = OSSL_PROVIDER_try_load(NULL, "fuzz-rand", 1)) == NULL) + exit(1); +} + +void FuzzerClearRand(void) +{ + OSSL_PROVIDER_unload(r_prov); +} diff --git a/fuzz/fuzzer.h b/fuzz/fuzzer.h index b4605f8c8f..517a8622d9 100644 --- a/fuzz/fuzzer.h +++ b/fuzz/fuzzer.h @@ -11,4 +11,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len); int FuzzerInitialize(int *argc, char ***argv); void FuzzerCleanup(void); + void FuzzerSetRand(void); +void FuzzerClearRand(void); diff --git a/fuzz/rand.inc b/fuzz/rand.inc deleted file mode 100644 index d0eebff896..0000000000 --- a/fuzz/rand.inc +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * https://www.openssl.org/source/license.html - * or in the file LICENSE in the source distribution. - */ -#include - -static int fuzz_bytes(unsigned char *buf, int num) -{ - unsigned char val = 1; - - while (--num >= 0) - *buf++ = val++; - return 1; -} - -static int fuzz_status(void) -{ - return 1; -} - -static RAND_METHOD fuzz_rand_method = { - NULL, - fuzz_bytes, - NULL, - NULL, - fuzz_bytes, - fuzz_status -}; - -void FuzzerSetRand(void) -{ - RAND_set_rand_method(&fuzz_rand_method); -} - - diff --git a/fuzz/server.c b/fuzz/server.c index c381bbfae8..6234e15ccc 100644 --- a/fuzz/server.c +++ b/fuzz/server.c @@ -12,7 +12,7 @@ /* Test first part of SSL server handshake. */ -/* We need to use the deprecated RSA/EC low level calls */ +/* We need to use some deprecated APIs */ #define OPENSSL_SUPPRESS_DEPRECATED #include @@ -25,8 +25,6 @@ #include #include "fuzzer.h" -#include "rand.inc" - static const uint8_t kCertificateDER[] = { 0x30, 0x82, 0x02, 0xff, 0x30, 0x82, 0x01, 0xe7, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x11, 0x00, 0xb1, 0x84, 0xee, 0x34, 0x99, 0x98, 0x76, 0xfb, @@ -495,12 +493,12 @@ int FuzzerInitialize(int *argc, char ***argv) { STACK_OF(SSL_COMP) *comp_methods; + FuzzerSetRand(); OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL); OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); ERR_clear_error(); CRYPTO_free_ex_index(0, -1); idx = SSL_get_ex_data_X509_STORE_CTX_idx(); - FuzzerSetRand(); comp_methods = SSL_COMP_get_compression_methods(); if (comp_methods != NULL) sk_SSL_COMP_sort(comp_methods); @@ -663,4 +661,5 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) void FuzzerCleanup(void) { + FuzzerClearRand(); } diff --git a/fuzz/x509.c b/fuzz/x509.c index dd9075acd7..78061d176a 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -14,14 +14,12 @@ #include #include "fuzzer.h" -#include "rand.inc" - int FuzzerInitialize(int *argc, char ***argv) { + FuzzerSetRand(); OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); ERR_clear_error(); CRYPTO_free_ex_index(0, -1); - FuzzerSetRand(); return 1; } @@ -50,4 +48,5 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) void FuzzerCleanup(void) { + FuzzerClearRand(); } diff --git a/include/internal/provider.h b/include/internal/provider.h index a91c515f04..fbe3154b53 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h @@ -49,7 +49,7 @@ int ossl_provider_disable_fallback_loading(OSSL_LIB_CTX *libctx); * Activate the Provider * If the Provider is a module, the module will be loaded */ -int ossl_provider_activate(OSSL_PROVIDER *prov); +int ossl_provider_activate(OSSL_PROVIDER *prov, int retain_fallbacks); int ossl_provider_deactivate(OSSL_PROVIDER *prov); /* Check if the provider is available (activated) */ int ossl_provider_available(OSSL_PROVIDER *prov); diff --git a/include/openssl/provider.h b/include/openssl/provider.h index 723201e1c5..a8720aaa7e 100644 --- a/include/openssl/provider.h +++ b/include/openssl/provider.h @@ -22,7 +22,8 @@ int OSSL_PROVIDER_set_default_search_path(OSSL_LIB_CTX *, const char *path); /* Load and unload a provider */ OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *name); -OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *, const char *name); +OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *, const char *name, + int retain_fallbacks); int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); int OSSL_PROVIDER_available(OSSL_LIB_CTX *, const char *name); int OSSL_PROVIDER_do_all(OSSL_LIB_CTX *ctx, diff --git a/include/openssl/rand.h b/include/openssl/rand.h index 2570b8463e..08593705c3 100644 --- a/include/openssl/rand.h +++ b/include/openssl/rand.h @@ -36,6 +36,7 @@ extern "C" { */ # define RAND_DRBG_STRENGTH 256 +# ifndef OPENSSL_NO_DEPRECATED_3_0 struct rand_meth_st { int (*seed) (const void *buf, int num); int (*bytes) (unsigned char *buf, int num); @@ -45,13 +46,14 @@ struct rand_meth_st { int (*status) (void); }; -int RAND_set_rand_method(const RAND_METHOD *meth); -const RAND_METHOD *RAND_get_rand_method(void); -# ifndef OPENSSL_NO_ENGINE -int RAND_set_rand_engine(ENGINE *engine); -# endif +OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_method(const RAND_METHOD *meth); +OSSL_DEPRECATEDIN_3_0 const RAND_METHOD *RAND_get_rand_method(void); +# ifndef OPENSSL_NO_ENGINE +OSSL_DEPRECATEDIN_3_0 int RAND_set_rand_engine(ENGINE *engine); +# endif -RAND_METHOD *RAND_OpenSSL(void); +OSSL_DEPRECATEDIN_3_0 RAND_METHOD *RAND_OpenSSL(void); +# endif /* OPENSSL_NO_DEPRECATED_3_0 */ # ifndef OPENSSL_NO_DEPRECATED_1_1_0 # define RAND_cleanup() while(0) continue @@ -72,6 +74,11 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx); EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_CTX *ctx); EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx); +int RAND_set_DRBG_type(OSSL_LIB_CTX *ctx, const char *drbg, const char *propq, + const char *cipher, const char *digest); +int RAND_set_seed_source_type(OSSL_LIB_CTX *ctx, const char *seed, + const char *propq); + void RAND_seed(const void *buf, int num); void RAND_keep_random_devices_open(int keep); diff --git a/test/build.info b/test/build.info index 3f65d68b8c..5bf35dcb10 100644 --- a/test/build.info +++ b/test/build.info @@ -20,7 +20,7 @@ IF[{- !$disabled{tests} -}] LIBS{noinst,has_main}=libtestutil.a SOURCE[libtestutil.a]=testutil/basic_output.c testutil/output.c \ testutil/driver.c testutil/tests.c testutil/cb.c testutil/stanza.c \ - testutil/format_output.c testutil/load.c \ + testutil/format_output.c testutil/load.c testutil/fake_random.c \ testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \ testutil/options.c testutil/test_options.c testutil/provider.c \ testutil/apps_mem.c testutil/random.c $LIBAPPSSRC diff --git a/test/drbgtest.c b/test/drbgtest.c index 765c2d23df..1276f726cc 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -7,6 +7,9 @@ * https://www.openssl.org/source/license.html */ +/* We need to use some deprecated APIs */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include #include "internal/nelem.h" #include @@ -44,6 +47,7 @@ */ static int gen_bytes(EVP_RAND_CTX *drbg, unsigned char *buf, int num) { +#ifndef OPENSSL_NO_DEPRECATED_3_0 const RAND_METHOD *meth = RAND_get_rand_method(); if (meth != NULL && meth != RAND_OpenSSL()) { @@ -51,6 +55,7 @@ static int gen_bytes(EVP_RAND_CTX *drbg, unsigned char *buf, int num) return meth->bytes(buf, num); return -1; } +#endif if (drbg != NULL) return EVP_RAND_generate(drbg, buf, num, 0, 0, NULL, 0); @@ -548,9 +553,11 @@ static int test_rand_reseed(void) if (crngt_skip()) return TEST_skip("CRNGT cannot be disabled"); +#ifndef OPENSSL_NO_DEPRECATED_3_0 /* Check whether RAND_OpenSSL() is the default method */ if (!TEST_ptr_eq(RAND_get_rand_method(), RAND_OpenSSL())) return 0; +#endif /* All three DRBGs should be non-null */ if (!TEST_ptr(primary = RAND_get0_primary(NULL)) diff --git a/test/ecdsatest.c b/test/ecdsatest.c index 8340d28912..d03eb6f01e 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -25,48 +25,18 @@ # include "internal/nelem.h" # include "ecdsatest.h" -/* functions to change the RAND_METHOD */ -static int fbytes(unsigned char *buf, int num); - -static RAND_METHOD fake_rand; -static const RAND_METHOD *old_rand; -static int use_fake = 0; static const char *numbers[2]; static size_t crv_len = 0; static EC_builtin_curve *curves = NULL; +static OSSL_PROVIDER *fake_rand = NULL; -static int change_rand(void) -{ - /* save old rand method */ - if (!TEST_ptr(old_rand = RAND_get_rand_method())) - return 0; - - fake_rand = *old_rand; - /* use own random function */ - fake_rand.bytes = fbytes; - /* set new RAND_METHOD */ - if (!TEST_true(RAND_set_rand_method(&fake_rand))) - return 0; - return 1; -} - -static int restore_rand(void) -{ - if (!TEST_true(RAND_set_rand_method(old_rand))) - return 0; - return 1; -} - -static int fbytes(unsigned char *buf, int num) +static int fbytes(unsigned char *buf, size_t num) { int ret = 0; static int fbytes_counter = 0; BIGNUM *tmp = NULL; - if (use_fake == 0) - return old_rand->bytes(buf, num); - - use_fake = 0; + fake_rand_set_callback(NULL); if (!TEST_ptr(tmp = BN_new()) || !TEST_int_lt(fbytes_counter, OSSL_NELEM(numbers)) @@ -140,13 +110,11 @@ static int x9_62_tests(int n) || !TEST_ptr(r = BN_new()) || !TEST_ptr(s = BN_new()) || !TEST_true(BN_hex2bn(&r, r_in)) - || !TEST_true(BN_hex2bn(&s, s_in)) - /* swap the RNG source */ - || !TEST_true(change_rand())) + || !TEST_true(BN_hex2bn(&s, s_in))) goto err; /* public key must match KAT */ - use_fake = 1; + fake_rand_set_callback(&fbytes); if (!TEST_true(EC_KEY_generate_key(key)) || !TEST_true(p_len = EC_KEY_key2buf(key, POINT_CONVERSION_UNCOMPRESSED, &pbuf, NULL)) @@ -156,7 +124,7 @@ static int x9_62_tests(int n) goto err; /* create the signature via ECDSA_sign_setup to avoid use of ECDSA nonces */ - use_fake = 1; + fake_rand_set_callback(&fbytes); if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp)) || !TEST_ptr(signature = ECDSA_do_sign_ex(digest, dgst_len, kinv, rp, key)) @@ -173,10 +141,6 @@ static int x9_62_tests(int n) ret = 1; err: - /* restore the RNG source */ - if (!TEST_true(restore_rand())) - ret = 0; - OPENSSL_free(message); OPENSSL_free(pbuf); OPENSSL_free(qbuf); @@ -393,11 +357,17 @@ int setup_tests(void) #ifdef OPENSSL_NO_EC TEST_note("Elliptic curves are disabled."); #else + fake_rand = fake_rand_start(NULL); + if (fake_rand == NULL) + return 0; + /* get a list of all internal curves */ crv_len = EC_get_builtin_curves(NULL, 0); if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) - || !TEST_true(EC_get_builtin_curves(curves, crv_len))) + || !TEST_true(EC_get_builtin_curves(curves, crv_len))) { + fake_rand_finish(fake_rand); return 0; + } ADD_ALL_TESTS(test_builtin_as_ec, crv_len); # ifndef OPENSSL_NO_SM2 ADD_ALL_TESTS(test_builtin_as_sm2, crv_len); @@ -410,6 +380,7 @@ int setup_tests(void) void cleanup_tests(void) { #ifndef OPENSSL_NO_EC + fake_rand_finish(fake_rand); OPENSSL_free(curves); #endif } diff --git a/test/provider_internal_test.c b/test/provider_internal_test.c index 4b2b6d5349..fc04d2d925 100644 --- a/test/provider_internal_test.c +++ b/test/provider_internal_test.c @@ -26,7 +26,7 @@ static int test_provider(OSSL_PROVIDER *prov, const char *expected_greeting) int ret = 0; ret = - TEST_true(ossl_provider_activate(prov)) + TEST_true(ossl_provider_activate(prov, 0)) && TEST_true(ossl_provider_get_params(prov, greeting_request)) && TEST_ptr(greeting = greeting_request[0].data) && TEST_size_t_gt(greeting_request[0].data_size, 0) diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c index 7dae25cf9f..77b76e64f8 100644 --- a/test/sm2_internal_test.c +++ b/test/sm2_internal_test.c @@ -28,19 +28,14 @@ # include "crypto/sm2.h" -static RAND_METHOD fake_rand; -static const RAND_METHOD *saved_rand; - +static OSSL_PROVIDER *fake_rand = NULL; static uint8_t *fake_rand_bytes = NULL; static size_t fake_rand_bytes_offset = 0; static size_t fake_rand_size = 0; -static int get_faked_bytes(unsigned char *buf, int num) +static int get_faked_bytes(unsigned char *buf, size_t num) { - if (fake_rand_bytes == NULL) - return saved_rand->bytes(buf, num); - - if (!TEST_size_t_gt(fake_rand_size, 0)) + if (!TEST_ptr(fake_rand_bytes) || !TEST_size_t_gt(fake_rand_size, 0)) return 0; while (num-- > 0) { @@ -54,32 +49,24 @@ static int get_faked_bytes(unsigned char *buf, int num) static int start_fake_rand(const char *hex_bytes) { - /* save old rand method */ - if (!TEST_ptr(saved_rand = RAND_get_rand_method())) - return 0; - - fake_rand = *saved_rand; - /* use own random function */ - fake_rand.bytes = get_faked_bytes; - - fake_rand_bytes = OPENSSL_hexstr2buf(hex_bytes, NULL); + OPENSSL_free(fake_rand_bytes); fake_rand_bytes_offset = 0; fake_rand_size = strlen(hex_bytes) / 2; - - /* set new RAND_METHOD */ - if (!TEST_true(RAND_set_rand_method(&fake_rand))) + if (!TEST_ptr(fake_rand_bytes = OPENSSL_hexstr2buf(hex_bytes, NULL))) return 0; + + /* use own random function */ + fake_rand_set_callback(get_faked_bytes); return 1; + } -static int restore_rand(void) +static void restore_rand(void) { + fake_rand_set_callback(NULL); OPENSSL_free(fake_rand_bytes); fake_rand_bytes = NULL; fake_rand_bytes_offset = 0; - if (!TEST_true(RAND_set_rand_method(saved_rand))) - return 0; - return 1; } static EC_GROUP *create_EC_group(const char *p_hex, const char *a_hex, @@ -375,8 +362,19 @@ int setup_tests(void) #ifdef OPENSSL_NO_SM2 TEST_note("SM2 is disabled."); #else + fake_rand = fake_rand_start(NULL); + if (fake_rand == NULL) + return 0; + ADD_TEST(sm2_crypt_test); ADD_TEST(sm2_sig_test); #endif return 1; } + +void cleanup_tests(void) +{ +#ifdef OPENSSL_NO_SM2 + fake_rand_finish(fake_rand); +#endif +} diff --git a/test/testutil.h b/test/testutil.h index 491082c3f4..93c91a4a41 100644 --- a/test/testutil.h +++ b/test/testutil.h @@ -566,6 +566,11 @@ char *glue_strings(const char *list[], size_t *out_len); uint32_t test_random(void); void test_random_seed(uint32_t sd); +/* Fake non-secure random number generator */ +OSSL_PROVIDER *fake_rand_start(OSSL_LIB_CTX *libctx); +void fake_rand_finish(OSSL_PROVIDER *p); +void fake_rand_set_callback(int (*cb)(unsigned char *out, size_t outlen)); + /* Create a file path from a directory and a filename */ char *test_mk_file_path(const char *dir, const char *file); diff --git a/test/testutil/driver.c b/test/testutil/driver.c index 0b4332b492..467c3e8eb3 100644 --- a/test/testutil/driver.c +++ b/test/testutil/driver.c @@ -44,6 +44,8 @@ static int single_test = -1; static int single_iter = -1; static int level = 0; static int seed = 0; +static int rand_order = 0; + /* * A parameterised test runs a loop of test cases. * |num_test_cases| counts the total number of test cases @@ -103,8 +105,12 @@ int setup_test_framework(int argc, char *argv[]) if (TAP_levels != NULL) level = 4 * atoi(TAP_levels); test_adjust_streams_tap_level(level); - if (test_seed != NULL) + if (test_seed != NULL) { + rand_order = 1; set_seed(atoi(test_seed)); + } else { + set_seed(0); + } #if defined(OPENSSL_SYS_VMS) && defined(__DECC) argv = copy_argv(&argc, argv); @@ -294,7 +300,7 @@ int run_tests(const char *test_prog_name) for (i = 0; i < num_tests; i++) permute[i] = i; - if (seed != 0) + if (rand_order != 0) for (i = num_tests - 1; i >= 1; i--) { j = test_random() % (1 + i); ii = permute[j]; @@ -340,7 +346,7 @@ int run_tests(const char *test_prog_name) } j = -1; - if (seed == 0 || all_tests[i].num < 3) + if (rand_order == 0 || all_tests[i].num < 3) jstep = 1; else do diff --git a/test/testutil/fake_random.c b/test/testutil/fake_random.c new file mode 100644 index 0000000000..95a3023cd4 --- /dev/null +++ b/test/testutil/fake_random.c @@ -0,0 +1,192 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include +#include +#include +#include +#include "../testutil.h" + +typedef struct { + int (*cb)(unsigned char *out, size_t outlen); + int state; +} FAKE_RAND; + +static FAKE_RAND fake_rand; + +static OSSL_FUNC_rand_newctx_fn fake_rand_newctx; +static OSSL_FUNC_rand_freectx_fn fake_rand_freectx; +static OSSL_FUNC_rand_instantiate_fn fake_rand_instantiate; +static OSSL_FUNC_rand_uninstantiate_fn fake_rand_uninstantiate; +static OSSL_FUNC_rand_generate_fn fake_rand_generate; +static OSSL_FUNC_rand_gettable_ctx_params_fn fake_rand_gettable_ctx_params; +static OSSL_FUNC_rand_get_ctx_params_fn fake_rand_get_ctx_params; +static OSSL_FUNC_rand_enable_locking_fn fake_rand_enable_locking; + +static void *fake_rand_newctx(void *provctx, void *parent, + const OSSL_DISPATCH *parent_dispatch) +{ + fake_rand.cb = NULL; + fake_rand.state = EVP_RAND_STATE_UNINITIALISED; + return &fake_rand; +} + +static void fake_rand_freectx(void *vrng) +{ + FAKE_RAND *frng = (FAKE_RAND *)vrng; + + frng->cb = NULL; + frng->state = EVP_RAND_STATE_UNINITIALISED; +} + +static int fake_rand_instantiate(void *vrng, ossl_unused unsigned int strength, + ossl_unused int prediction_resistance, + ossl_unused const unsigned char *pstr, + size_t pstr_len) +{ + FAKE_RAND *frng = (FAKE_RAND *)vrng; + + frng->state = EVP_RAND_STATE_READY; + return 1; +} + +static int fake_rand_uninstantiate(void *vrng) +{ + FAKE_RAND *frng = (FAKE_RAND *)vrng; + + frng->state = EVP_RAND_STATE_UNINITIALISED; + return 1; +} + +static int fake_rand_generate(void *vrng, unsigned char *out, size_t outlen, + unsigned int strength, int prediction_resistance, + const unsigned char *adin, size_t adinlen) +{ + FAKE_RAND *frng = (FAKE_RAND *)vrng; + size_t l; + uint32_t r; + + if (frng->cb != NULL) + return (*frng->cb)(out, outlen); + while (outlen > 0) { + r = test_random(); + l = outlen < sizeof(r) ? outlen : sizeof(r); + + memcpy(out, &r, l); + out += l; + outlen -= l; + } + return 1; +} + +static int fake_rand_enable_locking(void *vrng) +{ + return 1; +} + +static int fake_rand_get_ctx_params(ossl_unused void *vrng, OSSL_PARAM params[]) +{ + FAKE_RAND *frng = (FAKE_RAND *)vrng; + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE); + if (p != NULL && !OSSL_PARAM_set_int(p, frng->state)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH); + if (p != NULL && !OSSL_PARAM_set_int(p, 256)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); + if (p != NULL && !OSSL_PARAM_set_size_t(p, INT_MAX)) + return 0; + return 1; +} + +static const OSSL_PARAM *fake_rand_gettable_ctx_params(void *vrng) +{ + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), + OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +} + +static const OSSL_DISPATCH fake_rand_functions[] = { + { OSSL_FUNC_RAND_NEWCTX, (void (*)(void))fake_rand_newctx }, + { OSSL_FUNC_RAND_FREECTX, (void (*)(void))fake_rand_freectx }, + { OSSL_FUNC_RAND_INSTANTIATE, (void (*)(void))fake_rand_instantiate }, + { OSSL_FUNC_RAND_UNINSTANTIATE, (void (*)(void))fake_rand_uninstantiate }, + { OSSL_FUNC_RAND_GENERATE, (void (*)(void))fake_rand_generate }, + { OSSL_FUNC_RAND_ENABLE_LOCKING, (void (*)(void))fake_rand_enable_locking }, + { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS, + (void(*)(void))fake_rand_gettable_ctx_params }, + { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))fake_rand_get_ctx_params }, + { 0, NULL } +}; + +static const OSSL_ALGORITHM fake_rand_rand[] = { + { "FAKE", "provider=fake", fake_rand_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM *fake_rand_query(void *provctx, + int operation_id, + int *no_cache) +{ + *no_cache = 0; + switch (operation_id) { + case OSSL_OP_RAND: + return fake_rand_rand; + } + return NULL; +} + +/* Functions we provide to the core */ +static const OSSL_DISPATCH fake_rand_method[] = { + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OSSL_LIB_CTX_free }, + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fake_rand_query }, + { 0, NULL } +}; + +static int fake_rand_provider_init(const OSSL_CORE_HANDLE *handle, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, void **provctx) +{ + if (!TEST_ptr(*provctx = OSSL_LIB_CTX_new())) + return 0; + *out = fake_rand_method; + return 1; +} + +OSSL_PROVIDER *fake_rand_start(OSSL_LIB_CTX *libctx) +{ + OSSL_PROVIDER *p; + + if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "fake-rand", + fake_rand_provider_init)) + || !TEST_true(RAND_set_DRBG_type(libctx, "fake", NULL, NULL, NULL)) + || !TEST_ptr(p = OSSL_PROVIDER_try_load(libctx, "fake-rand", 1))) + return NULL; + return p; +} + +void fake_rand_finish(OSSL_PROVIDER *p) +{ + OSSL_PROVIDER_unload(p); +} + +void fake_rand_set_callback(int (*cb)(unsigned char *out, size_t outlen)) +{ + fake_rand.cb = cb; +} + diff --git a/util/libcrypto.num b/util/libcrypto.num index a16b6e17eb..25d8619471 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -73,7 +73,7 @@ NETSCAPE_SPKI_print 74 3_0_0 EXIST::FUNCTION: X509_set_pubkey 75 3_0_0 EXIST::FUNCTION: ASN1_item_print 76 3_0_0 EXIST::FUNCTION: CONF_set_nconf 77 3_0_0 EXIST::FUNCTION: -RAND_set_rand_method 78 3_0_0 EXIST::FUNCTION: +RAND_set_rand_method 78 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 BN_GF2m_mod_mul 79 3_0_0 EXIST::FUNCTION:EC2M UI_add_input_boolean 80 3_0_0 EXIST::FUNCTION: ASN1_TIME_adj 81 3_0_0 EXIST::FUNCTION: @@ -167,7 +167,7 @@ EVP_MD_type 170 3_0_0 EXIST::FUNCTION: EVP_PKCS82PKEY 171 3_0_0 EXIST::FUNCTION: BN_generate_prime_ex 172 3_0_0 EXIST::FUNCTION: EVP_EncryptInit 173 3_0_0 EXIST::FUNCTION: -RAND_OpenSSL 174 3_0_0 EXIST::FUNCTION: +RAND_OpenSSL 174 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 BN_uadd 175 3_0_0 EXIST::FUNCTION: EVP_PKEY_derive_init 176 3_0_0 EXIST::FUNCTION: PEM_write_bio_ASN1_stream 177 3_0_0 EXIST::FUNCTION: @@ -1397,7 +1397,7 @@ OCSP_RESPBYTES_it 1429 3_0_0 EXIST::FUNCTION:OCSP EVP_aes_192_wrap 1430 3_0_0 EXIST::FUNCTION: OCSP_CERTID_it 1431 3_0_0 EXIST::FUNCTION:OCSP ENGINE_get_RSA 1432 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -RAND_get_rand_method 1433 3_0_0 EXIST::FUNCTION: +RAND_get_rand_method 1433 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ERR_load_DSA_strings 1434 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA ASN1_check_infinite_end 1435 3_0_0 EXIST::FUNCTION: i2d_PKCS7_DIGEST 1436 3_0_0 EXIST::FUNCTION: @@ -1746,7 +1746,7 @@ NAME_CONSTRAINTS_check 1786 3_0_0 EXIST::FUNCTION: X509_CERT_AUX_it 1787 3_0_0 EXIST::FUNCTION: X509_get_X509_PUBKEY 1789 3_0_0 EXIST::FUNCTION: TXT_DB_create_index 1790 3_0_0 EXIST::FUNCTION: -RAND_set_rand_engine 1791 3_0_0 EXIST::FUNCTION:ENGINE +RAND_set_rand_engine 1791 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE X509_set_serialNumber 1792 3_0_0 EXIST::FUNCTION: BN_mod_exp_mont_consttime 1793 3_0_0 EXIST::FUNCTION: X509V3_parse_list 1794 3_0_0 EXIST::FUNCTION: @@ -5301,3 +5301,5 @@ EVP_PKEY_fromdata_settable ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_param_check_quick ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_public_check_quick ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_is_a ? 3_0_0 EXIST::FUNCTION: +RAND_set_DRBG_type ? 3_0_0 EXIST::FUNCTION: +RAND_set_seed_source_type ? 3_0_0 EXIST::FUNCTION: From openssl at openssl.org Tue Feb 23 15:17:47 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 23 Feb 2021 15:17:47 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock Message-ID: <1614093467.733598.3428565.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... skipped: test_sslrecords needs the sock feature enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs the sock feature enabled 70-test_sslsigalgs.t ............... skipped: test_sslsigalgs needs the sock feature enabled 70-test_sslsignature.t ............. skipped: test_sslsignature needs the sock feature enabled 70-test_sslskewith0p.t ............. skipped: test_sslskewith0p needs the sock feature enabled 70-test_sslversions.t .............. skipped: test_sslversions needs the sock feature enabled 70-test_sslvertol.t ................ skipped: test_sslextension needs the sock feature enabled 70-test_tls13alerts.t .............. skipped: test_tls13alerts needs the sock feature enabled 70-test_tls13cookie.t .............. skipped: test_tls13cookie needs the sock feature enabled 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs the sock feature enabled 70-test_tls13hrr.t ................. skipped: test_tls13hrr needs the sock feature enabled 70-test_tls13kexmodes.t ............ skipped: test_tls13kexmodes needs the sock feature enabled 70-test_tls13messages.t ............ skipped: test_tls13messages needs the sock feature enabled 70-test_tls13psk.t ................. skipped: test_tls13psk needs the sock feature enabled 70-test_tlsextms.t ................. skipped: test_tlsextms needs the sock feature enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok Label not found for "last SKIP" at /usr/share/perl/5.30/Test/More.pm line 1372. # Looks like your test exited with 1 just after 5.80-test_cmp_http.t ................. Dubious, test returned 1 (wstat 256, 0x100) All 5 subtests passed (less 5 skipped subtests: 0 okay) # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... skipped: No DTLS protocols are supported by this OpenSSL build 80-test_dtls_mtu.t ................. skipped: test_dtls_mtu needs DTLS and PSK support enabled 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 256 Tests: 5 Failed: 0) Non-zero exit status: 1 Files=232, Tests=3108, 870 wallclock secs (10.70 usr 1.37 sys + 798.62 cusr 77.70 csys = 888.39 CPU) Result: FAIL make[1]: *** [Makefile:3258: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-sock' make: *** [Makefile:3255: tests] Error 2 From levitte at openssl.org Tue Feb 23 17:27:42 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 23 Feb 2021 17:27:42 +0000 Subject: [openssl] master update Message-ID: <1614101262.940517.10065.nullmailer@dev.openssl.org> The branch master has been updated via 4f6aeabd65bf13795823f4a6f4a03c815e9d096f (commit) via 7b9f8995f44482610d4f3452118e53c2f259511d (commit) from 1263154064d2a15253381353cf804e05af18ad1b (commit) - Log ----------------------------------------------------------------- commit 4f6aeabd65bf13795823f4a6f4a03c815e9d096f Author: Richard Levitte Date: Mon Feb 22 06:52:41 2021 +0100 make update Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14269) commit 7b9f8995f44482610d4f3452118e53c2f259511d Author: Richard Levitte Date: Mon Feb 22 06:49:24 2021 +0100 Generate doc/build.info with 'make update' rather than on the fly doc/build.info was essentially generated on the fly while running Configure, something that takes a huge amount of time on slower file systems (such as Windows). Instead, we generate it with 'make update', saving the user from having to wait for too long, at the small price for developers to have to run 'make update' whenever they write a new manual file. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14269) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 11 +- doc/build.info | 4545 ++++++++++++++++++++++++++++++++++++- doc/{build.info => build.info.in} | 2 + 3 files changed, 4494 insertions(+), 64 deletions(-) copy doc/{build.info => build.info.in} (97%) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 16d4337dab..b0aff03ad1 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1022,11 +1022,15 @@ uninstall_html_docs: # Developer targets (note: these are only available on Unix) ######### -update: generate errors ordinals +# It's important that generate_buildinfo comes after ordinals, as ordinals +# is sensitive to build.info changes. +update: generate errors ordinals generate_buildinfo generate: generate_apps generate_crypto_bn generate_crypto_objects \ generate_crypto_conf generate_crypto_asn1 generate_fuzz_oids +generate_buildinfo: generate_doc_buildinfo + .PHONY: doc-nits cmd-nits md-nits doc-nits: build_generated_pods $(PERL) $(SRCDIR)/util/find-doc-nits -n -l -e @@ -1089,6 +1093,11 @@ generate_fuzz_oids: crypto/objects/obj_dat.h \ > fuzz/oids.txt ) +generate_doc_buildinfo: + ( $(PERL) -I$(BLDDIR) -Mconfigdata \ + $(SRCDIR)/util/dofile.pl -o Makefile \ + $(SRCDIR)/doc/build.info.in > $(SRCDIR)/doc/build.info ) + # Set to -force to force a rebuild ERROR_REBUILD= errors: diff --git a/doc/build.info b/doc/build.info index 267629040d..20e2e82398 100644 --- a/doc/build.info +++ b/doc/build.info @@ -1,66 +1,4485 @@ SUBDIRS = man1 -{- - use File::Spec::Functions qw(:DEFAULT abs2rel rel2abs); - use File::Basename; +DEPEND[html/man1/CA.pl.html]=man1/CA.pl.pod +GENERATE[html/man1/CA.pl.html]=man1/CA.pl.pod +DEPEND[man/man1/CA.pl.1]=man1/CA.pl.pod +GENERATE[man/man1/CA.pl.1]=man1/CA.pl.pod +DEPEND[html/man1/openssl-asn1parse.html]=man1/openssl-asn1parse.pod +GENERATE[html/man1/openssl-asn1parse.html]=man1/openssl-asn1parse.pod +DEPEND[man/man1/openssl-asn1parse.1]=man1/openssl-asn1parse.pod +GENERATE[man/man1/openssl-asn1parse.1]=man1/openssl-asn1parse.pod +DEPEND[man1/openssl-asn1parse.pod]{pod}=man1/openssl-asn1parse.pod.in +GENERATE[man1/openssl-asn1parse.pod]=man1/openssl-asn1parse.pod.in +DEPEND[html/man1/openssl-ca.html]=man1/openssl-ca.pod +GENERATE[html/man1/openssl-ca.html]=man1/openssl-ca.pod +DEPEND[man/man1/openssl-ca.1]=man1/openssl-ca.pod +GENERATE[man/man1/openssl-ca.1]=man1/openssl-ca.pod +DEPEND[man1/openssl-ca.pod]{pod}=man1/openssl-ca.pod.in +GENERATE[man1/openssl-ca.pod]=man1/openssl-ca.pod.in +DEPEND[html/man1/openssl-ciphers.html]=man1/openssl-ciphers.pod +GENERATE[html/man1/openssl-ciphers.html]=man1/openssl-ciphers.pod +DEPEND[man/man1/openssl-ciphers.1]=man1/openssl-ciphers.pod +GENERATE[man/man1/openssl-ciphers.1]=man1/openssl-ciphers.pod +DEPEND[man1/openssl-ciphers.pod]{pod}=man1/openssl-ciphers.pod.in +GENERATE[man1/openssl-ciphers.pod]=man1/openssl-ciphers.pod.in +DEPEND[html/man1/openssl-cmds.html]=man1/openssl-cmds.pod +GENERATE[html/man1/openssl-cmds.html]=man1/openssl-cmds.pod +DEPEND[man/man1/openssl-cmds.1]=man1/openssl-cmds.pod +GENERATE[man/man1/openssl-cmds.1]=man1/openssl-cmds.pod +DEPEND[man1/openssl-cmds.pod]{pod}=man1/openssl-cmds.pod.in +GENERATE[man1/openssl-cmds.pod]=man1/openssl-cmds.pod.in +DEPEND[html/man1/openssl-cmp.html]=man1/openssl-cmp.pod +GENERATE[html/man1/openssl-cmp.html]=man1/openssl-cmp.pod +DEPEND[man/man1/openssl-cmp.1]=man1/openssl-cmp.pod +GENERATE[man/man1/openssl-cmp.1]=man1/openssl-cmp.pod +DEPEND[man1/openssl-cmp.pod]{pod}=man1/openssl-cmp.pod.in +GENERATE[man1/openssl-cmp.pod]=man1/openssl-cmp.pod.in +DEPEND[html/man1/openssl-cms.html]=man1/openssl-cms.pod +GENERATE[html/man1/openssl-cms.html]=man1/openssl-cms.pod +DEPEND[man/man1/openssl-cms.1]=man1/openssl-cms.pod +GENERATE[man/man1/openssl-cms.1]=man1/openssl-cms.pod +DEPEND[man1/openssl-cms.pod]{pod}=man1/openssl-cms.pod.in +GENERATE[man1/openssl-cms.pod]=man1/openssl-cms.pod.in +DEPEND[html/man1/openssl-crl.html]=man1/openssl-crl.pod +GENERATE[html/man1/openssl-crl.html]=man1/openssl-crl.pod +DEPEND[man/man1/openssl-crl.1]=man1/openssl-crl.pod +GENERATE[man/man1/openssl-crl.1]=man1/openssl-crl.pod +DEPEND[man1/openssl-crl.pod]{pod}=man1/openssl-crl.pod.in +GENERATE[man1/openssl-crl.pod]=man1/openssl-crl.pod.in +DEPEND[html/man1/openssl-crl2pkcs7.html]=man1/openssl-crl2pkcs7.pod +GENERATE[html/man1/openssl-crl2pkcs7.html]=man1/openssl-crl2pkcs7.pod +DEPEND[man/man1/openssl-crl2pkcs7.1]=man1/openssl-crl2pkcs7.pod +GENERATE[man/man1/openssl-crl2pkcs7.1]=man1/openssl-crl2pkcs7.pod +DEPEND[man1/openssl-crl2pkcs7.pod]{pod}=man1/openssl-crl2pkcs7.pod.in +GENERATE[man1/openssl-crl2pkcs7.pod]=man1/openssl-crl2pkcs7.pod.in +DEPEND[html/man1/openssl-dgst.html]=man1/openssl-dgst.pod +GENERATE[html/man1/openssl-dgst.html]=man1/openssl-dgst.pod +DEPEND[man/man1/openssl-dgst.1]=man1/openssl-dgst.pod +GENERATE[man/man1/openssl-dgst.1]=man1/openssl-dgst.pod +DEPEND[man1/openssl-dgst.pod]{pod}=man1/openssl-dgst.pod.in +GENERATE[man1/openssl-dgst.pod]=man1/openssl-dgst.pod.in +DEPEND[html/man1/openssl-dhparam.html]=man1/openssl-dhparam.pod +GENERATE[html/man1/openssl-dhparam.html]=man1/openssl-dhparam.pod +DEPEND[man/man1/openssl-dhparam.1]=man1/openssl-dhparam.pod +GENERATE[man/man1/openssl-dhparam.1]=man1/openssl-dhparam.pod +DEPEND[man1/openssl-dhparam.pod]{pod}=man1/openssl-dhparam.pod.in +GENERATE[man1/openssl-dhparam.pod]=man1/openssl-dhparam.pod.in +DEPEND[html/man1/openssl-dsa.html]=man1/openssl-dsa.pod +GENERATE[html/man1/openssl-dsa.html]=man1/openssl-dsa.pod +DEPEND[man/man1/openssl-dsa.1]=man1/openssl-dsa.pod +GENERATE[man/man1/openssl-dsa.1]=man1/openssl-dsa.pod +DEPEND[man1/openssl-dsa.pod]{pod}=man1/openssl-dsa.pod.in +GENERATE[man1/openssl-dsa.pod]=man1/openssl-dsa.pod.in +DEPEND[html/man1/openssl-dsaparam.html]=man1/openssl-dsaparam.pod +GENERATE[html/man1/openssl-dsaparam.html]=man1/openssl-dsaparam.pod +DEPEND[man/man1/openssl-dsaparam.1]=man1/openssl-dsaparam.pod +GENERATE[man/man1/openssl-dsaparam.1]=man1/openssl-dsaparam.pod +DEPEND[man1/openssl-dsaparam.pod]{pod}=man1/openssl-dsaparam.pod.in +GENERATE[man1/openssl-dsaparam.pod]=man1/openssl-dsaparam.pod.in +DEPEND[html/man1/openssl-ec.html]=man1/openssl-ec.pod +GENERATE[html/man1/openssl-ec.html]=man1/openssl-ec.pod +DEPEND[man/man1/openssl-ec.1]=man1/openssl-ec.pod +GENERATE[man/man1/openssl-ec.1]=man1/openssl-ec.pod +DEPEND[man1/openssl-ec.pod]{pod}=man1/openssl-ec.pod.in +GENERATE[man1/openssl-ec.pod]=man1/openssl-ec.pod.in +DEPEND[html/man1/openssl-ecparam.html]=man1/openssl-ecparam.pod +GENERATE[html/man1/openssl-ecparam.html]=man1/openssl-ecparam.pod +DEPEND[man/man1/openssl-ecparam.1]=man1/openssl-ecparam.pod +GENERATE[man/man1/openssl-ecparam.1]=man1/openssl-ecparam.pod +DEPEND[man1/openssl-ecparam.pod]{pod}=man1/openssl-ecparam.pod.in +GENERATE[man1/openssl-ecparam.pod]=man1/openssl-ecparam.pod.in +DEPEND[html/man1/openssl-enc.html]=man1/openssl-enc.pod +GENERATE[html/man1/openssl-enc.html]=man1/openssl-enc.pod +DEPEND[man/man1/openssl-enc.1]=man1/openssl-enc.pod +GENERATE[man/man1/openssl-enc.1]=man1/openssl-enc.pod +DEPEND[man1/openssl-enc.pod]{pod}=man1/openssl-enc.pod.in +GENERATE[man1/openssl-enc.pod]=man1/openssl-enc.pod.in +DEPEND[html/man1/openssl-engine.html]=man1/openssl-engine.pod +GENERATE[html/man1/openssl-engine.html]=man1/openssl-engine.pod +DEPEND[man/man1/openssl-engine.1]=man1/openssl-engine.pod +GENERATE[man/man1/openssl-engine.1]=man1/openssl-engine.pod +DEPEND[man1/openssl-engine.pod]{pod}=man1/openssl-engine.pod.in +GENERATE[man1/openssl-engine.pod]=man1/openssl-engine.pod.in +DEPEND[html/man1/openssl-errstr.html]=man1/openssl-errstr.pod +GENERATE[html/man1/openssl-errstr.html]=man1/openssl-errstr.pod +DEPEND[man/man1/openssl-errstr.1]=man1/openssl-errstr.pod +GENERATE[man/man1/openssl-errstr.1]=man1/openssl-errstr.pod +DEPEND[man1/openssl-errstr.pod]{pod}=man1/openssl-errstr.pod.in +GENERATE[man1/openssl-errstr.pod]=man1/openssl-errstr.pod.in +DEPEND[html/man1/openssl-fipsinstall.html]=man1/openssl-fipsinstall.pod +GENERATE[html/man1/openssl-fipsinstall.html]=man1/openssl-fipsinstall.pod +DEPEND[man/man1/openssl-fipsinstall.1]=man1/openssl-fipsinstall.pod +GENERATE[man/man1/openssl-fipsinstall.1]=man1/openssl-fipsinstall.pod +DEPEND[man1/openssl-fipsinstall.pod]{pod}=man1/openssl-fipsinstall.pod.in +GENERATE[man1/openssl-fipsinstall.pod]=man1/openssl-fipsinstall.pod.in +DEPEND[html/man1/openssl-format-options.html]=man1/openssl-format-options.pod +GENERATE[html/man1/openssl-format-options.html]=man1/openssl-format-options.pod +DEPEND[man/man1/openssl-format-options.1]=man1/openssl-format-options.pod +GENERATE[man/man1/openssl-format-options.1]=man1/openssl-format-options.pod +DEPEND[html/man1/openssl-gendsa.html]=man1/openssl-gendsa.pod +GENERATE[html/man1/openssl-gendsa.html]=man1/openssl-gendsa.pod +DEPEND[man/man1/openssl-gendsa.1]=man1/openssl-gendsa.pod +GENERATE[man/man1/openssl-gendsa.1]=man1/openssl-gendsa.pod +DEPEND[man1/openssl-gendsa.pod]{pod}=man1/openssl-gendsa.pod.in +GENERATE[man1/openssl-gendsa.pod]=man1/openssl-gendsa.pod.in +DEPEND[html/man1/openssl-genpkey.html]=man1/openssl-genpkey.pod +GENERATE[html/man1/openssl-genpkey.html]=man1/openssl-genpkey.pod +DEPEND[man/man1/openssl-genpkey.1]=man1/openssl-genpkey.pod +GENERATE[man/man1/openssl-genpkey.1]=man1/openssl-genpkey.pod +DEPEND[man1/openssl-genpkey.pod]{pod}=man1/openssl-genpkey.pod.in +GENERATE[man1/openssl-genpkey.pod]=man1/openssl-genpkey.pod.in +DEPEND[html/man1/openssl-genrsa.html]=man1/openssl-genrsa.pod +GENERATE[html/man1/openssl-genrsa.html]=man1/openssl-genrsa.pod +DEPEND[man/man1/openssl-genrsa.1]=man1/openssl-genrsa.pod +GENERATE[man/man1/openssl-genrsa.1]=man1/openssl-genrsa.pod +DEPEND[man1/openssl-genrsa.pod]{pod}=man1/openssl-genrsa.pod.in +GENERATE[man1/openssl-genrsa.pod]=man1/openssl-genrsa.pod.in +DEPEND[html/man1/openssl-info.html]=man1/openssl-info.pod +GENERATE[html/man1/openssl-info.html]=man1/openssl-info.pod +DEPEND[man/man1/openssl-info.1]=man1/openssl-info.pod +GENERATE[man/man1/openssl-info.1]=man1/openssl-info.pod +DEPEND[man1/openssl-info.pod]{pod}=man1/openssl-info.pod.in +GENERATE[man1/openssl-info.pod]=man1/openssl-info.pod.in +DEPEND[html/man1/openssl-kdf.html]=man1/openssl-kdf.pod +GENERATE[html/man1/openssl-kdf.html]=man1/openssl-kdf.pod +DEPEND[man/man1/openssl-kdf.1]=man1/openssl-kdf.pod +GENERATE[man/man1/openssl-kdf.1]=man1/openssl-kdf.pod +DEPEND[man1/openssl-kdf.pod]{pod}=man1/openssl-kdf.pod.in +GENERATE[man1/openssl-kdf.pod]=man1/openssl-kdf.pod.in +DEPEND[html/man1/openssl-list.html]=man1/openssl-list.pod +GENERATE[html/man1/openssl-list.html]=man1/openssl-list.pod +DEPEND[man/man1/openssl-list.1]=man1/openssl-list.pod +GENERATE[man/man1/openssl-list.1]=man1/openssl-list.pod +DEPEND[man1/openssl-list.pod]{pod}=man1/openssl-list.pod.in +GENERATE[man1/openssl-list.pod]=man1/openssl-list.pod.in +DEPEND[html/man1/openssl-mac.html]=man1/openssl-mac.pod +GENERATE[html/man1/openssl-mac.html]=man1/openssl-mac.pod +DEPEND[man/man1/openssl-mac.1]=man1/openssl-mac.pod +GENERATE[man/man1/openssl-mac.1]=man1/openssl-mac.pod +DEPEND[man1/openssl-mac.pod]{pod}=man1/openssl-mac.pod.in +GENERATE[man1/openssl-mac.pod]=man1/openssl-mac.pod.in +DEPEND[html/man1/openssl-namedisplay-options.html]=man1/openssl-namedisplay-options.pod +GENERATE[html/man1/openssl-namedisplay-options.html]=man1/openssl-namedisplay-options.pod +DEPEND[man/man1/openssl-namedisplay-options.1]=man1/openssl-namedisplay-options.pod +GENERATE[man/man1/openssl-namedisplay-options.1]=man1/openssl-namedisplay-options.pod +DEPEND[html/man1/openssl-nseq.html]=man1/openssl-nseq.pod +GENERATE[html/man1/openssl-nseq.html]=man1/openssl-nseq.pod +DEPEND[man/man1/openssl-nseq.1]=man1/openssl-nseq.pod +GENERATE[man/man1/openssl-nseq.1]=man1/openssl-nseq.pod +DEPEND[man1/openssl-nseq.pod]{pod}=man1/openssl-nseq.pod.in +GENERATE[man1/openssl-nseq.pod]=man1/openssl-nseq.pod.in +DEPEND[html/man1/openssl-ocsp.html]=man1/openssl-ocsp.pod +GENERATE[html/man1/openssl-ocsp.html]=man1/openssl-ocsp.pod +DEPEND[man/man1/openssl-ocsp.1]=man1/openssl-ocsp.pod +GENERATE[man/man1/openssl-ocsp.1]=man1/openssl-ocsp.pod +DEPEND[man1/openssl-ocsp.pod]{pod}=man1/openssl-ocsp.pod.in +GENERATE[man1/openssl-ocsp.pod]=man1/openssl-ocsp.pod.in +DEPEND[html/man1/openssl-passphrase-options.html]=man1/openssl-passphrase-options.pod +GENERATE[html/man1/openssl-passphrase-options.html]=man1/openssl-passphrase-options.pod +DEPEND[man/man1/openssl-passphrase-options.1]=man1/openssl-passphrase-options.pod +GENERATE[man/man1/openssl-passphrase-options.1]=man1/openssl-passphrase-options.pod +DEPEND[html/man1/openssl-passwd.html]=man1/openssl-passwd.pod +GENERATE[html/man1/openssl-passwd.html]=man1/openssl-passwd.pod +DEPEND[man/man1/openssl-passwd.1]=man1/openssl-passwd.pod +GENERATE[man/man1/openssl-passwd.1]=man1/openssl-passwd.pod +DEPEND[man1/openssl-passwd.pod]{pod}=man1/openssl-passwd.pod.in +GENERATE[man1/openssl-passwd.pod]=man1/openssl-passwd.pod.in +DEPEND[html/man1/openssl-pkcs12.html]=man1/openssl-pkcs12.pod +GENERATE[html/man1/openssl-pkcs12.html]=man1/openssl-pkcs12.pod +DEPEND[man/man1/openssl-pkcs12.1]=man1/openssl-pkcs12.pod +GENERATE[man/man1/openssl-pkcs12.1]=man1/openssl-pkcs12.pod +DEPEND[man1/openssl-pkcs12.pod]{pod}=man1/openssl-pkcs12.pod.in +GENERATE[man1/openssl-pkcs12.pod]=man1/openssl-pkcs12.pod.in +DEPEND[html/man1/openssl-pkcs7.html]=man1/openssl-pkcs7.pod +GENERATE[html/man1/openssl-pkcs7.html]=man1/openssl-pkcs7.pod +DEPEND[man/man1/openssl-pkcs7.1]=man1/openssl-pkcs7.pod +GENERATE[man/man1/openssl-pkcs7.1]=man1/openssl-pkcs7.pod +DEPEND[man1/openssl-pkcs7.pod]{pod}=man1/openssl-pkcs7.pod.in +GENERATE[man1/openssl-pkcs7.pod]=man1/openssl-pkcs7.pod.in +DEPEND[html/man1/openssl-pkcs8.html]=man1/openssl-pkcs8.pod +GENERATE[html/man1/openssl-pkcs8.html]=man1/openssl-pkcs8.pod +DEPEND[man/man1/openssl-pkcs8.1]=man1/openssl-pkcs8.pod +GENERATE[man/man1/openssl-pkcs8.1]=man1/openssl-pkcs8.pod +DEPEND[man1/openssl-pkcs8.pod]{pod}=man1/openssl-pkcs8.pod.in +GENERATE[man1/openssl-pkcs8.pod]=man1/openssl-pkcs8.pod.in +DEPEND[html/man1/openssl-pkey.html]=man1/openssl-pkey.pod +GENERATE[html/man1/openssl-pkey.html]=man1/openssl-pkey.pod +DEPEND[man/man1/openssl-pkey.1]=man1/openssl-pkey.pod +GENERATE[man/man1/openssl-pkey.1]=man1/openssl-pkey.pod +DEPEND[man1/openssl-pkey.pod]{pod}=man1/openssl-pkey.pod.in +GENERATE[man1/openssl-pkey.pod]=man1/openssl-pkey.pod.in +DEPEND[html/man1/openssl-pkeyparam.html]=man1/openssl-pkeyparam.pod +GENERATE[html/man1/openssl-pkeyparam.html]=man1/openssl-pkeyparam.pod +DEPEND[man/man1/openssl-pkeyparam.1]=man1/openssl-pkeyparam.pod +GENERATE[man/man1/openssl-pkeyparam.1]=man1/openssl-pkeyparam.pod +DEPEND[man1/openssl-pkeyparam.pod]{pod}=man1/openssl-pkeyparam.pod.in +GENERATE[man1/openssl-pkeyparam.pod]=man1/openssl-pkeyparam.pod.in +DEPEND[html/man1/openssl-pkeyutl.html]=man1/openssl-pkeyutl.pod +GENERATE[html/man1/openssl-pkeyutl.html]=man1/openssl-pkeyutl.pod +DEPEND[man/man1/openssl-pkeyutl.1]=man1/openssl-pkeyutl.pod +GENERATE[man/man1/openssl-pkeyutl.1]=man1/openssl-pkeyutl.pod +DEPEND[man1/openssl-pkeyutl.pod]{pod}=man1/openssl-pkeyutl.pod.in +GENERATE[man1/openssl-pkeyutl.pod]=man1/openssl-pkeyutl.pod.in +DEPEND[html/man1/openssl-prime.html]=man1/openssl-prime.pod +GENERATE[html/man1/openssl-prime.html]=man1/openssl-prime.pod +DEPEND[man/man1/openssl-prime.1]=man1/openssl-prime.pod +GENERATE[man/man1/openssl-prime.1]=man1/openssl-prime.pod +DEPEND[man1/openssl-prime.pod]{pod}=man1/openssl-prime.pod.in +GENERATE[man1/openssl-prime.pod]=man1/openssl-prime.pod.in +DEPEND[html/man1/openssl-rand.html]=man1/openssl-rand.pod +GENERATE[html/man1/openssl-rand.html]=man1/openssl-rand.pod +DEPEND[man/man1/openssl-rand.1]=man1/openssl-rand.pod +GENERATE[man/man1/openssl-rand.1]=man1/openssl-rand.pod +DEPEND[man1/openssl-rand.pod]{pod}=man1/openssl-rand.pod.in +GENERATE[man1/openssl-rand.pod]=man1/openssl-rand.pod.in +DEPEND[html/man1/openssl-rehash.html]=man1/openssl-rehash.pod +GENERATE[html/man1/openssl-rehash.html]=man1/openssl-rehash.pod +DEPEND[man/man1/openssl-rehash.1]=man1/openssl-rehash.pod +GENERATE[man/man1/openssl-rehash.1]=man1/openssl-rehash.pod +DEPEND[man1/openssl-rehash.pod]{pod}=man1/openssl-rehash.pod.in +GENERATE[man1/openssl-rehash.pod]=man1/openssl-rehash.pod.in +DEPEND[html/man1/openssl-req.html]=man1/openssl-req.pod +GENERATE[html/man1/openssl-req.html]=man1/openssl-req.pod +DEPEND[man/man1/openssl-req.1]=man1/openssl-req.pod +GENERATE[man/man1/openssl-req.1]=man1/openssl-req.pod +DEPEND[man1/openssl-req.pod]{pod}=man1/openssl-req.pod.in +GENERATE[man1/openssl-req.pod]=man1/openssl-req.pod.in +DEPEND[html/man1/openssl-rsa.html]=man1/openssl-rsa.pod +GENERATE[html/man1/openssl-rsa.html]=man1/openssl-rsa.pod +DEPEND[man/man1/openssl-rsa.1]=man1/openssl-rsa.pod +GENERATE[man/man1/openssl-rsa.1]=man1/openssl-rsa.pod +DEPEND[man1/openssl-rsa.pod]{pod}=man1/openssl-rsa.pod.in +GENERATE[man1/openssl-rsa.pod]=man1/openssl-rsa.pod.in +DEPEND[html/man1/openssl-rsautl.html]=man1/openssl-rsautl.pod +GENERATE[html/man1/openssl-rsautl.html]=man1/openssl-rsautl.pod +DEPEND[man/man1/openssl-rsautl.1]=man1/openssl-rsautl.pod +GENERATE[man/man1/openssl-rsautl.1]=man1/openssl-rsautl.pod +DEPEND[man1/openssl-rsautl.pod]{pod}=man1/openssl-rsautl.pod.in +GENERATE[man1/openssl-rsautl.pod]=man1/openssl-rsautl.pod.in +DEPEND[html/man1/openssl-s_client.html]=man1/openssl-s_client.pod +GENERATE[html/man1/openssl-s_client.html]=man1/openssl-s_client.pod +DEPEND[man/man1/openssl-s_client.1]=man1/openssl-s_client.pod +GENERATE[man/man1/openssl-s_client.1]=man1/openssl-s_client.pod +DEPEND[man1/openssl-s_client.pod]{pod}=man1/openssl-s_client.pod.in +GENERATE[man1/openssl-s_client.pod]=man1/openssl-s_client.pod.in +DEPEND[html/man1/openssl-s_server.html]=man1/openssl-s_server.pod +GENERATE[html/man1/openssl-s_server.html]=man1/openssl-s_server.pod +DEPEND[man/man1/openssl-s_server.1]=man1/openssl-s_server.pod +GENERATE[man/man1/openssl-s_server.1]=man1/openssl-s_server.pod +DEPEND[man1/openssl-s_server.pod]{pod}=man1/openssl-s_server.pod.in +GENERATE[man1/openssl-s_server.pod]=man1/openssl-s_server.pod.in +DEPEND[html/man1/openssl-s_time.html]=man1/openssl-s_time.pod +GENERATE[html/man1/openssl-s_time.html]=man1/openssl-s_time.pod +DEPEND[man/man1/openssl-s_time.1]=man1/openssl-s_time.pod +GENERATE[man/man1/openssl-s_time.1]=man1/openssl-s_time.pod +DEPEND[man1/openssl-s_time.pod]{pod}=man1/openssl-s_time.pod.in +GENERATE[man1/openssl-s_time.pod]=man1/openssl-s_time.pod.in +DEPEND[html/man1/openssl-sess_id.html]=man1/openssl-sess_id.pod +GENERATE[html/man1/openssl-sess_id.html]=man1/openssl-sess_id.pod +DEPEND[man/man1/openssl-sess_id.1]=man1/openssl-sess_id.pod +GENERATE[man/man1/openssl-sess_id.1]=man1/openssl-sess_id.pod +DEPEND[man1/openssl-sess_id.pod]{pod}=man1/openssl-sess_id.pod.in +GENERATE[man1/openssl-sess_id.pod]=man1/openssl-sess_id.pod.in +DEPEND[html/man1/openssl-smime.html]=man1/openssl-smime.pod +GENERATE[html/man1/openssl-smime.html]=man1/openssl-smime.pod +DEPEND[man/man1/openssl-smime.1]=man1/openssl-smime.pod +GENERATE[man/man1/openssl-smime.1]=man1/openssl-smime.pod +DEPEND[man1/openssl-smime.pod]{pod}=man1/openssl-smime.pod.in +GENERATE[man1/openssl-smime.pod]=man1/openssl-smime.pod.in +DEPEND[html/man1/openssl-speed.html]=man1/openssl-speed.pod +GENERATE[html/man1/openssl-speed.html]=man1/openssl-speed.pod +DEPEND[man/man1/openssl-speed.1]=man1/openssl-speed.pod +GENERATE[man/man1/openssl-speed.1]=man1/openssl-speed.pod +DEPEND[man1/openssl-speed.pod]{pod}=man1/openssl-speed.pod.in +GENERATE[man1/openssl-speed.pod]=man1/openssl-speed.pod.in +DEPEND[html/man1/openssl-spkac.html]=man1/openssl-spkac.pod +GENERATE[html/man1/openssl-spkac.html]=man1/openssl-spkac.pod +DEPEND[man/man1/openssl-spkac.1]=man1/openssl-spkac.pod +GENERATE[man/man1/openssl-spkac.1]=man1/openssl-spkac.pod +DEPEND[man1/openssl-spkac.pod]{pod}=man1/openssl-spkac.pod.in +GENERATE[man1/openssl-spkac.pod]=man1/openssl-spkac.pod.in +DEPEND[html/man1/openssl-srp.html]=man1/openssl-srp.pod +GENERATE[html/man1/openssl-srp.html]=man1/openssl-srp.pod +DEPEND[man/man1/openssl-srp.1]=man1/openssl-srp.pod +GENERATE[man/man1/openssl-srp.1]=man1/openssl-srp.pod +DEPEND[man1/openssl-srp.pod]{pod}=man1/openssl-srp.pod.in +GENERATE[man1/openssl-srp.pod]=man1/openssl-srp.pod.in +DEPEND[html/man1/openssl-storeutl.html]=man1/openssl-storeutl.pod +GENERATE[html/man1/openssl-storeutl.html]=man1/openssl-storeutl.pod +DEPEND[man/man1/openssl-storeutl.1]=man1/openssl-storeutl.pod +GENERATE[man/man1/openssl-storeutl.1]=man1/openssl-storeutl.pod +DEPEND[man1/openssl-storeutl.pod]{pod}=man1/openssl-storeutl.pod.in +GENERATE[man1/openssl-storeutl.pod]=man1/openssl-storeutl.pod.in +DEPEND[html/man1/openssl-ts.html]=man1/openssl-ts.pod +GENERATE[html/man1/openssl-ts.html]=man1/openssl-ts.pod +DEPEND[man/man1/openssl-ts.1]=man1/openssl-ts.pod +GENERATE[man/man1/openssl-ts.1]=man1/openssl-ts.pod +DEPEND[man1/openssl-ts.pod]{pod}=man1/openssl-ts.pod.in +GENERATE[man1/openssl-ts.pod]=man1/openssl-ts.pod.in +DEPEND[html/man1/openssl-verification-options.html]=man1/openssl-verification-options.pod +GENERATE[html/man1/openssl-verification-options.html]=man1/openssl-verification-options.pod +DEPEND[man/man1/openssl-verification-options.1]=man1/openssl-verification-options.pod +GENERATE[man/man1/openssl-verification-options.1]=man1/openssl-verification-options.pod +DEPEND[html/man1/openssl-verify.html]=man1/openssl-verify.pod +GENERATE[html/man1/openssl-verify.html]=man1/openssl-verify.pod +DEPEND[man/man1/openssl-verify.1]=man1/openssl-verify.pod +GENERATE[man/man1/openssl-verify.1]=man1/openssl-verify.pod +DEPEND[man1/openssl-verify.pod]{pod}=man1/openssl-verify.pod.in +GENERATE[man1/openssl-verify.pod]=man1/openssl-verify.pod.in +DEPEND[html/man1/openssl-version.html]=man1/openssl-version.pod +GENERATE[html/man1/openssl-version.html]=man1/openssl-version.pod +DEPEND[man/man1/openssl-version.1]=man1/openssl-version.pod +GENERATE[man/man1/openssl-version.1]=man1/openssl-version.pod +DEPEND[man1/openssl-version.pod]{pod}=man1/openssl-version.pod.in +GENERATE[man1/openssl-version.pod]=man1/openssl-version.pod.in +DEPEND[html/man1/openssl-x509.html]=man1/openssl-x509.pod +GENERATE[html/man1/openssl-x509.html]=man1/openssl-x509.pod +DEPEND[man/man1/openssl-x509.1]=man1/openssl-x509.pod +GENERATE[man/man1/openssl-x509.1]=man1/openssl-x509.pod +DEPEND[man1/openssl-x509.pod]{pod}=man1/openssl-x509.pod.in +GENERATE[man1/openssl-x509.pod]=man1/openssl-x509.pod.in +DEPEND[html/man1/openssl.html]=man1/openssl.pod +GENERATE[html/man1/openssl.html]=man1/openssl.pod +DEPEND[man/man1/openssl.1]=man1/openssl.pod +GENERATE[man/man1/openssl.1]=man1/openssl.pod +DEPEND[html/man1/tsget.html]=man1/tsget.pod +GENERATE[html/man1/tsget.html]=man1/tsget.pod +DEPEND[man/man1/tsget.1]=man1/tsget.pod +GENERATE[man/man1/tsget.1]=man1/tsget.pod +HTMLDOCS[man1]=html/man1/CA.pl.html \ +html/man1/openssl-asn1parse.html \ +html/man1/openssl-ca.html \ +html/man1/openssl-ciphers.html \ +html/man1/openssl-cmds.html \ +html/man1/openssl-cmp.html \ +html/man1/openssl-cms.html \ +html/man1/openssl-crl.html \ +html/man1/openssl-crl2pkcs7.html \ +html/man1/openssl-dgst.html \ +html/man1/openssl-dhparam.html \ +html/man1/openssl-dsa.html \ +html/man1/openssl-dsaparam.html \ +html/man1/openssl-ec.html \ +html/man1/openssl-ecparam.html \ +html/man1/openssl-enc.html \ +html/man1/openssl-engine.html \ +html/man1/openssl-errstr.html \ +html/man1/openssl-fipsinstall.html \ +html/man1/openssl-format-options.html \ +html/man1/openssl-gendsa.html \ +html/man1/openssl-genpkey.html \ +html/man1/openssl-genrsa.html \ +html/man1/openssl-info.html \ +html/man1/openssl-kdf.html \ +html/man1/openssl-list.html \ +html/man1/openssl-mac.html \ +html/man1/openssl-namedisplay-options.html \ +html/man1/openssl-nseq.html \ +html/man1/openssl-ocsp.html \ +html/man1/openssl-passphrase-options.html \ +html/man1/openssl-passwd.html \ +html/man1/openssl-pkcs12.html \ +html/man1/openssl-pkcs7.html \ +html/man1/openssl-pkcs8.html \ +html/man1/openssl-pkey.html \ +html/man1/openssl-pkeyparam.html \ +html/man1/openssl-pkeyutl.html \ +html/man1/openssl-prime.html \ +html/man1/openssl-rand.html \ +html/man1/openssl-rehash.html \ +html/man1/openssl-req.html \ +html/man1/openssl-rsa.html \ +html/man1/openssl-rsautl.html \ +html/man1/openssl-s_client.html \ +html/man1/openssl-s_server.html \ +html/man1/openssl-s_time.html \ +html/man1/openssl-sess_id.html \ +html/man1/openssl-smime.html \ +html/man1/openssl-speed.html \ +html/man1/openssl-spkac.html \ +html/man1/openssl-srp.html \ +html/man1/openssl-storeutl.html \ +html/man1/openssl-ts.html \ +html/man1/openssl-verification-options.html \ +html/man1/openssl-verify.html \ +html/man1/openssl-version.html \ +html/man1/openssl-x509.html \ +html/man1/openssl.html \ +html/man1/tsget.html +MANDOCS[man1]=man/man1/CA.pl.1 \ +man/man1/openssl-asn1parse.1 \ +man/man1/openssl-ca.1 \ +man/man1/openssl-ciphers.1 \ +man/man1/openssl-cmds.1 \ +man/man1/openssl-cmp.1 \ +man/man1/openssl-cms.1 \ +man/man1/openssl-crl.1 \ +man/man1/openssl-crl2pkcs7.1 \ +man/man1/openssl-dgst.1 \ +man/man1/openssl-dhparam.1 \ +man/man1/openssl-dsa.1 \ +man/man1/openssl-dsaparam.1 \ +man/man1/openssl-ec.1 \ +man/man1/openssl-ecparam.1 \ +man/man1/openssl-enc.1 \ +man/man1/openssl-engine.1 \ +man/man1/openssl-errstr.1 \ +man/man1/openssl-fipsinstall.1 \ +man/man1/openssl-format-options.1 \ +man/man1/openssl-gendsa.1 \ +man/man1/openssl-genpkey.1 \ +man/man1/openssl-genrsa.1 \ +man/man1/openssl-info.1 \ +man/man1/openssl-kdf.1 \ +man/man1/openssl-list.1 \ +man/man1/openssl-mac.1 \ +man/man1/openssl-namedisplay-options.1 \ +man/man1/openssl-nseq.1 \ +man/man1/openssl-ocsp.1 \ +man/man1/openssl-passphrase-options.1 \ +man/man1/openssl-passwd.1 \ +man/man1/openssl-pkcs12.1 \ +man/man1/openssl-pkcs7.1 \ +man/man1/openssl-pkcs8.1 \ +man/man1/openssl-pkey.1 \ +man/man1/openssl-pkeyparam.1 \ +man/man1/openssl-pkeyutl.1 \ +man/man1/openssl-prime.1 \ +man/man1/openssl-rand.1 \ +man/man1/openssl-rehash.1 \ +man/man1/openssl-req.1 \ +man/man1/openssl-rsa.1 \ +man/man1/openssl-rsautl.1 \ +man/man1/openssl-s_client.1 \ +man/man1/openssl-s_server.1 \ +man/man1/openssl-s_time.1 \ +man/man1/openssl-sess_id.1 \ +man/man1/openssl-smime.1 \ +man/man1/openssl-speed.1 \ +man/man1/openssl-spkac.1 \ +man/man1/openssl-srp.1 \ +man/man1/openssl-storeutl.1 \ +man/man1/openssl-ts.1 \ +man/man1/openssl-verification-options.1 \ +man/man1/openssl-verify.1 \ +man/man1/openssl-version.1 \ +man/man1/openssl-x509.1 \ +man/man1/openssl.1 \ +man/man1/tsget.1 +DEPEND[html/man3/ADMISSIONS.html]=man3/ADMISSIONS.pod +GENERATE[html/man3/ADMISSIONS.html]=man3/ADMISSIONS.pod +DEPEND[man/man3/ADMISSIONS.3]=man3/ADMISSIONS.pod +GENERATE[man/man3/ADMISSIONS.3]=man3/ADMISSIONS.pod +DEPEND[html/man3/ASN1_INTEGER_get_int64.html]=man3/ASN1_INTEGER_get_int64.pod +GENERATE[html/man3/ASN1_INTEGER_get_int64.html]=man3/ASN1_INTEGER_get_int64.pod +DEPEND[man/man3/ASN1_INTEGER_get_int64.3]=man3/ASN1_INTEGER_get_int64.pod +GENERATE[man/man3/ASN1_INTEGER_get_int64.3]=man3/ASN1_INTEGER_get_int64.pod +DEPEND[html/man3/ASN1_INTEGER_new.html]=man3/ASN1_INTEGER_new.pod +GENERATE[html/man3/ASN1_INTEGER_new.html]=man3/ASN1_INTEGER_new.pod +DEPEND[man/man3/ASN1_INTEGER_new.3]=man3/ASN1_INTEGER_new.pod +GENERATE[man/man3/ASN1_INTEGER_new.3]=man3/ASN1_INTEGER_new.pod +DEPEND[html/man3/ASN1_ITEM_lookup.html]=man3/ASN1_ITEM_lookup.pod +GENERATE[html/man3/ASN1_ITEM_lookup.html]=man3/ASN1_ITEM_lookup.pod +DEPEND[man/man3/ASN1_ITEM_lookup.3]=man3/ASN1_ITEM_lookup.pod +GENERATE[man/man3/ASN1_ITEM_lookup.3]=man3/ASN1_ITEM_lookup.pod +DEPEND[html/man3/ASN1_OBJECT_new.html]=man3/ASN1_OBJECT_new.pod +GENERATE[html/man3/ASN1_OBJECT_new.html]=man3/ASN1_OBJECT_new.pod +DEPEND[man/man3/ASN1_OBJECT_new.3]=man3/ASN1_OBJECT_new.pod +GENERATE[man/man3/ASN1_OBJECT_new.3]=man3/ASN1_OBJECT_new.pod +DEPEND[html/man3/ASN1_STRING_TABLE_add.html]=man3/ASN1_STRING_TABLE_add.pod +GENERATE[html/man3/ASN1_STRING_TABLE_add.html]=man3/ASN1_STRING_TABLE_add.pod +DEPEND[man/man3/ASN1_STRING_TABLE_add.3]=man3/ASN1_STRING_TABLE_add.pod +GENERATE[man/man3/ASN1_STRING_TABLE_add.3]=man3/ASN1_STRING_TABLE_add.pod +DEPEND[html/man3/ASN1_STRING_length.html]=man3/ASN1_STRING_length.pod +GENERATE[html/man3/ASN1_STRING_length.html]=man3/ASN1_STRING_length.pod +DEPEND[man/man3/ASN1_STRING_length.3]=man3/ASN1_STRING_length.pod +GENERATE[man/man3/ASN1_STRING_length.3]=man3/ASN1_STRING_length.pod +DEPEND[html/man3/ASN1_STRING_new.html]=man3/ASN1_STRING_new.pod +GENERATE[html/man3/ASN1_STRING_new.html]=man3/ASN1_STRING_new.pod +DEPEND[man/man3/ASN1_STRING_new.3]=man3/ASN1_STRING_new.pod +GENERATE[man/man3/ASN1_STRING_new.3]=man3/ASN1_STRING_new.pod +DEPEND[html/man3/ASN1_STRING_print_ex.html]=man3/ASN1_STRING_print_ex.pod +GENERATE[html/man3/ASN1_STRING_print_ex.html]=man3/ASN1_STRING_print_ex.pod +DEPEND[man/man3/ASN1_STRING_print_ex.3]=man3/ASN1_STRING_print_ex.pod +GENERATE[man/man3/ASN1_STRING_print_ex.3]=man3/ASN1_STRING_print_ex.pod +DEPEND[html/man3/ASN1_TIME_set.html]=man3/ASN1_TIME_set.pod +GENERATE[html/man3/ASN1_TIME_set.html]=man3/ASN1_TIME_set.pod +DEPEND[man/man3/ASN1_TIME_set.3]=man3/ASN1_TIME_set.pod +GENERATE[man/man3/ASN1_TIME_set.3]=man3/ASN1_TIME_set.pod +DEPEND[html/man3/ASN1_TYPE_get.html]=man3/ASN1_TYPE_get.pod +GENERATE[html/man3/ASN1_TYPE_get.html]=man3/ASN1_TYPE_get.pod +DEPEND[man/man3/ASN1_TYPE_get.3]=man3/ASN1_TYPE_get.pod +GENERATE[man/man3/ASN1_TYPE_get.3]=man3/ASN1_TYPE_get.pod +DEPEND[html/man3/ASN1_generate_nconf.html]=man3/ASN1_generate_nconf.pod +GENERATE[html/man3/ASN1_generate_nconf.html]=man3/ASN1_generate_nconf.pod +DEPEND[man/man3/ASN1_generate_nconf.3]=man3/ASN1_generate_nconf.pod +GENERATE[man/man3/ASN1_generate_nconf.3]=man3/ASN1_generate_nconf.pod +DEPEND[html/man3/ASN1_item_sign.html]=man3/ASN1_item_sign.pod +GENERATE[html/man3/ASN1_item_sign.html]=man3/ASN1_item_sign.pod +DEPEND[man/man3/ASN1_item_sign.3]=man3/ASN1_item_sign.pod +GENERATE[man/man3/ASN1_item_sign.3]=man3/ASN1_item_sign.pod +DEPEND[html/man3/ASYNC_WAIT_CTX_new.html]=man3/ASYNC_WAIT_CTX_new.pod +GENERATE[html/man3/ASYNC_WAIT_CTX_new.html]=man3/ASYNC_WAIT_CTX_new.pod +DEPEND[man/man3/ASYNC_WAIT_CTX_new.3]=man3/ASYNC_WAIT_CTX_new.pod +GENERATE[man/man3/ASYNC_WAIT_CTX_new.3]=man3/ASYNC_WAIT_CTX_new.pod +DEPEND[html/man3/ASYNC_start_job.html]=man3/ASYNC_start_job.pod +GENERATE[html/man3/ASYNC_start_job.html]=man3/ASYNC_start_job.pod +DEPEND[man/man3/ASYNC_start_job.3]=man3/ASYNC_start_job.pod +GENERATE[man/man3/ASYNC_start_job.3]=man3/ASYNC_start_job.pod +DEPEND[html/man3/BF_encrypt.html]=man3/BF_encrypt.pod +GENERATE[html/man3/BF_encrypt.html]=man3/BF_encrypt.pod +DEPEND[man/man3/BF_encrypt.3]=man3/BF_encrypt.pod +GENERATE[man/man3/BF_encrypt.3]=man3/BF_encrypt.pod +DEPEND[html/man3/BIO_ADDR.html]=man3/BIO_ADDR.pod +GENERATE[html/man3/BIO_ADDR.html]=man3/BIO_ADDR.pod +DEPEND[man/man3/BIO_ADDR.3]=man3/BIO_ADDR.pod +GENERATE[man/man3/BIO_ADDR.3]=man3/BIO_ADDR.pod +DEPEND[html/man3/BIO_ADDRINFO.html]=man3/BIO_ADDRINFO.pod +GENERATE[html/man3/BIO_ADDRINFO.html]=man3/BIO_ADDRINFO.pod +DEPEND[man/man3/BIO_ADDRINFO.3]=man3/BIO_ADDRINFO.pod +GENERATE[man/man3/BIO_ADDRINFO.3]=man3/BIO_ADDRINFO.pod +DEPEND[html/man3/BIO_connect.html]=man3/BIO_connect.pod +GENERATE[html/man3/BIO_connect.html]=man3/BIO_connect.pod +DEPEND[man/man3/BIO_connect.3]=man3/BIO_connect.pod +GENERATE[man/man3/BIO_connect.3]=man3/BIO_connect.pod +DEPEND[html/man3/BIO_ctrl.html]=man3/BIO_ctrl.pod +GENERATE[html/man3/BIO_ctrl.html]=man3/BIO_ctrl.pod +DEPEND[man/man3/BIO_ctrl.3]=man3/BIO_ctrl.pod +GENERATE[man/man3/BIO_ctrl.3]=man3/BIO_ctrl.pod +DEPEND[html/man3/BIO_f_base64.html]=man3/BIO_f_base64.pod +GENERATE[html/man3/BIO_f_base64.html]=man3/BIO_f_base64.pod +DEPEND[man/man3/BIO_f_base64.3]=man3/BIO_f_base64.pod +GENERATE[man/man3/BIO_f_base64.3]=man3/BIO_f_base64.pod +DEPEND[html/man3/BIO_f_buffer.html]=man3/BIO_f_buffer.pod +GENERATE[html/man3/BIO_f_buffer.html]=man3/BIO_f_buffer.pod +DEPEND[man/man3/BIO_f_buffer.3]=man3/BIO_f_buffer.pod +GENERATE[man/man3/BIO_f_buffer.3]=man3/BIO_f_buffer.pod +DEPEND[html/man3/BIO_f_cipher.html]=man3/BIO_f_cipher.pod +GENERATE[html/man3/BIO_f_cipher.html]=man3/BIO_f_cipher.pod +DEPEND[man/man3/BIO_f_cipher.3]=man3/BIO_f_cipher.pod +GENERATE[man/man3/BIO_f_cipher.3]=man3/BIO_f_cipher.pod +DEPEND[html/man3/BIO_f_md.html]=man3/BIO_f_md.pod +GENERATE[html/man3/BIO_f_md.html]=man3/BIO_f_md.pod +DEPEND[man/man3/BIO_f_md.3]=man3/BIO_f_md.pod +GENERATE[man/man3/BIO_f_md.3]=man3/BIO_f_md.pod +DEPEND[html/man3/BIO_f_null.html]=man3/BIO_f_null.pod +GENERATE[html/man3/BIO_f_null.html]=man3/BIO_f_null.pod +DEPEND[man/man3/BIO_f_null.3]=man3/BIO_f_null.pod +GENERATE[man/man3/BIO_f_null.3]=man3/BIO_f_null.pod +DEPEND[html/man3/BIO_f_prefix.html]=man3/BIO_f_prefix.pod +GENERATE[html/man3/BIO_f_prefix.html]=man3/BIO_f_prefix.pod +DEPEND[man/man3/BIO_f_prefix.3]=man3/BIO_f_prefix.pod +GENERATE[man/man3/BIO_f_prefix.3]=man3/BIO_f_prefix.pod +DEPEND[html/man3/BIO_f_ssl.html]=man3/BIO_f_ssl.pod +GENERATE[html/man3/BIO_f_ssl.html]=man3/BIO_f_ssl.pod +DEPEND[man/man3/BIO_f_ssl.3]=man3/BIO_f_ssl.pod +GENERATE[man/man3/BIO_f_ssl.3]=man3/BIO_f_ssl.pod +DEPEND[html/man3/BIO_find_type.html]=man3/BIO_find_type.pod +GENERATE[html/man3/BIO_find_type.html]=man3/BIO_find_type.pod +DEPEND[man/man3/BIO_find_type.3]=man3/BIO_find_type.pod +GENERATE[man/man3/BIO_find_type.3]=man3/BIO_find_type.pod +DEPEND[html/man3/BIO_get_data.html]=man3/BIO_get_data.pod +GENERATE[html/man3/BIO_get_data.html]=man3/BIO_get_data.pod +DEPEND[man/man3/BIO_get_data.3]=man3/BIO_get_data.pod +GENERATE[man/man3/BIO_get_data.3]=man3/BIO_get_data.pod +DEPEND[html/man3/BIO_get_ex_new_index.html]=man3/BIO_get_ex_new_index.pod +GENERATE[html/man3/BIO_get_ex_new_index.html]=man3/BIO_get_ex_new_index.pod +DEPEND[man/man3/BIO_get_ex_new_index.3]=man3/BIO_get_ex_new_index.pod +GENERATE[man/man3/BIO_get_ex_new_index.3]=man3/BIO_get_ex_new_index.pod +DEPEND[html/man3/BIO_meth_new.html]=man3/BIO_meth_new.pod +GENERATE[html/man3/BIO_meth_new.html]=man3/BIO_meth_new.pod +DEPEND[man/man3/BIO_meth_new.3]=man3/BIO_meth_new.pod +GENERATE[man/man3/BIO_meth_new.3]=man3/BIO_meth_new.pod +DEPEND[html/man3/BIO_new.html]=man3/BIO_new.pod +GENERATE[html/man3/BIO_new.html]=man3/BIO_new.pod +DEPEND[man/man3/BIO_new.3]=man3/BIO_new.pod +GENERATE[man/man3/BIO_new.3]=man3/BIO_new.pod +DEPEND[html/man3/BIO_new_CMS.html]=man3/BIO_new_CMS.pod +GENERATE[html/man3/BIO_new_CMS.html]=man3/BIO_new_CMS.pod +DEPEND[man/man3/BIO_new_CMS.3]=man3/BIO_new_CMS.pod +GENERATE[man/man3/BIO_new_CMS.3]=man3/BIO_new_CMS.pod +DEPEND[html/man3/BIO_parse_hostserv.html]=man3/BIO_parse_hostserv.pod +GENERATE[html/man3/BIO_parse_hostserv.html]=man3/BIO_parse_hostserv.pod +DEPEND[man/man3/BIO_parse_hostserv.3]=man3/BIO_parse_hostserv.pod +GENERATE[man/man3/BIO_parse_hostserv.3]=man3/BIO_parse_hostserv.pod +DEPEND[html/man3/BIO_printf.html]=man3/BIO_printf.pod +GENERATE[html/man3/BIO_printf.html]=man3/BIO_printf.pod +DEPEND[man/man3/BIO_printf.3]=man3/BIO_printf.pod +GENERATE[man/man3/BIO_printf.3]=man3/BIO_printf.pod +DEPEND[html/man3/BIO_push.html]=man3/BIO_push.pod +GENERATE[html/man3/BIO_push.html]=man3/BIO_push.pod +DEPEND[man/man3/BIO_push.3]=man3/BIO_push.pod +GENERATE[man/man3/BIO_push.3]=man3/BIO_push.pod +DEPEND[html/man3/BIO_read.html]=man3/BIO_read.pod +GENERATE[html/man3/BIO_read.html]=man3/BIO_read.pod +DEPEND[man/man3/BIO_read.3]=man3/BIO_read.pod +GENERATE[man/man3/BIO_read.3]=man3/BIO_read.pod +DEPEND[html/man3/BIO_s_accept.html]=man3/BIO_s_accept.pod +GENERATE[html/man3/BIO_s_accept.html]=man3/BIO_s_accept.pod +DEPEND[man/man3/BIO_s_accept.3]=man3/BIO_s_accept.pod +GENERATE[man/man3/BIO_s_accept.3]=man3/BIO_s_accept.pod +DEPEND[html/man3/BIO_s_bio.html]=man3/BIO_s_bio.pod +GENERATE[html/man3/BIO_s_bio.html]=man3/BIO_s_bio.pod +DEPEND[man/man3/BIO_s_bio.3]=man3/BIO_s_bio.pod +GENERATE[man/man3/BIO_s_bio.3]=man3/BIO_s_bio.pod +DEPEND[html/man3/BIO_s_connect.html]=man3/BIO_s_connect.pod +GENERATE[html/man3/BIO_s_connect.html]=man3/BIO_s_connect.pod +DEPEND[man/man3/BIO_s_connect.3]=man3/BIO_s_connect.pod +GENERATE[man/man3/BIO_s_connect.3]=man3/BIO_s_connect.pod +DEPEND[html/man3/BIO_s_fd.html]=man3/BIO_s_fd.pod +GENERATE[html/man3/BIO_s_fd.html]=man3/BIO_s_fd.pod +DEPEND[man/man3/BIO_s_fd.3]=man3/BIO_s_fd.pod +GENERATE[man/man3/BIO_s_fd.3]=man3/BIO_s_fd.pod +DEPEND[html/man3/BIO_s_file.html]=man3/BIO_s_file.pod +GENERATE[html/man3/BIO_s_file.html]=man3/BIO_s_file.pod +DEPEND[man/man3/BIO_s_file.3]=man3/BIO_s_file.pod +GENERATE[man/man3/BIO_s_file.3]=man3/BIO_s_file.pod +DEPEND[html/man3/BIO_s_mem.html]=man3/BIO_s_mem.pod +GENERATE[html/man3/BIO_s_mem.html]=man3/BIO_s_mem.pod +DEPEND[man/man3/BIO_s_mem.3]=man3/BIO_s_mem.pod +GENERATE[man/man3/BIO_s_mem.3]=man3/BIO_s_mem.pod +DEPEND[html/man3/BIO_s_null.html]=man3/BIO_s_null.pod +GENERATE[html/man3/BIO_s_null.html]=man3/BIO_s_null.pod +DEPEND[man/man3/BIO_s_null.3]=man3/BIO_s_null.pod +GENERATE[man/man3/BIO_s_null.3]=man3/BIO_s_null.pod +DEPEND[html/man3/BIO_s_socket.html]=man3/BIO_s_socket.pod +GENERATE[html/man3/BIO_s_socket.html]=man3/BIO_s_socket.pod +DEPEND[man/man3/BIO_s_socket.3]=man3/BIO_s_socket.pod +GENERATE[man/man3/BIO_s_socket.3]=man3/BIO_s_socket.pod +DEPEND[html/man3/BIO_set_callback.html]=man3/BIO_set_callback.pod +GENERATE[html/man3/BIO_set_callback.html]=man3/BIO_set_callback.pod +DEPEND[man/man3/BIO_set_callback.3]=man3/BIO_set_callback.pod +GENERATE[man/man3/BIO_set_callback.3]=man3/BIO_set_callback.pod +DEPEND[html/man3/BIO_should_retry.html]=man3/BIO_should_retry.pod +GENERATE[html/man3/BIO_should_retry.html]=man3/BIO_should_retry.pod +DEPEND[man/man3/BIO_should_retry.3]=man3/BIO_should_retry.pod +GENERATE[man/man3/BIO_should_retry.3]=man3/BIO_should_retry.pod +DEPEND[html/man3/BIO_socket_wait.html]=man3/BIO_socket_wait.pod +GENERATE[html/man3/BIO_socket_wait.html]=man3/BIO_socket_wait.pod +DEPEND[man/man3/BIO_socket_wait.3]=man3/BIO_socket_wait.pod +GENERATE[man/man3/BIO_socket_wait.3]=man3/BIO_socket_wait.pod +DEPEND[html/man3/BN_BLINDING_new.html]=man3/BN_BLINDING_new.pod +GENERATE[html/man3/BN_BLINDING_new.html]=man3/BN_BLINDING_new.pod +DEPEND[man/man3/BN_BLINDING_new.3]=man3/BN_BLINDING_new.pod +GENERATE[man/man3/BN_BLINDING_new.3]=man3/BN_BLINDING_new.pod +DEPEND[html/man3/BN_CTX_new.html]=man3/BN_CTX_new.pod +GENERATE[html/man3/BN_CTX_new.html]=man3/BN_CTX_new.pod +DEPEND[man/man3/BN_CTX_new.3]=man3/BN_CTX_new.pod +GENERATE[man/man3/BN_CTX_new.3]=man3/BN_CTX_new.pod +DEPEND[html/man3/BN_CTX_start.html]=man3/BN_CTX_start.pod +GENERATE[html/man3/BN_CTX_start.html]=man3/BN_CTX_start.pod +DEPEND[man/man3/BN_CTX_start.3]=man3/BN_CTX_start.pod +GENERATE[man/man3/BN_CTX_start.3]=man3/BN_CTX_start.pod +DEPEND[html/man3/BN_add.html]=man3/BN_add.pod +GENERATE[html/man3/BN_add.html]=man3/BN_add.pod +DEPEND[man/man3/BN_add.3]=man3/BN_add.pod +GENERATE[man/man3/BN_add.3]=man3/BN_add.pod +DEPEND[html/man3/BN_add_word.html]=man3/BN_add_word.pod +GENERATE[html/man3/BN_add_word.html]=man3/BN_add_word.pod +DEPEND[man/man3/BN_add_word.3]=man3/BN_add_word.pod +GENERATE[man/man3/BN_add_word.3]=man3/BN_add_word.pod +DEPEND[html/man3/BN_bn2bin.html]=man3/BN_bn2bin.pod +GENERATE[html/man3/BN_bn2bin.html]=man3/BN_bn2bin.pod +DEPEND[man/man3/BN_bn2bin.3]=man3/BN_bn2bin.pod +GENERATE[man/man3/BN_bn2bin.3]=man3/BN_bn2bin.pod +DEPEND[html/man3/BN_cmp.html]=man3/BN_cmp.pod +GENERATE[html/man3/BN_cmp.html]=man3/BN_cmp.pod +DEPEND[man/man3/BN_cmp.3]=man3/BN_cmp.pod +GENERATE[man/man3/BN_cmp.3]=man3/BN_cmp.pod +DEPEND[html/man3/BN_copy.html]=man3/BN_copy.pod +GENERATE[html/man3/BN_copy.html]=man3/BN_copy.pod +DEPEND[man/man3/BN_copy.3]=man3/BN_copy.pod +GENERATE[man/man3/BN_copy.3]=man3/BN_copy.pod +DEPEND[html/man3/BN_generate_prime.html]=man3/BN_generate_prime.pod +GENERATE[html/man3/BN_generate_prime.html]=man3/BN_generate_prime.pod +DEPEND[man/man3/BN_generate_prime.3]=man3/BN_generate_prime.pod +GENERATE[man/man3/BN_generate_prime.3]=man3/BN_generate_prime.pod +DEPEND[html/man3/BN_mod_inverse.html]=man3/BN_mod_inverse.pod +GENERATE[html/man3/BN_mod_inverse.html]=man3/BN_mod_inverse.pod +DEPEND[man/man3/BN_mod_inverse.3]=man3/BN_mod_inverse.pod +GENERATE[man/man3/BN_mod_inverse.3]=man3/BN_mod_inverse.pod +DEPEND[html/man3/BN_mod_mul_montgomery.html]=man3/BN_mod_mul_montgomery.pod +GENERATE[html/man3/BN_mod_mul_montgomery.html]=man3/BN_mod_mul_montgomery.pod +DEPEND[man/man3/BN_mod_mul_montgomery.3]=man3/BN_mod_mul_montgomery.pod +GENERATE[man/man3/BN_mod_mul_montgomery.3]=man3/BN_mod_mul_montgomery.pod +DEPEND[html/man3/BN_mod_mul_reciprocal.html]=man3/BN_mod_mul_reciprocal.pod +GENERATE[html/man3/BN_mod_mul_reciprocal.html]=man3/BN_mod_mul_reciprocal.pod +DEPEND[man/man3/BN_mod_mul_reciprocal.3]=man3/BN_mod_mul_reciprocal.pod +GENERATE[man/man3/BN_mod_mul_reciprocal.3]=man3/BN_mod_mul_reciprocal.pod +DEPEND[html/man3/BN_new.html]=man3/BN_new.pod +GENERATE[html/man3/BN_new.html]=man3/BN_new.pod +DEPEND[man/man3/BN_new.3]=man3/BN_new.pod +GENERATE[man/man3/BN_new.3]=man3/BN_new.pod +DEPEND[html/man3/BN_num_bytes.html]=man3/BN_num_bytes.pod +GENERATE[html/man3/BN_num_bytes.html]=man3/BN_num_bytes.pod +DEPEND[man/man3/BN_num_bytes.3]=man3/BN_num_bytes.pod +GENERATE[man/man3/BN_num_bytes.3]=man3/BN_num_bytes.pod +DEPEND[html/man3/BN_rand.html]=man3/BN_rand.pod +GENERATE[html/man3/BN_rand.html]=man3/BN_rand.pod +DEPEND[man/man3/BN_rand.3]=man3/BN_rand.pod +GENERATE[man/man3/BN_rand.3]=man3/BN_rand.pod +DEPEND[html/man3/BN_security_bits.html]=man3/BN_security_bits.pod +GENERATE[html/man3/BN_security_bits.html]=man3/BN_security_bits.pod +DEPEND[man/man3/BN_security_bits.3]=man3/BN_security_bits.pod +GENERATE[man/man3/BN_security_bits.3]=man3/BN_security_bits.pod +DEPEND[html/man3/BN_set_bit.html]=man3/BN_set_bit.pod +GENERATE[html/man3/BN_set_bit.html]=man3/BN_set_bit.pod +DEPEND[man/man3/BN_set_bit.3]=man3/BN_set_bit.pod +GENERATE[man/man3/BN_set_bit.3]=man3/BN_set_bit.pod +DEPEND[html/man3/BN_swap.html]=man3/BN_swap.pod +GENERATE[html/man3/BN_swap.html]=man3/BN_swap.pod +DEPEND[man/man3/BN_swap.3]=man3/BN_swap.pod +GENERATE[man/man3/BN_swap.3]=man3/BN_swap.pod +DEPEND[html/man3/BN_zero.html]=man3/BN_zero.pod +GENERATE[html/man3/BN_zero.html]=man3/BN_zero.pod +DEPEND[man/man3/BN_zero.3]=man3/BN_zero.pod +GENERATE[man/man3/BN_zero.3]=man3/BN_zero.pod +DEPEND[html/man3/BUF_MEM_new.html]=man3/BUF_MEM_new.pod +GENERATE[html/man3/BUF_MEM_new.html]=man3/BUF_MEM_new.pod +DEPEND[man/man3/BUF_MEM_new.3]=man3/BUF_MEM_new.pod +GENERATE[man/man3/BUF_MEM_new.3]=man3/BUF_MEM_new.pod +DEPEND[html/man3/CMS_EncryptedData_decrypt.html]=man3/CMS_EncryptedData_decrypt.pod +GENERATE[html/man3/CMS_EncryptedData_decrypt.html]=man3/CMS_EncryptedData_decrypt.pod +DEPEND[man/man3/CMS_EncryptedData_decrypt.3]=man3/CMS_EncryptedData_decrypt.pod +GENERATE[man/man3/CMS_EncryptedData_decrypt.3]=man3/CMS_EncryptedData_decrypt.pod +DEPEND[html/man3/CMS_EncryptedData_encrypt.html]=man3/CMS_EncryptedData_encrypt.pod +GENERATE[html/man3/CMS_EncryptedData_encrypt.html]=man3/CMS_EncryptedData_encrypt.pod +DEPEND[man/man3/CMS_EncryptedData_encrypt.3]=man3/CMS_EncryptedData_encrypt.pod +GENERATE[man/man3/CMS_EncryptedData_encrypt.3]=man3/CMS_EncryptedData_encrypt.pod +DEPEND[html/man3/CMS_EnvelopedData_create.html]=man3/CMS_EnvelopedData_create.pod +GENERATE[html/man3/CMS_EnvelopedData_create.html]=man3/CMS_EnvelopedData_create.pod +DEPEND[man/man3/CMS_EnvelopedData_create.3]=man3/CMS_EnvelopedData_create.pod +GENERATE[man/man3/CMS_EnvelopedData_create.3]=man3/CMS_EnvelopedData_create.pod +DEPEND[html/man3/CMS_add0_cert.html]=man3/CMS_add0_cert.pod +GENERATE[html/man3/CMS_add0_cert.html]=man3/CMS_add0_cert.pod +DEPEND[man/man3/CMS_add0_cert.3]=man3/CMS_add0_cert.pod +GENERATE[man/man3/CMS_add0_cert.3]=man3/CMS_add0_cert.pod +DEPEND[html/man3/CMS_add1_recipient_cert.html]=man3/CMS_add1_recipient_cert.pod +GENERATE[html/man3/CMS_add1_recipient_cert.html]=man3/CMS_add1_recipient_cert.pod +DEPEND[man/man3/CMS_add1_recipient_cert.3]=man3/CMS_add1_recipient_cert.pod +GENERATE[man/man3/CMS_add1_recipient_cert.3]=man3/CMS_add1_recipient_cert.pod +DEPEND[html/man3/CMS_add1_signer.html]=man3/CMS_add1_signer.pod +GENERATE[html/man3/CMS_add1_signer.html]=man3/CMS_add1_signer.pod +DEPEND[man/man3/CMS_add1_signer.3]=man3/CMS_add1_signer.pod +GENERATE[man/man3/CMS_add1_signer.3]=man3/CMS_add1_signer.pod +DEPEND[html/man3/CMS_compress.html]=man3/CMS_compress.pod +GENERATE[html/man3/CMS_compress.html]=man3/CMS_compress.pod +DEPEND[man/man3/CMS_compress.3]=man3/CMS_compress.pod +GENERATE[man/man3/CMS_compress.3]=man3/CMS_compress.pod +DEPEND[html/man3/CMS_data_create.html]=man3/CMS_data_create.pod +GENERATE[html/man3/CMS_data_create.html]=man3/CMS_data_create.pod +DEPEND[man/man3/CMS_data_create.3]=man3/CMS_data_create.pod +GENERATE[man/man3/CMS_data_create.3]=man3/CMS_data_create.pod +DEPEND[html/man3/CMS_decrypt.html]=man3/CMS_decrypt.pod +GENERATE[html/man3/CMS_decrypt.html]=man3/CMS_decrypt.pod +DEPEND[man/man3/CMS_decrypt.3]=man3/CMS_decrypt.pod +GENERATE[man/man3/CMS_decrypt.3]=man3/CMS_decrypt.pod +DEPEND[html/man3/CMS_digest_create.html]=man3/CMS_digest_create.pod +GENERATE[html/man3/CMS_digest_create.html]=man3/CMS_digest_create.pod +DEPEND[man/man3/CMS_digest_create.3]=man3/CMS_digest_create.pod +GENERATE[man/man3/CMS_digest_create.3]=man3/CMS_digest_create.pod +DEPEND[html/man3/CMS_encrypt.html]=man3/CMS_encrypt.pod +GENERATE[html/man3/CMS_encrypt.html]=man3/CMS_encrypt.pod +DEPEND[man/man3/CMS_encrypt.3]=man3/CMS_encrypt.pod +GENERATE[man/man3/CMS_encrypt.3]=man3/CMS_encrypt.pod +DEPEND[html/man3/CMS_final.html]=man3/CMS_final.pod +GENERATE[html/man3/CMS_final.html]=man3/CMS_final.pod +DEPEND[man/man3/CMS_final.3]=man3/CMS_final.pod +GENERATE[man/man3/CMS_final.3]=man3/CMS_final.pod +DEPEND[html/man3/CMS_get0_RecipientInfos.html]=man3/CMS_get0_RecipientInfos.pod +GENERATE[html/man3/CMS_get0_RecipientInfos.html]=man3/CMS_get0_RecipientInfos.pod +DEPEND[man/man3/CMS_get0_RecipientInfos.3]=man3/CMS_get0_RecipientInfos.pod +GENERATE[man/man3/CMS_get0_RecipientInfos.3]=man3/CMS_get0_RecipientInfos.pod +DEPEND[html/man3/CMS_get0_SignerInfos.html]=man3/CMS_get0_SignerInfos.pod +GENERATE[html/man3/CMS_get0_SignerInfos.html]=man3/CMS_get0_SignerInfos.pod +DEPEND[man/man3/CMS_get0_SignerInfos.3]=man3/CMS_get0_SignerInfos.pod +GENERATE[man/man3/CMS_get0_SignerInfos.3]=man3/CMS_get0_SignerInfos.pod +DEPEND[html/man3/CMS_get0_type.html]=man3/CMS_get0_type.pod +GENERATE[html/man3/CMS_get0_type.html]=man3/CMS_get0_type.pod +DEPEND[man/man3/CMS_get0_type.3]=man3/CMS_get0_type.pod +GENERATE[man/man3/CMS_get0_type.3]=man3/CMS_get0_type.pod +DEPEND[html/man3/CMS_get1_ReceiptRequest.html]=man3/CMS_get1_ReceiptRequest.pod +GENERATE[html/man3/CMS_get1_ReceiptRequest.html]=man3/CMS_get1_ReceiptRequest.pod +DEPEND[man/man3/CMS_get1_ReceiptRequest.3]=man3/CMS_get1_ReceiptRequest.pod +GENERATE[man/man3/CMS_get1_ReceiptRequest.3]=man3/CMS_get1_ReceiptRequest.pod +DEPEND[html/man3/CMS_sign.html]=man3/CMS_sign.pod +GENERATE[html/man3/CMS_sign.html]=man3/CMS_sign.pod +DEPEND[man/man3/CMS_sign.3]=man3/CMS_sign.pod +GENERATE[man/man3/CMS_sign.3]=man3/CMS_sign.pod +DEPEND[html/man3/CMS_sign_receipt.html]=man3/CMS_sign_receipt.pod +GENERATE[html/man3/CMS_sign_receipt.html]=man3/CMS_sign_receipt.pod +DEPEND[man/man3/CMS_sign_receipt.3]=man3/CMS_sign_receipt.pod +GENERATE[man/man3/CMS_sign_receipt.3]=man3/CMS_sign_receipt.pod +DEPEND[html/man3/CMS_uncompress.html]=man3/CMS_uncompress.pod +GENERATE[html/man3/CMS_uncompress.html]=man3/CMS_uncompress.pod +DEPEND[man/man3/CMS_uncompress.3]=man3/CMS_uncompress.pod +GENERATE[man/man3/CMS_uncompress.3]=man3/CMS_uncompress.pod +DEPEND[html/man3/CMS_verify.html]=man3/CMS_verify.pod +GENERATE[html/man3/CMS_verify.html]=man3/CMS_verify.pod +DEPEND[man/man3/CMS_verify.3]=man3/CMS_verify.pod +GENERATE[man/man3/CMS_verify.3]=man3/CMS_verify.pod +DEPEND[html/man3/CMS_verify_receipt.html]=man3/CMS_verify_receipt.pod +GENERATE[html/man3/CMS_verify_receipt.html]=man3/CMS_verify_receipt.pod +DEPEND[man/man3/CMS_verify_receipt.3]=man3/CMS_verify_receipt.pod +GENERATE[man/man3/CMS_verify_receipt.3]=man3/CMS_verify_receipt.pod +DEPEND[html/man3/CONF_modules_free.html]=man3/CONF_modules_free.pod +GENERATE[html/man3/CONF_modules_free.html]=man3/CONF_modules_free.pod +DEPEND[man/man3/CONF_modules_free.3]=man3/CONF_modules_free.pod +GENERATE[man/man3/CONF_modules_free.3]=man3/CONF_modules_free.pod +DEPEND[html/man3/CONF_modules_load_file.html]=man3/CONF_modules_load_file.pod +GENERATE[html/man3/CONF_modules_load_file.html]=man3/CONF_modules_load_file.pod +DEPEND[man/man3/CONF_modules_load_file.3]=man3/CONF_modules_load_file.pod +GENERATE[man/man3/CONF_modules_load_file.3]=man3/CONF_modules_load_file.pod +DEPEND[html/man3/CRYPTO_THREAD_run_once.html]=man3/CRYPTO_THREAD_run_once.pod +GENERATE[html/man3/CRYPTO_THREAD_run_once.html]=man3/CRYPTO_THREAD_run_once.pod +DEPEND[man/man3/CRYPTO_THREAD_run_once.3]=man3/CRYPTO_THREAD_run_once.pod +GENERATE[man/man3/CRYPTO_THREAD_run_once.3]=man3/CRYPTO_THREAD_run_once.pod +DEPEND[html/man3/CRYPTO_get_ex_new_index.html]=man3/CRYPTO_get_ex_new_index.pod +GENERATE[html/man3/CRYPTO_get_ex_new_index.html]=man3/CRYPTO_get_ex_new_index.pod +DEPEND[man/man3/CRYPTO_get_ex_new_index.3]=man3/CRYPTO_get_ex_new_index.pod +GENERATE[man/man3/CRYPTO_get_ex_new_index.3]=man3/CRYPTO_get_ex_new_index.pod +DEPEND[html/man3/CRYPTO_memcmp.html]=man3/CRYPTO_memcmp.pod +GENERATE[html/man3/CRYPTO_memcmp.html]=man3/CRYPTO_memcmp.pod +DEPEND[man/man3/CRYPTO_memcmp.3]=man3/CRYPTO_memcmp.pod +GENERATE[man/man3/CRYPTO_memcmp.3]=man3/CRYPTO_memcmp.pod +DEPEND[html/man3/CTLOG_STORE_get0_log_by_id.html]=man3/CTLOG_STORE_get0_log_by_id.pod +GENERATE[html/man3/CTLOG_STORE_get0_log_by_id.html]=man3/CTLOG_STORE_get0_log_by_id.pod +DEPEND[man/man3/CTLOG_STORE_get0_log_by_id.3]=man3/CTLOG_STORE_get0_log_by_id.pod +GENERATE[man/man3/CTLOG_STORE_get0_log_by_id.3]=man3/CTLOG_STORE_get0_log_by_id.pod +DEPEND[html/man3/CTLOG_STORE_new.html]=man3/CTLOG_STORE_new.pod +GENERATE[html/man3/CTLOG_STORE_new.html]=man3/CTLOG_STORE_new.pod +DEPEND[man/man3/CTLOG_STORE_new.3]=man3/CTLOG_STORE_new.pod +GENERATE[man/man3/CTLOG_STORE_new.3]=man3/CTLOG_STORE_new.pod +DEPEND[html/man3/CTLOG_new.html]=man3/CTLOG_new.pod +GENERATE[html/man3/CTLOG_new.html]=man3/CTLOG_new.pod +DEPEND[man/man3/CTLOG_new.3]=man3/CTLOG_new.pod +GENERATE[man/man3/CTLOG_new.3]=man3/CTLOG_new.pod +DEPEND[html/man3/CT_POLICY_EVAL_CTX_new.html]=man3/CT_POLICY_EVAL_CTX_new.pod +GENERATE[html/man3/CT_POLICY_EVAL_CTX_new.html]=man3/CT_POLICY_EVAL_CTX_new.pod +DEPEND[man/man3/CT_POLICY_EVAL_CTX_new.3]=man3/CT_POLICY_EVAL_CTX_new.pod +GENERATE[man/man3/CT_POLICY_EVAL_CTX_new.3]=man3/CT_POLICY_EVAL_CTX_new.pod +DEPEND[html/man3/DEFINE_STACK_OF.html]=man3/DEFINE_STACK_OF.pod +GENERATE[html/man3/DEFINE_STACK_OF.html]=man3/DEFINE_STACK_OF.pod +DEPEND[man/man3/DEFINE_STACK_OF.3]=man3/DEFINE_STACK_OF.pod +GENERATE[man/man3/DEFINE_STACK_OF.3]=man3/DEFINE_STACK_OF.pod +DEPEND[html/man3/DES_random_key.html]=man3/DES_random_key.pod +GENERATE[html/man3/DES_random_key.html]=man3/DES_random_key.pod +DEPEND[man/man3/DES_random_key.3]=man3/DES_random_key.pod +GENERATE[man/man3/DES_random_key.3]=man3/DES_random_key.pod +DEPEND[html/man3/DH_generate_key.html]=man3/DH_generate_key.pod +GENERATE[html/man3/DH_generate_key.html]=man3/DH_generate_key.pod +DEPEND[man/man3/DH_generate_key.3]=man3/DH_generate_key.pod +GENERATE[man/man3/DH_generate_key.3]=man3/DH_generate_key.pod +DEPEND[html/man3/DH_generate_parameters.html]=man3/DH_generate_parameters.pod +GENERATE[html/man3/DH_generate_parameters.html]=man3/DH_generate_parameters.pod +DEPEND[man/man3/DH_generate_parameters.3]=man3/DH_generate_parameters.pod +GENERATE[man/man3/DH_generate_parameters.3]=man3/DH_generate_parameters.pod +DEPEND[html/man3/DH_get0_pqg.html]=man3/DH_get0_pqg.pod +GENERATE[html/man3/DH_get0_pqg.html]=man3/DH_get0_pqg.pod +DEPEND[man/man3/DH_get0_pqg.3]=man3/DH_get0_pqg.pod +GENERATE[man/man3/DH_get0_pqg.3]=man3/DH_get0_pqg.pod +DEPEND[html/man3/DH_get_1024_160.html]=man3/DH_get_1024_160.pod +GENERATE[html/man3/DH_get_1024_160.html]=man3/DH_get_1024_160.pod +DEPEND[man/man3/DH_get_1024_160.3]=man3/DH_get_1024_160.pod +GENERATE[man/man3/DH_get_1024_160.3]=man3/DH_get_1024_160.pod +DEPEND[html/man3/DH_meth_new.html]=man3/DH_meth_new.pod +GENERATE[html/man3/DH_meth_new.html]=man3/DH_meth_new.pod +DEPEND[man/man3/DH_meth_new.3]=man3/DH_meth_new.pod +GENERATE[man/man3/DH_meth_new.3]=man3/DH_meth_new.pod +DEPEND[html/man3/DH_new.html]=man3/DH_new.pod +GENERATE[html/man3/DH_new.html]=man3/DH_new.pod +DEPEND[man/man3/DH_new.3]=man3/DH_new.pod +GENERATE[man/man3/DH_new.3]=man3/DH_new.pod +DEPEND[html/man3/DH_new_by_nid.html]=man3/DH_new_by_nid.pod +GENERATE[html/man3/DH_new_by_nid.html]=man3/DH_new_by_nid.pod +DEPEND[man/man3/DH_new_by_nid.3]=man3/DH_new_by_nid.pod +GENERATE[man/man3/DH_new_by_nid.3]=man3/DH_new_by_nid.pod +DEPEND[html/man3/DH_set_method.html]=man3/DH_set_method.pod +GENERATE[html/man3/DH_set_method.html]=man3/DH_set_method.pod +DEPEND[man/man3/DH_set_method.3]=man3/DH_set_method.pod +GENERATE[man/man3/DH_set_method.3]=man3/DH_set_method.pod +DEPEND[html/man3/DH_size.html]=man3/DH_size.pod +GENERATE[html/man3/DH_size.html]=man3/DH_size.pod +DEPEND[man/man3/DH_size.3]=man3/DH_size.pod +GENERATE[man/man3/DH_size.3]=man3/DH_size.pod +DEPEND[html/man3/DSA_SIG_new.html]=man3/DSA_SIG_new.pod +GENERATE[html/man3/DSA_SIG_new.html]=man3/DSA_SIG_new.pod +DEPEND[man/man3/DSA_SIG_new.3]=man3/DSA_SIG_new.pod +GENERATE[man/man3/DSA_SIG_new.3]=man3/DSA_SIG_new.pod +DEPEND[html/man3/DSA_do_sign.html]=man3/DSA_do_sign.pod +GENERATE[html/man3/DSA_do_sign.html]=man3/DSA_do_sign.pod +DEPEND[man/man3/DSA_do_sign.3]=man3/DSA_do_sign.pod +GENERATE[man/man3/DSA_do_sign.3]=man3/DSA_do_sign.pod +DEPEND[html/man3/DSA_dup_DH.html]=man3/DSA_dup_DH.pod +GENERATE[html/man3/DSA_dup_DH.html]=man3/DSA_dup_DH.pod +DEPEND[man/man3/DSA_dup_DH.3]=man3/DSA_dup_DH.pod +GENERATE[man/man3/DSA_dup_DH.3]=man3/DSA_dup_DH.pod +DEPEND[html/man3/DSA_generate_key.html]=man3/DSA_generate_key.pod +GENERATE[html/man3/DSA_generate_key.html]=man3/DSA_generate_key.pod +DEPEND[man/man3/DSA_generate_key.3]=man3/DSA_generate_key.pod +GENERATE[man/man3/DSA_generate_key.3]=man3/DSA_generate_key.pod +DEPEND[html/man3/DSA_generate_parameters.html]=man3/DSA_generate_parameters.pod +GENERATE[html/man3/DSA_generate_parameters.html]=man3/DSA_generate_parameters.pod +DEPEND[man/man3/DSA_generate_parameters.3]=man3/DSA_generate_parameters.pod +GENERATE[man/man3/DSA_generate_parameters.3]=man3/DSA_generate_parameters.pod +DEPEND[html/man3/DSA_get0_pqg.html]=man3/DSA_get0_pqg.pod +GENERATE[html/man3/DSA_get0_pqg.html]=man3/DSA_get0_pqg.pod +DEPEND[man/man3/DSA_get0_pqg.3]=man3/DSA_get0_pqg.pod +GENERATE[man/man3/DSA_get0_pqg.3]=man3/DSA_get0_pqg.pod +DEPEND[html/man3/DSA_meth_new.html]=man3/DSA_meth_new.pod +GENERATE[html/man3/DSA_meth_new.html]=man3/DSA_meth_new.pod +DEPEND[man/man3/DSA_meth_new.3]=man3/DSA_meth_new.pod +GENERATE[man/man3/DSA_meth_new.3]=man3/DSA_meth_new.pod +DEPEND[html/man3/DSA_new.html]=man3/DSA_new.pod +GENERATE[html/man3/DSA_new.html]=man3/DSA_new.pod +DEPEND[man/man3/DSA_new.3]=man3/DSA_new.pod +GENERATE[man/man3/DSA_new.3]=man3/DSA_new.pod +DEPEND[html/man3/DSA_set_method.html]=man3/DSA_set_method.pod +GENERATE[html/man3/DSA_set_method.html]=man3/DSA_set_method.pod +DEPEND[man/man3/DSA_set_method.3]=man3/DSA_set_method.pod +GENERATE[man/man3/DSA_set_method.3]=man3/DSA_set_method.pod +DEPEND[html/man3/DSA_sign.html]=man3/DSA_sign.pod +GENERATE[html/man3/DSA_sign.html]=man3/DSA_sign.pod +DEPEND[man/man3/DSA_sign.3]=man3/DSA_sign.pod +GENERATE[man/man3/DSA_sign.3]=man3/DSA_sign.pod +DEPEND[html/man3/DSA_size.html]=man3/DSA_size.pod +GENERATE[html/man3/DSA_size.html]=man3/DSA_size.pod +DEPEND[man/man3/DSA_size.3]=man3/DSA_size.pod +GENERATE[man/man3/DSA_size.3]=man3/DSA_size.pod +DEPEND[html/man3/DTLS_get_data_mtu.html]=man3/DTLS_get_data_mtu.pod +GENERATE[html/man3/DTLS_get_data_mtu.html]=man3/DTLS_get_data_mtu.pod +DEPEND[man/man3/DTLS_get_data_mtu.3]=man3/DTLS_get_data_mtu.pod +GENERATE[man/man3/DTLS_get_data_mtu.3]=man3/DTLS_get_data_mtu.pod +DEPEND[html/man3/DTLS_set_timer_cb.html]=man3/DTLS_set_timer_cb.pod +GENERATE[html/man3/DTLS_set_timer_cb.html]=man3/DTLS_set_timer_cb.pod +DEPEND[man/man3/DTLS_set_timer_cb.3]=man3/DTLS_set_timer_cb.pod +GENERATE[man/man3/DTLS_set_timer_cb.3]=man3/DTLS_set_timer_cb.pod +DEPEND[html/man3/DTLSv1_listen.html]=man3/DTLSv1_listen.pod +GENERATE[html/man3/DTLSv1_listen.html]=man3/DTLSv1_listen.pod +DEPEND[man/man3/DTLSv1_listen.3]=man3/DTLSv1_listen.pod +GENERATE[man/man3/DTLSv1_listen.3]=man3/DTLSv1_listen.pod +DEPEND[html/man3/ECDSA_SIG_new.html]=man3/ECDSA_SIG_new.pod +GENERATE[html/man3/ECDSA_SIG_new.html]=man3/ECDSA_SIG_new.pod +DEPEND[man/man3/ECDSA_SIG_new.3]=man3/ECDSA_SIG_new.pod +GENERATE[man/man3/ECDSA_SIG_new.3]=man3/ECDSA_SIG_new.pod +DEPEND[html/man3/ECPKParameters_print.html]=man3/ECPKParameters_print.pod +GENERATE[html/man3/ECPKParameters_print.html]=man3/ECPKParameters_print.pod +DEPEND[man/man3/ECPKParameters_print.3]=man3/ECPKParameters_print.pod +GENERATE[man/man3/ECPKParameters_print.3]=man3/ECPKParameters_print.pod +DEPEND[html/man3/EC_GFp_simple_method.html]=man3/EC_GFp_simple_method.pod +GENERATE[html/man3/EC_GFp_simple_method.html]=man3/EC_GFp_simple_method.pod +DEPEND[man/man3/EC_GFp_simple_method.3]=man3/EC_GFp_simple_method.pod +GENERATE[man/man3/EC_GFp_simple_method.3]=man3/EC_GFp_simple_method.pod +DEPEND[html/man3/EC_GROUP_copy.html]=man3/EC_GROUP_copy.pod +GENERATE[html/man3/EC_GROUP_copy.html]=man3/EC_GROUP_copy.pod +DEPEND[man/man3/EC_GROUP_copy.3]=man3/EC_GROUP_copy.pod +GENERATE[man/man3/EC_GROUP_copy.3]=man3/EC_GROUP_copy.pod +DEPEND[html/man3/EC_GROUP_new.html]=man3/EC_GROUP_new.pod +GENERATE[html/man3/EC_GROUP_new.html]=man3/EC_GROUP_new.pod +DEPEND[man/man3/EC_GROUP_new.3]=man3/EC_GROUP_new.pod +GENERATE[man/man3/EC_GROUP_new.3]=man3/EC_GROUP_new.pod +DEPEND[html/man3/EC_KEY_get_enc_flags.html]=man3/EC_KEY_get_enc_flags.pod +GENERATE[html/man3/EC_KEY_get_enc_flags.html]=man3/EC_KEY_get_enc_flags.pod +DEPEND[man/man3/EC_KEY_get_enc_flags.3]=man3/EC_KEY_get_enc_flags.pod +GENERATE[man/man3/EC_KEY_get_enc_flags.3]=man3/EC_KEY_get_enc_flags.pod +DEPEND[html/man3/EC_KEY_new.html]=man3/EC_KEY_new.pod +GENERATE[html/man3/EC_KEY_new.html]=man3/EC_KEY_new.pod +DEPEND[man/man3/EC_KEY_new.3]=man3/EC_KEY_new.pod +GENERATE[man/man3/EC_KEY_new.3]=man3/EC_KEY_new.pod +DEPEND[html/man3/EC_POINT_add.html]=man3/EC_POINT_add.pod +GENERATE[html/man3/EC_POINT_add.html]=man3/EC_POINT_add.pod +DEPEND[man/man3/EC_POINT_add.3]=man3/EC_POINT_add.pod +GENERATE[man/man3/EC_POINT_add.3]=man3/EC_POINT_add.pod +DEPEND[html/man3/EC_POINT_new.html]=man3/EC_POINT_new.pod +GENERATE[html/man3/EC_POINT_new.html]=man3/EC_POINT_new.pod +DEPEND[man/man3/EC_POINT_new.3]=man3/EC_POINT_new.pod +GENERATE[man/man3/EC_POINT_new.3]=man3/EC_POINT_new.pod +DEPEND[html/man3/ENGINE_add.html]=man3/ENGINE_add.pod +GENERATE[html/man3/ENGINE_add.html]=man3/ENGINE_add.pod +DEPEND[man/man3/ENGINE_add.3]=man3/ENGINE_add.pod +GENERATE[man/man3/ENGINE_add.3]=man3/ENGINE_add.pod +DEPEND[html/man3/ERR_GET_LIB.html]=man3/ERR_GET_LIB.pod +GENERATE[html/man3/ERR_GET_LIB.html]=man3/ERR_GET_LIB.pod +DEPEND[man/man3/ERR_GET_LIB.3]=man3/ERR_GET_LIB.pod +GENERATE[man/man3/ERR_GET_LIB.3]=man3/ERR_GET_LIB.pod +DEPEND[html/man3/ERR_clear_error.html]=man3/ERR_clear_error.pod +GENERATE[html/man3/ERR_clear_error.html]=man3/ERR_clear_error.pod +DEPEND[man/man3/ERR_clear_error.3]=man3/ERR_clear_error.pod +GENERATE[man/man3/ERR_clear_error.3]=man3/ERR_clear_error.pod +DEPEND[html/man3/ERR_error_string.html]=man3/ERR_error_string.pod +GENERATE[html/man3/ERR_error_string.html]=man3/ERR_error_string.pod +DEPEND[man/man3/ERR_error_string.3]=man3/ERR_error_string.pod +GENERATE[man/man3/ERR_error_string.3]=man3/ERR_error_string.pod +DEPEND[html/man3/ERR_get_error.html]=man3/ERR_get_error.pod +GENERATE[html/man3/ERR_get_error.html]=man3/ERR_get_error.pod +DEPEND[man/man3/ERR_get_error.3]=man3/ERR_get_error.pod +GENERATE[man/man3/ERR_get_error.3]=man3/ERR_get_error.pod +DEPEND[html/man3/ERR_load_crypto_strings.html]=man3/ERR_load_crypto_strings.pod +GENERATE[html/man3/ERR_load_crypto_strings.html]=man3/ERR_load_crypto_strings.pod +DEPEND[man/man3/ERR_load_crypto_strings.3]=man3/ERR_load_crypto_strings.pod +GENERATE[man/man3/ERR_load_crypto_strings.3]=man3/ERR_load_crypto_strings.pod +DEPEND[html/man3/ERR_load_strings.html]=man3/ERR_load_strings.pod +GENERATE[html/man3/ERR_load_strings.html]=man3/ERR_load_strings.pod +DEPEND[man/man3/ERR_load_strings.3]=man3/ERR_load_strings.pod +GENERATE[man/man3/ERR_load_strings.3]=man3/ERR_load_strings.pod +DEPEND[html/man3/ERR_new.html]=man3/ERR_new.pod +GENERATE[html/man3/ERR_new.html]=man3/ERR_new.pod +DEPEND[man/man3/ERR_new.3]=man3/ERR_new.pod +GENERATE[man/man3/ERR_new.3]=man3/ERR_new.pod +DEPEND[html/man3/ERR_print_errors.html]=man3/ERR_print_errors.pod +GENERATE[html/man3/ERR_print_errors.html]=man3/ERR_print_errors.pod +DEPEND[man/man3/ERR_print_errors.3]=man3/ERR_print_errors.pod +GENERATE[man/man3/ERR_print_errors.3]=man3/ERR_print_errors.pod +DEPEND[html/man3/ERR_put_error.html]=man3/ERR_put_error.pod +GENERATE[html/man3/ERR_put_error.html]=man3/ERR_put_error.pod +DEPEND[man/man3/ERR_put_error.3]=man3/ERR_put_error.pod +GENERATE[man/man3/ERR_put_error.3]=man3/ERR_put_error.pod +DEPEND[html/man3/ERR_remove_state.html]=man3/ERR_remove_state.pod +GENERATE[html/man3/ERR_remove_state.html]=man3/ERR_remove_state.pod +DEPEND[man/man3/ERR_remove_state.3]=man3/ERR_remove_state.pod +GENERATE[man/man3/ERR_remove_state.3]=man3/ERR_remove_state.pod +DEPEND[html/man3/ERR_set_mark.html]=man3/ERR_set_mark.pod +GENERATE[html/man3/ERR_set_mark.html]=man3/ERR_set_mark.pod +DEPEND[man/man3/ERR_set_mark.3]=man3/ERR_set_mark.pod +GENERATE[man/man3/ERR_set_mark.3]=man3/ERR_set_mark.pod +DEPEND[html/man3/EVP_ASYM_CIPHER_free.html]=man3/EVP_ASYM_CIPHER_free.pod +GENERATE[html/man3/EVP_ASYM_CIPHER_free.html]=man3/EVP_ASYM_CIPHER_free.pod +DEPEND[man/man3/EVP_ASYM_CIPHER_free.3]=man3/EVP_ASYM_CIPHER_free.pod +GENERATE[man/man3/EVP_ASYM_CIPHER_free.3]=man3/EVP_ASYM_CIPHER_free.pod +DEPEND[html/man3/EVP_BytesToKey.html]=man3/EVP_BytesToKey.pod +GENERATE[html/man3/EVP_BytesToKey.html]=man3/EVP_BytesToKey.pod +DEPEND[man/man3/EVP_BytesToKey.3]=man3/EVP_BytesToKey.pod +GENERATE[man/man3/EVP_BytesToKey.3]=man3/EVP_BytesToKey.pod +DEPEND[html/man3/EVP_CIPHER_CTX_get_cipher_data.html]=man3/EVP_CIPHER_CTX_get_cipher_data.pod +GENERATE[html/man3/EVP_CIPHER_CTX_get_cipher_data.html]=man3/EVP_CIPHER_CTX_get_cipher_data.pod +DEPEND[man/man3/EVP_CIPHER_CTX_get_cipher_data.3]=man3/EVP_CIPHER_CTX_get_cipher_data.pod +GENERATE[man/man3/EVP_CIPHER_CTX_get_cipher_data.3]=man3/EVP_CIPHER_CTX_get_cipher_data.pod +DEPEND[html/man3/EVP_CIPHER_CTX_get_original_iv.html]=man3/EVP_CIPHER_CTX_get_original_iv.pod +GENERATE[html/man3/EVP_CIPHER_CTX_get_original_iv.html]=man3/EVP_CIPHER_CTX_get_original_iv.pod +DEPEND[man/man3/EVP_CIPHER_CTX_get_original_iv.3]=man3/EVP_CIPHER_CTX_get_original_iv.pod +GENERATE[man/man3/EVP_CIPHER_CTX_get_original_iv.3]=man3/EVP_CIPHER_CTX_get_original_iv.pod +DEPEND[html/man3/EVP_CIPHER_meth_new.html]=man3/EVP_CIPHER_meth_new.pod +GENERATE[html/man3/EVP_CIPHER_meth_new.html]=man3/EVP_CIPHER_meth_new.pod +DEPEND[man/man3/EVP_CIPHER_meth_new.3]=man3/EVP_CIPHER_meth_new.pod +GENERATE[man/man3/EVP_CIPHER_meth_new.3]=man3/EVP_CIPHER_meth_new.pod +DEPEND[html/man3/EVP_DigestInit.html]=man3/EVP_DigestInit.pod +GENERATE[html/man3/EVP_DigestInit.html]=man3/EVP_DigestInit.pod +DEPEND[man/man3/EVP_DigestInit.3]=man3/EVP_DigestInit.pod +GENERATE[man/man3/EVP_DigestInit.3]=man3/EVP_DigestInit.pod +DEPEND[html/man3/EVP_DigestSignInit.html]=man3/EVP_DigestSignInit.pod +GENERATE[html/man3/EVP_DigestSignInit.html]=man3/EVP_DigestSignInit.pod +DEPEND[man/man3/EVP_DigestSignInit.3]=man3/EVP_DigestSignInit.pod +GENERATE[man/man3/EVP_DigestSignInit.3]=man3/EVP_DigestSignInit.pod +DEPEND[html/man3/EVP_DigestVerifyInit.html]=man3/EVP_DigestVerifyInit.pod +GENERATE[html/man3/EVP_DigestVerifyInit.html]=man3/EVP_DigestVerifyInit.pod +DEPEND[man/man3/EVP_DigestVerifyInit.3]=man3/EVP_DigestVerifyInit.pod +GENERATE[man/man3/EVP_DigestVerifyInit.3]=man3/EVP_DigestVerifyInit.pod +DEPEND[html/man3/EVP_EncodeInit.html]=man3/EVP_EncodeInit.pod +GENERATE[html/man3/EVP_EncodeInit.html]=man3/EVP_EncodeInit.pod +DEPEND[man/man3/EVP_EncodeInit.3]=man3/EVP_EncodeInit.pod +GENERATE[man/man3/EVP_EncodeInit.3]=man3/EVP_EncodeInit.pod +DEPEND[html/man3/EVP_EncryptInit.html]=man3/EVP_EncryptInit.pod +GENERATE[html/man3/EVP_EncryptInit.html]=man3/EVP_EncryptInit.pod +DEPEND[man/man3/EVP_EncryptInit.3]=man3/EVP_EncryptInit.pod +GENERATE[man/man3/EVP_EncryptInit.3]=man3/EVP_EncryptInit.pod +DEPEND[html/man3/EVP_KDF.html]=man3/EVP_KDF.pod +GENERATE[html/man3/EVP_KDF.html]=man3/EVP_KDF.pod +DEPEND[man/man3/EVP_KDF.3]=man3/EVP_KDF.pod +GENERATE[man/man3/EVP_KDF.3]=man3/EVP_KDF.pod +DEPEND[html/man3/EVP_KEM_free.html]=man3/EVP_KEM_free.pod +GENERATE[html/man3/EVP_KEM_free.html]=man3/EVP_KEM_free.pod +DEPEND[man/man3/EVP_KEM_free.3]=man3/EVP_KEM_free.pod +GENERATE[man/man3/EVP_KEM_free.3]=man3/EVP_KEM_free.pod +DEPEND[html/man3/EVP_KEYEXCH_free.html]=man3/EVP_KEYEXCH_free.pod +GENERATE[html/man3/EVP_KEYEXCH_free.html]=man3/EVP_KEYEXCH_free.pod +DEPEND[man/man3/EVP_KEYEXCH_free.3]=man3/EVP_KEYEXCH_free.pod +GENERATE[man/man3/EVP_KEYEXCH_free.3]=man3/EVP_KEYEXCH_free.pod +DEPEND[html/man3/EVP_KEYMGMT.html]=man3/EVP_KEYMGMT.pod +GENERATE[html/man3/EVP_KEYMGMT.html]=man3/EVP_KEYMGMT.pod +DEPEND[man/man3/EVP_KEYMGMT.3]=man3/EVP_KEYMGMT.pod +GENERATE[man/man3/EVP_KEYMGMT.3]=man3/EVP_KEYMGMT.pod +DEPEND[html/man3/EVP_MAC.html]=man3/EVP_MAC.pod +GENERATE[html/man3/EVP_MAC.html]=man3/EVP_MAC.pod +DEPEND[man/man3/EVP_MAC.3]=man3/EVP_MAC.pod +GENERATE[man/man3/EVP_MAC.3]=man3/EVP_MAC.pod +DEPEND[html/man3/EVP_MD_meth_new.html]=man3/EVP_MD_meth_new.pod +GENERATE[html/man3/EVP_MD_meth_new.html]=man3/EVP_MD_meth_new.pod +DEPEND[man/man3/EVP_MD_meth_new.3]=man3/EVP_MD_meth_new.pod +GENERATE[man/man3/EVP_MD_meth_new.3]=man3/EVP_MD_meth_new.pod +DEPEND[html/man3/EVP_OpenInit.html]=man3/EVP_OpenInit.pod +GENERATE[html/man3/EVP_OpenInit.html]=man3/EVP_OpenInit.pod +DEPEND[man/man3/EVP_OpenInit.3]=man3/EVP_OpenInit.pod +GENERATE[man/man3/EVP_OpenInit.3]=man3/EVP_OpenInit.pod +DEPEND[html/man3/EVP_PKEY2PKCS8.html]=man3/EVP_PKEY2PKCS8.pod +GENERATE[html/man3/EVP_PKEY2PKCS8.html]=man3/EVP_PKEY2PKCS8.pod +DEPEND[man/man3/EVP_PKEY2PKCS8.3]=man3/EVP_PKEY2PKCS8.pod +GENERATE[man/man3/EVP_PKEY2PKCS8.3]=man3/EVP_PKEY2PKCS8.pod +DEPEND[html/man3/EVP_PKEY_ASN1_METHOD.html]=man3/EVP_PKEY_ASN1_METHOD.pod +GENERATE[html/man3/EVP_PKEY_ASN1_METHOD.html]=man3/EVP_PKEY_ASN1_METHOD.pod +DEPEND[man/man3/EVP_PKEY_ASN1_METHOD.3]=man3/EVP_PKEY_ASN1_METHOD.pod +GENERATE[man/man3/EVP_PKEY_ASN1_METHOD.3]=man3/EVP_PKEY_ASN1_METHOD.pod +DEPEND[html/man3/EVP_PKEY_CTX_ctrl.html]=man3/EVP_PKEY_CTX_ctrl.pod +GENERATE[html/man3/EVP_PKEY_CTX_ctrl.html]=man3/EVP_PKEY_CTX_ctrl.pod +DEPEND[man/man3/EVP_PKEY_CTX_ctrl.3]=man3/EVP_PKEY_CTX_ctrl.pod +GENERATE[man/man3/EVP_PKEY_CTX_ctrl.3]=man3/EVP_PKEY_CTX_ctrl.pod +DEPEND[html/man3/EVP_PKEY_CTX_get0_libctx.html]=man3/EVP_PKEY_CTX_get0_libctx.pod +GENERATE[html/man3/EVP_PKEY_CTX_get0_libctx.html]=man3/EVP_PKEY_CTX_get0_libctx.pod +DEPEND[man/man3/EVP_PKEY_CTX_get0_libctx.3]=man3/EVP_PKEY_CTX_get0_libctx.pod +GENERATE[man/man3/EVP_PKEY_CTX_get0_libctx.3]=man3/EVP_PKEY_CTX_get0_libctx.pod +DEPEND[html/man3/EVP_PKEY_CTX_new.html]=man3/EVP_PKEY_CTX_new.pod +GENERATE[html/man3/EVP_PKEY_CTX_new.html]=man3/EVP_PKEY_CTX_new.pod +DEPEND[man/man3/EVP_PKEY_CTX_new.3]=man3/EVP_PKEY_CTX_new.pod +GENERATE[man/man3/EVP_PKEY_CTX_new.3]=man3/EVP_PKEY_CTX_new.pod +DEPEND[html/man3/EVP_PKEY_CTX_set1_pbe_pass.html]=man3/EVP_PKEY_CTX_set1_pbe_pass.pod +GENERATE[html/man3/EVP_PKEY_CTX_set1_pbe_pass.html]=man3/EVP_PKEY_CTX_set1_pbe_pass.pod +DEPEND[man/man3/EVP_PKEY_CTX_set1_pbe_pass.3]=man3/EVP_PKEY_CTX_set1_pbe_pass.pod +GENERATE[man/man3/EVP_PKEY_CTX_set1_pbe_pass.3]=man3/EVP_PKEY_CTX_set1_pbe_pass.pod +DEPEND[html/man3/EVP_PKEY_CTX_set_hkdf_md.html]=man3/EVP_PKEY_CTX_set_hkdf_md.pod +GENERATE[html/man3/EVP_PKEY_CTX_set_hkdf_md.html]=man3/EVP_PKEY_CTX_set_hkdf_md.pod +DEPEND[man/man3/EVP_PKEY_CTX_set_hkdf_md.3]=man3/EVP_PKEY_CTX_set_hkdf_md.pod +GENERATE[man/man3/EVP_PKEY_CTX_set_hkdf_md.3]=man3/EVP_PKEY_CTX_set_hkdf_md.pod +DEPEND[html/man3/EVP_PKEY_CTX_set_params.html]=man3/EVP_PKEY_CTX_set_params.pod +GENERATE[html/man3/EVP_PKEY_CTX_set_params.html]=man3/EVP_PKEY_CTX_set_params.pod +DEPEND[man/man3/EVP_PKEY_CTX_set_params.3]=man3/EVP_PKEY_CTX_set_params.pod +GENERATE[man/man3/EVP_PKEY_CTX_set_params.3]=man3/EVP_PKEY_CTX_set_params.pod +DEPEND[html/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.html]=man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod +GENERATE[html/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.html]=man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod +DEPEND[man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3]=man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod +GENERATE[man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3]=man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod +DEPEND[html/man3/EVP_PKEY_CTX_set_scrypt_N.html]=man3/EVP_PKEY_CTX_set_scrypt_N.pod +GENERATE[html/man3/EVP_PKEY_CTX_set_scrypt_N.html]=man3/EVP_PKEY_CTX_set_scrypt_N.pod +DEPEND[man/man3/EVP_PKEY_CTX_set_scrypt_N.3]=man3/EVP_PKEY_CTX_set_scrypt_N.pod +GENERATE[man/man3/EVP_PKEY_CTX_set_scrypt_N.3]=man3/EVP_PKEY_CTX_set_scrypt_N.pod +DEPEND[html/man3/EVP_PKEY_CTX_set_tls1_prf_md.html]=man3/EVP_PKEY_CTX_set_tls1_prf_md.pod +GENERATE[html/man3/EVP_PKEY_CTX_set_tls1_prf_md.html]=man3/EVP_PKEY_CTX_set_tls1_prf_md.pod +DEPEND[man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3]=man3/EVP_PKEY_CTX_set_tls1_prf_md.pod +GENERATE[man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3]=man3/EVP_PKEY_CTX_set_tls1_prf_md.pod +DEPEND[html/man3/EVP_PKEY_asn1_get_count.html]=man3/EVP_PKEY_asn1_get_count.pod +GENERATE[html/man3/EVP_PKEY_asn1_get_count.html]=man3/EVP_PKEY_asn1_get_count.pod +DEPEND[man/man3/EVP_PKEY_asn1_get_count.3]=man3/EVP_PKEY_asn1_get_count.pod +GENERATE[man/man3/EVP_PKEY_asn1_get_count.3]=man3/EVP_PKEY_asn1_get_count.pod +DEPEND[html/man3/EVP_PKEY_check.html]=man3/EVP_PKEY_check.pod +GENERATE[html/man3/EVP_PKEY_check.html]=man3/EVP_PKEY_check.pod +DEPEND[man/man3/EVP_PKEY_check.3]=man3/EVP_PKEY_check.pod +GENERATE[man/man3/EVP_PKEY_check.3]=man3/EVP_PKEY_check.pod +DEPEND[html/man3/EVP_PKEY_copy_parameters.html]=man3/EVP_PKEY_copy_parameters.pod +GENERATE[html/man3/EVP_PKEY_copy_parameters.html]=man3/EVP_PKEY_copy_parameters.pod +DEPEND[man/man3/EVP_PKEY_copy_parameters.3]=man3/EVP_PKEY_copy_parameters.pod +GENERATE[man/man3/EVP_PKEY_copy_parameters.3]=man3/EVP_PKEY_copy_parameters.pod +DEPEND[html/man3/EVP_PKEY_decapsulate.html]=man3/EVP_PKEY_decapsulate.pod +GENERATE[html/man3/EVP_PKEY_decapsulate.html]=man3/EVP_PKEY_decapsulate.pod +DEPEND[man/man3/EVP_PKEY_decapsulate.3]=man3/EVP_PKEY_decapsulate.pod +GENERATE[man/man3/EVP_PKEY_decapsulate.3]=man3/EVP_PKEY_decapsulate.pod +DEPEND[html/man3/EVP_PKEY_decrypt.html]=man3/EVP_PKEY_decrypt.pod +GENERATE[html/man3/EVP_PKEY_decrypt.html]=man3/EVP_PKEY_decrypt.pod +DEPEND[man/man3/EVP_PKEY_decrypt.3]=man3/EVP_PKEY_decrypt.pod +GENERATE[man/man3/EVP_PKEY_decrypt.3]=man3/EVP_PKEY_decrypt.pod +DEPEND[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod +GENERATE[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod +DEPEND[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod +GENERATE[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod +DEPEND[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod +GENERATE[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod +DEPEND[man/man3/EVP_PKEY_encapsulate.3]=man3/EVP_PKEY_encapsulate.pod +GENERATE[man/man3/EVP_PKEY_encapsulate.3]=man3/EVP_PKEY_encapsulate.pod +DEPEND[html/man3/EVP_PKEY_encrypt.html]=man3/EVP_PKEY_encrypt.pod +GENERATE[html/man3/EVP_PKEY_encrypt.html]=man3/EVP_PKEY_encrypt.pod +DEPEND[man/man3/EVP_PKEY_encrypt.3]=man3/EVP_PKEY_encrypt.pod +GENERATE[man/man3/EVP_PKEY_encrypt.3]=man3/EVP_PKEY_encrypt.pod +DEPEND[html/man3/EVP_PKEY_fromdata.html]=man3/EVP_PKEY_fromdata.pod +GENERATE[html/man3/EVP_PKEY_fromdata.html]=man3/EVP_PKEY_fromdata.pod +DEPEND[man/man3/EVP_PKEY_fromdata.3]=man3/EVP_PKEY_fromdata.pod +GENERATE[man/man3/EVP_PKEY_fromdata.3]=man3/EVP_PKEY_fromdata.pod +DEPEND[html/man3/EVP_PKEY_gen.html]=man3/EVP_PKEY_gen.pod +GENERATE[html/man3/EVP_PKEY_gen.html]=man3/EVP_PKEY_gen.pod +DEPEND[man/man3/EVP_PKEY_gen.3]=man3/EVP_PKEY_gen.pod +GENERATE[man/man3/EVP_PKEY_gen.3]=man3/EVP_PKEY_gen.pod +DEPEND[html/man3/EVP_PKEY_get_default_digest_nid.html]=man3/EVP_PKEY_get_default_digest_nid.pod +GENERATE[html/man3/EVP_PKEY_get_default_digest_nid.html]=man3/EVP_PKEY_get_default_digest_nid.pod +DEPEND[man/man3/EVP_PKEY_get_default_digest_nid.3]=man3/EVP_PKEY_get_default_digest_nid.pod +GENERATE[man/man3/EVP_PKEY_get_default_digest_nid.3]=man3/EVP_PKEY_get_default_digest_nid.pod +DEPEND[html/man3/EVP_PKEY_get_field_type.html]=man3/EVP_PKEY_get_field_type.pod +GENERATE[html/man3/EVP_PKEY_get_field_type.html]=man3/EVP_PKEY_get_field_type.pod +DEPEND[man/man3/EVP_PKEY_get_field_type.3]=man3/EVP_PKEY_get_field_type.pod +GENERATE[man/man3/EVP_PKEY_get_field_type.3]=man3/EVP_PKEY_get_field_type.pod +DEPEND[html/man3/EVP_PKEY_get_group_name.html]=man3/EVP_PKEY_get_group_name.pod +GENERATE[html/man3/EVP_PKEY_get_group_name.html]=man3/EVP_PKEY_get_group_name.pod +DEPEND[man/man3/EVP_PKEY_get_group_name.3]=man3/EVP_PKEY_get_group_name.pod +GENERATE[man/man3/EVP_PKEY_get_group_name.3]=man3/EVP_PKEY_get_group_name.pod +DEPEND[html/man3/EVP_PKEY_gettable_params.html]=man3/EVP_PKEY_gettable_params.pod +GENERATE[html/man3/EVP_PKEY_gettable_params.html]=man3/EVP_PKEY_gettable_params.pod +DEPEND[man/man3/EVP_PKEY_gettable_params.3]=man3/EVP_PKEY_gettable_params.pod +GENERATE[man/man3/EVP_PKEY_gettable_params.3]=man3/EVP_PKEY_gettable_params.pod +DEPEND[html/man3/EVP_PKEY_is_a.html]=man3/EVP_PKEY_is_a.pod +GENERATE[html/man3/EVP_PKEY_is_a.html]=man3/EVP_PKEY_is_a.pod +DEPEND[man/man3/EVP_PKEY_is_a.3]=man3/EVP_PKEY_is_a.pod +GENERATE[man/man3/EVP_PKEY_is_a.3]=man3/EVP_PKEY_is_a.pod +DEPEND[html/man3/EVP_PKEY_meth_get_count.html]=man3/EVP_PKEY_meth_get_count.pod +GENERATE[html/man3/EVP_PKEY_meth_get_count.html]=man3/EVP_PKEY_meth_get_count.pod +DEPEND[man/man3/EVP_PKEY_meth_get_count.3]=man3/EVP_PKEY_meth_get_count.pod +GENERATE[man/man3/EVP_PKEY_meth_get_count.3]=man3/EVP_PKEY_meth_get_count.pod +DEPEND[html/man3/EVP_PKEY_meth_new.html]=man3/EVP_PKEY_meth_new.pod +GENERATE[html/man3/EVP_PKEY_meth_new.html]=man3/EVP_PKEY_meth_new.pod +DEPEND[man/man3/EVP_PKEY_meth_new.3]=man3/EVP_PKEY_meth_new.pod +GENERATE[man/man3/EVP_PKEY_meth_new.3]=man3/EVP_PKEY_meth_new.pod +DEPEND[html/man3/EVP_PKEY_new.html]=man3/EVP_PKEY_new.pod +GENERATE[html/man3/EVP_PKEY_new.html]=man3/EVP_PKEY_new.pod +DEPEND[man/man3/EVP_PKEY_new.3]=man3/EVP_PKEY_new.pod +GENERATE[man/man3/EVP_PKEY_new.3]=man3/EVP_PKEY_new.pod +DEPEND[html/man3/EVP_PKEY_print_private.html]=man3/EVP_PKEY_print_private.pod +GENERATE[html/man3/EVP_PKEY_print_private.html]=man3/EVP_PKEY_print_private.pod +DEPEND[man/man3/EVP_PKEY_print_private.3]=man3/EVP_PKEY_print_private.pod +GENERATE[man/man3/EVP_PKEY_print_private.3]=man3/EVP_PKEY_print_private.pod +DEPEND[html/man3/EVP_PKEY_set1_RSA.html]=man3/EVP_PKEY_set1_RSA.pod +GENERATE[html/man3/EVP_PKEY_set1_RSA.html]=man3/EVP_PKEY_set1_RSA.pod +DEPEND[man/man3/EVP_PKEY_set1_RSA.3]=man3/EVP_PKEY_set1_RSA.pod +GENERATE[man/man3/EVP_PKEY_set1_RSA.3]=man3/EVP_PKEY_set1_RSA.pod +DEPEND[html/man3/EVP_PKEY_set1_encoded_public_key.html]=man3/EVP_PKEY_set1_encoded_public_key.pod +GENERATE[html/man3/EVP_PKEY_set1_encoded_public_key.html]=man3/EVP_PKEY_set1_encoded_public_key.pod +DEPEND[man/man3/EVP_PKEY_set1_encoded_public_key.3]=man3/EVP_PKEY_set1_encoded_public_key.pod +GENERATE[man/man3/EVP_PKEY_set1_encoded_public_key.3]=man3/EVP_PKEY_set1_encoded_public_key.pod +DEPEND[html/man3/EVP_PKEY_set_type.html]=man3/EVP_PKEY_set_type.pod +GENERATE[html/man3/EVP_PKEY_set_type.html]=man3/EVP_PKEY_set_type.pod +DEPEND[man/man3/EVP_PKEY_set_type.3]=man3/EVP_PKEY_set_type.pod +GENERATE[man/man3/EVP_PKEY_set_type.3]=man3/EVP_PKEY_set_type.pod +DEPEND[html/man3/EVP_PKEY_settable_params.html]=man3/EVP_PKEY_settable_params.pod +GENERATE[html/man3/EVP_PKEY_settable_params.html]=man3/EVP_PKEY_settable_params.pod +DEPEND[man/man3/EVP_PKEY_settable_params.3]=man3/EVP_PKEY_settable_params.pod +GENERATE[man/man3/EVP_PKEY_settable_params.3]=man3/EVP_PKEY_settable_params.pod +DEPEND[html/man3/EVP_PKEY_sign.html]=man3/EVP_PKEY_sign.pod +GENERATE[html/man3/EVP_PKEY_sign.html]=man3/EVP_PKEY_sign.pod +DEPEND[man/man3/EVP_PKEY_sign.3]=man3/EVP_PKEY_sign.pod +GENERATE[man/man3/EVP_PKEY_sign.3]=man3/EVP_PKEY_sign.pod +DEPEND[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod +GENERATE[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod +DEPEND[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod +GENERATE[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod +DEPEND[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod +GENERATE[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod +DEPEND[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod +GENERATE[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod +DEPEND[html/man3/EVP_PKEY_verify.html]=man3/EVP_PKEY_verify.pod +GENERATE[html/man3/EVP_PKEY_verify.html]=man3/EVP_PKEY_verify.pod +DEPEND[man/man3/EVP_PKEY_verify.3]=man3/EVP_PKEY_verify.pod +GENERATE[man/man3/EVP_PKEY_verify.3]=man3/EVP_PKEY_verify.pod +DEPEND[html/man3/EVP_PKEY_verify_recover.html]=man3/EVP_PKEY_verify_recover.pod +GENERATE[html/man3/EVP_PKEY_verify_recover.html]=man3/EVP_PKEY_verify_recover.pod +DEPEND[man/man3/EVP_PKEY_verify_recover.3]=man3/EVP_PKEY_verify_recover.pod +GENERATE[man/man3/EVP_PKEY_verify_recover.3]=man3/EVP_PKEY_verify_recover.pod +DEPEND[html/man3/EVP_RAND.html]=man3/EVP_RAND.pod +GENERATE[html/man3/EVP_RAND.html]=man3/EVP_RAND.pod +DEPEND[man/man3/EVP_RAND.3]=man3/EVP_RAND.pod +GENERATE[man/man3/EVP_RAND.3]=man3/EVP_RAND.pod +DEPEND[html/man3/EVP_SIGNATURE_free.html]=man3/EVP_SIGNATURE_free.pod +GENERATE[html/man3/EVP_SIGNATURE_free.html]=man3/EVP_SIGNATURE_free.pod +DEPEND[man/man3/EVP_SIGNATURE_free.3]=man3/EVP_SIGNATURE_free.pod +GENERATE[man/man3/EVP_SIGNATURE_free.3]=man3/EVP_SIGNATURE_free.pod +DEPEND[html/man3/EVP_SealInit.html]=man3/EVP_SealInit.pod +GENERATE[html/man3/EVP_SealInit.html]=man3/EVP_SealInit.pod +DEPEND[man/man3/EVP_SealInit.3]=man3/EVP_SealInit.pod +GENERATE[man/man3/EVP_SealInit.3]=man3/EVP_SealInit.pod +DEPEND[html/man3/EVP_SignInit.html]=man3/EVP_SignInit.pod +GENERATE[html/man3/EVP_SignInit.html]=man3/EVP_SignInit.pod +DEPEND[man/man3/EVP_SignInit.3]=man3/EVP_SignInit.pod +GENERATE[man/man3/EVP_SignInit.3]=man3/EVP_SignInit.pod +DEPEND[html/man3/EVP_VerifyInit.html]=man3/EVP_VerifyInit.pod +GENERATE[html/man3/EVP_VerifyInit.html]=man3/EVP_VerifyInit.pod +DEPEND[man/man3/EVP_VerifyInit.3]=man3/EVP_VerifyInit.pod +GENERATE[man/man3/EVP_VerifyInit.3]=man3/EVP_VerifyInit.pod +DEPEND[html/man3/EVP_aes_128_gcm.html]=man3/EVP_aes_128_gcm.pod +GENERATE[html/man3/EVP_aes_128_gcm.html]=man3/EVP_aes_128_gcm.pod +DEPEND[man/man3/EVP_aes_128_gcm.3]=man3/EVP_aes_128_gcm.pod +GENERATE[man/man3/EVP_aes_128_gcm.3]=man3/EVP_aes_128_gcm.pod +DEPEND[html/man3/EVP_aria_128_gcm.html]=man3/EVP_aria_128_gcm.pod +GENERATE[html/man3/EVP_aria_128_gcm.html]=man3/EVP_aria_128_gcm.pod +DEPEND[man/man3/EVP_aria_128_gcm.3]=man3/EVP_aria_128_gcm.pod +GENERATE[man/man3/EVP_aria_128_gcm.3]=man3/EVP_aria_128_gcm.pod +DEPEND[html/man3/EVP_bf_cbc.html]=man3/EVP_bf_cbc.pod +GENERATE[html/man3/EVP_bf_cbc.html]=man3/EVP_bf_cbc.pod +DEPEND[man/man3/EVP_bf_cbc.3]=man3/EVP_bf_cbc.pod +GENERATE[man/man3/EVP_bf_cbc.3]=man3/EVP_bf_cbc.pod +DEPEND[html/man3/EVP_blake2b512.html]=man3/EVP_blake2b512.pod +GENERATE[html/man3/EVP_blake2b512.html]=man3/EVP_blake2b512.pod +DEPEND[man/man3/EVP_blake2b512.3]=man3/EVP_blake2b512.pod +GENERATE[man/man3/EVP_blake2b512.3]=man3/EVP_blake2b512.pod +DEPEND[html/man3/EVP_camellia_128_ecb.html]=man3/EVP_camellia_128_ecb.pod +GENERATE[html/man3/EVP_camellia_128_ecb.html]=man3/EVP_camellia_128_ecb.pod +DEPEND[man/man3/EVP_camellia_128_ecb.3]=man3/EVP_camellia_128_ecb.pod +GENERATE[man/man3/EVP_camellia_128_ecb.3]=man3/EVP_camellia_128_ecb.pod +DEPEND[html/man3/EVP_cast5_cbc.html]=man3/EVP_cast5_cbc.pod +GENERATE[html/man3/EVP_cast5_cbc.html]=man3/EVP_cast5_cbc.pod +DEPEND[man/man3/EVP_cast5_cbc.3]=man3/EVP_cast5_cbc.pod +GENERATE[man/man3/EVP_cast5_cbc.3]=man3/EVP_cast5_cbc.pod +DEPEND[html/man3/EVP_chacha20.html]=man3/EVP_chacha20.pod +GENERATE[html/man3/EVP_chacha20.html]=man3/EVP_chacha20.pod +DEPEND[man/man3/EVP_chacha20.3]=man3/EVP_chacha20.pod +GENERATE[man/man3/EVP_chacha20.3]=man3/EVP_chacha20.pod +DEPEND[html/man3/EVP_des_cbc.html]=man3/EVP_des_cbc.pod +GENERATE[html/man3/EVP_des_cbc.html]=man3/EVP_des_cbc.pod +DEPEND[man/man3/EVP_des_cbc.3]=man3/EVP_des_cbc.pod +GENERATE[man/man3/EVP_des_cbc.3]=man3/EVP_des_cbc.pod +DEPEND[html/man3/EVP_desx_cbc.html]=man3/EVP_desx_cbc.pod +GENERATE[html/man3/EVP_desx_cbc.html]=man3/EVP_desx_cbc.pod +DEPEND[man/man3/EVP_desx_cbc.3]=man3/EVP_desx_cbc.pod +GENERATE[man/man3/EVP_desx_cbc.3]=man3/EVP_desx_cbc.pod +DEPEND[html/man3/EVP_idea_cbc.html]=man3/EVP_idea_cbc.pod +GENERATE[html/man3/EVP_idea_cbc.html]=man3/EVP_idea_cbc.pod +DEPEND[man/man3/EVP_idea_cbc.3]=man3/EVP_idea_cbc.pod +GENERATE[man/man3/EVP_idea_cbc.3]=man3/EVP_idea_cbc.pod +DEPEND[html/man3/EVP_md2.html]=man3/EVP_md2.pod +GENERATE[html/man3/EVP_md2.html]=man3/EVP_md2.pod +DEPEND[man/man3/EVP_md2.3]=man3/EVP_md2.pod +GENERATE[man/man3/EVP_md2.3]=man3/EVP_md2.pod +DEPEND[html/man3/EVP_md4.html]=man3/EVP_md4.pod +GENERATE[html/man3/EVP_md4.html]=man3/EVP_md4.pod +DEPEND[man/man3/EVP_md4.3]=man3/EVP_md4.pod +GENERATE[man/man3/EVP_md4.3]=man3/EVP_md4.pod +DEPEND[html/man3/EVP_md5.html]=man3/EVP_md5.pod +GENERATE[html/man3/EVP_md5.html]=man3/EVP_md5.pod +DEPEND[man/man3/EVP_md5.3]=man3/EVP_md5.pod +GENERATE[man/man3/EVP_md5.3]=man3/EVP_md5.pod +DEPEND[html/man3/EVP_mdc2.html]=man3/EVP_mdc2.pod +GENERATE[html/man3/EVP_mdc2.html]=man3/EVP_mdc2.pod +DEPEND[man/man3/EVP_mdc2.3]=man3/EVP_mdc2.pod +GENERATE[man/man3/EVP_mdc2.3]=man3/EVP_mdc2.pod +DEPEND[html/man3/EVP_rc2_cbc.html]=man3/EVP_rc2_cbc.pod +GENERATE[html/man3/EVP_rc2_cbc.html]=man3/EVP_rc2_cbc.pod +DEPEND[man/man3/EVP_rc2_cbc.3]=man3/EVP_rc2_cbc.pod +GENERATE[man/man3/EVP_rc2_cbc.3]=man3/EVP_rc2_cbc.pod +DEPEND[html/man3/EVP_rc4.html]=man3/EVP_rc4.pod +GENERATE[html/man3/EVP_rc4.html]=man3/EVP_rc4.pod +DEPEND[man/man3/EVP_rc4.3]=man3/EVP_rc4.pod +GENERATE[man/man3/EVP_rc4.3]=man3/EVP_rc4.pod +DEPEND[html/man3/EVP_rc5_32_12_16_cbc.html]=man3/EVP_rc5_32_12_16_cbc.pod +GENERATE[html/man3/EVP_rc5_32_12_16_cbc.html]=man3/EVP_rc5_32_12_16_cbc.pod +DEPEND[man/man3/EVP_rc5_32_12_16_cbc.3]=man3/EVP_rc5_32_12_16_cbc.pod +GENERATE[man/man3/EVP_rc5_32_12_16_cbc.3]=man3/EVP_rc5_32_12_16_cbc.pod +DEPEND[html/man3/EVP_ripemd160.html]=man3/EVP_ripemd160.pod +GENERATE[html/man3/EVP_ripemd160.html]=man3/EVP_ripemd160.pod +DEPEND[man/man3/EVP_ripemd160.3]=man3/EVP_ripemd160.pod +GENERATE[man/man3/EVP_ripemd160.3]=man3/EVP_ripemd160.pod +DEPEND[html/man3/EVP_seed_cbc.html]=man3/EVP_seed_cbc.pod +GENERATE[html/man3/EVP_seed_cbc.html]=man3/EVP_seed_cbc.pod +DEPEND[man/man3/EVP_seed_cbc.3]=man3/EVP_seed_cbc.pod +GENERATE[man/man3/EVP_seed_cbc.3]=man3/EVP_seed_cbc.pod +DEPEND[html/man3/EVP_set_default_properties.html]=man3/EVP_set_default_properties.pod +GENERATE[html/man3/EVP_set_default_properties.html]=man3/EVP_set_default_properties.pod +DEPEND[man/man3/EVP_set_default_properties.3]=man3/EVP_set_default_properties.pod +GENERATE[man/man3/EVP_set_default_properties.3]=man3/EVP_set_default_properties.pod +DEPEND[html/man3/EVP_sha1.html]=man3/EVP_sha1.pod +GENERATE[html/man3/EVP_sha1.html]=man3/EVP_sha1.pod +DEPEND[man/man3/EVP_sha1.3]=man3/EVP_sha1.pod +GENERATE[man/man3/EVP_sha1.3]=man3/EVP_sha1.pod +DEPEND[html/man3/EVP_sha224.html]=man3/EVP_sha224.pod +GENERATE[html/man3/EVP_sha224.html]=man3/EVP_sha224.pod +DEPEND[man/man3/EVP_sha224.3]=man3/EVP_sha224.pod +GENERATE[man/man3/EVP_sha224.3]=man3/EVP_sha224.pod +DEPEND[html/man3/EVP_sha3_224.html]=man3/EVP_sha3_224.pod +GENERATE[html/man3/EVP_sha3_224.html]=man3/EVP_sha3_224.pod +DEPEND[man/man3/EVP_sha3_224.3]=man3/EVP_sha3_224.pod +GENERATE[man/man3/EVP_sha3_224.3]=man3/EVP_sha3_224.pod +DEPEND[html/man3/EVP_sm3.html]=man3/EVP_sm3.pod +GENERATE[html/man3/EVP_sm3.html]=man3/EVP_sm3.pod +DEPEND[man/man3/EVP_sm3.3]=man3/EVP_sm3.pod +GENERATE[man/man3/EVP_sm3.3]=man3/EVP_sm3.pod +DEPEND[html/man3/EVP_sm4_cbc.html]=man3/EVP_sm4_cbc.pod +GENERATE[html/man3/EVP_sm4_cbc.html]=man3/EVP_sm4_cbc.pod +DEPEND[man/man3/EVP_sm4_cbc.3]=man3/EVP_sm4_cbc.pod +GENERATE[man/man3/EVP_sm4_cbc.3]=man3/EVP_sm4_cbc.pod +DEPEND[html/man3/EVP_whirlpool.html]=man3/EVP_whirlpool.pod +GENERATE[html/man3/EVP_whirlpool.html]=man3/EVP_whirlpool.pod +DEPEND[man/man3/EVP_whirlpool.3]=man3/EVP_whirlpool.pod +GENERATE[man/man3/EVP_whirlpool.3]=man3/EVP_whirlpool.pod +DEPEND[html/man3/HMAC.html]=man3/HMAC.pod +GENERATE[html/man3/HMAC.html]=man3/HMAC.pod +DEPEND[man/man3/HMAC.3]=man3/HMAC.pod +GENERATE[man/man3/HMAC.3]=man3/HMAC.pod +DEPEND[html/man3/MD5.html]=man3/MD5.pod +GENERATE[html/man3/MD5.html]=man3/MD5.pod +DEPEND[man/man3/MD5.3]=man3/MD5.pod +GENERATE[man/man3/MD5.3]=man3/MD5.pod +DEPEND[html/man3/MDC2_Init.html]=man3/MDC2_Init.pod +GENERATE[html/man3/MDC2_Init.html]=man3/MDC2_Init.pod +DEPEND[man/man3/MDC2_Init.3]=man3/MDC2_Init.pod +GENERATE[man/man3/MDC2_Init.3]=man3/MDC2_Init.pod +DEPEND[html/man3/NCONF_new_ex.html]=man3/NCONF_new_ex.pod +GENERATE[html/man3/NCONF_new_ex.html]=man3/NCONF_new_ex.pod +DEPEND[man/man3/NCONF_new_ex.3]=man3/NCONF_new_ex.pod +GENERATE[man/man3/NCONF_new_ex.3]=man3/NCONF_new_ex.pod +DEPEND[html/man3/OBJ_nid2obj.html]=man3/OBJ_nid2obj.pod +GENERATE[html/man3/OBJ_nid2obj.html]=man3/OBJ_nid2obj.pod +DEPEND[man/man3/OBJ_nid2obj.3]=man3/OBJ_nid2obj.pod +GENERATE[man/man3/OBJ_nid2obj.3]=man3/OBJ_nid2obj.pod +DEPEND[html/man3/OCSP_REQUEST_new.html]=man3/OCSP_REQUEST_new.pod +GENERATE[html/man3/OCSP_REQUEST_new.html]=man3/OCSP_REQUEST_new.pod +DEPEND[man/man3/OCSP_REQUEST_new.3]=man3/OCSP_REQUEST_new.pod +GENERATE[man/man3/OCSP_REQUEST_new.3]=man3/OCSP_REQUEST_new.pod +DEPEND[html/man3/OCSP_cert_to_id.html]=man3/OCSP_cert_to_id.pod +GENERATE[html/man3/OCSP_cert_to_id.html]=man3/OCSP_cert_to_id.pod +DEPEND[man/man3/OCSP_cert_to_id.3]=man3/OCSP_cert_to_id.pod +GENERATE[man/man3/OCSP_cert_to_id.3]=man3/OCSP_cert_to_id.pod +DEPEND[html/man3/OCSP_request_add1_nonce.html]=man3/OCSP_request_add1_nonce.pod +GENERATE[html/man3/OCSP_request_add1_nonce.html]=man3/OCSP_request_add1_nonce.pod +DEPEND[man/man3/OCSP_request_add1_nonce.3]=man3/OCSP_request_add1_nonce.pod +GENERATE[man/man3/OCSP_request_add1_nonce.3]=man3/OCSP_request_add1_nonce.pod +DEPEND[html/man3/OCSP_resp_find_status.html]=man3/OCSP_resp_find_status.pod +GENERATE[html/man3/OCSP_resp_find_status.html]=man3/OCSP_resp_find_status.pod +DEPEND[man/man3/OCSP_resp_find_status.3]=man3/OCSP_resp_find_status.pod +GENERATE[man/man3/OCSP_resp_find_status.3]=man3/OCSP_resp_find_status.pod +DEPEND[html/man3/OCSP_response_status.html]=man3/OCSP_response_status.pod +GENERATE[html/man3/OCSP_response_status.html]=man3/OCSP_response_status.pod +DEPEND[man/man3/OCSP_response_status.3]=man3/OCSP_response_status.pod +GENERATE[man/man3/OCSP_response_status.3]=man3/OCSP_response_status.pod +DEPEND[html/man3/OCSP_sendreq_new.html]=man3/OCSP_sendreq_new.pod +GENERATE[html/man3/OCSP_sendreq_new.html]=man3/OCSP_sendreq_new.pod +DEPEND[man/man3/OCSP_sendreq_new.3]=man3/OCSP_sendreq_new.pod +GENERATE[man/man3/OCSP_sendreq_new.3]=man3/OCSP_sendreq_new.pod +DEPEND[html/man3/OPENSSL_Applink.html]=man3/OPENSSL_Applink.pod +GENERATE[html/man3/OPENSSL_Applink.html]=man3/OPENSSL_Applink.pod +DEPEND[man/man3/OPENSSL_Applink.3]=man3/OPENSSL_Applink.pod +GENERATE[man/man3/OPENSSL_Applink.3]=man3/OPENSSL_Applink.pod +DEPEND[html/man3/OPENSSL_FILE.html]=man3/OPENSSL_FILE.pod +GENERATE[html/man3/OPENSSL_FILE.html]=man3/OPENSSL_FILE.pod +DEPEND[man/man3/OPENSSL_FILE.3]=man3/OPENSSL_FILE.pod +GENERATE[man/man3/OPENSSL_FILE.3]=man3/OPENSSL_FILE.pod +DEPEND[html/man3/OPENSSL_LH_COMPFUNC.html]=man3/OPENSSL_LH_COMPFUNC.pod +GENERATE[html/man3/OPENSSL_LH_COMPFUNC.html]=man3/OPENSSL_LH_COMPFUNC.pod +DEPEND[man/man3/OPENSSL_LH_COMPFUNC.3]=man3/OPENSSL_LH_COMPFUNC.pod +GENERATE[man/man3/OPENSSL_LH_COMPFUNC.3]=man3/OPENSSL_LH_COMPFUNC.pod +DEPEND[html/man3/OPENSSL_LH_stats.html]=man3/OPENSSL_LH_stats.pod +GENERATE[html/man3/OPENSSL_LH_stats.html]=man3/OPENSSL_LH_stats.pod +DEPEND[man/man3/OPENSSL_LH_stats.3]=man3/OPENSSL_LH_stats.pod +GENERATE[man/man3/OPENSSL_LH_stats.3]=man3/OPENSSL_LH_stats.pod +DEPEND[html/man3/OPENSSL_config.html]=man3/OPENSSL_config.pod +GENERATE[html/man3/OPENSSL_config.html]=man3/OPENSSL_config.pod +DEPEND[man/man3/OPENSSL_config.3]=man3/OPENSSL_config.pod +GENERATE[man/man3/OPENSSL_config.3]=man3/OPENSSL_config.pod +DEPEND[html/man3/OPENSSL_fork_prepare.html]=man3/OPENSSL_fork_prepare.pod +GENERATE[html/man3/OPENSSL_fork_prepare.html]=man3/OPENSSL_fork_prepare.pod +DEPEND[man/man3/OPENSSL_fork_prepare.3]=man3/OPENSSL_fork_prepare.pod +GENERATE[man/man3/OPENSSL_fork_prepare.3]=man3/OPENSSL_fork_prepare.pod +DEPEND[html/man3/OPENSSL_hexchar2int.html]=man3/OPENSSL_hexchar2int.pod +GENERATE[html/man3/OPENSSL_hexchar2int.html]=man3/OPENSSL_hexchar2int.pod +DEPEND[man/man3/OPENSSL_hexchar2int.3]=man3/OPENSSL_hexchar2int.pod +GENERATE[man/man3/OPENSSL_hexchar2int.3]=man3/OPENSSL_hexchar2int.pod +DEPEND[html/man3/OPENSSL_ia32cap.html]=man3/OPENSSL_ia32cap.pod +GENERATE[html/man3/OPENSSL_ia32cap.html]=man3/OPENSSL_ia32cap.pod +DEPEND[man/man3/OPENSSL_ia32cap.3]=man3/OPENSSL_ia32cap.pod +GENERATE[man/man3/OPENSSL_ia32cap.3]=man3/OPENSSL_ia32cap.pod +DEPEND[html/man3/OPENSSL_init_crypto.html]=man3/OPENSSL_init_crypto.pod +GENERATE[html/man3/OPENSSL_init_crypto.html]=man3/OPENSSL_init_crypto.pod +DEPEND[man/man3/OPENSSL_init_crypto.3]=man3/OPENSSL_init_crypto.pod +GENERATE[man/man3/OPENSSL_init_crypto.3]=man3/OPENSSL_init_crypto.pod +DEPEND[html/man3/OPENSSL_init_ssl.html]=man3/OPENSSL_init_ssl.pod +GENERATE[html/man3/OPENSSL_init_ssl.html]=man3/OPENSSL_init_ssl.pod +DEPEND[man/man3/OPENSSL_init_ssl.3]=man3/OPENSSL_init_ssl.pod +GENERATE[man/man3/OPENSSL_init_ssl.3]=man3/OPENSSL_init_ssl.pod +DEPEND[html/man3/OPENSSL_instrument_bus.html]=man3/OPENSSL_instrument_bus.pod +GENERATE[html/man3/OPENSSL_instrument_bus.html]=man3/OPENSSL_instrument_bus.pod +DEPEND[man/man3/OPENSSL_instrument_bus.3]=man3/OPENSSL_instrument_bus.pod +GENERATE[man/man3/OPENSSL_instrument_bus.3]=man3/OPENSSL_instrument_bus.pod +DEPEND[html/man3/OPENSSL_load_builtin_modules.html]=man3/OPENSSL_load_builtin_modules.pod +GENERATE[html/man3/OPENSSL_load_builtin_modules.html]=man3/OPENSSL_load_builtin_modules.pod +DEPEND[man/man3/OPENSSL_load_builtin_modules.3]=man3/OPENSSL_load_builtin_modules.pod +GENERATE[man/man3/OPENSSL_load_builtin_modules.3]=man3/OPENSSL_load_builtin_modules.pod +DEPEND[html/man3/OPENSSL_malloc.html]=man3/OPENSSL_malloc.pod +GENERATE[html/man3/OPENSSL_malloc.html]=man3/OPENSSL_malloc.pod +DEPEND[man/man3/OPENSSL_malloc.3]=man3/OPENSSL_malloc.pod +GENERATE[man/man3/OPENSSL_malloc.3]=man3/OPENSSL_malloc.pod +DEPEND[html/man3/OPENSSL_s390xcap.html]=man3/OPENSSL_s390xcap.pod +GENERATE[html/man3/OPENSSL_s390xcap.html]=man3/OPENSSL_s390xcap.pod +DEPEND[man/man3/OPENSSL_s390xcap.3]=man3/OPENSSL_s390xcap.pod +GENERATE[man/man3/OPENSSL_s390xcap.3]=man3/OPENSSL_s390xcap.pod +DEPEND[html/man3/OPENSSL_secure_malloc.html]=man3/OPENSSL_secure_malloc.pod +GENERATE[html/man3/OPENSSL_secure_malloc.html]=man3/OPENSSL_secure_malloc.pod +DEPEND[man/man3/OPENSSL_secure_malloc.3]=man3/OPENSSL_secure_malloc.pod +GENERATE[man/man3/OPENSSL_secure_malloc.3]=man3/OPENSSL_secure_malloc.pod +DEPEND[html/man3/OSSL_CMP_CTX_new.html]=man3/OSSL_CMP_CTX_new.pod +GENERATE[html/man3/OSSL_CMP_CTX_new.html]=man3/OSSL_CMP_CTX_new.pod +DEPEND[man/man3/OSSL_CMP_CTX_new.3]=man3/OSSL_CMP_CTX_new.pod +GENERATE[man/man3/OSSL_CMP_CTX_new.3]=man3/OSSL_CMP_CTX_new.pod +DEPEND[html/man3/OSSL_CMP_HDR_get0_transactionID.html]=man3/OSSL_CMP_HDR_get0_transactionID.pod +GENERATE[html/man3/OSSL_CMP_HDR_get0_transactionID.html]=man3/OSSL_CMP_HDR_get0_transactionID.pod +DEPEND[man/man3/OSSL_CMP_HDR_get0_transactionID.3]=man3/OSSL_CMP_HDR_get0_transactionID.pod +GENERATE[man/man3/OSSL_CMP_HDR_get0_transactionID.3]=man3/OSSL_CMP_HDR_get0_transactionID.pod +DEPEND[html/man3/OSSL_CMP_ITAV_set0.html]=man3/OSSL_CMP_ITAV_set0.pod +GENERATE[html/man3/OSSL_CMP_ITAV_set0.html]=man3/OSSL_CMP_ITAV_set0.pod +DEPEND[man/man3/OSSL_CMP_ITAV_set0.3]=man3/OSSL_CMP_ITAV_set0.pod +GENERATE[man/man3/OSSL_CMP_ITAV_set0.3]=man3/OSSL_CMP_ITAV_set0.pod +DEPEND[html/man3/OSSL_CMP_MSG_get0_header.html]=man3/OSSL_CMP_MSG_get0_header.pod +GENERATE[html/man3/OSSL_CMP_MSG_get0_header.html]=man3/OSSL_CMP_MSG_get0_header.pod +DEPEND[man/man3/OSSL_CMP_MSG_get0_header.3]=man3/OSSL_CMP_MSG_get0_header.pod +GENERATE[man/man3/OSSL_CMP_MSG_get0_header.3]=man3/OSSL_CMP_MSG_get0_header.pod +DEPEND[html/man3/OSSL_CMP_MSG_http_perform.html]=man3/OSSL_CMP_MSG_http_perform.pod +GENERATE[html/man3/OSSL_CMP_MSG_http_perform.html]=man3/OSSL_CMP_MSG_http_perform.pod +DEPEND[man/man3/OSSL_CMP_MSG_http_perform.3]=man3/OSSL_CMP_MSG_http_perform.pod +GENERATE[man/man3/OSSL_CMP_MSG_http_perform.3]=man3/OSSL_CMP_MSG_http_perform.pod +DEPEND[html/man3/OSSL_CMP_SRV_CTX_new.html]=man3/OSSL_CMP_SRV_CTX_new.pod +GENERATE[html/man3/OSSL_CMP_SRV_CTX_new.html]=man3/OSSL_CMP_SRV_CTX_new.pod +DEPEND[man/man3/OSSL_CMP_SRV_CTX_new.3]=man3/OSSL_CMP_SRV_CTX_new.pod +GENERATE[man/man3/OSSL_CMP_SRV_CTX_new.3]=man3/OSSL_CMP_SRV_CTX_new.pod +DEPEND[html/man3/OSSL_CMP_STATUSINFO_new.html]=man3/OSSL_CMP_STATUSINFO_new.pod +GENERATE[html/man3/OSSL_CMP_STATUSINFO_new.html]=man3/OSSL_CMP_STATUSINFO_new.pod +DEPEND[man/man3/OSSL_CMP_STATUSINFO_new.3]=man3/OSSL_CMP_STATUSINFO_new.pod +GENERATE[man/man3/OSSL_CMP_STATUSINFO_new.3]=man3/OSSL_CMP_STATUSINFO_new.pod +DEPEND[html/man3/OSSL_CMP_exec_certreq.html]=man3/OSSL_CMP_exec_certreq.pod +GENERATE[html/man3/OSSL_CMP_exec_certreq.html]=man3/OSSL_CMP_exec_certreq.pod +DEPEND[man/man3/OSSL_CMP_exec_certreq.3]=man3/OSSL_CMP_exec_certreq.pod +GENERATE[man/man3/OSSL_CMP_exec_certreq.3]=man3/OSSL_CMP_exec_certreq.pod +DEPEND[html/man3/OSSL_CMP_log_open.html]=man3/OSSL_CMP_log_open.pod +GENERATE[html/man3/OSSL_CMP_log_open.html]=man3/OSSL_CMP_log_open.pod +DEPEND[man/man3/OSSL_CMP_log_open.3]=man3/OSSL_CMP_log_open.pod +GENERATE[man/man3/OSSL_CMP_log_open.3]=man3/OSSL_CMP_log_open.pod +DEPEND[html/man3/OSSL_CMP_validate_msg.html]=man3/OSSL_CMP_validate_msg.pod +GENERATE[html/man3/OSSL_CMP_validate_msg.html]=man3/OSSL_CMP_validate_msg.pod +DEPEND[man/man3/OSSL_CMP_validate_msg.3]=man3/OSSL_CMP_validate_msg.pod +GENERATE[man/man3/OSSL_CMP_validate_msg.3]=man3/OSSL_CMP_validate_msg.pod +DEPEND[html/man3/OSSL_CRMF_MSG_get0_tmpl.html]=man3/OSSL_CRMF_MSG_get0_tmpl.pod +GENERATE[html/man3/OSSL_CRMF_MSG_get0_tmpl.html]=man3/OSSL_CRMF_MSG_get0_tmpl.pod +DEPEND[man/man3/OSSL_CRMF_MSG_get0_tmpl.3]=man3/OSSL_CRMF_MSG_get0_tmpl.pod +GENERATE[man/man3/OSSL_CRMF_MSG_get0_tmpl.3]=man3/OSSL_CRMF_MSG_get0_tmpl.pod +DEPEND[html/man3/OSSL_CRMF_MSG_set0_validity.html]=man3/OSSL_CRMF_MSG_set0_validity.pod +GENERATE[html/man3/OSSL_CRMF_MSG_set0_validity.html]=man3/OSSL_CRMF_MSG_set0_validity.pod +DEPEND[man/man3/OSSL_CRMF_MSG_set0_validity.3]=man3/OSSL_CRMF_MSG_set0_validity.pod +GENERATE[man/man3/OSSL_CRMF_MSG_set0_validity.3]=man3/OSSL_CRMF_MSG_set0_validity.pod +DEPEND[html/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.html]=man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod +GENERATE[html/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.html]=man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod +DEPEND[man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3]=man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod +GENERATE[man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3]=man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod +DEPEND[html/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.html]=man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod +GENERATE[html/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.html]=man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod +DEPEND[man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3]=man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod +GENERATE[man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3]=man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod +DEPEND[html/man3/OSSL_CRMF_pbmp_new.html]=man3/OSSL_CRMF_pbmp_new.pod +GENERATE[html/man3/OSSL_CRMF_pbmp_new.html]=man3/OSSL_CRMF_pbmp_new.pod +DEPEND[man/man3/OSSL_CRMF_pbmp_new.3]=man3/OSSL_CRMF_pbmp_new.pod +GENERATE[man/man3/OSSL_CRMF_pbmp_new.3]=man3/OSSL_CRMF_pbmp_new.pod +DEPEND[html/man3/OSSL_DECODER.html]=man3/OSSL_DECODER.pod +GENERATE[html/man3/OSSL_DECODER.html]=man3/OSSL_DECODER.pod +DEPEND[man/man3/OSSL_DECODER.3]=man3/OSSL_DECODER.pod +GENERATE[man/man3/OSSL_DECODER.3]=man3/OSSL_DECODER.pod +DEPEND[html/man3/OSSL_DECODER_CTX.html]=man3/OSSL_DECODER_CTX.pod +GENERATE[html/man3/OSSL_DECODER_CTX.html]=man3/OSSL_DECODER_CTX.pod +DEPEND[man/man3/OSSL_DECODER_CTX.3]=man3/OSSL_DECODER_CTX.pod +GENERATE[man/man3/OSSL_DECODER_CTX.3]=man3/OSSL_DECODER_CTX.pod +DEPEND[html/man3/OSSL_DECODER_CTX_new_for_pkey.html]=man3/OSSL_DECODER_CTX_new_for_pkey.pod +GENERATE[html/man3/OSSL_DECODER_CTX_new_for_pkey.html]=man3/OSSL_DECODER_CTX_new_for_pkey.pod +DEPEND[man/man3/OSSL_DECODER_CTX_new_for_pkey.3]=man3/OSSL_DECODER_CTX_new_for_pkey.pod +GENERATE[man/man3/OSSL_DECODER_CTX_new_for_pkey.3]=man3/OSSL_DECODER_CTX_new_for_pkey.pod +DEPEND[html/man3/OSSL_DECODER_from_bio.html]=man3/OSSL_DECODER_from_bio.pod +GENERATE[html/man3/OSSL_DECODER_from_bio.html]=man3/OSSL_DECODER_from_bio.pod +DEPEND[man/man3/OSSL_DECODER_from_bio.3]=man3/OSSL_DECODER_from_bio.pod +GENERATE[man/man3/OSSL_DECODER_from_bio.3]=man3/OSSL_DECODER_from_bio.pod +DEPEND[html/man3/OSSL_ENCODER.html]=man3/OSSL_ENCODER.pod +GENERATE[html/man3/OSSL_ENCODER.html]=man3/OSSL_ENCODER.pod +DEPEND[man/man3/OSSL_ENCODER.3]=man3/OSSL_ENCODER.pod +GENERATE[man/man3/OSSL_ENCODER.3]=man3/OSSL_ENCODER.pod +DEPEND[html/man3/OSSL_ENCODER_CTX.html]=man3/OSSL_ENCODER_CTX.pod +GENERATE[html/man3/OSSL_ENCODER_CTX.html]=man3/OSSL_ENCODER_CTX.pod +DEPEND[man/man3/OSSL_ENCODER_CTX.3]=man3/OSSL_ENCODER_CTX.pod +GENERATE[man/man3/OSSL_ENCODER_CTX.3]=man3/OSSL_ENCODER_CTX.pod +DEPEND[html/man3/OSSL_ENCODER_CTX_new_for_pkey.html]=man3/OSSL_ENCODER_CTX_new_for_pkey.pod +GENERATE[html/man3/OSSL_ENCODER_CTX_new_for_pkey.html]=man3/OSSL_ENCODER_CTX_new_for_pkey.pod +DEPEND[man/man3/OSSL_ENCODER_CTX_new_for_pkey.3]=man3/OSSL_ENCODER_CTX_new_for_pkey.pod +GENERATE[man/man3/OSSL_ENCODER_CTX_new_for_pkey.3]=man3/OSSL_ENCODER_CTX_new_for_pkey.pod +DEPEND[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod +GENERATE[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod +DEPEND[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod +GENERATE[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod +DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod +GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod +DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod +GENERATE[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod +DEPEND[html/man3/OSSL_HTTP_transfer.html]=man3/OSSL_HTTP_transfer.pod +GENERATE[html/man3/OSSL_HTTP_transfer.html]=man3/OSSL_HTTP_transfer.pod +DEPEND[man/man3/OSSL_HTTP_transfer.3]=man3/OSSL_HTTP_transfer.pod +GENERATE[man/man3/OSSL_HTTP_transfer.3]=man3/OSSL_HTTP_transfer.pod +DEPEND[html/man3/OSSL_LIB_CTX.html]=man3/OSSL_LIB_CTX.pod +GENERATE[html/man3/OSSL_LIB_CTX.html]=man3/OSSL_LIB_CTX.pod +DEPEND[man/man3/OSSL_LIB_CTX.3]=man3/OSSL_LIB_CTX.pod +GENERATE[man/man3/OSSL_LIB_CTX.3]=man3/OSSL_LIB_CTX.pod +DEPEND[html/man3/OSSL_PARAM.html]=man3/OSSL_PARAM.pod +GENERATE[html/man3/OSSL_PARAM.html]=man3/OSSL_PARAM.pod +DEPEND[man/man3/OSSL_PARAM.3]=man3/OSSL_PARAM.pod +GENERATE[man/man3/OSSL_PARAM.3]=man3/OSSL_PARAM.pod +DEPEND[html/man3/OSSL_PARAM_BLD.html]=man3/OSSL_PARAM_BLD.pod +GENERATE[html/man3/OSSL_PARAM_BLD.html]=man3/OSSL_PARAM_BLD.pod +DEPEND[man/man3/OSSL_PARAM_BLD.3]=man3/OSSL_PARAM_BLD.pod +GENERATE[man/man3/OSSL_PARAM_BLD.3]=man3/OSSL_PARAM_BLD.pod +DEPEND[html/man3/OSSL_PARAM_allocate_from_text.html]=man3/OSSL_PARAM_allocate_from_text.pod +GENERATE[html/man3/OSSL_PARAM_allocate_from_text.html]=man3/OSSL_PARAM_allocate_from_text.pod +DEPEND[man/man3/OSSL_PARAM_allocate_from_text.3]=man3/OSSL_PARAM_allocate_from_text.pod +GENERATE[man/man3/OSSL_PARAM_allocate_from_text.3]=man3/OSSL_PARAM_allocate_from_text.pod +DEPEND[html/man3/OSSL_PARAM_int.html]=man3/OSSL_PARAM_int.pod +GENERATE[html/man3/OSSL_PARAM_int.html]=man3/OSSL_PARAM_int.pod +DEPEND[man/man3/OSSL_PARAM_int.3]=man3/OSSL_PARAM_int.pod +GENERATE[man/man3/OSSL_PARAM_int.3]=man3/OSSL_PARAM_int.pod +DEPEND[html/man3/OSSL_PROVIDER.html]=man3/OSSL_PROVIDER.pod +GENERATE[html/man3/OSSL_PROVIDER.html]=man3/OSSL_PROVIDER.pod +DEPEND[man/man3/OSSL_PROVIDER.3]=man3/OSSL_PROVIDER.pod +GENERATE[man/man3/OSSL_PROVIDER.3]=man3/OSSL_PROVIDER.pod +DEPEND[html/man3/OSSL_SELF_TEST_new.html]=man3/OSSL_SELF_TEST_new.pod +GENERATE[html/man3/OSSL_SELF_TEST_new.html]=man3/OSSL_SELF_TEST_new.pod +DEPEND[man/man3/OSSL_SELF_TEST_new.3]=man3/OSSL_SELF_TEST_new.pod +GENERATE[man/man3/OSSL_SELF_TEST_new.3]=man3/OSSL_SELF_TEST_new.pod +DEPEND[html/man3/OSSL_SELF_TEST_set_callback.html]=man3/OSSL_SELF_TEST_set_callback.pod +GENERATE[html/man3/OSSL_SELF_TEST_set_callback.html]=man3/OSSL_SELF_TEST_set_callback.pod +DEPEND[man/man3/OSSL_SELF_TEST_set_callback.3]=man3/OSSL_SELF_TEST_set_callback.pod +GENERATE[man/man3/OSSL_SELF_TEST_set_callback.3]=man3/OSSL_SELF_TEST_set_callback.pod +DEPEND[html/man3/OSSL_STORE_INFO.html]=man3/OSSL_STORE_INFO.pod +GENERATE[html/man3/OSSL_STORE_INFO.html]=man3/OSSL_STORE_INFO.pod +DEPEND[man/man3/OSSL_STORE_INFO.3]=man3/OSSL_STORE_INFO.pod +GENERATE[man/man3/OSSL_STORE_INFO.3]=man3/OSSL_STORE_INFO.pod +DEPEND[html/man3/OSSL_STORE_LOADER.html]=man3/OSSL_STORE_LOADER.pod +GENERATE[html/man3/OSSL_STORE_LOADER.html]=man3/OSSL_STORE_LOADER.pod +DEPEND[man/man3/OSSL_STORE_LOADER.3]=man3/OSSL_STORE_LOADER.pod +GENERATE[man/man3/OSSL_STORE_LOADER.3]=man3/OSSL_STORE_LOADER.pod +DEPEND[html/man3/OSSL_STORE_SEARCH.html]=man3/OSSL_STORE_SEARCH.pod +GENERATE[html/man3/OSSL_STORE_SEARCH.html]=man3/OSSL_STORE_SEARCH.pod +DEPEND[man/man3/OSSL_STORE_SEARCH.3]=man3/OSSL_STORE_SEARCH.pod +GENERATE[man/man3/OSSL_STORE_SEARCH.3]=man3/OSSL_STORE_SEARCH.pod +DEPEND[html/man3/OSSL_STORE_attach.html]=man3/OSSL_STORE_attach.pod +GENERATE[html/man3/OSSL_STORE_attach.html]=man3/OSSL_STORE_attach.pod +DEPEND[man/man3/OSSL_STORE_attach.3]=man3/OSSL_STORE_attach.pod +GENERATE[man/man3/OSSL_STORE_attach.3]=man3/OSSL_STORE_attach.pod +DEPEND[html/man3/OSSL_STORE_expect.html]=man3/OSSL_STORE_expect.pod +GENERATE[html/man3/OSSL_STORE_expect.html]=man3/OSSL_STORE_expect.pod +DEPEND[man/man3/OSSL_STORE_expect.3]=man3/OSSL_STORE_expect.pod +GENERATE[man/man3/OSSL_STORE_expect.3]=man3/OSSL_STORE_expect.pod +DEPEND[html/man3/OSSL_STORE_open.html]=man3/OSSL_STORE_open.pod +GENERATE[html/man3/OSSL_STORE_open.html]=man3/OSSL_STORE_open.pod +DEPEND[man/man3/OSSL_STORE_open.3]=man3/OSSL_STORE_open.pod +GENERATE[man/man3/OSSL_STORE_open.3]=man3/OSSL_STORE_open.pod +DEPEND[html/man3/OSSL_trace_enabled.html]=man3/OSSL_trace_enabled.pod +GENERATE[html/man3/OSSL_trace_enabled.html]=man3/OSSL_trace_enabled.pod +DEPEND[man/man3/OSSL_trace_enabled.3]=man3/OSSL_trace_enabled.pod +GENERATE[man/man3/OSSL_trace_enabled.3]=man3/OSSL_trace_enabled.pod +DEPEND[html/man3/OSSL_trace_get_category_num.html]=man3/OSSL_trace_get_category_num.pod +GENERATE[html/man3/OSSL_trace_get_category_num.html]=man3/OSSL_trace_get_category_num.pod +DEPEND[man/man3/OSSL_trace_get_category_num.3]=man3/OSSL_trace_get_category_num.pod +GENERATE[man/man3/OSSL_trace_get_category_num.3]=man3/OSSL_trace_get_category_num.pod +DEPEND[html/man3/OSSL_trace_set_channel.html]=man3/OSSL_trace_set_channel.pod +GENERATE[html/man3/OSSL_trace_set_channel.html]=man3/OSSL_trace_set_channel.pod +DEPEND[man/man3/OSSL_trace_set_channel.3]=man3/OSSL_trace_set_channel.pod +GENERATE[man/man3/OSSL_trace_set_channel.3]=man3/OSSL_trace_set_channel.pod +DEPEND[html/man3/OpenSSL_add_all_algorithms.html]=man3/OpenSSL_add_all_algorithms.pod +GENERATE[html/man3/OpenSSL_add_all_algorithms.html]=man3/OpenSSL_add_all_algorithms.pod +DEPEND[man/man3/OpenSSL_add_all_algorithms.3]=man3/OpenSSL_add_all_algorithms.pod +GENERATE[man/man3/OpenSSL_add_all_algorithms.3]=man3/OpenSSL_add_all_algorithms.pod +DEPEND[html/man3/OpenSSL_version.html]=man3/OpenSSL_version.pod +GENERATE[html/man3/OpenSSL_version.html]=man3/OpenSSL_version.pod +DEPEND[man/man3/OpenSSL_version.3]=man3/OpenSSL_version.pod +GENERATE[man/man3/OpenSSL_version.3]=man3/OpenSSL_version.pod +DEPEND[html/man3/PEM_X509_INFO_read_bio_ex.html]=man3/PEM_X509_INFO_read_bio_ex.pod +GENERATE[html/man3/PEM_X509_INFO_read_bio_ex.html]=man3/PEM_X509_INFO_read_bio_ex.pod +DEPEND[man/man3/PEM_X509_INFO_read_bio_ex.3]=man3/PEM_X509_INFO_read_bio_ex.pod +GENERATE[man/man3/PEM_X509_INFO_read_bio_ex.3]=man3/PEM_X509_INFO_read_bio_ex.pod +DEPEND[html/man3/PEM_bytes_read_bio.html]=man3/PEM_bytes_read_bio.pod +GENERATE[html/man3/PEM_bytes_read_bio.html]=man3/PEM_bytes_read_bio.pod +DEPEND[man/man3/PEM_bytes_read_bio.3]=man3/PEM_bytes_read_bio.pod +GENERATE[man/man3/PEM_bytes_read_bio.3]=man3/PEM_bytes_read_bio.pod +DEPEND[html/man3/PEM_read.html]=man3/PEM_read.pod +GENERATE[html/man3/PEM_read.html]=man3/PEM_read.pod +DEPEND[man/man3/PEM_read.3]=man3/PEM_read.pod +GENERATE[man/man3/PEM_read.3]=man3/PEM_read.pod +DEPEND[html/man3/PEM_read_CMS.html]=man3/PEM_read_CMS.pod +GENERATE[html/man3/PEM_read_CMS.html]=man3/PEM_read_CMS.pod +DEPEND[man/man3/PEM_read_CMS.3]=man3/PEM_read_CMS.pod +GENERATE[man/man3/PEM_read_CMS.3]=man3/PEM_read_CMS.pod +DEPEND[html/man3/PEM_read_bio_PrivateKey.html]=man3/PEM_read_bio_PrivateKey.pod +GENERATE[html/man3/PEM_read_bio_PrivateKey.html]=man3/PEM_read_bio_PrivateKey.pod +DEPEND[man/man3/PEM_read_bio_PrivateKey.3]=man3/PEM_read_bio_PrivateKey.pod +GENERATE[man/man3/PEM_read_bio_PrivateKey.3]=man3/PEM_read_bio_PrivateKey.pod +DEPEND[html/man3/PEM_read_bio_ex.html]=man3/PEM_read_bio_ex.pod +GENERATE[html/man3/PEM_read_bio_ex.html]=man3/PEM_read_bio_ex.pod +DEPEND[man/man3/PEM_read_bio_ex.3]=man3/PEM_read_bio_ex.pod +GENERATE[man/man3/PEM_read_bio_ex.3]=man3/PEM_read_bio_ex.pod +DEPEND[html/man3/PEM_write_bio_CMS_stream.html]=man3/PEM_write_bio_CMS_stream.pod +GENERATE[html/man3/PEM_write_bio_CMS_stream.html]=man3/PEM_write_bio_CMS_stream.pod +DEPEND[man/man3/PEM_write_bio_CMS_stream.3]=man3/PEM_write_bio_CMS_stream.pod +GENERATE[man/man3/PEM_write_bio_CMS_stream.3]=man3/PEM_write_bio_CMS_stream.pod +DEPEND[html/man3/PEM_write_bio_PKCS7_stream.html]=man3/PEM_write_bio_PKCS7_stream.pod +GENERATE[html/man3/PEM_write_bio_PKCS7_stream.html]=man3/PEM_write_bio_PKCS7_stream.pod +DEPEND[man/man3/PEM_write_bio_PKCS7_stream.3]=man3/PEM_write_bio_PKCS7_stream.pod +GENERATE[man/man3/PEM_write_bio_PKCS7_stream.3]=man3/PEM_write_bio_PKCS7_stream.pod +DEPEND[html/man3/PKCS12_SAFEBAG_create_cert.html]=man3/PKCS12_SAFEBAG_create_cert.pod +GENERATE[html/man3/PKCS12_SAFEBAG_create_cert.html]=man3/PKCS12_SAFEBAG_create_cert.pod +DEPEND[man/man3/PKCS12_SAFEBAG_create_cert.3]=man3/PKCS12_SAFEBAG_create_cert.pod +GENERATE[man/man3/PKCS12_SAFEBAG_create_cert.3]=man3/PKCS12_SAFEBAG_create_cert.pod +DEPEND[html/man3/PKCS12_SAFEBAG_get0_attrs.html]=man3/PKCS12_SAFEBAG_get0_attrs.pod +GENERATE[html/man3/PKCS12_SAFEBAG_get0_attrs.html]=man3/PKCS12_SAFEBAG_get0_attrs.pod +DEPEND[man/man3/PKCS12_SAFEBAG_get0_attrs.3]=man3/PKCS12_SAFEBAG_get0_attrs.pod +GENERATE[man/man3/PKCS12_SAFEBAG_get0_attrs.3]=man3/PKCS12_SAFEBAG_get0_attrs.pod +DEPEND[html/man3/PKCS12_SAFEBAG_get1_cert.html]=man3/PKCS12_SAFEBAG_get1_cert.pod +GENERATE[html/man3/PKCS12_SAFEBAG_get1_cert.html]=man3/PKCS12_SAFEBAG_get1_cert.pod +DEPEND[man/man3/PKCS12_SAFEBAG_get1_cert.3]=man3/PKCS12_SAFEBAG_get1_cert.pod +GENERATE[man/man3/PKCS12_SAFEBAG_get1_cert.3]=man3/PKCS12_SAFEBAG_get1_cert.pod +DEPEND[html/man3/PKCS12_add1_attr_by_NID.html]=man3/PKCS12_add1_attr_by_NID.pod +GENERATE[html/man3/PKCS12_add1_attr_by_NID.html]=man3/PKCS12_add1_attr_by_NID.pod +DEPEND[man/man3/PKCS12_add1_attr_by_NID.3]=man3/PKCS12_add1_attr_by_NID.pod +GENERATE[man/man3/PKCS12_add1_attr_by_NID.3]=man3/PKCS12_add1_attr_by_NID.pod +DEPEND[html/man3/PKCS12_add_CSPName_asc.html]=man3/PKCS12_add_CSPName_asc.pod +GENERATE[html/man3/PKCS12_add_CSPName_asc.html]=man3/PKCS12_add_CSPName_asc.pod +DEPEND[man/man3/PKCS12_add_CSPName_asc.3]=man3/PKCS12_add_CSPName_asc.pod +GENERATE[man/man3/PKCS12_add_CSPName_asc.3]=man3/PKCS12_add_CSPName_asc.pod +DEPEND[html/man3/PKCS12_add_cert.html]=man3/PKCS12_add_cert.pod +GENERATE[html/man3/PKCS12_add_cert.html]=man3/PKCS12_add_cert.pod +DEPEND[man/man3/PKCS12_add_cert.3]=man3/PKCS12_add_cert.pod +GENERATE[man/man3/PKCS12_add_cert.3]=man3/PKCS12_add_cert.pod +DEPEND[html/man3/PKCS12_add_friendlyname_asc.html]=man3/PKCS12_add_friendlyname_asc.pod +GENERATE[html/man3/PKCS12_add_friendlyname_asc.html]=man3/PKCS12_add_friendlyname_asc.pod +DEPEND[man/man3/PKCS12_add_friendlyname_asc.3]=man3/PKCS12_add_friendlyname_asc.pod +GENERATE[man/man3/PKCS12_add_friendlyname_asc.3]=man3/PKCS12_add_friendlyname_asc.pod +DEPEND[html/man3/PKCS12_add_localkeyid.html]=man3/PKCS12_add_localkeyid.pod +GENERATE[html/man3/PKCS12_add_localkeyid.html]=man3/PKCS12_add_localkeyid.pod +DEPEND[man/man3/PKCS12_add_localkeyid.3]=man3/PKCS12_add_localkeyid.pod +GENERATE[man/man3/PKCS12_add_localkeyid.3]=man3/PKCS12_add_localkeyid.pod +DEPEND[html/man3/PKCS12_add_safe.html]=man3/PKCS12_add_safe.pod +GENERATE[html/man3/PKCS12_add_safe.html]=man3/PKCS12_add_safe.pod +DEPEND[man/man3/PKCS12_add_safe.3]=man3/PKCS12_add_safe.pod +GENERATE[man/man3/PKCS12_add_safe.3]=man3/PKCS12_add_safe.pod +DEPEND[html/man3/PKCS12_create.html]=man3/PKCS12_create.pod +GENERATE[html/man3/PKCS12_create.html]=man3/PKCS12_create.pod +DEPEND[man/man3/PKCS12_create.3]=man3/PKCS12_create.pod +GENERATE[man/man3/PKCS12_create.3]=man3/PKCS12_create.pod +DEPEND[html/man3/PKCS12_get_friendlyname.html]=man3/PKCS12_get_friendlyname.pod +GENERATE[html/man3/PKCS12_get_friendlyname.html]=man3/PKCS12_get_friendlyname.pod +DEPEND[man/man3/PKCS12_get_friendlyname.3]=man3/PKCS12_get_friendlyname.pod +GENERATE[man/man3/PKCS12_get_friendlyname.3]=man3/PKCS12_get_friendlyname.pod +DEPEND[html/man3/PKCS12_newpass.html]=man3/PKCS12_newpass.pod +GENERATE[html/man3/PKCS12_newpass.html]=man3/PKCS12_newpass.pod +DEPEND[man/man3/PKCS12_newpass.3]=man3/PKCS12_newpass.pod +GENERATE[man/man3/PKCS12_newpass.3]=man3/PKCS12_newpass.pod +DEPEND[html/man3/PKCS12_parse.html]=man3/PKCS12_parse.pod +GENERATE[html/man3/PKCS12_parse.html]=man3/PKCS12_parse.pod +DEPEND[man/man3/PKCS12_parse.3]=man3/PKCS12_parse.pod +GENERATE[man/man3/PKCS12_parse.3]=man3/PKCS12_parse.pod +DEPEND[html/man3/PKCS5_PBKDF2_HMAC.html]=man3/PKCS5_PBKDF2_HMAC.pod +GENERATE[html/man3/PKCS5_PBKDF2_HMAC.html]=man3/PKCS5_PBKDF2_HMAC.pod +DEPEND[man/man3/PKCS5_PBKDF2_HMAC.3]=man3/PKCS5_PBKDF2_HMAC.pod +GENERATE[man/man3/PKCS5_PBKDF2_HMAC.3]=man3/PKCS5_PBKDF2_HMAC.pod +DEPEND[html/man3/PKCS7_decrypt.html]=man3/PKCS7_decrypt.pod +GENERATE[html/man3/PKCS7_decrypt.html]=man3/PKCS7_decrypt.pod +DEPEND[man/man3/PKCS7_decrypt.3]=man3/PKCS7_decrypt.pod +GENERATE[man/man3/PKCS7_decrypt.3]=man3/PKCS7_decrypt.pod +DEPEND[html/man3/PKCS7_encrypt.html]=man3/PKCS7_encrypt.pod +GENERATE[html/man3/PKCS7_encrypt.html]=man3/PKCS7_encrypt.pod +DEPEND[man/man3/PKCS7_encrypt.3]=man3/PKCS7_encrypt.pod +GENERATE[man/man3/PKCS7_encrypt.3]=man3/PKCS7_encrypt.pod +DEPEND[html/man3/PKCS7_get_octet_string.html]=man3/PKCS7_get_octet_string.pod +GENERATE[html/man3/PKCS7_get_octet_string.html]=man3/PKCS7_get_octet_string.pod +DEPEND[man/man3/PKCS7_get_octet_string.3]=man3/PKCS7_get_octet_string.pod +GENERATE[man/man3/PKCS7_get_octet_string.3]=man3/PKCS7_get_octet_string.pod +DEPEND[html/man3/PKCS7_sign.html]=man3/PKCS7_sign.pod +GENERATE[html/man3/PKCS7_sign.html]=man3/PKCS7_sign.pod +DEPEND[man/man3/PKCS7_sign.3]=man3/PKCS7_sign.pod +GENERATE[man/man3/PKCS7_sign.3]=man3/PKCS7_sign.pod +DEPEND[html/man3/PKCS7_sign_add_signer.html]=man3/PKCS7_sign_add_signer.pod +GENERATE[html/man3/PKCS7_sign_add_signer.html]=man3/PKCS7_sign_add_signer.pod +DEPEND[man/man3/PKCS7_sign_add_signer.3]=man3/PKCS7_sign_add_signer.pod +GENERATE[man/man3/PKCS7_sign_add_signer.3]=man3/PKCS7_sign_add_signer.pod +DEPEND[html/man3/PKCS7_type_is_other.html]=man3/PKCS7_type_is_other.pod +GENERATE[html/man3/PKCS7_type_is_other.html]=man3/PKCS7_type_is_other.pod +DEPEND[man/man3/PKCS7_type_is_other.3]=man3/PKCS7_type_is_other.pod +GENERATE[man/man3/PKCS7_type_is_other.3]=man3/PKCS7_type_is_other.pod +DEPEND[html/man3/PKCS7_verify.html]=man3/PKCS7_verify.pod +GENERATE[html/man3/PKCS7_verify.html]=man3/PKCS7_verify.pod +DEPEND[man/man3/PKCS7_verify.3]=man3/PKCS7_verify.pod +GENERATE[man/man3/PKCS7_verify.3]=man3/PKCS7_verify.pod +DEPEND[html/man3/PKCS8_pkey_add1_attr.html]=man3/PKCS8_pkey_add1_attr.pod +GENERATE[html/man3/PKCS8_pkey_add1_attr.html]=man3/PKCS8_pkey_add1_attr.pod +DEPEND[man/man3/PKCS8_pkey_add1_attr.3]=man3/PKCS8_pkey_add1_attr.pod +GENERATE[man/man3/PKCS8_pkey_add1_attr.3]=man3/PKCS8_pkey_add1_attr.pod +DEPEND[html/man3/RAND_add.html]=man3/RAND_add.pod +GENERATE[html/man3/RAND_add.html]=man3/RAND_add.pod +DEPEND[man/man3/RAND_add.3]=man3/RAND_add.pod +GENERATE[man/man3/RAND_add.3]=man3/RAND_add.pod +DEPEND[html/man3/RAND_bytes.html]=man3/RAND_bytes.pod +GENERATE[html/man3/RAND_bytes.html]=man3/RAND_bytes.pod +DEPEND[man/man3/RAND_bytes.3]=man3/RAND_bytes.pod +GENERATE[man/man3/RAND_bytes.3]=man3/RAND_bytes.pod +DEPEND[html/man3/RAND_cleanup.html]=man3/RAND_cleanup.pod +GENERATE[html/man3/RAND_cleanup.html]=man3/RAND_cleanup.pod +DEPEND[man/man3/RAND_cleanup.3]=man3/RAND_cleanup.pod +GENERATE[man/man3/RAND_cleanup.3]=man3/RAND_cleanup.pod +DEPEND[html/man3/RAND_egd.html]=man3/RAND_egd.pod +GENERATE[html/man3/RAND_egd.html]=man3/RAND_egd.pod +DEPEND[man/man3/RAND_egd.3]=man3/RAND_egd.pod +GENERATE[man/man3/RAND_egd.3]=man3/RAND_egd.pod +DEPEND[html/man3/RAND_get0_primary.html]=man3/RAND_get0_primary.pod +GENERATE[html/man3/RAND_get0_primary.html]=man3/RAND_get0_primary.pod +DEPEND[man/man3/RAND_get0_primary.3]=man3/RAND_get0_primary.pod +GENERATE[man/man3/RAND_get0_primary.3]=man3/RAND_get0_primary.pod +DEPEND[html/man3/RAND_load_file.html]=man3/RAND_load_file.pod +GENERATE[html/man3/RAND_load_file.html]=man3/RAND_load_file.pod +DEPEND[man/man3/RAND_load_file.3]=man3/RAND_load_file.pod +GENERATE[man/man3/RAND_load_file.3]=man3/RAND_load_file.pod +DEPEND[html/man3/RAND_set_rand_method.html]=man3/RAND_set_rand_method.pod +GENERATE[html/man3/RAND_set_rand_method.html]=man3/RAND_set_rand_method.pod +DEPEND[man/man3/RAND_set_rand_method.3]=man3/RAND_set_rand_method.pod +GENERATE[man/man3/RAND_set_rand_method.3]=man3/RAND_set_rand_method.pod +DEPEND[html/man3/RC4_set_key.html]=man3/RC4_set_key.pod +GENERATE[html/man3/RC4_set_key.html]=man3/RC4_set_key.pod +DEPEND[man/man3/RC4_set_key.3]=man3/RC4_set_key.pod +GENERATE[man/man3/RC4_set_key.3]=man3/RC4_set_key.pod +DEPEND[html/man3/RIPEMD160_Init.html]=man3/RIPEMD160_Init.pod +GENERATE[html/man3/RIPEMD160_Init.html]=man3/RIPEMD160_Init.pod +DEPEND[man/man3/RIPEMD160_Init.3]=man3/RIPEMD160_Init.pod +GENERATE[man/man3/RIPEMD160_Init.3]=man3/RIPEMD160_Init.pod +DEPEND[html/man3/RSA_blinding_on.html]=man3/RSA_blinding_on.pod +GENERATE[html/man3/RSA_blinding_on.html]=man3/RSA_blinding_on.pod +DEPEND[man/man3/RSA_blinding_on.3]=man3/RSA_blinding_on.pod +GENERATE[man/man3/RSA_blinding_on.3]=man3/RSA_blinding_on.pod +DEPEND[html/man3/RSA_check_key.html]=man3/RSA_check_key.pod +GENERATE[html/man3/RSA_check_key.html]=man3/RSA_check_key.pod +DEPEND[man/man3/RSA_check_key.3]=man3/RSA_check_key.pod +GENERATE[man/man3/RSA_check_key.3]=man3/RSA_check_key.pod +DEPEND[html/man3/RSA_generate_key.html]=man3/RSA_generate_key.pod +GENERATE[html/man3/RSA_generate_key.html]=man3/RSA_generate_key.pod +DEPEND[man/man3/RSA_generate_key.3]=man3/RSA_generate_key.pod +GENERATE[man/man3/RSA_generate_key.3]=man3/RSA_generate_key.pod +DEPEND[html/man3/RSA_get0_key.html]=man3/RSA_get0_key.pod +GENERATE[html/man3/RSA_get0_key.html]=man3/RSA_get0_key.pod +DEPEND[man/man3/RSA_get0_key.3]=man3/RSA_get0_key.pod +GENERATE[man/man3/RSA_get0_key.3]=man3/RSA_get0_key.pod +DEPEND[html/man3/RSA_meth_new.html]=man3/RSA_meth_new.pod +GENERATE[html/man3/RSA_meth_new.html]=man3/RSA_meth_new.pod +DEPEND[man/man3/RSA_meth_new.3]=man3/RSA_meth_new.pod +GENERATE[man/man3/RSA_meth_new.3]=man3/RSA_meth_new.pod +DEPEND[html/man3/RSA_new.html]=man3/RSA_new.pod +GENERATE[html/man3/RSA_new.html]=man3/RSA_new.pod +DEPEND[man/man3/RSA_new.3]=man3/RSA_new.pod +GENERATE[man/man3/RSA_new.3]=man3/RSA_new.pod +DEPEND[html/man3/RSA_padding_add_PKCS1_type_1.html]=man3/RSA_padding_add_PKCS1_type_1.pod +GENERATE[html/man3/RSA_padding_add_PKCS1_type_1.html]=man3/RSA_padding_add_PKCS1_type_1.pod +DEPEND[man/man3/RSA_padding_add_PKCS1_type_1.3]=man3/RSA_padding_add_PKCS1_type_1.pod +GENERATE[man/man3/RSA_padding_add_PKCS1_type_1.3]=man3/RSA_padding_add_PKCS1_type_1.pod +DEPEND[html/man3/RSA_print.html]=man3/RSA_print.pod +GENERATE[html/man3/RSA_print.html]=man3/RSA_print.pod +DEPEND[man/man3/RSA_print.3]=man3/RSA_print.pod +GENERATE[man/man3/RSA_print.3]=man3/RSA_print.pod +DEPEND[html/man3/RSA_private_encrypt.html]=man3/RSA_private_encrypt.pod +GENERATE[html/man3/RSA_private_encrypt.html]=man3/RSA_private_encrypt.pod +DEPEND[man/man3/RSA_private_encrypt.3]=man3/RSA_private_encrypt.pod +GENERATE[man/man3/RSA_private_encrypt.3]=man3/RSA_private_encrypt.pod +DEPEND[html/man3/RSA_public_encrypt.html]=man3/RSA_public_encrypt.pod +GENERATE[html/man3/RSA_public_encrypt.html]=man3/RSA_public_encrypt.pod +DEPEND[man/man3/RSA_public_encrypt.3]=man3/RSA_public_encrypt.pod +GENERATE[man/man3/RSA_public_encrypt.3]=man3/RSA_public_encrypt.pod +DEPEND[html/man3/RSA_set_method.html]=man3/RSA_set_method.pod +GENERATE[html/man3/RSA_set_method.html]=man3/RSA_set_method.pod +DEPEND[man/man3/RSA_set_method.3]=man3/RSA_set_method.pod +GENERATE[man/man3/RSA_set_method.3]=man3/RSA_set_method.pod +DEPEND[html/man3/RSA_sign.html]=man3/RSA_sign.pod +GENERATE[html/man3/RSA_sign.html]=man3/RSA_sign.pod +DEPEND[man/man3/RSA_sign.3]=man3/RSA_sign.pod +GENERATE[man/man3/RSA_sign.3]=man3/RSA_sign.pod +DEPEND[html/man3/RSA_sign_ASN1_OCTET_STRING.html]=man3/RSA_sign_ASN1_OCTET_STRING.pod +GENERATE[html/man3/RSA_sign_ASN1_OCTET_STRING.html]=man3/RSA_sign_ASN1_OCTET_STRING.pod +DEPEND[man/man3/RSA_sign_ASN1_OCTET_STRING.3]=man3/RSA_sign_ASN1_OCTET_STRING.pod +GENERATE[man/man3/RSA_sign_ASN1_OCTET_STRING.3]=man3/RSA_sign_ASN1_OCTET_STRING.pod +DEPEND[html/man3/RSA_size.html]=man3/RSA_size.pod +GENERATE[html/man3/RSA_size.html]=man3/RSA_size.pod +DEPEND[man/man3/RSA_size.3]=man3/RSA_size.pod +GENERATE[man/man3/RSA_size.3]=man3/RSA_size.pod +DEPEND[html/man3/SCT_new.html]=man3/SCT_new.pod +GENERATE[html/man3/SCT_new.html]=man3/SCT_new.pod +DEPEND[man/man3/SCT_new.3]=man3/SCT_new.pod +GENERATE[man/man3/SCT_new.3]=man3/SCT_new.pod +DEPEND[html/man3/SCT_print.html]=man3/SCT_print.pod +GENERATE[html/man3/SCT_print.html]=man3/SCT_print.pod +DEPEND[man/man3/SCT_print.3]=man3/SCT_print.pod +GENERATE[man/man3/SCT_print.3]=man3/SCT_print.pod +DEPEND[html/man3/SCT_validate.html]=man3/SCT_validate.pod +GENERATE[html/man3/SCT_validate.html]=man3/SCT_validate.pod +DEPEND[man/man3/SCT_validate.3]=man3/SCT_validate.pod +GENERATE[man/man3/SCT_validate.3]=man3/SCT_validate.pod +DEPEND[html/man3/SHA256_Init.html]=man3/SHA256_Init.pod +GENERATE[html/man3/SHA256_Init.html]=man3/SHA256_Init.pod +DEPEND[man/man3/SHA256_Init.3]=man3/SHA256_Init.pod +GENERATE[man/man3/SHA256_Init.3]=man3/SHA256_Init.pod +DEPEND[html/man3/SMIME_read_ASN1.html]=man3/SMIME_read_ASN1.pod +GENERATE[html/man3/SMIME_read_ASN1.html]=man3/SMIME_read_ASN1.pod +DEPEND[man/man3/SMIME_read_ASN1.3]=man3/SMIME_read_ASN1.pod +GENERATE[man/man3/SMIME_read_ASN1.3]=man3/SMIME_read_ASN1.pod +DEPEND[html/man3/SMIME_read_CMS.html]=man3/SMIME_read_CMS.pod +GENERATE[html/man3/SMIME_read_CMS.html]=man3/SMIME_read_CMS.pod +DEPEND[man/man3/SMIME_read_CMS.3]=man3/SMIME_read_CMS.pod +GENERATE[man/man3/SMIME_read_CMS.3]=man3/SMIME_read_CMS.pod +DEPEND[html/man3/SMIME_read_PKCS7.html]=man3/SMIME_read_PKCS7.pod +GENERATE[html/man3/SMIME_read_PKCS7.html]=man3/SMIME_read_PKCS7.pod +DEPEND[man/man3/SMIME_read_PKCS7.3]=man3/SMIME_read_PKCS7.pod +GENERATE[man/man3/SMIME_read_PKCS7.3]=man3/SMIME_read_PKCS7.pod +DEPEND[html/man3/SMIME_write_ASN1.html]=man3/SMIME_write_ASN1.pod +GENERATE[html/man3/SMIME_write_ASN1.html]=man3/SMIME_write_ASN1.pod +DEPEND[man/man3/SMIME_write_ASN1.3]=man3/SMIME_write_ASN1.pod +GENERATE[man/man3/SMIME_write_ASN1.3]=man3/SMIME_write_ASN1.pod +DEPEND[html/man3/SMIME_write_CMS.html]=man3/SMIME_write_CMS.pod +GENERATE[html/man3/SMIME_write_CMS.html]=man3/SMIME_write_CMS.pod +DEPEND[man/man3/SMIME_write_CMS.3]=man3/SMIME_write_CMS.pod +GENERATE[man/man3/SMIME_write_CMS.3]=man3/SMIME_write_CMS.pod +DEPEND[html/man3/SMIME_write_PKCS7.html]=man3/SMIME_write_PKCS7.pod +GENERATE[html/man3/SMIME_write_PKCS7.html]=man3/SMIME_write_PKCS7.pod +DEPEND[man/man3/SMIME_write_PKCS7.3]=man3/SMIME_write_PKCS7.pod +GENERATE[man/man3/SMIME_write_PKCS7.3]=man3/SMIME_write_PKCS7.pod +DEPEND[html/man3/SRP_Calc_B.html]=man3/SRP_Calc_B.pod +GENERATE[html/man3/SRP_Calc_B.html]=man3/SRP_Calc_B.pod +DEPEND[man/man3/SRP_Calc_B.3]=man3/SRP_Calc_B.pod +GENERATE[man/man3/SRP_Calc_B.3]=man3/SRP_Calc_B.pod +DEPEND[html/man3/SRP_VBASE_new.html]=man3/SRP_VBASE_new.pod +GENERATE[html/man3/SRP_VBASE_new.html]=man3/SRP_VBASE_new.pod +DEPEND[man/man3/SRP_VBASE_new.3]=man3/SRP_VBASE_new.pod +GENERATE[man/man3/SRP_VBASE_new.3]=man3/SRP_VBASE_new.pod +DEPEND[html/man3/SRP_create_verifier.html]=man3/SRP_create_verifier.pod +GENERATE[html/man3/SRP_create_verifier.html]=man3/SRP_create_verifier.pod +DEPEND[man/man3/SRP_create_verifier.3]=man3/SRP_create_verifier.pod +GENERATE[man/man3/SRP_create_verifier.3]=man3/SRP_create_verifier.pod +DEPEND[html/man3/SRP_user_pwd_new.html]=man3/SRP_user_pwd_new.pod +GENERATE[html/man3/SRP_user_pwd_new.html]=man3/SRP_user_pwd_new.pod +DEPEND[man/man3/SRP_user_pwd_new.3]=man3/SRP_user_pwd_new.pod +GENERATE[man/man3/SRP_user_pwd_new.3]=man3/SRP_user_pwd_new.pod +DEPEND[html/man3/SSL_CIPHER_get_name.html]=man3/SSL_CIPHER_get_name.pod +GENERATE[html/man3/SSL_CIPHER_get_name.html]=man3/SSL_CIPHER_get_name.pod +DEPEND[man/man3/SSL_CIPHER_get_name.3]=man3/SSL_CIPHER_get_name.pod +GENERATE[man/man3/SSL_CIPHER_get_name.3]=man3/SSL_CIPHER_get_name.pod +DEPEND[html/man3/SSL_COMP_add_compression_method.html]=man3/SSL_COMP_add_compression_method.pod +GENERATE[html/man3/SSL_COMP_add_compression_method.html]=man3/SSL_COMP_add_compression_method.pod +DEPEND[man/man3/SSL_COMP_add_compression_method.3]=man3/SSL_COMP_add_compression_method.pod +GENERATE[man/man3/SSL_COMP_add_compression_method.3]=man3/SSL_COMP_add_compression_method.pod +DEPEND[html/man3/SSL_CONF_CTX_new.html]=man3/SSL_CONF_CTX_new.pod +GENERATE[html/man3/SSL_CONF_CTX_new.html]=man3/SSL_CONF_CTX_new.pod +DEPEND[man/man3/SSL_CONF_CTX_new.3]=man3/SSL_CONF_CTX_new.pod +GENERATE[man/man3/SSL_CONF_CTX_new.3]=man3/SSL_CONF_CTX_new.pod +DEPEND[html/man3/SSL_CONF_CTX_set1_prefix.html]=man3/SSL_CONF_CTX_set1_prefix.pod +GENERATE[html/man3/SSL_CONF_CTX_set1_prefix.html]=man3/SSL_CONF_CTX_set1_prefix.pod +DEPEND[man/man3/SSL_CONF_CTX_set1_prefix.3]=man3/SSL_CONF_CTX_set1_prefix.pod +GENERATE[man/man3/SSL_CONF_CTX_set1_prefix.3]=man3/SSL_CONF_CTX_set1_prefix.pod +DEPEND[html/man3/SSL_CONF_CTX_set_flags.html]=man3/SSL_CONF_CTX_set_flags.pod +GENERATE[html/man3/SSL_CONF_CTX_set_flags.html]=man3/SSL_CONF_CTX_set_flags.pod +DEPEND[man/man3/SSL_CONF_CTX_set_flags.3]=man3/SSL_CONF_CTX_set_flags.pod +GENERATE[man/man3/SSL_CONF_CTX_set_flags.3]=man3/SSL_CONF_CTX_set_flags.pod +DEPEND[html/man3/SSL_CONF_CTX_set_ssl_ctx.html]=man3/SSL_CONF_CTX_set_ssl_ctx.pod +GENERATE[html/man3/SSL_CONF_CTX_set_ssl_ctx.html]=man3/SSL_CONF_CTX_set_ssl_ctx.pod +DEPEND[man/man3/SSL_CONF_CTX_set_ssl_ctx.3]=man3/SSL_CONF_CTX_set_ssl_ctx.pod +GENERATE[man/man3/SSL_CONF_CTX_set_ssl_ctx.3]=man3/SSL_CONF_CTX_set_ssl_ctx.pod +DEPEND[html/man3/SSL_CONF_cmd.html]=man3/SSL_CONF_cmd.pod +GENERATE[html/man3/SSL_CONF_cmd.html]=man3/SSL_CONF_cmd.pod +DEPEND[man/man3/SSL_CONF_cmd.3]=man3/SSL_CONF_cmd.pod +GENERATE[man/man3/SSL_CONF_cmd.3]=man3/SSL_CONF_cmd.pod +DEPEND[html/man3/SSL_CONF_cmd_argv.html]=man3/SSL_CONF_cmd_argv.pod +GENERATE[html/man3/SSL_CONF_cmd_argv.html]=man3/SSL_CONF_cmd_argv.pod +DEPEND[man/man3/SSL_CONF_cmd_argv.3]=man3/SSL_CONF_cmd_argv.pod +GENERATE[man/man3/SSL_CONF_cmd_argv.3]=man3/SSL_CONF_cmd_argv.pod +DEPEND[html/man3/SSL_CTX_add1_chain_cert.html]=man3/SSL_CTX_add1_chain_cert.pod +GENERATE[html/man3/SSL_CTX_add1_chain_cert.html]=man3/SSL_CTX_add1_chain_cert.pod +DEPEND[man/man3/SSL_CTX_add1_chain_cert.3]=man3/SSL_CTX_add1_chain_cert.pod +GENERATE[man/man3/SSL_CTX_add1_chain_cert.3]=man3/SSL_CTX_add1_chain_cert.pod +DEPEND[html/man3/SSL_CTX_add_extra_chain_cert.html]=man3/SSL_CTX_add_extra_chain_cert.pod +GENERATE[html/man3/SSL_CTX_add_extra_chain_cert.html]=man3/SSL_CTX_add_extra_chain_cert.pod +DEPEND[man/man3/SSL_CTX_add_extra_chain_cert.3]=man3/SSL_CTX_add_extra_chain_cert.pod +GENERATE[man/man3/SSL_CTX_add_extra_chain_cert.3]=man3/SSL_CTX_add_extra_chain_cert.pod +DEPEND[html/man3/SSL_CTX_add_session.html]=man3/SSL_CTX_add_session.pod +GENERATE[html/man3/SSL_CTX_add_session.html]=man3/SSL_CTX_add_session.pod +DEPEND[man/man3/SSL_CTX_add_session.3]=man3/SSL_CTX_add_session.pod +GENERATE[man/man3/SSL_CTX_add_session.3]=man3/SSL_CTX_add_session.pod +DEPEND[html/man3/SSL_CTX_config.html]=man3/SSL_CTX_config.pod +GENERATE[html/man3/SSL_CTX_config.html]=man3/SSL_CTX_config.pod +DEPEND[man/man3/SSL_CTX_config.3]=man3/SSL_CTX_config.pod +GENERATE[man/man3/SSL_CTX_config.3]=man3/SSL_CTX_config.pod +DEPEND[html/man3/SSL_CTX_ctrl.html]=man3/SSL_CTX_ctrl.pod +GENERATE[html/man3/SSL_CTX_ctrl.html]=man3/SSL_CTX_ctrl.pod +DEPEND[man/man3/SSL_CTX_ctrl.3]=man3/SSL_CTX_ctrl.pod +GENERATE[man/man3/SSL_CTX_ctrl.3]=man3/SSL_CTX_ctrl.pod +DEPEND[html/man3/SSL_CTX_dane_enable.html]=man3/SSL_CTX_dane_enable.pod +GENERATE[html/man3/SSL_CTX_dane_enable.html]=man3/SSL_CTX_dane_enable.pod +DEPEND[man/man3/SSL_CTX_dane_enable.3]=man3/SSL_CTX_dane_enable.pod +GENERATE[man/man3/SSL_CTX_dane_enable.3]=man3/SSL_CTX_dane_enable.pod +DEPEND[html/man3/SSL_CTX_flush_sessions.html]=man3/SSL_CTX_flush_sessions.pod +GENERATE[html/man3/SSL_CTX_flush_sessions.html]=man3/SSL_CTX_flush_sessions.pod +DEPEND[man/man3/SSL_CTX_flush_sessions.3]=man3/SSL_CTX_flush_sessions.pod +GENERATE[man/man3/SSL_CTX_flush_sessions.3]=man3/SSL_CTX_flush_sessions.pod +DEPEND[html/man3/SSL_CTX_free.html]=man3/SSL_CTX_free.pod +GENERATE[html/man3/SSL_CTX_free.html]=man3/SSL_CTX_free.pod +DEPEND[man/man3/SSL_CTX_free.3]=man3/SSL_CTX_free.pod +GENERATE[man/man3/SSL_CTX_free.3]=man3/SSL_CTX_free.pod +DEPEND[html/man3/SSL_CTX_get0_param.html]=man3/SSL_CTX_get0_param.pod +GENERATE[html/man3/SSL_CTX_get0_param.html]=man3/SSL_CTX_get0_param.pod +DEPEND[man/man3/SSL_CTX_get0_param.3]=man3/SSL_CTX_get0_param.pod +GENERATE[man/man3/SSL_CTX_get0_param.3]=man3/SSL_CTX_get0_param.pod +DEPEND[html/man3/SSL_CTX_get_verify_mode.html]=man3/SSL_CTX_get_verify_mode.pod +GENERATE[html/man3/SSL_CTX_get_verify_mode.html]=man3/SSL_CTX_get_verify_mode.pod +DEPEND[man/man3/SSL_CTX_get_verify_mode.3]=man3/SSL_CTX_get_verify_mode.pod +GENERATE[man/man3/SSL_CTX_get_verify_mode.3]=man3/SSL_CTX_get_verify_mode.pod +DEPEND[html/man3/SSL_CTX_has_client_custom_ext.html]=man3/SSL_CTX_has_client_custom_ext.pod +GENERATE[html/man3/SSL_CTX_has_client_custom_ext.html]=man3/SSL_CTX_has_client_custom_ext.pod +DEPEND[man/man3/SSL_CTX_has_client_custom_ext.3]=man3/SSL_CTX_has_client_custom_ext.pod +GENERATE[man/man3/SSL_CTX_has_client_custom_ext.3]=man3/SSL_CTX_has_client_custom_ext.pod +DEPEND[html/man3/SSL_CTX_load_verify_locations.html]=man3/SSL_CTX_load_verify_locations.pod +GENERATE[html/man3/SSL_CTX_load_verify_locations.html]=man3/SSL_CTX_load_verify_locations.pod +DEPEND[man/man3/SSL_CTX_load_verify_locations.3]=man3/SSL_CTX_load_verify_locations.pod +GENERATE[man/man3/SSL_CTX_load_verify_locations.3]=man3/SSL_CTX_load_verify_locations.pod +DEPEND[html/man3/SSL_CTX_new.html]=man3/SSL_CTX_new.pod +GENERATE[html/man3/SSL_CTX_new.html]=man3/SSL_CTX_new.pod +DEPEND[man/man3/SSL_CTX_new.3]=man3/SSL_CTX_new.pod +GENERATE[man/man3/SSL_CTX_new.3]=man3/SSL_CTX_new.pod +DEPEND[html/man3/SSL_CTX_sess_number.html]=man3/SSL_CTX_sess_number.pod +GENERATE[html/man3/SSL_CTX_sess_number.html]=man3/SSL_CTX_sess_number.pod +DEPEND[man/man3/SSL_CTX_sess_number.3]=man3/SSL_CTX_sess_number.pod +GENERATE[man/man3/SSL_CTX_sess_number.3]=man3/SSL_CTX_sess_number.pod +DEPEND[html/man3/SSL_CTX_sess_set_cache_size.html]=man3/SSL_CTX_sess_set_cache_size.pod +GENERATE[html/man3/SSL_CTX_sess_set_cache_size.html]=man3/SSL_CTX_sess_set_cache_size.pod +DEPEND[man/man3/SSL_CTX_sess_set_cache_size.3]=man3/SSL_CTX_sess_set_cache_size.pod +GENERATE[man/man3/SSL_CTX_sess_set_cache_size.3]=man3/SSL_CTX_sess_set_cache_size.pod +DEPEND[html/man3/SSL_CTX_sess_set_get_cb.html]=man3/SSL_CTX_sess_set_get_cb.pod +GENERATE[html/man3/SSL_CTX_sess_set_get_cb.html]=man3/SSL_CTX_sess_set_get_cb.pod +DEPEND[man/man3/SSL_CTX_sess_set_get_cb.3]=man3/SSL_CTX_sess_set_get_cb.pod +GENERATE[man/man3/SSL_CTX_sess_set_get_cb.3]=man3/SSL_CTX_sess_set_get_cb.pod +DEPEND[html/man3/SSL_CTX_sessions.html]=man3/SSL_CTX_sessions.pod +GENERATE[html/man3/SSL_CTX_sessions.html]=man3/SSL_CTX_sessions.pod +DEPEND[man/man3/SSL_CTX_sessions.3]=man3/SSL_CTX_sessions.pod +GENERATE[man/man3/SSL_CTX_sessions.3]=man3/SSL_CTX_sessions.pod +DEPEND[html/man3/SSL_CTX_set0_CA_list.html]=man3/SSL_CTX_set0_CA_list.pod +GENERATE[html/man3/SSL_CTX_set0_CA_list.html]=man3/SSL_CTX_set0_CA_list.pod +DEPEND[man/man3/SSL_CTX_set0_CA_list.3]=man3/SSL_CTX_set0_CA_list.pod +GENERATE[man/man3/SSL_CTX_set0_CA_list.3]=man3/SSL_CTX_set0_CA_list.pod +DEPEND[html/man3/SSL_CTX_set1_curves.html]=man3/SSL_CTX_set1_curves.pod +GENERATE[html/man3/SSL_CTX_set1_curves.html]=man3/SSL_CTX_set1_curves.pod +DEPEND[man/man3/SSL_CTX_set1_curves.3]=man3/SSL_CTX_set1_curves.pod +GENERATE[man/man3/SSL_CTX_set1_curves.3]=man3/SSL_CTX_set1_curves.pod +DEPEND[html/man3/SSL_CTX_set1_sigalgs.html]=man3/SSL_CTX_set1_sigalgs.pod +GENERATE[html/man3/SSL_CTX_set1_sigalgs.html]=man3/SSL_CTX_set1_sigalgs.pod +DEPEND[man/man3/SSL_CTX_set1_sigalgs.3]=man3/SSL_CTX_set1_sigalgs.pod +GENERATE[man/man3/SSL_CTX_set1_sigalgs.3]=man3/SSL_CTX_set1_sigalgs.pod +DEPEND[html/man3/SSL_CTX_set1_verify_cert_store.html]=man3/SSL_CTX_set1_verify_cert_store.pod +GENERATE[html/man3/SSL_CTX_set1_verify_cert_store.html]=man3/SSL_CTX_set1_verify_cert_store.pod +DEPEND[man/man3/SSL_CTX_set1_verify_cert_store.3]=man3/SSL_CTX_set1_verify_cert_store.pod +GENERATE[man/man3/SSL_CTX_set1_verify_cert_store.3]=man3/SSL_CTX_set1_verify_cert_store.pod +DEPEND[html/man3/SSL_CTX_set_alpn_select_cb.html]=man3/SSL_CTX_set_alpn_select_cb.pod +GENERATE[html/man3/SSL_CTX_set_alpn_select_cb.html]=man3/SSL_CTX_set_alpn_select_cb.pod +DEPEND[man/man3/SSL_CTX_set_alpn_select_cb.3]=man3/SSL_CTX_set_alpn_select_cb.pod +GENERATE[man/man3/SSL_CTX_set_alpn_select_cb.3]=man3/SSL_CTX_set_alpn_select_cb.pod +DEPEND[html/man3/SSL_CTX_set_cert_cb.html]=man3/SSL_CTX_set_cert_cb.pod +GENERATE[html/man3/SSL_CTX_set_cert_cb.html]=man3/SSL_CTX_set_cert_cb.pod +DEPEND[man/man3/SSL_CTX_set_cert_cb.3]=man3/SSL_CTX_set_cert_cb.pod +GENERATE[man/man3/SSL_CTX_set_cert_cb.3]=man3/SSL_CTX_set_cert_cb.pod +DEPEND[html/man3/SSL_CTX_set_cert_store.html]=man3/SSL_CTX_set_cert_store.pod +GENERATE[html/man3/SSL_CTX_set_cert_store.html]=man3/SSL_CTX_set_cert_store.pod +DEPEND[man/man3/SSL_CTX_set_cert_store.3]=man3/SSL_CTX_set_cert_store.pod +GENERATE[man/man3/SSL_CTX_set_cert_store.3]=man3/SSL_CTX_set_cert_store.pod +DEPEND[html/man3/SSL_CTX_set_cert_verify_callback.html]=man3/SSL_CTX_set_cert_verify_callback.pod +GENERATE[html/man3/SSL_CTX_set_cert_verify_callback.html]=man3/SSL_CTX_set_cert_verify_callback.pod +DEPEND[man/man3/SSL_CTX_set_cert_verify_callback.3]=man3/SSL_CTX_set_cert_verify_callback.pod +GENERATE[man/man3/SSL_CTX_set_cert_verify_callback.3]=man3/SSL_CTX_set_cert_verify_callback.pod +DEPEND[html/man3/SSL_CTX_set_cipher_list.html]=man3/SSL_CTX_set_cipher_list.pod +GENERATE[html/man3/SSL_CTX_set_cipher_list.html]=man3/SSL_CTX_set_cipher_list.pod +DEPEND[man/man3/SSL_CTX_set_cipher_list.3]=man3/SSL_CTX_set_cipher_list.pod +GENERATE[man/man3/SSL_CTX_set_cipher_list.3]=man3/SSL_CTX_set_cipher_list.pod +DEPEND[html/man3/SSL_CTX_set_client_cert_cb.html]=man3/SSL_CTX_set_client_cert_cb.pod +GENERATE[html/man3/SSL_CTX_set_client_cert_cb.html]=man3/SSL_CTX_set_client_cert_cb.pod +DEPEND[man/man3/SSL_CTX_set_client_cert_cb.3]=man3/SSL_CTX_set_client_cert_cb.pod +GENERATE[man/man3/SSL_CTX_set_client_cert_cb.3]=man3/SSL_CTX_set_client_cert_cb.pod +DEPEND[html/man3/SSL_CTX_set_client_hello_cb.html]=man3/SSL_CTX_set_client_hello_cb.pod +GENERATE[html/man3/SSL_CTX_set_client_hello_cb.html]=man3/SSL_CTX_set_client_hello_cb.pod +DEPEND[man/man3/SSL_CTX_set_client_hello_cb.3]=man3/SSL_CTX_set_client_hello_cb.pod +GENERATE[man/man3/SSL_CTX_set_client_hello_cb.3]=man3/SSL_CTX_set_client_hello_cb.pod +DEPEND[html/man3/SSL_CTX_set_ct_validation_callback.html]=man3/SSL_CTX_set_ct_validation_callback.pod +GENERATE[html/man3/SSL_CTX_set_ct_validation_callback.html]=man3/SSL_CTX_set_ct_validation_callback.pod +DEPEND[man/man3/SSL_CTX_set_ct_validation_callback.3]=man3/SSL_CTX_set_ct_validation_callback.pod +GENERATE[man/man3/SSL_CTX_set_ct_validation_callback.3]=man3/SSL_CTX_set_ct_validation_callback.pod +DEPEND[html/man3/SSL_CTX_set_ctlog_list_file.html]=man3/SSL_CTX_set_ctlog_list_file.pod +GENERATE[html/man3/SSL_CTX_set_ctlog_list_file.html]=man3/SSL_CTX_set_ctlog_list_file.pod +DEPEND[man/man3/SSL_CTX_set_ctlog_list_file.3]=man3/SSL_CTX_set_ctlog_list_file.pod +GENERATE[man/man3/SSL_CTX_set_ctlog_list_file.3]=man3/SSL_CTX_set_ctlog_list_file.pod +DEPEND[html/man3/SSL_CTX_set_default_passwd_cb.html]=man3/SSL_CTX_set_default_passwd_cb.pod +GENERATE[html/man3/SSL_CTX_set_default_passwd_cb.html]=man3/SSL_CTX_set_default_passwd_cb.pod +DEPEND[man/man3/SSL_CTX_set_default_passwd_cb.3]=man3/SSL_CTX_set_default_passwd_cb.pod +GENERATE[man/man3/SSL_CTX_set_default_passwd_cb.3]=man3/SSL_CTX_set_default_passwd_cb.pod +DEPEND[html/man3/SSL_CTX_set_generate_session_id.html]=man3/SSL_CTX_set_generate_session_id.pod +GENERATE[html/man3/SSL_CTX_set_generate_session_id.html]=man3/SSL_CTX_set_generate_session_id.pod +DEPEND[man/man3/SSL_CTX_set_generate_session_id.3]=man3/SSL_CTX_set_generate_session_id.pod +GENERATE[man/man3/SSL_CTX_set_generate_session_id.3]=man3/SSL_CTX_set_generate_session_id.pod +DEPEND[html/man3/SSL_CTX_set_info_callback.html]=man3/SSL_CTX_set_info_callback.pod +GENERATE[html/man3/SSL_CTX_set_info_callback.html]=man3/SSL_CTX_set_info_callback.pod +DEPEND[man/man3/SSL_CTX_set_info_callback.3]=man3/SSL_CTX_set_info_callback.pod +GENERATE[man/man3/SSL_CTX_set_info_callback.3]=man3/SSL_CTX_set_info_callback.pod +DEPEND[html/man3/SSL_CTX_set_keylog_callback.html]=man3/SSL_CTX_set_keylog_callback.pod +GENERATE[html/man3/SSL_CTX_set_keylog_callback.html]=man3/SSL_CTX_set_keylog_callback.pod +DEPEND[man/man3/SSL_CTX_set_keylog_callback.3]=man3/SSL_CTX_set_keylog_callback.pod +GENERATE[man/man3/SSL_CTX_set_keylog_callback.3]=man3/SSL_CTX_set_keylog_callback.pod +DEPEND[html/man3/SSL_CTX_set_max_cert_list.html]=man3/SSL_CTX_set_max_cert_list.pod +GENERATE[html/man3/SSL_CTX_set_max_cert_list.html]=man3/SSL_CTX_set_max_cert_list.pod +DEPEND[man/man3/SSL_CTX_set_max_cert_list.3]=man3/SSL_CTX_set_max_cert_list.pod +GENERATE[man/man3/SSL_CTX_set_max_cert_list.3]=man3/SSL_CTX_set_max_cert_list.pod +DEPEND[html/man3/SSL_CTX_set_min_proto_version.html]=man3/SSL_CTX_set_min_proto_version.pod +GENERATE[html/man3/SSL_CTX_set_min_proto_version.html]=man3/SSL_CTX_set_min_proto_version.pod +DEPEND[man/man3/SSL_CTX_set_min_proto_version.3]=man3/SSL_CTX_set_min_proto_version.pod +GENERATE[man/man3/SSL_CTX_set_min_proto_version.3]=man3/SSL_CTX_set_min_proto_version.pod +DEPEND[html/man3/SSL_CTX_set_mode.html]=man3/SSL_CTX_set_mode.pod +GENERATE[html/man3/SSL_CTX_set_mode.html]=man3/SSL_CTX_set_mode.pod +DEPEND[man/man3/SSL_CTX_set_mode.3]=man3/SSL_CTX_set_mode.pod +GENERATE[man/man3/SSL_CTX_set_mode.3]=man3/SSL_CTX_set_mode.pod +DEPEND[html/man3/SSL_CTX_set_msg_callback.html]=man3/SSL_CTX_set_msg_callback.pod +GENERATE[html/man3/SSL_CTX_set_msg_callback.html]=man3/SSL_CTX_set_msg_callback.pod +DEPEND[man/man3/SSL_CTX_set_msg_callback.3]=man3/SSL_CTX_set_msg_callback.pod +GENERATE[man/man3/SSL_CTX_set_msg_callback.3]=man3/SSL_CTX_set_msg_callback.pod +DEPEND[html/man3/SSL_CTX_set_num_tickets.html]=man3/SSL_CTX_set_num_tickets.pod +GENERATE[html/man3/SSL_CTX_set_num_tickets.html]=man3/SSL_CTX_set_num_tickets.pod +DEPEND[man/man3/SSL_CTX_set_num_tickets.3]=man3/SSL_CTX_set_num_tickets.pod +GENERATE[man/man3/SSL_CTX_set_num_tickets.3]=man3/SSL_CTX_set_num_tickets.pod +DEPEND[html/man3/SSL_CTX_set_options.html]=man3/SSL_CTX_set_options.pod +GENERATE[html/man3/SSL_CTX_set_options.html]=man3/SSL_CTX_set_options.pod +DEPEND[man/man3/SSL_CTX_set_options.3]=man3/SSL_CTX_set_options.pod +GENERATE[man/man3/SSL_CTX_set_options.3]=man3/SSL_CTX_set_options.pod +DEPEND[html/man3/SSL_CTX_set_psk_client_callback.html]=man3/SSL_CTX_set_psk_client_callback.pod +GENERATE[html/man3/SSL_CTX_set_psk_client_callback.html]=man3/SSL_CTX_set_psk_client_callback.pod +DEPEND[man/man3/SSL_CTX_set_psk_client_callback.3]=man3/SSL_CTX_set_psk_client_callback.pod +GENERATE[man/man3/SSL_CTX_set_psk_client_callback.3]=man3/SSL_CTX_set_psk_client_callback.pod +DEPEND[html/man3/SSL_CTX_set_quiet_shutdown.html]=man3/SSL_CTX_set_quiet_shutdown.pod +GENERATE[html/man3/SSL_CTX_set_quiet_shutdown.html]=man3/SSL_CTX_set_quiet_shutdown.pod +DEPEND[man/man3/SSL_CTX_set_quiet_shutdown.3]=man3/SSL_CTX_set_quiet_shutdown.pod +GENERATE[man/man3/SSL_CTX_set_quiet_shutdown.3]=man3/SSL_CTX_set_quiet_shutdown.pod +DEPEND[html/man3/SSL_CTX_set_read_ahead.html]=man3/SSL_CTX_set_read_ahead.pod +GENERATE[html/man3/SSL_CTX_set_read_ahead.html]=man3/SSL_CTX_set_read_ahead.pod +DEPEND[man/man3/SSL_CTX_set_read_ahead.3]=man3/SSL_CTX_set_read_ahead.pod +GENERATE[man/man3/SSL_CTX_set_read_ahead.3]=man3/SSL_CTX_set_read_ahead.pod +DEPEND[html/man3/SSL_CTX_set_record_padding_callback.html]=man3/SSL_CTX_set_record_padding_callback.pod +GENERATE[html/man3/SSL_CTX_set_record_padding_callback.html]=man3/SSL_CTX_set_record_padding_callback.pod +DEPEND[man/man3/SSL_CTX_set_record_padding_callback.3]=man3/SSL_CTX_set_record_padding_callback.pod +GENERATE[man/man3/SSL_CTX_set_record_padding_callback.3]=man3/SSL_CTX_set_record_padding_callback.pod +DEPEND[html/man3/SSL_CTX_set_security_level.html]=man3/SSL_CTX_set_security_level.pod +GENERATE[html/man3/SSL_CTX_set_security_level.html]=man3/SSL_CTX_set_security_level.pod +DEPEND[man/man3/SSL_CTX_set_security_level.3]=man3/SSL_CTX_set_security_level.pod +GENERATE[man/man3/SSL_CTX_set_security_level.3]=man3/SSL_CTX_set_security_level.pod +DEPEND[html/man3/SSL_CTX_set_session_cache_mode.html]=man3/SSL_CTX_set_session_cache_mode.pod +GENERATE[html/man3/SSL_CTX_set_session_cache_mode.html]=man3/SSL_CTX_set_session_cache_mode.pod +DEPEND[man/man3/SSL_CTX_set_session_cache_mode.3]=man3/SSL_CTX_set_session_cache_mode.pod +GENERATE[man/man3/SSL_CTX_set_session_cache_mode.3]=man3/SSL_CTX_set_session_cache_mode.pod +DEPEND[html/man3/SSL_CTX_set_session_id_context.html]=man3/SSL_CTX_set_session_id_context.pod +GENERATE[html/man3/SSL_CTX_set_session_id_context.html]=man3/SSL_CTX_set_session_id_context.pod +DEPEND[man/man3/SSL_CTX_set_session_id_context.3]=man3/SSL_CTX_set_session_id_context.pod +GENERATE[man/man3/SSL_CTX_set_session_id_context.3]=man3/SSL_CTX_set_session_id_context.pod +DEPEND[html/man3/SSL_CTX_set_session_ticket_cb.html]=man3/SSL_CTX_set_session_ticket_cb.pod +GENERATE[html/man3/SSL_CTX_set_session_ticket_cb.html]=man3/SSL_CTX_set_session_ticket_cb.pod +DEPEND[man/man3/SSL_CTX_set_session_ticket_cb.3]=man3/SSL_CTX_set_session_ticket_cb.pod +GENERATE[man/man3/SSL_CTX_set_session_ticket_cb.3]=man3/SSL_CTX_set_session_ticket_cb.pod +DEPEND[html/man3/SSL_CTX_set_split_send_fragment.html]=man3/SSL_CTX_set_split_send_fragment.pod +GENERATE[html/man3/SSL_CTX_set_split_send_fragment.html]=man3/SSL_CTX_set_split_send_fragment.pod +DEPEND[man/man3/SSL_CTX_set_split_send_fragment.3]=man3/SSL_CTX_set_split_send_fragment.pod +GENERATE[man/man3/SSL_CTX_set_split_send_fragment.3]=man3/SSL_CTX_set_split_send_fragment.pod +DEPEND[html/man3/SSL_CTX_set_srp_password.html]=man3/SSL_CTX_set_srp_password.pod +GENERATE[html/man3/SSL_CTX_set_srp_password.html]=man3/SSL_CTX_set_srp_password.pod +DEPEND[man/man3/SSL_CTX_set_srp_password.3]=man3/SSL_CTX_set_srp_password.pod +GENERATE[man/man3/SSL_CTX_set_srp_password.3]=man3/SSL_CTX_set_srp_password.pod +DEPEND[html/man3/SSL_CTX_set_ssl_version.html]=man3/SSL_CTX_set_ssl_version.pod +GENERATE[html/man3/SSL_CTX_set_ssl_version.html]=man3/SSL_CTX_set_ssl_version.pod +DEPEND[man/man3/SSL_CTX_set_ssl_version.3]=man3/SSL_CTX_set_ssl_version.pod +GENERATE[man/man3/SSL_CTX_set_ssl_version.3]=man3/SSL_CTX_set_ssl_version.pod +DEPEND[html/man3/SSL_CTX_set_stateless_cookie_generate_cb.html]=man3/SSL_CTX_set_stateless_cookie_generate_cb.pod +GENERATE[html/man3/SSL_CTX_set_stateless_cookie_generate_cb.html]=man3/SSL_CTX_set_stateless_cookie_generate_cb.pod +DEPEND[man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3]=man3/SSL_CTX_set_stateless_cookie_generate_cb.pod +GENERATE[man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3]=man3/SSL_CTX_set_stateless_cookie_generate_cb.pod +DEPEND[html/man3/SSL_CTX_set_timeout.html]=man3/SSL_CTX_set_timeout.pod +GENERATE[html/man3/SSL_CTX_set_timeout.html]=man3/SSL_CTX_set_timeout.pod +DEPEND[man/man3/SSL_CTX_set_timeout.3]=man3/SSL_CTX_set_timeout.pod +GENERATE[man/man3/SSL_CTX_set_timeout.3]=man3/SSL_CTX_set_timeout.pod +DEPEND[html/man3/SSL_CTX_set_tlsext_servername_callback.html]=man3/SSL_CTX_set_tlsext_servername_callback.pod +GENERATE[html/man3/SSL_CTX_set_tlsext_servername_callback.html]=man3/SSL_CTX_set_tlsext_servername_callback.pod +DEPEND[man/man3/SSL_CTX_set_tlsext_servername_callback.3]=man3/SSL_CTX_set_tlsext_servername_callback.pod +GENERATE[man/man3/SSL_CTX_set_tlsext_servername_callback.3]=man3/SSL_CTX_set_tlsext_servername_callback.pod +DEPEND[html/man3/SSL_CTX_set_tlsext_status_cb.html]=man3/SSL_CTX_set_tlsext_status_cb.pod +GENERATE[html/man3/SSL_CTX_set_tlsext_status_cb.html]=man3/SSL_CTX_set_tlsext_status_cb.pod +DEPEND[man/man3/SSL_CTX_set_tlsext_status_cb.3]=man3/SSL_CTX_set_tlsext_status_cb.pod +GENERATE[man/man3/SSL_CTX_set_tlsext_status_cb.3]=man3/SSL_CTX_set_tlsext_status_cb.pod +DEPEND[html/man3/SSL_CTX_set_tlsext_ticket_key_cb.html]=man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +GENERATE[html/man3/SSL_CTX_set_tlsext_ticket_key_cb.html]=man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +DEPEND[man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3]=man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +GENERATE[man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3]=man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +DEPEND[html/man3/SSL_CTX_set_tlsext_use_srtp.html]=man3/SSL_CTX_set_tlsext_use_srtp.pod +GENERATE[html/man3/SSL_CTX_set_tlsext_use_srtp.html]=man3/SSL_CTX_set_tlsext_use_srtp.pod +DEPEND[man/man3/SSL_CTX_set_tlsext_use_srtp.3]=man3/SSL_CTX_set_tlsext_use_srtp.pod +GENERATE[man/man3/SSL_CTX_set_tlsext_use_srtp.3]=man3/SSL_CTX_set_tlsext_use_srtp.pod +DEPEND[html/man3/SSL_CTX_set_tmp_dh_callback.html]=man3/SSL_CTX_set_tmp_dh_callback.pod +GENERATE[html/man3/SSL_CTX_set_tmp_dh_callback.html]=man3/SSL_CTX_set_tmp_dh_callback.pod +DEPEND[man/man3/SSL_CTX_set_tmp_dh_callback.3]=man3/SSL_CTX_set_tmp_dh_callback.pod +GENERATE[man/man3/SSL_CTX_set_tmp_dh_callback.3]=man3/SSL_CTX_set_tmp_dh_callback.pod +DEPEND[html/man3/SSL_CTX_set_tmp_ecdh.html]=man3/SSL_CTX_set_tmp_ecdh.pod +GENERATE[html/man3/SSL_CTX_set_tmp_ecdh.html]=man3/SSL_CTX_set_tmp_ecdh.pod +DEPEND[man/man3/SSL_CTX_set_tmp_ecdh.3]=man3/SSL_CTX_set_tmp_ecdh.pod +GENERATE[man/man3/SSL_CTX_set_tmp_ecdh.3]=man3/SSL_CTX_set_tmp_ecdh.pod +DEPEND[html/man3/SSL_CTX_set_verify.html]=man3/SSL_CTX_set_verify.pod +GENERATE[html/man3/SSL_CTX_set_verify.html]=man3/SSL_CTX_set_verify.pod +DEPEND[man/man3/SSL_CTX_set_verify.3]=man3/SSL_CTX_set_verify.pod +GENERATE[man/man3/SSL_CTX_set_verify.3]=man3/SSL_CTX_set_verify.pod +DEPEND[html/man3/SSL_CTX_use_certificate.html]=man3/SSL_CTX_use_certificate.pod +GENERATE[html/man3/SSL_CTX_use_certificate.html]=man3/SSL_CTX_use_certificate.pod +DEPEND[man/man3/SSL_CTX_use_certificate.3]=man3/SSL_CTX_use_certificate.pod +GENERATE[man/man3/SSL_CTX_use_certificate.3]=man3/SSL_CTX_use_certificate.pod +DEPEND[html/man3/SSL_CTX_use_psk_identity_hint.html]=man3/SSL_CTX_use_psk_identity_hint.pod +GENERATE[html/man3/SSL_CTX_use_psk_identity_hint.html]=man3/SSL_CTX_use_psk_identity_hint.pod +DEPEND[man/man3/SSL_CTX_use_psk_identity_hint.3]=man3/SSL_CTX_use_psk_identity_hint.pod +GENERATE[man/man3/SSL_CTX_use_psk_identity_hint.3]=man3/SSL_CTX_use_psk_identity_hint.pod +DEPEND[html/man3/SSL_CTX_use_serverinfo.html]=man3/SSL_CTX_use_serverinfo.pod +GENERATE[html/man3/SSL_CTX_use_serverinfo.html]=man3/SSL_CTX_use_serverinfo.pod +DEPEND[man/man3/SSL_CTX_use_serverinfo.3]=man3/SSL_CTX_use_serverinfo.pod +GENERATE[man/man3/SSL_CTX_use_serverinfo.3]=man3/SSL_CTX_use_serverinfo.pod +DEPEND[html/man3/SSL_SESSION_free.html]=man3/SSL_SESSION_free.pod +GENERATE[html/man3/SSL_SESSION_free.html]=man3/SSL_SESSION_free.pod +DEPEND[man/man3/SSL_SESSION_free.3]=man3/SSL_SESSION_free.pod +GENERATE[man/man3/SSL_SESSION_free.3]=man3/SSL_SESSION_free.pod +DEPEND[html/man3/SSL_SESSION_get0_cipher.html]=man3/SSL_SESSION_get0_cipher.pod +GENERATE[html/man3/SSL_SESSION_get0_cipher.html]=man3/SSL_SESSION_get0_cipher.pod +DEPEND[man/man3/SSL_SESSION_get0_cipher.3]=man3/SSL_SESSION_get0_cipher.pod +GENERATE[man/man3/SSL_SESSION_get0_cipher.3]=man3/SSL_SESSION_get0_cipher.pod +DEPEND[html/man3/SSL_SESSION_get0_hostname.html]=man3/SSL_SESSION_get0_hostname.pod +GENERATE[html/man3/SSL_SESSION_get0_hostname.html]=man3/SSL_SESSION_get0_hostname.pod +DEPEND[man/man3/SSL_SESSION_get0_hostname.3]=man3/SSL_SESSION_get0_hostname.pod +GENERATE[man/man3/SSL_SESSION_get0_hostname.3]=man3/SSL_SESSION_get0_hostname.pod +DEPEND[html/man3/SSL_SESSION_get0_id_context.html]=man3/SSL_SESSION_get0_id_context.pod +GENERATE[html/man3/SSL_SESSION_get0_id_context.html]=man3/SSL_SESSION_get0_id_context.pod +DEPEND[man/man3/SSL_SESSION_get0_id_context.3]=man3/SSL_SESSION_get0_id_context.pod +GENERATE[man/man3/SSL_SESSION_get0_id_context.3]=man3/SSL_SESSION_get0_id_context.pod +DEPEND[html/man3/SSL_SESSION_get0_peer.html]=man3/SSL_SESSION_get0_peer.pod +GENERATE[html/man3/SSL_SESSION_get0_peer.html]=man3/SSL_SESSION_get0_peer.pod +DEPEND[man/man3/SSL_SESSION_get0_peer.3]=man3/SSL_SESSION_get0_peer.pod +GENERATE[man/man3/SSL_SESSION_get0_peer.3]=man3/SSL_SESSION_get0_peer.pod +DEPEND[html/man3/SSL_SESSION_get_compress_id.html]=man3/SSL_SESSION_get_compress_id.pod +GENERATE[html/man3/SSL_SESSION_get_compress_id.html]=man3/SSL_SESSION_get_compress_id.pod +DEPEND[man/man3/SSL_SESSION_get_compress_id.3]=man3/SSL_SESSION_get_compress_id.pod +GENERATE[man/man3/SSL_SESSION_get_compress_id.3]=man3/SSL_SESSION_get_compress_id.pod +DEPEND[html/man3/SSL_SESSION_get_protocol_version.html]=man3/SSL_SESSION_get_protocol_version.pod +GENERATE[html/man3/SSL_SESSION_get_protocol_version.html]=man3/SSL_SESSION_get_protocol_version.pod +DEPEND[man/man3/SSL_SESSION_get_protocol_version.3]=man3/SSL_SESSION_get_protocol_version.pod +GENERATE[man/man3/SSL_SESSION_get_protocol_version.3]=man3/SSL_SESSION_get_protocol_version.pod +DEPEND[html/man3/SSL_SESSION_get_time.html]=man3/SSL_SESSION_get_time.pod +GENERATE[html/man3/SSL_SESSION_get_time.html]=man3/SSL_SESSION_get_time.pod +DEPEND[man/man3/SSL_SESSION_get_time.3]=man3/SSL_SESSION_get_time.pod +GENERATE[man/man3/SSL_SESSION_get_time.3]=man3/SSL_SESSION_get_time.pod +DEPEND[html/man3/SSL_SESSION_has_ticket.html]=man3/SSL_SESSION_has_ticket.pod +GENERATE[html/man3/SSL_SESSION_has_ticket.html]=man3/SSL_SESSION_has_ticket.pod +DEPEND[man/man3/SSL_SESSION_has_ticket.3]=man3/SSL_SESSION_has_ticket.pod +GENERATE[man/man3/SSL_SESSION_has_ticket.3]=man3/SSL_SESSION_has_ticket.pod +DEPEND[html/man3/SSL_SESSION_is_resumable.html]=man3/SSL_SESSION_is_resumable.pod +GENERATE[html/man3/SSL_SESSION_is_resumable.html]=man3/SSL_SESSION_is_resumable.pod +DEPEND[man/man3/SSL_SESSION_is_resumable.3]=man3/SSL_SESSION_is_resumable.pod +GENERATE[man/man3/SSL_SESSION_is_resumable.3]=man3/SSL_SESSION_is_resumable.pod +DEPEND[html/man3/SSL_SESSION_print.html]=man3/SSL_SESSION_print.pod +GENERATE[html/man3/SSL_SESSION_print.html]=man3/SSL_SESSION_print.pod +DEPEND[man/man3/SSL_SESSION_print.3]=man3/SSL_SESSION_print.pod +GENERATE[man/man3/SSL_SESSION_print.3]=man3/SSL_SESSION_print.pod +DEPEND[html/man3/SSL_SESSION_set1_id.html]=man3/SSL_SESSION_set1_id.pod +GENERATE[html/man3/SSL_SESSION_set1_id.html]=man3/SSL_SESSION_set1_id.pod +DEPEND[man/man3/SSL_SESSION_set1_id.3]=man3/SSL_SESSION_set1_id.pod +GENERATE[man/man3/SSL_SESSION_set1_id.3]=man3/SSL_SESSION_set1_id.pod +DEPEND[html/man3/SSL_accept.html]=man3/SSL_accept.pod +GENERATE[html/man3/SSL_accept.html]=man3/SSL_accept.pod +DEPEND[man/man3/SSL_accept.3]=man3/SSL_accept.pod +GENERATE[man/man3/SSL_accept.3]=man3/SSL_accept.pod +DEPEND[html/man3/SSL_alert_type_string.html]=man3/SSL_alert_type_string.pod +GENERATE[html/man3/SSL_alert_type_string.html]=man3/SSL_alert_type_string.pod +DEPEND[man/man3/SSL_alert_type_string.3]=man3/SSL_alert_type_string.pod +GENERATE[man/man3/SSL_alert_type_string.3]=man3/SSL_alert_type_string.pod +DEPEND[html/man3/SSL_alloc_buffers.html]=man3/SSL_alloc_buffers.pod +GENERATE[html/man3/SSL_alloc_buffers.html]=man3/SSL_alloc_buffers.pod +DEPEND[man/man3/SSL_alloc_buffers.3]=man3/SSL_alloc_buffers.pod +GENERATE[man/man3/SSL_alloc_buffers.3]=man3/SSL_alloc_buffers.pod +DEPEND[html/man3/SSL_check_chain.html]=man3/SSL_check_chain.pod +GENERATE[html/man3/SSL_check_chain.html]=man3/SSL_check_chain.pod +DEPEND[man/man3/SSL_check_chain.3]=man3/SSL_check_chain.pod +GENERATE[man/man3/SSL_check_chain.3]=man3/SSL_check_chain.pod +DEPEND[html/man3/SSL_clear.html]=man3/SSL_clear.pod +GENERATE[html/man3/SSL_clear.html]=man3/SSL_clear.pod +DEPEND[man/man3/SSL_clear.3]=man3/SSL_clear.pod +GENERATE[man/man3/SSL_clear.3]=man3/SSL_clear.pod +DEPEND[html/man3/SSL_connect.html]=man3/SSL_connect.pod +GENERATE[html/man3/SSL_connect.html]=man3/SSL_connect.pod +DEPEND[man/man3/SSL_connect.3]=man3/SSL_connect.pod +GENERATE[man/man3/SSL_connect.3]=man3/SSL_connect.pod +DEPEND[html/man3/SSL_do_handshake.html]=man3/SSL_do_handshake.pod +GENERATE[html/man3/SSL_do_handshake.html]=man3/SSL_do_handshake.pod +DEPEND[man/man3/SSL_do_handshake.3]=man3/SSL_do_handshake.pod +GENERATE[man/man3/SSL_do_handshake.3]=man3/SSL_do_handshake.pod +DEPEND[html/man3/SSL_export_keying_material.html]=man3/SSL_export_keying_material.pod +GENERATE[html/man3/SSL_export_keying_material.html]=man3/SSL_export_keying_material.pod +DEPEND[man/man3/SSL_export_keying_material.3]=man3/SSL_export_keying_material.pod +GENERATE[man/man3/SSL_export_keying_material.3]=man3/SSL_export_keying_material.pod +DEPEND[html/man3/SSL_extension_supported.html]=man3/SSL_extension_supported.pod +GENERATE[html/man3/SSL_extension_supported.html]=man3/SSL_extension_supported.pod +DEPEND[man/man3/SSL_extension_supported.3]=man3/SSL_extension_supported.pod +GENERATE[man/man3/SSL_extension_supported.3]=man3/SSL_extension_supported.pod +DEPEND[html/man3/SSL_free.html]=man3/SSL_free.pod +GENERATE[html/man3/SSL_free.html]=man3/SSL_free.pod +DEPEND[man/man3/SSL_free.3]=man3/SSL_free.pod +GENERATE[man/man3/SSL_free.3]=man3/SSL_free.pod +DEPEND[html/man3/SSL_get0_peer_scts.html]=man3/SSL_get0_peer_scts.pod +GENERATE[html/man3/SSL_get0_peer_scts.html]=man3/SSL_get0_peer_scts.pod +DEPEND[man/man3/SSL_get0_peer_scts.3]=man3/SSL_get0_peer_scts.pod +GENERATE[man/man3/SSL_get0_peer_scts.3]=man3/SSL_get0_peer_scts.pod +DEPEND[html/man3/SSL_get_SSL_CTX.html]=man3/SSL_get_SSL_CTX.pod +GENERATE[html/man3/SSL_get_SSL_CTX.html]=man3/SSL_get_SSL_CTX.pod +DEPEND[man/man3/SSL_get_SSL_CTX.3]=man3/SSL_get_SSL_CTX.pod +GENERATE[man/man3/SSL_get_SSL_CTX.3]=man3/SSL_get_SSL_CTX.pod +DEPEND[html/man3/SSL_get_all_async_fds.html]=man3/SSL_get_all_async_fds.pod +GENERATE[html/man3/SSL_get_all_async_fds.html]=man3/SSL_get_all_async_fds.pod +DEPEND[man/man3/SSL_get_all_async_fds.3]=man3/SSL_get_all_async_fds.pod +GENERATE[man/man3/SSL_get_all_async_fds.3]=man3/SSL_get_all_async_fds.pod +DEPEND[html/man3/SSL_get_ciphers.html]=man3/SSL_get_ciphers.pod +GENERATE[html/man3/SSL_get_ciphers.html]=man3/SSL_get_ciphers.pod +DEPEND[man/man3/SSL_get_ciphers.3]=man3/SSL_get_ciphers.pod +GENERATE[man/man3/SSL_get_ciphers.3]=man3/SSL_get_ciphers.pod +DEPEND[html/man3/SSL_get_client_random.html]=man3/SSL_get_client_random.pod +GENERATE[html/man3/SSL_get_client_random.html]=man3/SSL_get_client_random.pod +DEPEND[man/man3/SSL_get_client_random.3]=man3/SSL_get_client_random.pod +GENERATE[man/man3/SSL_get_client_random.3]=man3/SSL_get_client_random.pod +DEPEND[html/man3/SSL_get_current_cipher.html]=man3/SSL_get_current_cipher.pod +GENERATE[html/man3/SSL_get_current_cipher.html]=man3/SSL_get_current_cipher.pod +DEPEND[man/man3/SSL_get_current_cipher.3]=man3/SSL_get_current_cipher.pod +GENERATE[man/man3/SSL_get_current_cipher.3]=man3/SSL_get_current_cipher.pod +DEPEND[html/man3/SSL_get_default_timeout.html]=man3/SSL_get_default_timeout.pod +GENERATE[html/man3/SSL_get_default_timeout.html]=man3/SSL_get_default_timeout.pod +DEPEND[man/man3/SSL_get_default_timeout.3]=man3/SSL_get_default_timeout.pod +GENERATE[man/man3/SSL_get_default_timeout.3]=man3/SSL_get_default_timeout.pod +DEPEND[html/man3/SSL_get_error.html]=man3/SSL_get_error.pod +GENERATE[html/man3/SSL_get_error.html]=man3/SSL_get_error.pod +DEPEND[man/man3/SSL_get_error.3]=man3/SSL_get_error.pod +GENERATE[man/man3/SSL_get_error.3]=man3/SSL_get_error.pod +DEPEND[html/man3/SSL_get_extms_support.html]=man3/SSL_get_extms_support.pod +GENERATE[html/man3/SSL_get_extms_support.html]=man3/SSL_get_extms_support.pod +DEPEND[man/man3/SSL_get_extms_support.3]=man3/SSL_get_extms_support.pod +GENERATE[man/man3/SSL_get_extms_support.3]=man3/SSL_get_extms_support.pod +DEPEND[html/man3/SSL_get_fd.html]=man3/SSL_get_fd.pod +GENERATE[html/man3/SSL_get_fd.html]=man3/SSL_get_fd.pod +DEPEND[man/man3/SSL_get_fd.3]=man3/SSL_get_fd.pod +GENERATE[man/man3/SSL_get_fd.3]=man3/SSL_get_fd.pod +DEPEND[html/man3/SSL_get_peer_cert_chain.html]=man3/SSL_get_peer_cert_chain.pod +GENERATE[html/man3/SSL_get_peer_cert_chain.html]=man3/SSL_get_peer_cert_chain.pod +DEPEND[man/man3/SSL_get_peer_cert_chain.3]=man3/SSL_get_peer_cert_chain.pod +GENERATE[man/man3/SSL_get_peer_cert_chain.3]=man3/SSL_get_peer_cert_chain.pod +DEPEND[html/man3/SSL_get_peer_certificate.html]=man3/SSL_get_peer_certificate.pod +GENERATE[html/man3/SSL_get_peer_certificate.html]=man3/SSL_get_peer_certificate.pod +DEPEND[man/man3/SSL_get_peer_certificate.3]=man3/SSL_get_peer_certificate.pod +GENERATE[man/man3/SSL_get_peer_certificate.3]=man3/SSL_get_peer_certificate.pod +DEPEND[html/man3/SSL_get_peer_signature_nid.html]=man3/SSL_get_peer_signature_nid.pod +GENERATE[html/man3/SSL_get_peer_signature_nid.html]=man3/SSL_get_peer_signature_nid.pod +DEPEND[man/man3/SSL_get_peer_signature_nid.3]=man3/SSL_get_peer_signature_nid.pod +GENERATE[man/man3/SSL_get_peer_signature_nid.3]=man3/SSL_get_peer_signature_nid.pod +DEPEND[html/man3/SSL_get_peer_tmp_key.html]=man3/SSL_get_peer_tmp_key.pod +GENERATE[html/man3/SSL_get_peer_tmp_key.html]=man3/SSL_get_peer_tmp_key.pod +DEPEND[man/man3/SSL_get_peer_tmp_key.3]=man3/SSL_get_peer_tmp_key.pod +GENERATE[man/man3/SSL_get_peer_tmp_key.3]=man3/SSL_get_peer_tmp_key.pod +DEPEND[html/man3/SSL_get_psk_identity.html]=man3/SSL_get_psk_identity.pod +GENERATE[html/man3/SSL_get_psk_identity.html]=man3/SSL_get_psk_identity.pod +DEPEND[man/man3/SSL_get_psk_identity.3]=man3/SSL_get_psk_identity.pod +GENERATE[man/man3/SSL_get_psk_identity.3]=man3/SSL_get_psk_identity.pod +DEPEND[html/man3/SSL_get_rbio.html]=man3/SSL_get_rbio.pod +GENERATE[html/man3/SSL_get_rbio.html]=man3/SSL_get_rbio.pod +DEPEND[man/man3/SSL_get_rbio.3]=man3/SSL_get_rbio.pod +GENERATE[man/man3/SSL_get_rbio.3]=man3/SSL_get_rbio.pod +DEPEND[html/man3/SSL_get_session.html]=man3/SSL_get_session.pod +GENERATE[html/man3/SSL_get_session.html]=man3/SSL_get_session.pod +DEPEND[man/man3/SSL_get_session.3]=man3/SSL_get_session.pod +GENERATE[man/man3/SSL_get_session.3]=man3/SSL_get_session.pod +DEPEND[html/man3/SSL_get_shared_sigalgs.html]=man3/SSL_get_shared_sigalgs.pod +GENERATE[html/man3/SSL_get_shared_sigalgs.html]=man3/SSL_get_shared_sigalgs.pod +DEPEND[man/man3/SSL_get_shared_sigalgs.3]=man3/SSL_get_shared_sigalgs.pod +GENERATE[man/man3/SSL_get_shared_sigalgs.3]=man3/SSL_get_shared_sigalgs.pod +DEPEND[html/man3/SSL_get_verify_result.html]=man3/SSL_get_verify_result.pod +GENERATE[html/man3/SSL_get_verify_result.html]=man3/SSL_get_verify_result.pod +DEPEND[man/man3/SSL_get_verify_result.3]=man3/SSL_get_verify_result.pod +GENERATE[man/man3/SSL_get_verify_result.3]=man3/SSL_get_verify_result.pod +DEPEND[html/man3/SSL_get_version.html]=man3/SSL_get_version.pod +GENERATE[html/man3/SSL_get_version.html]=man3/SSL_get_version.pod +DEPEND[man/man3/SSL_get_version.3]=man3/SSL_get_version.pod +GENERATE[man/man3/SSL_get_version.3]=man3/SSL_get_version.pod +DEPEND[html/man3/SSL_group_to_name.html]=man3/SSL_group_to_name.pod +GENERATE[html/man3/SSL_group_to_name.html]=man3/SSL_group_to_name.pod +DEPEND[man/man3/SSL_group_to_name.3]=man3/SSL_group_to_name.pod +GENERATE[man/man3/SSL_group_to_name.3]=man3/SSL_group_to_name.pod +DEPEND[html/man3/SSL_in_init.html]=man3/SSL_in_init.pod +GENERATE[html/man3/SSL_in_init.html]=man3/SSL_in_init.pod +DEPEND[man/man3/SSL_in_init.3]=man3/SSL_in_init.pod +GENERATE[man/man3/SSL_in_init.3]=man3/SSL_in_init.pod +DEPEND[html/man3/SSL_key_update.html]=man3/SSL_key_update.pod +GENERATE[html/man3/SSL_key_update.html]=man3/SSL_key_update.pod +DEPEND[man/man3/SSL_key_update.3]=man3/SSL_key_update.pod +GENERATE[man/man3/SSL_key_update.3]=man3/SSL_key_update.pod +DEPEND[html/man3/SSL_library_init.html]=man3/SSL_library_init.pod +GENERATE[html/man3/SSL_library_init.html]=man3/SSL_library_init.pod +DEPEND[man/man3/SSL_library_init.3]=man3/SSL_library_init.pod +GENERATE[man/man3/SSL_library_init.3]=man3/SSL_library_init.pod +DEPEND[html/man3/SSL_load_client_CA_file.html]=man3/SSL_load_client_CA_file.pod +GENERATE[html/man3/SSL_load_client_CA_file.html]=man3/SSL_load_client_CA_file.pod +DEPEND[man/man3/SSL_load_client_CA_file.3]=man3/SSL_load_client_CA_file.pod +GENERATE[man/man3/SSL_load_client_CA_file.3]=man3/SSL_load_client_CA_file.pod +DEPEND[html/man3/SSL_new.html]=man3/SSL_new.pod +GENERATE[html/man3/SSL_new.html]=man3/SSL_new.pod +DEPEND[man/man3/SSL_new.3]=man3/SSL_new.pod +GENERATE[man/man3/SSL_new.3]=man3/SSL_new.pod +DEPEND[html/man3/SSL_pending.html]=man3/SSL_pending.pod +GENERATE[html/man3/SSL_pending.html]=man3/SSL_pending.pod +DEPEND[man/man3/SSL_pending.3]=man3/SSL_pending.pod +GENERATE[man/man3/SSL_pending.3]=man3/SSL_pending.pod +DEPEND[html/man3/SSL_read.html]=man3/SSL_read.pod +GENERATE[html/man3/SSL_read.html]=man3/SSL_read.pod +DEPEND[man/man3/SSL_read.3]=man3/SSL_read.pod +GENERATE[man/man3/SSL_read.3]=man3/SSL_read.pod +DEPEND[html/man3/SSL_read_early_data.html]=man3/SSL_read_early_data.pod +GENERATE[html/man3/SSL_read_early_data.html]=man3/SSL_read_early_data.pod +DEPEND[man/man3/SSL_read_early_data.3]=man3/SSL_read_early_data.pod +GENERATE[man/man3/SSL_read_early_data.3]=man3/SSL_read_early_data.pod +DEPEND[html/man3/SSL_rstate_string.html]=man3/SSL_rstate_string.pod +GENERATE[html/man3/SSL_rstate_string.html]=man3/SSL_rstate_string.pod +DEPEND[man/man3/SSL_rstate_string.3]=man3/SSL_rstate_string.pod +GENERATE[man/man3/SSL_rstate_string.3]=man3/SSL_rstate_string.pod +DEPEND[html/man3/SSL_session_reused.html]=man3/SSL_session_reused.pod +GENERATE[html/man3/SSL_session_reused.html]=man3/SSL_session_reused.pod +DEPEND[man/man3/SSL_session_reused.3]=man3/SSL_session_reused.pod +GENERATE[man/man3/SSL_session_reused.3]=man3/SSL_session_reused.pod +DEPEND[html/man3/SSL_set1_host.html]=man3/SSL_set1_host.pod +GENERATE[html/man3/SSL_set1_host.html]=man3/SSL_set1_host.pod +DEPEND[man/man3/SSL_set1_host.3]=man3/SSL_set1_host.pod +GENERATE[man/man3/SSL_set1_host.3]=man3/SSL_set1_host.pod +DEPEND[html/man3/SSL_set_async_callback.html]=man3/SSL_set_async_callback.pod +GENERATE[html/man3/SSL_set_async_callback.html]=man3/SSL_set_async_callback.pod +DEPEND[man/man3/SSL_set_async_callback.3]=man3/SSL_set_async_callback.pod +GENERATE[man/man3/SSL_set_async_callback.3]=man3/SSL_set_async_callback.pod +DEPEND[html/man3/SSL_set_bio.html]=man3/SSL_set_bio.pod +GENERATE[html/man3/SSL_set_bio.html]=man3/SSL_set_bio.pod +DEPEND[man/man3/SSL_set_bio.3]=man3/SSL_set_bio.pod +GENERATE[man/man3/SSL_set_bio.3]=man3/SSL_set_bio.pod +DEPEND[html/man3/SSL_set_connect_state.html]=man3/SSL_set_connect_state.pod +GENERATE[html/man3/SSL_set_connect_state.html]=man3/SSL_set_connect_state.pod +DEPEND[man/man3/SSL_set_connect_state.3]=man3/SSL_set_connect_state.pod +GENERATE[man/man3/SSL_set_connect_state.3]=man3/SSL_set_connect_state.pod +DEPEND[html/man3/SSL_set_fd.html]=man3/SSL_set_fd.pod +GENERATE[html/man3/SSL_set_fd.html]=man3/SSL_set_fd.pod +DEPEND[man/man3/SSL_set_fd.3]=man3/SSL_set_fd.pod +GENERATE[man/man3/SSL_set_fd.3]=man3/SSL_set_fd.pod +DEPEND[html/man3/SSL_set_session.html]=man3/SSL_set_session.pod +GENERATE[html/man3/SSL_set_session.html]=man3/SSL_set_session.pod +DEPEND[man/man3/SSL_set_session.3]=man3/SSL_set_session.pod +GENERATE[man/man3/SSL_set_session.3]=man3/SSL_set_session.pod +DEPEND[html/man3/SSL_set_shutdown.html]=man3/SSL_set_shutdown.pod +GENERATE[html/man3/SSL_set_shutdown.html]=man3/SSL_set_shutdown.pod +DEPEND[man/man3/SSL_set_shutdown.3]=man3/SSL_set_shutdown.pod +GENERATE[man/man3/SSL_set_shutdown.3]=man3/SSL_set_shutdown.pod +DEPEND[html/man3/SSL_set_verify_result.html]=man3/SSL_set_verify_result.pod +GENERATE[html/man3/SSL_set_verify_result.html]=man3/SSL_set_verify_result.pod +DEPEND[man/man3/SSL_set_verify_result.3]=man3/SSL_set_verify_result.pod +GENERATE[man/man3/SSL_set_verify_result.3]=man3/SSL_set_verify_result.pod +DEPEND[html/man3/SSL_shutdown.html]=man3/SSL_shutdown.pod +GENERATE[html/man3/SSL_shutdown.html]=man3/SSL_shutdown.pod +DEPEND[man/man3/SSL_shutdown.3]=man3/SSL_shutdown.pod +GENERATE[man/man3/SSL_shutdown.3]=man3/SSL_shutdown.pod +DEPEND[html/man3/SSL_state_string.html]=man3/SSL_state_string.pod +GENERATE[html/man3/SSL_state_string.html]=man3/SSL_state_string.pod +DEPEND[man/man3/SSL_state_string.3]=man3/SSL_state_string.pod +GENERATE[man/man3/SSL_state_string.3]=man3/SSL_state_string.pod +DEPEND[html/man3/SSL_want.html]=man3/SSL_want.pod +GENERATE[html/man3/SSL_want.html]=man3/SSL_want.pod +DEPEND[man/man3/SSL_want.3]=man3/SSL_want.pod +GENERATE[man/man3/SSL_want.3]=man3/SSL_want.pod +DEPEND[html/man3/SSL_write.html]=man3/SSL_write.pod +GENERATE[html/man3/SSL_write.html]=man3/SSL_write.pod +DEPEND[man/man3/SSL_write.3]=man3/SSL_write.pod +GENERATE[man/man3/SSL_write.3]=man3/SSL_write.pod +DEPEND[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod +GENERATE[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod +DEPEND[man/man3/TS_VERIFY_CTX_set_certs.3]=man3/TS_VERIFY_CTX_set_certs.pod +GENERATE[man/man3/TS_VERIFY_CTX_set_certs.3]=man3/TS_VERIFY_CTX_set_certs.pod +DEPEND[html/man3/UI_STRING.html]=man3/UI_STRING.pod +GENERATE[html/man3/UI_STRING.html]=man3/UI_STRING.pod +DEPEND[man/man3/UI_STRING.3]=man3/UI_STRING.pod +GENERATE[man/man3/UI_STRING.3]=man3/UI_STRING.pod +DEPEND[html/man3/UI_UTIL_read_pw.html]=man3/UI_UTIL_read_pw.pod +GENERATE[html/man3/UI_UTIL_read_pw.html]=man3/UI_UTIL_read_pw.pod +DEPEND[man/man3/UI_UTIL_read_pw.3]=man3/UI_UTIL_read_pw.pod +GENERATE[man/man3/UI_UTIL_read_pw.3]=man3/UI_UTIL_read_pw.pod +DEPEND[html/man3/UI_create_method.html]=man3/UI_create_method.pod +GENERATE[html/man3/UI_create_method.html]=man3/UI_create_method.pod +DEPEND[man/man3/UI_create_method.3]=man3/UI_create_method.pod +GENERATE[man/man3/UI_create_method.3]=man3/UI_create_method.pod +DEPEND[html/man3/UI_new.html]=man3/UI_new.pod +GENERATE[html/man3/UI_new.html]=man3/UI_new.pod +DEPEND[man/man3/UI_new.3]=man3/UI_new.pod +GENERATE[man/man3/UI_new.3]=man3/UI_new.pod +DEPEND[html/man3/X509V3_get_d2i.html]=man3/X509V3_get_d2i.pod +GENERATE[html/man3/X509V3_get_d2i.html]=man3/X509V3_get_d2i.pod +DEPEND[man/man3/X509V3_get_d2i.3]=man3/X509V3_get_d2i.pod +GENERATE[man/man3/X509V3_get_d2i.3]=man3/X509V3_get_d2i.pod +DEPEND[html/man3/X509V3_set_ctx.html]=man3/X509V3_set_ctx.pod +GENERATE[html/man3/X509V3_set_ctx.html]=man3/X509V3_set_ctx.pod +DEPEND[man/man3/X509V3_set_ctx.3]=man3/X509V3_set_ctx.pod +GENERATE[man/man3/X509V3_set_ctx.3]=man3/X509V3_set_ctx.pod +DEPEND[html/man3/X509_ALGOR_dup.html]=man3/X509_ALGOR_dup.pod +GENERATE[html/man3/X509_ALGOR_dup.html]=man3/X509_ALGOR_dup.pod +DEPEND[man/man3/X509_ALGOR_dup.3]=man3/X509_ALGOR_dup.pod +GENERATE[man/man3/X509_ALGOR_dup.3]=man3/X509_ALGOR_dup.pod +DEPEND[html/man3/X509_CRL_get0_by_serial.html]=man3/X509_CRL_get0_by_serial.pod +GENERATE[html/man3/X509_CRL_get0_by_serial.html]=man3/X509_CRL_get0_by_serial.pod +DEPEND[man/man3/X509_CRL_get0_by_serial.3]=man3/X509_CRL_get0_by_serial.pod +GENERATE[man/man3/X509_CRL_get0_by_serial.3]=man3/X509_CRL_get0_by_serial.pod +DEPEND[html/man3/X509_EXTENSION_set_object.html]=man3/X509_EXTENSION_set_object.pod +GENERATE[html/man3/X509_EXTENSION_set_object.html]=man3/X509_EXTENSION_set_object.pod +DEPEND[man/man3/X509_EXTENSION_set_object.3]=man3/X509_EXTENSION_set_object.pod +GENERATE[man/man3/X509_EXTENSION_set_object.3]=man3/X509_EXTENSION_set_object.pod +DEPEND[html/man3/X509_LOOKUP.html]=man3/X509_LOOKUP.pod +GENERATE[html/man3/X509_LOOKUP.html]=man3/X509_LOOKUP.pod +DEPEND[man/man3/X509_LOOKUP.3]=man3/X509_LOOKUP.pod +GENERATE[man/man3/X509_LOOKUP.3]=man3/X509_LOOKUP.pod +DEPEND[html/man3/X509_LOOKUP_hash_dir.html]=man3/X509_LOOKUP_hash_dir.pod +GENERATE[html/man3/X509_LOOKUP_hash_dir.html]=man3/X509_LOOKUP_hash_dir.pod +DEPEND[man/man3/X509_LOOKUP_hash_dir.3]=man3/X509_LOOKUP_hash_dir.pod +GENERATE[man/man3/X509_LOOKUP_hash_dir.3]=man3/X509_LOOKUP_hash_dir.pod +DEPEND[html/man3/X509_LOOKUP_meth_new.html]=man3/X509_LOOKUP_meth_new.pod +GENERATE[html/man3/X509_LOOKUP_meth_new.html]=man3/X509_LOOKUP_meth_new.pod +DEPEND[man/man3/X509_LOOKUP_meth_new.3]=man3/X509_LOOKUP_meth_new.pod +GENERATE[man/man3/X509_LOOKUP_meth_new.3]=man3/X509_LOOKUP_meth_new.pod +DEPEND[html/man3/X509_NAME_ENTRY_get_object.html]=man3/X509_NAME_ENTRY_get_object.pod +GENERATE[html/man3/X509_NAME_ENTRY_get_object.html]=man3/X509_NAME_ENTRY_get_object.pod +DEPEND[man/man3/X509_NAME_ENTRY_get_object.3]=man3/X509_NAME_ENTRY_get_object.pod +GENERATE[man/man3/X509_NAME_ENTRY_get_object.3]=man3/X509_NAME_ENTRY_get_object.pod +DEPEND[html/man3/X509_NAME_add_entry_by_txt.html]=man3/X509_NAME_add_entry_by_txt.pod +GENERATE[html/man3/X509_NAME_add_entry_by_txt.html]=man3/X509_NAME_add_entry_by_txt.pod +DEPEND[man/man3/X509_NAME_add_entry_by_txt.3]=man3/X509_NAME_add_entry_by_txt.pod +GENERATE[man/man3/X509_NAME_add_entry_by_txt.3]=man3/X509_NAME_add_entry_by_txt.pod +DEPEND[html/man3/X509_NAME_get0_der.html]=man3/X509_NAME_get0_der.pod +GENERATE[html/man3/X509_NAME_get0_der.html]=man3/X509_NAME_get0_der.pod +DEPEND[man/man3/X509_NAME_get0_der.3]=man3/X509_NAME_get0_der.pod +GENERATE[man/man3/X509_NAME_get0_der.3]=man3/X509_NAME_get0_der.pod +DEPEND[html/man3/X509_NAME_get_index_by_NID.html]=man3/X509_NAME_get_index_by_NID.pod +GENERATE[html/man3/X509_NAME_get_index_by_NID.html]=man3/X509_NAME_get_index_by_NID.pod +DEPEND[man/man3/X509_NAME_get_index_by_NID.3]=man3/X509_NAME_get_index_by_NID.pod +GENERATE[man/man3/X509_NAME_get_index_by_NID.3]=man3/X509_NAME_get_index_by_NID.pod +DEPEND[html/man3/X509_NAME_print_ex.html]=man3/X509_NAME_print_ex.pod +GENERATE[html/man3/X509_NAME_print_ex.html]=man3/X509_NAME_print_ex.pod +DEPEND[man/man3/X509_NAME_print_ex.3]=man3/X509_NAME_print_ex.pod +GENERATE[man/man3/X509_NAME_print_ex.3]=man3/X509_NAME_print_ex.pod +DEPEND[html/man3/X509_PUBKEY_new.html]=man3/X509_PUBKEY_new.pod +GENERATE[html/man3/X509_PUBKEY_new.html]=man3/X509_PUBKEY_new.pod +DEPEND[man/man3/X509_PUBKEY_new.3]=man3/X509_PUBKEY_new.pod +GENERATE[man/man3/X509_PUBKEY_new.3]=man3/X509_PUBKEY_new.pod +DEPEND[html/man3/X509_SIG_get0.html]=man3/X509_SIG_get0.pod +GENERATE[html/man3/X509_SIG_get0.html]=man3/X509_SIG_get0.pod +DEPEND[man/man3/X509_SIG_get0.3]=man3/X509_SIG_get0.pod +GENERATE[man/man3/X509_SIG_get0.3]=man3/X509_SIG_get0.pod +DEPEND[html/man3/X509_STORE_CTX_get_error.html]=man3/X509_STORE_CTX_get_error.pod +GENERATE[html/man3/X509_STORE_CTX_get_error.html]=man3/X509_STORE_CTX_get_error.pod +DEPEND[man/man3/X509_STORE_CTX_get_error.3]=man3/X509_STORE_CTX_get_error.pod +GENERATE[man/man3/X509_STORE_CTX_get_error.3]=man3/X509_STORE_CTX_get_error.pod +DEPEND[html/man3/X509_STORE_CTX_new.html]=man3/X509_STORE_CTX_new.pod +GENERATE[html/man3/X509_STORE_CTX_new.html]=man3/X509_STORE_CTX_new.pod +DEPEND[man/man3/X509_STORE_CTX_new.3]=man3/X509_STORE_CTX_new.pod +GENERATE[man/man3/X509_STORE_CTX_new.3]=man3/X509_STORE_CTX_new.pod +DEPEND[html/man3/X509_STORE_CTX_set_verify_cb.html]=man3/X509_STORE_CTX_set_verify_cb.pod +GENERATE[html/man3/X509_STORE_CTX_set_verify_cb.html]=man3/X509_STORE_CTX_set_verify_cb.pod +DEPEND[man/man3/X509_STORE_CTX_set_verify_cb.3]=man3/X509_STORE_CTX_set_verify_cb.pod +GENERATE[man/man3/X509_STORE_CTX_set_verify_cb.3]=man3/X509_STORE_CTX_set_verify_cb.pod +DEPEND[html/man3/X509_STORE_add_cert.html]=man3/X509_STORE_add_cert.pod +GENERATE[html/man3/X509_STORE_add_cert.html]=man3/X509_STORE_add_cert.pod +DEPEND[man/man3/X509_STORE_add_cert.3]=man3/X509_STORE_add_cert.pod +GENERATE[man/man3/X509_STORE_add_cert.3]=man3/X509_STORE_add_cert.pod +DEPEND[html/man3/X509_STORE_get0_param.html]=man3/X509_STORE_get0_param.pod +GENERATE[html/man3/X509_STORE_get0_param.html]=man3/X509_STORE_get0_param.pod +DEPEND[man/man3/X509_STORE_get0_param.3]=man3/X509_STORE_get0_param.pod +GENERATE[man/man3/X509_STORE_get0_param.3]=man3/X509_STORE_get0_param.pod +DEPEND[html/man3/X509_STORE_new.html]=man3/X509_STORE_new.pod +GENERATE[html/man3/X509_STORE_new.html]=man3/X509_STORE_new.pod +DEPEND[man/man3/X509_STORE_new.3]=man3/X509_STORE_new.pod +GENERATE[man/man3/X509_STORE_new.3]=man3/X509_STORE_new.pod +DEPEND[html/man3/X509_STORE_set_verify_cb_func.html]=man3/X509_STORE_set_verify_cb_func.pod +GENERATE[html/man3/X509_STORE_set_verify_cb_func.html]=man3/X509_STORE_set_verify_cb_func.pod +DEPEND[man/man3/X509_STORE_set_verify_cb_func.3]=man3/X509_STORE_set_verify_cb_func.pod +GENERATE[man/man3/X509_STORE_set_verify_cb_func.3]=man3/X509_STORE_set_verify_cb_func.pod +DEPEND[html/man3/X509_VERIFY_PARAM_set_flags.html]=man3/X509_VERIFY_PARAM_set_flags.pod +GENERATE[html/man3/X509_VERIFY_PARAM_set_flags.html]=man3/X509_VERIFY_PARAM_set_flags.pod +DEPEND[man/man3/X509_VERIFY_PARAM_set_flags.3]=man3/X509_VERIFY_PARAM_set_flags.pod +GENERATE[man/man3/X509_VERIFY_PARAM_set_flags.3]=man3/X509_VERIFY_PARAM_set_flags.pod +DEPEND[html/man3/X509_add_cert.html]=man3/X509_add_cert.pod +GENERATE[html/man3/X509_add_cert.html]=man3/X509_add_cert.pod +DEPEND[man/man3/X509_add_cert.3]=man3/X509_add_cert.pod +GENERATE[man/man3/X509_add_cert.3]=man3/X509_add_cert.pod +DEPEND[html/man3/X509_check_ca.html]=man3/X509_check_ca.pod +GENERATE[html/man3/X509_check_ca.html]=man3/X509_check_ca.pod +DEPEND[man/man3/X509_check_ca.3]=man3/X509_check_ca.pod +GENERATE[man/man3/X509_check_ca.3]=man3/X509_check_ca.pod +DEPEND[html/man3/X509_check_host.html]=man3/X509_check_host.pod +GENERATE[html/man3/X509_check_host.html]=man3/X509_check_host.pod +DEPEND[man/man3/X509_check_host.3]=man3/X509_check_host.pod +GENERATE[man/man3/X509_check_host.3]=man3/X509_check_host.pod +DEPEND[html/man3/X509_check_issued.html]=man3/X509_check_issued.pod +GENERATE[html/man3/X509_check_issued.html]=man3/X509_check_issued.pod +DEPEND[man/man3/X509_check_issued.3]=man3/X509_check_issued.pod +GENERATE[man/man3/X509_check_issued.3]=man3/X509_check_issued.pod +DEPEND[html/man3/X509_check_private_key.html]=man3/X509_check_private_key.pod +GENERATE[html/man3/X509_check_private_key.html]=man3/X509_check_private_key.pod +DEPEND[man/man3/X509_check_private_key.3]=man3/X509_check_private_key.pod +GENERATE[man/man3/X509_check_private_key.3]=man3/X509_check_private_key.pod +DEPEND[html/man3/X509_check_purpose.html]=man3/X509_check_purpose.pod +GENERATE[html/man3/X509_check_purpose.html]=man3/X509_check_purpose.pod +DEPEND[man/man3/X509_check_purpose.3]=man3/X509_check_purpose.pod +GENERATE[man/man3/X509_check_purpose.3]=man3/X509_check_purpose.pod +DEPEND[html/man3/X509_cmp.html]=man3/X509_cmp.pod +GENERATE[html/man3/X509_cmp.html]=man3/X509_cmp.pod +DEPEND[man/man3/X509_cmp.3]=man3/X509_cmp.pod +GENERATE[man/man3/X509_cmp.3]=man3/X509_cmp.pod +DEPEND[html/man3/X509_cmp_time.html]=man3/X509_cmp_time.pod +GENERATE[html/man3/X509_cmp_time.html]=man3/X509_cmp_time.pod +DEPEND[man/man3/X509_cmp_time.3]=man3/X509_cmp_time.pod +GENERATE[man/man3/X509_cmp_time.3]=man3/X509_cmp_time.pod +DEPEND[html/man3/X509_digest.html]=man3/X509_digest.pod +GENERATE[html/man3/X509_digest.html]=man3/X509_digest.pod +DEPEND[man/man3/X509_digest.3]=man3/X509_digest.pod +GENERATE[man/man3/X509_digest.3]=man3/X509_digest.pod +DEPEND[html/man3/X509_dup.html]=man3/X509_dup.pod +GENERATE[html/man3/X509_dup.html]=man3/X509_dup.pod +DEPEND[man/man3/X509_dup.3]=man3/X509_dup.pod +GENERATE[man/man3/X509_dup.3]=man3/X509_dup.pod +DEPEND[html/man3/X509_get0_distinguishing_id.html]=man3/X509_get0_distinguishing_id.pod +GENERATE[html/man3/X509_get0_distinguishing_id.html]=man3/X509_get0_distinguishing_id.pod +DEPEND[man/man3/X509_get0_distinguishing_id.3]=man3/X509_get0_distinguishing_id.pod +GENERATE[man/man3/X509_get0_distinguishing_id.3]=man3/X509_get0_distinguishing_id.pod +DEPEND[html/man3/X509_get0_notBefore.html]=man3/X509_get0_notBefore.pod +GENERATE[html/man3/X509_get0_notBefore.html]=man3/X509_get0_notBefore.pod +DEPEND[man/man3/X509_get0_notBefore.3]=man3/X509_get0_notBefore.pod +GENERATE[man/man3/X509_get0_notBefore.3]=man3/X509_get0_notBefore.pod +DEPEND[html/man3/X509_get0_signature.html]=man3/X509_get0_signature.pod +GENERATE[html/man3/X509_get0_signature.html]=man3/X509_get0_signature.pod +DEPEND[man/man3/X509_get0_signature.3]=man3/X509_get0_signature.pod +GENERATE[man/man3/X509_get0_signature.3]=man3/X509_get0_signature.pod +DEPEND[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod +GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod +DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod +GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod +DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod +GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod +DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod +GENERATE[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod +DEPEND[html/man3/X509_get_pubkey.html]=man3/X509_get_pubkey.pod +GENERATE[html/man3/X509_get_pubkey.html]=man3/X509_get_pubkey.pod +DEPEND[man/man3/X509_get_pubkey.3]=man3/X509_get_pubkey.pod +GENERATE[man/man3/X509_get_pubkey.3]=man3/X509_get_pubkey.pod +DEPEND[html/man3/X509_get_serialNumber.html]=man3/X509_get_serialNumber.pod +GENERATE[html/man3/X509_get_serialNumber.html]=man3/X509_get_serialNumber.pod +DEPEND[man/man3/X509_get_serialNumber.3]=man3/X509_get_serialNumber.pod +GENERATE[man/man3/X509_get_serialNumber.3]=man3/X509_get_serialNumber.pod +DEPEND[html/man3/X509_get_subject_name.html]=man3/X509_get_subject_name.pod +GENERATE[html/man3/X509_get_subject_name.html]=man3/X509_get_subject_name.pod +DEPEND[man/man3/X509_get_subject_name.3]=man3/X509_get_subject_name.pod +GENERATE[man/man3/X509_get_subject_name.3]=man3/X509_get_subject_name.pod +DEPEND[html/man3/X509_get_version.html]=man3/X509_get_version.pod +GENERATE[html/man3/X509_get_version.html]=man3/X509_get_version.pod +DEPEND[man/man3/X509_get_version.3]=man3/X509_get_version.pod +GENERATE[man/man3/X509_get_version.3]=man3/X509_get_version.pod +DEPEND[html/man3/X509_load_http.html]=man3/X509_load_http.pod +GENERATE[html/man3/X509_load_http.html]=man3/X509_load_http.pod +DEPEND[man/man3/X509_load_http.3]=man3/X509_load_http.pod +GENERATE[man/man3/X509_load_http.3]=man3/X509_load_http.pod +DEPEND[html/man3/X509_new.html]=man3/X509_new.pod +GENERATE[html/man3/X509_new.html]=man3/X509_new.pod +DEPEND[man/man3/X509_new.3]=man3/X509_new.pod +GENERATE[man/man3/X509_new.3]=man3/X509_new.pod +DEPEND[html/man3/X509_sign.html]=man3/X509_sign.pod +GENERATE[html/man3/X509_sign.html]=man3/X509_sign.pod +DEPEND[man/man3/X509_sign.3]=man3/X509_sign.pod +GENERATE[man/man3/X509_sign.3]=man3/X509_sign.pod +DEPEND[html/man3/X509_verify.html]=man3/X509_verify.pod +GENERATE[html/man3/X509_verify.html]=man3/X509_verify.pod +DEPEND[man/man3/X509_verify.3]=man3/X509_verify.pod +GENERATE[man/man3/X509_verify.3]=man3/X509_verify.pod +DEPEND[html/man3/X509_verify_cert.html]=man3/X509_verify_cert.pod +GENERATE[html/man3/X509_verify_cert.html]=man3/X509_verify_cert.pod +DEPEND[man/man3/X509_verify_cert.3]=man3/X509_verify_cert.pod +GENERATE[man/man3/X509_verify_cert.3]=man3/X509_verify_cert.pod +DEPEND[html/man3/X509v3_get_ext_by_NID.html]=man3/X509v3_get_ext_by_NID.pod +GENERATE[html/man3/X509v3_get_ext_by_NID.html]=man3/X509v3_get_ext_by_NID.pod +DEPEND[man/man3/X509v3_get_ext_by_NID.3]=man3/X509v3_get_ext_by_NID.pod +GENERATE[man/man3/X509v3_get_ext_by_NID.3]=man3/X509v3_get_ext_by_NID.pod +DEPEND[html/man3/d2i_PKCS8PrivateKey_bio.html]=man3/d2i_PKCS8PrivateKey_bio.pod +GENERATE[html/man3/d2i_PKCS8PrivateKey_bio.html]=man3/d2i_PKCS8PrivateKey_bio.pod +DEPEND[man/man3/d2i_PKCS8PrivateKey_bio.3]=man3/d2i_PKCS8PrivateKey_bio.pod +GENERATE[man/man3/d2i_PKCS8PrivateKey_bio.3]=man3/d2i_PKCS8PrivateKey_bio.pod +DEPEND[html/man3/d2i_PrivateKey.html]=man3/d2i_PrivateKey.pod +GENERATE[html/man3/d2i_PrivateKey.html]=man3/d2i_PrivateKey.pod +DEPEND[man/man3/d2i_PrivateKey.3]=man3/d2i_PrivateKey.pod +GENERATE[man/man3/d2i_PrivateKey.3]=man3/d2i_PrivateKey.pod +DEPEND[html/man3/d2i_RSAPrivateKey.html]=man3/d2i_RSAPrivateKey.pod +GENERATE[html/man3/d2i_RSAPrivateKey.html]=man3/d2i_RSAPrivateKey.pod +DEPEND[man/man3/d2i_RSAPrivateKey.3]=man3/d2i_RSAPrivateKey.pod +GENERATE[man/man3/d2i_RSAPrivateKey.3]=man3/d2i_RSAPrivateKey.pod +DEPEND[html/man3/d2i_SSL_SESSION.html]=man3/d2i_SSL_SESSION.pod +GENERATE[html/man3/d2i_SSL_SESSION.html]=man3/d2i_SSL_SESSION.pod +DEPEND[man/man3/d2i_SSL_SESSION.3]=man3/d2i_SSL_SESSION.pod +GENERATE[man/man3/d2i_SSL_SESSION.3]=man3/d2i_SSL_SESSION.pod +DEPEND[html/man3/d2i_X509.html]=man3/d2i_X509.pod +GENERATE[html/man3/d2i_X509.html]=man3/d2i_X509.pod +DEPEND[man/man3/d2i_X509.3]=man3/d2i_X509.pod +GENERATE[man/man3/d2i_X509.3]=man3/d2i_X509.pod +DEPEND[html/man3/i2d_CMS_bio_stream.html]=man3/i2d_CMS_bio_stream.pod +GENERATE[html/man3/i2d_CMS_bio_stream.html]=man3/i2d_CMS_bio_stream.pod +DEPEND[man/man3/i2d_CMS_bio_stream.3]=man3/i2d_CMS_bio_stream.pod +GENERATE[man/man3/i2d_CMS_bio_stream.3]=man3/i2d_CMS_bio_stream.pod +DEPEND[html/man3/i2d_PKCS7_bio_stream.html]=man3/i2d_PKCS7_bio_stream.pod +GENERATE[html/man3/i2d_PKCS7_bio_stream.html]=man3/i2d_PKCS7_bio_stream.pod +DEPEND[man/man3/i2d_PKCS7_bio_stream.3]=man3/i2d_PKCS7_bio_stream.pod +GENERATE[man/man3/i2d_PKCS7_bio_stream.3]=man3/i2d_PKCS7_bio_stream.pod +DEPEND[html/man3/i2d_re_X509_tbs.html]=man3/i2d_re_X509_tbs.pod +GENERATE[html/man3/i2d_re_X509_tbs.html]=man3/i2d_re_X509_tbs.pod +DEPEND[man/man3/i2d_re_X509_tbs.3]=man3/i2d_re_X509_tbs.pod +GENERATE[man/man3/i2d_re_X509_tbs.3]=man3/i2d_re_X509_tbs.pod +DEPEND[html/man3/o2i_SCT_LIST.html]=man3/o2i_SCT_LIST.pod +GENERATE[html/man3/o2i_SCT_LIST.html]=man3/o2i_SCT_LIST.pod +DEPEND[man/man3/o2i_SCT_LIST.3]=man3/o2i_SCT_LIST.pod +GENERATE[man/man3/o2i_SCT_LIST.3]=man3/o2i_SCT_LIST.pod +DEPEND[html/man3/s2i_ASN1_IA5STRING.html]=man3/s2i_ASN1_IA5STRING.pod +GENERATE[html/man3/s2i_ASN1_IA5STRING.html]=man3/s2i_ASN1_IA5STRING.pod +DEPEND[man/man3/s2i_ASN1_IA5STRING.3]=man3/s2i_ASN1_IA5STRING.pod +GENERATE[man/man3/s2i_ASN1_IA5STRING.3]=man3/s2i_ASN1_IA5STRING.pod +HTMLDOCS[man3]=html/man3/ADMISSIONS.html \ +html/man3/ASN1_INTEGER_get_int64.html \ +html/man3/ASN1_INTEGER_new.html \ +html/man3/ASN1_ITEM_lookup.html \ +html/man3/ASN1_OBJECT_new.html \ +html/man3/ASN1_STRING_TABLE_add.html \ +html/man3/ASN1_STRING_length.html \ +html/man3/ASN1_STRING_new.html \ +html/man3/ASN1_STRING_print_ex.html \ +html/man3/ASN1_TIME_set.html \ +html/man3/ASN1_TYPE_get.html \ +html/man3/ASN1_generate_nconf.html \ +html/man3/ASN1_item_sign.html \ +html/man3/ASYNC_WAIT_CTX_new.html \ +html/man3/ASYNC_start_job.html \ +html/man3/BF_encrypt.html \ +html/man3/BIO_ADDR.html \ +html/man3/BIO_ADDRINFO.html \ +html/man3/BIO_connect.html \ +html/man3/BIO_ctrl.html \ +html/man3/BIO_f_base64.html \ +html/man3/BIO_f_buffer.html \ +html/man3/BIO_f_cipher.html \ +html/man3/BIO_f_md.html \ +html/man3/BIO_f_null.html \ +html/man3/BIO_f_prefix.html \ +html/man3/BIO_f_ssl.html \ +html/man3/BIO_find_type.html \ +html/man3/BIO_get_data.html \ +html/man3/BIO_get_ex_new_index.html \ +html/man3/BIO_meth_new.html \ +html/man3/BIO_new.html \ +html/man3/BIO_new_CMS.html \ +html/man3/BIO_parse_hostserv.html \ +html/man3/BIO_printf.html \ +html/man3/BIO_push.html \ +html/man3/BIO_read.html \ +html/man3/BIO_s_accept.html \ +html/man3/BIO_s_bio.html \ +html/man3/BIO_s_connect.html \ +html/man3/BIO_s_fd.html \ +html/man3/BIO_s_file.html \ +html/man3/BIO_s_mem.html \ +html/man3/BIO_s_null.html \ +html/man3/BIO_s_socket.html \ +html/man3/BIO_set_callback.html \ +html/man3/BIO_should_retry.html \ +html/man3/BIO_socket_wait.html \ +html/man3/BN_BLINDING_new.html \ +html/man3/BN_CTX_new.html \ +html/man3/BN_CTX_start.html \ +html/man3/BN_add.html \ +html/man3/BN_add_word.html \ +html/man3/BN_bn2bin.html \ +html/man3/BN_cmp.html \ +html/man3/BN_copy.html \ +html/man3/BN_generate_prime.html \ +html/man3/BN_mod_inverse.html \ +html/man3/BN_mod_mul_montgomery.html \ +html/man3/BN_mod_mul_reciprocal.html \ +html/man3/BN_new.html \ +html/man3/BN_num_bytes.html \ +html/man3/BN_rand.html \ +html/man3/BN_security_bits.html \ +html/man3/BN_set_bit.html \ +html/man3/BN_swap.html \ +html/man3/BN_zero.html \ +html/man3/BUF_MEM_new.html \ +html/man3/CMS_EncryptedData_decrypt.html \ +html/man3/CMS_EncryptedData_encrypt.html \ +html/man3/CMS_EnvelopedData_create.html \ +html/man3/CMS_add0_cert.html \ +html/man3/CMS_add1_recipient_cert.html \ +html/man3/CMS_add1_signer.html \ +html/man3/CMS_compress.html \ +html/man3/CMS_data_create.html \ +html/man3/CMS_decrypt.html \ +html/man3/CMS_digest_create.html \ +html/man3/CMS_encrypt.html \ +html/man3/CMS_final.html \ +html/man3/CMS_get0_RecipientInfos.html \ +html/man3/CMS_get0_SignerInfos.html \ +html/man3/CMS_get0_type.html \ +html/man3/CMS_get1_ReceiptRequest.html \ +html/man3/CMS_sign.html \ +html/man3/CMS_sign_receipt.html \ +html/man3/CMS_uncompress.html \ +html/man3/CMS_verify.html \ +html/man3/CMS_verify_receipt.html \ +html/man3/CONF_modules_free.html \ +html/man3/CONF_modules_load_file.html \ +html/man3/CRYPTO_THREAD_run_once.html \ +html/man3/CRYPTO_get_ex_new_index.html \ +html/man3/CRYPTO_memcmp.html \ +html/man3/CTLOG_STORE_get0_log_by_id.html \ +html/man3/CTLOG_STORE_new.html \ +html/man3/CTLOG_new.html \ +html/man3/CT_POLICY_EVAL_CTX_new.html \ +html/man3/DEFINE_STACK_OF.html \ +html/man3/DES_random_key.html \ +html/man3/DH_generate_key.html \ +html/man3/DH_generate_parameters.html \ +html/man3/DH_get0_pqg.html \ +html/man3/DH_get_1024_160.html \ +html/man3/DH_meth_new.html \ +html/man3/DH_new.html \ +html/man3/DH_new_by_nid.html \ +html/man3/DH_set_method.html \ +html/man3/DH_size.html \ +html/man3/DSA_SIG_new.html \ +html/man3/DSA_do_sign.html \ +html/man3/DSA_dup_DH.html \ +html/man3/DSA_generate_key.html \ +html/man3/DSA_generate_parameters.html \ +html/man3/DSA_get0_pqg.html \ +html/man3/DSA_meth_new.html \ +html/man3/DSA_new.html \ +html/man3/DSA_set_method.html \ +html/man3/DSA_sign.html \ +html/man3/DSA_size.html \ +html/man3/DTLS_get_data_mtu.html \ +html/man3/DTLS_set_timer_cb.html \ +html/man3/DTLSv1_listen.html \ +html/man3/ECDSA_SIG_new.html \ +html/man3/ECPKParameters_print.html \ +html/man3/EC_GFp_simple_method.html \ +html/man3/EC_GROUP_copy.html \ +html/man3/EC_GROUP_new.html \ +html/man3/EC_KEY_get_enc_flags.html \ +html/man3/EC_KEY_new.html \ +html/man3/EC_POINT_add.html \ +html/man3/EC_POINT_new.html \ +html/man3/ENGINE_add.html \ +html/man3/ERR_GET_LIB.html \ +html/man3/ERR_clear_error.html \ +html/man3/ERR_error_string.html \ +html/man3/ERR_get_error.html \ +html/man3/ERR_load_crypto_strings.html \ +html/man3/ERR_load_strings.html \ +html/man3/ERR_new.html \ +html/man3/ERR_print_errors.html \ +html/man3/ERR_put_error.html \ +html/man3/ERR_remove_state.html \ +html/man3/ERR_set_mark.html \ +html/man3/EVP_ASYM_CIPHER_free.html \ +html/man3/EVP_BytesToKey.html \ +html/man3/EVP_CIPHER_CTX_get_cipher_data.html \ +html/man3/EVP_CIPHER_CTX_get_original_iv.html \ +html/man3/EVP_CIPHER_meth_new.html \ +html/man3/EVP_DigestInit.html \ +html/man3/EVP_DigestSignInit.html \ +html/man3/EVP_DigestVerifyInit.html \ +html/man3/EVP_EncodeInit.html \ +html/man3/EVP_EncryptInit.html \ +html/man3/EVP_KDF.html \ +html/man3/EVP_KEM_free.html \ +html/man3/EVP_KEYEXCH_free.html \ +html/man3/EVP_KEYMGMT.html \ +html/man3/EVP_MAC.html \ +html/man3/EVP_MD_meth_new.html \ +html/man3/EVP_OpenInit.html \ +html/man3/EVP_PKEY2PKCS8.html \ +html/man3/EVP_PKEY_ASN1_METHOD.html \ +html/man3/EVP_PKEY_CTX_ctrl.html \ +html/man3/EVP_PKEY_CTX_get0_libctx.html \ +html/man3/EVP_PKEY_CTX_new.html \ +html/man3/EVP_PKEY_CTX_set1_pbe_pass.html \ +html/man3/EVP_PKEY_CTX_set_hkdf_md.html \ +html/man3/EVP_PKEY_CTX_set_params.html \ +html/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.html \ +html/man3/EVP_PKEY_CTX_set_scrypt_N.html \ +html/man3/EVP_PKEY_CTX_set_tls1_prf_md.html \ +html/man3/EVP_PKEY_asn1_get_count.html \ +html/man3/EVP_PKEY_check.html \ +html/man3/EVP_PKEY_copy_parameters.html \ +html/man3/EVP_PKEY_decapsulate.html \ +html/man3/EVP_PKEY_decrypt.html \ +html/man3/EVP_PKEY_derive.html \ +html/man3/EVP_PKEY_encapsulate.html \ +html/man3/EVP_PKEY_encrypt.html \ +html/man3/EVP_PKEY_fromdata.html \ +html/man3/EVP_PKEY_gen.html \ +html/man3/EVP_PKEY_get_default_digest_nid.html \ +html/man3/EVP_PKEY_get_field_type.html \ +html/man3/EVP_PKEY_get_group_name.html \ +html/man3/EVP_PKEY_gettable_params.html \ +html/man3/EVP_PKEY_is_a.html \ +html/man3/EVP_PKEY_meth_get_count.html \ +html/man3/EVP_PKEY_meth_new.html \ +html/man3/EVP_PKEY_new.html \ +html/man3/EVP_PKEY_print_private.html \ +html/man3/EVP_PKEY_set1_RSA.html \ +html/man3/EVP_PKEY_set1_encoded_public_key.html \ +html/man3/EVP_PKEY_set_type.html \ +html/man3/EVP_PKEY_settable_params.html \ +html/man3/EVP_PKEY_sign.html \ +html/man3/EVP_PKEY_size.html \ +html/man3/EVP_PKEY_supports_digest_nid.html \ +html/man3/EVP_PKEY_verify.html \ +html/man3/EVP_PKEY_verify_recover.html \ +html/man3/EVP_RAND.html \ +html/man3/EVP_SIGNATURE_free.html \ +html/man3/EVP_SealInit.html \ +html/man3/EVP_SignInit.html \ +html/man3/EVP_VerifyInit.html \ +html/man3/EVP_aes_128_gcm.html \ +html/man3/EVP_aria_128_gcm.html \ +html/man3/EVP_bf_cbc.html \ +html/man3/EVP_blake2b512.html \ +html/man3/EVP_camellia_128_ecb.html \ +html/man3/EVP_cast5_cbc.html \ +html/man3/EVP_chacha20.html \ +html/man3/EVP_des_cbc.html \ +html/man3/EVP_desx_cbc.html \ +html/man3/EVP_idea_cbc.html \ +html/man3/EVP_md2.html \ +html/man3/EVP_md4.html \ +html/man3/EVP_md5.html \ +html/man3/EVP_mdc2.html \ +html/man3/EVP_rc2_cbc.html \ +html/man3/EVP_rc4.html \ +html/man3/EVP_rc5_32_12_16_cbc.html \ +html/man3/EVP_ripemd160.html \ +html/man3/EVP_seed_cbc.html \ +html/man3/EVP_set_default_properties.html \ +html/man3/EVP_sha1.html \ +html/man3/EVP_sha224.html \ +html/man3/EVP_sha3_224.html \ +html/man3/EVP_sm3.html \ +html/man3/EVP_sm4_cbc.html \ +html/man3/EVP_whirlpool.html \ +html/man3/HMAC.html \ +html/man3/MD5.html \ +html/man3/MDC2_Init.html \ +html/man3/NCONF_new_ex.html \ +html/man3/OBJ_nid2obj.html \ +html/man3/OCSP_REQUEST_new.html \ +html/man3/OCSP_cert_to_id.html \ +html/man3/OCSP_request_add1_nonce.html \ +html/man3/OCSP_resp_find_status.html \ +html/man3/OCSP_response_status.html \ +html/man3/OCSP_sendreq_new.html \ +html/man3/OPENSSL_Applink.html \ +html/man3/OPENSSL_FILE.html \ +html/man3/OPENSSL_LH_COMPFUNC.html \ +html/man3/OPENSSL_LH_stats.html \ +html/man3/OPENSSL_config.html \ +html/man3/OPENSSL_fork_prepare.html \ +html/man3/OPENSSL_hexchar2int.html \ +html/man3/OPENSSL_ia32cap.html \ +html/man3/OPENSSL_init_crypto.html \ +html/man3/OPENSSL_init_ssl.html \ +html/man3/OPENSSL_instrument_bus.html \ +html/man3/OPENSSL_load_builtin_modules.html \ +html/man3/OPENSSL_malloc.html \ +html/man3/OPENSSL_s390xcap.html \ +html/man3/OPENSSL_secure_malloc.html \ +html/man3/OSSL_CMP_CTX_new.html \ +html/man3/OSSL_CMP_HDR_get0_transactionID.html \ +html/man3/OSSL_CMP_ITAV_set0.html \ +html/man3/OSSL_CMP_MSG_get0_header.html \ +html/man3/OSSL_CMP_MSG_http_perform.html \ +html/man3/OSSL_CMP_SRV_CTX_new.html \ +html/man3/OSSL_CMP_STATUSINFO_new.html \ +html/man3/OSSL_CMP_exec_certreq.html \ +html/man3/OSSL_CMP_log_open.html \ +html/man3/OSSL_CMP_validate_msg.html \ +html/man3/OSSL_CRMF_MSG_get0_tmpl.html \ +html/man3/OSSL_CRMF_MSG_set0_validity.html \ +html/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.html \ +html/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.html \ +html/man3/OSSL_CRMF_pbmp_new.html \ +html/man3/OSSL_DECODER.html \ +html/man3/OSSL_DECODER_CTX.html \ +html/man3/OSSL_DECODER_CTX_new_for_pkey.html \ +html/man3/OSSL_DECODER_from_bio.html \ +html/man3/OSSL_ENCODER.html \ +html/man3/OSSL_ENCODER_CTX.html \ +html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \ +html/man3/OSSL_ENCODER_to_bio.html \ +html/man3/OSSL_HTTP_REQ_CTX.html \ +html/man3/OSSL_HTTP_transfer.html \ +html/man3/OSSL_LIB_CTX.html \ +html/man3/OSSL_PARAM.html \ +html/man3/OSSL_PARAM_BLD.html \ +html/man3/OSSL_PARAM_allocate_from_text.html \ +html/man3/OSSL_PARAM_int.html \ +html/man3/OSSL_PROVIDER.html \ +html/man3/OSSL_SELF_TEST_new.html \ +html/man3/OSSL_SELF_TEST_set_callback.html \ +html/man3/OSSL_STORE_INFO.html \ +html/man3/OSSL_STORE_LOADER.html \ +html/man3/OSSL_STORE_SEARCH.html \ +html/man3/OSSL_STORE_attach.html \ +html/man3/OSSL_STORE_expect.html \ +html/man3/OSSL_STORE_open.html \ +html/man3/OSSL_trace_enabled.html \ +html/man3/OSSL_trace_get_category_num.html \ +html/man3/OSSL_trace_set_channel.html \ +html/man3/OpenSSL_add_all_algorithms.html \ +html/man3/OpenSSL_version.html \ +html/man3/PEM_X509_INFO_read_bio_ex.html \ +html/man3/PEM_bytes_read_bio.html \ +html/man3/PEM_read.html \ +html/man3/PEM_read_CMS.html \ +html/man3/PEM_read_bio_PrivateKey.html \ +html/man3/PEM_read_bio_ex.html \ +html/man3/PEM_write_bio_CMS_stream.html \ +html/man3/PEM_write_bio_PKCS7_stream.html \ +html/man3/PKCS12_SAFEBAG_create_cert.html \ +html/man3/PKCS12_SAFEBAG_get0_attrs.html \ +html/man3/PKCS12_SAFEBAG_get1_cert.html \ +html/man3/PKCS12_add1_attr_by_NID.html \ +html/man3/PKCS12_add_CSPName_asc.html \ +html/man3/PKCS12_add_cert.html \ +html/man3/PKCS12_add_friendlyname_asc.html \ +html/man3/PKCS12_add_localkeyid.html \ +html/man3/PKCS12_add_safe.html \ +html/man3/PKCS12_create.html \ +html/man3/PKCS12_get_friendlyname.html \ +html/man3/PKCS12_newpass.html \ +html/man3/PKCS12_parse.html \ +html/man3/PKCS5_PBKDF2_HMAC.html \ +html/man3/PKCS7_decrypt.html \ +html/man3/PKCS7_encrypt.html \ +html/man3/PKCS7_get_octet_string.html \ +html/man3/PKCS7_sign.html \ +html/man3/PKCS7_sign_add_signer.html \ +html/man3/PKCS7_type_is_other.html \ +html/man3/PKCS7_verify.html \ +html/man3/PKCS8_pkey_add1_attr.html \ +html/man3/RAND_add.html \ +html/man3/RAND_bytes.html \ +html/man3/RAND_cleanup.html \ +html/man3/RAND_egd.html \ +html/man3/RAND_get0_primary.html \ +html/man3/RAND_load_file.html \ +html/man3/RAND_set_rand_method.html \ +html/man3/RC4_set_key.html \ +html/man3/RIPEMD160_Init.html \ +html/man3/RSA_blinding_on.html \ +html/man3/RSA_check_key.html \ +html/man3/RSA_generate_key.html \ +html/man3/RSA_get0_key.html \ +html/man3/RSA_meth_new.html \ +html/man3/RSA_new.html \ +html/man3/RSA_padding_add_PKCS1_type_1.html \ +html/man3/RSA_print.html \ +html/man3/RSA_private_encrypt.html \ +html/man3/RSA_public_encrypt.html \ +html/man3/RSA_set_method.html \ +html/man3/RSA_sign.html \ +html/man3/RSA_sign_ASN1_OCTET_STRING.html \ +html/man3/RSA_size.html \ +html/man3/SCT_new.html \ +html/man3/SCT_print.html \ +html/man3/SCT_validate.html \ +html/man3/SHA256_Init.html \ +html/man3/SMIME_read_ASN1.html \ +html/man3/SMIME_read_CMS.html \ +html/man3/SMIME_read_PKCS7.html \ +html/man3/SMIME_write_ASN1.html \ +html/man3/SMIME_write_CMS.html \ +html/man3/SMIME_write_PKCS7.html \ +html/man3/SRP_Calc_B.html \ +html/man3/SRP_VBASE_new.html \ +html/man3/SRP_create_verifier.html \ +html/man3/SRP_user_pwd_new.html \ +html/man3/SSL_CIPHER_get_name.html \ +html/man3/SSL_COMP_add_compression_method.html \ +html/man3/SSL_CONF_CTX_new.html \ +html/man3/SSL_CONF_CTX_set1_prefix.html \ +html/man3/SSL_CONF_CTX_set_flags.html \ +html/man3/SSL_CONF_CTX_set_ssl_ctx.html \ +html/man3/SSL_CONF_cmd.html \ +html/man3/SSL_CONF_cmd_argv.html \ +html/man3/SSL_CTX_add1_chain_cert.html \ +html/man3/SSL_CTX_add_extra_chain_cert.html \ +html/man3/SSL_CTX_add_session.html \ +html/man3/SSL_CTX_config.html \ +html/man3/SSL_CTX_ctrl.html \ +html/man3/SSL_CTX_dane_enable.html \ +html/man3/SSL_CTX_flush_sessions.html \ +html/man3/SSL_CTX_free.html \ +html/man3/SSL_CTX_get0_param.html \ +html/man3/SSL_CTX_get_verify_mode.html \ +html/man3/SSL_CTX_has_client_custom_ext.html \ +html/man3/SSL_CTX_load_verify_locations.html \ +html/man3/SSL_CTX_new.html \ +html/man3/SSL_CTX_sess_number.html \ +html/man3/SSL_CTX_sess_set_cache_size.html \ +html/man3/SSL_CTX_sess_set_get_cb.html \ +html/man3/SSL_CTX_sessions.html \ +html/man3/SSL_CTX_set0_CA_list.html \ +html/man3/SSL_CTX_set1_curves.html \ +html/man3/SSL_CTX_set1_sigalgs.html \ +html/man3/SSL_CTX_set1_verify_cert_store.html \ +html/man3/SSL_CTX_set_alpn_select_cb.html \ +html/man3/SSL_CTX_set_cert_cb.html \ +html/man3/SSL_CTX_set_cert_store.html \ +html/man3/SSL_CTX_set_cert_verify_callback.html \ +html/man3/SSL_CTX_set_cipher_list.html \ +html/man3/SSL_CTX_set_client_cert_cb.html \ +html/man3/SSL_CTX_set_client_hello_cb.html \ +html/man3/SSL_CTX_set_ct_validation_callback.html \ +html/man3/SSL_CTX_set_ctlog_list_file.html \ +html/man3/SSL_CTX_set_default_passwd_cb.html \ +html/man3/SSL_CTX_set_generate_session_id.html \ +html/man3/SSL_CTX_set_info_callback.html \ +html/man3/SSL_CTX_set_keylog_callback.html \ +html/man3/SSL_CTX_set_max_cert_list.html \ +html/man3/SSL_CTX_set_min_proto_version.html \ +html/man3/SSL_CTX_set_mode.html \ +html/man3/SSL_CTX_set_msg_callback.html \ +html/man3/SSL_CTX_set_num_tickets.html \ +html/man3/SSL_CTX_set_options.html \ +html/man3/SSL_CTX_set_psk_client_callback.html \ +html/man3/SSL_CTX_set_quiet_shutdown.html \ +html/man3/SSL_CTX_set_read_ahead.html \ +html/man3/SSL_CTX_set_record_padding_callback.html \ +html/man3/SSL_CTX_set_security_level.html \ +html/man3/SSL_CTX_set_session_cache_mode.html \ +html/man3/SSL_CTX_set_session_id_context.html \ +html/man3/SSL_CTX_set_session_ticket_cb.html \ +html/man3/SSL_CTX_set_split_send_fragment.html \ +html/man3/SSL_CTX_set_srp_password.html \ +html/man3/SSL_CTX_set_ssl_version.html \ +html/man3/SSL_CTX_set_stateless_cookie_generate_cb.html \ +html/man3/SSL_CTX_set_timeout.html \ +html/man3/SSL_CTX_set_tlsext_servername_callback.html \ +html/man3/SSL_CTX_set_tlsext_status_cb.html \ +html/man3/SSL_CTX_set_tlsext_ticket_key_cb.html \ +html/man3/SSL_CTX_set_tlsext_use_srtp.html \ +html/man3/SSL_CTX_set_tmp_dh_callback.html \ +html/man3/SSL_CTX_set_tmp_ecdh.html \ +html/man3/SSL_CTX_set_verify.html \ +html/man3/SSL_CTX_use_certificate.html \ +html/man3/SSL_CTX_use_psk_identity_hint.html \ +html/man3/SSL_CTX_use_serverinfo.html \ +html/man3/SSL_SESSION_free.html \ +html/man3/SSL_SESSION_get0_cipher.html \ +html/man3/SSL_SESSION_get0_hostname.html \ +html/man3/SSL_SESSION_get0_id_context.html \ +html/man3/SSL_SESSION_get0_peer.html \ +html/man3/SSL_SESSION_get_compress_id.html \ +html/man3/SSL_SESSION_get_protocol_version.html \ +html/man3/SSL_SESSION_get_time.html \ +html/man3/SSL_SESSION_has_ticket.html \ +html/man3/SSL_SESSION_is_resumable.html \ +html/man3/SSL_SESSION_print.html \ +html/man3/SSL_SESSION_set1_id.html \ +html/man3/SSL_accept.html \ +html/man3/SSL_alert_type_string.html \ +html/man3/SSL_alloc_buffers.html \ +html/man3/SSL_check_chain.html \ +html/man3/SSL_clear.html \ +html/man3/SSL_connect.html \ +html/man3/SSL_do_handshake.html \ +html/man3/SSL_export_keying_material.html \ +html/man3/SSL_extension_supported.html \ +html/man3/SSL_free.html \ +html/man3/SSL_get0_peer_scts.html \ +html/man3/SSL_get_SSL_CTX.html \ +html/man3/SSL_get_all_async_fds.html \ +html/man3/SSL_get_ciphers.html \ +html/man3/SSL_get_client_random.html \ +html/man3/SSL_get_current_cipher.html \ +html/man3/SSL_get_default_timeout.html \ +html/man3/SSL_get_error.html \ +html/man3/SSL_get_extms_support.html \ +html/man3/SSL_get_fd.html \ +html/man3/SSL_get_peer_cert_chain.html \ +html/man3/SSL_get_peer_certificate.html \ +html/man3/SSL_get_peer_signature_nid.html \ +html/man3/SSL_get_peer_tmp_key.html \ +html/man3/SSL_get_psk_identity.html \ +html/man3/SSL_get_rbio.html \ +html/man3/SSL_get_session.html \ +html/man3/SSL_get_shared_sigalgs.html \ +html/man3/SSL_get_verify_result.html \ +html/man3/SSL_get_version.html \ +html/man3/SSL_group_to_name.html \ +html/man3/SSL_in_init.html \ +html/man3/SSL_key_update.html \ +html/man3/SSL_library_init.html \ +html/man3/SSL_load_client_CA_file.html \ +html/man3/SSL_new.html \ +html/man3/SSL_pending.html \ +html/man3/SSL_read.html \ +html/man3/SSL_read_early_data.html \ +html/man3/SSL_rstate_string.html \ +html/man3/SSL_session_reused.html \ +html/man3/SSL_set1_host.html \ +html/man3/SSL_set_async_callback.html \ +html/man3/SSL_set_bio.html \ +html/man3/SSL_set_connect_state.html \ +html/man3/SSL_set_fd.html \ +html/man3/SSL_set_session.html \ +html/man3/SSL_set_shutdown.html \ +html/man3/SSL_set_verify_result.html \ +html/man3/SSL_shutdown.html \ +html/man3/SSL_state_string.html \ +html/man3/SSL_want.html \ +html/man3/SSL_write.html \ +html/man3/TS_VERIFY_CTX_set_certs.html \ +html/man3/UI_STRING.html \ +html/man3/UI_UTIL_read_pw.html \ +html/man3/UI_create_method.html \ +html/man3/UI_new.html \ +html/man3/X509V3_get_d2i.html \ +html/man3/X509V3_set_ctx.html \ +html/man3/X509_ALGOR_dup.html \ +html/man3/X509_CRL_get0_by_serial.html \ +html/man3/X509_EXTENSION_set_object.html \ +html/man3/X509_LOOKUP.html \ +html/man3/X509_LOOKUP_hash_dir.html \ +html/man3/X509_LOOKUP_meth_new.html \ +html/man3/X509_NAME_ENTRY_get_object.html \ +html/man3/X509_NAME_add_entry_by_txt.html \ +html/man3/X509_NAME_get0_der.html \ +html/man3/X509_NAME_get_index_by_NID.html \ +html/man3/X509_NAME_print_ex.html \ +html/man3/X509_PUBKEY_new.html \ +html/man3/X509_SIG_get0.html \ +html/man3/X509_STORE_CTX_get_error.html \ +html/man3/X509_STORE_CTX_new.html \ +html/man3/X509_STORE_CTX_set_verify_cb.html \ +html/man3/X509_STORE_add_cert.html \ +html/man3/X509_STORE_get0_param.html \ +html/man3/X509_STORE_new.html \ +html/man3/X509_STORE_set_verify_cb_func.html \ +html/man3/X509_VERIFY_PARAM_set_flags.html \ +html/man3/X509_add_cert.html \ +html/man3/X509_check_ca.html \ +html/man3/X509_check_host.html \ +html/man3/X509_check_issued.html \ +html/man3/X509_check_private_key.html \ +html/man3/X509_check_purpose.html \ +html/man3/X509_cmp.html \ +html/man3/X509_cmp_time.html \ +html/man3/X509_digest.html \ +html/man3/X509_dup.html \ +html/man3/X509_get0_distinguishing_id.html \ +html/man3/X509_get0_notBefore.html \ +html/man3/X509_get0_signature.html \ +html/man3/X509_get0_uids.html \ +html/man3/X509_get_extension_flags.html \ +html/man3/X509_get_pubkey.html \ +html/man3/X509_get_serialNumber.html \ +html/man3/X509_get_subject_name.html \ +html/man3/X509_get_version.html \ +html/man3/X509_load_http.html \ +html/man3/X509_new.html \ +html/man3/X509_sign.html \ +html/man3/X509_verify.html \ +html/man3/X509_verify_cert.html \ +html/man3/X509v3_get_ext_by_NID.html \ +html/man3/d2i_PKCS8PrivateKey_bio.html \ +html/man3/d2i_PrivateKey.html \ +html/man3/d2i_RSAPrivateKey.html \ +html/man3/d2i_SSL_SESSION.html \ +html/man3/d2i_X509.html \ +html/man3/i2d_CMS_bio_stream.html \ +html/man3/i2d_PKCS7_bio_stream.html \ +html/man3/i2d_re_X509_tbs.html \ +html/man3/o2i_SCT_LIST.html \ +html/man3/s2i_ASN1_IA5STRING.html +MANDOCS[man3]=man/man3/ADMISSIONS.3 \ +man/man3/ASN1_INTEGER_get_int64.3 \ +man/man3/ASN1_INTEGER_new.3 \ +man/man3/ASN1_ITEM_lookup.3 \ +man/man3/ASN1_OBJECT_new.3 \ +man/man3/ASN1_STRING_TABLE_add.3 \ +man/man3/ASN1_STRING_length.3 \ +man/man3/ASN1_STRING_new.3 \ +man/man3/ASN1_STRING_print_ex.3 \ +man/man3/ASN1_TIME_set.3 \ +man/man3/ASN1_TYPE_get.3 \ +man/man3/ASN1_generate_nconf.3 \ +man/man3/ASN1_item_sign.3 \ +man/man3/ASYNC_WAIT_CTX_new.3 \ +man/man3/ASYNC_start_job.3 \ +man/man3/BF_encrypt.3 \ +man/man3/BIO_ADDR.3 \ +man/man3/BIO_ADDRINFO.3 \ +man/man3/BIO_connect.3 \ +man/man3/BIO_ctrl.3 \ +man/man3/BIO_f_base64.3 \ +man/man3/BIO_f_buffer.3 \ +man/man3/BIO_f_cipher.3 \ +man/man3/BIO_f_md.3 \ +man/man3/BIO_f_null.3 \ +man/man3/BIO_f_prefix.3 \ +man/man3/BIO_f_ssl.3 \ +man/man3/BIO_find_type.3 \ +man/man3/BIO_get_data.3 \ +man/man3/BIO_get_ex_new_index.3 \ +man/man3/BIO_meth_new.3 \ +man/man3/BIO_new.3 \ +man/man3/BIO_new_CMS.3 \ +man/man3/BIO_parse_hostserv.3 \ +man/man3/BIO_printf.3 \ +man/man3/BIO_push.3 \ +man/man3/BIO_read.3 \ +man/man3/BIO_s_accept.3 \ +man/man3/BIO_s_bio.3 \ +man/man3/BIO_s_connect.3 \ +man/man3/BIO_s_fd.3 \ +man/man3/BIO_s_file.3 \ +man/man3/BIO_s_mem.3 \ +man/man3/BIO_s_null.3 \ +man/man3/BIO_s_socket.3 \ +man/man3/BIO_set_callback.3 \ +man/man3/BIO_should_retry.3 \ +man/man3/BIO_socket_wait.3 \ +man/man3/BN_BLINDING_new.3 \ +man/man3/BN_CTX_new.3 \ +man/man3/BN_CTX_start.3 \ +man/man3/BN_add.3 \ +man/man3/BN_add_word.3 \ +man/man3/BN_bn2bin.3 \ +man/man3/BN_cmp.3 \ +man/man3/BN_copy.3 \ +man/man3/BN_generate_prime.3 \ +man/man3/BN_mod_inverse.3 \ +man/man3/BN_mod_mul_montgomery.3 \ +man/man3/BN_mod_mul_reciprocal.3 \ +man/man3/BN_new.3 \ +man/man3/BN_num_bytes.3 \ +man/man3/BN_rand.3 \ +man/man3/BN_security_bits.3 \ +man/man3/BN_set_bit.3 \ +man/man3/BN_swap.3 \ +man/man3/BN_zero.3 \ +man/man3/BUF_MEM_new.3 \ +man/man3/CMS_EncryptedData_decrypt.3 \ +man/man3/CMS_EncryptedData_encrypt.3 \ +man/man3/CMS_EnvelopedData_create.3 \ +man/man3/CMS_add0_cert.3 \ +man/man3/CMS_add1_recipient_cert.3 \ +man/man3/CMS_add1_signer.3 \ +man/man3/CMS_compress.3 \ +man/man3/CMS_data_create.3 \ +man/man3/CMS_decrypt.3 \ +man/man3/CMS_digest_create.3 \ +man/man3/CMS_encrypt.3 \ +man/man3/CMS_final.3 \ +man/man3/CMS_get0_RecipientInfos.3 \ +man/man3/CMS_get0_SignerInfos.3 \ +man/man3/CMS_get0_type.3 \ +man/man3/CMS_get1_ReceiptRequest.3 \ +man/man3/CMS_sign.3 \ +man/man3/CMS_sign_receipt.3 \ +man/man3/CMS_uncompress.3 \ +man/man3/CMS_verify.3 \ +man/man3/CMS_verify_receipt.3 \ +man/man3/CONF_modules_free.3 \ +man/man3/CONF_modules_load_file.3 \ +man/man3/CRYPTO_THREAD_run_once.3 \ +man/man3/CRYPTO_get_ex_new_index.3 \ +man/man3/CRYPTO_memcmp.3 \ +man/man3/CTLOG_STORE_get0_log_by_id.3 \ +man/man3/CTLOG_STORE_new.3 \ +man/man3/CTLOG_new.3 \ +man/man3/CT_POLICY_EVAL_CTX_new.3 \ +man/man3/DEFINE_STACK_OF.3 \ +man/man3/DES_random_key.3 \ +man/man3/DH_generate_key.3 \ +man/man3/DH_generate_parameters.3 \ +man/man3/DH_get0_pqg.3 \ +man/man3/DH_get_1024_160.3 \ +man/man3/DH_meth_new.3 \ +man/man3/DH_new.3 \ +man/man3/DH_new_by_nid.3 \ +man/man3/DH_set_method.3 \ +man/man3/DH_size.3 \ +man/man3/DSA_SIG_new.3 \ +man/man3/DSA_do_sign.3 \ +man/man3/DSA_dup_DH.3 \ +man/man3/DSA_generate_key.3 \ +man/man3/DSA_generate_parameters.3 \ +man/man3/DSA_get0_pqg.3 \ +man/man3/DSA_meth_new.3 \ +man/man3/DSA_new.3 \ +man/man3/DSA_set_method.3 \ +man/man3/DSA_sign.3 \ +man/man3/DSA_size.3 \ +man/man3/DTLS_get_data_mtu.3 \ +man/man3/DTLS_set_timer_cb.3 \ +man/man3/DTLSv1_listen.3 \ +man/man3/ECDSA_SIG_new.3 \ +man/man3/ECPKParameters_print.3 \ +man/man3/EC_GFp_simple_method.3 \ +man/man3/EC_GROUP_copy.3 \ +man/man3/EC_GROUP_new.3 \ +man/man3/EC_KEY_get_enc_flags.3 \ +man/man3/EC_KEY_new.3 \ +man/man3/EC_POINT_add.3 \ +man/man3/EC_POINT_new.3 \ +man/man3/ENGINE_add.3 \ +man/man3/ERR_GET_LIB.3 \ +man/man3/ERR_clear_error.3 \ +man/man3/ERR_error_string.3 \ +man/man3/ERR_get_error.3 \ +man/man3/ERR_load_crypto_strings.3 \ +man/man3/ERR_load_strings.3 \ +man/man3/ERR_new.3 \ +man/man3/ERR_print_errors.3 \ +man/man3/ERR_put_error.3 \ +man/man3/ERR_remove_state.3 \ +man/man3/ERR_set_mark.3 \ +man/man3/EVP_ASYM_CIPHER_free.3 \ +man/man3/EVP_BytesToKey.3 \ +man/man3/EVP_CIPHER_CTX_get_cipher_data.3 \ +man/man3/EVP_CIPHER_CTX_get_original_iv.3 \ +man/man3/EVP_CIPHER_meth_new.3 \ +man/man3/EVP_DigestInit.3 \ +man/man3/EVP_DigestSignInit.3 \ +man/man3/EVP_DigestVerifyInit.3 \ +man/man3/EVP_EncodeInit.3 \ +man/man3/EVP_EncryptInit.3 \ +man/man3/EVP_KDF.3 \ +man/man3/EVP_KEM_free.3 \ +man/man3/EVP_KEYEXCH_free.3 \ +man/man3/EVP_KEYMGMT.3 \ +man/man3/EVP_MAC.3 \ +man/man3/EVP_MD_meth_new.3 \ +man/man3/EVP_OpenInit.3 \ +man/man3/EVP_PKEY2PKCS8.3 \ +man/man3/EVP_PKEY_ASN1_METHOD.3 \ +man/man3/EVP_PKEY_CTX_ctrl.3 \ +man/man3/EVP_PKEY_CTX_get0_libctx.3 \ +man/man3/EVP_PKEY_CTX_new.3 \ +man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 \ +man/man3/EVP_PKEY_CTX_set_hkdf_md.3 \ +man/man3/EVP_PKEY_CTX_set_params.3 \ +man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 \ +man/man3/EVP_PKEY_CTX_set_scrypt_N.3 \ +man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 \ +man/man3/EVP_PKEY_asn1_get_count.3 \ +man/man3/EVP_PKEY_check.3 \ +man/man3/EVP_PKEY_copy_parameters.3 \ +man/man3/EVP_PKEY_decapsulate.3 \ +man/man3/EVP_PKEY_decrypt.3 \ +man/man3/EVP_PKEY_derive.3 \ +man/man3/EVP_PKEY_encapsulate.3 \ +man/man3/EVP_PKEY_encrypt.3 \ +man/man3/EVP_PKEY_fromdata.3 \ +man/man3/EVP_PKEY_gen.3 \ +man/man3/EVP_PKEY_get_default_digest_nid.3 \ +man/man3/EVP_PKEY_get_field_type.3 \ +man/man3/EVP_PKEY_get_group_name.3 \ +man/man3/EVP_PKEY_gettable_params.3 \ +man/man3/EVP_PKEY_is_a.3 \ +man/man3/EVP_PKEY_meth_get_count.3 \ +man/man3/EVP_PKEY_meth_new.3 \ +man/man3/EVP_PKEY_new.3 \ +man/man3/EVP_PKEY_print_private.3 \ +man/man3/EVP_PKEY_set1_RSA.3 \ +man/man3/EVP_PKEY_set1_encoded_public_key.3 \ +man/man3/EVP_PKEY_set_type.3 \ +man/man3/EVP_PKEY_settable_params.3 \ +man/man3/EVP_PKEY_sign.3 \ +man/man3/EVP_PKEY_size.3 \ +man/man3/EVP_PKEY_supports_digest_nid.3 \ +man/man3/EVP_PKEY_verify.3 \ +man/man3/EVP_PKEY_verify_recover.3 \ +man/man3/EVP_RAND.3 \ +man/man3/EVP_SIGNATURE_free.3 \ +man/man3/EVP_SealInit.3 \ +man/man3/EVP_SignInit.3 \ +man/man3/EVP_VerifyInit.3 \ +man/man3/EVP_aes_128_gcm.3 \ +man/man3/EVP_aria_128_gcm.3 \ +man/man3/EVP_bf_cbc.3 \ +man/man3/EVP_blake2b512.3 \ +man/man3/EVP_camellia_128_ecb.3 \ +man/man3/EVP_cast5_cbc.3 \ +man/man3/EVP_chacha20.3 \ +man/man3/EVP_des_cbc.3 \ +man/man3/EVP_desx_cbc.3 \ +man/man3/EVP_idea_cbc.3 \ +man/man3/EVP_md2.3 \ +man/man3/EVP_md4.3 \ +man/man3/EVP_md5.3 \ +man/man3/EVP_mdc2.3 \ +man/man3/EVP_rc2_cbc.3 \ +man/man3/EVP_rc4.3 \ +man/man3/EVP_rc5_32_12_16_cbc.3 \ +man/man3/EVP_ripemd160.3 \ +man/man3/EVP_seed_cbc.3 \ +man/man3/EVP_set_default_properties.3 \ +man/man3/EVP_sha1.3 \ +man/man3/EVP_sha224.3 \ +man/man3/EVP_sha3_224.3 \ +man/man3/EVP_sm3.3 \ +man/man3/EVP_sm4_cbc.3 \ +man/man3/EVP_whirlpool.3 \ +man/man3/HMAC.3 \ +man/man3/MD5.3 \ +man/man3/MDC2_Init.3 \ +man/man3/NCONF_new_ex.3 \ +man/man3/OBJ_nid2obj.3 \ +man/man3/OCSP_REQUEST_new.3 \ +man/man3/OCSP_cert_to_id.3 \ +man/man3/OCSP_request_add1_nonce.3 \ +man/man3/OCSP_resp_find_status.3 \ +man/man3/OCSP_response_status.3 \ +man/man3/OCSP_sendreq_new.3 \ +man/man3/OPENSSL_Applink.3 \ +man/man3/OPENSSL_FILE.3 \ +man/man3/OPENSSL_LH_COMPFUNC.3 \ +man/man3/OPENSSL_LH_stats.3 \ +man/man3/OPENSSL_config.3 \ +man/man3/OPENSSL_fork_prepare.3 \ +man/man3/OPENSSL_hexchar2int.3 \ +man/man3/OPENSSL_ia32cap.3 \ +man/man3/OPENSSL_init_crypto.3 \ +man/man3/OPENSSL_init_ssl.3 \ +man/man3/OPENSSL_instrument_bus.3 \ +man/man3/OPENSSL_load_builtin_modules.3 \ +man/man3/OPENSSL_malloc.3 \ +man/man3/OPENSSL_s390xcap.3 \ +man/man3/OPENSSL_secure_malloc.3 \ +man/man3/OSSL_CMP_CTX_new.3 \ +man/man3/OSSL_CMP_HDR_get0_transactionID.3 \ +man/man3/OSSL_CMP_ITAV_set0.3 \ +man/man3/OSSL_CMP_MSG_get0_header.3 \ +man/man3/OSSL_CMP_MSG_http_perform.3 \ +man/man3/OSSL_CMP_SRV_CTX_new.3 \ +man/man3/OSSL_CMP_STATUSINFO_new.3 \ +man/man3/OSSL_CMP_exec_certreq.3 \ +man/man3/OSSL_CMP_log_open.3 \ +man/man3/OSSL_CMP_validate_msg.3 \ +man/man3/OSSL_CRMF_MSG_get0_tmpl.3 \ +man/man3/OSSL_CRMF_MSG_set0_validity.3 \ +man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 \ +man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 \ +man/man3/OSSL_CRMF_pbmp_new.3 \ +man/man3/OSSL_DECODER.3 \ +man/man3/OSSL_DECODER_CTX.3 \ +man/man3/OSSL_DECODER_CTX_new_for_pkey.3 \ +man/man3/OSSL_DECODER_from_bio.3 \ +man/man3/OSSL_ENCODER.3 \ +man/man3/OSSL_ENCODER_CTX.3 \ +man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \ +man/man3/OSSL_ENCODER_to_bio.3 \ +man/man3/OSSL_HTTP_REQ_CTX.3 \ +man/man3/OSSL_HTTP_transfer.3 \ +man/man3/OSSL_LIB_CTX.3 \ +man/man3/OSSL_PARAM.3 \ +man/man3/OSSL_PARAM_BLD.3 \ +man/man3/OSSL_PARAM_allocate_from_text.3 \ +man/man3/OSSL_PARAM_int.3 \ +man/man3/OSSL_PROVIDER.3 \ +man/man3/OSSL_SELF_TEST_new.3 \ +man/man3/OSSL_SELF_TEST_set_callback.3 \ +man/man3/OSSL_STORE_INFO.3 \ +man/man3/OSSL_STORE_LOADER.3 \ +man/man3/OSSL_STORE_SEARCH.3 \ +man/man3/OSSL_STORE_attach.3 \ +man/man3/OSSL_STORE_expect.3 \ +man/man3/OSSL_STORE_open.3 \ +man/man3/OSSL_trace_enabled.3 \ +man/man3/OSSL_trace_get_category_num.3 \ +man/man3/OSSL_trace_set_channel.3 \ +man/man3/OpenSSL_add_all_algorithms.3 \ +man/man3/OpenSSL_version.3 \ +man/man3/PEM_X509_INFO_read_bio_ex.3 \ +man/man3/PEM_bytes_read_bio.3 \ +man/man3/PEM_read.3 \ +man/man3/PEM_read_CMS.3 \ +man/man3/PEM_read_bio_PrivateKey.3 \ +man/man3/PEM_read_bio_ex.3 \ +man/man3/PEM_write_bio_CMS_stream.3 \ +man/man3/PEM_write_bio_PKCS7_stream.3 \ +man/man3/PKCS12_SAFEBAG_create_cert.3 \ +man/man3/PKCS12_SAFEBAG_get0_attrs.3 \ +man/man3/PKCS12_SAFEBAG_get1_cert.3 \ +man/man3/PKCS12_add1_attr_by_NID.3 \ +man/man3/PKCS12_add_CSPName_asc.3 \ +man/man3/PKCS12_add_cert.3 \ +man/man3/PKCS12_add_friendlyname_asc.3 \ +man/man3/PKCS12_add_localkeyid.3 \ +man/man3/PKCS12_add_safe.3 \ +man/man3/PKCS12_create.3 \ +man/man3/PKCS12_get_friendlyname.3 \ +man/man3/PKCS12_newpass.3 \ +man/man3/PKCS12_parse.3 \ +man/man3/PKCS5_PBKDF2_HMAC.3 \ +man/man3/PKCS7_decrypt.3 \ +man/man3/PKCS7_encrypt.3 \ +man/man3/PKCS7_get_octet_string.3 \ +man/man3/PKCS7_sign.3 \ +man/man3/PKCS7_sign_add_signer.3 \ +man/man3/PKCS7_type_is_other.3 \ +man/man3/PKCS7_verify.3 \ +man/man3/PKCS8_pkey_add1_attr.3 \ +man/man3/RAND_add.3 \ +man/man3/RAND_bytes.3 \ +man/man3/RAND_cleanup.3 \ +man/man3/RAND_egd.3 \ +man/man3/RAND_get0_primary.3 \ +man/man3/RAND_load_file.3 \ +man/man3/RAND_set_rand_method.3 \ +man/man3/RC4_set_key.3 \ +man/man3/RIPEMD160_Init.3 \ +man/man3/RSA_blinding_on.3 \ +man/man3/RSA_check_key.3 \ +man/man3/RSA_generate_key.3 \ +man/man3/RSA_get0_key.3 \ +man/man3/RSA_meth_new.3 \ +man/man3/RSA_new.3 \ +man/man3/RSA_padding_add_PKCS1_type_1.3 \ +man/man3/RSA_print.3 \ +man/man3/RSA_private_encrypt.3 \ +man/man3/RSA_public_encrypt.3 \ +man/man3/RSA_set_method.3 \ +man/man3/RSA_sign.3 \ +man/man3/RSA_sign_ASN1_OCTET_STRING.3 \ +man/man3/RSA_size.3 \ +man/man3/SCT_new.3 \ +man/man3/SCT_print.3 \ +man/man3/SCT_validate.3 \ +man/man3/SHA256_Init.3 \ +man/man3/SMIME_read_ASN1.3 \ +man/man3/SMIME_read_CMS.3 \ +man/man3/SMIME_read_PKCS7.3 \ +man/man3/SMIME_write_ASN1.3 \ +man/man3/SMIME_write_CMS.3 \ +man/man3/SMIME_write_PKCS7.3 \ +man/man3/SRP_Calc_B.3 \ +man/man3/SRP_VBASE_new.3 \ +man/man3/SRP_create_verifier.3 \ +man/man3/SRP_user_pwd_new.3 \ +man/man3/SSL_CIPHER_get_name.3 \ +man/man3/SSL_COMP_add_compression_method.3 \ +man/man3/SSL_CONF_CTX_new.3 \ +man/man3/SSL_CONF_CTX_set1_prefix.3 \ +man/man3/SSL_CONF_CTX_set_flags.3 \ +man/man3/SSL_CONF_CTX_set_ssl_ctx.3 \ +man/man3/SSL_CONF_cmd.3 \ +man/man3/SSL_CONF_cmd_argv.3 \ +man/man3/SSL_CTX_add1_chain_cert.3 \ +man/man3/SSL_CTX_add_extra_chain_cert.3 \ +man/man3/SSL_CTX_add_session.3 \ +man/man3/SSL_CTX_config.3 \ +man/man3/SSL_CTX_ctrl.3 \ +man/man3/SSL_CTX_dane_enable.3 \ +man/man3/SSL_CTX_flush_sessions.3 \ +man/man3/SSL_CTX_free.3 \ +man/man3/SSL_CTX_get0_param.3 \ +man/man3/SSL_CTX_get_verify_mode.3 \ +man/man3/SSL_CTX_has_client_custom_ext.3 \ +man/man3/SSL_CTX_load_verify_locations.3 \ +man/man3/SSL_CTX_new.3 \ +man/man3/SSL_CTX_sess_number.3 \ +man/man3/SSL_CTX_sess_set_cache_size.3 \ +man/man3/SSL_CTX_sess_set_get_cb.3 \ +man/man3/SSL_CTX_sessions.3 \ +man/man3/SSL_CTX_set0_CA_list.3 \ +man/man3/SSL_CTX_set1_curves.3 \ +man/man3/SSL_CTX_set1_sigalgs.3 \ +man/man3/SSL_CTX_set1_verify_cert_store.3 \ +man/man3/SSL_CTX_set_alpn_select_cb.3 \ +man/man3/SSL_CTX_set_cert_cb.3 \ +man/man3/SSL_CTX_set_cert_store.3 \ +man/man3/SSL_CTX_set_cert_verify_callback.3 \ +man/man3/SSL_CTX_set_cipher_list.3 \ +man/man3/SSL_CTX_set_client_cert_cb.3 \ +man/man3/SSL_CTX_set_client_hello_cb.3 \ +man/man3/SSL_CTX_set_ct_validation_callback.3 \ +man/man3/SSL_CTX_set_ctlog_list_file.3 \ +man/man3/SSL_CTX_set_default_passwd_cb.3 \ +man/man3/SSL_CTX_set_generate_session_id.3 \ +man/man3/SSL_CTX_set_info_callback.3 \ +man/man3/SSL_CTX_set_keylog_callback.3 \ +man/man3/SSL_CTX_set_max_cert_list.3 \ +man/man3/SSL_CTX_set_min_proto_version.3 \ +man/man3/SSL_CTX_set_mode.3 \ +man/man3/SSL_CTX_set_msg_callback.3 \ +man/man3/SSL_CTX_set_num_tickets.3 \ +man/man3/SSL_CTX_set_options.3 \ +man/man3/SSL_CTX_set_psk_client_callback.3 \ +man/man3/SSL_CTX_set_quiet_shutdown.3 \ +man/man3/SSL_CTX_set_read_ahead.3 \ +man/man3/SSL_CTX_set_record_padding_callback.3 \ +man/man3/SSL_CTX_set_security_level.3 \ +man/man3/SSL_CTX_set_session_cache_mode.3 \ +man/man3/SSL_CTX_set_session_id_context.3 \ +man/man3/SSL_CTX_set_session_ticket_cb.3 \ +man/man3/SSL_CTX_set_split_send_fragment.3 \ +man/man3/SSL_CTX_set_srp_password.3 \ +man/man3/SSL_CTX_set_ssl_version.3 \ +man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 \ +man/man3/SSL_CTX_set_timeout.3 \ +man/man3/SSL_CTX_set_tlsext_servername_callback.3 \ +man/man3/SSL_CTX_set_tlsext_status_cb.3 \ +man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 \ +man/man3/SSL_CTX_set_tlsext_use_srtp.3 \ +man/man3/SSL_CTX_set_tmp_dh_callback.3 \ +man/man3/SSL_CTX_set_tmp_ecdh.3 \ +man/man3/SSL_CTX_set_verify.3 \ +man/man3/SSL_CTX_use_certificate.3 \ +man/man3/SSL_CTX_use_psk_identity_hint.3 \ +man/man3/SSL_CTX_use_serverinfo.3 \ +man/man3/SSL_SESSION_free.3 \ +man/man3/SSL_SESSION_get0_cipher.3 \ +man/man3/SSL_SESSION_get0_hostname.3 \ +man/man3/SSL_SESSION_get0_id_context.3 \ +man/man3/SSL_SESSION_get0_peer.3 \ +man/man3/SSL_SESSION_get_compress_id.3 \ +man/man3/SSL_SESSION_get_protocol_version.3 \ +man/man3/SSL_SESSION_get_time.3 \ +man/man3/SSL_SESSION_has_ticket.3 \ +man/man3/SSL_SESSION_is_resumable.3 \ +man/man3/SSL_SESSION_print.3 \ +man/man3/SSL_SESSION_set1_id.3 \ +man/man3/SSL_accept.3 \ +man/man3/SSL_alert_type_string.3 \ +man/man3/SSL_alloc_buffers.3 \ +man/man3/SSL_check_chain.3 \ +man/man3/SSL_clear.3 \ +man/man3/SSL_connect.3 \ +man/man3/SSL_do_handshake.3 \ +man/man3/SSL_export_keying_material.3 \ +man/man3/SSL_extension_supported.3 \ +man/man3/SSL_free.3 \ +man/man3/SSL_get0_peer_scts.3 \ +man/man3/SSL_get_SSL_CTX.3 \ +man/man3/SSL_get_all_async_fds.3 \ +man/man3/SSL_get_ciphers.3 \ +man/man3/SSL_get_client_random.3 \ +man/man3/SSL_get_current_cipher.3 \ +man/man3/SSL_get_default_timeout.3 \ +man/man3/SSL_get_error.3 \ +man/man3/SSL_get_extms_support.3 \ +man/man3/SSL_get_fd.3 \ +man/man3/SSL_get_peer_cert_chain.3 \ +man/man3/SSL_get_peer_certificate.3 \ +man/man3/SSL_get_peer_signature_nid.3 \ +man/man3/SSL_get_peer_tmp_key.3 \ +man/man3/SSL_get_psk_identity.3 \ +man/man3/SSL_get_rbio.3 \ +man/man3/SSL_get_session.3 \ +man/man3/SSL_get_shared_sigalgs.3 \ +man/man3/SSL_get_verify_result.3 \ +man/man3/SSL_get_version.3 \ +man/man3/SSL_group_to_name.3 \ +man/man3/SSL_in_init.3 \ +man/man3/SSL_key_update.3 \ +man/man3/SSL_library_init.3 \ +man/man3/SSL_load_client_CA_file.3 \ +man/man3/SSL_new.3 \ +man/man3/SSL_pending.3 \ +man/man3/SSL_read.3 \ +man/man3/SSL_read_early_data.3 \ +man/man3/SSL_rstate_string.3 \ +man/man3/SSL_session_reused.3 \ +man/man3/SSL_set1_host.3 \ +man/man3/SSL_set_async_callback.3 \ +man/man3/SSL_set_bio.3 \ +man/man3/SSL_set_connect_state.3 \ +man/man3/SSL_set_fd.3 \ +man/man3/SSL_set_session.3 \ +man/man3/SSL_set_shutdown.3 \ +man/man3/SSL_set_verify_result.3 \ +man/man3/SSL_shutdown.3 \ +man/man3/SSL_state_string.3 \ +man/man3/SSL_want.3 \ +man/man3/SSL_write.3 \ +man/man3/TS_VERIFY_CTX_set_certs.3 \ +man/man3/UI_STRING.3 \ +man/man3/UI_UTIL_read_pw.3 \ +man/man3/UI_create_method.3 \ +man/man3/UI_new.3 \ +man/man3/X509V3_get_d2i.3 \ +man/man3/X509V3_set_ctx.3 \ +man/man3/X509_ALGOR_dup.3 \ +man/man3/X509_CRL_get0_by_serial.3 \ +man/man3/X509_EXTENSION_set_object.3 \ +man/man3/X509_LOOKUP.3 \ +man/man3/X509_LOOKUP_hash_dir.3 \ +man/man3/X509_LOOKUP_meth_new.3 \ +man/man3/X509_NAME_ENTRY_get_object.3 \ +man/man3/X509_NAME_add_entry_by_txt.3 \ +man/man3/X509_NAME_get0_der.3 \ +man/man3/X509_NAME_get_index_by_NID.3 \ +man/man3/X509_NAME_print_ex.3 \ +man/man3/X509_PUBKEY_new.3 \ +man/man3/X509_SIG_get0.3 \ +man/man3/X509_STORE_CTX_get_error.3 \ +man/man3/X509_STORE_CTX_new.3 \ +man/man3/X509_STORE_CTX_set_verify_cb.3 \ +man/man3/X509_STORE_add_cert.3 \ +man/man3/X509_STORE_get0_param.3 \ +man/man3/X509_STORE_new.3 \ +man/man3/X509_STORE_set_verify_cb_func.3 \ +man/man3/X509_VERIFY_PARAM_set_flags.3 \ +man/man3/X509_add_cert.3 \ +man/man3/X509_check_ca.3 \ +man/man3/X509_check_host.3 \ +man/man3/X509_check_issued.3 \ +man/man3/X509_check_private_key.3 \ +man/man3/X509_check_purpose.3 \ +man/man3/X509_cmp.3 \ +man/man3/X509_cmp_time.3 \ +man/man3/X509_digest.3 \ +man/man3/X509_dup.3 \ +man/man3/X509_get0_distinguishing_id.3 \ +man/man3/X509_get0_notBefore.3 \ +man/man3/X509_get0_signature.3 \ +man/man3/X509_get0_uids.3 \ +man/man3/X509_get_extension_flags.3 \ +man/man3/X509_get_pubkey.3 \ +man/man3/X509_get_serialNumber.3 \ +man/man3/X509_get_subject_name.3 \ +man/man3/X509_get_version.3 \ +man/man3/X509_load_http.3 \ +man/man3/X509_new.3 \ +man/man3/X509_sign.3 \ +man/man3/X509_verify.3 \ +man/man3/X509_verify_cert.3 \ +man/man3/X509v3_get_ext_by_NID.3 \ +man/man3/d2i_PKCS8PrivateKey_bio.3 \ +man/man3/d2i_PrivateKey.3 \ +man/man3/d2i_RSAPrivateKey.3 \ +man/man3/d2i_SSL_SESSION.3 \ +man/man3/d2i_X509.3 \ +man/man3/i2d_CMS_bio_stream.3 \ +man/man3/i2d_PKCS7_bio_stream.3 \ +man/man3/i2d_re_X509_tbs.3 \ +man/man3/o2i_SCT_LIST.3 \ +man/man3/s2i_ASN1_IA5STRING.3 +DEPEND[html/man5/config.html]=man5/config.pod +GENERATE[html/man5/config.html]=man5/config.pod +DEPEND[man/man5/config.5]=man5/config.pod +GENERATE[man/man5/config.5]=man5/config.pod +DEPEND[html/man5/fips_config.html]=man5/fips_config.pod +GENERATE[html/man5/fips_config.html]=man5/fips_config.pod +DEPEND[man/man5/fips_config.5]=man5/fips_config.pod +GENERATE[man/man5/fips_config.5]=man5/fips_config.pod +DEPEND[html/man5/x509v3_config.html]=man5/x509v3_config.pod +GENERATE[html/man5/x509v3_config.html]=man5/x509v3_config.pod +DEPEND[man/man5/x509v3_config.5]=man5/x509v3_config.pod +GENERATE[man/man5/x509v3_config.5]=man5/x509v3_config.pod +HTMLDOCS[man5]=html/man5/config.html \ +html/man5/fips_config.html \ +html/man5/x509v3_config.html +MANDOCS[man5]=man/man5/config.5 \ +man/man5/fips_config.5 \ +man/man5/x509v3_config.5 +DEPEND[html/man7/EVP_ASYM_CIPHER-SM2.html]=man7/EVP_ASYM_CIPHER-SM2.pod +GENERATE[html/man7/EVP_ASYM_CIPHER-SM2.html]=man7/EVP_ASYM_CIPHER-SM2.pod +DEPEND[man/man7/EVP_ASYM_CIPHER-SM2.7]=man7/EVP_ASYM_CIPHER-SM2.pod +GENERATE[man/man7/EVP_ASYM_CIPHER-SM2.7]=man7/EVP_ASYM_CIPHER-SM2.pod +DEPEND[html/man7/EVP_KDF-HKDF.html]=man7/EVP_KDF-HKDF.pod +GENERATE[html/man7/EVP_KDF-HKDF.html]=man7/EVP_KDF-HKDF.pod +DEPEND[man/man7/EVP_KDF-HKDF.7]=man7/EVP_KDF-HKDF.pod +GENERATE[man/man7/EVP_KDF-HKDF.7]=man7/EVP_KDF-HKDF.pod +DEPEND[html/man7/EVP_KDF-KB.html]=man7/EVP_KDF-KB.pod +GENERATE[html/man7/EVP_KDF-KB.html]=man7/EVP_KDF-KB.pod +DEPEND[man/man7/EVP_KDF-KB.7]=man7/EVP_KDF-KB.pod +GENERATE[man/man7/EVP_KDF-KB.7]=man7/EVP_KDF-KB.pod +DEPEND[html/man7/EVP_KDF-KRB5KDF.html]=man7/EVP_KDF-KRB5KDF.pod +GENERATE[html/man7/EVP_KDF-KRB5KDF.html]=man7/EVP_KDF-KRB5KDF.pod +DEPEND[man/man7/EVP_KDF-KRB5KDF.7]=man7/EVP_KDF-KRB5KDF.pod +GENERATE[man/man7/EVP_KDF-KRB5KDF.7]=man7/EVP_KDF-KRB5KDF.pod +DEPEND[html/man7/EVP_KDF-PBKDF2.html]=man7/EVP_KDF-PBKDF2.pod +GENERATE[html/man7/EVP_KDF-PBKDF2.html]=man7/EVP_KDF-PBKDF2.pod +DEPEND[man/man7/EVP_KDF-PBKDF2.7]=man7/EVP_KDF-PBKDF2.pod +GENERATE[man/man7/EVP_KDF-PBKDF2.7]=man7/EVP_KDF-PBKDF2.pod +DEPEND[html/man7/EVP_KDF-PKCS12KDF.html]=man7/EVP_KDF-PKCS12KDF.pod +GENERATE[html/man7/EVP_KDF-PKCS12KDF.html]=man7/EVP_KDF-PKCS12KDF.pod +DEPEND[man/man7/EVP_KDF-PKCS12KDF.7]=man7/EVP_KDF-PKCS12KDF.pod +GENERATE[man/man7/EVP_KDF-PKCS12KDF.7]=man7/EVP_KDF-PKCS12KDF.pod +DEPEND[html/man7/EVP_KDF-SCRYPT.html]=man7/EVP_KDF-SCRYPT.pod +GENERATE[html/man7/EVP_KDF-SCRYPT.html]=man7/EVP_KDF-SCRYPT.pod +DEPEND[man/man7/EVP_KDF-SCRYPT.7]=man7/EVP_KDF-SCRYPT.pod +GENERATE[man/man7/EVP_KDF-SCRYPT.7]=man7/EVP_KDF-SCRYPT.pod +DEPEND[html/man7/EVP_KDF-SS.html]=man7/EVP_KDF-SS.pod +GENERATE[html/man7/EVP_KDF-SS.html]=man7/EVP_KDF-SS.pod +DEPEND[man/man7/EVP_KDF-SS.7]=man7/EVP_KDF-SS.pod +GENERATE[man/man7/EVP_KDF-SS.7]=man7/EVP_KDF-SS.pod +DEPEND[html/man7/EVP_KDF-SSHKDF.html]=man7/EVP_KDF-SSHKDF.pod +GENERATE[html/man7/EVP_KDF-SSHKDF.html]=man7/EVP_KDF-SSHKDF.pod +DEPEND[man/man7/EVP_KDF-SSHKDF.7]=man7/EVP_KDF-SSHKDF.pod +GENERATE[man/man7/EVP_KDF-SSHKDF.7]=man7/EVP_KDF-SSHKDF.pod +DEPEND[html/man7/EVP_KDF-TLS1_PRF.html]=man7/EVP_KDF-TLS1_PRF.pod +GENERATE[html/man7/EVP_KDF-TLS1_PRF.html]=man7/EVP_KDF-TLS1_PRF.pod +DEPEND[man/man7/EVP_KDF-TLS1_PRF.7]=man7/EVP_KDF-TLS1_PRF.pod +GENERATE[man/man7/EVP_KDF-TLS1_PRF.7]=man7/EVP_KDF-TLS1_PRF.pod +DEPEND[html/man7/EVP_KDF-X942-ASN1.html]=man7/EVP_KDF-X942-ASN1.pod +GENERATE[html/man7/EVP_KDF-X942-ASN1.html]=man7/EVP_KDF-X942-ASN1.pod +DEPEND[man/man7/EVP_KDF-X942-ASN1.7]=man7/EVP_KDF-X942-ASN1.pod +GENERATE[man/man7/EVP_KDF-X942-ASN1.7]=man7/EVP_KDF-X942-ASN1.pod +DEPEND[html/man7/EVP_KDF-X942-CONCAT.html]=man7/EVP_KDF-X942-CONCAT.pod +GENERATE[html/man7/EVP_KDF-X942-CONCAT.html]=man7/EVP_KDF-X942-CONCAT.pod +DEPEND[man/man7/EVP_KDF-X942-CONCAT.7]=man7/EVP_KDF-X942-CONCAT.pod +GENERATE[man/man7/EVP_KDF-X942-CONCAT.7]=man7/EVP_KDF-X942-CONCAT.pod +DEPEND[html/man7/EVP_KDF-X963.html]=man7/EVP_KDF-X963.pod +GENERATE[html/man7/EVP_KDF-X963.html]=man7/EVP_KDF-X963.pod +DEPEND[man/man7/EVP_KDF-X963.7]=man7/EVP_KDF-X963.pod +GENERATE[man/man7/EVP_KDF-X963.7]=man7/EVP_KDF-X963.pod +DEPEND[html/man7/EVP_KEM-RSA.html]=man7/EVP_KEM-RSA.pod +GENERATE[html/man7/EVP_KEM-RSA.html]=man7/EVP_KEM-RSA.pod +DEPEND[man/man7/EVP_KEM-RSA.7]=man7/EVP_KEM-RSA.pod +GENERATE[man/man7/EVP_KEM-RSA.7]=man7/EVP_KEM-RSA.pod +DEPEND[html/man7/EVP_KEYEXCH-DH.html]=man7/EVP_KEYEXCH-DH.pod +GENERATE[html/man7/EVP_KEYEXCH-DH.html]=man7/EVP_KEYEXCH-DH.pod +DEPEND[man/man7/EVP_KEYEXCH-DH.7]=man7/EVP_KEYEXCH-DH.pod +GENERATE[man/man7/EVP_KEYEXCH-DH.7]=man7/EVP_KEYEXCH-DH.pod +DEPEND[html/man7/EVP_KEYEXCH-ECDH.html]=man7/EVP_KEYEXCH-ECDH.pod +GENERATE[html/man7/EVP_KEYEXCH-ECDH.html]=man7/EVP_KEYEXCH-ECDH.pod +DEPEND[man/man7/EVP_KEYEXCH-ECDH.7]=man7/EVP_KEYEXCH-ECDH.pod +GENERATE[man/man7/EVP_KEYEXCH-ECDH.7]=man7/EVP_KEYEXCH-ECDH.pod +DEPEND[html/man7/EVP_KEYEXCH-X25519.html]=man7/EVP_KEYEXCH-X25519.pod +GENERATE[html/man7/EVP_KEYEXCH-X25519.html]=man7/EVP_KEYEXCH-X25519.pod +DEPEND[man/man7/EVP_KEYEXCH-X25519.7]=man7/EVP_KEYEXCH-X25519.pod +GENERATE[man/man7/EVP_KEYEXCH-X25519.7]=man7/EVP_KEYEXCH-X25519.pod +DEPEND[html/man7/EVP_MAC-BLAKE2.html]=man7/EVP_MAC-BLAKE2.pod +GENERATE[html/man7/EVP_MAC-BLAKE2.html]=man7/EVP_MAC-BLAKE2.pod +DEPEND[man/man7/EVP_MAC-BLAKE2.7]=man7/EVP_MAC-BLAKE2.pod +GENERATE[man/man7/EVP_MAC-BLAKE2.7]=man7/EVP_MAC-BLAKE2.pod +DEPEND[html/man7/EVP_MAC-CMAC.html]=man7/EVP_MAC-CMAC.pod +GENERATE[html/man7/EVP_MAC-CMAC.html]=man7/EVP_MAC-CMAC.pod +DEPEND[man/man7/EVP_MAC-CMAC.7]=man7/EVP_MAC-CMAC.pod +GENERATE[man/man7/EVP_MAC-CMAC.7]=man7/EVP_MAC-CMAC.pod +DEPEND[html/man7/EVP_MAC-GMAC.html]=man7/EVP_MAC-GMAC.pod +GENERATE[html/man7/EVP_MAC-GMAC.html]=man7/EVP_MAC-GMAC.pod +DEPEND[man/man7/EVP_MAC-GMAC.7]=man7/EVP_MAC-GMAC.pod +GENERATE[man/man7/EVP_MAC-GMAC.7]=man7/EVP_MAC-GMAC.pod +DEPEND[html/man7/EVP_MAC-HMAC.html]=man7/EVP_MAC-HMAC.pod +GENERATE[html/man7/EVP_MAC-HMAC.html]=man7/EVP_MAC-HMAC.pod +DEPEND[man/man7/EVP_MAC-HMAC.7]=man7/EVP_MAC-HMAC.pod +GENERATE[man/man7/EVP_MAC-HMAC.7]=man7/EVP_MAC-HMAC.pod +DEPEND[html/man7/EVP_MAC-KMAC.html]=man7/EVP_MAC-KMAC.pod +GENERATE[html/man7/EVP_MAC-KMAC.html]=man7/EVP_MAC-KMAC.pod +DEPEND[man/man7/EVP_MAC-KMAC.7]=man7/EVP_MAC-KMAC.pod +GENERATE[man/man7/EVP_MAC-KMAC.7]=man7/EVP_MAC-KMAC.pod +DEPEND[html/man7/EVP_MAC-Poly1305.html]=man7/EVP_MAC-Poly1305.pod +GENERATE[html/man7/EVP_MAC-Poly1305.html]=man7/EVP_MAC-Poly1305.pod +DEPEND[man/man7/EVP_MAC-Poly1305.7]=man7/EVP_MAC-Poly1305.pod +GENERATE[man/man7/EVP_MAC-Poly1305.7]=man7/EVP_MAC-Poly1305.pod +DEPEND[html/man7/EVP_MAC-Siphash.html]=man7/EVP_MAC-Siphash.pod +GENERATE[html/man7/EVP_MAC-Siphash.html]=man7/EVP_MAC-Siphash.pod +DEPEND[man/man7/EVP_MAC-Siphash.7]=man7/EVP_MAC-Siphash.pod +GENERATE[man/man7/EVP_MAC-Siphash.7]=man7/EVP_MAC-Siphash.pod +DEPEND[html/man7/EVP_MD-BLAKE2.html]=man7/EVP_MD-BLAKE2.pod +GENERATE[html/man7/EVP_MD-BLAKE2.html]=man7/EVP_MD-BLAKE2.pod +DEPEND[man/man7/EVP_MD-BLAKE2.7]=man7/EVP_MD-BLAKE2.pod +GENERATE[man/man7/EVP_MD-BLAKE2.7]=man7/EVP_MD-BLAKE2.pod +DEPEND[html/man7/EVP_MD-MD2.html]=man7/EVP_MD-MD2.pod +GENERATE[html/man7/EVP_MD-MD2.html]=man7/EVP_MD-MD2.pod +DEPEND[man/man7/EVP_MD-MD2.7]=man7/EVP_MD-MD2.pod +GENERATE[man/man7/EVP_MD-MD2.7]=man7/EVP_MD-MD2.pod +DEPEND[html/man7/EVP_MD-MD4.html]=man7/EVP_MD-MD4.pod +GENERATE[html/man7/EVP_MD-MD4.html]=man7/EVP_MD-MD4.pod +DEPEND[man/man7/EVP_MD-MD4.7]=man7/EVP_MD-MD4.pod +GENERATE[man/man7/EVP_MD-MD4.7]=man7/EVP_MD-MD4.pod +DEPEND[html/man7/EVP_MD-MD5-SHA1.html]=man7/EVP_MD-MD5-SHA1.pod +GENERATE[html/man7/EVP_MD-MD5-SHA1.html]=man7/EVP_MD-MD5-SHA1.pod +DEPEND[man/man7/EVP_MD-MD5-SHA1.7]=man7/EVP_MD-MD5-SHA1.pod +GENERATE[man/man7/EVP_MD-MD5-SHA1.7]=man7/EVP_MD-MD5-SHA1.pod +DEPEND[html/man7/EVP_MD-MD5.html]=man7/EVP_MD-MD5.pod +GENERATE[html/man7/EVP_MD-MD5.html]=man7/EVP_MD-MD5.pod +DEPEND[man/man7/EVP_MD-MD5.7]=man7/EVP_MD-MD5.pod +GENERATE[man/man7/EVP_MD-MD5.7]=man7/EVP_MD-MD5.pod +DEPEND[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod +GENERATE[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod +DEPEND[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod +GENERATE[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod +DEPEND[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod +GENERATE[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod +DEPEND[man/man7/EVP_MD-RIPEMD160.7]=man7/EVP_MD-RIPEMD160.pod +GENERATE[man/man7/EVP_MD-RIPEMD160.7]=man7/EVP_MD-RIPEMD160.pod +DEPEND[html/man7/EVP_MD-SHA1.html]=man7/EVP_MD-SHA1.pod +GENERATE[html/man7/EVP_MD-SHA1.html]=man7/EVP_MD-SHA1.pod +DEPEND[man/man7/EVP_MD-SHA1.7]=man7/EVP_MD-SHA1.pod +GENERATE[man/man7/EVP_MD-SHA1.7]=man7/EVP_MD-SHA1.pod +DEPEND[html/man7/EVP_MD-SHA2.html]=man7/EVP_MD-SHA2.pod +GENERATE[html/man7/EVP_MD-SHA2.html]=man7/EVP_MD-SHA2.pod +DEPEND[man/man7/EVP_MD-SHA2.7]=man7/EVP_MD-SHA2.pod +GENERATE[man/man7/EVP_MD-SHA2.7]=man7/EVP_MD-SHA2.pod +DEPEND[html/man7/EVP_MD-SHA3.html]=man7/EVP_MD-SHA3.pod +GENERATE[html/man7/EVP_MD-SHA3.html]=man7/EVP_MD-SHA3.pod +DEPEND[man/man7/EVP_MD-SHA3.7]=man7/EVP_MD-SHA3.pod +GENERATE[man/man7/EVP_MD-SHA3.7]=man7/EVP_MD-SHA3.pod +DEPEND[html/man7/EVP_MD-SHAKE.html]=man7/EVP_MD-SHAKE.pod +GENERATE[html/man7/EVP_MD-SHAKE.html]=man7/EVP_MD-SHAKE.pod +DEPEND[man/man7/EVP_MD-SHAKE.7]=man7/EVP_MD-SHAKE.pod +GENERATE[man/man7/EVP_MD-SHAKE.7]=man7/EVP_MD-SHAKE.pod +DEPEND[html/man7/EVP_MD-SM3.html]=man7/EVP_MD-SM3.pod +GENERATE[html/man7/EVP_MD-SM3.html]=man7/EVP_MD-SM3.pod +DEPEND[man/man7/EVP_MD-SM3.7]=man7/EVP_MD-SM3.pod +GENERATE[man/man7/EVP_MD-SM3.7]=man7/EVP_MD-SM3.pod +DEPEND[html/man7/EVP_MD-WHIRLPOOL.html]=man7/EVP_MD-WHIRLPOOL.pod +GENERATE[html/man7/EVP_MD-WHIRLPOOL.html]=man7/EVP_MD-WHIRLPOOL.pod +DEPEND[man/man7/EVP_MD-WHIRLPOOL.7]=man7/EVP_MD-WHIRLPOOL.pod +GENERATE[man/man7/EVP_MD-WHIRLPOOL.7]=man7/EVP_MD-WHIRLPOOL.pod +DEPEND[html/man7/EVP_MD-common.html]=man7/EVP_MD-common.pod +GENERATE[html/man7/EVP_MD-common.html]=man7/EVP_MD-common.pod +DEPEND[man/man7/EVP_MD-common.7]=man7/EVP_MD-common.pod +GENERATE[man/man7/EVP_MD-common.7]=man7/EVP_MD-common.pod +DEPEND[html/man7/EVP_PKEY-DH.html]=man7/EVP_PKEY-DH.pod +GENERATE[html/man7/EVP_PKEY-DH.html]=man7/EVP_PKEY-DH.pod +DEPEND[man/man7/EVP_PKEY-DH.7]=man7/EVP_PKEY-DH.pod +GENERATE[man/man7/EVP_PKEY-DH.7]=man7/EVP_PKEY-DH.pod +DEPEND[html/man7/EVP_PKEY-DSA.html]=man7/EVP_PKEY-DSA.pod +GENERATE[html/man7/EVP_PKEY-DSA.html]=man7/EVP_PKEY-DSA.pod +DEPEND[man/man7/EVP_PKEY-DSA.7]=man7/EVP_PKEY-DSA.pod +GENERATE[man/man7/EVP_PKEY-DSA.7]=man7/EVP_PKEY-DSA.pod +DEPEND[html/man7/EVP_PKEY-EC.html]=man7/EVP_PKEY-EC.pod +GENERATE[html/man7/EVP_PKEY-EC.html]=man7/EVP_PKEY-EC.pod +DEPEND[man/man7/EVP_PKEY-EC.7]=man7/EVP_PKEY-EC.pod +GENERATE[man/man7/EVP_PKEY-EC.7]=man7/EVP_PKEY-EC.pod +DEPEND[html/man7/EVP_PKEY-FFC.html]=man7/EVP_PKEY-FFC.pod +GENERATE[html/man7/EVP_PKEY-FFC.html]=man7/EVP_PKEY-FFC.pod +DEPEND[man/man7/EVP_PKEY-FFC.7]=man7/EVP_PKEY-FFC.pod +GENERATE[man/man7/EVP_PKEY-FFC.7]=man7/EVP_PKEY-FFC.pod +DEPEND[html/man7/EVP_PKEY-HMAC.html]=man7/EVP_PKEY-HMAC.pod +GENERATE[html/man7/EVP_PKEY-HMAC.html]=man7/EVP_PKEY-HMAC.pod +DEPEND[man/man7/EVP_PKEY-HMAC.7]=man7/EVP_PKEY-HMAC.pod +GENERATE[man/man7/EVP_PKEY-HMAC.7]=man7/EVP_PKEY-HMAC.pod +DEPEND[html/man7/EVP_PKEY-RSA.html]=man7/EVP_PKEY-RSA.pod +GENERATE[html/man7/EVP_PKEY-RSA.html]=man7/EVP_PKEY-RSA.pod +DEPEND[man/man7/EVP_PKEY-RSA.7]=man7/EVP_PKEY-RSA.pod +GENERATE[man/man7/EVP_PKEY-RSA.7]=man7/EVP_PKEY-RSA.pod +DEPEND[html/man7/EVP_PKEY-SM2.html]=man7/EVP_PKEY-SM2.pod +GENERATE[html/man7/EVP_PKEY-SM2.html]=man7/EVP_PKEY-SM2.pod +DEPEND[man/man7/EVP_PKEY-SM2.7]=man7/EVP_PKEY-SM2.pod +GENERATE[man/man7/EVP_PKEY-SM2.7]=man7/EVP_PKEY-SM2.pod +DEPEND[html/man7/EVP_PKEY-X25519.html]=man7/EVP_PKEY-X25519.pod +GENERATE[html/man7/EVP_PKEY-X25519.html]=man7/EVP_PKEY-X25519.pod +DEPEND[man/man7/EVP_PKEY-X25519.7]=man7/EVP_PKEY-X25519.pod +GENERATE[man/man7/EVP_PKEY-X25519.7]=man7/EVP_PKEY-X25519.pod +DEPEND[html/man7/EVP_RAND-CTR-DRBG.html]=man7/EVP_RAND-CTR-DRBG.pod +GENERATE[html/man7/EVP_RAND-CTR-DRBG.html]=man7/EVP_RAND-CTR-DRBG.pod +DEPEND[man/man7/EVP_RAND-CTR-DRBG.7]=man7/EVP_RAND-CTR-DRBG.pod +GENERATE[man/man7/EVP_RAND-CTR-DRBG.7]=man7/EVP_RAND-CTR-DRBG.pod +DEPEND[html/man7/EVP_RAND-HASH-DRBG.html]=man7/EVP_RAND-HASH-DRBG.pod +GENERATE[html/man7/EVP_RAND-HASH-DRBG.html]=man7/EVP_RAND-HASH-DRBG.pod +DEPEND[man/man7/EVP_RAND-HASH-DRBG.7]=man7/EVP_RAND-HASH-DRBG.pod +GENERATE[man/man7/EVP_RAND-HASH-DRBG.7]=man7/EVP_RAND-HASH-DRBG.pod +DEPEND[html/man7/EVP_RAND-HMAC-DRBG.html]=man7/EVP_RAND-HMAC-DRBG.pod +GENERATE[html/man7/EVP_RAND-HMAC-DRBG.html]=man7/EVP_RAND-HMAC-DRBG.pod +DEPEND[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod +GENERATE[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod +DEPEND[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod +GENERATE[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod +DEPEND[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod +GENERATE[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod +DEPEND[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod +GENERATE[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod +DEPEND[man/man7/EVP_RAND-TEST-RAND.7]=man7/EVP_RAND-TEST-RAND.pod +GENERATE[man/man7/EVP_RAND-TEST-RAND.7]=man7/EVP_RAND-TEST-RAND.pod +DEPEND[html/man7/EVP_RAND.html]=man7/EVP_RAND.pod +GENERATE[html/man7/EVP_RAND.html]=man7/EVP_RAND.pod +DEPEND[man/man7/EVP_RAND.7]=man7/EVP_RAND.pod +GENERATE[man/man7/EVP_RAND.7]=man7/EVP_RAND.pod +DEPEND[html/man7/EVP_SIGNATURE-DSA.html]=man7/EVP_SIGNATURE-DSA.pod +GENERATE[html/man7/EVP_SIGNATURE-DSA.html]=man7/EVP_SIGNATURE-DSA.pod +DEPEND[man/man7/EVP_SIGNATURE-DSA.7]=man7/EVP_SIGNATURE-DSA.pod +GENERATE[man/man7/EVP_SIGNATURE-DSA.7]=man7/EVP_SIGNATURE-DSA.pod +DEPEND[html/man7/EVP_SIGNATURE-ECDSA.html]=man7/EVP_SIGNATURE-ECDSA.pod +GENERATE[html/man7/EVP_SIGNATURE-ECDSA.html]=man7/EVP_SIGNATURE-ECDSA.pod +DEPEND[man/man7/EVP_SIGNATURE-ECDSA.7]=man7/EVP_SIGNATURE-ECDSA.pod +GENERATE[man/man7/EVP_SIGNATURE-ECDSA.7]=man7/EVP_SIGNATURE-ECDSA.pod +DEPEND[html/man7/EVP_SIGNATURE-ED25519.html]=man7/EVP_SIGNATURE-ED25519.pod +GENERATE[html/man7/EVP_SIGNATURE-ED25519.html]=man7/EVP_SIGNATURE-ED25519.pod +DEPEND[man/man7/EVP_SIGNATURE-ED25519.7]=man7/EVP_SIGNATURE-ED25519.pod +GENERATE[man/man7/EVP_SIGNATURE-ED25519.7]=man7/EVP_SIGNATURE-ED25519.pod +DEPEND[html/man7/EVP_SIGNATURE-HMAC.html]=man7/EVP_SIGNATURE-HMAC.pod +GENERATE[html/man7/EVP_SIGNATURE-HMAC.html]=man7/EVP_SIGNATURE-HMAC.pod +DEPEND[man/man7/EVP_SIGNATURE-HMAC.7]=man7/EVP_SIGNATURE-HMAC.pod +GENERATE[man/man7/EVP_SIGNATURE-HMAC.7]=man7/EVP_SIGNATURE-HMAC.pod +DEPEND[html/man7/EVP_SIGNATURE-RSA.html]=man7/EVP_SIGNATURE-RSA.pod +GENERATE[html/man7/EVP_SIGNATURE-RSA.html]=man7/EVP_SIGNATURE-RSA.pod +DEPEND[man/man7/EVP_SIGNATURE-RSA.7]=man7/EVP_SIGNATURE-RSA.pod +GENERATE[man/man7/EVP_SIGNATURE-RSA.7]=man7/EVP_SIGNATURE-RSA.pod +DEPEND[html/man7/OSSL_PROVIDER-FIPS.html]=man7/OSSL_PROVIDER-FIPS.pod +GENERATE[html/man7/OSSL_PROVIDER-FIPS.html]=man7/OSSL_PROVIDER-FIPS.pod +DEPEND[man/man7/OSSL_PROVIDER-FIPS.7]=man7/OSSL_PROVIDER-FIPS.pod +GENERATE[man/man7/OSSL_PROVIDER-FIPS.7]=man7/OSSL_PROVIDER-FIPS.pod +DEPEND[html/man7/OSSL_PROVIDER-base.html]=man7/OSSL_PROVIDER-base.pod +GENERATE[html/man7/OSSL_PROVIDER-base.html]=man7/OSSL_PROVIDER-base.pod +DEPEND[man/man7/OSSL_PROVIDER-base.7]=man7/OSSL_PROVIDER-base.pod +GENERATE[man/man7/OSSL_PROVIDER-base.7]=man7/OSSL_PROVIDER-base.pod +DEPEND[html/man7/OSSL_PROVIDER-default.html]=man7/OSSL_PROVIDER-default.pod +GENERATE[html/man7/OSSL_PROVIDER-default.html]=man7/OSSL_PROVIDER-default.pod +DEPEND[man/man7/OSSL_PROVIDER-default.7]=man7/OSSL_PROVIDER-default.pod +GENERATE[man/man7/OSSL_PROVIDER-default.7]=man7/OSSL_PROVIDER-default.pod +DEPEND[html/man7/OSSL_PROVIDER-legacy.html]=man7/OSSL_PROVIDER-legacy.pod +GENERATE[html/man7/OSSL_PROVIDER-legacy.html]=man7/OSSL_PROVIDER-legacy.pod +DEPEND[man/man7/OSSL_PROVIDER-legacy.7]=man7/OSSL_PROVIDER-legacy.pod +GENERATE[man/man7/OSSL_PROVIDER-legacy.7]=man7/OSSL_PROVIDER-legacy.pod +DEPEND[html/man7/OSSL_PROVIDER-null.html]=man7/OSSL_PROVIDER-null.pod +GENERATE[html/man7/OSSL_PROVIDER-null.html]=man7/OSSL_PROVIDER-null.pod +DEPEND[man/man7/OSSL_PROVIDER-null.7]=man7/OSSL_PROVIDER-null.pod +GENERATE[man/man7/OSSL_PROVIDER-null.7]=man7/OSSL_PROVIDER-null.pod +DEPEND[html/man7/RAND.html]=man7/RAND.pod +GENERATE[html/man7/RAND.html]=man7/RAND.pod +DEPEND[man/man7/RAND.7]=man7/RAND.pod +GENERATE[man/man7/RAND.7]=man7/RAND.pod +DEPEND[html/man7/RSA-PSS.html]=man7/RSA-PSS.pod +GENERATE[html/man7/RSA-PSS.html]=man7/RSA-PSS.pod +DEPEND[man/man7/RSA-PSS.7]=man7/RSA-PSS.pod +GENERATE[man/man7/RSA-PSS.7]=man7/RSA-PSS.pod +DEPEND[html/man7/X25519.html]=man7/X25519.pod +GENERATE[html/man7/X25519.html]=man7/X25519.pod +DEPEND[man/man7/X25519.7]=man7/X25519.pod +GENERATE[man/man7/X25519.7]=man7/X25519.pod +DEPEND[html/man7/bio.html]=man7/bio.pod +GENERATE[html/man7/bio.html]=man7/bio.pod +DEPEND[man/man7/bio.7]=man7/bio.pod +GENERATE[man/man7/bio.7]=man7/bio.pod +DEPEND[html/man7/crypto.html]=man7/crypto.pod +GENERATE[html/man7/crypto.html]=man7/crypto.pod +DEPEND[man/man7/crypto.7]=man7/crypto.pod +GENERATE[man/man7/crypto.7]=man7/crypto.pod +DEPEND[html/man7/ct.html]=man7/ct.pod +GENERATE[html/man7/ct.html]=man7/ct.pod +DEPEND[man/man7/ct.7]=man7/ct.pod +GENERATE[man/man7/ct.7]=man7/ct.pod +DEPEND[html/man7/des_modes.html]=man7/des_modes.pod +GENERATE[html/man7/des_modes.html]=man7/des_modes.pod +DEPEND[man/man7/des_modes.7]=man7/des_modes.pod +GENERATE[man/man7/des_modes.7]=man7/des_modes.pod +DEPEND[html/man7/evp.html]=man7/evp.pod +GENERATE[html/man7/evp.html]=man7/evp.pod +DEPEND[man/man7/evp.7]=man7/evp.pod +GENERATE[man/man7/evp.7]=man7/evp.pod +DEPEND[html/man7/openssl-core.h.html]=man7/openssl-core.h.pod +GENERATE[html/man7/openssl-core.h.html]=man7/openssl-core.h.pod +DEPEND[man/man7/openssl-core.h.7]=man7/openssl-core.h.pod +GENERATE[man/man7/openssl-core.h.7]=man7/openssl-core.h.pod +DEPEND[html/man7/openssl-core_dispatch.h.html]=man7/openssl-core_dispatch.h.pod +GENERATE[html/man7/openssl-core_dispatch.h.html]=man7/openssl-core_dispatch.h.pod +DEPEND[man/man7/openssl-core_dispatch.h.7]=man7/openssl-core_dispatch.h.pod +GENERATE[man/man7/openssl-core_dispatch.h.7]=man7/openssl-core_dispatch.h.pod +DEPEND[html/man7/openssl-core_names.h.html]=man7/openssl-core_names.h.pod +GENERATE[html/man7/openssl-core_names.h.html]=man7/openssl-core_names.h.pod +DEPEND[man/man7/openssl-core_names.h.7]=man7/openssl-core_names.h.pod +GENERATE[man/man7/openssl-core_names.h.7]=man7/openssl-core_names.h.pod +DEPEND[html/man7/openssl-env.html]=man7/openssl-env.pod +GENERATE[html/man7/openssl-env.html]=man7/openssl-env.pod +DEPEND[man/man7/openssl-env.7]=man7/openssl-env.pod +GENERATE[man/man7/openssl-env.7]=man7/openssl-env.pod +DEPEND[html/man7/openssl-glossary.html]=man7/openssl-glossary.pod +GENERATE[html/man7/openssl-glossary.html]=man7/openssl-glossary.pod +DEPEND[man/man7/openssl-glossary.7]=man7/openssl-glossary.pod +GENERATE[man/man7/openssl-glossary.7]=man7/openssl-glossary.pod +DEPEND[html/man7/openssl-threads.html]=man7/openssl-threads.pod +GENERATE[html/man7/openssl-threads.html]=man7/openssl-threads.pod +DEPEND[man/man7/openssl-threads.7]=man7/openssl-threads.pod +GENERATE[man/man7/openssl-threads.7]=man7/openssl-threads.pod +DEPEND[html/man7/openssl_user_macros.html]=man7/openssl_user_macros.pod +GENERATE[html/man7/openssl_user_macros.html]=man7/openssl_user_macros.pod +DEPEND[man/man7/openssl_user_macros.7]=man7/openssl_user_macros.pod +GENERATE[man/man7/openssl_user_macros.7]=man7/openssl_user_macros.pod +DEPEND[man7/openssl_user_macros.pod]{pod}=man7/openssl_user_macros.pod.in +GENERATE[man7/openssl_user_macros.pod]=man7/openssl_user_macros.pod.in +DEPEND[html/man7/ossl_store-file.html]=man7/ossl_store-file.pod +GENERATE[html/man7/ossl_store-file.html]=man7/ossl_store-file.pod +DEPEND[man/man7/ossl_store-file.7]=man7/ossl_store-file.pod +GENERATE[man/man7/ossl_store-file.7]=man7/ossl_store-file.pod +DEPEND[html/man7/ossl_store.html]=man7/ossl_store.pod +GENERATE[html/man7/ossl_store.html]=man7/ossl_store.pod +DEPEND[man/man7/ossl_store.7]=man7/ossl_store.pod +GENERATE[man/man7/ossl_store.7]=man7/ossl_store.pod +DEPEND[html/man7/passphrase-encoding.html]=man7/passphrase-encoding.pod +GENERATE[html/man7/passphrase-encoding.html]=man7/passphrase-encoding.pod +DEPEND[man/man7/passphrase-encoding.7]=man7/passphrase-encoding.pod +GENERATE[man/man7/passphrase-encoding.7]=man7/passphrase-encoding.pod +DEPEND[html/man7/property.html]=man7/property.pod +GENERATE[html/man7/property.html]=man7/property.pod +DEPEND[man/man7/property.7]=man7/property.pod +GENERATE[man/man7/property.7]=man7/property.pod +DEPEND[html/man7/provider-asym_cipher.html]=man7/provider-asym_cipher.pod +GENERATE[html/man7/provider-asym_cipher.html]=man7/provider-asym_cipher.pod +DEPEND[man/man7/provider-asym_cipher.7]=man7/provider-asym_cipher.pod +GENERATE[man/man7/provider-asym_cipher.7]=man7/provider-asym_cipher.pod +DEPEND[html/man7/provider-base.html]=man7/provider-base.pod +GENERATE[html/man7/provider-base.html]=man7/provider-base.pod +DEPEND[man/man7/provider-base.7]=man7/provider-base.pod +GENERATE[man/man7/provider-base.7]=man7/provider-base.pod +DEPEND[html/man7/provider-cipher.html]=man7/provider-cipher.pod +GENERATE[html/man7/provider-cipher.html]=man7/provider-cipher.pod +DEPEND[man/man7/provider-cipher.7]=man7/provider-cipher.pod +GENERATE[man/man7/provider-cipher.7]=man7/provider-cipher.pod +DEPEND[html/man7/provider-digest.html]=man7/provider-digest.pod +GENERATE[html/man7/provider-digest.html]=man7/provider-digest.pod +DEPEND[man/man7/provider-digest.7]=man7/provider-digest.pod +GENERATE[man/man7/provider-digest.7]=man7/provider-digest.pod +DEPEND[html/man7/provider-encoder.html]=man7/provider-encoder.pod +GENERATE[html/man7/provider-encoder.html]=man7/provider-encoder.pod +DEPEND[man/man7/provider-encoder.7]=man7/provider-encoder.pod +GENERATE[man/man7/provider-encoder.7]=man7/provider-encoder.pod +DEPEND[html/man7/provider-kdf.html]=man7/provider-kdf.pod +GENERATE[html/man7/provider-kdf.html]=man7/provider-kdf.pod +DEPEND[man/man7/provider-kdf.7]=man7/provider-kdf.pod +GENERATE[man/man7/provider-kdf.7]=man7/provider-kdf.pod +DEPEND[html/man7/provider-kem.html]=man7/provider-kem.pod +GENERATE[html/man7/provider-kem.html]=man7/provider-kem.pod +DEPEND[man/man7/provider-kem.7]=man7/provider-kem.pod +GENERATE[man/man7/provider-kem.7]=man7/provider-kem.pod +DEPEND[html/man7/provider-keyexch.html]=man7/provider-keyexch.pod +GENERATE[html/man7/provider-keyexch.html]=man7/provider-keyexch.pod +DEPEND[man/man7/provider-keyexch.7]=man7/provider-keyexch.pod +GENERATE[man/man7/provider-keyexch.7]=man7/provider-keyexch.pod +DEPEND[html/man7/provider-keymgmt.html]=man7/provider-keymgmt.pod +GENERATE[html/man7/provider-keymgmt.html]=man7/provider-keymgmt.pod +DEPEND[man/man7/provider-keymgmt.7]=man7/provider-keymgmt.pod +GENERATE[man/man7/provider-keymgmt.7]=man7/provider-keymgmt.pod +DEPEND[html/man7/provider-mac.html]=man7/provider-mac.pod +GENERATE[html/man7/provider-mac.html]=man7/provider-mac.pod +DEPEND[man/man7/provider-mac.7]=man7/provider-mac.pod +GENERATE[man/man7/provider-mac.7]=man7/provider-mac.pod +DEPEND[html/man7/provider-object.html]=man7/provider-object.pod +GENERATE[html/man7/provider-object.html]=man7/provider-object.pod +DEPEND[man/man7/provider-object.7]=man7/provider-object.pod +GENERATE[man/man7/provider-object.7]=man7/provider-object.pod +DEPEND[html/man7/provider-rand.html]=man7/provider-rand.pod +GENERATE[html/man7/provider-rand.html]=man7/provider-rand.pod +DEPEND[man/man7/provider-rand.7]=man7/provider-rand.pod +GENERATE[man/man7/provider-rand.7]=man7/provider-rand.pod +DEPEND[html/man7/provider-signature.html]=man7/provider-signature.pod +GENERATE[html/man7/provider-signature.html]=man7/provider-signature.pod +DEPEND[man/man7/provider-signature.7]=man7/provider-signature.pod +GENERATE[man/man7/provider-signature.7]=man7/provider-signature.pod +DEPEND[html/man7/provider-storemgmt.html]=man7/provider-storemgmt.pod +GENERATE[html/man7/provider-storemgmt.html]=man7/provider-storemgmt.pod +DEPEND[man/man7/provider-storemgmt.7]=man7/provider-storemgmt.pod +GENERATE[man/man7/provider-storemgmt.7]=man7/provider-storemgmt.pod +DEPEND[html/man7/provider.html]=man7/provider.pod +GENERATE[html/man7/provider.html]=man7/provider.pod +DEPEND[man/man7/provider.7]=man7/provider.pod +GENERATE[man/man7/provider.7]=man7/provider.pod +DEPEND[html/man7/proxy-certificates.html]=man7/proxy-certificates.pod +GENERATE[html/man7/proxy-certificates.html]=man7/proxy-certificates.pod +DEPEND[man/man7/proxy-certificates.7]=man7/proxy-certificates.pod +GENERATE[man/man7/proxy-certificates.7]=man7/proxy-certificates.pod +DEPEND[html/man7/ssl.html]=man7/ssl.pod +GENERATE[html/man7/ssl.html]=man7/ssl.pod +DEPEND[man/man7/ssl.7]=man7/ssl.pod +GENERATE[man/man7/ssl.7]=man7/ssl.pod +DEPEND[html/man7/x509.html]=man7/x509.pod +GENERATE[html/man7/x509.html]=man7/x509.pod +DEPEND[man/man7/x509.7]=man7/x509.pod +GENERATE[man/man7/x509.7]=man7/x509.pod +HTMLDOCS[man7]=html/man7/EVP_ASYM_CIPHER-SM2.html \ +html/man7/EVP_KDF-HKDF.html \ +html/man7/EVP_KDF-KB.html \ +html/man7/EVP_KDF-KRB5KDF.html \ +html/man7/EVP_KDF-PBKDF2.html \ +html/man7/EVP_KDF-PKCS12KDF.html \ +html/man7/EVP_KDF-SCRYPT.html \ +html/man7/EVP_KDF-SS.html \ +html/man7/EVP_KDF-SSHKDF.html \ +html/man7/EVP_KDF-TLS1_PRF.html \ +html/man7/EVP_KDF-X942-ASN1.html \ +html/man7/EVP_KDF-X942-CONCAT.html \ +html/man7/EVP_KDF-X963.html \ +html/man7/EVP_KEM-RSA.html \ +html/man7/EVP_KEYEXCH-DH.html \ +html/man7/EVP_KEYEXCH-ECDH.html \ +html/man7/EVP_KEYEXCH-X25519.html \ +html/man7/EVP_MAC-BLAKE2.html \ +html/man7/EVP_MAC-CMAC.html \ +html/man7/EVP_MAC-GMAC.html \ +html/man7/EVP_MAC-HMAC.html \ +html/man7/EVP_MAC-KMAC.html \ +html/man7/EVP_MAC-Poly1305.html \ +html/man7/EVP_MAC-Siphash.html \ +html/man7/EVP_MD-BLAKE2.html \ +html/man7/EVP_MD-MD2.html \ +html/man7/EVP_MD-MD4.html \ +html/man7/EVP_MD-MD5-SHA1.html \ +html/man7/EVP_MD-MD5.html \ +html/man7/EVP_MD-MDC2.html \ +html/man7/EVP_MD-RIPEMD160.html \ +html/man7/EVP_MD-SHA1.html \ +html/man7/EVP_MD-SHA2.html \ +html/man7/EVP_MD-SHA3.html \ +html/man7/EVP_MD-SHAKE.html \ +html/man7/EVP_MD-SM3.html \ +html/man7/EVP_MD-WHIRLPOOL.html \ +html/man7/EVP_MD-common.html \ +html/man7/EVP_PKEY-DH.html \ +html/man7/EVP_PKEY-DSA.html \ +html/man7/EVP_PKEY-EC.html \ +html/man7/EVP_PKEY-FFC.html \ +html/man7/EVP_PKEY-HMAC.html \ +html/man7/EVP_PKEY-RSA.html \ +html/man7/EVP_PKEY-SM2.html \ +html/man7/EVP_PKEY-X25519.html \ +html/man7/EVP_RAND-CTR-DRBG.html \ +html/man7/EVP_RAND-HASH-DRBG.html \ +html/man7/EVP_RAND-HMAC-DRBG.html \ +html/man7/EVP_RAND-SEED-SRC.html \ +html/man7/EVP_RAND-TEST-RAND.html \ +html/man7/EVP_RAND.html \ +html/man7/EVP_SIGNATURE-DSA.html \ +html/man7/EVP_SIGNATURE-ECDSA.html \ +html/man7/EVP_SIGNATURE-ED25519.html \ +html/man7/EVP_SIGNATURE-HMAC.html \ +html/man7/EVP_SIGNATURE-RSA.html \ +html/man7/OSSL_PROVIDER-FIPS.html \ +html/man7/OSSL_PROVIDER-base.html \ +html/man7/OSSL_PROVIDER-default.html \ +html/man7/OSSL_PROVIDER-legacy.html \ +html/man7/OSSL_PROVIDER-null.html \ +html/man7/RAND.html \ +html/man7/RSA-PSS.html \ +html/man7/X25519.html \ +html/man7/bio.html \ +html/man7/crypto.html \ +html/man7/ct.html \ +html/man7/des_modes.html \ +html/man7/evp.html \ +html/man7/openssl-core.h.html \ +html/man7/openssl-core_dispatch.h.html \ +html/man7/openssl-core_names.h.html \ +html/man7/openssl-env.html \ +html/man7/openssl-glossary.html \ +html/man7/openssl-threads.html \ +html/man7/openssl_user_macros.html \ +html/man7/ossl_store-file.html \ +html/man7/ossl_store.html \ +html/man7/passphrase-encoding.html \ +html/man7/property.html \ +html/man7/provider-asym_cipher.html \ +html/man7/provider-base.html \ +html/man7/provider-cipher.html \ +html/man7/provider-digest.html \ +html/man7/provider-encoder.html \ +html/man7/provider-kdf.html \ +html/man7/provider-kem.html \ +html/man7/provider-keyexch.html \ +html/man7/provider-keymgmt.html \ +html/man7/provider-mac.html \ +html/man7/provider-object.html \ +html/man7/provider-rand.html \ +html/man7/provider-signature.html \ +html/man7/provider-storemgmt.html \ +html/man7/provider.html \ +html/man7/proxy-certificates.html \ +html/man7/ssl.html \ +html/man7/x509.html +MANDOCS[man7]=man/man7/EVP_ASYM_CIPHER-SM2.7 \ +man/man7/EVP_KDF-HKDF.7 \ +man/man7/EVP_KDF-KB.7 \ +man/man7/EVP_KDF-KRB5KDF.7 \ +man/man7/EVP_KDF-PBKDF2.7 \ +man/man7/EVP_KDF-PKCS12KDF.7 \ +man/man7/EVP_KDF-SCRYPT.7 \ +man/man7/EVP_KDF-SS.7 \ +man/man7/EVP_KDF-SSHKDF.7 \ +man/man7/EVP_KDF-TLS1_PRF.7 \ +man/man7/EVP_KDF-X942-ASN1.7 \ +man/man7/EVP_KDF-X942-CONCAT.7 \ +man/man7/EVP_KDF-X963.7 \ +man/man7/EVP_KEM-RSA.7 \ +man/man7/EVP_KEYEXCH-DH.7 \ +man/man7/EVP_KEYEXCH-ECDH.7 \ +man/man7/EVP_KEYEXCH-X25519.7 \ +man/man7/EVP_MAC-BLAKE2.7 \ +man/man7/EVP_MAC-CMAC.7 \ +man/man7/EVP_MAC-GMAC.7 \ +man/man7/EVP_MAC-HMAC.7 \ +man/man7/EVP_MAC-KMAC.7 \ +man/man7/EVP_MAC-Poly1305.7 \ +man/man7/EVP_MAC-Siphash.7 \ +man/man7/EVP_MD-BLAKE2.7 \ +man/man7/EVP_MD-MD2.7 \ +man/man7/EVP_MD-MD4.7 \ +man/man7/EVP_MD-MD5-SHA1.7 \ +man/man7/EVP_MD-MD5.7 \ +man/man7/EVP_MD-MDC2.7 \ +man/man7/EVP_MD-RIPEMD160.7 \ +man/man7/EVP_MD-SHA1.7 \ +man/man7/EVP_MD-SHA2.7 \ +man/man7/EVP_MD-SHA3.7 \ +man/man7/EVP_MD-SHAKE.7 \ +man/man7/EVP_MD-SM3.7 \ +man/man7/EVP_MD-WHIRLPOOL.7 \ +man/man7/EVP_MD-common.7 \ +man/man7/EVP_PKEY-DH.7 \ +man/man7/EVP_PKEY-DSA.7 \ +man/man7/EVP_PKEY-EC.7 \ +man/man7/EVP_PKEY-FFC.7 \ +man/man7/EVP_PKEY-HMAC.7 \ +man/man7/EVP_PKEY-RSA.7 \ +man/man7/EVP_PKEY-SM2.7 \ +man/man7/EVP_PKEY-X25519.7 \ +man/man7/EVP_RAND-CTR-DRBG.7 \ +man/man7/EVP_RAND-HASH-DRBG.7 \ +man/man7/EVP_RAND-HMAC-DRBG.7 \ +man/man7/EVP_RAND-SEED-SRC.7 \ +man/man7/EVP_RAND-TEST-RAND.7 \ +man/man7/EVP_RAND.7 \ +man/man7/EVP_SIGNATURE-DSA.7 \ +man/man7/EVP_SIGNATURE-ECDSA.7 \ +man/man7/EVP_SIGNATURE-ED25519.7 \ +man/man7/EVP_SIGNATURE-HMAC.7 \ +man/man7/EVP_SIGNATURE-RSA.7 \ +man/man7/OSSL_PROVIDER-FIPS.7 \ +man/man7/OSSL_PROVIDER-base.7 \ +man/man7/OSSL_PROVIDER-default.7 \ +man/man7/OSSL_PROVIDER-legacy.7 \ +man/man7/OSSL_PROVIDER-null.7 \ +man/man7/RAND.7 \ +man/man7/RSA-PSS.7 \ +man/man7/X25519.7 \ +man/man7/bio.7 \ +man/man7/crypto.7 \ +man/man7/ct.7 \ +man/man7/des_modes.7 \ +man/man7/evp.7 \ +man/man7/openssl-core.h.7 \ +man/man7/openssl-core_dispatch.h.7 \ +man/man7/openssl-core_names.h.7 \ +man/man7/openssl-env.7 \ +man/man7/openssl-glossary.7 \ +man/man7/openssl-threads.7 \ +man/man7/openssl_user_macros.7 \ +man/man7/ossl_store-file.7 \ +man/man7/ossl_store.7 \ +man/man7/passphrase-encoding.7 \ +man/man7/property.7 \ +man/man7/provider-asym_cipher.7 \ +man/man7/provider-base.7 \ +man/man7/provider-cipher.7 \ +man/man7/provider-digest.7 \ +man/man7/provider-encoder.7 \ +man/man7/provider-kdf.7 \ +man/man7/provider-kem.7 \ +man/man7/provider-keyexch.7 \ +man/man7/provider-keymgmt.7 \ +man/man7/provider-mac.7 \ +man/man7/provider-object.7 \ +man/man7/provider-rand.7 \ +man/man7/provider-signature.7 \ +man/man7/provider-storemgmt.7 \ +man/man7/provider.7 \ +man/man7/proxy-certificates.7 \ +man/man7/ssl.7 \ +man/man7/x509.7 - foreach my $section ((1, 3, 5, 7)) { - my @htmlfiles = (); - my @manfiles = (); - my %podfiles = - map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod"); - my %podinfiles = - map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod.in"); - - foreach (keys %podinfiles) { - (my $p = $_) =~ s|\.in$||i; - $podfiles{$p} = 1; - } - - foreach my $p (sort keys %podfiles) { - my $podfile = abs2rel($p, $sourcedir); - my $podname = basename($podfile, '.pod'); - my $podinfile = $podinfiles{"$p.in"} ? "$podfile.in" : undef; - - my $podname = basename($podfile, ".pod"); - - my $htmlfile = abs2rel(catfile($buildtop, "doc", "html", "man$section", - "$podname.html"), - catdir($buildtop, "doc")); - my $manfile = abs2rel(catfile($buildtop, "doc", "man", "man$section", - "$podname.$section"), - catdir($buildtop, "doc")); - - # The build.info format requires file specs to be in Unix format. - # Especially, since VMS file specs use [ and ], the build.info parser - # will otherwise get terribly confused. - if ($^O eq 'VMS') { - $htmlfile = VMS::Filespec::unixify($htmlfile); - $manfile = VMS::Filespec::unixify($manfile); - $podfile = VMS::Filespec::unixify($podfile); - $podinfile = VMS::Filespec::unixify($podinfile) - if defined $podinfile; - } elsif ($^O eq 'MSWin32') { - $htmlfile =~ s|\\|/|g; - $manfile =~ s|\\|/|g; - $podfile =~ s|\\|/|g; - $podinfile =~ s|\\|/|g - if defined $podinfile; - } - push @htmlfiles, $htmlfile; - push @manfiles, $manfile; - $OUT .= << "_____"; -DEPEND[$htmlfile]=$podfile -GENERATE[$htmlfile]=$podfile -DEPEND[$manfile]=$podfile -GENERATE[$manfile]=$podfile -_____ - $OUT .= << "_____" if $podinfile; -DEPEND[$podfile]{pod}=$podinfile -GENERATE[$podfile]=$podinfile -_____ - } - $OUT .= "HTMLDOCS[man$section]=" . join(" \\\n", @htmlfiles) . "\n"; - $OUT .= "MANDOCS[man$section]=" . join(" \\\n", @manfiles) . "\n"; - } - -} diff --git a/doc/build.info b/doc/build.info.in similarity index 97% copy from doc/build.info copy to doc/build.info.in index 267629040d..408c168818 100644 --- a/doc/build.info +++ b/doc/build.info.in @@ -4,6 +4,8 @@ SUBDIRS = man1 use File::Spec::Functions qw(:DEFAULT abs2rel rel2abs); use File::Basename; + my $sourcedir = catdir($config{sourcedir}, 'doc'); + foreach my $section ((1, 3, 5, 7)) { my @htmlfiles = (); my @manfiles = (); From levitte at openssl.org Tue Feb 23 18:09:29 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 23 Feb 2021 18:09:29 +0000 Subject: [openssl] master update Message-ID: <1614103769.186767.5845.nullmailer@dev.openssl.org> The branch master has been updated via 51d058cd9418508b48ec44dce6087ce730173832 (commit) from 4f6aeabd65bf13795823f4a6f4a03c815e9d096f (commit) - Log ----------------------------------------------------------------- commit 51d058cd9418508b48ec44dce6087ce730173832 Author: Richard Levitte Date: Thu Nov 26 21:21:02 2020 +0100 appveyor.yml: clarify conditions for building the plain configuration The "plain" configuration is only meant to be built for an '[extended tests]' commit, or on the master branch. This isn't at all clear from the scripts, and furthermore, we "skip" the plain configuration by running the OpenSSL configuration script... and then nothing more. Instead, we use AppVeyor configuration issues to specify when and when not to build the "plain" configuration, and leave it to the scripts to do the right thing using only $env:EXTENDED_TESTS. Fixes #7958 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13537) ----------------------------------------------------------------------- Summary of changes: appveyor.yml | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/appveyor.yml b/appveyor.yml index f0dfc7f5ba..20d81c1b12 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -12,9 +12,29 @@ environment: configuration: - shared - - plain - minimal +for: + - + only_commits: + message: /\[extended tests\]/ + configuration: + - shared + - plain + - minimal + environment: + EXTENDED_TESTS: yes + - + branches: + only: + - master + configuration: + - shared + - plain + - minimal + environment: + EXTENDED_TESTS: yes + before_build: - ps: >- Install-Module VSSetup -Scope CurrentUser @@ -42,12 +62,6 @@ before_build: - perl ..\Configure %TARGET% no-makedepend %CONFIG_OPTS% - perl configdata.pm --dump - cd .. - - ps: >- - If (-not $env:APPVEYOR_PULL_REQUEST_NUMBER` - -or (&git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT | - Select-String "\[extended tests\]") ) { - $env:EXTENDED_TESTS="yes" - } - ps: >- If ($env:BUILDONLY -or $env:MAKEVERBOSE) { $env:NMAKE="nmake" @@ -59,24 +73,17 @@ before_build: build_script: - cd _build - - ps: >- - If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) { - cmd /c "%NMAKE% build_all_generated 2>&1" - # Unfortunately, CL=/MP would not have parallelizing effect - cmd /c "%NMAKE% PERL=no-perl 2>&1" - } + - "%NMAKE% build_all_generated" + - "%NMAKE% PERL=no-perl" - cd .. test_script: - cd _build - ps: >- - If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) { - # Unfortunately, HARNESS_JOBS=4 would not have parallelizing effect - if ($env:EXTENDED_TESTS) { - cmd /c "%NMAKE% test HARNESS_VERBOSE_FAILURE=yes 2>&1" - } Else { - cmd /c "%NMAKE% test HARNESS_VERBOSE_FAILURE=yes TESTS=-test_fuzz 2>&1" - } + if ($env:EXTENDED_TESTS) { + cmd /c "%NMAKE% test VERBOSE_FAILURE=yes 2>&1" + } Else { + cmd /c "%NMAKE% test VERBOSE_FAILURE=yes TESTS=-test_fuzz 2>&1" } - ps: >- if ($env:EXTENDED_TESTS) { From pauli at openssl.org Tue Feb 23 22:16:11 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 23 Feb 2021 22:16:11 +0000 Subject: [openssl] master update Message-ID: <1614118571.883843.28887.nullmailer@dev.openssl.org> The branch master has been updated via 6eb7c748d115bd6ba89ceefd642de3deca8773ea (commit) from 51d058cd9418508b48ec44dce6087ce730173832 (commit) - Log ----------------------------------------------------------------- commit 6eb7c748d115bd6ba89ceefd642de3deca8773ea Author: Richard Levitte Date: Tue Feb 23 23:07:15 2021 +0100 make update Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14292) ----------------------------------------------------------------------- Summary of changes: doc/build.info | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/build.info b/doc/build.info index 20e2e82398..e753b06e12 100644 --- a/doc/build.info +++ b/doc/build.info @@ -1534,6 +1534,10 @@ DEPEND[html/man3/OSSL_CMP_validate_msg.html]=man3/OSSL_CMP_validate_msg.pod GENERATE[html/man3/OSSL_CMP_validate_msg.html]=man3/OSSL_CMP_validate_msg.pod DEPEND[man/man3/OSSL_CMP_validate_msg.3]=man3/OSSL_CMP_validate_msg.pod GENERATE[man/man3/OSSL_CMP_validate_msg.3]=man3/OSSL_CMP_validate_msg.pod +DEPEND[html/man3/OSSL_CORE_MAKE_FUNC.html]=man3/OSSL_CORE_MAKE_FUNC.pod +GENERATE[html/man3/OSSL_CORE_MAKE_FUNC.html]=man3/OSSL_CORE_MAKE_FUNC.pod +DEPEND[man/man3/OSSL_CORE_MAKE_FUNC.3]=man3/OSSL_CORE_MAKE_FUNC.pod +GENERATE[man/man3/OSSL_CORE_MAKE_FUNC.3]=man3/OSSL_CORE_MAKE_FUNC.pod DEPEND[html/man3/OSSL_CRMF_MSG_get0_tmpl.html]=man3/OSSL_CRMF_MSG_get0_tmpl.pod GENERATE[html/man3/OSSL_CRMF_MSG_get0_tmpl.html]=man3/OSSL_CRMF_MSG_get0_tmpl.pod DEPEND[man/man3/OSSL_CRMF_MSG_get0_tmpl.3]=man3/OSSL_CRMF_MSG_get0_tmpl.pod @@ -1814,6 +1818,10 @@ DEPEND[html/man3/RAND_load_file.html]=man3/RAND_load_file.pod GENERATE[html/man3/RAND_load_file.html]=man3/RAND_load_file.pod DEPEND[man/man3/RAND_load_file.3]=man3/RAND_load_file.pod GENERATE[man/man3/RAND_load_file.3]=man3/RAND_load_file.pod +DEPEND[html/man3/RAND_set_DRBG_type.html]=man3/RAND_set_DRBG_type.pod +GENERATE[html/man3/RAND_set_DRBG_type.html]=man3/RAND_set_DRBG_type.pod +DEPEND[man/man3/RAND_set_DRBG_type.3]=man3/RAND_set_DRBG_type.pod +GENERATE[man/man3/RAND_set_DRBG_type.3]=man3/RAND_set_DRBG_type.pod DEPEND[html/man3/RAND_set_rand_method.html]=man3/RAND_set_rand_method.pod GENERATE[html/man3/RAND_set_rand_method.html]=man3/RAND_set_rand_method.pod DEPEND[man/man3/RAND_set_rand_method.3]=man3/RAND_set_rand_method.pod @@ -3001,6 +3009,7 @@ html/man3/OSSL_CMP_STATUSINFO_new.html \ html/man3/OSSL_CMP_exec_certreq.html \ html/man3/OSSL_CMP_log_open.html \ html/man3/OSSL_CMP_validate_msg.html \ +html/man3/OSSL_CORE_MAKE_FUNC.html \ html/man3/OSSL_CRMF_MSG_get0_tmpl.html \ html/man3/OSSL_CRMF_MSG_set0_validity.html \ html/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.html \ @@ -3071,6 +3080,7 @@ html/man3/RAND_cleanup.html \ html/man3/RAND_egd.html \ html/man3/RAND_get0_primary.html \ html/man3/RAND_load_file.html \ +html/man3/RAND_set_DRBG_type.html \ html/man3/RAND_set_rand_method.html \ html/man3/RC4_set_key.html \ html/man3/RIPEMD160_Init.html \ @@ -3568,6 +3578,7 @@ man/man3/OSSL_CMP_STATUSINFO_new.3 \ man/man3/OSSL_CMP_exec_certreq.3 \ man/man3/OSSL_CMP_log_open.3 \ man/man3/OSSL_CMP_validate_msg.3 \ +man/man3/OSSL_CORE_MAKE_FUNC.3 \ man/man3/OSSL_CRMF_MSG_get0_tmpl.3 \ man/man3/OSSL_CRMF_MSG_set0_validity.3 \ man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 \ @@ -3638,6 +3649,7 @@ man/man3/RAND_cleanup.3 \ man/man3/RAND_egd.3 \ man/man3/RAND_get0_primary.3 \ man/man3/RAND_load_file.3 \ +man/man3/RAND_set_DRBG_type.3 \ man/man3/RAND_set_rand_method.3 \ man/man3/RC4_set_key.3 \ man/man3/RIPEMD160_Init.3 \ From no-reply at appveyor.com Wed Feb 24 00:22:49 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 24 Feb 2021 00:22:49 +0000 Subject: Build failed: openssl master.40165 Message-ID: <20210224002249.1.C5275B0DB83200C8@appveyor.com> An HTML attachment was scrubbed... URL: From kaduk at mit.edu Wed Feb 24 00:40:23 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Wed, 24 Feb 2021 00:40:23 +0000 Subject: [openssl] master update Message-ID: <1614127223.940186.14301.nullmailer@dev.openssl.org> The branch master has been updated via ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df (commit) from 6eb7c748d115bd6ba89ceefd642de3deca8773ea (commit) - Log ----------------------------------------------------------------- commit ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df Author: Benjamin Kaduk Date: Wed May 27 11:17:07 2020 -0700 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) In ssl_create_cipher_list() we make a pass through the ciphers to remove those which are disabled in the current libctx. We are careful to not include such disabled TLS 1.3 ciphers in the final consolidated cipher list that we produce, but the disabled ciphers are still kept in the separate stack of TLS 1.3 ciphers associated with the SSL or SSL_CTX in question. This leads to confusing results where a cipher is present in the tls13_cipherlist but absent from the actual cipher list in use. Keep the books in order and remove the disabled ciphers from the 1.3 cipherlist at the same time we skip adding them to the active cipher list. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12037) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_ciph.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index d517799895..0b6f01ccc1 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1625,8 +1625,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, if ((sslc->algorithm_enc & disabled_enc) != 0 || (ssl_cipher_table_mac[sslc->algorithm2 & SSL_HANDSHAKE_MAC_MASK].mask - & ctx->disabled_mac_mask) != 0) + & ctx->disabled_mac_mask) != 0) { + sk_SSL_CIPHER_delete(tls13_ciphersuites, i); + i--; continue; + } if (!sk_SSL_CIPHER_push(cipherstack, sslc)) { sk_SSL_CIPHER_free(cipherstack); From openssl at openssl.org Wed Feb 24 01:07:21 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 24 Feb 2021 01:07:21 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 Message-ID: <1614128841.855438.350837.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=232, Tests=3214, 920 wallclock secs (12.84 usr 1.42 sys + 832.25 cusr 86.04 csys = 932.55 CPU) Result: FAIL make[1]: *** [Makefile:3282: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2' make: *** [Makefile:3279: tests] Error 2 From openssl at openssl.org Wed Feb 24 02:01:34 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 24 Feb 2021 02:01:34 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1614132094.272834.456787.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8051D96D287F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8051D96D287F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/do6ZaLpFMP default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80C1D433F47F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80C1D433F47F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80C1D433F47F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80C1D433F47F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80C1D433F47F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80C1D433F47F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/do6ZaLpFMP fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=232, Tests=3300, 948 wallclock secs (14.48 usr 1.32 sys + 851.55 cusr 93.30 csys = 960.65 CPU) Result: FAIL make[1]: *** [Makefile:3274: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3271: tests] Error 2 From no-reply at appveyor.com Wed Feb 24 03:37:53 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 24 Feb 2021 03:37:53 +0000 Subject: Build failed: openssl master.40172 Message-ID: <20210224033753.1.BF43DB282487B925@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Wed Feb 24 03:46:12 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 24 Feb 2021 03:46:12 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method Message-ID: <1614138372.201803.666399.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=232, Tests=3214, 879 wallclock secs (12.56 usr 1.36 sys + 797.14 cusr 86.58 csys = 897.64 CPU) Result: FAIL make[1]: *** [Makefile:3273: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method' make: *** [Makefile:3270: tests] Error 2 From openssl at openssl.org Wed Feb 24 04:40:14 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 24 Feb 2021 04:40:14 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1614141614.488681.772898.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80A17BBA657F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3306: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80A17BBA657F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/76NEmgTsYp default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80C11F42C57F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80C11F42C57F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:947 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80C11F42C57F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80C11F42C57F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1428 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1506 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80C11F42C57F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80C11F42C57F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6577 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/76NEmgTsYp fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=232, Tests=3300, 957 wallclock secs (14.60 usr 1.48 sys + 860.68 cusr 95.15 csys = 971.91 CPU) Result: FAIL make[1]: *** [Makefile:3284: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3281: tests] Error 2 From openssl at openssl.org Wed Feb 24 05:34:05 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 24 Feb 2021 05:34:05 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_3 Message-ID: <1614144845.056910.877737.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_3 Commit log since last time: 937a62323b -Wunused-function cleanup 57acc56bdc DECODER: Add better tracing of the chain walking process acf497b53b DECODER: Use the data structure from the last decoder to select the next f16e52b67c Correct the return value of BIO_get_ktls_*(). 5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements a3361c3755 81-test_cmp_cli_data: fixup on CSR test cases c2279499fd Fix speed sm2 bug 1d724b5e82 CRYPTO_gcm128_decrypt: fix mac or tag calculation 3352dc185f Fix merge problem in d2i_PrivateKey_ex eabb301416 Fix DH ASN1 decode so that it detects named groups. 576892d78f Fix d2i_AutoPrivateKey_ex so that is uses the new decoder (and produces non legacy keys). ef33889e18 doc: remove notes section in OSSL_ENCODER.pod 458d168cd4 rfc2606 compliant example domains for x509v3_config.pod 125107e8ea Various improvements of doc/man5/x509v3_config.pod 70793dbbb9 Pass the object type and data structure from the pem2der decoder 3a2171f6aa Don't forget the type of thing we are loading 3262300a2c Adjust the few places where the string length was confused 247a1786e2 OSSL_PARAM: Correct the assumptions on the UTF8 string length c1be4d617c Rename internal X509_add_cert_new() to ossl_x509_add_cert_new() daf1300b80 Add internal X509_add_certs_new(), which simplifies matters 937984efc6 Prepare for 3.0 alpha 13 b467d394eb Prepare for release of 3.0 alpha 12 a28d06f3e9 Update copyright year 7b676cc8c6 Fix external symbols related to provider related security checks for keys and digests. 47c076acfc Fix external symbols in the provider digest implementations. bcb61b39b4 Add deep copy of propq field in mac_dupctx to avoid double free 5d8ffebbcd DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters 0b3139e815 chain_build(): Call verify_cb_cert() if a preliminary error has become final ba37b82045 dsa_check: Perform simple parameter check if seed is not available ebcaf110b2 DSA parameter check using pkeyparam e36b3c2f75 Fix external symbols in the provider cipher implementations. Build log ended with (last 100 lines): # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 2 - iteration 2 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 3 - iteration 3 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 4 - iteration 4 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # not ok 5 - iteration 5 # ------------------------------------------------------------------------------ not ok 1 - test_handshake # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/ssl_test 14-curves.cnf.fips fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 9 - running ssl_test 14-curves.cnf # ------------------------------------------------------------------------------ # Failed test 'running ssl_test 14-curves.cnf' # at ../openssl/test/recipes/80-test_ssl_new.t line 176. # Looks like you failed 3 tests of 9. not ok 15 - Test configuration 14-curves.cnf # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 31.80-test_ssl_new.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. skipped: test_tls13ccs is not supported in this build 90-test_tls13encryption.t .......... skipped: tls13encryption is not supported in this build 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_new.t (Wstat: 256 Tests: 31 Failed: 1) Failed test: 15 Non-zero exit status: 1 Files=232, Tests=3223, 1015 wallclock secs (13.48 usr 1.39 sys + 919.46 cusr 91.40 csys = 1025.73 CPU) Result: FAIL make[1]: *** [Makefile:3271: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_3' make: *** [Makefile:3268: tests] Error 2 From levitte at openssl.org Wed Feb 24 09:18:08 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 24 Feb 2021 09:18:08 +0000 Subject: [openssl] master update Message-ID: <1614158288.894878.12787.nullmailer@dev.openssl.org> The branch master has been updated via 10315851d0230646947213ac148747bc64c56798 (commit) from ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df (commit) - Log ----------------------------------------------------------------- commit 10315851d0230646947213ac148747bc64c56798 Author: Richard Levitte Date: Thu Jan 28 09:00:58 2021 +0100 X509: Refactor X509_PUBKEY processing to include provider side keys When a SubjectPublicKeyInfo (SPKI) is decoded into an X509_PUBKEY structure, the corresponding EVP_PKEY is automatically added as well. This used to only support our built-in keytypes, and only in legacy form. This is now refactored by making The ASN1 implementation of the X509_PUBKEY an EXTERN_ASN1, resulting in a more manual implementation of the basic support routines. Specifically, the d2i routine will do what was done in the callback before, and try to interpret the input as an EVP_PKEY, first in legacy form, and then using OSSL_DECODER. Fixes #13893 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14281) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x_pubkey.c | 231 +++++++++++++++++---- include/crypto/x509.h | 3 + .../implementations/encode_decode/decode_der2key.c | 3 +- 3 files changed, 196 insertions(+), 41 deletions(-) diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index 5d500f0690..8392540c73 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -22,17 +22,23 @@ #include "crypto/x509.h" #include #include +#include #include #include "internal/provider.h" +#include "internal/sizes.h" struct X509_pubkey_st { X509_ALGOR *algor; ASN1_BIT_STRING *public_key; + EVP_PKEY *pkey; /* extra data for the callback, used by d2i_PUBKEY_ex */ OSSL_LIB_CTX *libctx; char *propq; + + /* Flag to force legacy keys */ + unsigned int flag_force_legacy : 1; }; static int x509_pubkey_decode(EVP_PKEY **pk, const X509_PUBKEY *key); @@ -53,46 +59,172 @@ static int x509_pubkey_set0_libctx(X509_PUBKEY *x, OSSL_LIB_CTX *libctx, return 1; } -/* Minor tweak to operation: free up EVP_PKEY */ -static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) +ASN1_SEQUENCE(X509_PUBKEY_INTERNAL) = { + ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR), + ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING) +} static_ASN1_SEQUENCE_END_name(X509_PUBKEY, X509_PUBKEY_INTERNAL) + +static void x509_pubkey_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; - if (operation == ASN1_OP_FREE_POST) { - OPENSSL_free(pubkey->propq); - EVP_PKEY_free(pubkey->pkey); - } else if (operation == ASN1_OP_D2I_POST) { - /* Attempt to decode public key and cache in pubkey structure. */ - EVP_PKEY_free(pubkey->pkey); - pubkey->pkey = NULL; - /* - * Opportunistically decode the key but remove any non fatal errors - * from the queue. Subsequent explicit attempts to decode/use the key - * will return an appropriate error. - */ - ERR_set_mark(); - if (x509_pubkey_decode(&pubkey->pkey, pubkey) == -1) { + X509_ALGOR_free(pubkey->algor); + ASN1_BIT_STRING_free(pubkey->public_key); + EVP_PKEY_free(pubkey->pkey); + OPENSSL_free(pubkey); + *pval = NULL; +} + +static int x509_pubkey_ex_populate(ASN1_VALUE **pval, const ASN1_ITEM *it) +{ + X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; + + return (pubkey->algor != NULL + || (pubkey->algor = X509_ALGOR_new()) != NULL) + && (pubkey->public_key != NULL + || (pubkey->public_key = ASN1_BIT_STRING_new()) != NULL); +} + +static int x509_pubkey_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) +{ + X509_PUBKEY *ret; + + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL + || !x509_pubkey_ex_populate((ASN1_VALUE **)&ret, NULL)) { + x509_pubkey_ex_free((ASN1_VALUE **)&ret, NULL); + ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); + } else { + *pval = (ASN1_VALUE *)ret; + } + + return ret != NULL; +} + +static int x509_pubkey_ex_d2i(ASN1_VALUE **pval, + const unsigned char **in, long len, + const ASN1_ITEM *it, int tag, int aclass, + char opt, ASN1_TLC *ctx) +{ + const unsigned char *in_saved = *in; + X509_PUBKEY *pubkey; + int ret; + OSSL_DECODER_CTX *dctx = NULL; + + if (*pval == NULL && !x509_pubkey_ex_new(pval, it)) + return 0; + if (!x509_pubkey_ex_populate(pval, NULL)) { + ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); + return 0; + } + + /* This ensures that |*in| advances properly no matter what */ + if ((ret = ASN1_item_ex_d2i(pval, in, len, + ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL), + tag, aclass, opt, ctx)) <= 0) + return ret; + + pubkey = (X509_PUBKEY *)*pval; + EVP_PKEY_free(pubkey->pkey); + pubkey->pkey = NULL; + + /* + * Opportunistically decode the key but remove any non fatal errors + * from the queue. Subsequent explicit attempts to decode/use the key + * will return an appropriate error. + */ + ERR_set_mark(); + + /* + * Try to decode with legacy method first. This ensures that engines + * aren't overriden by providers. + */ + if ((ret = x509_pubkey_decode(&pubkey->pkey, pubkey)) == -1) { + /* -1 indicates a fatal error, like malloc failure */ + ERR_clear_last_mark(); + goto end; + } + + /* Try to decode it into an EVP_PKEY with OSSL_DECODER */ + if (ret <= 0 && !pubkey->flag_force_legacy) { + const unsigned char *p = in_saved; + char txtoidname[OSSL_MAX_NAME_SIZE]; + + if (OBJ_obj2txt(txtoidname, sizeof(txtoidname), + pubkey->algor->algorithm, 0) <= 0) { ERR_clear_last_mark(); - return 0; + goto end; } - ERR_pop_to_mark(); - } else if (operation == ASN1_OP_DUP_POST) { - X509_PUBKEY *old = exarg; - - if (!x509_pubkey_set0_libctx(pubkey, old->libctx, old->propq)) - return 0; + if ((dctx = + OSSL_DECODER_CTX_new_for_pkey(&pubkey->pkey, + "DER", "SubjectPublicKeyInfo", + txtoidname, EVP_PKEY_PUBLIC_KEY, + pubkey->libctx, + pubkey->propq)) != NULL) + /* + * As said higher up, we're being opportunistic. In other words, + * we don't care about what the return value signals. + */ + OSSL_DECODER_from_data(dctx, &p, NULL); } - return 1; + + ERR_pop_to_mark(); + ret = 1; + end: + OSSL_DECODER_CTX_free(dctx); + return ret; } -ASN1_SEQUENCE_cb(X509_PUBKEY, pubkey_cb) = { - ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR), - ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END_cb(X509_PUBKEY, X509_PUBKEY) +static int x509_pubkey_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, + const ASN1_ITEM *it, int tag, int aclass) +{ + return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL), + tag, aclass); +} + +static int x509_pubkey_ex_print(BIO *out, const ASN1_VALUE **pval, int indent, + const char *fname, const ASN1_PCTX *pctx) +{ + return ASN1_item_print(out, *pval, indent, + ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL), pctx); +} + +static const ASN1_EXTERN_FUNCS x509_pubkey_ff = { + NULL, + x509_pubkey_ex_new, + x509_pubkey_ex_free, + 0, /* Default clear behaviour is OK */ + x509_pubkey_ex_d2i, + x509_pubkey_ex_i2d, + x509_pubkey_ex_print +}; +IMPLEMENT_EXTERN_ASN1(X509_PUBKEY, V_ASN1_SEQUENCE, x509_pubkey_ff) IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY) -IMPLEMENT_ASN1_DUP_FUNCTION(X509_PUBKEY) + +/* + * X509_PUBKEY_dup() must be implemented manually, because there is no + * support for it in ASN1_EXTERN_FUNCS. + */ +X509_PUBKEY *X509_PUBKEY_dup(const X509_PUBKEY *a) +{ + X509_PUBKEY *pubkey = NULL; + + if (!x509_pubkey_ex_new(NULL, ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL)) + || !x509_pubkey_set0_libctx(pubkey, a->libctx, a->propq) + || (pubkey->algor = X509_ALGOR_dup(a->algor)) == NULL + || (pubkey->public_key = ASN1_BIT_STRING_new()) == NULL + || !ASN1_BIT_STRING_set(pubkey->public_key, + a->public_key->data, a->public_key->length) + || (a->pkey != NULL && !EVP_PKEY_up_ref(a->pkey))) { + x509_pubkey_ex_free((ASN1_VALUE **)&pubkey, + ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL)); + ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); + return NULL; + } + + pubkey->pkey = a->pkey; + return pubkey; +} /* TODO should better be called X509_PUBKEY_set1 */ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) @@ -175,9 +307,9 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) * Attempt to decode a public key. * Returns 1 on success, 0 for a decode failure and -1 for a fatal * error e.g. malloc failure. + * + * This function is #legacy. */ - - static int x509_pubkey_decode(EVP_PKEY **ppkey, const X509_PUBKEY *key) { EVP_PKEY *pkey = EVP_PKEY_new(); @@ -256,9 +388,14 @@ EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key) * Now three pseudo ASN1 routines that take an EVP_PKEY structure and encode * or decode as X509_PUBKEY */ - -EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length, - OSSL_LIB_CTX *libctx, const char *propq) +static EVP_PKEY *d2i_PUBKEY_int(EVP_PKEY **a, + const unsigned char **pp, long length, + OSSL_LIB_CTX *libctx, const char *propq, + unsigned int force_legacy, + X509_PUBKEY * + (*d2i_x509_pubkey)(X509_PUBKEY **a, + const unsigned char **in, + long len)) { X509_PUBKEY *xpk, *xpk2 = NULL, **pxpk = NULL; EVP_PKEY *pktmp = NULL; @@ -271,7 +408,7 @@ EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length, * feature. It's not generally recommended, but is safe enough for * newly created structures. */ - if (libctx != NULL || propq != NULL) { + if (libctx != NULL || propq != NULL || force_legacy) { xpk2 = OPENSSL_zalloc(sizeof(*xpk2)); if (xpk2 == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); @@ -279,9 +416,10 @@ EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length, } if (!x509_pubkey_set0_libctx(xpk2, libctx, propq)) goto end; + xpk2->flag_force_legacy = !!force_legacy; pxpk = &xpk2; } - xpk = d2i_X509_PUBKEY(pxpk, &q, length); + xpk = d2i_x509_pubkey(pxpk, &q, length); if (xpk == NULL) goto end; pktmp = X509_PUBKEY_get(xpk); @@ -299,6 +437,19 @@ EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length, return pktmp; } +/* For the algorithm specific d2i functions further down */ +EVP_PKEY *d2i_PUBKEY_legacy(EVP_PKEY **a, + const unsigned char **pp, long length) +{ + return d2i_PUBKEY_int(a, pp, length, NULL, NULL, 1, d2i_X509_PUBKEY); +} + +EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length, + OSSL_LIB_CTX *libctx, const char *propq) +{ + return d2i_PUBKEY_int(a, pp, length, libctx, propq, 0, d2i_X509_PUBKEY); +} + EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length) { return d2i_PUBKEY_ex(a, pp, length, NULL, NULL); @@ -365,7 +516,7 @@ RSA *d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp, long length) const unsigned char *q; q = *pp; - pkey = d2i_PUBKEY(NULL, &q, length); + pkey = d2i_PUBKEY_legacy(NULL, &q, length); if (pkey == NULL) return NULL; key = EVP_PKEY_get1_RSA(pkey); @@ -406,7 +557,7 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) const unsigned char *q; q = *pp; - pkey = d2i_PUBKEY(NULL, &q, length); + pkey = d2i_PUBKEY_legacy(NULL, &q, length); if (pkey == NULL) return NULL; key = EVP_PKEY_get1_DSA(pkey); @@ -448,7 +599,7 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length) const unsigned char *q; q = *pp; - pkey = d2i_PUBKEY(NULL, &q, length); + pkey = d2i_PUBKEY_legacy(NULL, &q, length); if (pkey == NULL) return NULL; key = EVP_PKEY_get1_EC_KEY(pkey); diff --git a/include/crypto/x509.h b/include/crypto/x509.h index 809f6e328e..67fd88dbc4 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -327,4 +327,7 @@ int X509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq, /* Calculate default key identifier according to RFC 5280 section 4.2.1.2 (1) */ ASN1_OCTET_STRING *x509_pubkey_hash(X509_PUBKEY *pubkey); +/* A variant of d2i_PUBKEY() that is guaranteed to only return legacy keys */ +EVP_PKEY *d2i_PUBKEY_legacy(EVP_PKEY **a, + const unsigned char **in, long length); #endif diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 466a73f908..5073e660cd 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -31,6 +31,7 @@ #include "crypto/evp.h" #include "crypto/ecx.h" #include "crypto/rsa.h" +#include "crypto/x509.h" #include "prov/bio.h" #include "prov/implementations.h" #include "endecoder_local.h" @@ -330,7 +331,7 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { RESET_ERR_MARK(); derp = der; - pkey = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, NULL); + pkey = d2i_PUBKEY_legacy(NULL, &derp, der_len); } if (pkey != NULL) { From tomas at openssl.org Wed Feb 24 09:44:26 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 24 Feb 2021 09:44:26 +0000 Subject: [openssl] master update Message-ID: <1614159866.666702.5388.nullmailer@dev.openssl.org> The branch master has been updated via 76e48c9d6667391189e22d674b2b3b8161ab9442 (commit) from 10315851d0230646947213ac148747bc64c56798 (commit) - Log ----------------------------------------------------------------- commit 76e48c9d6667391189e22d674b2b3b8161ab9442 Author: Tomas Mraz Date: Mon Feb 22 17:28:17 2021 +0100 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() The functions are not needed and require returning octet ptr parameters from providers that would like to support them which complicates provider implementations. Fixes #12985 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14279) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 13 +++++++++---- crypto/evp/dh_ctrl.c | 4 ++++ crypto/evp/ec_ctrl.c | 2 ++ doc/man3/EVP_PKEY_CTX_ctrl.pod | 13 +++++++++++-- doc/man7/EVP_KEYEXCH-DH.pod | 13 +++++++++++++ doc/man7/EVP_KEYEXCH-ECDH.pod | 5 ++++- include/openssl/core_names.h | 17 +++-------------- include/openssl/dh.h | 3 +++ include/openssl/ec.h | 3 +++ util/libcrypto.num | 4 ++-- 10 files changed, 54 insertions(+), 23 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 0e9f27824c..c7a2c0baa5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -22,15 +22,20 @@ OpenSSL 3.0 ----------- ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and + EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions. They are not needed + and require returning octet ptr parameters from providers that + would like to support them which complicates provider implementations. -* The RAND_METHOD APIs have been deprecated. The functions deprecated are: + *Tom?? Mr?z* + + * The RAND_METHOD APIs have been deprecated. The functions deprecated are: RAND_OpenSSL(), RAND_get_rand_method(), RAND_set_rand_engine() and RAND_set_rand_method(). Provider based random number generators should be used instead via EVP_RAND(3). *Paul Dale* - -* The SRP APIs have been deprecated. The old APIs do not work via providers, + * The SRP APIs have been deprecated. The old APIs do not work via providers, and there is no EVP interface to them. Unfortunately there is no replacement for these APIs at this time. @@ -41,7 +46,7 @@ OpenSSL 3.0 at configuration time. *Paul Dale* - + * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups diff --git a/crypto/evp/dh_ctrl.c b/crypto/evp/dh_ctrl.c index abb724f72b..7eb0a8ee48 100644 --- a/crypto/evp/dh_ctrl.c +++ b/crypto/evp/dh_ctrl.c @@ -7,6 +7,8 @@ * https://www.openssl.org/source/license.html */ +#include "internal/deprecated.h" + #include #include #include @@ -322,6 +324,7 @@ int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len) return ret; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) { int ret; @@ -348,3 +351,4 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) return (int)ukmlen; } +#endif diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c index 17f1a8f288..ff0c55d023 100644 --- a/crypto/evp/ec_ctrl.c +++ b/crypto/evp/ec_ctrl.c @@ -243,6 +243,7 @@ int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int le return ret; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) { size_t ukmlen; @@ -283,6 +284,7 @@ int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) return ret; } +#endif #ifndef FIPS_MODULE /* diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 1de332c3b3..54e4f5506e 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -157,7 +157,6 @@ EVP_PKEY_CTX_set_kem_op int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int len); int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len); int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len); - int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); #include @@ -172,7 +171,6 @@ EVP_PKEY_CTX_set_kem_op int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int len); int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len); int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len); - int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); int EVP_PKEY_CTX_set1_id(EVP_PKEY_CTX *ctx, void *id, size_t id_len); int EVP_PKEY_CTX_get1_id(EVP_PKEY_CTX *ctx, void *id); @@ -186,6 +184,14 @@ L: int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); + #include + + int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); + + #include + + int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); + =head1 DESCRIPTION EVP_PKEY_CTX_ctrl() sends a control operation to the context I. The key @@ -669,6 +675,9 @@ added in OpenSSL 1.0.0. In OpenSSL 1.1.1 and below the functions were mostly macros. From OpenSSL 3.0 they are all functions. +EVP_PKEY_CTX_set_rsa_keygen_pubexp(), EVP_PKEY_CTX_get0_dh_kdf_ukm(), +and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() were deprecated in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man7/EVP_KEYEXCH-DH.pod b/doc/man7/EVP_KEYEXCH-DH.pod index 9e9cee7dce..4368c62140 100644 --- a/doc/man7/EVP_KEYEXCH-DH.pod +++ b/doc/man7/EVP_KEYEXCH-DH.pod @@ -17,6 +17,19 @@ Key exchange support for the B key type. See L. +=item "kdf-ukm" (B) + +Sets the User Key Material to be used as part of the selected Key Derivation +Function associated with the given key exchange ctx. + +=item "kdf-ukm" (B) + +Gets a pointer to the User Key Material to be used as part of the selected +Key Derivation Function associated with the given key exchange ctx. Providers +usually do not need to support this gettable parameter as its sole purpose +is to support functionality of the deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() +function. + =back =head1 EXAMPLES diff --git a/doc/man7/EVP_KEYEXCH-ECDH.pod b/doc/man7/EVP_KEYEXCH-ECDH.pod index 5ad6801263..001df6ba0c 100644 --- a/doc/man7/EVP_KEYEXCH-ECDH.pod +++ b/doc/man7/EVP_KEYEXCH-ECDH.pod @@ -60,7 +60,10 @@ Function associated with the given key exchange ctx. =item "kdf-ukm" (B) Gets a pointer to the User Key Material to be used as part of the selected -Key Derivation Function associated with the given key exchange ctx. +Key Derivation Function associated with the given key exchange ctx. Providers +usually do not need to support this gettable parameter as its sole purpose +is to support functionality of the deprecated EVP_PKEY_CTX_get0_ecdh_kdf_ukm() +function. =back diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index a9ab57dbff..cb8d83ba88 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -432,20 +432,8 @@ extern "C" { #define OSSL_EXCHANGE_PARAM_KDF_DIGEST "kdf-digest" /* utf8_string */ #define OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS "kdf-digest-props" /* utf8_string */ #define OSSL_EXCHANGE_PARAM_KDF_OUTLEN "kdf-outlen" /* size_t */ - -/* - * TODO(3.0): improve this pattern - * - * Currently the sole internal user of OSSL_EXCHANGE_PARAM_KDF_UKM is - * EVP_PKEY_CTX_{set0,get0}_ecdh_kdf_ukm(): - * OSSL_EXCHANGE_PARAM_KDF_UKM is handled as a octet_string on set0, - * and as an octet_ptr on get0. - * - * This pattern is borrowed from the handling of - * OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL in - * EVP_PKEY_CTX_{set0,get0}_rsa_oaep_label(). - */ -#define OSSL_EXCHANGE_PARAM_KDF_UKM "kdf-ukm" /* see note above */ +/* The following parameter is an octet_string on set and an octet_ptr on get */ +#define OSSL_EXCHANGE_PARAM_KDF_UKM "kdf-ukm" /* Signature parameters */ #define OSSL_SIGNATURE_PARAM_ALGORITHM_ID "algorithm-id" @@ -469,6 +457,7 @@ extern "C" { OSSL_PKEY_PARAM_MGF1_PROPERTIES #define OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST OSSL_ALG_PARAM_DIGEST #define OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS "digest-props" +/* The following parameter is an octet_string on set and an octet_ptr on get */ #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 67ba0aa687..d17f01334f 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -53,7 +53,10 @@ int EVP_PKEY_CTX_get_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int len); int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len); int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); +#endif # define EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN (EVP_PKEY_ALG_CTRL + 1) # define EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR (EVP_PKEY_ALG_CTRL + 2) diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 5f93694f35..c503954b9c 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -44,7 +44,10 @@ int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len); int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); +# endif # define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 1) # define EVP_PKEY_CTRL_EC_PARAM_ENC (EVP_PKEY_ALG_CTRL + 2) diff --git a/util/libcrypto.num b/util/libcrypto.num index 25d8619471..0403a6944b 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4900,7 +4900,7 @@ EVP_PKEY_CTX_get_ecdh_kdf_md ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_ecdh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_ecdh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_PKEY_CTX_set_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION: d2i_ISSUER_SIGN_TOOL ? 3_0_0 EXIST::FUNCTION: @@ -5186,7 +5186,7 @@ EVP_PKEY_CTX_get_dh_kdf_md ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_dh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_dh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set0_dh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_dh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_dh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_CIPHER_CTX_get_updated_iv ? 3_0_0 EXIST::FUNCTION: EVP_CIPHER_CTX_get_original_iv ? 3_0_0 EXIST::FUNCTION: EVP_KEYMGMT_gettable_params ? 3_0_0 EXIST::FUNCTION: From pauli at openssl.org Wed Feb 24 11:23:05 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 24 Feb 2021 11:23:05 +0000 Subject: [openssl] master update Message-ID: <1614165785.369371.6523.nullmailer@dev.openssl.org> The branch master has been updated via 8b3facd7324b6c2f36f6414c0552da26378aae4a (commit) from 76e48c9d6667391189e22d674b2b3b8161ab9442 (commit) - Log ----------------------------------------------------------------- commit 8b3facd7324b6c2f36f6414c0552da26378aae4a Author: Pauli Date: Thu Feb 18 11:55:04 2021 +1000 rand: note that locking needs to be explicitly enabled. Fixes #13912 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14224) ----------------------------------------------------------------------- Summary of changes: doc/man3/EVP_RAND.pod | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index c2940a3455..97114af0fb 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod @@ -311,6 +311,12 @@ or the properties in the case of B. =back +=head1 NOTES + +An B needs to have locking enabled if it acts as the parent of +more than one child and the children can be accessed concurrently. This must +be done by explicitly calling EVP_RAND_enable_locking(). + =head1 RETURN VALUES EVP_RAND_fetch() returns a pointer to a newly fetched B, or From pauli at openssl.org Wed Feb 24 11:25:04 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 24 Feb 2021 11:25:04 +0000 Subject: [openssl] master update Message-ID: <1614165904.816745.9751.nullmailer@dev.openssl.org> The branch master has been updated via b0001d0cf2539b9309712e3e04f407dcbb04352c (commit) from 8b3facd7324b6c2f36f6414c0552da26378aae4a (commit) - Log ----------------------------------------------------------------- commit b0001d0cf2539b9309712e3e04f407dcbb04352c Author: Pauli Date: Fri Sep 25 10:19:19 2020 +1000 provider: add an unquery function to allow providers to clean up. Without this, a provider has no way to know that an application has finished with the array it returned earlier. A non-caching provider requires this information. Fixes #12974 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12974) ----------------------------------------------------------------------- Summary of changes: crypto/core_algorithm.c | 1 + crypto/provider.c | 7 +++++ crypto/provider_core.c | 13 +++++++++ doc/internal/man3/ossl_provider_new.pod | 10 ++++++- doc/man3/OSSL_PROVIDER.pod | 11 ++++++-- doc/man7/provider-base.pod | 8 ++++++ include/internal/provider.h | 3 +++ include/openssl/core_dispatch.h | 9 ++++--- include/openssl/provider.h | 2 ++ test/filterprov.c | 42 ++++++++++++++++++++++++++---- test/{testutil/apps_mem.c => filterprov.h} | 15 ++++------- test/sslapitest.c | 7 ++--- util/libcrypto.num | 1 + 13 files changed, 103 insertions(+), 26 deletions(-) copy test/{testutil/apps_mem.c => filterprov.h} (51%) diff --git a/crypto/core_algorithm.c b/crypto/core_algorithm.c index ddb9e5ae43..59f6dddb14 100644 --- a/crypto/core_algorithm.c +++ b/crypto/core_algorithm.c @@ -65,6 +65,7 @@ static int algorithm_do_this(OSSL_PROVIDER *provider, void *cbdata) data->fn(provider, thismap, no_store, data->data); } } + ossl_provider_unquery_operation(provider, cur_operation, map); /* Do we fulfill post-conditions? */ if (data->post == NULL) { diff --git a/crypto/provider.c b/crypto/provider.c index 90c31f3ac5..8eca9d3581 100644 --- a/crypto/provider.c +++ b/crypto/provider.c @@ -76,6 +76,13 @@ const OSSL_ALGORITHM *OSSL_PROVIDER_query_operation(const OSSL_PROVIDER *prov, return ossl_provider_query_operation(prov, operation_id, no_cache); } +void OSSL_PROVIDER_unquery_operation(const OSSL_PROVIDER *prov, + int operation_id, + const OSSL_ALGORITHM *algs) +{ + ossl_provider_unquery_operation(prov, operation_id, algs); +} + void *OSSL_PROVIDER_get0_provider_ctx(const OSSL_PROVIDER *prov) { return ossl_provider_prov_ctx(prov); diff --git a/crypto/provider_core.c b/crypto/provider_core.c index da751e60ce..d210026e25 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -78,6 +78,7 @@ struct ossl_provider_st { OSSL_FUNC_provider_get_capabilities_fn *get_capabilities; OSSL_FUNC_provider_self_test_fn *self_test; OSSL_FUNC_provider_query_operation_fn *query_operation; + OSSL_FUNC_provider_unquery_operation_fn *unquery_operation; /* * Cache of bit to indicate of query_operation() has been called on @@ -571,6 +572,10 @@ static int provider_init(OSSL_PROVIDER *prov) prov->query_operation = OSSL_FUNC_provider_query_operation(provider_dispatch); break; + case OSSL_FUNC_PROVIDER_UNQUERY_OPERATION: + prov->unquery_operation = + OSSL_FUNC_provider_unquery_operation(provider_dispatch); + break; #ifndef OPENSSL_NO_ERR # ifndef FIPS_MODULE case OSSL_FUNC_PROVIDER_GET_REASON_STRINGS: @@ -929,6 +934,14 @@ const OSSL_ALGORITHM *ossl_provider_query_operation(const OSSL_PROVIDER *prov, return res; } +void ossl_provider_unquery_operation(const OSSL_PROVIDER *prov, + int operation_id, + const OSSL_ALGORITHM *algs) +{ + if (prov->unquery_operation != NULL) + prov->unquery_operation(prov->provctx, operation_id, algs); +} + int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum) { size_t byte = bitnum / 8; diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod index d74ce57fef..40a2ebe7e3 100644 --- a/doc/internal/man3/ossl_provider_new.pod +++ b/doc/internal/man3/ossl_provider_new.pod @@ -13,7 +13,8 @@ ossl_provider_name, ossl_provider_dso, ossl_provider_module_name, ossl_provider_module_path, ossl_provider_libctx, ossl_provider_teardown, ossl_provider_gettable_params, -ossl_provider_get_params, ossl_provider_query_operation, +ossl_provider_get_params, +ossl_provider_query_operation, ossl_provider_unquery_operation, ossl_provider_set_operation_bit, ossl_provider_test_operation_bit, ossl_provider_get_capabilities - internal provider routines @@ -72,6 +73,9 @@ ossl_provider_get_capabilities const OSSL_ALGORITHM *ossl_provider_query_operation(const OSSL_PROVIDER *prov, int operation_id, int *no_cache); + void ossl_provider_unquery_operation(const OSSL_PROVIDER *prov, + int operation_id, + const OSSL_ALGORITHM *algs); int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum); int ossl_provider_test_operation_bit(OSSL_PROVIDER *provider, size_t bitnum, @@ -234,6 +238,10 @@ I function, if the provider has one. It should return an array of I for the given I. +ossl_provider_unquery_operation() informs the provider that the result of +ossl_provider_query_operation() is no longer going to be directly accessed and +that all relevant information has been copied. + ossl_provider_set_operation_bit() registers a 1 for operation I in a bitstring that's internal to I. diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index e5c451259a..d5317ee3f5 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod @@ -6,8 +6,8 @@ OSSL_PROVIDER_set_default_search_path, OSSL_PROVIDER, OSSL_PROVIDER_load, OSSL_PROVIDER_try_load, OSSL_PROVIDER_unload, OSSL_PROVIDER_available, OSSL_PROVIDER_do_all, OSSL_PROVIDER_gettable_params, OSSL_PROVIDER_get_params, -OSSL_PROVIDER_query_operation, OSSL_PROVIDER_get0_provider_ctx, -OSSL_PROVIDER_add_builtin, OSSL_PROVIDER_name, +OSSL_PROVIDER_query_operation, OSSL_PROVIDER_unquery_operation, +OSSL_PROVIDER_get0_provider_ctx, OSSL_PROVIDER_add_builtin, OSSL_PROVIDER_name, OSSL_PROVIDER_get_capabilities, OSSL_PROVIDER_self_test - provider routines @@ -35,6 +35,9 @@ OSSL_PROVIDER_get_capabilities, OSSL_PROVIDER_self_test const OSSL_ALGORITHM *OSSL_PROVIDER_query_operation(const OSSL_PROVIDER *prov, int operation_id, int *no_cache); + void OSSL_PROVIDER_unquery_operation(const OSSL_PROVIDER *prov, + int operation_id, + const OSSL_ALGORITHM *algs); void *OSSL_PROVIDER_get0_provider_ctx(const OSSL_PROVIDER *prov); int OSSL_PROVIDER_add_builtin(OSSL_LIB_CTX *libctx, const char *name, @@ -119,6 +122,10 @@ array of I for the given I terminated by an all NULL OSSL_ALGORITHM entry. This is considered a low-level function that most applications should not need to call. +OSSL_PROVIDER_unquery_operation() calls the provider's I +function (see L), if the provider has one. This is considered a +low-level function that most applications should not need to call. + OSSL_PROVIDER_get0_provider_ctx() returns the provider context for the given provider. The provider context is an opaque handle set by the provider itself and is passed back to the provider by libcrypto in various function calls. diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index 8659431437..3b4416dac0 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -86,6 +86,8 @@ provider-base const OSSL_ALGORITHM *provider_query_operation(void *provctx, int operation_id, const int *no_store); + void provider_unquery_operation(void *provctx, int operation_id, + const OSSL_ALGORITHM *algs); const OSSL_ITEM *provider_get_reason_strings(void *provctx); int provider_get_capabilities(void *provctx, const char *capability, OSSL_CALLBACK *cb, void *arg); @@ -154,6 +156,7 @@ F): provider_gettable_params OSSL_FUNC_PROVIDER_GETTABLE_PARAMS provider_get_params OSSL_FUNC_PROVIDER_GET_PARAMS provider_query_operation OSSL_FUNC_PROVIDER_QUERY_OPERATION + provider_unquery_operation OSSL_FUNC_PROVIDER_UNQUERY_OPERATION provider_get_reason_strings OSSL_FUNC_PROVIDER_GET_REASON_STRINGS provider_get_capabilities OSSL_FUNC_PROVIDER_GET_CAPABILITIES provider_self_test OSSL_FUNC_PROVIDER_SELF_TEST @@ -274,6 +277,11 @@ It should indicate if the core may store a reference to this array by setting I<*no_store> to 0 (core may store a reference) or 1 (core may not store a reference). +provider_unquery_operation() informs the provider that the result of a +provider_query_operation() is no longer directly required and that the function +pointers have been copied. The I should match that passed to +provider_query_operation() and I should be its return value. + provider_get_reason_strings() should return a constant B array that provides reason strings for reason codes the provider may use when reporting errors using core_put_error(). diff --git a/include/internal/provider.h b/include/internal/provider.h index fbe3154b53..7441bf26f0 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h @@ -83,6 +83,9 @@ int ossl_provider_self_test(const OSSL_PROVIDER *prov); const OSSL_ALGORITHM *ossl_provider_query_operation(const OSSL_PROVIDER *prov, int operation_id, int *no_cache); +void ossl_provider_unquery_operation(const OSSL_PROVIDER *prov, + int operation_id, + const OSSL_ALGORITHM *algs); /* Cache of bits to see if we already queried an operation */ int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum); diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 6f12d6fecf..4d1d89ca82 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -193,13 +193,16 @@ OSSL_CORE_MAKE_FUNC(int,provider_get_params,(void *provctx, # define OSSL_FUNC_PROVIDER_QUERY_OPERATION 1027 OSSL_CORE_MAKE_FUNC(const OSSL_ALGORITHM *,provider_query_operation, (void *provctx, int operation_id, int *no_store)) -# define OSSL_FUNC_PROVIDER_GET_REASON_STRINGS 1028 +# define OSSL_FUNC_PROVIDER_UNQUERY_OPERATION 1028 +OSSL_CORE_MAKE_FUNC(void, provider_unquery_operation, + (void *provctx, int operation_id, const OSSL_ALGORITHM *)) +# define OSSL_FUNC_PROVIDER_GET_REASON_STRINGS 1029 OSSL_CORE_MAKE_FUNC(const OSSL_ITEM *,provider_get_reason_strings, (void *provctx)) -# define OSSL_FUNC_PROVIDER_GET_CAPABILITIES 1029 +# define OSSL_FUNC_PROVIDER_GET_CAPABILITIES 1030 OSSL_CORE_MAKE_FUNC(int, provider_get_capabilities, (void *provctx, const char *capability, OSSL_CALLBACK *cb, void *arg)) -# define OSSL_FUNC_PROVIDER_SELF_TEST 1030 +# define OSSL_FUNC_PROVIDER_SELF_TEST 1031 OSSL_CORE_MAKE_FUNC(int, provider_self_test, (void *provctx)) /* Operations */ diff --git a/include/openssl/provider.h b/include/openssl/provider.h index a8720aaa7e..56b430710f 100644 --- a/include/openssl/provider.h +++ b/include/openssl/provider.h @@ -41,6 +41,8 @@ int OSSL_PROVIDER_get_capabilities(const OSSL_PROVIDER *prov, const OSSL_ALGORITHM *OSSL_PROVIDER_query_operation(const OSSL_PROVIDER *prov, int operation_id, int *no_cache); +void OSSL_PROVIDER_unquery_operation(const OSSL_PROVIDER *prov, + int operation_id, const OSSL_ALGORITHM *algs); void *OSSL_PROVIDER_get0_provider_ctx(const OSSL_PROVIDER *prov); /* Add a built in providers */ diff --git a/test/filterprov.c b/test/filterprov.c index 71606ecc93..e14c802b1d 100644 --- a/test/filterprov.c +++ b/test/filterprov.c @@ -14,13 +14,10 @@ #include #include -#include #include #include - -OSSL_provider_init_fn filter_provider_init; - -int filter_provider_set_filter(int operation, const char *name); +#include "testutil.h" +#include "filterprov.h" #define MAX_FILTERS 10 #define MAX_ALG_FILTERS 5 @@ -34,6 +31,8 @@ struct filter_prov_globals_st { } dispatch[MAX_FILTERS]; int num_dispatch; int no_cache; + unsigned long int query_count; + int error; }; static struct filter_prov_globals_st ourglobals; @@ -51,6 +50,7 @@ static struct filter_prov_globals_st *get_globals(void) static OSSL_FUNC_provider_gettable_params_fn filter_gettable_params; static OSSL_FUNC_provider_get_params_fn filter_get_params; static OSSL_FUNC_provider_query_operation_fn filter_query; +static OSSL_FUNC_provider_unquery_operation_fn filter_unquery; static OSSL_FUNC_provider_teardown_fn filter_teardown; static const OSSL_PARAM *filter_gettable_params(void *provctx) @@ -82,6 +82,7 @@ static const OSSL_ALGORITHM *filter_query(void *provctx, struct filter_prov_globals_st *globs = get_globals(); int i; + globs->query_count++; for (i = 0; i < globs->num_dispatch; i++) { if (globs->dispatch[i].operation == operation_id) { *no_cache = globs->no_cache; @@ -93,12 +94,30 @@ static const OSSL_ALGORITHM *filter_query(void *provctx, return OSSL_PROVIDER_query_operation(globs->deflt, operation_id, no_cache); } +static void filter_unquery(void *provctx, int operation_id, + const OSSL_ALGORITHM *algs) +{ + struct filter_prov_globals_st *globs = get_globals(); + int i; + + if (!TEST_ulong_gt(globs->query_count, 0)) + globs->error = 1; + else + globs->query_count--; + + for (i = 0; i < globs->num_dispatch; i++) + if (globs->dispatch[i].alg == algs) + return; + OSSL_PROVIDER_unquery_operation(globs->deflt, operation_id, algs); +} + static void filter_teardown(void *provctx) { struct filter_prov_globals_st *globs = get_globals(); OSSL_PROVIDER_unload(globs->deflt); OSSL_LIB_CTX_free(globs->libctx); + memset(globs, 0, sizeof(*globs)); } /* Functions we provide to the core */ @@ -106,6 +125,7 @@ static const OSSL_DISPATCH filter_dispatch_table[] = { { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))filter_gettable_params }, { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))filter_get_params }, { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))filter_query }, + { OSSL_FUNC_PROVIDER_UNQUERY_OPERATION, (void (*)(void))filter_unquery }, { OSSL_FUNC_PROVIDER_GET_CAPABILITIES, (void (*)(void))filter_get_capabilities }, { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))filter_teardown }, { 0, NULL } @@ -201,6 +221,18 @@ int filter_provider_set_filter(int operation, const char *filterstr) ret = 1; err: + OSSL_PROVIDER_unquery_operation(globs->deflt, operation, provalgs); OPENSSL_free(filterstrtmp); return ret; } + +/* + * Test if a filter provider is in a clean finishing state. + * If it is return 1, otherwise return 0. + */ +int filter_provider_check_clean_finish(void) +{ + struct filter_prov_globals_st *globs = get_globals(); + + return TEST_ulong_eq(globs->query_count, 0) && !globs->error; +} diff --git a/test/testutil/apps_mem.c b/test/filterprov.h similarity index 51% copy from test/testutil/apps_mem.c copy to test/filterprov.h index fa60bc6848..3c63071556 100644 --- a/test/testutil/apps_mem.c +++ b/test/filterprov.h @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,13 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include "apps.h" +#include -/* shim that avoids sucking in too much from apps/apps.c */ - -void* app_malloc(int sz, const char *what) -{ - void *vp = OPENSSL_malloc(sz); - - return vp; -} +OSSL_provider_init_fn filter_provider_init; +int filter_provider_set_filter(int operation, const char *name); +int filter_provider_check_clean_finish(void); diff --git a/test/sslapitest.c b/test/sslapitest.c index 6f30a7efd1..b6eb6c16db 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -38,6 +38,7 @@ #include "internal/nelem.h" #include "internal/ktls.h" #include "../ssl/ssl_local.h" +#include "filterprov.h" #undef OSSL_NO_USABLE_TLS1_3 #if defined(OPENSSL_NO_TLS1_3) \ @@ -49,10 +50,6 @@ # define OSSL_NO_USABLE_TLS1_3 #endif -/* Defined in filterprov.c */ -OSSL_provider_init_fn filter_provider_init; -int filter_provider_set_filter(int operation, const char *name); - /* Defined in tls-provider.c */ int tls_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, @@ -8058,7 +8055,7 @@ static int test_sigalgs_available(int idx) : NID_rsassaPss)) goto end; - testresult = 1; + testresult = filter_provider_check_clean_finish(); end: SSL_free(serverssl); diff --git a/util/libcrypto.num b/util/libcrypto.num index 0403a6944b..2f04e81152 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5078,6 +5078,7 @@ X509_PUBKEY_eq ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_eq ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_parameters_eq ? 3_0_0 EXIST::FUNCTION: OSSL_PROVIDER_query_operation ? 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_unquery_operation ? 3_0_0 EXIST::FUNCTION: OSSL_PROVIDER_get0_provider_ctx ? 3_0_0 EXIST::FUNCTION: OSSL_PROVIDER_get_capabilities ? 3_0_0 EXIST::FUNCTION: EC_GROUP_new_by_curve_name_ex ? 3_0_0 EXIST::FUNCTION:EC From matt at openssl.org Wed Feb 24 12:25:41 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 24 Feb 2021 12:25:41 +0000 Subject: [openssl] master update Message-ID: <1614169541.073609.26145.nullmailer@dev.openssl.org> The branch master has been updated via 81c15ed00bbe5cb4b864ad9b1fab12a26fa91201 (commit) via de4a88a979193e1f28c65c1f902828dd91d10ba5 (commit) from b0001d0cf2539b9309712e3e04f407dcbb04352c (commit) - Log ----------------------------------------------------------------- commit 81c15ed00bbe5cb4b864ad9b1fab12a26fa91201 Author: Matt Caswell Date: Tue Feb 16 10:10:26 2021 +0000 Test errors from a provider can still be accessed after unload Providers can create errors that may refer to const strings within the provider module itself. If the provider gets unloaded we need to be sure that we can still access the errors in the error stack. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14213) commit de4a88a979193e1f28c65c1f902828dd91d10ba5 Author: Matt Caswell Date: Mon Feb 15 16:59:43 2021 +0000 Duplicate the file and func error strings Errors raised from a provider that is subsequently unloaded from memory may have references to strings representing the file and function that are no longer present because the provider is no longer in memory. This can cause crashes. To avoid this we duplicate the file and func strings. Fixes #13623 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14213) ----------------------------------------------------------------------- Summary of changes: crypto/err/err.c | 2 +- crypto/err/err_local.h | 21 ++++++++++++-- include/openssl/err.h.in | 4 +-- test/build.info | 6 ++-- test/p_test.c | 73 ++++++++++++++++++++++++++++++++++++++++++++---- test/provider_test.c | 64 +++++++++++++++++++++++++++++++++--------- 6 files changed, 143 insertions(+), 27 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index fe91ca7b5d..e5f9866813 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -190,7 +190,7 @@ static void ERR_STATE_free(ERR_STATE *s) if (s == NULL) return; for (i = 0; i < ERR_NUM_ERRORS; i++) { - err_clear_data(s, i, 1); + err_clear(s, i, 1); } OPENSSL_free(s); } diff --git a/crypto/err/err_local.h b/crypto/err/err_local.h index 03e05b7a1c..abb6996e13 100644 --- a/crypto/err/err_local.h +++ b/crypto/err/err_local.h @@ -48,9 +48,21 @@ static ossl_inline void err_set_debug(ERR_STATE *es, size_t i, const char *file, int line, const char *fn) { - es->err_file[i] = file; + /* + * We dup the file and fn strings because they may be provider owned. If the + * provider gets unloaded, they may not be valid anymore. + */ + OPENSSL_free(es->err_file[i]); + if (file == NULL || file[0] == '\0') + es->err_file[i] = NULL; + else + es->err_file[i] = OPENSSL_strdup(file); es->err_line[i] = line; - es->err_func[i] = fn; + OPENSSL_free(es->err_func[i]); + if (fn == NULL || fn[0] == '\0') + es->err_func[i] = NULL; + else + es->err_func[i] = OPENSSL_strdup(fn); } static ossl_inline void err_set_data(ERR_STATE *es, size_t i, @@ -67,8 +79,11 @@ static ossl_inline void err_clear(ERR_STATE *es, size_t i, int deall) es->err_marks[i] = 0; es->err_flags[i] = 0; es->err_buffer[i] = 0; - es->err_file[i] = NULL; es->err_line[i] = -1; + OPENSSL_free(es->err_file[i]); + es->err_file[i] = NULL; + OPENSSL_free(es->err_func[i]); + es->err_func[i] = NULL; } ERR_STATE *err_get_state_int(void); diff --git a/include/openssl/err.h.in b/include/openssl/err.h.in index c012f65d08..f7d5c174a1 100644 --- a/include/openssl/err.h.in +++ b/include/openssl/err.h.in @@ -62,9 +62,9 @@ struct err_state_st { char *err_data[ERR_NUM_ERRORS]; size_t err_data_size[ERR_NUM_ERRORS]; int err_data_flags[ERR_NUM_ERRORS]; - const char *err_file[ERR_NUM_ERRORS]; + char *err_file[ERR_NUM_ERRORS]; int err_line[ERR_NUM_ERRORS]; - const char *err_func[ERR_NUM_ERRORS]; + char *err_func[ERR_NUM_ERRORS]; int top, bottom; }; # endif diff --git a/test/build.info b/test/build.info index 5bf35dcb10..3b0fa12d20 100644 --- a/test/build.info +++ b/test/build.info @@ -762,17 +762,17 @@ IF[{- !$disabled{tests} -}] PROGRAMS{noinst}=provider_internal_test DEFINE[provider_internal_test]=PROVIDER_INIT_FUNCTION_NAME=p_test_init SOURCE[provider_internal_test]=provider_internal_test.c p_test.c - INCLUDE[provider_internal_test]=../include ../apps/include + INCLUDE[provider_internal_test]=../include ../apps/include .. DEPEND[provider_internal_test]=../libcrypto.a libtestutil.a PROGRAMS{noinst}=provider_test DEFINE[provider_test]=PROVIDER_INIT_FUNCTION_NAME=p_test_init SOURCE[provider_test]=provider_test.c p_test.c - INCLUDE[provider_test]=../include ../apps/include + INCLUDE[provider_test]=../include ../apps/include .. DEPEND[provider_test]=../libcrypto.a libtestutil.a IF[{- !$disabled{module} -}] MODULES{noinst}=p_test SOURCE[p_test]=p_test.c - INCLUDE[p_test]=../include + INCLUDE[p_test]=../include .. IF[{- defined $target{shared_defflag} -}] SOURCE[p_test]=p_test.ld GENERATE[p_test.ld]=../util/providers.num diff --git a/test/p_test.c b/test/p_test.c index dfd62ebd83..57597086aa 100644 --- a/test/p_test.c +++ b/test/p_test.c @@ -26,11 +26,22 @@ # define OSSL_provider_init PROVIDER_INIT_FUNCTION_NAME #endif +#include "e_os.h" #include #include +#include + +typedef struct p_test_ctx { + char *thisfile; + char *thisfunc; + const OSSL_CORE_HANDLE *handle; +} P_TEST_CTX; static OSSL_FUNC_core_gettable_params_fn *c_gettable_params = NULL; static OSSL_FUNC_core_get_params_fn *c_get_params = NULL; +static OSSL_FUNC_core_new_error_fn *c_new_error; +static OSSL_FUNC_core_set_error_debug_fn *c_set_error_debug; +static OSSL_FUNC_core_vset_error_fn *c_vset_error; /* Tell the core what params we provide and what type they are */ static const OSSL_PARAM p_param_types[] = { @@ -42,15 +53,17 @@ static const OSSL_PARAM p_param_types[] = { static OSSL_FUNC_provider_gettable_params_fn p_gettable_params; static OSSL_FUNC_provider_get_params_fn p_get_params; static OSSL_FUNC_provider_get_reason_strings_fn p_get_reason_strings; +static OSSL_FUNC_provider_teardown_fn p_teardown; static const OSSL_PARAM *p_gettable_params(void *_) { return p_param_types; } -static int p_get_params(void *vhand, OSSL_PARAM params[]) +static int p_get_params(void *provctx, OSSL_PARAM params[]) { - const OSSL_CORE_HANDLE *hand = vhand; + P_TEST_CTX *ctx = (P_TEST_CTX *)provctx; + const OSSL_CORE_HANDLE *hand = ctx->handle; OSSL_PARAM *p = params; int ok = 1; @@ -101,6 +114,14 @@ static int p_get_params(void *vhand, OSSL_PARAM params[]) return ok; } +static void p_set_error(int lib, int reason, const char *file, int line, + const char *func) +{ + c_new_error(NULL); + c_set_error_debug(NULL, file, line, func); + c_vset_error(NULL, ERR_PACK(lib, 0, reason), NULL, NULL); +} + static const OSSL_ITEM *p_get_reason_strings(void *_) { static const OSSL_ITEM reason_strings[] = { @@ -116,6 +137,7 @@ static const OSSL_DISPATCH p_test_table[] = { { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params }, { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS, (void (*)(void))p_get_reason_strings}, + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown }, { 0, NULL } }; @@ -124,6 +146,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH **out, void **provctx) { + P_TEST_CTX *ctx; + for (; in->function_id != 0; in++) { switch (in->function_id) { case OSSL_FUNC_CORE_GETTABLE_PARAMS: @@ -132,15 +156,54 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, case OSSL_FUNC_CORE_GET_PARAMS: c_get_params = OSSL_FUNC_core_get_params(in); break; + case OSSL_FUNC_CORE_NEW_ERROR: + c_new_error = OSSL_FUNC_core_new_error(in); + break; + case OSSL_FUNC_CORE_SET_ERROR_DEBUG: + c_set_error_debug = OSSL_FUNC_core_set_error_debug(in); + break; + case OSSL_FUNC_CORE_VSET_ERROR: + c_vset_error = OSSL_FUNC_core_vset_error(in); + break; default: /* Just ignore anything we don't understand */ break; } } - /* Because we use this in get_params, we need to pass it back */ - *provctx = (void *)handle; - + /* + * We want to test that libcrypto doesn't use the file and func pointers + * that we provide to it via c_set_error_debug beyond the time that they + * are valid for. Therefore we dynamically allocate these strings now and + * free them again when the provider is torn down. If anything tries to + * use those strings after that point there will be a use-after-free and + * asan will complain (and hence the tests will fail). + * This file isn't linked against libcrypto, so we use malloc and strdup + * instead of OPENSSL_malloc and OPENSSL_strdup + */ + ctx = malloc(sizeof(*ctx)); + if (ctx == NULL) + return 0; + ctx->thisfile = strdup(OPENSSL_FILE); + ctx->thisfunc = strdup(OPENSSL_FUNC); + ctx->handle = handle; + + /* + * Set a spurious error to check error handling works correctly. This will + * be ignored + */ + p_set_error(ERR_LIB_PROV, 1, ctx->thisfile, OPENSSL_LINE, ctx->thisfunc); + + *provctx = (void *)ctx; *out = p_test_table; return 1; } + +static void p_teardown(void *provctx) +{ + P_TEST_CTX *ctx = (P_TEST_CTX *)provctx; + + free(ctx->thisfile); + free(ctx->thisfunc); + free(ctx); +} diff --git a/test/provider_test.c b/test/provider_test.c index acb9f2000e..7406bb4318 100644 --- a/test/provider_test.c +++ b/test/provider_test.c @@ -19,41 +19,79 @@ static OSSL_PARAM greeting_request[] = { { NULL, 0, NULL, 0, 0 } }; -static int test_provider(const char *name) +static int test_provider(OSSL_LIB_CTX **libctx, const char *name) { OSSL_PROVIDER *prov = NULL; const char *greeting = NULL; char expected_greeting[256]; + int ok = 0; + long err; BIO_snprintf(expected_greeting, sizeof(expected_greeting), "Hello OpenSSL %.20s, greetings from %s!", OPENSSL_VERSION_STR, name); - return - TEST_ptr(prov = OSSL_PROVIDER_load(NULL, name)) - && TEST_true(OSSL_PROVIDER_get_params(prov, greeting_request)) - && TEST_ptr(greeting = greeting_request[0].data) - && TEST_size_t_gt(greeting_request[0].data_size, 0) - && TEST_str_eq(greeting, expected_greeting) - && TEST_true(OSSL_PROVIDER_unload(prov)); + if (!TEST_ptr(prov = OSSL_PROVIDER_load(*libctx, name)) + || !TEST_true(OSSL_PROVIDER_get_params(prov, greeting_request)) + || !TEST_ptr(greeting = greeting_request[0].data) + || !TEST_size_t_gt(greeting_request[0].data_size, 0) + || !TEST_str_eq(greeting, expected_greeting) + || !TEST_true(OSSL_PROVIDER_unload(prov))) + goto err; + + prov = NULL; + + /* + * We must free the libctx to force the provider to really be unloaded from + * memory + */ + OSSL_LIB_CTX_free(*libctx); + *libctx = NULL; + + /* Make sure we got the error we were expecting */ + err = ERR_peek_last_error(); + if (!TEST_int_gt(err, 0) + || !TEST_int_eq(ERR_GET_REASON(err), 1)) + goto err; + + /* We print out all the data to make sure it can still be accessed */ + ERR_print_errors_fp(stderr); + ok = 1; + err: + OSSL_PROVIDER_unload(prov); + OSSL_LIB_CTX_free(*libctx); + *libctx = NULL; + return ok; } static int test_builtin_provider(void) { + OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); const char *name = "p_test_builtin"; + int ok; - return - TEST_true(OSSL_PROVIDER_add_builtin(NULL, name, - PROVIDER_INIT_FUNCTION_NAME)) - && test_provider(name); + ok = + TEST_ptr(libctx) + && TEST_true(OSSL_PROVIDER_add_builtin(libctx, name, + PROVIDER_INIT_FUNCTION_NAME)) + && test_provider(&libctx, name); + + OSSL_LIB_CTX_free(libctx); + + return ok; } #ifndef NO_PROVIDER_MODULE static int test_loaded_provider(void) { + OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); const char *name = "p_test"; - return test_provider(name); + if (!TEST_ptr(libctx)) + return 0; + + /* test_provider will free libctx as part of the test */ + return test_provider(&libctx, name); } #endif From pauli at openssl.org Wed Feb 24 14:07:02 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 24 Feb 2021 14:07:02 +0000 Subject: [openssl] master update Message-ID: <1614175622.865467.7283.nullmailer@dev.openssl.org> The branch master has been updated via af9f2ee339acd3958c0a8262e7e1012a632025da (commit) from 81c15ed00bbe5cb4b864ad9b1fab12a26fa91201 (commit) - Log ----------------------------------------------------------------- commit af9f2ee339acd3958c0a8262e7e1012a632025da Author: Daniel Bevenius Date: Tue Feb 23 13:30:13 2021 +0100 Fix typo in comment in DH_set0_pqg function Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14288) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 46aba02bad..e3db7a4929 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -222,7 +222,7 @@ void DH_get0_pqg(const DH *dh, int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { /* - * If the fields p and g in d are NULL, the corresponding input + * If the fields p and g in dh are NULL, the corresponding input * parameters MUST be non-NULL. q may remain NULL. */ if ((dh->params.p == NULL && p == NULL) From tomas at openssl.org Wed Feb 24 15:53:50 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 24 Feb 2021 15:53:50 +0000 Subject: [openssl] master update Message-ID: <1614182030.651257.18268.nullmailer@dev.openssl.org> The branch master has been updated via 861f265a407d5de81c79b6917139e66cdfb0f367 (commit) via f3ccfc76fe3b73190e3de60fb8c8c39d88203db1 (commit) via a89cd8d87c48b1d3561ce74af79e1d4fbaa034b7 (commit) via ee1d7f1d25ef24f111f13dc742474cd9c39c2753 (commit) from af9f2ee339acd3958c0a8262e7e1012a632025da (commit) - Log ----------------------------------------------------------------- commit 861f265a407d5de81c79b6917139e66cdfb0f367 Author: Tomas Mraz Date: Mon Feb 22 13:20:28 2021 +0100 speed: Drop deprecated _options() calls Also correction of some code format issues. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14228) commit f3ccfc76fe3b73190e3de60fb8c8c39d88203db1 Author: Tomas Mraz Date: Thu Feb 18 10:48:18 2021 +0100 speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa Fixes #13909 Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14228) commit a89cd8d87c48b1d3561ce74af79e1d4fbaa034b7 Author: Tomas Mraz Date: Mon Feb 15 19:45:01 2021 +0100 speed: Adapt digests and hmac to always use non-deprecated APIs Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14228) commit ee1d7f1d25ef24f111f13dc742474cd9c39c2753 Author: Tomas Mraz Date: Mon Feb 15 17:24:44 2021 +0100 speed: Drop code to handle platforms without SIGALRM (except for Windows where a separate thread stops the looping) Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14228) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 7 + apps/speed.c | 2472 +++++++++++++++++++------------------------------------- apps/testdsa.h | 47 +- 3 files changed, 872 insertions(+), 1654 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index c7a2c0baa5..335b492e4f 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -47,6 +47,13 @@ OpenSSL 3.0 *Paul Dale* + * The openssl speed command does not use low-level API calls anymore. This + implies some of the performance numbers might not be fully comparable + with the previous releases due to higher overhead. This applies + particularly to measuring performance on smaller data chunks. + + *Tom?? Mr?z* + * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups diff --git a/apps/speed.c b/apps/speed.c index e867448015..92eb0585fc 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -9,14 +9,16 @@ */ #undef SECONDS -#define SECONDS 3 -#define RSA_SECONDS 10 -#define DSA_SECONDS 10 -#define ECDSA_SECONDS 10 -#define ECDH_SECONDS 10 -#define EdDSA_SECONDS 10 -#define SM2_SECONDS 10 -#define FFDH_SECONDS 10 +#define SECONDS 3 +#define PKEY_SECONDS 10 + +#define RSA_SECONDS PKEY_SECONDS +#define DSA_SECONDS PKEY_SECONDS +#define ECDSA_SECONDS PKEY_SECONDS +#define ECDH_SECONDS PKEY_SECONDS +#define EdDSA_SECONDS PKEY_SECONDS +#define SM2_SECONDS PKEY_SECONDS +#define FFDH_SECONDS PKEY_SECONDS /* We need to use some deprecated APIs */ #define OPENSSL_SUPPRESS_DEPRECATED @@ -32,6 +34,7 @@ #include #include #include +#include #include #if !defined(OPENSSL_SYS_MSDOS) # include @@ -48,74 +51,14 @@ #endif #include -#ifndef OPENSSL_NO_DES -# include -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 -#include -#endif -#ifndef OPENSSL_NO_CAMELLIA -# include -#endif -#ifndef OPENSSL_NO_MD2 -# include -#endif -#ifndef OPENSSL_NO_MDC2 -# include -#endif -#ifndef OPENSSL_NO_MD4 -# include -#endif -#ifndef OPENSSL_NO_MD5 -# include -#endif -#include -#ifndef OPENSSL_NO_CMAC -#include -#endif -#include -#ifndef OPENSSL_NO_RMD160 -# include -#endif -#ifndef OPENSSL_NO_WHIRLPOOL -# include -#endif -#ifndef OPENSSL_NO_RC4 -# include -#endif -#ifndef OPENSSL_NO_RC5 -# include -#endif -#ifndef OPENSSL_NO_RC2 -# include -#endif -#ifndef OPENSSL_NO_IDEA -# include -#endif -#ifndef OPENSSL_NO_SEED -# include -#endif -#ifndef OPENSSL_NO_BF -# include -#endif -#ifndef OPENSSL_NO_CAST -# include -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 -# include -# include "./testrsa.h" -#endif +#include +#include "./testrsa.h" #ifndef OPENSSL_NO_DH # include #endif #include -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) -# include -# include "./testdsa.h" -#endif -#ifndef OPENSSL_NO_EC -# include -#endif +#include +#include "./testdsa.h" #include #ifndef HAVE_FORK @@ -137,6 +80,10 @@ #define MISALIGN 64 #define MAX_FFDH_SIZE 1024 +#ifndef RSA_DEFAULT_PRIME_NUM +# define RSA_DEFAULT_PRIME_NUM 2 +#endif + typedef struct openssl_speed_sec_st { int sym; int rsa; @@ -155,13 +102,8 @@ static int usertime = 1; static double Time_F(int s); static void print_message(const char *s, long num, int length, int tm); -#if !defined(OPENSSL_NO_DEPRECATED_3_0) \ - || !defined(OPENSSL_NO_DSA) \ - || !defined(OPENSSL_NO_DH) \ - || !defined(OPENSSL_NO_EC) static void pkey_print_message(const char *str, const char *str2, long num, unsigned int bits, int sec); -#endif static void print_result(int alg, int run_no, int count, double time_used); #ifndef NO_FORK static int do_multi(int multi, int size_num); @@ -243,10 +185,7 @@ static double Time_F(int s) return ret; } #else -static double Time_F(int s) -{ - return app_tminterval(s, usertime); -} +# error "SIGALRM not defined and the platform is not Windows" #endif static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, @@ -296,12 +235,8 @@ const OPTIONS speed_options[] = { OPT_SECTION("Selection"), {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"}, -#ifndef OPENSSL_NO_DEPRECATED_3_0 {"hmac", OPT_HMAC, 's', "HMAC using EVP-named digest"}, -#endif -#if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"cmac", OPT_CMAC, 's', "CMAC using EVP-named cipher"}, -#endif {"decrypt", OPT_DECRYPT, '-', "Time decryption instead of encryption (only EVP)"}, {"aead", OPT_AEAD, '-', @@ -326,105 +261,68 @@ const OPTIONS speed_options[] = { }; enum { - D_MD2, D_MDC2, D_MD4, D_MD5 , D_HMAC, D_SHA1, D_RMD160, D_RC4, - D_CBC_DES, D_EDE3_DES, D_CBC_IDEA, D_CBC_SEED, + D_MD2, D_MDC2, D_MD4, D_MD5, D_SHA1, D_RMD160, + D_SHA256, D_SHA512, D_WHIRLPOOL, D_HMAC, + D_CBC_DES, D_EDE3_DES, D_RC4, D_CBC_IDEA, D_CBC_SEED, D_CBC_RC2, D_CBC_RC5, D_CBC_BF, D_CBC_CAST, D_CBC_128_AES, D_CBC_192_AES, D_CBC_256_AES, D_CBC_128_CML, D_CBC_192_CML, D_CBC_256_CML, - D_EVP, D_SHA256, D_SHA512, D_WHIRLPOOL, - D_IGE_128_AES, D_IGE_192_AES, D_IGE_256_AES, - D_GHASH, D_RAND, D_EVP_HMAC, D_EVP_CMAC, ALGOR_NUM + D_EVP, D_GHASH, D_RAND, D_EVP_CMAC, ALGOR_NUM }; /* name of algorithms to test. MUST BE KEEP IN SYNC with above enum ! */ static const char *names[ALGOR_NUM] = { - "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4", - "des cbc", "des ede3", "idea cbc", "seed cbc", - "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc", - "aes-128 cbc", "aes-192 cbc", "aes-256 cbc", - "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc", - "evp", "sha256", "sha512", "whirlpool", - "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash", - "rand", "hmac", "cmac" + "md2", "mdc2", "md4", "md5", "sha1", "rmd160", + "sha256", "sha512", "whirlpool", "hmac(md5)", + "des-cbc", "des-ede3", "rc4", "idea-cbc", "seed-cbc", + "rc2-cbc", "rc5-cbc", "blowfish", "cast-cbc", + "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", + "camellia-128-cbc", "camellia-192-cbc", "camellia-256-cbc", + "evp", "ghash", "rand", "cmac" }; /* list of configured algorithm (remaining), with some few alias */ static const OPT_PAIR doit_choices[] = { -#if !defined(OPENSSL_NO_MD2) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"md2", D_MD2}, -#endif -#if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"mdc2", D_MDC2}, -#endif -#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"md4", D_MD4}, -#endif -#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"md5", D_MD5}, -# ifndef OPENSSL_NO_DEPRECATED_3_0 {"hmac", D_HMAC}, -# endif -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 {"sha1", D_SHA1}, {"sha256", D_SHA256}, {"sha512", D_SHA512}, -#endif -#if !defined(OPENSSL_NO_WHIRLPOOL) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"whirlpool", D_WHIRLPOOL}, -#endif -#if !defined(OPENSSL_NO_RMD160) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"ripemd", D_RMD160}, {"rmd160", D_RMD160}, {"ripemd160", D_RMD160}, -#endif -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"rc4", D_RC4}, -#endif -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"des-cbc", D_CBC_DES}, {"des-ede3", D_EDE3_DES}, -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 {"aes-128-cbc", D_CBC_128_AES}, {"aes-192-cbc", D_CBC_192_AES}, {"aes-256-cbc", D_CBC_256_AES}, - {"aes-128-ige", D_IGE_128_AES}, - {"aes-192-ige", D_IGE_192_AES}, - {"aes-256-ige", D_IGE_256_AES}, -#endif -#if !defined(OPENSSL_NO_RC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) + {"camellia-128-cbc", D_CBC_128_CML}, + {"camellia-192-cbc", D_CBC_192_CML}, + {"camellia-256-cbc", D_CBC_256_CML}, {"rc2-cbc", D_CBC_RC2}, {"rc2", D_CBC_RC2}, -#endif -#if !defined(OPENSSL_NO_RC5) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"rc5-cbc", D_CBC_RC5}, {"rc5", D_CBC_RC5}, -#endif -#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"idea-cbc", D_CBC_IDEA}, {"idea", D_CBC_IDEA}, -#endif -#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"seed-cbc", D_CBC_SEED}, {"seed", D_CBC_SEED}, -#endif -#if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"bf-cbc", D_CBC_BF}, {"blowfish", D_CBC_BF}, {"bf", D_CBC_BF}, -#endif -#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"cast-cbc", D_CBC_CAST}, {"cast", D_CBC_CAST}, {"cast5", D_CBC_CAST}, -#endif {"ghash", D_GHASH}, {"rand", D_RAND} }; static double results[ALGOR_NUM][SIZE_NUM]; -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) enum { R_DSA_512, R_DSA_1024, R_DSA_2048, DSA_NUM }; static const OPT_PAIR dsa_choices[DSA_NUM] = { {"dsa512", R_DSA_512}, @@ -432,9 +330,7 @@ static const OPT_PAIR dsa_choices[DSA_NUM] = { {"dsa2048", R_DSA_2048} }; static double dsa_results[DSA_NUM][2]; /* 2 ops: sign then verify */ -#endif /* OPENSSL_NO_DSA */ -#ifndef OPENSSL_NO_DEPRECATED_3_0 enum { R_RSA_512, R_RSA_1024, R_RSA_2048, R_RSA_3072, R_RSA_4096, R_RSA_7680, R_RSA_15360, RSA_NUM @@ -450,7 +346,6 @@ static const OPT_PAIR rsa_choices[RSA_NUM] = { }; static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */ -#endif /* OPENSSL_NO_DEPRECATED_3_0 */ #ifndef OPENSSL_NO_DH enum ff_params_t { @@ -468,13 +363,12 @@ static const OPT_PAIR ffdh_choices[FFDH_NUM] = { static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ #endif /* OPENSSL_NO_DH */ -#ifndef OPENSSL_NO_EC enum ec_curves_t { R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, -# ifndef OPENSSL_NO_EC2M +#ifndef OPENSSL_NO_EC2M R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, -# endif +#endif R_EC_BRP256R1, R_EC_BRP256T1, R_EC_BRP384R1, R_EC_BRP384T1, R_EC_BRP512R1, R_EC_BRP512T1, ECDSA_NUM }; @@ -486,7 +380,7 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, {"ecdsap521", R_EC_P521}, -# ifndef OPENSSL_NO_EC2M +#ifndef OPENSSL_NO_EC2M {"ecdsak163", R_EC_K163}, {"ecdsak233", R_EC_K233}, {"ecdsak283", R_EC_K283}, @@ -497,7 +391,7 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { {"ecdsab283", R_EC_B283}, {"ecdsab409", R_EC_B409}, {"ecdsab571", R_EC_B571}, -# endif +#endif {"ecdsabrp256r1", R_EC_BRP256R1}, {"ecdsabrp256t1", R_EC_BRP256T1}, {"ecdsabrp384r1", R_EC_BRP384R1}, @@ -514,7 +408,7 @@ static const OPT_PAIR ecdh_choices[EC_NUM] = { {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, {"ecdhp521", R_EC_P521}, -# ifndef OPENSSL_NO_EC2M +#ifndef OPENSSL_NO_EC2M {"ecdhk163", R_EC_K163}, {"ecdhk233", R_EC_K233}, {"ecdhk283", R_EC_K283}, @@ -525,7 +419,7 @@ static const OPT_PAIR ecdh_choices[EC_NUM] = { {"ecdhb283", R_EC_B283}, {"ecdhb409", R_EC_B409}, {"ecdhb571", R_EC_B571}, -# endif +#endif {"ecdhbrp256r1", R_EC_BRP256R1}, {"ecdhbrp256t1", R_EC_BRP256T1}, {"ecdhbrp384r1", R_EC_BRP384R1}, @@ -547,24 +441,18 @@ static const OPT_PAIR eddsa_choices[EdDSA_NUM] = { }; static double eddsa_results[EdDSA_NUM][2]; /* 2 ops: sign then verify */ -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 enum { R_EC_CURVESM2, SM2_NUM }; static const OPT_PAIR sm2_choices[SM2_NUM] = { {"curveSM2", R_EC_CURVESM2} }; -# define SM2_ID "TLSv1.3+GM+Cipher+Suite" -# define SM2_ID_LEN sizeof("TLSv1.3+GM+Cipher+Suite") - 1 +# define SM2_ID "TLSv1.3+GM+Cipher+Suite" +# define SM2_ID_LEN sizeof("TLSv1.3+GM+Cipher+Suite") - 1 static double sm2_results[SM2_NUM][2]; /* 2 ops: sign then verify */ -# endif /* OPENSSL_NO_SM2 */ -#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_SM2 */ -#ifndef SIGALRM -# define COND(d) (count < (d)) -# define COUNT(d) (d) -#else -# define COND(unused_cond) (run && count<0x7fffffff) -# define COUNT(d) (count) -#endif /* SIGALRM */ +#define COND(unused_cond) (run && count < 0x7fffffff) +#define COUNT(d) (count) typedef struct loopargs_st { ASYNC_JOB *inprogress_job; @@ -574,43 +462,31 @@ typedef struct loopargs_st { unsigned char *buf_malloc; unsigned char *buf2_malloc; unsigned char *key; - unsigned int siglen; size_t sigsize; -#ifndef OPENSSL_NO_DEPRECATED_3_0 - RSA *rsa_key[RSA_NUM]; -#endif -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - DSA *dsa_key[DSA_NUM]; -#endif -#ifndef OPENSSL_NO_EC -# ifndef OPENSSL_NO_DEPRECATED_3_0 - EC_KEY *ecdsa[ECDSA_NUM]; -# endif + EVP_PKEY_CTX *rsa_sign_ctx[RSA_NUM]; + EVP_PKEY_CTX *rsa_verify_ctx[RSA_NUM]; + EVP_PKEY_CTX *dsa_sign_ctx[DSA_NUM]; + EVP_PKEY_CTX *dsa_verify_ctx[DSA_NUM]; + EVP_PKEY_CTX *ecdsa_sign_ctx[ECDSA_NUM]; + EVP_PKEY_CTX *ecdsa_verify_ctx[ECDSA_NUM]; EVP_PKEY_CTX *ecdh_ctx[EC_NUM]; EVP_MD_CTX *eddsa_ctx[EdDSA_NUM]; EVP_MD_CTX *eddsa_ctx2[EdDSA_NUM]; -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 EVP_MD_CTX *sm2_ctx[SM2_NUM]; EVP_MD_CTX *sm2_vfy_ctx[SM2_NUM]; EVP_PKEY *sm2_pkey[SM2_NUM]; -# endif +#endif unsigned char *secret_a; unsigned char *secret_b; size_t outlen[EC_NUM]; -#endif #ifndef OPENSSL_NO_DH EVP_PKEY_CTX *ffdh_ctx[FFDH_NUM]; unsigned char *secret_ff_a; unsigned char *secret_ff_b; #endif EVP_CIPHER_CTX *ctx; -#ifndef OPENSSL_NO_DEPRECATED_3_0 - HMAC_CTX *hctx; -#endif -#if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) - CMAC_CTX *cmac_ctx; -#endif - GCM128_CONTEXT *gcm_ctx; + EVP_MAC_CTX *mctx; } loopargs_t; static int run_benchmark(int async_jobs, int (*loop_function) (void *), loopargs_t * loopargs); @@ -620,277 +496,252 @@ static unsigned int testnum; /* Nb of iterations to do per algorithm and key-size */ static long c[ALGOR_NUM][SIZE_NUM]; -#if !defined(OPENSSL_NO_MD2) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static int EVP_Digest_MD2_loop(void *args) +static char *evp_mac_mdname = "md5"; +static char *evp_hmac_name = NULL; +static const char *evp_md_name = NULL; +static char *evp_mac_ciphername = "aes-128-cbc"; +static char *evp_cmac_name = NULL; + +static EVP_MD *obtain_md(const char *name, int *fetched) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char md2[MD2_DIGEST_LENGTH]; - int count; + EVP_MD *md = NULL; - for (count = 0; COND(c[D_MD2][testnum]); count++) { - if (!EVP_Digest(buf, (size_t)lengths[testnum], md2, NULL, EVP_md2(), - NULL)) - return -1; + *fetched = 0; + /* Look through providers' digests */ + ERR_set_mark(); + md = EVP_MD_fetch(NULL, name, NULL); + ERR_pop_to_mark(); + if (md != NULL) { + *fetched = 1; + return md; } - return count; + + return (EVP_MD *)EVP_get_digestbyname(name); } -#endif -#if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static int EVP_Digest_MDC2_loop(void *args) +static int have_md(const char *name) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char mdc2[MDC2_DIGEST_LENGTH]; - int count; + int fetched = 0; + int ret = 0; + EVP_MD *md = obtain_md(name, &fetched); - for (count = 0; COND(c[D_MDC2][testnum]); count++) { - if (!EVP_Digest(buf, (size_t)lengths[testnum], mdc2, NULL, EVP_mdc2(), - NULL)) - return -1; + if (md != NULL) { + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + + if (ctx != NULL && EVP_DigestInit(ctx, md) > 0) + ret = 1; + EVP_MD_CTX_free(ctx); + if (fetched) + EVP_MD_free(md); } - return count; + return ret; } -#endif -#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static int EVP_Digest_MD4_loop(void *args) +static EVP_CIPHER *obtain_cipher(const char *name, int *fetched) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char md4[MD4_DIGEST_LENGTH]; - int count; + EVP_CIPHER *cipher = NULL; - for (count = 0; COND(c[D_MD4][testnum]); count++) { - if (!EVP_Digest(buf, (size_t)lengths[testnum], md4, NULL, EVP_md4(), - NULL)) - return -1; + *fetched = 0; + /* Look through providers' digests */ + ERR_set_mark(); + cipher = EVP_CIPHER_fetch(NULL, name, NULL); + ERR_pop_to_mark(); + if (cipher != NULL) { + *fetched = 1; + return cipher; } - return count; + + return (EVP_CIPHER *)EVP_get_cipherbyname(name); } -#endif -#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static int MD5_loop(void *args) +static int have_cipher(const char *name) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char md5[MD5_DIGEST_LENGTH]; - int count; - for (count = 0; COND(c[D_MD5][testnum]); count++) - MD5(buf, lengths[testnum], md5); - return count; + int fetched = 0; + int ret = 0; + EVP_CIPHER *cipher = obtain_cipher(name, &fetched); + + if (cipher != NULL) { + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + + if (ctx != NULL + && EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 1) > 0) + ret = 1; + EVP_CIPHER_CTX_free(ctx); + if (fetched) + EVP_CIPHER_free(cipher); + } + return ret; } -# ifndef OPENSSL_NO_DEPRECATED_3_0 -static int HMAC_loop(void *args) +static int EVP_Digest_loop(const char *mdname, int algindex, void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; - HMAC_CTX *hctx = tempargs->hctx; - unsigned char hmac[MD5_DIGEST_LENGTH]; - int count; - - for (count = 0; COND(c[D_HMAC][testnum]); count++) { - HMAC_Init_ex(hctx, NULL, 0, NULL, NULL); - HMAC_Update(hctx, buf, lengths[testnum]); - HMAC_Final(hctx, hmac, NULL); + unsigned char digest[EVP_MAX_MD_SIZE]; + int count, fetched = 0; + EVP_MD *md = obtain_md(mdname, &fetched); + + if (md == NULL) + return -1; + for (count = 0; COND(c[algindex][testnum]); count++) { + if (!EVP_Digest(buf, (size_t)lengths[testnum], digest, NULL, md, + NULL)) { + count = -1; + break; + } } + if (fetched) + EVP_MD_free(md); return count; } -# endif -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 -static int SHA1_loop(void *args) +static int EVP_Digest_md_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char sha[SHA_DIGEST_LENGTH]; - int count; - for (count = 0; COND(c[D_SHA1][testnum]); count++) - SHA1(buf, lengths[testnum], sha); - return count; + return EVP_Digest_loop(evp_md_name, D_EVP, args); } -static int SHA256_loop(void *args) +static int EVP_Digest_MD2_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char sha256[SHA256_DIGEST_LENGTH]; - int count; - for (count = 0; COND(c[D_SHA256][testnum]); count++) - SHA256(buf, lengths[testnum], sha256); - return count; + return EVP_Digest_loop("md2", D_MD2, args); } -static int SHA512_loop(void *args) +static int EVP_Digest_MDC2_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char sha512[SHA512_DIGEST_LENGTH]; - int count; - for (count = 0; COND(c[D_SHA512][testnum]); count++) - SHA512(buf, lengths[testnum], sha512); - return count; + return EVP_Digest_loop("mdc2", D_MDC2, args); } -#endif -#if !defined(OPENSSL_NO_WHIRLPOOL) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static int WHIRLPOOL_loop(void *args) +static int EVP_Digest_MD4_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH]; - int count; - for (count = 0; COND(c[D_WHIRLPOOL][testnum]); count++) - WHIRLPOOL(buf, lengths[testnum], whirlpool); - return count; + return EVP_Digest_loop("md4", D_MD4, args); } -#endif -#if !defined(OPENSSL_NO_RMD160) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static int EVP_Digest_RMD160_loop(void *args) +static int MD5_loop(void *args) +{ + return EVP_Digest_loop("md5", D_MD5, args); +} + +static int EVP_MAC_loop(int algindex, void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; - unsigned char rmd160[RIPEMD160_DIGEST_LENGTH]; + EVP_MAC_CTX *mctx = tempargs->mctx; + unsigned char mac[EVP_MAX_MD_SIZE]; int count; - for (count = 0; COND(c[D_RMD160][testnum]); count++) { - if (!EVP_Digest(buf, (size_t)lengths[testnum], &(rmd160[0]), - NULL, EVP_ripemd160(), NULL)) + + for (count = 0; COND(c[algindex][testnum]); count++) { + size_t outl; + + if (!EVP_MAC_init(mctx) + || !EVP_MAC_update(mctx, buf, lengths[testnum]) + || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac))) return -1; } return count; } -#endif -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static RC4_KEY rc4_ks; -static int RC4_loop(void *args) +static int HMAC_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - int count; - for (count = 0; COND(c[D_RC4][testnum]); count++) - RC4(&rc4_ks, (size_t)lengths[testnum], buf, buf); - return count; + return EVP_MAC_loop(D_HMAC, args); } -#endif -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static unsigned char DES_iv[8]; -static DES_key_schedule sch[3]; -static int DES_ncbc_encrypt_loop(void *args) +static int CMAC_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - int count; - for (count = 0; COND(c[D_CBC_DES][testnum]); count++) - DES_ncbc_encrypt(buf, buf, lengths[testnum], &sch[0], - &DES_iv, DES_ENCRYPT); - return count; + return EVP_MAC_loop(D_EVP_CMAC, args); } -static int DES_ede3_cbc_encrypt_loop(void *args) +static int SHA1_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - int count; - for (count = 0; COND(c[D_EDE3_DES][testnum]); count++) - DES_ede3_cbc_encrypt(buf, buf, lengths[testnum], - &sch[0], &sch[1], &sch[2], &DES_iv, DES_ENCRYPT); - return count; + return EVP_Digest_loop("sha1", D_SHA1, args); } -#endif - -#define MAX_BLOCK_SIZE 128 - -static unsigned char iv[2 * MAX_BLOCK_SIZE / 8]; -#ifndef OPENSSL_NO_DEPRECATED_3_0 -static AES_KEY aes_ks1, aes_ks2, aes_ks3; -static int AES_cbc_128_encrypt_loop(void *args) +static int SHA256_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - int count; - for (count = 0; COND(c[D_CBC_128_AES][testnum]); count++) - AES_cbc_encrypt(buf, buf, - (size_t)lengths[testnum], &aes_ks1, iv, AES_ENCRYPT); - return count; + return EVP_Digest_loop("sha256", D_SHA256, args); } -static int AES_cbc_192_encrypt_loop(void *args) +static int SHA512_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - int count; - for (count = 0; COND(c[D_CBC_192_AES][testnum]); count++) - AES_cbc_encrypt(buf, buf, - (size_t)lengths[testnum], &aes_ks2, iv, AES_ENCRYPT); - return count; + return EVP_Digest_loop("sha512", D_SHA512, args); } -static int AES_cbc_256_encrypt_loop(void *args) +static int WHIRLPOOL_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - int count; - for (count = 0; COND(c[D_CBC_256_AES][testnum]); count++) - AES_cbc_encrypt(buf, buf, - (size_t)lengths[testnum], &aes_ks3, iv, AES_ENCRYPT); - return count; + return EVP_Digest_loop("whirlpool", D_WHIRLPOOL, args); } -static int AES_ige_128_encrypt_loop(void *args) +static int EVP_Digest_RMD160_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char *buf2 = tempargs->buf2; - int count; - for (count = 0; COND(c[D_IGE_128_AES][testnum]); count++) - AES_ige_encrypt(buf, buf2, - (size_t)lengths[testnum], &aes_ks1, iv, AES_ENCRYPT); - return count; + return EVP_Digest_loop("ripemd160", D_RMD160, args); } -static int AES_ige_192_encrypt_loop(void *args) +static int algindex; + +static int EVP_Cipher_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; - unsigned char *buf2 = tempargs->buf2; int count; - for (count = 0; COND(c[D_IGE_192_AES][testnum]); count++) - AES_ige_encrypt(buf, buf2, - (size_t)lengths[testnum], &aes_ks2, iv, AES_ENCRYPT); + + if (tempargs->ctx == NULL) + return -1; + for (count = 0; COND(c[algindex][testnum]); count++) + if (EVP_Cipher(tempargs->ctx, buf, buf, (size_t)lengths[testnum]) <= 0) + return -1; return count; } -static int AES_ige_256_encrypt_loop(void *args) +static int GHASH_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; - unsigned char *buf2 = tempargs->buf2; + EVP_MAC_CTX *mctx = tempargs->mctx; int count; - for (count = 0; COND(c[D_IGE_256_AES][testnum]); count++) - AES_ige_encrypt(buf, buf2, - (size_t)lengths[testnum], &aes_ks3, iv, AES_ENCRYPT); + + /* just do the update in the loop to be comparable with 1.1.1 */ + for (count = 0; COND(c[D_GHASH][testnum]); count++) { + if (!EVP_MAC_update(mctx, buf, lengths[testnum])) + return -1; + } return count; } -static int CRYPTO_gcm128_aad_loop(void *args) +#define MAX_BLOCK_SIZE 128 + +static unsigned char iv[2 * MAX_BLOCK_SIZE / 8]; + +static EVP_CIPHER_CTX *init_evp_cipher_ctx(const char *ciphername, + const unsigned char *key, + int keylen) { - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - GCM128_CONTEXT *gcm_ctx = tempargs->gcm_ctx; - int count; - for (count = 0; COND(c[D_GHASH][testnum]); count++) - CRYPTO_gcm128_aad(gcm_ctx, buf, lengths[testnum]); - return count; + EVP_CIPHER_CTX *ctx = NULL; + int fetched = 0; + EVP_CIPHER *cipher = obtain_cipher(ciphername, &fetched); + + if (cipher == NULL) + return NULL; + + if ((ctx = EVP_CIPHER_CTX_new()) == NULL) + goto end; + + if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 1)) { + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + goto end; + } + + EVP_CIPHER_CTX_set_key_length(ctx, keylen); + + if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1)) { + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + goto end; + } + +end: + if (fetched) + EVP_CIPHER_free(cipher); + return ctx; } -#endif static int RAND_bytes_loop(void *args) { @@ -1005,100 +856,40 @@ static int EVP_Update_loop_aead(void *args) return count; } -static EVP_MD *evp_md = NULL; -static int fetched_alg = 0; +static long rsa_c[RSA_NUM][2]; /* # RSA iteration test */ -static int EVP_Digest_loop(void *args) +static int RSA_sign_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; - unsigned char md[EVP_MAX_MD_SIZE]; - int count; + unsigned char *buf2 = tempargs->buf2; + size_t *rsa_num = &tempargs->sigsize; + EVP_PKEY_CTX **rsa_sign_ctx = tempargs->rsa_sign_ctx; + int ret, count; - for (count = 0; COND(c[D_EVP][testnum]); count++) { - if (!EVP_Digest(buf, lengths[testnum], md, NULL, evp_md, NULL)) - return -1; + for (count = 0; COND(rsa_c[testnum][0]); count++) { + ret = EVP_PKEY_sign(rsa_sign_ctx[testnum], buf2, rsa_num, buf, 36); + if (ret <= 0) { + BIO_printf(bio_err, "RSA sign failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } } return count; } -#ifndef OPENSSL_NO_DEPRECATED_3_0 -static const EVP_MD *evp_hmac_md = NULL; -static char *evp_hmac_name = NULL; -static int EVP_HMAC_loop(void *args) -{ - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char no_key[32]; - int count; - - for (count = 0; COND(c[D_EVP_HMAC][testnum]); count++) { - if (HMAC(evp_hmac_md, no_key, sizeof(no_key), buf, lengths[testnum], - NULL, NULL) == NULL) - return -1; - } - return count; -} -#endif - -#if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static const EVP_CIPHER *evp_cmac_cipher = NULL; -static char *evp_cmac_name = NULL; - -static int EVP_CMAC_loop(void *args) -{ - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - CMAC_CTX *cmac_ctx = tempargs->cmac_ctx; - static const char key[16] = "This is a key..."; - unsigned char mac[16]; - size_t len = sizeof(mac); - int count; - - for (count = 0; COND(c[D_EVP_CMAC][testnum]); count++) { - if (!CMAC_Init(cmac_ctx, key, sizeof(key), evp_cmac_cipher, NULL) - || !CMAC_Update(cmac_ctx, buf, lengths[testnum]) - || !CMAC_Final(cmac_ctx, mac, &len)) - return -1; - } - return count; -} -#endif - -#ifndef OPENSSL_NO_DEPRECATED_3_0 -static long rsa_c[RSA_NUM][2]; /* # RSA iteration test */ - -static int RSA_sign_loop(void *args) +static int RSA_verify_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; unsigned char *buf2 = tempargs->buf2; - unsigned int *rsa_num = &tempargs->siglen; - RSA **rsa_key = tempargs->rsa_key; + size_t rsa_num = tempargs->sigsize; + EVP_PKEY_CTX **rsa_verify_ctx = tempargs->rsa_verify_ctx; int ret, count; - for (count = 0; COND(rsa_c[testnum][0]); count++) { - ret = RSA_sign(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[testnum]); - if (ret == 0) { - BIO_printf(bio_err, "RSA sign failure\n"); - ERR_print_errors(bio_err); - count = -1; - break; - } - } - return count; -} -static int RSA_verify_loop(void *args) -{ - loopargs_t *tempargs = *(loopargs_t **) args; - unsigned char *buf = tempargs->buf; - unsigned char *buf2 = tempargs->buf2; - unsigned int rsa_num = tempargs->siglen; - RSA **rsa_key = tempargs->rsa_key; - int ret, count; for (count = 0; COND(rsa_c[testnum][1]); count++) { - ret = - RSA_verify(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[testnum]); + ret = EVP_PKEY_verify(rsa_verify_ctx[testnum], buf2, rsa_num, buf, 36); if (ret <= 0) { BIO_printf(bio_err, "RSA verify failure\n"); ERR_print_errors(bio_err); @@ -1108,39 +899,37 @@ static int RSA_verify_loop(void *args) } return count; } -#endif #ifndef OPENSSL_NO_DH static long ffdh_c[FFDH_NUM][1]; static int FFDH_derive_key_loop(void *args) { - loopargs_t *tempargs = *(loopargs_t **) args; - EVP_PKEY_CTX *ffdh_ctx = tempargs->ffdh_ctx[testnum]; - unsigned char *derived_secret = tempargs->secret_ff_a; - size_t outlen = MAX_FFDH_SIZE; - int count; - - for (count = 0; COND(ffdh_c[testnum][0]); count++) - EVP_PKEY_derive(ffdh_ctx, derived_secret, &outlen); + loopargs_t *tempargs = *(loopargs_t **) args; + EVP_PKEY_CTX *ffdh_ctx = tempargs->ffdh_ctx[testnum]; + unsigned char *derived_secret = tempargs->secret_ff_a; + size_t outlen = MAX_FFDH_SIZE; + int count; - return count; + for (count = 0; COND(ffdh_c[testnum][0]); count++) + EVP_PKEY_derive(ffdh_ctx, derived_secret, &outlen); + return count; } #endif /* OPENSSL_NO_DH */ -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) static long dsa_c[DSA_NUM][2]; static int DSA_sign_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; unsigned char *buf2 = tempargs->buf2; - DSA **dsa_key = tempargs->dsa_key; - unsigned int *siglen = &tempargs->siglen; + size_t *dsa_num = &tempargs->sigsize; + EVP_PKEY_CTX **dsa_sign_ctx = tempargs->dsa_sign_ctx; int ret, count; + for (count = 0; COND(dsa_c[testnum][0]); count++) { - ret = DSA_sign(0, buf, 20, buf2, siglen, dsa_key[testnum]); - if (ret == 0) { + ret = EVP_PKEY_sign(dsa_sign_ctx[testnum], buf2, dsa_num, buf, 20); + if (ret <= 0) { BIO_printf(bio_err, "DSA sign failure\n"); ERR_print_errors(bio_err); count = -1; @@ -1155,11 +944,12 @@ static int DSA_verify_loop(void *args) loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; unsigned char *buf2 = tempargs->buf2; - DSA **dsa_key = tempargs->dsa_key; - unsigned int siglen = tempargs->siglen; + size_t dsa_num = tempargs->sigsize; + EVP_PKEY_CTX **dsa_verify_ctx = tempargs->dsa_verify_ctx; int ret, count; + for (count = 0; COND(dsa_c[testnum][1]); count++) { - ret = DSA_verify(0, buf, 20, buf2, siglen, dsa_key[testnum]); + ret = EVP_PKEY_verify(dsa_verify_ctx[testnum], buf2, dsa_num, buf, 20); if (ret <= 0) { BIO_printf(bio_err, "DSA verify failure\n"); ERR_print_errors(bio_err); @@ -1169,22 +959,20 @@ static int DSA_verify_loop(void *args) } return count; } -#endif -#ifndef OPENSSL_NO_EC -# ifndef OPENSSL_NO_DEPRECATED_3_0 static long ecdsa_c[ECDSA_NUM][2]; static int ECDSA_sign_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; - EC_KEY **ecdsa = tempargs->ecdsa; - unsigned char *ecdsasig = tempargs->buf2; - unsigned int *ecdsasiglen = &tempargs->siglen; + unsigned char *buf2 = tempargs->buf2; + size_t *ecdsa_num = &tempargs->sigsize; + EVP_PKEY_CTX **ecdsa_sign_ctx = tempargs->ecdsa_sign_ctx; int ret, count; + for (count = 0; COND(ecdsa_c[testnum][0]); count++) { - ret = ECDSA_sign(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[testnum]); - if (ret == 0) { + ret = EVP_PKEY_sign(ecdsa_sign_ctx[testnum], buf2, ecdsa_num, buf, 20); + if (ret <= 0) { BIO_printf(bio_err, "ECDSA sign failure\n"); ERR_print_errors(bio_err); count = -1; @@ -1198,13 +986,15 @@ static int ECDSA_verify_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; unsigned char *buf = tempargs->buf; - EC_KEY **ecdsa = tempargs->ecdsa; - unsigned char *ecdsasig = tempargs->buf2; - unsigned int ecdsasiglen = tempargs->siglen; + unsigned char *buf2 = tempargs->buf2; + size_t ecdsa_num = tempargs->sigsize; + EVP_PKEY_CTX **ecdsa_verify_ctx = tempargs->ecdsa_verify_ctx; int ret, count; + for (count = 0; COND(ecdsa_c[testnum][1]); count++) { - ret = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[testnum]); - if (ret != 1) { + ret = EVP_PKEY_verify(ecdsa_verify_ctx[testnum], buf2, ecdsa_num, + buf, 20); + if (ret <= 0) { BIO_printf(bio_err, "ECDSA verify failure\n"); ERR_print_errors(bio_err); count = -1; @@ -1213,7 +1003,6 @@ static int ECDSA_verify_loop(void *args) } return count; } -# endif /* ******************************************************************** */ static long ecdh_c[EC_NUM][1]; @@ -1275,7 +1064,7 @@ static int EdDSA_verify_loop(void *args) return count; } -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 static long sm2_c[SM2_NUM][2]; static int SM2_sign_loop(void *args) { @@ -1342,8 +1131,7 @@ static int SM2_verify_loop(void *args) } return count; } -# endif /* OPENSSL_NO_SM2 */ -#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_SM2 */ static int run_benchmark(int async_jobs, int (*loop_function) (void *), loopargs_t * loopargs) @@ -1496,36 +1284,84 @@ static int run_benchmark(int async_jobs, return error ? -1 : total_op_count; } -static EVP_MD *obtain_md(const char *name) +typedef struct ec_curve_st { + const char *name; + unsigned int nid; + unsigned int bits; + size_t sigsize; /* only used for EdDSA curves */ +} EC_CURVE; + +static EVP_PKEY *get_ecdsa(const EC_CURVE *curve) { - EVP_MD *md = NULL; + EVP_PKEY_CTX *kctx = NULL; + EVP_PKEY *key = NULL; - /* Look through providers' digests */ - ERR_set_mark(); - md = EVP_MD_fetch(NULL, name, NULL); - ERR_pop_to_mark(); - if (md != NULL) { - fetched_alg = 1; - return md; + /* Ensure that the error queue is empty */ + if (ERR_peek_error()) { + BIO_printf(bio_err, + "WARNING: the error queue contains previous unhandled errors.\n"); + ERR_print_errors(bio_err); } - return (EVP_MD *)EVP_get_digestbyname(name); -} + /* + * Let's try to create a ctx directly from the NID: this works for + * curves like Curve25519 that are not implemented through the low + * level EC interface. + * If this fails we try creating a EVP_PKEY_EC generic param ctx, + * then we set the curve by NID before deriving the actual keygen + * ctx for that specific curve. + */ + kctx = EVP_PKEY_CTX_new_id(curve->nid, NULL); + if (kctx == NULL) { + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *params = NULL; + /* + * If we reach this code EVP_PKEY_CTX_new_id() failed and a + * "int_ctx_new:unsupported algorithm" error was added to the + * error queue. + * We remove it from the error queue as we are handling it. + */ + unsigned long error = ERR_peek_error(); + + if (error == ERR_peek_last_error() /* oldest and latest errors match */ + /* check that the error origin matches */ + && ERR_GET_LIB(error) == ERR_LIB_EVP + && (ERR_GET_REASON(error) == EVP_R_UNSUPPORTED_ALGORITHM + || ERR_GET_REASON(error) == ERR_R_UNSUPPORTED)) + ERR_get_error(); /* pop error from queue */ + if (ERR_peek_error()) { + BIO_printf(bio_err, + "Unhandled error in the error queue during EC key setup.\n"); + ERR_print_errors(bio_err); + return NULL; + } -static EVP_CIPHER *obtain_cipher(const char *name) -{ - EVP_CIPHER *cipher = NULL; + /* Create the context for parameter generation */ + if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL + || EVP_PKEY_paramgen_init(pctx) <= 0 + || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, + curve->nid) <= 0 + || EVP_PKEY_paramgen(pctx, ¶ms) <= 0) { + BIO_printf(bio_err, "EC params init failure.\n"); + ERR_print_errors(bio_err); + EVP_PKEY_CTX_free(pctx); + return NULL; + } + EVP_PKEY_CTX_free(pctx); - /* Look through providers' ciphers */ - ERR_set_mark(); - cipher = EVP_CIPHER_fetch(NULL, name, NULL); - ERR_pop_to_mark(); - if (cipher != NULL) { - fetched_alg = 1; - return cipher; + /* Create the context for the key generation */ + kctx = EVP_PKEY_CTX_new(params, NULL); + EVP_PKEY_free(params); } - - return (EVP_CIPHER *)EVP_get_cipherbyname(name); + if (kctx == NULL + || EVP_PKEY_keygen_init(kctx) <= 0 + || EVP_PKEY_keygen(kctx, &key) <= 0) { + BIO_printf(bio_err, "EC key generation failure.\n"); + ERR_print_errors(bio_err); + key = NULL; + } + EVP_PKEY_CTX_free(kctx); + return key; } #define stop_it(do_it, test_num)\ @@ -1548,60 +1384,29 @@ int speed_main(int argc, char **argv) unsigned int i, k, loopargs_len = 0, async_jobs = 0; int keylen; int buflen; + int fetched_cipher = 0; + BIGNUM *bn = NULL; + EVP_PKEY_CTX *genctx = NULL; #ifndef NO_FORK int multi = 0; #endif -#if !defined(OPENSSL_NO_DEPRECATED_3_0) \ - || !defined(OPENSSL_NO_DSA) \ - || !defined(OPENSSL_NO_DH) \ - || !defined(OPENSSL_NO_EC) - long op_count = 1; -#endif + long op_count = 1; openssl_speed_sec_t seconds = { SECONDS, RSA_SECONDS, DSA_SECONDS, ECDSA_SECONDS, ECDH_SECONDS, EdDSA_SECONDS, SM2_SECONDS, FFDH_SECONDS }; - /* What follows are the buffers and key material. */ -#if !defined(OPENSSL_NO_RC5) && !defined(OPENSSL_NO_DEPRECATED_3_0) - RC5_32_KEY rc5_ks; -#endif -#if !defined(OPENSSL_NO_RC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) - RC2_KEY rc2_ks; -#endif -#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - IDEA_KEY_SCHEDULE idea_ks; -#endif -#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) - SEED_KEY_SCHEDULE seed_ks; -#endif -#if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0) - BF_KEY bf_ks; -#endif -#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0) - CAST_KEY cast_ks; -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 - static const unsigned char key16[16] = { - 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, - 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 - }; - static const unsigned char key24[24] = { - 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, - 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, - 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 - }; static const unsigned char key32[32] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56 }; -#endif -#if !defined(OPENSSL_NO_CAMELLIA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - CAMELLIA_KEY camellia_ks[3]; -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 + static const unsigned char deskey[] = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, /* key1 */ + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, /* key2 */ + 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 /* key3 */ + }; static const struct { const unsigned char *data; unsigned int length; @@ -1611,13 +1416,12 @@ int speed_main(int argc, char **argv) { test1024, sizeof(test1024), 1024 }, { test2048, sizeof(test2048), 2048 }, { test3072, sizeof(test3072), 3072 }, - { test4096, sizeof(test4096), 4092 }, + { test4096, sizeof(test4096), 4096 }, { test7680, sizeof(test7680), 7680 }, { test15360, sizeof(test15360), 15360 } }; uint8_t rsa_doit[RSA_NUM] = { 0 }; int primes = RSA_DEFAULT_PRIME_NUM; -#endif #ifndef OPENSSL_NO_DH typedef struct ffdh_params_st { const char *name; @@ -1635,17 +1439,8 @@ int speed_main(int argc, char **argv) uint8_t ffdh_doit[FFDH_NUM] = { 0 }; #endif /* OPENSSL_NO_DH */ -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) static const unsigned int dsa_bits[DSA_NUM] = { 512, 1024, 2048 }; uint8_t dsa_doit[DSA_NUM] = { 0 }; -#endif -#ifndef OPENSSL_NO_EC - typedef struct ec_curve_st { - const char *name; - unsigned int nid; - unsigned int bits; - size_t sigsize; /* only used for EdDSA curves */ - } EC_CURVE; /* * We only test over the following curves as they are representative, To * add tests over more curves, simply add the curve NID and curve name to @@ -1660,7 +1455,7 @@ int speed_main(int argc, char **argv) {"nistp256", NID_X9_62_prime256v1, 256}, {"nistp384", NID_secp384r1, 384}, {"nistp521", NID_secp521r1, 521}, -# ifndef OPENSSL_NO_EC2M +#ifndef OPENSSL_NO_EC2M /* Binary Curves */ {"nistk163", NID_sect163k1, 163}, {"nistk233", NID_sect233k1, 233}, @@ -1672,7 +1467,7 @@ int speed_main(int argc, char **argv) {"nistb283", NID_sect283r1, 283}, {"nistb409", NID_sect409r1, 409}, {"nistb571", NID_sect571r1, 571}, -# endif +#endif {"brainpoolP256r1", NID_brainpoolP256r1, 256}, {"brainpoolP256t1", NID_brainpoolP256t1, 256}, {"brainpoolP384r1", NID_brainpoolP384r1, 384}, @@ -1688,13 +1483,13 @@ int speed_main(int argc, char **argv) {"Ed25519", NID_ED25519, 253, 64}, {"Ed448", NID_ED448, 456, 114} }; -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 static const EC_CURVE sm2_curves[SM2_NUM] = { /* SM2 */ {"CurveSM2", NID_sm2, 256} }; uint8_t sm2_doit[SM2_NUM] = { 0 }; -# endif +#endif uint8_t ecdsa_doit[ECDSA_NUM] = { 0 }; uint8_t ecdh_doit[EC_NUM] = { 0 }; uint8_t eddsa_doit[EdDSA_NUM] = { 0 }; @@ -1709,11 +1504,10 @@ int speed_main(int argc, char **argv) OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2); OPENSSL_assert(strcmp(sm2_choices[SM2_NUM - 1].name, "curveSM2") == 0); -# endif -#endif /* ndef OPENSSL_NO_EC */ +#endif prog = opt_init(argc, argv, speed_options); while ((o = opt_next()) != OPT_EOF) { @@ -1735,11 +1529,12 @@ int speed_main(int argc, char **argv) BIO_printf(bio_err, "%s: -evp option cannot be used more than once\n", prog); goto opterr; } - evp_md = NULL; - evp_cipher = obtain_cipher(opt_arg()); - if (evp_cipher == NULL) - evp_md = obtain_md(opt_arg()); - if (evp_cipher == NULL && evp_md == NULL) { + evp_cipher = obtain_cipher(opt_arg(), &fetched_cipher); + if (evp_cipher == NULL) { + if (have_md(opt_arg())) + evp_md_name = opt_arg(); + } + if (evp_cipher == NULL && evp_md_name == NULL) { BIO_printf(bio_err, "%s: %s is an unknown cipher or digest\n", prog, opt_arg()); @@ -1748,26 +1543,22 @@ int speed_main(int argc, char **argv) doit[D_EVP] = 1; break; case OPT_HMAC: -#ifndef OPENSSL_NO_DEPRECATED_3_0 - evp_hmac_md = EVP_get_digestbyname(opt_arg()); - if (evp_hmac_md == NULL) { + if (!have_md(opt_arg())) { BIO_printf(bio_err, "%s: %s is an unknown digest\n", prog, opt_arg()); goto end; } - doit[D_EVP_HMAC] = 1; + evp_mac_mdname = opt_arg(); + doit[D_HMAC] = 1; break; -#endif case OPT_CMAC: -#if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) - evp_cmac_cipher = EVP_get_cipherbyname(opt_arg()); - if (evp_cmac_cipher == NULL) { + if (!have_cipher(opt_arg())) { BIO_printf(bio_err, "%s: %s is an unknown cipher\n", prog, opt_arg()); goto end; } + evp_mac_ciphername = opt_arg(); doit[D_EVP_CMAC] = 1; -#endif break; case OPT_DECRYPT: decrypt = 1; @@ -1830,10 +1621,8 @@ int speed_main(int argc, char **argv) goto end; break; case OPT_PRIMES: -#ifndef OPENSSL_NO_DEPRECATED_3_0 if (!opt_int(opt_arg(), &primes)) goto end; -#endif break; case OPT_SECONDS: seconds.sym = seconds.rsa = seconds.dsa = seconds.ecdsa @@ -1863,12 +1652,10 @@ int speed_main(int argc, char **argv) doit[i] = 1; continue; } -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (strcmp(algo, "des") == 0) { doit[D_CBC_DES] = doit[D_EDE3_DES] = 1; continue; } -#endif if (strcmp(algo, "sha") == 0) { doit[D_SHA1] = doit[D_SHA256] = doit[D_SHA512] = 1; continue; @@ -1876,6 +1663,7 @@ int speed_main(int argc, char **argv) #ifndef OPENSSL_NO_DEPRECATED_3_0 if (strcmp(algo, "openssl") == 0) /* just for compatibility */ continue; +#endif if (strncmp(algo, "rsa", 3) == 0) { if (algo[3] == '\0') { memset(rsa_doit, 1, sizeof(rsa_doit)); @@ -1886,7 +1674,6 @@ int speed_main(int argc, char **argv) continue; } } -#endif #ifndef OPENSSL_NO_DH if (strncmp(algo, "ffdh", 4) == 0) { if (algo[4] == '\0') { @@ -1899,7 +1686,6 @@ int speed_main(int argc, char **argv) } } #endif -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (strncmp(algo, "dsa", 3) == 0) { if (algo[3] == '\0') { memset(dsa_doit, 1, sizeof(dsa_doit)); @@ -1910,20 +1696,14 @@ int speed_main(int argc, char **argv) continue; } } -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 if (strcmp(algo, "aes") == 0) { doit[D_CBC_128_AES] = doit[D_CBC_192_AES] = doit[D_CBC_256_AES] = 1; continue; } -#endif -#if !defined(OPENSSL_NO_CAMELLIA) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (strcmp(algo, "camellia") == 0) { doit[D_CBC_128_CML] = doit[D_CBC_192_CML] = doit[D_CBC_256_CML] = 1; continue; } -#endif -#ifndef OPENSSL_NO_EC if (strncmp(algo, "ecdsa", 5) == 0) { if (algo[5] == '\0') { memset(ecdsa_doit, 1, sizeof(ecdsa_doit)); @@ -1952,7 +1732,7 @@ int speed_main(int argc, char **argv) eddsa_doit[i] = 2; continue; } -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 if (strcmp(algo, "sm2") == 0) { memset(sm2_doit, 1, sizeof(sm2_doit)); continue; @@ -1961,8 +1741,7 @@ int speed_main(int argc, char **argv) sm2_doit[i] = 2; continue; } -# endif -#endif /* OPENSSL_NO_EC */ +#endif BIO_printf(bio_err, "%s: Unknown algorithm %s\n", prog, algo); goto end; } @@ -1981,8 +1760,8 @@ int speed_main(int argc, char **argv) } if (multiblock) { if (evp_cipher == NULL) { - BIO_printf(bio_err,"-mb can be used only with a multi-block" - " capable cipher\n"); + BIO_printf(bio_err, "-mb can be used only with a multi-block" + " capable cipher\n"); goto end; } else if (!(EVP_CIPHER_flags(evp_cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) { @@ -2030,10 +1809,8 @@ int speed_main(int argc, char **argv) /* Align the start of buffers on a 64 byte boundary */ loopargs[i].buf = loopargs[i].buf_malloc + misalign; loopargs[i].buf2 = loopargs[i].buf2_malloc + misalign; -#ifndef OPENSSL_NO_EC loopargs[i].secret_a = app_malloc(MAX_ECDH_SIZE, "ECDH secret a"); loopargs[i].secret_b = app_malloc(MAX_ECDH_SIZE, "ECDH secret b"); -#endif #ifndef OPENSSL_NO_DH loopargs[i].secret_ff_a = app_malloc(MAX_FFDH_SIZE, "FFDH secret a"); loopargs[i].secret_ff_b = app_malloc(MAX_FFDH_SIZE, "FFDH secret b"); @@ -2049,34 +1826,39 @@ int speed_main(int argc, char **argv) e = setup_engine(engine_id, 0); /* No parameters; turn on everything. */ - if (argc == 0 && !doit[D_EVP] && !doit[D_EVP_HMAC] && !doit[D_EVP_CMAC]) { + if (argc == 0 && !doit[D_EVP] && !doit[D_HMAC] && !doit[D_EVP_CMAC]) { + EVP_MAC *mac; + memset(doit, 1, sizeof(doit)); - doit[D_EVP] = doit[D_EVP_HMAC] = doit[D_EVP_CMAC] = 0; -#if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) - doit[D_MDC2] = 0; -#endif -#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DEPRECATED_3_0) - doit[D_MD4] = 0; -#endif -#if !defined(OPENSSL_NO_RMD160) && !defined(OPENSSL_NO_DEPRECATED_3_0) - doit[D_RMD160] = 0; -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 + doit[D_EVP] = doit[D_EVP_CMAC] = 0; + ERR_set_mark(); + for (i = D_MD2; i <= D_WHIRLPOOL; i++) { + if (!have_md(names[i])) + doit[i] = 0; + } + for (i = D_CBC_DES; i <= D_CBC_256_CML; i++) { + if (!have_cipher(names[i])) + doit[i] = 0; + } + if ((mac = EVP_MAC_fetch(NULL, "GMAC", NULL)) != NULL) + EVP_MAC_free(mac); + else + doit[D_GHASH] = 0; + if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) != NULL) + EVP_MAC_free(mac); + else + doit[D_HMAC] = 0; + ERR_pop_to_mark(); memset(rsa_doit, 1, sizeof(rsa_doit)); -#endif #ifndef OPENSSL_NO_DH memset(ffdh_doit, 1, sizeof(ffdh_doit)); #endif -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) memset(dsa_doit, 1, sizeof(dsa_doit)); -#endif -#ifndef OPENSSL_NO_EC memset(ecdsa_doit, 1, sizeof(ecdsa_doit)); memset(ecdh_doit, 1, sizeof(ecdh_doit)); memset(eddsa_doit, 1, sizeof(eddsa_doit)); -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 memset(sm2_doit, 1, sizeof(sm2_doit)); -# endif #endif } for (i = 0; i < ALGOR_NUM; i++) @@ -2088,348 +1870,10 @@ int speed_main(int argc, char **argv) "You have chosen to measure elapsed time " "instead of user CPU time.\n"); -#ifndef OPENSSL_NO_DEPRECATED_3_0 - for (i = 0; i < loopargs_len; i++) { - if (primes > RSA_DEFAULT_PRIME_NUM) { - /* for multi-prime RSA, skip this */ - break; - } - for (k = 0; k < RSA_NUM; k++) { - const unsigned char *p = rsa_keys[k].data; - - loopargs[i].rsa_key[k] = - d2i_RSAPrivateKey(NULL, &p, rsa_keys[k].length); - if (loopargs[i].rsa_key[k] == NULL) { - BIO_printf(bio_err, - "internal error loading RSA key number %d\n", k); - goto end; - } - } - } -#endif -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - for (i = 0; i < loopargs_len; i++) { - loopargs[i].dsa_key[0] = get_dsa(512); - loopargs[i].dsa_key[1] = get_dsa(1024); - loopargs[i].dsa_key[2] = get_dsa(2048); - } -#endif -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_DES] || doit[D_EDE3_DES]) { - static DES_cblock keys[] = { - { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 }, /* keys[0] */ - { 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 }, /* keys[1] */ - { 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 } /* keys[3] */ - }; - DES_set_key_unchecked(&keys[0], &sch[0]); - DES_set_key_unchecked(&keys[1], &sch[1]); - DES_set_key_unchecked(&keys[2], &sch[2]); - } -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 - AES_set_encrypt_key(key16, 128, &aes_ks1); - AES_set_encrypt_key(key24, 192, &aes_ks2); - AES_set_encrypt_key(key32, 256, &aes_ks3); -#endif -#if !defined(OPENSSL_NO_CAMELLIA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { - Camellia_set_key(key16, 128, &camellia_ks[0]); - Camellia_set_key(key24, 192, &camellia_ks[1]); - Camellia_set_key(key32, 256, &camellia_ks[2]); - } -#endif -#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_IDEA]) - IDEA_set_encrypt_key(key16, &idea_ks); -#endif -#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_SEED]) - SEED_set_key(key16, &seed_ks); -#endif -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_RC4]) - RC4_set_key(&rc4_ks, 16, key16); -#endif -#if !defined(OPENSSL_NO_RC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_RC2]) - RC2_set_key(&rc2_ks, 16, key16, 128); -#endif -#if !defined(OPENSSL_NO_RC5) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_RC5]) - if (!RC5_32_set_key(&rc5_ks, 16, key16, 12)) { - BIO_printf(bio_err, "Failed setting RC5 key\n"); - goto end; - } -#endif -#if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_BF]) - BF_set_key(&bf_ks, 16, key16); -#endif -#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_CAST]) - CAST_set_key(&cast_ks, 16, key16); -#endif -#ifndef SIGALRM -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - BIO_printf(bio_err, "First we calculate the approximate speed ...\n"); - count = 10; - do { - long it; - count *= 2; - Time_F(START); - for (it = count; it; it--) - DES_ecb_encrypt((DES_cblock *)loopargs[0].buf, - (DES_cblock *)loopargs[0].buf, &sch, DES_ENCRYPT); - d = Time_F(STOP); - } while (d < 3); - c[D_MD2][0] = count / 10; - c[D_MDC2][0] = count / 10; - c[D_MD4][0] = count; - c[D_MD5][0] = count; - c[D_HMAC][0] = count; - c[D_SHA1][0] = count; - c[D_RMD160][0] = count; - c[D_RC4][0] = count * 5; - c[D_CBC_DES][0] = count; - c[D_EDE3_DES][0] = count / 3; - c[D_CBC_IDEA][0] = count; - c[D_CBC_SEED][0] = count; - c[D_CBC_RC2][0] = count; - c[D_CBC_RC5][0] = count; - c[D_CBC_BF][0] = count; - c[D_CBC_CAST][0] = count; - c[D_CBC_128_AES][0] = count; - c[D_CBC_192_AES][0] = count; - c[D_CBC_256_AES][0] = count; - c[D_CBC_128_CML][0] = count; - c[D_CBC_192_CML][0] = count; - c[D_CBC_256_CML][0] = count; - c[D_EVP][0] = count; - c[D_SHA256][0] = count; - c[D_SHA512][0] = count; - c[D_WHIRLPOOL][0] = count; - c[D_IGE_128_AES][0] = count; - c[D_IGE_192_AES][0] = count; - c[D_IGE_256_AES][0] = count; - c[D_GHASH][0] = count; - c[D_RAND][0] = count; - c[D_EVP_HMAC][0] = count; - c[D_EVP_CMAC][0] = count; - - for (i = 1; i < size_num; i++) { - long l0 = (long)lengths[0]; - long l1 = (long)lengths[i]; - - c[D_MD2][i] = c[D_MD2][0] * 4 * l0 / l1; - c[D_MDC2][i] = c[D_MDC2][0] * 4 * l0 / l1; - c[D_MD4][i] = c[D_MD4][0] * 4 * l0 / l1; - c[D_MD5][i] = c[D_MD5][0] * 4 * l0 / l1; - c[D_HMAC][i] = c[D_HMAC][0] * 4 * l0 / l1; - c[D_SHA1][i] = c[D_SHA1][0] * 4 * l0 / l1; - c[D_RMD160][i] = c[D_RMD160][0] * 4 * l0 / l1; - c[D_EVP][i] = = c[D_EVP][0] * 4 * l0 / l1; - c[D_SHA256][i] = c[D_SHA256][0] * 4 * l0 / l1; - c[D_SHA512][i] = c[D_SHA512][0] * 4 * l0 / l1; - c[D_WHIRLPOOL][i] = c[D_WHIRLPOOL][0] * 4 * l0 / l1; - c[D_GHASH][i] = c[D_GHASH][0] * 4 * l0 / l1; - c[D_RAND][i] = c[D_RAND][0] * 4 * l0 / l1; - c[D_EVP_HMAC][i] = = c[D_EVP_HMAC][0] * 4 * l0 / l1; - c[D_EVP_CMAC][i] = = c[D_EVP_CMAC][0] * 4 * l0 / l1; - - l0 = (long)lengths[i - 1]; - - c[D_RC4][i] = c[D_RC4][i - 1] * l0 / l1; - c[D_CBC_DES][i] = c[D_CBC_DES][i - 1] * l0 / l1; - c[D_EDE3_DES][i] = c[D_EDE3_DES][i - 1] * l0 / l1; - c[D_CBC_IDEA][i] = c[D_CBC_IDEA][i - 1] * l0 / l1; - c[D_CBC_SEED][i] = c[D_CBC_SEED][i - 1] * l0 / l1; - c[D_CBC_RC2][i] = c[D_CBC_RC2][i - 1] * l0 / l1; - c[D_CBC_RC5][i] = c[D_CBC_RC5][i - 1] * l0 / l1; - c[D_CBC_BF][i] = c[D_CBC_BF][i - 1] * l0 / l1; - c[D_CBC_CAST][i] = c[D_CBC_CAST][i - 1] * l0 / l1; - c[D_CBC_128_AES][i] = c[D_CBC_128_AES][i - 1] * l0 / l1; - c[D_CBC_192_AES][i] = c[D_CBC_192_AES][i - 1] * l0 / l1; - c[D_CBC_256_AES][i] = c[D_CBC_256_AES][i - 1] * l0 / l1; - c[D_CBC_128_CML][i] = c[D_CBC_128_CML][i - 1] * l0 / l1; - c[D_CBC_192_CML][i] = c[D_CBC_192_CML][i - 1] * l0 / l1; - c[D_CBC_256_CML][i] = c[D_CBC_256_CML][i - 1] * l0 / l1; - c[D_IGE_128_AES][i] = c[D_IGE_128_AES][i - 1] * l0 / l1; - c[D_IGE_192_AES][i] = c[D_IGE_192_AES][i - 1] * l0 / l1; - c[D_IGE_256_AES][i] = c[D_IGE_256_AES][i - 1] * l0 / l1; - } - -# ifndef OPENSSL_NO_DEPRECATED_3_0 - rsa_c[R_RSA_512][0] = count / 2000; - rsa_c[R_RSA_512][1] = count / 400; - for (i = 1; i < RSA_NUM; i++) { - rsa_c[i][0] = rsa_c[i - 1][0] / 8; - rsa_c[i][1] = rsa_c[i - 1][1] / 4; - if (rsa_doit[i] <= 1 && rsa_c[i][0] == 0) - rsa_doit[i] = 0; - else { - if (rsa_c[i][0] == 0) { - rsa_c[i][0] = 1; /* Set minimum iteration Nb to 1. */ - rsa_c[i][1] = 20; - } - } - } -# endif - -# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - dsa_c[R_DSA_512][0] = count / 1000; - dsa_c[R_DSA_512][1] = count / 1000 / 2; - for (i = 1; i < DSA_NUM; i++) { - dsa_c[i][0] = dsa_c[i - 1][0] / 4; - dsa_c[i][1] = dsa_c[i - 1][1] / 4; - if (dsa_doit[i] <= 1 && dsa_c[i][0] == 0) - dsa_doit[i] = 0; - else { - if (dsa_c[i][0] == 0) { - dsa_c[i][0] = 1; /* Set minimum iteration Nb to 1. */ - dsa_c[i][1] = 1; - } - } - } -# endif - -# ifndef OPENSSL_NO_EC - ecdsa_c[R_EC_P160][0] = count / 1000; - ecdsa_c[R_EC_P160][1] = count / 1000 / 2; - for (i = R_EC_P192; i <= R_EC_P521; i++) { - ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; - ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; - if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) - ecdsa_doit[i] = 0; - else { - if (ecdsa_c[i][0] == 0) { - ecdsa_c[i][0] = 1; - ecdsa_c[i][1] = 1; - } - } - } -# ifndef OPENSSL_NO_EC2M - ecdsa_c[R_EC_K163][0] = count / 1000; - ecdsa_c[R_EC_K163][1] = count / 1000 / 2; - for (i = R_EC_K233; i <= R_EC_K571; i++) { - ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; - ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; - if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) - ecdsa_doit[i] = 0; - else { - if (ecdsa_c[i][0] == 0) { - ecdsa_c[i][0] = 1; - ecdsa_c[i][1] = 1; - } - } - } - ecdsa_c[R_EC_B163][0] = count / 1000; - ecdsa_c[R_EC_B163][1] = count / 1000 / 2; - for (i = R_EC_B233; i <= R_EC_B571; i++) { - ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; - ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; - if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) - ecdsa_doit[i] = 0; - else { - if (ecdsa_c[i][0] == 0) { - ecdsa_c[i][0] = 1; - ecdsa_c[i][1] = 1; - } - } - } -# endif - - ecdh_c[R_EC_P160][0] = count / 1000; - for (i = R_EC_P192; i <= R_EC_P521; i++) { - ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; - if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) - ecdh_doit[i] = 0; - else { - if (ecdh_c[i][0] == 0) { - ecdh_c[i][0] = 1; - } - } - } -# ifndef OPENSSL_NO_EC2M - ecdh_c[R_EC_K163][0] = count / 1000; - for (i = R_EC_K233; i <= R_EC_K571; i++) { - ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; - if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) - ecdh_doit[i] = 0; - else { - if (ecdh_c[i][0] == 0) { - ecdh_c[i][0] = 1; - } - } - } - ecdh_c[R_EC_B163][0] = count / 1000; - for (i = R_EC_B233; i <= R_EC_B571; i++) { - ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; - if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) - ecdh_doit[i] = 0; - else { - if (ecdh_c[i][0] == 0) { - ecdh_c[i][0] = 1; - } - } - } -# endif - /* repeated code good to factorize */ - ecdh_c[R_EC_BRP256R1][0] = count / 1000; - for (i = R_EC_BRP384R1; i <= R_EC_BRP512R1; i += 2) { - ecdh_c[i][0] = ecdh_c[i - 2][0] / 2; - if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) - ecdh_doit[i] = 0; - else { - if (ecdh_c[i][0] == 0) { - ecdh_c[i][0] = 1; - } - } - } - ecdh_c[R_EC_BRP256T1][0] = count / 1000; - for (i = R_EC_BRP384T1; i <= R_EC_BRP512T1; i += 2) { - ecdh_c[i][0] = ecdh_c[i - 2][0] / 2; - if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) - ecdh_doit[i] = 0; - else { - if (ecdh_c[i][0] == 0) { - ecdh_c[i][0] = 1; - } - } - } - /* default iteration count for the last two EC Curves */ - ecdh_c[R_EC_X25519][0] = count / 1800; - ecdh_c[R_EC_X448][0] = count / 7200; - - eddsa_c[R_EC_Ed25519][0] = count / 1800; - eddsa_c[R_EC_Ed448][0] = count / 7200; - -# ifndef OPENSSL_NO_SM2 - sm2_c[R_EC_SM2P256][0] = count / 1800; -# endif -# endif /* OPENSSL_NO_EC */ - -# ifndef OPENSSL_NO_DH - ffdh_c[R_FFDH_2048][0] = count / 1000; - for (i = R_FFDH_3072; i <= R_FFDH_8192; i++) { - ffdh_c[i][0] = ffdh_c[i - 1][0] / 2; - if (ffdh_doit[i] <= 1 && ffdh_c[i][0] == 0) { - ffdh_doit[i] = 0; - } else { - if (ffdh_c[i][0] == 0) - ffdh_c[i][0] = 1; - } - } -# endif /* OPENSSL_NO_DH */ - -# else -/* not worth fixing */ -# error "You cannot disable DES on systems without SIGALRM." -# endif /* OPENSSL_NO_DES */ -#elif SIGALRM > 0 +#if SIGALRM > 0 signal(SIGALRM, alarmed); -#endif /* SIGALRM */ +#endif -#if !defined(OPENSSL_NO_MD2) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_MD2]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_MD2], c[D_MD2][testnum], lengths[testnum], @@ -2438,10 +1882,11 @@ int speed_main(int argc, char **argv) count = run_benchmark(async_jobs, EVP_Digest_MD2_loop, loopargs); d = Time_F(STOP); print_result(D_MD2, testnum, count, d); + if (count < 0) + break; } } -#endif -#if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) + if (doit[D_MDC2]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_MDC2], c[D_MDC2][testnum], lengths[testnum], @@ -2454,9 +1899,7 @@ int speed_main(int argc, char **argv) break; } } -#endif -#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_MD4]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_MD4], c[D_MD4][testnum], lengths[testnum], @@ -2469,9 +1912,7 @@ int speed_main(int argc, char **argv) break; } } -#endif -#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_MD5]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_MD5], c[D_MD5][testnum], lengths[testnum], @@ -2480,37 +1921,11 @@ int speed_main(int argc, char **argv) count = run_benchmark(async_jobs, MD5_loop, loopargs); d = Time_F(STOP); print_result(D_MD5, testnum, count, d); + if (count < 0) + break; } } -# ifndef OPENSSL_NO_DEPRECATED_3_0 - if (doit[D_HMAC]) { - static const char hmac_key[] = "This is a key..."; - int len = strlen(hmac_key); - - for (i = 0; i < loopargs_len; i++) { - loopargs[i].hctx = HMAC_CTX_new(); - if (loopargs[i].hctx == NULL) { - BIO_printf(bio_err, "HMAC malloc failure, exiting..."); - exit(1); - } - - HMAC_Init_ex(loopargs[i].hctx, hmac_key, len, EVP_md5(), NULL); - } - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum], - seconds.sym); - Time_F(START); - count = run_benchmark(async_jobs, HMAC_loop, loopargs); - d = Time_F(STOP); - print_result(D_HMAC, testnum, count, d); - } - for (i = 0; i < loopargs_len; i++) - HMAC_CTX_free(loopargs[i].hctx); - } -# endif -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 if (doit[D_SHA1]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_SHA1], c[D_SHA1][testnum], lengths[testnum], @@ -2519,8 +1934,11 @@ int speed_main(int argc, char **argv) count = run_benchmark(async_jobs, SHA1_loop, loopargs); d = Time_F(STOP); print_result(D_SHA1, testnum, count, d); + if (count < 0) + break; } } + if (doit[D_SHA256]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_SHA256], c[D_SHA256][testnum], @@ -2529,8 +1947,11 @@ int speed_main(int argc, char **argv) count = run_benchmark(async_jobs, SHA256_loop, loopargs); d = Time_F(STOP); print_result(D_SHA256, testnum, count, d); + if (count < 0) + break; } } + if (doit[D_SHA512]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_SHA512], c[D_SHA512][testnum], @@ -2539,10 +1960,11 @@ int speed_main(int argc, char **argv) count = run_benchmark(async_jobs, SHA512_loop, loopargs); d = Time_F(STOP); print_result(D_SHA512, testnum, count, d); + if (count < 0) + break; } } -#endif -#if !defined(OPENSSL_NO_WHIRLPOOL) && !defined(OPENSSL_NO_DEPRECATED_3_0) + if (doit[D_WHIRLPOOL]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_WHIRLPOOL], c[D_WHIRLPOOL][testnum], @@ -2551,11 +1973,11 @@ int speed_main(int argc, char **argv) count = run_benchmark(async_jobs, WHIRLPOOL_loop, loopargs); d = Time_F(STOP); print_result(D_WHIRLPOOL, testnum, count, d); + if (count < 0) + break; } } -#endif -#if !defined(OPENSSL_NO_RMD160) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_RMD160]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_RMD160], c[D_RMD160][testnum], @@ -2568,320 +1990,213 @@ int speed_main(int argc, char **argv) break; } } -#endif -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_RC4]) { + + if (doit[D_HMAC]) { + static const char hmac_key[] = "This is a key..."; + int len = strlen(hmac_key); + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + OSSL_PARAM params[3]; + + if (mac == NULL || evp_mac_mdname == NULL) + goto end; + + evp_hmac_name = app_malloc(sizeof("hmac()") + strlen(evp_mac_mdname), + "HMAC name"); + sprintf(evp_hmac_name, "hmac(%s)", evp_mac_mdname); + names[D_HMAC] = evp_hmac_name; + + params[0] = + OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + evp_mac_mdname, 0); + params[1] = + OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, + (char *)hmac_key, len); + params[2] = OSSL_PARAM_construct_end(); + + for (i = 0; i < loopargs_len; i++) { + loopargs[i].mctx = EVP_MAC_CTX_new(mac); + if (loopargs[i].mctx == NULL) + goto end; + + if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) + goto end; + } for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_RC4], c[D_RC4][testnum], lengths[testnum], + print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum], seconds.sym); Time_F(START); - count = run_benchmark(async_jobs, RC4_loop, loopargs); + count = run_benchmark(async_jobs, HMAC_loop, loopargs); d = Time_F(STOP); - print_result(D_RC4, testnum, count, d); + print_result(D_HMAC, testnum, count, d); + if (count < 0) + break; } + for (i = 0; i < loopargs_len; i++) + EVP_MAC_CTX_free(loopargs[i].mctx); + EVP_MAC_free(mac); } -#endif -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) + if (doit[D_CBC_DES]) { - for (testnum = 0; testnum < size_num; testnum++) { + int st = 1; + + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].ctx = init_evp_cipher_ctx("des-cbc", deskey, + sizeof(deskey) / 3); + st = loopargs[i].ctx != NULL; + } + algindex = D_CBC_DES; + for (testnum = 0; st && testnum < size_num; testnum++) { print_message(names[D_CBC_DES], c[D_CBC_DES][testnum], lengths[testnum], seconds.sym); Time_F(START); - count = run_benchmark(async_jobs, DES_ncbc_encrypt_loop, loopargs); + count = run_benchmark(async_jobs, EVP_Cipher_loop, loopargs); d = Time_F(STOP); print_result(D_CBC_DES, testnum, count, d); } + for (i = 0; i < loopargs_len; i++) + EVP_CIPHER_CTX_free(loopargs[i].ctx); } if (doit[D_EDE3_DES]) { - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_EDE3_DES], c[D_EDE3_DES][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - count = - run_benchmark(async_jobs, DES_ede3_cbc_encrypt_loop, loopargs); - d = Time_F(STOP); - print_result(D_EDE3_DES, testnum, count, d); - } - } -#endif + int st = 1; -#ifndef OPENSSL_NO_DEPRECATED_3_0 - if (doit[D_CBC_128_AES]) { - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - count = - run_benchmark(async_jobs, AES_cbc_128_encrypt_loop, loopargs); - d = Time_F(STOP); - print_result(D_CBC_128_AES, testnum, count, d); + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].ctx = init_evp_cipher_ctx("des-ede3-cbc", deskey, + sizeof(deskey)); + st = loopargs[i].ctx != NULL; } - } - if (doit[D_CBC_192_AES]) { - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_CBC_192_AES], c[D_CBC_192_AES][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - count = - run_benchmark(async_jobs, AES_cbc_192_encrypt_loop, loopargs); - d = Time_F(STOP); - print_result(D_CBC_192_AES, testnum, count, d); - } - } - if (doit[D_CBC_256_AES]) { - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_CBC_256_AES], c[D_CBC_256_AES][testnum], + algindex = D_EDE3_DES; + for (testnum = 0; st && testnum < size_num; testnum++) { + print_message(names[D_EDE3_DES], c[D_EDE3_DES][testnum], lengths[testnum], seconds.sym); Time_F(START); count = - run_benchmark(async_jobs, AES_cbc_256_encrypt_loop, loopargs); + run_benchmark(async_jobs, EVP_Cipher_loop, loopargs); d = Time_F(STOP); - print_result(D_CBC_256_AES, testnum, count, d); + print_result(D_EDE3_DES, testnum, count, d); } + for (i = 0; i < loopargs_len; i++) + EVP_CIPHER_CTX_free(loopargs[i].ctx); } + for (k = 0; k < 3; k++) { + algindex = D_CBC_128_AES + k; + if (doit[algindex]) { + int st = 1; - if (doit[D_IGE_128_AES]) { - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - count = - run_benchmark(async_jobs, AES_ige_128_encrypt_loop, loopargs); - d = Time_F(STOP); - print_result(D_IGE_128_AES, testnum, count, d); - } - } - if (doit[D_IGE_192_AES]) { - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_IGE_192_AES], c[D_IGE_192_AES][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - count = - run_benchmark(async_jobs, AES_ige_192_encrypt_loop, loopargs); - d = Time_F(STOP); - print_result(D_IGE_192_AES, testnum, count, d); - } - } - if (doit[D_IGE_256_AES]) { - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_IGE_256_AES], c[D_IGE_256_AES][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - count = - run_benchmark(async_jobs, AES_ige_256_encrypt_loop, loopargs); - d = Time_F(STOP); - print_result(D_IGE_256_AES, testnum, count, d); - } - } - if (doit[D_GHASH]) { - for (i = 0; i < loopargs_len; i++) { - loopargs[i].gcm_ctx = - CRYPTO_gcm128_new(&aes_ks1, (block128_f) AES_encrypt); - CRYPTO_gcm128_setiv(loopargs[i].gcm_ctx, - (unsigned char *)"0123456789ab", 12); - } - - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_GHASH], c[D_GHASH][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - count = run_benchmark(async_jobs, CRYPTO_gcm128_aad_loop, loopargs); - d = Time_F(STOP); - print_result(D_GHASH, testnum, count, d); - } - for (i = 0; i < loopargs_len; i++) - CRYPTO_gcm128_release(loopargs[i].gcm_ctx); - } -#endif /* OPENSSL_NO_DEPRECATED_3_0 */ -#if !defined(OPENSSL_NO_CAMELLIA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_128_CML]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_128_CML]); - doit[D_CBC_128_CML] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - for (count = 0; COND(c[D_CBC_128_CML][testnum]); count++) - Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &camellia_ks[0], - iv, CAMELLIA_ENCRYPT); - d = Time_F(STOP); - print_result(D_CBC_128_CML, testnum, count, d); - } - } - if (doit[D_CBC_192_CML]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_192_CML]); - doit[D_CBC_192_CML] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_192_CML], c[D_CBC_192_CML][testnum], - lengths[testnum], seconds.sym); - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported, exiting..."); - exit(1); - } - Time_F(START); - for (count = 0; COND(c[D_CBC_192_CML][testnum]); count++) - Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &camellia_ks[1], - iv, CAMELLIA_ENCRYPT); - d = Time_F(STOP); - print_result(D_CBC_192_CML, testnum, count, d); - } - } - if (doit[D_CBC_256_CML]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_256_CML]); - doit[D_CBC_256_CML] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - for (count = 0; COND(c[D_CBC_256_CML][testnum]); count++) - Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &camellia_ks[2], - iv, CAMELLIA_ENCRYPT); - d = Time_F(STOP); - print_result(D_CBC_256_CML, testnum, count, d); - } - } -#endif -#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_IDEA]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_IDEA]); - doit[D_CBC_IDEA] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - for (count = 0; COND(c[D_CBC_IDEA][testnum]); count++) - IDEA_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &idea_ks, - iv, IDEA_ENCRYPT); - d = Time_F(STOP); - print_result(D_CBC_IDEA, testnum, count, d); - } - } -#endif -#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_SEED]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_SEED]); - doit[D_CBC_SEED] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_SEED], c[D_CBC_SEED][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - for (count = 0; COND(c[D_CBC_SEED][testnum]); count++) - SEED_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &seed_ks, iv, 1); - d = Time_F(STOP); - print_result(D_CBC_SEED, testnum, count, d); - } - } -#endif -#if !defined(OPENSSL_NO_RC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_RC2]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_RC2]); - doit[D_CBC_RC2] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_RC2], c[D_CBC_RC2][testnum], - lengths[testnum], seconds.sym); - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported, exiting..."); - exit(1); + keylen = 16 + i * 8; + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].ctx = init_evp_cipher_ctx(names[algindex], + key32, keylen); + st = loopargs[i].ctx != NULL; } - Time_F(START); - for (count = 0; COND(c[D_CBC_RC2][testnum]); count++) - RC2_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &rc2_ks, - iv, RC2_ENCRYPT); - d = Time_F(STOP); - print_result(D_CBC_RC2, testnum, count, d); + + for (testnum = 0; st && testnum < size_num; testnum++) { + print_message(names[algindex], c[algindex][testnum], + lengths[testnum], seconds.sym); + Time_F(START); + count = + run_benchmark(async_jobs, EVP_Cipher_loop, loopargs); + d = Time_F(STOP); + print_result(algindex, testnum, count, d); + } + for (i = 0; i < loopargs_len; i++) + EVP_CIPHER_CTX_free(loopargs[i].ctx); } } -#endif -#if !defined(OPENSSL_NO_RC5) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_RC5]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_RC5]); - doit[D_CBC_RC5] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_RC5], c[D_CBC_RC5][testnum], - lengths[testnum], seconds.sym); - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported, exiting..."); - exit(1); + + for (k = 0; k < 3; k++) { + algindex = D_CBC_128_CML + k; + if (doit[algindex]) { + int st = 1; + + keylen = 16 + i * 8; + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].ctx = init_evp_cipher_ctx(names[algindex], + key32, keylen); + st = loopargs[i].ctx != NULL; } - Time_F(START); - for (count = 0; COND(c[D_CBC_RC5][testnum]); count++) - RC5_32_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &rc5_ks, - iv, RC5_ENCRYPT); - d = Time_F(STOP); - print_result(D_CBC_RC5, testnum, count, d); + + for (testnum = 0; st && testnum < size_num; testnum++) { + print_message(names[algindex], c[algindex][testnum], + lengths[testnum], seconds.sym); + Time_F(START); + count = + run_benchmark(async_jobs, EVP_Cipher_loop, loopargs); + d = Time_F(STOP); + print_result(algindex, testnum, count, d); + } + for (i = 0; i < loopargs_len; i++) + EVP_CIPHER_CTX_free(loopargs[i].ctx); } } -#endif -#if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_BF]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_BF]); - doit[D_CBC_BF] = 0; - } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_BF], c[D_CBC_BF][testnum], - lengths[testnum], seconds.sym); - Time_F(START); - for (count = 0; COND(c[D_CBC_BF][testnum]); count++) - BF_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &bf_ks, - iv, BF_ENCRYPT); - d = Time_F(STOP); - print_result(D_CBC_BF, testnum, count, d); + + for (algindex = D_RC4; algindex <= D_CBC_CAST; algindex++) { + if (doit[algindex]) { + int st = 1; + + keylen = 16; + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].ctx = init_evp_cipher_ctx(names[algindex], + key32, keylen); + st = loopargs[i].ctx != NULL; + } + + for (testnum = 0; st && testnum < size_num; testnum++) { + print_message(names[algindex], c[algindex][testnum], + lengths[testnum], seconds.sym); + Time_F(START); + count = + run_benchmark(async_jobs, EVP_Cipher_loop, loopargs); + d = Time_F(STOP); + print_result(algindex, testnum, count, d); + } + for (i = 0; i < loopargs_len; i++) + EVP_CIPHER_CTX_free(loopargs[i].ctx); } } -#endif -#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_CBC_CAST]) { - if (async_jobs > 0) { - BIO_printf(bio_err, "Async mode is not supported with %s\n", - names[D_CBC_CAST]); - doit[D_CBC_CAST] = 0; + if (doit[D_GHASH]) { + static const char gmac_iv[] = "0123456789ab"; + EVP_MAC *mac = EVP_MAC_fetch(NULL, "GMAC", NULL); + OSSL_PARAM params[4]; + + if (mac == NULL) + goto end; + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_CIPHER, + "aes-128-gcm", 0); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, + (char *)key32, 16); + params[2] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_IV, + (char *)gmac_iv, + sizeof(gmac_iv) - 1); + params[3] = OSSL_PARAM_construct_end(); + + for (i = 0; i < loopargs_len; i++) { + loopargs[i].mctx = EVP_MAC_CTX_new(mac); + if (loopargs[i].mctx == NULL) + goto end; + + if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) + goto end; + if (!EVP_MAC_init(loopargs[i].mctx)) + goto end; } - for (testnum = 0; testnum < size_num && async_init == 0; testnum++) { - print_message(names[D_CBC_CAST], c[D_CBC_CAST][testnum], - lengths[testnum], seconds.sym); + for (testnum = 0; testnum < size_num; testnum++) { + print_message(names[D_GHASH], c[D_GHASH][testnum], lengths[testnum], + seconds.sym); Time_F(START); - for (count = 0; COND(c[D_CBC_CAST][testnum]); count++) - CAST_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, - (size_t)lengths[testnum], &cast_ks, - iv, CAST_ENCRYPT); + count = run_benchmark(async_jobs, GHASH_loop, loopargs); d = Time_F(STOP); - print_result(D_CBC_CAST, testnum, count, d); + print_result(D_GHASH, testnum, count, d); + if (count < 0) + break; } + for (i = 0; i < loopargs_len; i++) + EVP_MAC_CTX_free(loopargs[i].mctx); + EVP_MAC_free(mac); } -#endif + if (doit[D_RAND]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_RAND], c[D_RAND][testnum], lengths[testnum], @@ -2949,126 +2264,131 @@ int speed_main(int argc, char **argv) /* SIV mode only allows for a single Update operation */ if (EVP_CIPHER_mode(evp_cipher) == EVP_CIPH_SIV_MODE) - EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_SET_SPEED, 1, NULL); + EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_SET_SPEED, + 1, NULL); } Time_F(START); count = run_benchmark(async_jobs, loopfunc, loopargs); d = Time_F(STOP); - for (k = 0; k < loopargs_len; k++) { + for (k = 0; k < loopargs_len; k++) EVP_CIPHER_CTX_free(loopargs[k].ctx); - } print_result(D_EVP, testnum, count, d); } - } else if (evp_md != NULL) { - names[D_EVP] = OBJ_nid2ln(EVP_MD_type(evp_md)); + } else if (evp_md_name != NULL) { + names[D_EVP] = evp_md_name; for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_EVP], c[D_EVP][testnum], lengths[testnum], seconds.sym); Time_F(START); - count = run_benchmark(async_jobs, EVP_Digest_loop, loopargs); + count = run_benchmark(async_jobs, EVP_Digest_md_loop, loopargs); d = Time_F(STOP); print_result(D_EVP, testnum, count, d); + if (count < 0) + break; } } } -#ifndef OPENSSL_NO_DEPRECATED_3_0 - if (doit[D_EVP_HMAC] && evp_hmac_md != NULL) { - const char *md_name = OBJ_nid2ln(EVP_MD_type(evp_hmac_md)); + if (doit[D_EVP_CMAC]) { + EVP_MAC *mac = EVP_MAC_fetch(NULL, "CMAC", NULL); + OSSL_PARAM params[3]; + EVP_CIPHER *cipher; + int fetched = 0; - evp_hmac_name = app_malloc(sizeof("HMAC()") + strlen(md_name), - "HMAC name"); - sprintf(evp_hmac_name, "HMAC(%s)", md_name); - names[D_EVP_HMAC] = evp_hmac_name; + if (mac == NULL || evp_mac_ciphername == NULL) + goto end; + if ((cipher = obtain_cipher(evp_mac_ciphername, &fetched)) == NULL) + goto end; - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_EVP_HMAC], c[D_EVP_HMAC][testnum], lengths[testnum], - seconds.sym); - Time_F(START); - count = run_benchmark(async_jobs, EVP_HMAC_loop, loopargs); - d = Time_F(STOP); - print_result(D_EVP_HMAC, testnum, count, d); + keylen = EVP_CIPHER_key_length(cipher); + if (fetched) + EVP_CIPHER_free(cipher); + if (keylen <= 0 || keylen > (int)sizeof(key32)) { + BIO_printf(bio_err, "\nRequested CMAC cipher with unsupported key length.\n"); + goto end; } - } -#endif - -#if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (doit[D_EVP_CMAC] && evp_cmac_cipher != NULL) { - const char *cipher_name = OBJ_nid2ln(EVP_CIPHER_type(evp_cmac_cipher)); - - evp_cmac_name = app_malloc(sizeof("CMAC()") + strlen(cipher_name), - "CMAC name"); - sprintf(evp_cmac_name, "CMAC(%s)", cipher_name); + evp_cmac_name = app_malloc(sizeof("cmac()") + + strlen(evp_mac_ciphername), "CMAC name"); + sprintf(evp_cmac_name, "cmac(%s)", evp_mac_ciphername); names[D_EVP_CMAC] = evp_cmac_name; + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_CIPHER, + evp_mac_ciphername, 0); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, + (char *)key32, keylen); + params[2] = OSSL_PARAM_construct_end(); + for (i = 0; i < loopargs_len; i++) { - loopargs[i].cmac_ctx = CMAC_CTX_new(); - if (loopargs[i].cmac_ctx == NULL) { - BIO_printf(bio_err, "CMAC malloc failure, exiting..."); - exit(1); - } + loopargs[i].mctx = EVP_MAC_CTX_new(mac); + if (loopargs[i].mctx == NULL) + goto end; + + if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) + goto end; } + for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_EVP_CMAC], c[D_EVP_CMAC][testnum], lengths[testnum], - seconds.sym); + print_message(names[D_EVP_CMAC], c[D_EVP_CMAC][testnum], + lengths[testnum], seconds.sym); Time_F(START); - count = run_benchmark(async_jobs, EVP_CMAC_loop, loopargs); + count = run_benchmark(async_jobs, CMAC_loop, loopargs); d = Time_F(STOP); print_result(D_EVP_CMAC, testnum, count, d); + if (count < 0) + break; } for (i = 0; i < loopargs_len; i++) - CMAC_CTX_free(loopargs[i].cmac_ctx); + EVP_MAC_CTX_free(loopargs[i].mctx); + EVP_MAC_free(mac); } -#endif for (i = 0; i < loopargs_len; i++) if (RAND_bytes(loopargs[i].buf, 36) <= 0) goto end; -#ifndef OPENSSL_NO_DEPRECATED_3_0 for (testnum = 0; testnum < RSA_NUM; testnum++) { + EVP_PKEY *rsa_key = NULL; int st = 0; + if (!rsa_doit[testnum]) continue; - for (i = 0; i < loopargs_len; i++) { - if (primes > RSA_DEFAULT_PRIME_NUM) { - /* we haven't set keys yet, generate multi-prime RSA keys */ - BIGNUM *bn = BN_new(); - - if (bn == NULL) - goto end; - if (!BN_set_word(bn, RSA_F4)) { - BN_free(bn); - goto end; - } - BIO_printf(bio_err, "Generate multi-prime RSA key for %s\n", - rsa_choices[testnum].name); + if (primes > RSA_DEFAULT_PRIME_NUM) { + /* we haven't set keys yet, generate multi-prime RSA keys */ + bn = BN_new(); + st = bn != NULL + && BN_set_word(bn, RSA_F4) + && init_gen_str(&genctx, "RSA", NULL, 0, NULL, NULL) + && EVP_PKEY_CTX_set_rsa_keygen_bits(genctx, rsa_keys[testnum].bits) > 0 + && EVP_PKEY_CTX_set1_rsa_keygen_pubexp(genctx, bn) > 0 + && EVP_PKEY_CTX_set_rsa_keygen_primes(genctx, primes) > 0 + && EVP_PKEY_keygen(genctx, &rsa_key); + BN_free(bn); + bn = NULL; + EVP_PKEY_CTX_free(genctx); + genctx = NULL; + } else { + const unsigned char *p = rsa_keys[testnum].data; - loopargs[i].rsa_key[testnum] = RSA_new(); - if (loopargs[i].rsa_key[testnum] == NULL) { - BN_free(bn); - goto end; - } + st = (rsa_key = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, + rsa_keys[testnum].length)) != NULL; + } - if (!RSA_generate_multi_prime_key(loopargs[i].rsa_key[testnum], - rsa_keys[testnum].bits, - primes, bn, NULL)) { - BN_free(bn); - goto end; - } - BN_free(bn); - } - st = RSA_sign(NID_md5_sha1, loopargs[i].buf, 36, loopargs[i].buf2, - &loopargs[i].siglen, loopargs[i].rsa_key[testnum]); - if (st == 0) - break; + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].rsa_sign_ctx[testnum] = EVP_PKEY_CTX_new(rsa_key, NULL); + if (loopargs[i].rsa_sign_ctx[testnum] == NULL + || EVP_PKEY_sign_init(loopargs[i].rsa_sign_ctx[testnum]) <= 0 + || EVP_PKEY_sign(loopargs[i].rsa_sign_ctx[testnum], + loopargs[i].buf2, + &loopargs[i].sigsize, + loopargs[i].buf, 36) <= 0) + st = 0; } - if (st == 0) { + if (!st) { BIO_printf(bio_err, - "RSA sign failure. No RSA sign will be done.\n"); + "RSA sign setup failure. No RSA sign will be done.\n"); ERR_print_errors(bio_err); op_count = 1; } else { @@ -3087,15 +2407,20 @@ int speed_main(int argc, char **argv) op_count = count; } - for (i = 0; i < loopargs_len; i++) { - st = RSA_verify(NID_md5_sha1, loopargs[i].buf, 36, loopargs[i].buf2, - loopargs[i].siglen, loopargs[i].rsa_key[testnum]); - if (st <= 0) - break; + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].rsa_verify_ctx[testnum] = EVP_PKEY_CTX_new(rsa_key, + NULL); + if (loopargs[i].rsa_verify_ctx[testnum] == NULL + || EVP_PKEY_verify_init(loopargs[i].rsa_verify_ctx[testnum]) <= 0 + || EVP_PKEY_verify(loopargs[i].rsa_verify_ctx[testnum], + loopargs[i].buf2, + loopargs[i].sigsize, + loopargs[i].buf, 36) <= 0) + st = 0; } - if (st <= 0) { + if (!st) { BIO_printf(bio_err, - "RSA verify failure. No RSA verify will be done.\n"); + "RSA verify setup failure. No RSA verify will be done.\n"); ERR_print_errors(bio_err); rsa_doit[testnum] = 0; } else { @@ -3116,30 +2441,33 @@ int speed_main(int argc, char **argv) /* if longer than 10s, don't do any more */ stop_it(rsa_doit, testnum); } + EVP_PKEY_free(rsa_key); } -#endif /* OPENSSL_NO_DEPRECATED_3_0 */ - - for (i = 0; i < loopargs_len; i++) - if (RAND_bytes(loopargs[i].buf, 36) <= 0) - goto end; -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) for (testnum = 0; testnum < DSA_NUM; testnum++) { - int st = 0; + EVP_PKEY *dsa_key = NULL; + int st; + if (!dsa_doit[testnum]) continue; - /* DSA_generate_key(dsa_key[testnum]); */ - /* DSA_sign_setup(dsa_key[testnum],NULL); */ - for (i = 0; i < loopargs_len; i++) { - st = DSA_sign(0, loopargs[i].buf, 20, loopargs[i].buf2, - &loopargs[i].siglen, loopargs[i].dsa_key[testnum]); - if (st == 0) - break; + st = (dsa_key = get_dsa(dsa_bits[testnum])) != NULL; + + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].dsa_sign_ctx[testnum] = EVP_PKEY_CTX_new(dsa_key, + NULL); + if (loopargs[i].dsa_sign_ctx[testnum] == NULL + || EVP_PKEY_sign_init(loopargs[i].dsa_sign_ctx[testnum]) <= 0 + + || EVP_PKEY_sign(loopargs[i].dsa_sign_ctx[testnum], + loopargs[i].buf2, + &loopargs[i].sigsize, + loopargs[i].buf, 20) <= 0) + st = 0; } - if (st == 0) { + if (!st) { BIO_printf(bio_err, - "DSA sign failure. No DSA sign will be done.\n"); + "DSA sign setup failure. No DSA sign will be done.\n"); ERR_print_errors(bio_err); op_count = 1; } else { @@ -3157,15 +2485,20 @@ int speed_main(int argc, char **argv) op_count = count; } - for (i = 0; i < loopargs_len; i++) { - st = DSA_verify(0, loopargs[i].buf, 20, loopargs[i].buf2, - loopargs[i].siglen, loopargs[i].dsa_key[testnum]); - if (st <= 0) - break; + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].dsa_verify_ctx[testnum] = EVP_PKEY_CTX_new(dsa_key, + NULL); + if (loopargs[i].dsa_verify_ctx[testnum] == NULL + || EVP_PKEY_verify_init(loopargs[i].dsa_verify_ctx[testnum]) <= 0 + || EVP_PKEY_verify(loopargs[i].dsa_verify_ctx[testnum], + loopargs[i].buf2, + loopargs[i].sigsize, + loopargs[i].buf, 36) <= 0) + st = 0; } - if (st <= 0) { + if (!st) { BIO_printf(bio_err, - "DSA verify failure. No DSA verify will be done.\n"); + "DSA verify setup failure. No DSA verify will be done.\n"); ERR_print_errors(bio_err); dsa_doit[testnum] = 0; } else { @@ -3186,93 +2519,85 @@ int speed_main(int argc, char **argv) /* if longer than 10s, don't do any more */ stop_it(dsa_doit, testnum); } + EVP_PKEY_free(dsa_key); } -#endif /* OPENSSL_NO_DSA */ -#ifndef OPENSSL_NO_EC -# ifndef OPENSSL_NO_DEPRECATED_3_0 for (testnum = 0; testnum < ECDSA_NUM; testnum++) { - int st = 1; + EVP_PKEY *ecdsa_key = NULL; + int st; if (!ecdsa_doit[testnum]) - continue; /* Ignore Curve */ - for (i = 0; i < loopargs_len; i++) { - loopargs[i].ecdsa[testnum] = - EC_KEY_new_by_curve_name(ec_curves[testnum].nid); - if (loopargs[i].ecdsa[testnum] == NULL) { + continue; + + st = (ecdsa_key = get_ecdsa(&ec_curves[testnum])) != NULL; + + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].ecdsa_sign_ctx[testnum] = EVP_PKEY_CTX_new(ecdsa_key, + NULL); + if (loopargs[i].ecdsa_sign_ctx[testnum] == NULL + || EVP_PKEY_sign_init(loopargs[i].ecdsa_sign_ctx[testnum]) <= 0 + + || EVP_PKEY_sign(loopargs[i].ecdsa_sign_ctx[testnum], + loopargs[i].buf2, + &loopargs[i].sigsize, + loopargs[i].buf, 20) <= 0) st = 0; - break; - } } - if (st == 0) { - BIO_printf(bio_err, "ECDSA failure.\n"); + if (!st) { + BIO_printf(bio_err, + "ECDSA sign setup failure. No ECDSA sign will be done.\n"); ERR_print_errors(bio_err); op_count = 1; } else { - for (i = 0; i < loopargs_len; i++) { - /* Perform ECDSA signature test */ - EC_KEY_generate_key(loopargs[i].ecdsa[testnum]); - st = ECDSA_sign(0, loopargs[i].buf, 20, loopargs[i].buf2, - &loopargs[i].siglen, - loopargs[i].ecdsa[testnum]); - if (st == 0) - break; - } - if (st == 0) { - BIO_printf(bio_err, - "ECDSA sign failure. No ECDSA sign will be done.\n"); - ERR_print_errors(bio_err); - op_count = 1; - } else { - pkey_print_message("sign", "ecdsa", - ecdsa_c[testnum][0], - ec_curves[testnum].bits, seconds.ecdsa); - Time_F(START); - count = run_benchmark(async_jobs, ECDSA_sign_loop, loopargs); - d = Time_F(STOP); - - BIO_printf(bio_err, - mr ? "+R5:%ld:%u:%.2f\n" : - "%ld %u bits ECDSA signs in %.2fs \n", - count, ec_curves[testnum].bits, d); - ecdsa_results[testnum][0] = (double)count / d; - op_count = count; - } + pkey_print_message("sign", "ecdsa", + ecdsa_c[testnum][0], ec_curves[testnum].bits, + seconds.ecdsa); + Time_F(START); + count = run_benchmark(async_jobs, ECDSA_sign_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R5:%ld:%u:%.2f\n" + : "%ld %u bits ECDSA signs in %.2fs\n", + count, ec_curves[testnum].bits, d); + ecdsa_results[testnum][0] = (double)count / d; + op_count = count; + } - /* Perform ECDSA verification test */ - for (i = 0; i < loopargs_len; i++) { - st = ECDSA_verify(0, loopargs[i].buf, 20, loopargs[i].buf2, - loopargs[i].siglen, - loopargs[i].ecdsa[testnum]); - if (st != 1) - break; - } - if (st != 1) { - BIO_printf(bio_err, - "ECDSA verify failure. No ECDSA verify will be done.\n"); - ERR_print_errors(bio_err); - ecdsa_doit[testnum] = 0; - } else { - pkey_print_message("verify", "ecdsa", - ecdsa_c[testnum][1], - ec_curves[testnum].bits, seconds.ecdsa); - Time_F(START); - count = run_benchmark(async_jobs, ECDSA_verify_loop, loopargs); - d = Time_F(STOP); - BIO_printf(bio_err, - mr ? "+R6:%ld:%u:%.2f\n" - : "%ld %u bits ECDSA verify in %.2fs\n", - count, ec_curves[testnum].bits, d); - ecdsa_results[testnum][1] = (double)count / d; - } + for (i = 0; st && i < loopargs_len; i++) { + loopargs[i].ecdsa_verify_ctx[testnum] = EVP_PKEY_CTX_new(ecdsa_key, + NULL); + if (loopargs[i].ecdsa_verify_ctx[testnum] == NULL + || EVP_PKEY_verify_init(loopargs[i].ecdsa_verify_ctx[testnum]) <= 0 + || EVP_PKEY_verify(loopargs[i].ecdsa_verify_ctx[testnum], + loopargs[i].buf2, + loopargs[i].sigsize, + loopargs[i].buf, 20) <= 0) + st = 0; + } + if (!st) { + BIO_printf(bio_err, + "ECDSA verify setup failure. No ECDSA verify will be done.\n"); + ERR_print_errors(bio_err); + ecdsa_doit[testnum] = 0; + } else { + pkey_print_message("verify", "ecdsa", + ecdsa_c[testnum][1], ec_curves[testnum].bits, + seconds.ecdsa); + Time_F(START); + count = run_benchmark(async_jobs, ECDSA_verify_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R6:%ld:%u:%.2f\n" + : "%ld %u bits ECDSA verify in %.2fs\n", + count, ec_curves[testnum].bits, d); + ecdsa_results[testnum][1] = (double)count / d; + } - if (op_count <= 1) { - /* if longer than 10s, don't do any more */ - stop_it(ecdsa_doit, testnum); - } + if (op_count <= 1) { + /* if longer than 10s, don't do any more */ + stop_it(ecdsa_doit, testnum); } } -# endif /* OPENSSL_NO_DEPRECATED_3_0 */ for (testnum = 0; testnum < EC_NUM; testnum++) { int ecdh_checks = 1; @@ -3281,7 +2606,6 @@ int speed_main(int argc, char **argv) continue; for (i = 0; i < loopargs_len; i++) { - EVP_PKEY_CTX *kctx = NULL; EVP_PKEY_CTX *test_ctx = NULL; EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *key_A = NULL; @@ -3289,83 +2613,14 @@ int speed_main(int argc, char **argv) size_t outlen; size_t test_outlen; - /* Ensure that the error queue is empty */ - if (ERR_peek_error()) { - BIO_printf(bio_err, - "WARNING: the error queue contains previous unhandled errors.\n"); - ERR_print_errors(bio_err); - } - - /* Let's try to create a ctx directly from the NID: this works for - * curves like Curve25519 that are not implemented through the low - * level EC interface. - * If this fails we try creating a EVP_PKEY_EC generic param ctx, - * then we set the curve by NID before deriving the actual keygen - * ctx for that specific curve. */ - kctx = EVP_PKEY_CTX_new_id(ec_curves[testnum].nid, NULL); /* keygen ctx from NID */ - if (!kctx) { - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *params = NULL; - - /* If we reach this code EVP_PKEY_CTX_new_id() failed and a - * "int_ctx_new:unsupported algorithm" error was added to the - * error queue. - * We remove it from the error queue as we are handling it. */ - unsigned long error = ERR_peek_error(); /* peek the latest error in the queue */ - if (error == ERR_peek_last_error() && /* oldest and latest errors match */ - /* check that the error origin matches */ - ERR_GET_LIB(error) == ERR_LIB_EVP && - ERR_GET_REASON(error) == EVP_R_UNSUPPORTED_ALGORITHM) - ERR_get_error(); /* pop error from queue */ - if (ERR_peek_error()) { - BIO_printf(bio_err, - "Unhandled error in the error queue during ECDH init.\n"); - ERR_print_errors(bio_err); - op_count = 1; - break; - } - - /* Create the context for parameter generation */ - if (!(pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) || - /* Initialise the parameter generation */ - !EVP_PKEY_paramgen_init(pctx) || - /* Set the curve by NID */ - !EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, - ec_curves - [testnum].nid) || - /* Create the parameter object params */ - !EVP_PKEY_paramgen(pctx, ¶ms)) { - ecdh_checks = 0; - BIO_printf(bio_err, "ECDH EC params init failure.\n"); - ERR_print_errors(bio_err); - op_count = 1; - break; - } - /* Create the context for the key generation */ - kctx = EVP_PKEY_CTX_new(params, NULL); - - EVP_PKEY_free(params); - params = NULL; - EVP_PKEY_CTX_free(pctx); - pctx = NULL; - } - if (kctx == NULL || /* keygen ctx is not null */ - EVP_PKEY_keygen_init(kctx) <= 0/* init keygen ctx */ ) { - ecdh_checks = 0; - BIO_printf(bio_err, "ECDH keygen failure.\n"); - ERR_print_errors(bio_err); - op_count = 1; - break; - } - - if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A */ - EVP_PKEY_keygen(kctx, &key_B) <= 0 || /* generate secret key B */ - !(ctx = EVP_PKEY_CTX_new(key_A, NULL)) || /* derivation ctx from skeyA */ - EVP_PKEY_derive_init(ctx) <= 0 || /* init derivation ctx */ - EVP_PKEY_derive_set_peer(ctx, key_B) <= 0 || /* set peer pubkey in ctx */ - EVP_PKEY_derive(ctx, NULL, &outlen) <= 0 || /* determine max length */ - outlen == 0 || /* ensure outlen is a valid size */ - outlen > MAX_ECDH_SIZE /* avoid buffer overflow */ ) { + if ((key_A = get_ecdsa(&ec_curves[testnum])) == NULL /* generate secret key A */ + || (key_B = get_ecdsa(&ec_curves[testnum])) == NULL /* generate secret key B */ + || (ctx = EVP_PKEY_CTX_new(key_A, NULL)) == NULL /* derivation ctx from skeyA */ + || EVP_PKEY_derive_init(ctx) <= 0 /* init derivation ctx */ + || EVP_PKEY_derive_set_peer(ctx, key_B) <= 0 /* set peer pubkey in ctx */ + || EVP_PKEY_derive(ctx, NULL, &outlen) <= 0 /* determine max length */ + || outlen == 0 /* ensure outlen is a valid size */ + || outlen > MAX_ECDH_SIZE /* avoid buffer overflow */) { ecdh_checks = 0; BIO_printf(bio_err, "ECDH key generation failure.\n"); ERR_print_errors(bio_err); @@ -3373,17 +2628,19 @@ int speed_main(int argc, char **argv) break; } - /* Here we perform a test run, comparing the output of a*B and b*A; + /* + * Here we perform a test run, comparing the output of a*B and b*A; * we try this here and assume that further EVP_PKEY_derive calls * never fail, so we can skip checks in the actually benchmarked - * code, for maximum performance. */ - if (!(test_ctx = EVP_PKEY_CTX_new(key_B, NULL)) || /* test ctx from skeyB */ - !EVP_PKEY_derive_init(test_ctx) || /* init derivation test_ctx */ - !EVP_PKEY_derive_set_peer(test_ctx, key_A) || /* set peer pubkey in test_ctx */ - !EVP_PKEY_derive(test_ctx, NULL, &test_outlen) || /* determine max length */ - !EVP_PKEY_derive(ctx, loopargs[i].secret_a, &outlen) || /* compute a*B */ - !EVP_PKEY_derive(test_ctx, loopargs[i].secret_b, &test_outlen) || /* compute b*A */ - test_outlen != outlen /* compare output length */ ) { + * code, for maximum performance. + */ + if ((test_ctx = EVP_PKEY_CTX_new(key_B, NULL)) == NULL /* test ctx from skeyB */ + || !EVP_PKEY_derive_init(test_ctx) /* init derivation test_ctx */ + || !EVP_PKEY_derive_set_peer(test_ctx, key_A) /* set peer pubkey in test_ctx */ + || !EVP_PKEY_derive(test_ctx, NULL, &test_outlen) /* determine max length */ + || !EVP_PKEY_derive(ctx, loopargs[i].secret_a, &outlen) /* compute a*B */ + || !EVP_PKEY_derive(test_ctx, loopargs[i].secret_b, &test_outlen) /* compute b*A */ + || test_outlen != outlen /* compare output length */) { ecdh_checks = 0; BIO_printf(bio_err, "ECDH computation failure.\n"); ERR_print_errors(bio_err); @@ -3406,8 +2663,6 @@ int speed_main(int argc, char **argv) EVP_PKEY_free(key_A); EVP_PKEY_free(key_B); - EVP_PKEY_CTX_free(kctx); - kctx = NULL; EVP_PKEY_CTX_free(test_ctx); test_ctx = NULL; } @@ -3452,8 +2707,8 @@ int speed_main(int argc, char **argv) break; } - if ((ed_pctx = EVP_PKEY_CTX_new_id(ed_curves[testnum].nid, NULL)) - == NULL + if ((ed_pctx = EVP_PKEY_CTX_new_id(ed_curves[testnum].nid, + NULL)) == NULL || EVP_PKEY_keygen_init(ed_pctx) <= 0 || EVP_PKEY_keygen(ed_pctx, &ed_pkey) <= 0) { st = 0; @@ -3468,8 +2723,8 @@ int speed_main(int argc, char **argv) EVP_PKEY_free(ed_pkey); break; } - if (!EVP_DigestVerifyInit(loopargs[i].eddsa_ctx2[testnum], NULL, - NULL, NULL, ed_pkey)) { + if (!EVP_DigestVerifyInit(loopargs[i].eddsa_ctx2[testnum], NULL, + NULL, NULL, ed_pkey)) { st = 0; EVP_PKEY_free(ed_pkey); break; @@ -3548,7 +2803,7 @@ int speed_main(int argc, char **argv) } } -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 for (testnum = 0; testnum < SM2_NUM; testnum++) { int st = 1; EVP_PKEY *sm2_pkey = NULL; @@ -3681,8 +2936,7 @@ int speed_main(int argc, char **argv) } } } -# endif /* OPENSSL_NO_SM2 */ -#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_SM2 */ #ifndef OPENSSL_NO_DH for (testnum = 0; testnum < FFDH_NUM; testnum++) { @@ -3758,11 +3012,13 @@ int speed_main(int argc, char **argv) EVP_PKEY_CTX_free(ffdh_ctx); - /* check if the derivation works correctly both ways so that + /* + * check if the derivation works correctly both ways so that * we know if future derive calls will fail, and we can skip - * error checking in benchmarked code */ + * error checking in benchmarked code + */ ffdh_ctx = EVP_PKEY_CTX_new(pkey_A, NULL); - if (!ffdh_ctx) { + if (ffdh_ctx == NULL) { BIO_printf(bio_err, "Error while allocating EVP_PKEY_CTX.\n"); ERR_print_errors(bio_err); op_count = 1; @@ -3857,7 +3113,7 @@ int speed_main(int argc, char **argv) ffdh_params[testnum].bits, d); ffdh_results[testnum][0] = (double)count / d; op_count = count; - }; + } if (op_count <= 1) { /* if longer than 10s, don't do any more */ stop_it(ffdh_doit, testnum); @@ -3872,34 +3128,15 @@ int speed_main(int argc, char **argv) printf("built on: %s\n", OpenSSL_version(OPENSSL_BUILT_ON)); printf("options:"); printf("%s ", BN_options()); -#if !defined(OPENSSL_NO_MD2) && !defined(OPENSSL_NO_DEPRECATED_3_0) - printf("%s ", MD2_options()); -#endif -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0) - printf("%s ", RC4_options()); -#endif -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - printf("%s ", DES_options()); -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 - printf("%s ", AES_options()); -#endif -#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - printf("%s ", IDEA_options()); -#endif -#if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0) - printf("%s ", BF_options()); -#endif printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS)); printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO)); } if (pr_header) { - if (mr) + if (mr) { printf("+H"); - else { - printf - ("The 'numbers' are in 1000s of bytes per second processed.\n"); + } else { + printf("The 'numbers' are in 1000s of bytes per second processed.\n"); printf("type "); } for (testnum = 0; testnum < size_num; testnum++) @@ -3922,7 +3159,6 @@ int speed_main(int argc, char **argv) } printf("\n"); } -#ifndef OPENSSL_NO_DEPRECATED_3_0 testnum = 1; for (k = 0; k < RSA_NUM; k++) { if (!rsa_doit[k]) @@ -3939,8 +3175,6 @@ int speed_main(int argc, char **argv) rsa_keys[k].bits, 1.0 / rsa_results[k][0], 1.0 / rsa_results[k][1], rsa_results[k][0], rsa_results[k][1]); } -#endif -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) testnum = 1; for (k = 0; k < DSA_NUM; k++) { if (!dsa_doit[k]) @@ -3957,8 +3191,6 @@ int speed_main(int argc, char **argv) dsa_bits[k], 1.0 / dsa_results[k][0], 1.0 / dsa_results[k][1], dsa_results[k][0], dsa_results[k][1]); } -#endif -#ifndef OPENSSL_NO_EC testnum = 1; for (k = 0; k < OSSL_NELEM(ecdsa_doit); k++) { if (!ecdsa_doit[k]) @@ -4018,7 +3250,7 @@ int speed_main(int argc, char **argv) eddsa_results[k][0], eddsa_results[k][1]); } -# ifndef OPENSSL_NO_SM2 +#ifndef OPENSSL_NO_SM2 testnum = 1; for (k = 0; k < OSSL_NELEM(sm2_doit); k++) { if (!sm2_doit[k]) @@ -4038,8 +3270,7 @@ int speed_main(int argc, char **argv) 1.0 / sm2_results[k][0], 1.0 / sm2_results[k][1], sm2_results[k][0], sm2_results[k][1]); } -# endif -#endif /* OPENSSL_NO_EC */ +#endif #ifndef OPENSSL_NO_DH testnum = 1; for (k = 0; k < FFDH_NUM; k++) { @@ -4069,33 +3300,33 @@ int speed_main(int argc, char **argv) OPENSSL_free(loopargs[i].buf_malloc); OPENSSL_free(loopargs[i].buf2_malloc); -#ifndef OPENSSL_NO_DEPRECATED_3_0 - for (k = 0; k < RSA_NUM; k++) - RSA_free(loopargs[i].rsa_key[k]); -#endif + BN_free(bn); + EVP_PKEY_CTX_free(genctx); + for (k = 0; k < RSA_NUM; k++) { + EVP_PKEY_CTX_free(loopargs[i].rsa_sign_ctx[k]); + EVP_PKEY_CTX_free(loopargs[i].rsa_verify_ctx[k]); + } #ifndef OPENSSL_NO_DH OPENSSL_free(loopargs[i].secret_ff_a); OPENSSL_free(loopargs[i].secret_ff_b); - for (k = 0; k < FFDH_NUM; k++) { + for (k = 0; k < FFDH_NUM; k++) EVP_PKEY_CTX_free(loopargs[i].ffdh_ctx[k]); - } -#endif -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - for (k = 0; k < DSA_NUM; k++) - DSA_free(loopargs[i].dsa_key[k]); #endif -#ifndef OPENSSL_NO_EC -# if !defined(OPENSSL_NO_DEPRECATED_3_0) - for (k = 0; k < ECDSA_NUM; k++) - EC_KEY_free(loopargs[i].ecdsa[k]); -# endif + for (k = 0; k < DSA_NUM; k++) { + EVP_PKEY_CTX_free(loopargs[i].dsa_sign_ctx[k]); + EVP_PKEY_CTX_free(loopargs[i].dsa_verify_ctx[k]); + } + for (k = 0; k < ECDSA_NUM; k++) { + EVP_PKEY_CTX_free(loopargs[i].ecdsa_sign_ctx[k]); + EVP_PKEY_CTX_free(loopargs[i].ecdsa_verify_ctx[k]); + } for (k = 0; k < EC_NUM; k++) EVP_PKEY_CTX_free(loopargs[i].ecdh_ctx[k]); for (k = 0; k < EdDSA_NUM; k++) { EVP_MD_CTX_free(loopargs[i].eddsa_ctx[k]); EVP_MD_CTX_free(loopargs[i].eddsa_ctx2[k]); - } -# ifndef OPENSSL_NO_SM2 + } +#ifndef OPENSSL_NO_SM2 for (k = 0; k < SM2_NUM; k++) { EVP_PKEY_CTX *pctx = NULL; @@ -4112,17 +3343,12 @@ int speed_main(int argc, char **argv) /* free pkey */ EVP_PKEY_free(loopargs[i].sm2_pkey[k]); } -# endif +#endif OPENSSL_free(loopargs[i].secret_a); OPENSSL_free(loopargs[i].secret_b); -#endif } -#ifndef OPENSSL_NO_DEPRECATED_3_0 OPENSSL_free(evp_hmac_name); -#endif -#if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) OPENSSL_free(evp_cmac_name); -#endif if (async_jobs > 0) { for (i = 0; i < loopargs_len; i++) @@ -4134,8 +3360,7 @@ int speed_main(int argc, char **argv) } OPENSSL_free(loopargs); release_engine(e); - if (fetched_alg) { - EVP_MD_free(evp_md); + if (fetched_cipher) { EVP_CIPHER_free(evp_cipher); } return ret; @@ -4143,50 +3368,30 @@ int speed_main(int argc, char **argv) static void print_message(const char *s, long num, int length, int tm) { -#ifdef SIGALRM BIO_printf(bio_err, mr ? "+DT:%s:%d:%d\n" : "Doing %s for %ds on %d size blocks: ", s, tm, length); (void)BIO_flush(bio_err); run = 1; alarm(tm); -#else - BIO_printf(bio_err, - mr ? "+DN:%s:%ld:%d\n" - : "Doing %s %ld times on %d size blocks: ", s, num, length); - (void)BIO_flush(bio_err); -#endif } -#if !defined(OPENSSL_NO_DEPRECATED_3_0) \ - || !defined(OPENSSL_NO_DSA) \ - || !defined(OPENSSL_NO_DH) \ - || !defined(OPENSSL_NO_EC) static void pkey_print_message(const char *str, const char *str2, long num, unsigned int bits, int tm) { -# ifdef SIGALRM BIO_printf(bio_err, mr ? "+DTP:%d:%s:%s:%d\n" : "Doing %u bits %s %s's for %ds: ", bits, str, str2, tm); (void)BIO_flush(bio_err); run = 1; alarm(tm); -# else - BIO_printf(bio_err, - mr ? "+DNP:%ld:%d:%s:%s\n" - : "Doing %ld %u bits %s %s's: ", num, bits, str, str2); - (void)BIO_flush(bio_err); -# endif } -#endif static void print_result(int alg, int run_no, int count, double time_used) { if (count == -1) { BIO_printf(bio_err, "%s error!\n", names[alg]); ERR_print_errors(bio_err); - /* exit(1); disable exit until default provider enabled */ return; } BIO_printf(bio_err, @@ -4212,9 +3417,8 @@ static char *sstrsep(char **string, const char *delim) delim++; } - while (!isdelim[(unsigned char)(**string)]) { + while (!isdelim[(unsigned char)(**string)]) (*string)++; - } if (**string) { **string = 0; @@ -4285,9 +3489,7 @@ static int do_multi(int multi, int size_num) sstrsep(&p, sep); for (j = 0; j < size_num; ++j) results[alg][j] += atof(sstrsep(&p, sep)); - } -#ifndef OPENSSL_NO_DEPRECATED_3_0 - else if (strncmp(buf, "+F2:", 4) == 0) { + } else if (strncmp(buf, "+F2:", 4) == 0) { int k; double d; @@ -4300,10 +3502,7 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(&p, sep)); rsa_results[k][1] += d; - } -#endif -#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) - else if (strncmp(buf, "+F3:", 4) == 0) { + } else if (strncmp(buf, "+F3:", 4) == 0) { int k; double d; @@ -4316,10 +3515,7 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(&p, sep)); dsa_results[k][1] += d; - } -# endif -# ifndef OPENSSL_NO_EC - else if (strncmp(buf, "+F4:", 4) == 0) { + } else if (strncmp(buf, "+F4:", 4) == 0) { int k; double d; @@ -4356,9 +3552,8 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(&p, sep)); eddsa_results[k][1] += d; - } -# ifndef OPENSSL_NO_SM2 - else if (strncmp(buf, "+F7:", 4) == 0) { +# ifndef OPENSSL_NO_SM2 + } else if (strncmp(buf, "+F7:", 4) == 0) { int k; double d; @@ -4372,11 +3567,9 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(&p, sep)); sm2_results[k][1] += d; - } -# endif /* OPENSSL_NO_SM2 */ -# endif /* OPENSSL_NO_EC */ +# endif /* OPENSSL_NO_SM2 */ # ifndef OPENSSL_NO_DH - else if (strncmp(buf, "+F8:", 4) == 0) { + } else if (strncmp(buf, "+F8:", 4) == 0) { int k; double d; @@ -4386,14 +3579,13 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(&p, sep)); ffdh_results[k][0] += d; - } # endif /* OPENSSL_NO_DH */ - - else if (strncmp(buf, "+H:", 3) == 0) { + } else if (strncmp(buf, "+H:", 3) == 0) { ; - } else + } else { BIO_printf(bio_err, "Unknown type '%s' from child %d\n", buf, n); + } } fclose(f); diff --git a/apps/testdsa.h b/apps/testdsa.h index b7d288a66b..65028be46f 100644 --- a/apps/testdsa.h +++ b/apps/testdsa.h @@ -7,8 +7,10 @@ * https://www.openssl.org/source/license.html */ +#include + /* used by speed.c */ -DSA *get_dsa(int); +EVP_PKEY *get_dsa(int); static unsigned char dsa512_priv[] = { 0x65, 0xe5, 0xc7, 0x38, 0x60, 0x24, 0xb5, 0x89, 0xd4, 0x9c, 0xeb, 0x4c, @@ -211,11 +213,14 @@ typedef struct testdsa_st { st.q_l = sizeof(dsa##bits##_q); \ } while (0) -DSA *get_dsa(int dsa_bits) +EVP_PKEY *get_dsa(int dsa_bits) { - DSA *dsa; + EVP_PKEY *pkey = NULL; BIGNUM *priv_key, *pub_key, *p, *q, *g; + EVP_PKEY_CTX *pctx; testdsa dsa_t; + OSSL_PARAM_BLD *tmpl = NULL; + OSSL_PARAM *params = NULL; switch (dsa_bits) { case 512: @@ -231,30 +236,44 @@ DSA *get_dsa(int dsa_bits) return NULL; } - if ((dsa = DSA_new()) == NULL) + if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL)) == NULL) return NULL; + priv_key = BN_bin2bn(dsa_t.priv, dsa_t.priv_l, NULL); pub_key = BN_bin2bn(dsa_t.pub, dsa_t.pub_l, NULL); p = BN_bin2bn(dsa_t.p, dsa_t.p_l, NULL); q = BN_bin2bn(dsa_t.q, dsa_t.q_l, NULL); g = BN_bin2bn(dsa_t.g, dsa_t.g_l, NULL); - if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL) - || (g == NULL)) { + if (priv_key == NULL || pub_key == NULL || p == NULL || q == NULL + || g == NULL) { goto err; } - if (!DSA_set0_pqg(dsa, p, q, g)) - goto err; - - if (!DSA_set0_key(dsa, pub_key, priv_key)) + if ((tmpl = OSSL_PARAM_BLD_new()) == NULL + || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, + p) + || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q, + q) + || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, + g) + || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PRIV_KEY, + priv_key) + || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY, + pub_key) + || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) goto err; - return dsa; - err: - DSA_free(dsa); + if (EVP_PKEY_fromdata_init(pctx) <= 0 + || EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR, + params) <= 0) + pkey = NULL; +err: + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(tmpl); BN_free(priv_key); BN_free(pub_key); BN_free(p); BN_free(q); BN_free(g); - return NULL; + EVP_PKEY_CTX_free(pctx); + return pkey; } From tomas at openssl.org Wed Feb 24 16:55:57 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 24 Feb 2021 16:55:57 +0000 Subject: [openssl] master update Message-ID: <1614185757.271567.27773.nullmailer@dev.openssl.org> The branch master has been updated via da9988e0f5371cb7e2aeed9f3c9a6433a9acc595 (commit) via b300f1cb3d0d266eb837af2eab2cf97e5a418e56 (commit) via 53cefef62ba7b1262374874aa8ce0aa34419d8ff (commit) via 7415ffe36896a6cce6f83db5ec1c54e69213c5b1 (commit) from 861f265a407d5de81c79b6917139e66cdfb0f367 (commit) - Log ----------------------------------------------------------------- commit da9988e0f5371cb7e2aeed9f3c9a6433a9acc595 Author: Tomas Mraz Date: Tue Feb 23 16:52:49 2021 +0100 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14290) commit b300f1cb3d0d266eb837af2eab2cf97e5a418e56 Author: Tomas Mraz Date: Tue Feb 23 16:52:21 2021 +0100 Fix missing EOL at the end of the rsa/build.info Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14290) commit 53cefef62ba7b1262374874aa8ce0aa34419d8ff Author: Tomas Mraz Date: Tue Feb 23 16:51:43 2021 +0100 Remove inclusion of unnecessary header files Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14290) commit 7415ffe36896a6cce6f83db5ec1c54e69213c5b1 Author: Tomas Mraz Date: Tue Feb 23 16:50:21 2021 +0100 Use strcasecmp when comparing kdf_type Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14290) ----------------------------------------------------------------------- Summary of changes: crypto/dsa/dsa_lib.c | 8 +++----- crypto/evp/ctrl_params_translate.c | 2 +- crypto/evp/dh_ctrl.c | 2 -- crypto/evp/dsa_ctrl.c | 30 +++--------------------------- crypto/evp/ec_ctrl.c | 9 --------- crypto/rsa/build.info | 2 +- crypto/rsa/rsa_lib.c | 7 ++----- 7 files changed, 10 insertions(+), 50 deletions(-) diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index fd56203539..7e5be3208d 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -13,15 +13,13 @@ */ #include "internal/deprecated.h" -#include -#include "internal/cryptlib.h" -#include "internal/refcount.h" #include -#include #include -#include "dsa_local.h" +#include "internal/cryptlib.h" +#include "internal/refcount.h" #include "crypto/dsa.h" #include "crypto/dh.h" /* required by DSA_dup_DH() */ +#include "dsa_local.h" static DSA *dsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx); diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index 1e7001809b..04f8fdbcab 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -893,7 +893,7 @@ static int fix_kdf_type(enum state state, /* Convert KDF type strings to numbers */ for (; kdf_type_map->kdf_type_str != NULL; kdf_type_map++) - if (strcmp(ctx->p2, kdf_type_map->kdf_type_str) == 0) { + if (strcasecmp(ctx->p2, kdf_type_map->kdf_type_str) == 0) { ctx->p1 = kdf_type_map->kdf_type_num; ret = 1; break; diff --git a/crypto/evp/dh_ctrl.c b/crypto/evp/dh_ctrl.c index 7eb0a8ee48..57cd88b41b 100644 --- a/crypto/evp/dh_ctrl.c +++ b/crypto/evp/dh_ctrl.c @@ -9,8 +9,6 @@ #include "internal/deprecated.h" -#include -#include #include #include #include diff --git a/crypto/evp/dsa_ctrl.c b/crypto/evp/dsa_ctrl.c index cb7e543e02..5fa2300abb 100644 --- a/crypto/evp/dsa_ctrl.c +++ b/crypto/evp/dsa_ctrl.c @@ -82,13 +82,6 @@ int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits) if ((ret = dsa_paramgen_check(ctx)) <= 0) return ret; -#if !defined(FIPS_MODULE) - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL); -#endif - *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_FFC_PBITS, &bits); *p++ = OSSL_PARAM_construct_end(); @@ -104,13 +97,6 @@ int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits) if ((ret = dsa_paramgen_check(ctx)) <= 0) return ret; -#if !defined(FIPS_MODULE) - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits, NULL); -#endif - *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_FFC_QBITS, &bits2); *p++ = OSSL_PARAM_construct_end(); @@ -127,16 +113,6 @@ int EVP_PKEY_CTX_set_dsa_paramgen_md_props(EVP_PKEY_CTX *ctx, if ((ret = dsa_paramgen_check(ctx)) <= 0) return ret; -#if !defined(FIPS_MODULE) - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.keymgmt.genctx == NULL) { - const EVP_MD *md = EVP_get_digestbyname(md_name); - - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, (void *)(md)); - } -#endif - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, (char *)md_name, 0); if (md_properties != NULL) @@ -148,10 +124,10 @@ int EVP_PKEY_CTX_set_dsa_paramgen_md_props(EVP_PKEY_CTX *ctx, } #if !defined(FIPS_MODULE) +/* TODO(3.0): deprecate as this is needed only for legacy? */ int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - const char *md_name = (md == NULL) ? "" : EVP_MD_name(md); - - return EVP_PKEY_CTX_set_dsa_paramgen_md_props(ctx, md_name, NULL); + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, (void *)(md)); } #endif diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c index ff0c55d023..b8b5434ee6 100644 --- a/crypto/evp/ec_ctrl.c +++ b/crypto/evp/ec_ctrl.c @@ -9,8 +9,6 @@ #include "internal/deprecated.h" -#include - #include #include #include @@ -254,13 +252,6 @@ int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) if (ret != 1) return ret; - /* TODO(3.0): Remove this eventually when no more legacy */ - if (ctx->op.kex.exchprovctx == NULL) - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_GET_EC_KDF_UKM, 0, - (void *)(pukm)); - *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_EXCHANGE_PARAM_KDF_UKM, (void **)pukm, 0); *p++ = OSSL_PARAM_construct_end(); diff --git a/crypto/rsa/build.info b/crypto/rsa/build.info index d97e07fa4c..f0c7668bf2 100644 --- a/crypto/rsa/build.info +++ b/crypto/rsa/build.info @@ -19,4 +19,4 @@ SOURCE[../../providers/libfips.a]=$COMMON IF[{- !$disabled{'acvp-tests'} -}] SOURCE[../../providers/libfips.a]=rsa_acvp_test_params.c -ENDIF \ No newline at end of file +ENDIF diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 817372cbb7..530fdaa035 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -13,14 +13,13 @@ */ #include "internal/deprecated.h" -#include #include #include #include #include +#include #include "internal/cryptlib.h" #include "internal/refcount.h" -#include "openssl/param_build.h" #include "crypto/bn.h" #include "crypto/evp.h" #include "crypto/rsa.h" @@ -1067,8 +1066,6 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) if (!EVP_PKEY_CTX_is_a(ctx, "RSA")) return -1; - /* TODO(3.0) Shouldn't a set0 translate into setting an OCTET_PTR? */ - /* Cast away the const. This is read only so should be safe */ *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, (void *)label, (size_t)llen); @@ -1077,7 +1074,7 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) if (!evp_pkey_ctx_set_params_strict(ctx, rsa_params)) return 0; - /* TODO(3.0) ????? */ + /* Ownership is supposed to be transfered to the callee. */ OPENSSL_free(label); return 1; } From levitte at openssl.org Wed Feb 24 18:50:53 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 24 Feb 2021 18:50:53 +0000 Subject: [openssl] master update Message-ID: <1614192653.358593.19887.nullmailer@dev.openssl.org> The branch master has been updated via 6be27456e1346121b1fed797e92353733b59e16e (commit) via af8bd1d8359705c6a980c65b0c27c3e90fc43bea (commit) via a8eb71ad577bbbd41cea915315451f0ef9f11581 (commit) from da9988e0f5371cb7e2aeed9f3c9a6433a9acc595 (commit) - Log ----------------------------------------------------------------- commit 6be27456e1346121b1fed797e92353733b59e16e Author: Richard Levitte Date: Tue Feb 23 18:19:38 2021 +0100 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() OSSL_PARAM_BLD_push_utf8_string() was still setting the length in bytes of the UTF8 string to include the terminating NUL byte, while recent changes excludes that byte from the length. It's still made to add a NUL byte at the end of the string no matter what. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14035) commit af8bd1d8359705c6a980c65b0c27c3e90fc43bea Author: Richard Levitte Date: Tue Feb 23 08:10:02 2021 +0100 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING OSSL_PARAM_allocate_from_text() was still setting the length in bytes of the UTF8 string to include the terminating NUL byte, while recent changes excludes that byte from the length. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14035) commit a8eb71ad577bbbd41cea915315451f0ef9f11581 Author: Richard Levitte Date: Mon Feb 1 08:58:58 2021 +0100 Allow the sshkdf type to be passed as a single character This partially reverts commit 270a5ce1d9ea579a2f1d45887971582b1ef2b6a1. This also slightly modifies the way diverse parameters in are specified in providers/fips/self_test_data.inc for better consistency. Fixes #14027 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14035) ----------------------------------------------------------------------- Summary of changes: crypto/param_build.c | 10 ++++++---- crypto/params_from_text.c | 2 ++ doc/man7/EVP_KDF-SSHKDF.pod | 16 ++++++++-------- include/openssl/kdf.h | 14 ++++++-------- providers/fips/self_test_data.inc | 12 +++++++----- providers/fips/self_test_kats.c | 3 ++- providers/implementations/kdfs/sshkdf.c | 3 ++- test/evp_kdf_test.c | 4 ++-- 8 files changed, 35 insertions(+), 29 deletions(-) diff --git a/crypto/param_build.c b/crypto/param_build.c index ce9eaa1fec..954ff81e2a 100644 --- a/crypto/param_build.c +++ b/crypto/param_build.c @@ -74,7 +74,7 @@ static OSSL_PARAM_BLD_DEF *param_push(OSSL_PARAM_BLD *bld, const char *key, pd->key = key; pd->type = type; pd->size = size; - pd->alloc_blocks = bytes_to_blocks(size); + pd->alloc_blocks = bytes_to_blocks(alloc); if ((pd->secure = secure) != 0) bld->secure_blocks += pd->alloc_blocks; else @@ -242,12 +242,12 @@ int OSSL_PARAM_BLD_push_utf8_string(OSSL_PARAM_BLD *bld, const char *key, OSSL_PARAM_BLD_DEF *pd; if (bsize == 0) { - bsize = strlen(buf) + 1; + bsize = strlen(buf); } else if (bsize > INT_MAX) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG); return 0; } - pd = param_push(bld, key, bsize, bsize, OSSL_PARAM_UTF8_STRING, 0); + pd = param_push(bld, key, bsize, bsize + 1, OSSL_PARAM_UTF8_STRING, 0); if (pd == NULL) return 0; pd->string = buf; @@ -260,7 +260,7 @@ int OSSL_PARAM_BLD_push_utf8_ptr(OSSL_PARAM_BLD *bld, const char *key, OSSL_PARAM_BLD_DEF *pd; if (bsize == 0) { - bsize = strlen(buf) + 1; + bsize = strlen(buf); } else if (bsize > INT_MAX) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG); return 0; @@ -340,6 +340,8 @@ static OSSL_PARAM *param_bld_convert(OSSL_PARAM_BLD *bld, OSSL_PARAM *param, memcpy(p, pd->string, pd->size); else memset(p, 0, pd->size); + if (pd->type == OSSL_PARAM_UTF8_STRING) + ((char *)p)[pd->size] = '\0'; } else { /* Number, but could also be a NULL BIGNUM */ if (pd->size > sizeof(pd->num)) diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c index b019744f9b..3ff94c7475 100644 --- a/crypto/params_from_text.c +++ b/crypto/params_from_text.c @@ -151,6 +151,8 @@ static int construct_from_text(OSSL_PARAM *to, const OSSL_PARAM *paramdef, #else strncpy(buf, value, buf_n); #endif + /* Don't count the terminating NUL byte as data */ + buf_n--; break; case OSSL_PARAM_OCTET_STRING: if (ishex) { diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index a2ff902cce..b782b6fa7c 100644 --- a/doc/man7/EVP_KDF-SSHKDF.pod +++ b/doc/man7/EVP_KDF-SSHKDF.pod @@ -51,32 +51,32 @@ There are six supported types: =item EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV The Initial IV from client to server. -Char array initializer of value {65, 0}, i.e., ASCII string "A". +A single char of value 65 (ASCII char 'A'). =item EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI The Initial IV from server to client -Char array initializer of value {66, 0}, i.e., ASCII string "B". +A single char of value 66 (ASCII char 'B'). =item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV The Encryption Key from client to server -Char array initializer of value {67, 0}, i.e., ASCII string "C". +A single char of value 67 (ASCII char 'C'). =item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI The Encryption Key from server to client -Char array initializer of value {68, 0}, i.e., ASCII string "D". +A single char of value 68 (ASCII char 'D'). =item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV The Integrity Key from client to server -Char array initializer of value {69, 0}, i.e., ASCII string "E". +A single char of value 69 (ASCII char 'E'). =item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI The Integrity Key from client to server -Char array initializer of value {70, 0}, i.e., ASCII string "F". +A single char of value 70 (ASCII char 'F'). =back @@ -103,7 +103,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate EVP_KDF *kdf; EVP_KDF_CTX *kctx; - const char type[] = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV; + const char type = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV; unsigned char key[1024] = "01234..."; unsigned char xcghash[32] = "012345..."; unsigned char session_id[32] = "012345..."; @@ -124,7 +124,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, session_id, (size_t)32); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, - type, sizeof(type) - 1); + &type, sizeof(type)); *p = OSSL_PARAM_construct_end(); if (EVP_KDF_CTX_set_params(kctx, params) <= 0) /* Error */ diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index dd24ab04cd..eada3cf1ac 100644 --- a/include/openssl/kdf.h +++ b/include/openssl/kdf.h @@ -60,14 +60,12 @@ void EVP_KDF_names_do_all(const EVP_KDF *kdf, # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 -/* SSHKDF key exchange stages.*/ -/* See https://tools.ietf.org/html/rfc4253#section-7.2 */ -#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV {65, 0} -#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI {66, 0} -#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV {67, 0} -#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI {68, 0} -#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV {69, 0} -#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI {70, 0} +#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 +#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 +#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 +#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 68 +#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 +#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 /**** The legacy PKEY-based KDF API follows. ****/ diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index fc8bf2b54e..49ffb7aab6 100644 --- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc @@ -8,8 +8,8 @@ */ /* Macros to build Self test data */ -#define ITM(x) x, sizeof(x) -#define ITM_STR(x) x, (sizeof(x) - 1) +#define ITM(x) ((void *)&x), sizeof(x) +#define ITM_STR(x) ((void *)&x), (sizeof(x) - 1) #define ST_KAT_PARAM_END() { "", 0, NULL, 0 } #define ST_KAT_PARAM_BIGNUM(name, data) \ @@ -18,8 +18,10 @@ { name, OSSL_PARAM_OCTET_STRING, ITM(data) } #define ST_KAT_PARAM_UTF8STRING(name, data) \ { name, OSSL_PARAM_UTF8_STRING, ITM_STR(data) } +#define ST_KAT_PARAM_UTF8CHAR(name, data) \ + { name, OSSL_PARAM_UTF8_STRING, ITM(data) } #define ST_KAT_PARAM_INT(name, i) \ - { name, OSSL_PARAM_INTEGER, &i, sizeof(i) } + { name, OSSL_PARAM_INTEGER, ITM(i) } /* used to store raw parameters for keys and algorithms */ typedef struct st_kat_param_st { @@ -351,7 +353,7 @@ static const ST_KAT_PARAM pbkdf2_params[] = { }; static const char sshkdf_digest[] = "SHA1"; -static const char sshkdf_type[] = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV; +static const char sshkdf_type = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV; static const unsigned char sshkdf_key[] = { 0x00, 0x00, 0x00, 0x80, 0x55, 0xba, 0xe9, 0x31, 0xc0, 0x7f, 0xd8, 0x24, 0xbf, 0x10, 0xad, 0xd1, @@ -386,7 +388,7 @@ static const unsigned char sshkdf_expected[] = { }; static const ST_KAT_PARAM sshkdf_params[] = { ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, sshkdf_digest), - ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_SSHKDF_TYPE, sshkdf_type), + ST_KAT_PARAM_UTF8CHAR(OSSL_KDF_PARAM_SSHKDF_TYPE, sshkdf_type), ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_KEY, sshkdf_key), ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_SSHKDF_XCGHASH, sshkdf_xcghash), ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, sshkdf_session_id), diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index c408339298..79b78f0ba5 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -159,7 +159,8 @@ static int add_params(OSSL_PARAM_BLD *bld, const ST_KAT_PARAM *params, break; } case OSSL_PARAM_UTF8_STRING: { - if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data, 0)) + if (!OSSL_PARAM_BLD_push_utf8_string(bld, p->name, p->data, + p->data_len)) goto err; break; } diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index 1caef4b7b8..cc8f946390 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -159,7 +159,8 @@ static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (!OSSL_PARAM_get_utf8_string_ptr(p, &kdftype)) return 0; - if (kdftype == NULL || kdftype[0] == '\0' || kdftype[1] != '\0') + /* Expect one character (byte in this case) */ + if (kdftype == NULL || p->data_size != 1) return 0; if (kdftype[0] < 65 || kdftype[0] > 70) { ERR_raise(ERR_LIB_PROV, PROV_R_VALUE_ERROR); diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index cb387bc71d..a1a2fadcce 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -1205,7 +1205,7 @@ static int test_kdf_sshkdf(void) int ret; EVP_KDF_CTX *kctx; OSSL_PARAM params[6], *p = params; - char kdftype[] = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV; + char kdftype = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV; unsigned char out[8]; /* Test data from NIST CAVS 14.1 test vectors */ static unsigned char key[] = { @@ -1245,7 +1245,7 @@ static int test_kdf_sshkdf(void) *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, sessid, sizeof(sessid)); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, - kdftype, 0); + &kdftype, sizeof(kdftype)); *p = OSSL_PARAM_construct_end(); ret = From pauli at openssl.org Wed Feb 24 22:38:00 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 24 Feb 2021 22:38:00 +0000 Subject: [openssl] master update Message-ID: <1614206280.505706.17253.nullmailer@dev.openssl.org> The branch master has been updated via 5eb73cfb372a3701a25f9d4f5e109ba21669af61 (commit) via d84f5515faf3fe00ed5eeca7e7b8b041be863e90 (commit) from 6be27456e1346121b1fed797e92353733b59e16e (commit) - Log ----------------------------------------------------------------- commit 5eb73cfb372a3701a25f9d4f5e109ba21669af61 Author: Matt Caswell Date: Fri Feb 19 17:47:21 2021 +0000 Add a test for a names_do_all function Make sure that if we change the namemap part way through calling a names_do_all function it still works. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14250) commit d84f5515faf3fe00ed5eeca7e7b8b041be863e90 Author: Matt Caswell Date: Fri Feb 19 17:03:43 2021 +0000 Don't hold a lock when calling a callback in ossl_namemap_doall_names We don't want to hold a read lock when calling a user supplied callback. That callback could do anything so the risk of a deadlock is high. Instead we collect all the names first inside the read lock, and then subsequently call the user callback outside the read lock. Fixes #14225 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14250) ----------------------------------------------------------------------- Summary of changes: apps/list.c | 306 +++++++++++++++++---------------- crypto/core_namemap.c | 48 +++++- crypto/encode_decode/decoder_meth.c | 12 +- crypto/encode_decode/decoder_pkey.c | 8 +- crypto/encode_decode/encoder_meth.c | 12 +- crypto/evp/asymcipher.c | 10 +- crypto/evp/digest.c | 4 +- crypto/evp/evp_enc.c | 4 +- crypto/evp/evp_fetch.c | 8 +- crypto/evp/evp_lib.c | 20 ++- crypto/evp/evp_local.h | 6 +- crypto/evp/evp_rand.c | 10 +- crypto/evp/exchange.c | 10 +- crypto/evp/kdf_lib.c | 10 +- crypto/evp/kem.c | 10 +- crypto/evp/keymgmt_meth.c | 10 +- crypto/evp/mac_lib.c | 10 +- crypto/evp/names.c | 6 +- crypto/evp/p_lib.c | 19 +- crypto/evp/signature.c | 10 +- crypto/store/store_meth.c | 12 +- doc/internal/man3/ossl_namemap_new.pod | 9 +- doc/man3/EVP_ASYM_CIPHER_free.pod | 9 +- doc/man3/EVP_DigestInit.pod | 11 +- doc/man3/EVP_EncryptInit.pod | 9 +- doc/man3/EVP_KDF.pod | 9 +- doc/man3/EVP_KEM_free.pod | 7 +- doc/man3/EVP_KEYEXCH_free.pod | 9 +- doc/man3/EVP_KEYMGMT.pod | 9 +- doc/man3/EVP_MAC.pod | 9 +- doc/man3/EVP_PKEY_is_a.pod | 9 +- doc/man3/EVP_RAND.pod | 9 +- doc/man3/EVP_SIGNATURE_free.pod | 9 +- doc/man3/OSSL_DECODER.pod | 9 +- doc/man3/OSSL_ENCODER.pod | 9 +- doc/man3/OSSL_STORE_LOADER.pod | 9 +- include/internal/namemap.h | 6 +- include/openssl/decoder.h | 6 +- include/openssl/encoder.h | 6 +- include/openssl/evp.h | 58 +++---- include/openssl/kdf.h | 6 +- include/openssl/store.h | 6 +- test/evp_extra_test.c | 49 ++++++ 43 files changed, 494 insertions(+), 323 deletions(-) diff --git a/apps/list.c b/apps/list.c index 72c4205e9a..e16e2bf7bc 100644 --- a/apps/list.c +++ b/apps/list.c @@ -91,22 +91,23 @@ static void list_ciphers(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_CIPHER_names_do_all(c, collect_names, names); - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", - OSSL_PROVIDER_name(EVP_CIPHER_provider(c))); - - if (verbose) { - print_param_types("retrievable algorithm parameters", - EVP_CIPHER_gettable_params(c), 4); - print_param_types("retrievable operation parameters", - EVP_CIPHER_gettable_ctx_params(c), 4); - print_param_types("settable operation parameters", - EVP_CIPHER_settable_ctx_params(c), 4); + if (names != NULL && EVP_CIPHER_names_do_all(c, collect_names, names)) { + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", + OSSL_PROVIDER_name(EVP_CIPHER_provider(c))); + + if (verbose) { + print_param_types("retrievable algorithm parameters", + EVP_CIPHER_gettable_params(c), 4); + print_param_types("retrievable operation parameters", + EVP_CIPHER_gettable_ctx_params(c), 4); + print_param_types("settable operation parameters", + EVP_CIPHER_settable_ctx_params(c), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_CIPHER_pop_free(ciphers, EVP_CIPHER_free); } @@ -168,21 +169,22 @@ static void list_digests(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_MD_names_do_all(m, collect_names, names); - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_MD_provider(m))); - - if (verbose) { - print_param_types("retrievable algorithm parameters", - EVP_MD_gettable_params(m), 4); - print_param_types("retrievable operation parameters", - EVP_MD_gettable_ctx_params(m), 4); - print_param_types("settable operation parameters", - EVP_MD_settable_ctx_params(m), 4); + if (names != NULL && EVP_MD_names_do_all(m, collect_names, names)) { + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_MD_provider(m))); + + if (verbose) { + print_param_types("retrievable algorithm parameters", + EVP_MD_gettable_params(m), 4); + print_param_types("retrievable operation parameters", + EVP_MD_gettable_ctx_params(m), 4); + print_param_types("settable operation parameters", + EVP_MD_settable_ctx_params(m), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_MD_pop_free(digests, EVP_MD_free); } @@ -227,21 +229,22 @@ static void list_macs(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_MAC_names_do_all(m, collect_names, names); - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_MAC_provider(m))); - - if (verbose) { - print_param_types("retrievable algorithm parameters", - EVP_MAC_gettable_params(m), 4); - print_param_types("retrievable operation parameters", - EVP_MAC_gettable_ctx_params(m), 4); - print_param_types("settable operation parameters", - EVP_MAC_settable_ctx_params(m), 4); + if (names != NULL && EVP_MAC_names_do_all(m, collect_names, names)) { + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_MAC_provider(m))); + + if (verbose) { + print_param_types("retrievable algorithm parameters", + EVP_MAC_gettable_params(m), 4); + print_param_types("retrievable operation parameters", + EVP_MAC_gettable_ctx_params(m), 4); + print_param_types("settable operation parameters", + EVP_MAC_settable_ctx_params(m), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_MAC_pop_free(macs, EVP_MAC_free); } @@ -289,21 +292,22 @@ static void list_kdfs(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_KDF_names_do_all(k, collect_names, names); - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_KDF_provider(k))); - - if (verbose) { - print_param_types("retrievable algorithm parameters", - EVP_KDF_gettable_params(k), 4); - print_param_types("retrievable operation parameters", - EVP_KDF_gettable_ctx_params(k), 4); - print_param_types("settable operation parameters", - EVP_KDF_settable_ctx_params(k), 4); + if (names != NULL && EVP_KDF_names_do_all(k, collect_names, names)) { + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_KDF_provider(k))); + + if (verbose) { + print_param_types("retrievable algorithm parameters", + EVP_KDF_gettable_params(k), 4); + print_param_types("retrievable operation parameters", + EVP_KDF_gettable_ctx_params(k), 4); + print_param_types("settable operation parameters", + EVP_KDF_settable_ctx_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_KDF_pop_free(kdfs, EVP_KDF_free); } @@ -478,19 +482,20 @@ static void list_encoders(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - OSSL_ENCODER_names_do_all(k, collect_names, names); - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); + if (names != NULL && OSSL_ENCODER_names_do_all(k, collect_names, names)) { + BIO_printf(bio_out, " "); + print_names(bio_out, names); - BIO_printf(bio_out, " @ %s (%s)\n", - OSSL_PROVIDER_name(OSSL_ENCODER_provider(k)), - OSSL_ENCODER_properties(k)); + BIO_printf(bio_out, " @ %s (%s)\n", + OSSL_PROVIDER_name(OSSL_ENCODER_provider(k)), + OSSL_ENCODER_properties(k)); - if (verbose) { - print_param_types("settable operation parameters", - OSSL_ENCODER_settable_ctx_params(k), 4); + if (verbose) { + print_param_types("settable operation parameters", + OSSL_ENCODER_settable_ctx_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_OSSL_ENCODER_pop_free(encoders, OSSL_ENCODER_free); } @@ -541,19 +546,20 @@ static void list_decoders(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - OSSL_DECODER_names_do_all(k, collect_names, names); - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); + if (names != NULL && OSSL_DECODER_names_do_all(k, collect_names, names)) { + BIO_printf(bio_out, " "); + print_names(bio_out, names); - BIO_printf(bio_out, " @ %s (%s)\n", - OSSL_PROVIDER_name(OSSL_DECODER_provider(k)), - OSSL_DECODER_properties(k)); + BIO_printf(bio_out, " @ %s (%s)\n", + OSSL_PROVIDER_name(OSSL_DECODER_provider(k)), + OSSL_DECODER_properties(k)); - if (verbose) { - print_param_types("settable operation parameters", - OSSL_DECODER_settable_ctx_params(k), 4); + if (verbose) { + print_param_types("settable operation parameters", + OSSL_DECODER_settable_ctx_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_OSSL_DECODER_pop_free(decoders, OSSL_DECODER_free); } @@ -594,22 +600,23 @@ static void list_keymanagers(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_KEYMGMT_names_do_all(k, collect_names, names); - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", - OSSL_PROVIDER_name(EVP_KEYMGMT_provider(k))); - - if (verbose) { - print_param_types("settable key generation parameters", - EVP_KEYMGMT_gen_settable_params(k), 4); - print_param_types("settable operation parameters", - EVP_KEYMGMT_settable_params(k), 4); - print_param_types("retrievable operation parameters", - EVP_KEYMGMT_gettable_params(k), 4); + if (names != NULL && EVP_KEYMGMT_names_do_all(k, collect_names, names)) { + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", + OSSL_PROVIDER_name(EVP_KEYMGMT_provider(k))); + + if (verbose) { + print_param_types("settable key generation parameters", + EVP_KEYMGMT_gen_settable_params(k), 4); + print_param_types("settable operation parameters", + EVP_KEYMGMT_settable_params(k), 4); + print_param_types("retrievable operation parameters", + EVP_KEYMGMT_gettable_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_KEYMGMT_pop_free(km_stack, EVP_KEYMGMT_free); } @@ -650,21 +657,22 @@ static void list_signatures(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_SIGNATURE_names_do_all(k, collect_names, names); - count++; - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", - OSSL_PROVIDER_name(EVP_SIGNATURE_provider(k))); - - if (verbose) { - print_param_types("settable operation parameters", - EVP_SIGNATURE_settable_ctx_params(k), 4); - print_param_types("retrievable operation parameters", - EVP_SIGNATURE_gettable_ctx_params(k), 4); + if (names != NULL && EVP_SIGNATURE_names_do_all(k, collect_names, names)) { + count++; + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", + OSSL_PROVIDER_name(EVP_SIGNATURE_provider(k))); + + if (verbose) { + print_param_types("settable operation parameters", + EVP_SIGNATURE_settable_ctx_params(k), 4); + print_param_types("retrievable operation parameters", + EVP_SIGNATURE_gettable_ctx_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_SIGNATURE_pop_free(sig_stack, EVP_SIGNATURE_free); if (count == 0) @@ -707,20 +715,21 @@ static void list_kems(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_KEM_names_do_all(k, collect_names, names); - count++; - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_KEM_provider(k))); - - if (verbose) { - print_param_types("settable operation parameters", - EVP_KEM_settable_ctx_params(k), 4); - print_param_types("retrievable operation parameters", - EVP_KEM_gettable_ctx_params(k), 4); + if (names != NULL && EVP_KEM_names_do_all(k, collect_names, names)) { + count++; + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", OSSL_PROVIDER_name(EVP_KEM_provider(k))); + + if (verbose) { + print_param_types("settable operation parameters", + EVP_KEM_settable_ctx_params(k), 4); + print_param_types("retrievable operation parameters", + EVP_KEM_gettable_ctx_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_KEM_pop_free(kem_stack, EVP_KEM_free); if (count == 0) @@ -764,21 +773,23 @@ static void list_asymciphers(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_ASYM_CIPHER_names_do_all(k, collect_names, names); - count++; - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", - OSSL_PROVIDER_name(EVP_ASYM_CIPHER_provider(k))); - - if (verbose) { - print_param_types("settable operation parameters", - EVP_ASYM_CIPHER_settable_ctx_params(k), 4); - print_param_types("retrievable operation parameters", - EVP_ASYM_CIPHER_gettable_ctx_params(k), 4); + if (names != NULL + && EVP_ASYM_CIPHER_names_do_all(k, collect_names, names)) { + count++; + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", + OSSL_PROVIDER_name(EVP_ASYM_CIPHER_provider(k))); + + if (verbose) { + print_param_types("settable operation parameters", + EVP_ASYM_CIPHER_settable_ctx_params(k), 4); + print_param_types("retrievable operation parameters", + EVP_ASYM_CIPHER_gettable_ctx_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_ASYM_CIPHER_pop_free(asymciph_stack, EVP_ASYM_CIPHER_free); if (count == 0) @@ -821,21 +832,22 @@ static void list_keyexchanges(void) continue; names = sk_OPENSSL_CSTRING_new(name_cmp); - EVP_KEYEXCH_names_do_all(k, collect_names, names); - count++; - BIO_printf(bio_out, " "); - print_names(bio_out, names); - sk_OPENSSL_CSTRING_free(names); - - BIO_printf(bio_out, " @ %s\n", - OSSL_PROVIDER_name(EVP_KEYEXCH_provider(k))); - - if (verbose) { - print_param_types("settable operation parameters", - EVP_KEYEXCH_settable_ctx_params(k), 4); - print_param_types("retrievable operation parameters", - EVP_KEYEXCH_gettable_ctx_params(k), 4); + if (names != NULL && EVP_KEYEXCH_names_do_all(k, collect_names, names)) { + count++; + BIO_printf(bio_out, " "); + print_names(bio_out, names); + + BIO_printf(bio_out, " @ %s\n", + OSSL_PROVIDER_name(EVP_KEYEXCH_provider(k))); + + if (verbose) { + print_param_types("settable operation parameters", + EVP_KEYEXCH_settable_ctx_params(k), 4); + print_param_types("retrievable operation parameters", + EVP_KEYEXCH_gettable_ctx_params(k), 4); + } } + sk_OPENSSL_CSTRING_free(names); } sk_EVP_KEYEXCH_pop_free(kex_stack, EVP_KEYEXCH_free); if (count == 0) diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c index 0cde909fc4..a81c2dec96 100644 --- a/crypto/core_namemap.c +++ b/crypto/core_namemap.c @@ -116,31 +116,60 @@ int ossl_namemap_empty(OSSL_NAMEMAP *namemap) typedef struct doall_names_data_st { int number; - void (*fn)(const char *name, void *data); - void *data; + const char **names; + int found; } DOALL_NAMES_DATA; static void do_name(const NAMENUM_ENTRY *namenum, DOALL_NAMES_DATA *data) { if (namenum->number == data->number) - data->fn(namenum->name, data->data); + data->names[data->found++] = namenum->name; } IMPLEMENT_LHASH_DOALL_ARG_CONST(NAMENUM_ENTRY, DOALL_NAMES_DATA); -void ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, - void (*fn)(const char *name, void *data), - void *data) +/* + * Call the callback for all names in the namemap with the given number. + * A return value 1 means that the callback was called for all names. A + * return value of 0 means that the callback was not called for any names. + */ +int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, + void (*fn)(const char *name, void *data), + void *data) { DOALL_NAMES_DATA cbdata; + size_t num_names; + int i; cbdata.number = number; - cbdata.fn = fn; - cbdata.data = data; + cbdata.found = 0; + + /* + * We collect all the names first under a read lock. Subsequently we call + * the user function, so that we're not holding the read lock when in user + * code. This could lead to deadlocks. + */ CRYPTO_THREAD_read_lock(namemap->lock); + num_names = lh_NAMENUM_ENTRY_num_items(namemap->namenum); + + if (num_names == 0) { + CRYPTO_THREAD_unlock(namemap->lock); + return 0; + } + cbdata.names = OPENSSL_malloc(sizeof(*cbdata.names) * num_names); + if (cbdata.names == NULL) { + CRYPTO_THREAD_unlock(namemap->lock); + return 0; + } lh_NAMENUM_ENTRY_doall_DOALL_NAMES_DATA(namemap->namenum, do_name, &cbdata); CRYPTO_THREAD_unlock(namemap->lock); + + for (i = 0; i < cbdata.found; i++) + fn(cbdata.names[i], data); + + OPENSSL_free(cbdata.names); + return 1; } static int namemap_name2num_n(const OSSL_NAMEMAP *namemap, @@ -207,7 +236,8 @@ const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number, data.idx = idx; data.name = NULL; - ossl_namemap_doall_names(namemap, number, do_num2name, &data); + if (!ossl_namemap_doall_names(namemap, number, do_num2name, &data)) + return NULL; return data.name; } diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c index 2f2f401b8c..6baf5836e8 100644 --- a/crypto/encode_decode/decoder_meth.c +++ b/crypto/encode_decode/decoder_meth.c @@ -473,19 +473,21 @@ void OSSL_DECODER_do_all_provided(OSSL_LIB_CTX *libctx, &data); } -void OSSL_DECODER_names_do_all(const OSSL_DECODER *decoder, - void (*fn)(const char *name, void *data), - void *data) +int OSSL_DECODER_names_do_all(const OSSL_DECODER *decoder, + void (*fn)(const char *name, void *data), + void *data) { if (decoder == NULL) - return; + return 0; if (decoder->base.prov != NULL) { OSSL_LIB_CTX *libctx = ossl_provider_libctx(decoder->base.prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); - ossl_namemap_doall_names(namemap, decoder->base.id, fn, data); + return ossl_namemap_doall_names(namemap, decoder->base.id, fn, data); } + + return 1; } const OSSL_PARAM * diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index ca9c507582..0fff6823bd 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -302,8 +302,12 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, * If the key type is given by the caller, we only use the matching * KEYMGMTs, otherwise we use them all. */ - if (keytype == NULL || EVP_KEYMGMT_is_a(keymgmt, keytype)) - EVP_KEYMGMT_names_do_all(keymgmt, collect_name, names); + if (keytype == NULL || EVP_KEYMGMT_is_a(keymgmt, keytype)) { + if (!EVP_KEYMGMT_names_do_all(keymgmt, collect_name, names)) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); + goto err; + } + } EVP_KEYMGMT_free(keymgmt); } diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c index f1a6e89b83..191ca8640f 100644 --- a/crypto/encode_decode/encoder_meth.c +++ b/crypto/encode_decode/encoder_meth.c @@ -490,19 +490,21 @@ void OSSL_ENCODER_do_all_provided(OSSL_LIB_CTX *libctx, encoder_do_one, NULL, &data); } -void OSSL_ENCODER_names_do_all(const OSSL_ENCODER *encoder, - void (*fn)(const char *name, void *data), - void *data) +int OSSL_ENCODER_names_do_all(const OSSL_ENCODER *encoder, + void (*fn)(const char *name, void *data), + void *data) { if (encoder == NULL) - return; + return 0; if (encoder->base.prov != NULL) { OSSL_LIB_CTX *libctx = ossl_provider_libctx(encoder->base.prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); - ossl_namemap_doall_names(namemap, encoder->base.id, fn, data); + return ossl_namemap_doall_names(namemap, encoder->base.id, fn, data); } + + return 1; } const OSSL_PARAM * diff --git a/crypto/evp/asymcipher.c b/crypto/evp/asymcipher.c index 6ff49a0526..f096c19345 100644 --- a/crypto/evp/asymcipher.c +++ b/crypto/evp/asymcipher.c @@ -434,12 +434,14 @@ void EVP_ASYM_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx, } -void EVP_ASYM_CIPHER_names_do_all(const EVP_ASYM_CIPHER *cipher, - void (*fn)(const char *name, void *data), - void *data) +int EVP_ASYM_CIPHER_names_do_all(const EVP_ASYM_CIPHER *cipher, + void (*fn)(const char *name, void *data), + void *data) { if (cipher->prov != NULL) - evp_names_do_all(cipher->prov, cipher->name_id, fn, data); + return evp_names_do_all(cipher->prov, cipher->name_id, fn, data); + + return 1; } const OSSL_PARAM *EVP_ASYM_CIPHER_gettable_ctx_params(const EVP_ASYM_CIPHER *cip) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 7346169be6..e322654241 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -881,8 +881,8 @@ static void *evp_md_from_dispatch(int name_id, #ifndef FIPS_MODULE /* TODO(3.x) get rid of the need for legacy NIDs */ md->type = NID_undef; - evp_names_do_all(prov, name_id, set_legacy_nid, &md->type); - if (md->type == -1) { + if (!evp_names_do_all(prov, name_id, set_legacy_nid, &md->type) + || md->type == -1) { ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); EVP_MD_free(md); return NULL; diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index b6aa36c5c2..ebb876a8dc 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1395,8 +1395,8 @@ static void *evp_cipher_from_dispatch(const int name_id, #ifndef FIPS_MODULE /* TODO(3.x) get rid of the need for legacy NIDs */ cipher->nid = NID_undef; - evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid); - if (cipher->nid == -1) { + if (!evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid) + || cipher->nid == -1) { ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); EVP_CIPHER_free(cipher); return NULL; diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c index 2f0d0e15b0..589c15fb1e 100644 --- a/crypto/evp/evp_fetch.c +++ b/crypto/evp/evp_fetch.c @@ -530,12 +530,12 @@ int evp_is_a(OSSL_PROVIDER *prov, int number, return ossl_namemap_name2num(namemap, name) == number; } -void evp_names_do_all(OSSL_PROVIDER *prov, int number, - void (*fn)(const char *name, void *data), - void *data) +int evp_names_do_all(OSSL_PROVIDER *prov, int number, + void (*fn)(const char *name, void *data), + void *data) { OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); - ossl_namemap_doall_names(namemap, number, fn, data); + return ossl_namemap_doall_names(namemap, number, fn, data); } diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index f6598a8b3f..fc2c65b578 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -644,12 +644,14 @@ const char *EVP_CIPHER_name(const EVP_CIPHER *cipher) #endif } -void EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, - void (*fn)(const char *name, void *data), - void *data) +int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, + void (*fn)(const char *name, void *data), + void *data) { if (cipher->prov != NULL) - evp_names_do_all(cipher->prov, cipher->name_id, fn, data); + return evp_names_do_all(cipher->prov, cipher->name_id, fn, data); + + return 1; } const OSSL_PROVIDER *EVP_CIPHER_provider(const EVP_CIPHER *cipher) @@ -685,12 +687,14 @@ const char *EVP_MD_name(const EVP_MD *md) #endif } -void EVP_MD_names_do_all(const EVP_MD *md, - void (*fn)(const char *name, void *data), - void *data) +int EVP_MD_names_do_all(const EVP_MD *md, + void (*fn)(const char *name, void *data), + void *data) { if (md->prov != NULL) - evp_names_do_all(md->prov, md->name_id, fn, data); + return evp_names_do_all(md->prov, md->name_id, fn, data); + + return 1; } const OSSL_PROVIDER *EVP_MD_provider(const EVP_MD *md) diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h index 0112cdca02..e0031a1d04 100644 --- a/crypto/evp/evp_local.h +++ b/crypto/evp/evp_local.h @@ -317,7 +317,7 @@ void evp_pkey_ctx_free_old_ops(EVP_PKEY_CTX *ctx); const char *evp_first_name(const OSSL_PROVIDER *prov, int name_id); int evp_is_a(OSSL_PROVIDER *prov, int number, const char *legacy_name, const char *name); -void evp_names_do_all(OSSL_PROVIDER *prov, int number, - void (*fn)(const char *name, void *data), - void *data); +int evp_names_do_all(OSSL_PROVIDER *prov, int number, + void (*fn)(const char *name, void *data), + void *data); int evp_cipher_cache_constants(EVP_CIPHER *cipher); diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index 4d18194a0b..b27f4e11a0 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -451,12 +451,14 @@ void EVP_RAND_do_all_provided(OSSL_LIB_CTX *libctx, evp_rand_from_dispatch, evp_rand_free); } -void EVP_RAND_names_do_all(const EVP_RAND *rand, - void (*fn)(const char *name, void *data), - void *data) +int EVP_RAND_names_do_all(const EVP_RAND *rand, + void (*fn)(const char *name, void *data), + void *data) { if (rand->prov != NULL) - evp_names_do_all(rand->prov, rand->name_id, fn, data); + return evp_names_do_all(rand->prov, rand->name_id, fn, data); + + return 1; } static int evp_rand_instantiate_locked diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c index b82b7f8219..67f4c5389f 100644 --- a/crypto/evp/exchange.c +++ b/crypto/evp/exchange.c @@ -460,12 +460,14 @@ void EVP_KEYEXCH_do_all_provided(OSSL_LIB_CTX *libctx, (void (*)(void *))EVP_KEYEXCH_free); } -void EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *keyexch, - void (*fn)(const char *name, void *data), - void *data) +int EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *keyexch, + void (*fn)(const char *name, void *data), + void *data) { if (keyexch->prov != NULL) - evp_names_do_all(keyexch->prov, keyexch->name_id, fn, data); + return evp_names_do_all(keyexch->prov, keyexch->name_id, fn, data); + + return 1; } const OSSL_PARAM *EVP_KEYEXCH_gettable_ctx_params(const EVP_KEYEXCH *keyexch) diff --git a/crypto/evp/kdf_lib.c b/crypto/evp/kdf_lib.c index a8565ed25b..36f8eb2ea8 100644 --- a/crypto/evp/kdf_lib.c +++ b/crypto/evp/kdf_lib.c @@ -172,10 +172,12 @@ int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]) return 1; } -void EVP_KDF_names_do_all(const EVP_KDF *kdf, - void (*fn)(const char *name, void *data), - void *data) +int EVP_KDF_names_do_all(const EVP_KDF *kdf, + void (*fn)(const char *name, void *data), + void *data) { if (kdf->prov != NULL) - evp_names_do_all(kdf->prov, kdf->name_id, fn, data); + return evp_names_do_all(kdf->prov, kdf->name_id, fn, data); + + return 1; } diff --git a/crypto/evp/kem.c b/crypto/evp/kem.c index 989ffa2414..2b81cc1586 100644 --- a/crypto/evp/kem.c +++ b/crypto/evp/kem.c @@ -349,12 +349,14 @@ void EVP_KEM_do_all_provided(OSSL_LIB_CTX *libctx, (void (*)(void *))EVP_KEM_free); } -void EVP_KEM_names_do_all(const EVP_KEM *kem, - void (*fn)(const char *name, void *data), - void *data) +int EVP_KEM_names_do_all(const EVP_KEM *kem, + void (*fn)(const char *name, void *data), + void *data) { if (kem->prov != NULL) - evp_names_do_all(kem->prov, kem->name_id, fn, data); + return evp_names_do_all(kem->prov, kem->name_id, fn, data); + + return 1; } const OSSL_PARAM *EVP_KEM_gettable_ctx_params(const EVP_KEM *kem) diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c index c8c3d705c7..aecb7ec368 100644 --- a/crypto/evp/keymgmt_meth.c +++ b/crypto/evp/keymgmt_meth.c @@ -269,12 +269,14 @@ void EVP_KEYMGMT_do_all_provided(OSSL_LIB_CTX *libctx, (void (*)(void *))EVP_KEYMGMT_free); } -void EVP_KEYMGMT_names_do_all(const EVP_KEYMGMT *keymgmt, - void (*fn)(const char *name, void *data), - void *data) +int EVP_KEYMGMT_names_do_all(const EVP_KEYMGMT *keymgmt, + void (*fn)(const char *name, void *data), + void *data) { if (keymgmt->prov != NULL) - evp_names_do_all(keymgmt->prov, keymgmt->name_id, fn, data); + return evp_names_do_all(keymgmt->prov, keymgmt->name_id, fn, data); + + return 1; } /* diff --git a/crypto/evp/mac_lib.c b/crypto/evp/mac_lib.c index c5c12598d3..de4d3623ff 100644 --- a/crypto/evp/mac_lib.c +++ b/crypto/evp/mac_lib.c @@ -174,10 +174,12 @@ int EVP_MAC_is_a(const EVP_MAC *mac, const char *name) return evp_is_a(mac->prov, mac->name_id, NULL, name); } -void EVP_MAC_names_do_all(const EVP_MAC *mac, - void (*fn)(const char *name, void *data), - void *data) +int EVP_MAC_names_do_all(const EVP_MAC *mac, + void (*fn)(const char *name, void *data), + void *data) { if (mac->prov != NULL) - evp_names_do_all(mac->prov, mac->name_id, fn, data); + return evp_names_do_all(mac->prov, mac->name_id, fn, data); + + return 1; } diff --git a/crypto/evp/names.c b/crypto/evp/names.c index cb59813857..97fd1b8302 100644 --- a/crypto/evp/names.c +++ b/crypto/evp/names.c @@ -98,7 +98,8 @@ const EVP_CIPHER *evp_get_cipherbyname_ex(OSSL_LIB_CTX *libctx, if (id == 0) return NULL; - ossl_namemap_doall_names(namemap, id, cipher_from_name, &cp); + if (!ossl_namemap_doall_names(namemap, id, cipher_from_name, &cp)) + return NULL; return cp; } @@ -143,7 +144,8 @@ const EVP_MD *evp_get_digestbyname_ex(OSSL_LIB_CTX *libctx, const char *name) if (id == 0) return NULL; - ossl_namemap_doall_names(namemap, id, digest_from_name, &dp); + if (!ossl_namemap_doall_names(namemap, id, digest_from_name, &dp)) + return NULL; return dp; } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 653a3b7743..9f3256c191 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -982,20 +982,20 @@ int EVP_PKEY_is_a(const EVP_PKEY *pkey, const char *name) return EVP_KEYMGMT_is_a(pkey->keymgmt, name); } -void EVP_PKEY_typenames_do_all(const EVP_PKEY *pkey, - void (*fn)(const char *name, void *data), - void *data) +int EVP_PKEY_typenames_do_all(const EVP_PKEY *pkey, + void (*fn)(const char *name, void *data), + void *data) { if (!evp_pkey_is_typed(pkey)) - return; + return 0; if (!evp_pkey_is_provided(pkey)) { const char *name = OBJ_nid2sn(EVP_PKEY_id(pkey)); fn(name, data); - return; + return 1; } - EVP_KEYMGMT_names_do_all(pkey->keymgmt, fn, data); + return EVP_KEYMGMT_names_do_all(pkey->keymgmt, fn, data); } int EVP_PKEY_can_sign(const EVP_PKEY *pkey) @@ -1182,7 +1182,8 @@ static int legacy_asn1_ctrl_to_param(EVP_PKEY *pkey, int op, * We have the namemap number - now we need to find the * associated nid */ - ossl_namemap_doall_names(namemap, mdnum, mdname2nid, &nid); + if (!ossl_namemap_doall_names(namemap, mdnum, mdname2nid, &nid)) + return 0; *(int *)arg2 = nid; } return rv; @@ -1526,8 +1527,8 @@ int EVP_PKEY_set_type_by_keymgmt(EVP_PKEY *pkey, EVP_KEYMGMT *keymgmt) */ const char *str[2] = { NULL, NULL }; - EVP_KEYMGMT_names_do_all(keymgmt, find_ameth, &str); - if (str[1] != NULL) { + if (!EVP_KEYMGMT_names_do_all(keymgmt, find_ameth, &str) + || str[1] != NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return 0; } diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c index 89dc7e465f..4a1692ce98 100644 --- a/crypto/evp/signature.c +++ b/crypto/evp/signature.c @@ -329,12 +329,14 @@ void EVP_SIGNATURE_do_all_provided(OSSL_LIB_CTX *libctx, } -void EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature, - void (*fn)(const char *name, void *data), - void *data) +int EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature, + void (*fn)(const char *name, void *data), + void *data) { if (signature->prov != NULL) - evp_names_do_all(signature->prov, signature->name_id, fn, data); + return evp_names_do_all(signature->prov, signature->name_id, fn, data); + + return 1; } const OSSL_PARAM *EVP_SIGNATURE_gettable_ctx_params(const EVP_SIGNATURE *sig) diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index d66b30f0ad..04f7249ddc 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -452,17 +452,19 @@ void OSSL_STORE_LOADER_do_all_provided(OSSL_LIB_CTX *libctx, &data); } -void OSSL_STORE_LOADER_names_do_all(const OSSL_STORE_LOADER *loader, - void (*fn)(const char *name, void *data), - void *data) +int OSSL_STORE_LOADER_names_do_all(const OSSL_STORE_LOADER *loader, + void (*fn)(const char *name, void *data), + void *data) { if (loader == NULL) - return; + return 0; if (loader->prov != NULL) { OSSL_LIB_CTX *libctx = ossl_provider_libctx(loader->prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); - ossl_namemap_doall_names(namemap, loader->scheme_id, fn, data); + return ossl_namemap_doall_names(namemap, loader->scheme_id, fn, data); } + + return 1; } diff --git a/doc/internal/man3/ossl_namemap_new.pod b/doc/internal/man3/ossl_namemap_new.pod index 7868dd5493..514ff5f8e6 100644 --- a/doc/internal/man3/ossl_namemap_new.pod +++ b/doc/internal/man3/ossl_namemap_new.pod @@ -25,9 +25,9 @@ ossl_namemap_doall_names int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name); int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, const char *name, size_t name_len); - void ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, - void (*fn)(const char *name, void *data), - void *data); + int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, + void (*fn)(const char *name, void *data), + void *data); int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, const char *names, const char separator); @@ -98,6 +98,9 @@ ossl_namemap_name2num() and ossl_namemap_name2num_n() return the number corresponding to the given name, or 0 if it's undefined in the given B. +ossl_namemap_doall_names() returns 1 if the callback was called for all names. A +return value of 0 means that the callback was not called for any names. + ossl_namemap_add_names() returns the number associated with the added names, or zero on error. diff --git a/doc/man3/EVP_ASYM_CIPHER_free.pod b/doc/man3/EVP_ASYM_CIPHER_free.pod index 1476103b94..bf6c9f7c3e 100644 --- a/doc/man3/EVP_ASYM_CIPHER_free.pod +++ b/doc/man3/EVP_ASYM_CIPHER_free.pod @@ -23,9 +23,9 @@ EVP_ASYM_CIPHER_gettable_ctx_params, EVP_ASYM_CIPHER_settable_ctx_params void (*fn)(EVP_ASYM_CIPHER *cipher, void *arg), void *arg); - void EVP_ASYM_CIPHER_names_do_all(const EVP_ASYM_CIPHER *cipher, - void (*fn)(const char *name, void *data), - void *data); + int EVP_ASYM_CIPHER_names_do_all(const EVP_ASYM_CIPHER *cipher, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_ASYM_CIPHER_gettable_ctx_params(const EVP_ASYM_CIPHER *cip); const OSSL_PARAM *EVP_ASYM_CIPHER_settable_ctx_params(const EVP_ASYM_CIPHER *cip); @@ -76,6 +76,9 @@ or B for failure. EVP_ASYM_CIPHER_up_ref() returns 1 for success or 0 otherwise. +EVP_ASYM_CIPHER_names_do_all() returns 1 if the callback was called for all +names. A return value of 0 means that the callback was not called for any names. + EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params() return a constant B array or NULL on error. diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 025bee4f46..c4cecad3a7 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -64,9 +64,9 @@ EVP_MD_do_all_provided const char *EVP_MD_name(const EVP_MD *md); int EVP_MD_number(const EVP_MD *md); int EVP_MD_is_a(const EVP_MD *md, const char *name); - void EVP_MD_names_do_all(const EVP_MD *md, - void (*fn)(const char *name, void *data), - void *data); + int EVP_MD_names_do_all(const EVP_MD *md, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PROVIDER *EVP_MD_provider(const EVP_MD *md); int EVP_MD_type(const EVP_MD *md); int EVP_MD_pkey_type(const EVP_MD *md); @@ -542,6 +542,11 @@ Returns either an B structure or NULL if an error occurs. This function has no return value. +=item EVP_MD_names_do_all() + +Returns 1 if the callback was called for all names. A return value of 0 means +that the callback was not called for any names. + =back =head1 NOTES diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 9bac8a2b78..7cc9cebb51 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -125,9 +125,9 @@ EVP_CIPHER_do_all_provided int EVP_CIPHER_nid(const EVP_CIPHER *e); int EVP_CIPHER_number(const EVP_CIPHER *e); int EVP_CIPHER_is_a(const EVP_CIPHER *cipher, const char *name); - void EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, - void (*fn)(const char *name, void *data), - void *data); + int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, + void (*fn)(const char *name, void *data), + void *data); const char *EVP_CIPHER_name(const EVP_CIPHER *cipher); const OSSL_PROVIDER *EVP_CIPHER_provider(const EVP_CIPHER *cipher); int EVP_CIPHER_block_size(const EVP_CIPHER *e); @@ -461,6 +461,9 @@ than zero for success and zero or a negative number on failure. EVP_CIPHER_CTX_rand_key() returns 1 for success. +EVP_CIPHER_names_do_all() returns 1 if the callback was called for all names. +A return value of 0 means that the callback was not called for any names. + =head1 CIPHER LISTING All algorithms have a fixed key length unless otherwise stated. diff --git a/doc/man3/EVP_KDF.pod b/doc/man3/EVP_KDF.pod index 103eafe8c1..3afc0bd9b1 100644 --- a/doc/man3/EVP_KDF.pod +++ b/doc/man3/EVP_KDF.pod @@ -36,9 +36,9 @@ EVP_KDF_gettable_params - EVP KDF routines void EVP_KDF_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KDF *kdf, void *arg), void *arg); - void EVP_KDF_names_do_all(const EVP_KDF *kdf, - void (*fn)(const char *name, void *data), - void *data); + int EVP_KDF_names_do_all(const EVP_KDF *kdf, + void (*fn)(const char *name, void *data), + void *data); int EVP_KDF_get_params(EVP_KDF *kdf, OSSL_PARAM params[]); int EVP_KDF_CTX_get_params(EVP_KDF_CTX *ctx, OSSL_PARAM params[]); int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]); @@ -252,6 +252,9 @@ that the algorithm produces a variable amount of output; 0 to indicate failure. EVP_KDF_name() returns the name of the KDF, or NULL on error. +EVP_KDF_names_do_all() returns 1 if the callback was called for all names. A +return value of 0 means that the callback was not called for any names. + The remaining functions return 1 for success and 0 or a negative value for failure. In particular, a return value of -2 indicates the operation is not supported by the KDF algorithm. diff --git a/doc/man3/EVP_KEM_free.pod b/doc/man3/EVP_KEM_free.pod index 714a86e7ff..a485f85815 100644 --- a/doc/man3/EVP_KEM_free.pod +++ b/doc/man3/EVP_KEM_free.pod @@ -21,8 +21,8 @@ EVP_KEM_gettable_ctx_params, EVP_KEM_settable_ctx_params OSSL_PROVIDER *EVP_KEM_provider(const EVP_KEM *kem); void EVP_KEM_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KEM *kem, void *arg), void *arg); - void EVP_KEM_names_do_all(const EVP_KEM *kem, - void (*fn)(const char *name, void *data), void *data); + int EVP_KEM_names_do_all(const EVP_KEM *kem, + void (*fn)(const char *name, void *data), void *data); const OSSL_PARAM *EVP_KEM_gettable_ctx_params(const EVP_KEM *kem); const OSSL_PARAM *EVP_KEM_settable_ctx_params(const EVP_KEM *kem); @@ -70,6 +70,9 @@ failure. EVP_KEM_up_ref() returns 1 for success or 0 otherwise. +EVP_KEM_names_do_all() returns 1 if the callback was called for all names. A +return value of 0 means that the callback was not called for any names. + EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params() return a constant B array or NULL on error. diff --git a/doc/man3/EVP_KEYEXCH_free.pod b/doc/man3/EVP_KEYEXCH_free.pod index 9b133e03f0..ab8f38e077 100644 --- a/doc/man3/EVP_KEYEXCH_free.pod +++ b/doc/man3/EVP_KEYEXCH_free.pod @@ -22,9 +22,9 @@ EVP_KEYEXCH_gettable_ctx_params, EVP_KEYEXCH_settable_ctx_params void EVP_KEYEXCH_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KEYEXCH *exchange, void *arg), void *arg); - void EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *exchange, - void (*fn)(const char *name, void *data), - void *data); + int EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *exchange, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_KEYEXCH_gettable_ctx_params(const EVP_KEYEXCH *keyexch); const OSSL_PARAM *EVP_KEYEXCH_settable_ctx_params(const EVP_KEYEXCH *keyexch); @@ -73,6 +73,9 @@ or NULL for failure. EVP_KEYEXCH_up_ref() returns 1 for success or 0 otherwise. +EVP_KEYEXCH_names_do_all() returns 1 if the callback was called for all +names. A return value of 0 means that the callback was not called for any names. + EVP_KEYEXCH_is_a() returns 1 of I was identifiable, otherwise 0. diff --git a/doc/man3/EVP_KEYMGMT.pod b/doc/man3/EVP_KEYMGMT.pod index e47591b217..e103b58e90 100644 --- a/doc/man3/EVP_KEYMGMT.pod +++ b/doc/man3/EVP_KEYMGMT.pod @@ -35,9 +35,9 @@ EVP_KEYMGMT_gen_settable_params void EVP_KEYMGMT_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KEYMGMT *keymgmt, void *arg), void *arg); - void EVP_KEYMGMT_names_do_all(const EVP_KEYMGMT *keymgmt, - void (*fn)(const char *name, void *data), - void *data); + int EVP_KEYMGMT_names_do_all(const EVP_KEYMGMT *keymgmt, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_KEYMGMT_gettable_params(const EVP_KEYMGMT *keymgmt); const OSSL_PARAM *EVP_KEYMGMT_settable_params(const EVP_KEYMGMT *keymgmt); const OSSL_PARAM *EVP_KEYMGMT_gen_settable_params(const EVP_KEYMGMT *keymgmt); @@ -110,6 +110,9 @@ error. EVP_KEYMGMT_up_ref() returns 1 on success, or 0 on error. +EVP_KEYMGMT_names_do_all() returns 1 if the callback was called for all +names. A return value of 0 means that the callback was not called for any names. + EVP_KEYMGMT_free() doesn't return any value. EVP_KEYMGMT_provider() returns a pointer to a provider object, or NULL diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 29f81831e4..ff7003b906 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -25,9 +25,9 @@ EVP_MAC_do_all_provided - EVP MAC routines int EVP_MAC_is_a(const EVP_MAC *mac, const char *name); int EVP_MAC_number(const EVP_MAC *mac); const char *EVP_MAC_name(const EVP_MAC *mac); - void EVP_MAC_names_do_all(const EVP_MAC *mac, - void (*fn)(const char *name, void *data), - void *data); + int EVP_MAC_names_do_all(const EVP_MAC *mac, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PROVIDER *EVP_MAC_provider(const EVP_MAC *mac); int EVP_MAC_get_params(EVP_MAC *mac, OSSL_PARAM params[]); @@ -291,6 +291,9 @@ NULL if allocation failed. EVP_MAC_up_ref() returns 1 on success, 0 on error. +EVP_MAC_names_do_all() returns 1 if the callback was called for all names. A +return value of 0 means that the callback was not called for any names. + EVP_MAC_free() returns nothing at all. EVP_MAC_is_a() returns 1 if the given method can be identified with diff --git a/doc/man3/EVP_PKEY_is_a.pod b/doc/man3/EVP_PKEY_is_a.pod index 6ca64de6b3..228c312cee 100644 --- a/doc/man3/EVP_PKEY_is_a.pod +++ b/doc/man3/EVP_PKEY_is_a.pod @@ -12,9 +12,9 @@ EVP_PKEY_get0_first_alg_name int EVP_PKEY_is_a(const EVP_PKEY *pkey, const char *name); int EVP_PKEY_can_sign(const EVP_PKEY *pkey); - void EVP_PKEY_typenames_do_all(const EVP_PKEY *pkey, - void (*fn)(const char *name, void *data), - void *data); + int EVP_PKEY_typenames_do_all(const EVP_PKEY *pkey, + void (*fn)(const char *name, void *data), + void *data); const char *EVP_PKEY_get0_first_alg_name(const EVP_PKEY *key); =head1 DESCRIPTION @@ -46,6 +46,9 @@ supports signing, otherwise 0. EVP_PKEY_get0_first_alg_name() returns the name that is found or NULL on error. +EVP_PKEY_typenames_do_all() returns 1 if the callback was called for all names. +A return value of 0 means that the callback was not called for any names. + =head1 EXAMPLES =head2 EVP_PKEY_is_a() diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index 97114af0fb..df92629780 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod @@ -41,9 +41,9 @@ EVP_RAND_STATE_ERROR - EVP RAND routines void EVP_RAND_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_RAND *rand, void *arg), void *arg); - void EVP_RAND_names_do_all(const EVP_RAND *rand, - void (*fn)(const char *name, void *data), - void *data); + int EVP_RAND_names_do_all(const EVP_RAND *rand, + void (*fn)(const char *name, void *data), + void *data); int EVP_RAND_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, @@ -335,6 +335,9 @@ for the specified algorithm. EVP_RAND_up_ref() returns 1 on success, 0 on error. +EVP_RAND_names_do_all() returns 1 if the callback was called for all names. A +return value of 0 means that the callback was not called for any names. + EVP_RAND_CTX_new() returns either the newly allocated B structure or NULL if an error occurred. diff --git a/doc/man3/EVP_SIGNATURE_free.pod b/doc/man3/EVP_SIGNATURE_free.pod index 5e745747e9..f5f06c8b4d 100644 --- a/doc/man3/EVP_SIGNATURE_free.pod +++ b/doc/man3/EVP_SIGNATURE_free.pod @@ -23,9 +23,9 @@ EVP_SIGNATURE_gettable_ctx_params, EVP_SIGNATURE_settable_ctx_params void (*fn)(EVP_SIGNATURE *signature, void *arg), void *arg); - void EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature, - void (*fn)(const char *name, void *data), - void *data); + int EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_SIGNATURE_gettable_ctx_params(const EVP_SIGNATURE *sig); const OSSL_PARAM *EVP_SIGNATURE_settable_ctx_params(const EVP_SIGNATURE *sig); @@ -76,6 +76,9 @@ or B for failure. EVP_SIGNATURE_up_ref() returns 1 for success or 0 otherwise. +EVP_SIGNATURE_names_do_all() returns 1 if the callback was called for all names. +A return value of 0 means that the callback was not called for any names. + EVP_SIGNATURE_gettable_ctx_params() and EVP_SIGNATURE_settable_ctx_params() return a constant B array or NULL on error. diff --git a/doc/man3/OSSL_DECODER.pod b/doc/man3/OSSL_DECODER.pod index 9bc2a035ae..d12dede535 100644 --- a/doc/man3/OSSL_DECODER.pod +++ b/doc/man3/OSSL_DECODER.pod @@ -33,9 +33,9 @@ OSSL_DECODER_get_params void OSSL_DECODER_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(OSSL_DECODER *decoder, void *arg), void *arg); - void OSSL_DECODER_names_do_all(const OSSL_DECODER *decoder, - void (*fn)(const char *name, void *data), - void *data); + int OSSL_DECODER_names_do_all(const OSSL_DECODER *decoder, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *OSSL_DECODER_gettable_params(OSSL_DECODER *decoder); int OSSL_DECODER_get_params(OSSL_DECODER_CTX *ctx, const OSSL_PARAM params[]); @@ -107,6 +107,9 @@ otherwise 0. OSSL_DECODER_number() returns an integer. +OSSL_DECODER_names_do_all() returns 1 if the callback was called for all +names. A return value of 0 means that the callback was not called for any names. + =head1 NOTES OSSL_DECODER_fetch() may be called implicitly by other fetching diff --git a/doc/man3/OSSL_ENCODER.pod b/doc/man3/OSSL_ENCODER.pod index 2c68d1a761..8515ff12f5 100644 --- a/doc/man3/OSSL_ENCODER.pod +++ b/doc/man3/OSSL_ENCODER.pod @@ -33,9 +33,9 @@ OSSL_ENCODER_get_params void OSSL_ENCODER_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(OSSL_ENCODER *encoder, void *arg), void *arg); - void OSSL_ENCODER_names_do_all(const OSSL_ENCODER *encoder, - void (*fn)(const char *name, void *data), - void *data); + int OSSL_ENCODER_names_do_all(const OSSL_ENCODER *encoder, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *OSSL_ENCODER_gettable_params(OSSL_ENCODER *encoder); int OSSL_ENCODER_get_params(OSSL_ENCODER_CTX *ctx, const OSSL_PARAM params[]); @@ -108,6 +108,9 @@ otherwise 0. OSSL_ENCODER_number() returns an integer. +OSSL_ENCODER_names_do_all() returns 1 if the callback was called for all +names. A return value of 0 means that the callback was not called for any names. + =head1 SEE ALSO L, L, L, diff --git a/doc/man3/OSSL_STORE_LOADER.pod b/doc/man3/OSSL_STORE_LOADER.pod index ad1a40a0a4..203286c70d 100644 --- a/doc/man3/OSSL_STORE_LOADER.pod +++ b/doc/man3/OSSL_STORE_LOADER.pod @@ -48,9 +48,9 @@ unregister STORE loaders for different URI schemes void (*fn)(OSSL_STORE_LOADER *loader, void *arg), void *arg); - void OSSL_STORE_LOADER_names_do_all(const OSSL_STORE_LOADER *loader, - void (*fn)(const char *name, void *data), - void *data); + int OSSL_STORE_LOADER_names_do_all(const OSSL_STORE_LOADER *loader, + void (*fn)(const char *name, void *data), + void *data); Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see @@ -312,6 +312,9 @@ or NULL on error. OSSL_STORE_LOADER_up_ref() returns 1 on success, or 0 on error. +OSSL_STORE_LOADER_names_do_all() returns 1 if the callback was called for all +names. A return value of 0 means that the callback was not called for any names. + OSSL_STORE_LOADER_free() doesn't return any value. OSSL_STORE_LOADER_provider() returns a pointer to a provider object, or diff --git a/include/internal/namemap.h b/include/internal/namemap.h index 685ccb41c1..bbdc041173 100644 --- a/include/internal/namemap.h +++ b/include/internal/namemap.h @@ -31,9 +31,9 @@ int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, const char *name, size_t name_len); const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number, size_t idx); -void ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, - void (*fn)(const char *name, void *data), - void *data); +int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, + void (*fn)(const char *name, void *data), + void *data); /* * A utility that handles several names in a string, divided by a given diff --git a/include/openssl/decoder.h b/include/openssl/decoder.h index 9f58cb2b39..fd7e7b52c7 100644 --- a/include/openssl/decoder.h +++ b/include/openssl/decoder.h @@ -39,9 +39,9 @@ int OSSL_DECODER_is_a(const OSSL_DECODER *encoder, const char *name); void OSSL_DECODER_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(OSSL_DECODER *encoder, void *arg), void *arg); -void OSSL_DECODER_names_do_all(const OSSL_DECODER *encoder, - void (*fn)(const char *name, void *data), - void *data); +int OSSL_DECODER_names_do_all(const OSSL_DECODER *encoder, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *OSSL_DECODER_gettable_params(OSSL_DECODER *decoder); int OSSL_DECODER_get_params(OSSL_DECODER *decoder, OSSL_PARAM params[]); diff --git a/include/openssl/encoder.h b/include/openssl/encoder.h index bf212f9f80..c533efa3ec 100644 --- a/include/openssl/encoder.h +++ b/include/openssl/encoder.h @@ -39,9 +39,9 @@ int OSSL_ENCODER_is_a(const OSSL_ENCODER *encoder, const char *name); void OSSL_ENCODER_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(OSSL_ENCODER *encoder, void *arg), void *arg); -void OSSL_ENCODER_names_do_all(const OSSL_ENCODER *encoder, - void (*fn)(const char *name, void *data), - void *data); +int OSSL_ENCODER_names_do_all(const OSSL_ENCODER *encoder, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *OSSL_ENCODER_gettable_params(OSSL_ENCODER *encoder); int OSSL_ENCODER_get_params(OSSL_ENCODER *encoder, OSSL_PARAM params[]); diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 1bf244322e..38cfefd10b 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -524,9 +524,9 @@ int EVP_MD_type(const EVP_MD *md); const char *EVP_MD_name(const EVP_MD *md); int EVP_MD_number(const EVP_MD *md); int EVP_MD_is_a(const EVP_MD *md, const char *name); -void EVP_MD_names_do_all(const EVP_MD *md, - void (*fn)(const char *name, void *data), - void *data); +int EVP_MD_names_do_all(const EVP_MD *md, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PROVIDER *EVP_MD_provider(const EVP_MD *md); int EVP_MD_pkey_type(const EVP_MD *md); int EVP_MD_size(const EVP_MD *md); @@ -555,9 +555,9 @@ int EVP_CIPHER_nid(const EVP_CIPHER *cipher); const char *EVP_CIPHER_name(const EVP_CIPHER *cipher); int EVP_CIPHER_number(const EVP_CIPHER *cipher); int EVP_CIPHER_is_a(const EVP_CIPHER *cipher, const char *name); -void EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, - void (*fn)(const char *name, void *data), - void *data); +int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PROVIDER *EVP_CIPHER_provider(const EVP_CIPHER *cipher); int EVP_CIPHER_block_size(const EVP_CIPHER *cipher); int EVP_CIPHER_impl_ctx_size(const EVP_CIPHER *cipher); @@ -1153,9 +1153,9 @@ const OSSL_PARAM *EVP_MAC_settable_ctx_params(const EVP_MAC *mac); void EVP_MAC_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_MAC *mac, void *arg), void *arg); -void EVP_MAC_names_do_all(const EVP_MAC *mac, - void (*fn)(const char *name, void *data), - void *data); +int EVP_MAC_names_do_all(const EVP_MAC *mac, + void (*fn)(const char *name, void *data), + void *data); /* RAND stuff */ EVP_RAND *EVP_RAND_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, @@ -1180,9 +1180,9 @@ const OSSL_PARAM *EVP_RAND_settable_ctx_params(const EVP_RAND *rand); void EVP_RAND_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_RAND *rand, void *arg), void *arg); -void EVP_RAND_names_do_all(const EVP_RAND *rand, - void (*fn)(const char *name, void *data), - void *data); +int EVP_RAND_names_do_all(const EVP_RAND *rand, + void (*fn)(const char *name, void *data), + void *data); __owur int EVP_RAND_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, @@ -1217,9 +1217,9 @@ OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_encrypt_old(unsigned char *enc_key, int key_len, EVP_PKEY *pub_key); #endif int EVP_PKEY_is_a(const EVP_PKEY *pkey, const char *name); -void EVP_PKEY_typenames_do_all(const EVP_PKEY *pkey, - void (*fn)(const char *name, void *data), - void *data); +int EVP_PKEY_typenames_do_all(const EVP_PKEY *pkey, + void (*fn)(const char *name, void *data), + void *data); int EVP_PKEY_type(int type); int EVP_PKEY_id(const EVP_PKEY *pkey); int EVP_PKEY_base_id(const EVP_PKEY *pkey); @@ -1633,9 +1633,9 @@ int EVP_KEYMGMT_is_a(const EVP_KEYMGMT *keymgmt, const char *name); void EVP_KEYMGMT_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KEYMGMT *keymgmt, void *arg), void *arg); -void EVP_KEYMGMT_names_do_all(const EVP_KEYMGMT *keymgmt, - void (*fn)(const char *name, void *data), - void *data); +int EVP_KEYMGMT_names_do_all(const EVP_KEYMGMT *keymgmt, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_KEYMGMT_gettable_params(const EVP_KEYMGMT *keymgmt); const OSSL_PARAM *EVP_KEYMGMT_settable_params(const EVP_KEYMGMT *keymgmt); const OSSL_PARAM *EVP_KEYMGMT_gen_settable_params(const EVP_KEYMGMT *keymgmt); @@ -1716,9 +1716,9 @@ void EVP_SIGNATURE_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_SIGNATURE *signature, void *data), void *data); -void EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature, - void (*fn)(const char *name, void *data), - void *data); +int EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_SIGNATURE_gettable_ctx_params(const EVP_SIGNATURE *sig); const OSSL_PARAM *EVP_SIGNATURE_settable_ctx_params(const EVP_SIGNATURE *sig); @@ -1733,9 +1733,9 @@ void EVP_ASYM_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_ASYM_CIPHER *cipher, void *arg), void *arg); -void EVP_ASYM_CIPHER_names_do_all(const EVP_ASYM_CIPHER *cipher, - void (*fn)(const char *name, void *data), - void *data); +int EVP_ASYM_CIPHER_names_do_all(const EVP_ASYM_CIPHER *cipher, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_ASYM_CIPHER_gettable_ctx_params(const EVP_ASYM_CIPHER *ciph); const OSSL_PARAM *EVP_ASYM_CIPHER_settable_ctx_params(const EVP_ASYM_CIPHER *ciph); @@ -1748,8 +1748,8 @@ int EVP_KEM_is_a(const EVP_KEM *wrap, const char *name); int EVP_KEM_number(const EVP_KEM *wrap); void EVP_KEM_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KEM *wrap, void *arg), void *arg); -void EVP_KEM_names_do_all(const EVP_KEM *wrap, - void (*fn)(const char *name, void *data), void *data); +int EVP_KEM_names_do_all(const EVP_KEM *wrap, + void (*fn)(const char *name, void *data), void *data); const OSSL_PARAM *EVP_KEM_gettable_ctx_params(const EVP_KEM *kem); const OSSL_PARAM *EVP_KEM_settable_ctx_params(const EVP_KEM *kem); @@ -1996,9 +1996,9 @@ int EVP_KEYEXCH_number(const EVP_KEYEXCH *keyexch); void EVP_KEYEXCH_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KEYEXCH *keyexch, void *data), void *data); -void EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *keyexch, - void (*fn)(const char *name, void *data), - void *data); +int EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *keyexch, + void (*fn)(const char *name, void *data), + void *data); const OSSL_PARAM *EVP_KEYEXCH_gettable_ctx_params(const EVP_KEYEXCH *keyexch); const OSSL_PARAM *EVP_KEYEXCH_settable_ctx_params(const EVP_KEYEXCH *keyexch); diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index eada3cf1ac..37c1736a8c 100644 --- a/include/openssl/kdf.h +++ b/include/openssl/kdf.h @@ -52,9 +52,9 @@ const OSSL_PARAM *EVP_KDF_settable_ctx_params(const EVP_KDF *kdf); void EVP_KDF_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KDF *kdf, void *arg), void *arg); -void EVP_KDF_names_do_all(const EVP_KDF *kdf, - void (*fn)(const char *name, void *data), - void *data); +int EVP_KDF_names_do_all(const EVP_KDF *kdf, + void (*fn)(const char *name, void *data), + void *data); # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 diff --git a/include/openssl/store.h b/include/openssl/store.h index ae0aaa26d1..304532bde3 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -266,9 +266,9 @@ void OSSL_STORE_LOADER_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(OSSL_STORE_LOADER *loader, void *arg), void *arg); -void OSSL_STORE_LOADER_names_do_all(const OSSL_STORE_LOADER *loader, - void (*fn)(const char *name, void *data), - void *data); +int OSSL_STORE_LOADER_names_do_all(const OSSL_STORE_LOADER *loader, + void (*fn)(const char *name, void *data), + void *data); /*- * Function to register a loader for the given URI scheme. diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 2d32eb98da..a2490a9fe9 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -2439,6 +2439,53 @@ static int test_EVP_rsa_pss_with_keygen_bits(void) return ret; } +static int success = 1; +static void md_names(const char *name, void *vctx) +{ + OSSL_LIB_CTX *ctx = (OSSL_LIB_CTX *)vctx; + /* Force a namemap update */ + EVP_CIPHER *aes128 = EVP_CIPHER_fetch(ctx, "AES-128-CBC", NULL); + + if (!TEST_ptr(aes128)) + success = 0; + + EVP_CIPHER_free(aes128); +} + +/* + * Test that changing the namemap in a user callback works in a names_do_all + * function. + */ +static int test_names_do_all(void) +{ + /* We use a custom libctx so that we know the state of the namemap */ + OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new(); + EVP_MD *sha256 = NULL; + int testresult = 0; + + if (!TEST_ptr(ctx)) + goto err; + + sha256 = EVP_MD_fetch(ctx, "SHA2-256", NULL); + if (!TEST_ptr(sha256)) + goto err; + + /* + * We loop through all the names for a given digest. This should still work + * even if the namemap changes part way through. + */ + if (!TEST_true(EVP_MD_names_do_all(sha256, md_names, ctx))) + goto err; + + if (!TEST_true(success)) + goto err; + + testresult = 1; + err: + EVP_MD_free(sha256); + OSSL_LIB_CTX_free(ctx); + return testresult; +} int setup_tests(void) { @@ -2513,6 +2560,8 @@ int setup_tests(void) ADD_ALL_TESTS(test_evp_iv, 10); ADD_TEST(test_EVP_rsa_pss_with_keygen_bits); + ADD_TEST(test_names_do_all); + return 1; } From pauli at openssl.org Wed Feb 24 22:39:46 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 24 Feb 2021 22:39:46 +0000 Subject: [openssl] master update Message-ID: <1614206386.682649.20501.nullmailer@dev.openssl.org> The branch master has been updated via 75de54363506e2b2480fc6baf0cd45b1f7fc8816 (commit) from 5eb73cfb372a3701a25f9d4f5e109ba21669af61 (commit) - Log ----------------------------------------------------------------- commit 75de54363506e2b2480fc6baf0cd45b1f7fc8816 Author: jwalch Date: Fri Feb 19 13:02:27 2021 -0500 Fix an integer overflow in o_time.c If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow. I think leaving offset_hms as an int is still safe. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14252) ----------------------------------------------------------------------- Summary of changes: crypto/o_time.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/o_time.c b/crypto/o_time.c index 632e19e367..f367945a18 100644 --- a/crypto/o_time.c +++ b/crypto/o_time.c @@ -133,8 +133,8 @@ int OPENSSL_gmtime_diff(int *pday, int *psec, static int julian_adj(const struct tm *tm, int off_day, long offset_sec, long *pday, int *psec) { - int offset_hms, offset_day; - long time_jd; + int offset_hms; + long offset_day, time_jd; int time_year, time_month, time_day; /* split offset into days and day seconds */ offset_day = offset_sec / SECS_PER_DAY; From pauli at openssl.org Wed Feb 24 22:42:38 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 24 Feb 2021 22:42:38 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1614206558.365371.7557.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 1102187a71f6aa8f72daf46c5d543c261b90c83b (commit) from 8df5cc3339d10f91ccb395650a83c031c2795742 (commit) - Log ----------------------------------------------------------------- commit 1102187a71f6aa8f72daf46c5d543c261b90c83b Author: jwalch Date: Fri Feb 19 13:02:27 2021 -0500 Fix an integer overflow in o_time.c If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow. I think leaving offset_hms as an int is still safe. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14252) (cherry picked from commit 75de54363506e2b2480fc6baf0cd45b1f7fc8816) ----------------------------------------------------------------------- Summary of changes: crypto/o_time.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/o_time.c b/crypto/o_time.c index 3502edda62..6aafd67c46 100644 --- a/crypto/o_time.c +++ b/crypto/o_time.c @@ -133,8 +133,8 @@ int OPENSSL_gmtime_diff(int *pday, int *psec, static int julian_adj(const struct tm *tm, int off_day, long offset_sec, long *pday, int *psec) { - int offset_hms, offset_day; - long time_jd; + int offset_hms; + long offset_day, time_jd; int time_year, time_month, time_day; /* split offset into days and day seconds */ offset_day = offset_sec / SECS_PER_DAY; From openssl at openssl.org Thu Feb 25 01:13:16 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 25 Feb 2021 01:13:16 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1614215596.022117.1305074.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13ccstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13ccstest \ test/helpers/tls13ccstest-bin-ssltestlib.o \ test/tls13ccstest-bin-tls13ccstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13secretstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13secretstest \ crypto/tls13secretstest-bin-packet.o \ ssl/tls13secretstest-bin-tls13_enc.o \ test/tls13secretstest-bin-tls13secretstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/uitest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/uitest \ apps/lib/uitest-bin-apps_ui.o test/uitest-bin-uitest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread make[1]: Leaving directory '/home/openssl/run-checker/no-asm' $ make test make depend && make _tests make[1]: Entering directory '/home/openssl/run-checker/no-asm' make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make[1]: Entering directory '/home/openssl/run-checker/no-asm' ( SRCTOP=../openssl \ BLDTOP=. \ PERL="/usr/bin/perl" \ FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \ EXE_EXT= \ /usr/bin/perl ../openssl/test/run_tests.pl ) 01-test_abort.t .................... ok 01-test_sanity.t ................... ok 01-test_symbol_presence.t .......... ok 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t ...................... ok 04-test_hexstring.t ................ ok 04-test_param_build.t .............. ok 04-test_params.t ................... ok 04-test_params_conversion.t ........ ok 04-test_pem.t ...................... ok 04-test_pem_read_depr.t ............ ok 04-test_provider.t ................. ok 04-test_provider_fallback.t ........ ok 05-test_bf.t ....................... ok 05-test_cast.t ..................... ok 05-test_cmac.t ..................... ok 05-test_des.t ...................... ok 05-test_hmac.t ..................... ok 05-test_idea.t ..................... ok 05-test_rand.t ..................... ok 05-test_rc2.t ...................... ok 05-test_rc4.t ...................... ok 05-test_rc5.t ...................... skipped: rc5 is not supported by this OpenSSL build 06-test-rdrand.t ................... ok 06-test_algorithmid.t .............. ok 10-test_bn.t ....................... ok 10-test_exp.t ...................... ok 15-test_dh.t ....................... ok 15-test_dsa.t ...................... ok make[1]: *** [Makefile:3268: _tests] Terminated From openssl at openssl.org Thu Feb 25 02:08:38 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 25 Feb 2021 02:08:38 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1614218918.328207.1418773.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=232, Tests=3165, 936 wallclock secs (14.74 usr 1.35 sys + 844.33 cusr 87.96 csys = 948.38 CPU) Result: FAIL make[1]: *** [Makefile:3280: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3277: tests] Error 2 From openssl at openssl.org Thu Feb 25 08:15:29 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 25 Feb 2021 08:15:29 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1614240929.691516.2155925.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=232, Tests=3167, 1004 wallclock secs (14.14 usr 1.39 sys + 913.23 cusr 86.79 csys = 1015.55 CPU) Result: FAIL make[1]: *** [Makefile:3221: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3218: tests] Error 2 From tomas at openssl.org Thu Feb 25 13:02:10 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 25 Feb 2021 13:02:10 +0000 Subject: [openssl] master update Message-ID: <1614258130.433993.5583.nullmailer@dev.openssl.org> The branch master has been updated via 8cdc3425aff7447af868de8590053191b32ad454 (commit) via 0c84139c98bf81de2ec8e5aba8aef428ce6e1079 (commit) from 75de54363506e2b2480fc6baf0cd45b1f7fc8816 (commit) - Log ----------------------------------------------------------------- commit 8cdc3425aff7447af868de8590053191b32ad454 Author: Tomas Mraz Date: Wed Feb 24 16:44:41 2021 +0100 fake_random: Do not overwrite the callback on instatiation Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14299) commit 0c84139c98bf81de2ec8e5aba8aef428ce6e1079 Author: Tomas Mraz Date: Wed Feb 24 12:32:40 2021 +0100 Ensure that the fake rand is initialized Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14299) ----------------------------------------------------------------------- Summary of changes: test/testutil/fake_random.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/test/testutil/fake_random.c b/test/testutil/fake_random.c index 95a3023cd4..7e18e72d45 100644 --- a/test/testutil/fake_random.c +++ b/test/testutil/fake_random.c @@ -33,7 +33,6 @@ static OSSL_FUNC_rand_enable_locking_fn fake_rand_enable_locking; static void *fake_rand_newctx(void *provctx, void *parent, const OSSL_DISPATCH *parent_dispatch) { - fake_rand.cb = NULL; fake_rand.state = EVP_RAND_STATE_UNINITIALISED; return &fake_rand; } @@ -177,6 +176,14 @@ OSSL_PROVIDER *fake_rand_start(OSSL_LIB_CTX *libctx) || !TEST_true(RAND_set_DRBG_type(libctx, "fake", NULL, NULL, NULL)) || !TEST_ptr(p = OSSL_PROVIDER_try_load(libctx, "fake-rand", 1))) return NULL; + + /* Ensure that the fake rand is initialized. */ + if (!TEST_ptr(RAND_get0_private(libctx)) + || !TEST_ptr(RAND_get0_public(libctx))) { + OSSL_PROVIDER_unload(p); + return NULL; + } + return p; } From tomas at openssl.org Thu Feb 25 16:56:23 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 25 Feb 2021 16:56:23 +0000 Subject: [openssl] master update Message-ID: <1614272183.664187.17550.nullmailer@dev.openssl.org> The branch master has been updated via 1cba86234aba9925ac01982c7aa8f9bc42f11a23 (commit) from 8cdc3425aff7447af868de8590053191b32ad454 (commit) - Log ----------------------------------------------------------------- commit 1cba86234aba9925ac01982c7aa8f9bc42f11a23 Author: Tomas Mraz Date: Wed Feb 24 17:45:55 2021 +0100 evp_extra_test: Do not manipulate providers in default context Otherwise the with OPENSSL_TEST_RAND_ORDER following tests will be broken. There is also no real need to do that. Fixes #14070 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14305) ----------------------------------------------------------------------- Summary of changes: test/evp_extra_test.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index a2490a9fe9..845752fae4 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -2418,15 +2418,13 @@ err: static int test_EVP_rsa_pss_with_keygen_bits(void) { int ret; - OSSL_PROVIDER *provider; EVP_PKEY_CTX *ctx; EVP_PKEY *pkey; const EVP_MD *md; pkey = NULL; ret = 0; - provider = OSSL_PROVIDER_load(NULL, "default"); - md = EVP_get_digestbyname("sha256"); + md = EVP_get_digestbyname("sha256"); ret = TEST_ptr((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA_PSS, NULL))) && TEST_true(EVP_PKEY_keygen_init(ctx)) && TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 512), 0) @@ -2435,7 +2433,6 @@ static int test_EVP_rsa_pss_with_keygen_bits(void) EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(ctx); - OSSL_PROVIDER_unload(provider); return ret; } From pauli at openssl.org Fri Feb 26 00:04:10 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 26 Feb 2021 00:04:10 +0000 Subject: [openssl] master update Message-ID: <1614297850.859970.11018.nullmailer@dev.openssl.org> The branch master has been updated via 2d968951227acd422f0e712035de3216d47fc980 (commit) from 1cba86234aba9925ac01982c7aa8f9bc42f11a23 (commit) - Log ----------------------------------------------------------------- commit 2d968951227acd422f0e712035de3216d47fc980 Author: Mark Date: Wed Feb 24 14:14:08 2021 +0100 Fix filename escaping in c_rehash CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14301) ----------------------------------------------------------------------- Summary of changes: tools/c_rehash.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/c_rehash.in b/tools/c_rehash.in index ad72b51cfe..3e2e9c0f52 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -161,7 +161,7 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; - $fname =~ s/'/'\\''/g; + $fname =~ s/\"/\\\"/g; my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; chomp $hash; chomp $fprint; From pauli at openssl.org Fri Feb 26 00:04:48 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 26 Feb 2021 00:04:48 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1614297888.517841.12107.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 3a6e6b1f94ae41e2fd73483464c9c80ddcf30d17 (commit) from 1102187a71f6aa8f72daf46c5d543c261b90c83b (commit) - Log ----------------------------------------------------------------- commit 3a6e6b1f94ae41e2fd73483464c9c80ddcf30d17 Author: Mark Date: Wed Feb 24 14:14:08 2021 +0100 Fix filename escaping in c_rehash CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14301) (cherry picked from commit 2d968951227acd422f0e712035de3216d47fc980) ----------------------------------------------------------------------- Summary of changes: tools/c_rehash.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/c_rehash.in b/tools/c_rehash.in index 421fd89208..d97cab0ed5 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -161,7 +161,7 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; - $fname =~ s/'/'\\''/g; + $fname =~ s/\"/\\\"/g; my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; chomp $hash; chomp $fprint; From shane.lontis at oracle.com Fri Feb 26 00:40:19 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Fri, 26 Feb 2021 00:40:19 +0000 Subject: [openssl] master update Message-ID: <1614300019.949067.17667.nullmailer@dev.openssl.org> The branch master has been updated via 94553e85b68af4513a8ee89cd2a0d4e044d75139 (commit) from 2d968951227acd422f0e712035de3216d47fc980 (commit) - Log ----------------------------------------------------------------- commit 94553e85b68af4513a8ee89cd2a0d4e044d75139 Author: Shane Lontis Date: Fri Feb 19 19:15:41 2021 +1000 Fix external symbols for bn Partial fix for #12964 This adds ossl_ names for symbols related to bn_* Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14296) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_const.c | 12 +++++----- crypto/bn/bn_ctx.c | 2 +- crypto/bn/bn_dh.c | 14 ++++++----- crypto/bn/bn_prime.c | 8 +++---- crypto/bn/bn_rand.c | 4 ++-- crypto/bn/bn_rsa_fips186_4.c | 28 ++++++++++++---------- crypto/dh/dh_rfc5114.c | 6 ++--- crypto/ec/ec_cvt.c | 4 ++-- crypto/ffc/ffc_dh.c | 9 ++++--- crypto/ffc/ffc_params_generate.c | 4 ++-- crypto/rsa/rsa_sp800_56b_check.c | 11 +++++---- crypto/rsa/rsa_sp800_56b_gen.c | 8 +++---- include/crypto/bn.h | 31 ++++++++++++------------ include/crypto/bn_dh.h | 52 ++++++++++++++++++++-------------------- test/bn_internal_test.c | 8 ++++--- test/evp_libctx_test.c | 6 +++-- test/evp_pkey_provided_test.c | 8 +++---- 17 files changed, 114 insertions(+), 101 deletions(-) diff --git a/crypto/bn/bn_const.c b/crypto/bn/bn_const.c index 7d0a9f901e..06a40d6fba 100644 --- a/crypto/bn/bn_const.c +++ b/crypto/bn/bn_const.c @@ -84,7 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn) BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) { - return COPY_BN(bn, _bignum_modp_1536_p); + return COPY_BN(bn, ossl_bignum_modp_1536_p); } /*- @@ -97,7 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) { - return COPY_BN(bn, _bignum_modp_2048_p); + return COPY_BN(bn, ossl_bignum_modp_2048_p); } /*- @@ -110,7 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) { - return COPY_BN(bn, _bignum_modp_3072_p); + return COPY_BN(bn, ossl_bignum_modp_3072_p); } /*- @@ -123,7 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) { - return COPY_BN(bn, _bignum_modp_4096_p); + return COPY_BN(bn, ossl_bignum_modp_4096_p); } /*- @@ -136,7 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) { - return COPY_BN(bn, _bignum_modp_6144_p); + return COPY_BN(bn, ossl_bignum_modp_6144_p); } /*- @@ -149,5 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn) { - return COPY_BN(bn, _bignum_modp_8192_p); + return COPY_BN(bn, ossl_bignum_modp_8192_p); } diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 6234c51435..360b708221 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -249,7 +249,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) return ret; } -OSSL_LIB_CTX *bn_get_libctx(BN_CTX *ctx) +OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx) { if (ctx == NULL) return NULL; diff --git a/crypto/bn/bn_dh.c b/crypto/bn/bn_dh.c index 9f5b80cb8e..58f545642e 100644 --- a/crypto/bn/bn_dh.c +++ b/crypto/bn/bn_dh.c @@ -1003,15 +1003,17 @@ static const BN_ULONG ffdhe8192_q[] = { /* Macro to make a BIGNUM from static data */ -# define make_dh_bn(x) extern const BIGNUM _bignum_##x; \ - const BIGNUM _bignum_##x = { (BN_ULONG *) x, \ - OSSL_NELEM(x),\ - OSSL_NELEM(x),\ - 0, BN_FLG_STATIC_DATA }; +# define make_dh_bn(x) \ + extern const BIGNUM ossl_bignum_##x; \ + const BIGNUM ossl_bignum_##x = { \ + (BN_ULONG *) x, \ + OSSL_NELEM(x), \ + OSSL_NELEM(x), \ + 0, BN_FLG_STATIC_DATA }; static const BN_ULONG value_2 = 2; -const BIGNUM _bignum_const_2 = { +const BIGNUM ossl_bignum_const_2 = { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA }; diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index eba402d2f2..33a2c85129 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -62,7 +62,7 @@ static const BIGNUM _bignum_small_prime_factors = { BN_FLG_STATIC_DATA }; -const BIGNUM *bn_get0_small_factors(void) +const BIGNUM *ossl_bn_get0_small_factors(void) { return &_bignum_small_prime_factors; } @@ -308,7 +308,7 @@ static int bn_is_prime_int(const BIGNUM *w, int checks, BN_CTX *ctx, goto err; #endif - ret = bn_miller_rabin_is_prime(w, checks, ctx, cb, 0, &status); + ret = ossl_bn_miller_rabin_is_prime(w, checks, ctx, cb, 0, &status); if (!ret) goto err; ret = (status == BN_PRIMETEST_PROBABLY_PRIME); @@ -334,8 +334,8 @@ err: * * returns 0 if there was an error, otherwise it returns 1. */ -int bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, - BN_GENCB *cb, int enhanced, int *status) +int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, + BN_GENCB *cb, int enhanced, int *status) { int i, j, a, ret = 0; BIGNUM *g, *w1, *w3, *x, *m, *z, *b; diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 1f12e81fb7..79e44ab960 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -25,7 +25,7 @@ static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom, { unsigned char *buf = NULL; int b, ret = 0, bit, bytes, mask; - OSSL_LIB_CTX *libctx = bn_get_libctx(ctx); + OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); if (bits == 0) { if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY) @@ -256,7 +256,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, unsigned char *k_bytes = NULL; int ret = 0; EVP_MD *md = NULL; - OSSL_LIB_CTX *libctx = bn_get_libctx(ctx); + OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); if (mdctx == NULL) goto err; diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c index ab1e1f14ae..a49166b9c3 100644 --- a/crypto/bn/bn_rsa_fips186_4.c +++ b/crypto/bn/bn_rsa_fips186_4.c @@ -45,7 +45,7 @@ static const BN_ULONG inv_sqrt_2_val[] = { BN_DEF(0x754ABE9FUL, 0x597D89B3UL), BN_DEF(0xF9DE6484UL, 0xB504F333UL) }; -const BIGNUM bn_inv_sqrt_2 = { +const BIGNUM ossl_bn_inv_sqrt_2 = { (BN_ULONG *)inv_sqrt_2_val, OSSL_NELEM(inv_sqrt_2_val), OSSL_NELEM(inv_sqrt_2_val), @@ -147,11 +147,12 @@ err: * cb An optional BIGNUM callback. * Returns: 1 on success otherwise it returns 0. */ -int bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - BIGNUM *p1, BIGNUM *p2, - const BIGNUM *Xp, const BIGNUM *Xp1, - const BIGNUM *Xp2, int nlen, - const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb) +int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, + BIGNUM *p1, BIGNUM *p2, + const BIGNUM *Xp, const BIGNUM *Xp1, + const BIGNUM *Xp2, int nlen, + const BIGNUM *e, BN_CTX *ctx, + BN_GENCB *cb) { int ret = 0; BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; @@ -197,7 +198,8 @@ int bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, bn_rsa_fips186_4_aux_prime_max_sum_size_for_prob_primes(nlen)) goto err; /* (Steps 4.3/5.3) - generate prime */ - if (!bn_rsa_fips186_4_derive_prime(p, Xpout, Xp, p1i, p2i, nlen, e, ctx, cb)) + if (!ossl_bn_rsa_fips186_4_derive_prime(p, Xpout, Xp, p1i, p2i, nlen, e, + ctx, cb)) goto err; ret = 1; err: @@ -235,9 +237,10 @@ err: * Assumptions: * Y, X, r1, r2, e are not NULL. */ -int bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - const BIGNUM *r1, const BIGNUM *r2, int nlen, - const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb) +int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, + const BIGNUM *r1, const BIGNUM *r2, + int nlen, const BIGNUM *e, BN_CTX *ctx, + BN_GENCB *cb) { int ret = 0; int i, imax; @@ -270,9 +273,10 @@ int bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, * We only have the first 256 bit of 1/sqrt(2) */ if (Xin == NULL) { - if (bits < BN_num_bits(&bn_inv_sqrt_2)) + if (bits < BN_num_bits(&ossl_bn_inv_sqrt_2)) goto err; - if (!BN_lshift(base, &bn_inv_sqrt_2, bits - BN_num_bits(&bn_inv_sqrt_2)) + if (!BN_lshift(base, &ossl_bn_inv_sqrt_2, + bits - BN_num_bits(&ossl_bn_inv_sqrt_2)) || !BN_lshift(range, BN_value_one(), bits) || !BN_sub(range, range, base)) goto err; diff --git a/crypto/dh/dh_rfc5114.c b/crypto/dh/dh_rfc5114.c index 4e7daaefc7..c578a89a58 100644 --- a/crypto/dh/dh_rfc5114.c +++ b/crypto/dh/dh_rfc5114.c @@ -32,9 +32,9 @@ DH *DH_get_##x(void) \ \ if (dh == NULL) \ return NULL; \ - dh->params.p = BN_dup(&_bignum_dh##x##_p); \ - dh->params.g = BN_dup(&_bignum_dh##x##_g); \ - dh->params.q = BN_dup(&_bignum_dh##x##_q); \ + dh->params.p = BN_dup(&ossl_bignum_dh##x##_p); \ + dh->params.g = BN_dup(&ossl_bignum_dh##x##_g); \ + dh->params.q = BN_dup(&ossl_bignum_dh##x##_q); \ if (dh->params.p == NULL || dh->params.q == NULL || dh->params.g == NULL) {\ DH_free(dh); \ return NULL; \ diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c index c841ad741d..00a5c48c8f 100644 --- a/crypto/ec/ec_cvt.c +++ b/crypto/ec/ec_cvt.c @@ -54,7 +54,7 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, meth = EC_GFp_mont_method(); #endif - ret = ec_group_new_ex(bn_get_libctx(ctx), NULL, meth); + ret = ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); if (ret == NULL) return NULL; @@ -75,7 +75,7 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, meth = EC_GF2m_simple_method(); - ret = ec_group_new_ex(bn_get_libctx(ctx), NULL, meth); + ret = ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); if (ret == NULL) return NULL; diff --git a/crypto/ffc/ffc_dh.c b/crypto/ffc/ffc_dh.c index db472febb0..17888e9291 100644 --- a/crypto/ffc/ffc_dh.c +++ b/crypto/ffc/ffc_dh.c @@ -17,19 +17,22 @@ # define FFDHE(sz) { \ SN_ffdhe##sz, NID_ffdhe##sz, \ sz, \ - &_bignum_ffdhe##sz##_p, &_bignum_ffdhe##sz##_q, &_bignum_const_2, \ + &ossl_bignum_ffdhe##sz##_p, &ossl_bignum_ffdhe##sz##_q, \ + &ossl_bignum_const_2, \ } # define MODP(sz) { \ SN_modp_##sz, NID_modp_##sz, \ sz, \ - &_bignum_modp_##sz##_p, &_bignum_modp_##sz##_q, &_bignum_const_2 \ + &ossl_bignum_modp_##sz##_p, &ossl_bignum_modp_##sz##_q, \ + &ossl_bignum_const_2 \ } # define RFC5114(name, uid, sz, tag) { \ name, uid, \ sz, \ - &_bignum_dh##tag##_p, &_bignum_dh##tag##_q, &_bignum_dh##tag##_g \ + &ossl_bignum_dh##tag##_p, &ossl_bignum_dh##tag##_q, \ + &ossl_bignum_dh##tag##_g \ } #else diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c index 2e50c2b801..e0ce7485cf 100644 --- a/crypto/ffc/ffc_params_generate.c +++ b/crypto/ffc/ffc_params_generate.c @@ -320,7 +320,7 @@ static int generate_q_fips186_4(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd, unsigned char md[EVP_MAX_MD_SIZE]; int mdsize = EVP_MD_size(evpmd); unsigned char *pmd; - OSSL_LIB_CTX *libctx = bn_get_libctx(ctx); + OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); /* find q */ for (;;) { @@ -391,7 +391,7 @@ static int generate_q_fips186_2(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd, unsigned char buf2[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE]; int i, r, ret = 0, m = *retm; - OSSL_LIB_CTX *libctx = bn_get_libctx(ctx); + OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); /* find q */ for (;;) { diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c index 173bc5e253..c2066236f9 100644 --- a/crypto/rsa/rsa_sp800_56b_check.c +++ b/crypto/rsa/rsa_sp800_56b_check.c @@ -92,7 +92,7 @@ int ossl_rsa_check_prime_factor_range(const BIGNUM *p, int nbits, BN_CTX *ctx) int shift; nbits >>= 1; - shift = nbits - BN_num_bits(&bn_inv_sqrt_2); + shift = nbits - BN_num_bits(&ossl_bn_inv_sqrt_2); /* Upper bound check */ if (BN_num_bits(p) != nbits) @@ -104,12 +104,12 @@ int ossl_rsa_check_prime_factor_range(const BIGNUM *p, int nbits, BN_CTX *ctx) goto err; /* set low = (?2)(2^(nbits/2 - 1) */ - if (!BN_copy(low, &bn_inv_sqrt_2)) + if (!BN_copy(low, &ossl_bn_inv_sqrt_2)) goto err; if (shift >= 0) { /* - * We don't have all the bits. bn_inv_sqrt_2 contains a rounded up + * We don't have all the bits. ossl_bn_inv_sqrt_2 contains a rounded up * value, so there is a very low probability that we'll reject a valid * value. */ @@ -329,12 +329,13 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) * The modulus is composite, but not a power of a prime. * The modulus has no factors smaller than 752. */ - if (!BN_gcd(gcd, rsa->n, bn_get0_small_factors(), ctx) || !BN_is_one(gcd)) { + if (!BN_gcd(gcd, rsa->n, ossl_bn_get0_small_factors(), ctx) + || !BN_is_one(gcd)) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS); goto err; } - ret = bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); + ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS); ret = 0; diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c index 3fffb3b80a..87fd4ad50c 100644 --- a/crypto/rsa/rsa_sp800_56b_gen.c +++ b/crypto/rsa/rsa_sp800_56b_gen.c @@ -121,13 +121,13 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, BN_set_flags(rsa->q, BN_FLG_CONSTTIME); /* (Step 4) Generate p, Xp */ - if (!bn_rsa_fips186_4_gen_prob_primes(rsa->p, Xpo, p1, p2, Xp, Xp1, Xp2, - nbits, e, ctx, cb)) + if (!ossl_bn_rsa_fips186_4_gen_prob_primes(rsa->p, Xpo, p1, p2, Xp, Xp1, Xp2, + nbits, e, ctx, cb)) goto err; for(;;) { /* (Step 5) Generate q, Xq*/ - if (!bn_rsa_fips186_4_gen_prob_primes(rsa->q, Xqo, q1, q2, Xq, Xq1, - Xq2, nbits, e, ctx, cb)) + if (!ossl_bn_rsa_fips186_4_gen_prob_primes(rsa->q, Xqo, q1, q2, Xq, Xq1, + Xq2, nbits, e, ctx, cb)) goto err; /* (Step 6) |Xp - Xq| > 2^(nbitlen/2 - 100) */ diff --git a/include/crypto/bn.h b/include/crypto/bn.h index eb42ccd0f5..cf69bea848 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -93,26 +93,25 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, #define BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME 2 #define BN_PRIMETEST_PROBABLY_PRIME 3 -int bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, - BN_GENCB *cb, int enhanced, int *status); +int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, + BN_GENCB *cb, int enhanced, int *status); -const BIGNUM *bn_get0_small_factors(void); +const BIGNUM *ossl_bn_get0_small_factors(void); -int bn_rsa_fips186_4_prime_MR_min_checks(int nbits); +int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, + BIGNUM *p1, BIGNUM *p2, + const BIGNUM *Xp, const BIGNUM *Xp1, + const BIGNUM *Xp2, int nlen, + const BIGNUM *e, BN_CTX *ctx, + BN_GENCB *cb); -int bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - BIGNUM *p1, BIGNUM *p2, - const BIGNUM *Xp, const BIGNUM *Xp1, - const BIGNUM *Xp2, int nlen, - const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb); +int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, + const BIGNUM *r1, const BIGNUM *r2, + int nlen, const BIGNUM *e, BN_CTX *ctx, + BN_GENCB *cb); -int bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - const BIGNUM *r1, const BIGNUM *r2, int nlen, - const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); +OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); -OSSL_LIB_CTX *bn_get_libctx(BN_CTX *ctx); - -extern const BIGNUM bn_inv_sqrt_2; +extern const BIGNUM ossl_bn_inv_sqrt_2; #endif diff --git a/include/crypto/bn_dh.h b/include/crypto/bn_dh.h index b900c36651..e0506b753e 100644 --- a/include/crypto/bn_dh.h +++ b/include/crypto/bn_dh.h @@ -8,36 +8,36 @@ */ #define declare_dh_bn(x) \ - extern const BIGNUM _bignum_dh##x##_p; \ - extern const BIGNUM _bignum_dh##x##_q; \ - extern const BIGNUM _bignum_dh##x##_g; \ + extern const BIGNUM ossl_bignum_dh##x##_p; \ + extern const BIGNUM ossl_bignum_dh##x##_q; \ + extern const BIGNUM ossl_bignum_dh##x##_g; \ declare_dh_bn(1024_160) declare_dh_bn(2048_224) declare_dh_bn(2048_256) -extern const BIGNUM _bignum_const_2; +extern const BIGNUM ossl_bignum_const_2; -extern const BIGNUM _bignum_ffdhe2048_p; -extern const BIGNUM _bignum_ffdhe3072_p; -extern const BIGNUM _bignum_ffdhe4096_p; -extern const BIGNUM _bignum_ffdhe6144_p; -extern const BIGNUM _bignum_ffdhe8192_p; -extern const BIGNUM _bignum_ffdhe2048_q; -extern const BIGNUM _bignum_ffdhe3072_q; -extern const BIGNUM _bignum_ffdhe4096_q; -extern const BIGNUM _bignum_ffdhe6144_q; -extern const BIGNUM _bignum_ffdhe8192_q; +extern const BIGNUM ossl_bignum_ffdhe2048_p; +extern const BIGNUM ossl_bignum_ffdhe3072_p; +extern const BIGNUM ossl_bignum_ffdhe4096_p; +extern const BIGNUM ossl_bignum_ffdhe6144_p; +extern const BIGNUM ossl_bignum_ffdhe8192_p; +extern const BIGNUM ossl_bignum_ffdhe2048_q; +extern const BIGNUM ossl_bignum_ffdhe3072_q; +extern const BIGNUM ossl_bignum_ffdhe4096_q; +extern const BIGNUM ossl_bignum_ffdhe6144_q; +extern const BIGNUM ossl_bignum_ffdhe8192_q; -extern const BIGNUM _bignum_modp_1536_p; -extern const BIGNUM _bignum_modp_2048_p; -extern const BIGNUM _bignum_modp_3072_p; -extern const BIGNUM _bignum_modp_4096_p; -extern const BIGNUM _bignum_modp_6144_p; -extern const BIGNUM _bignum_modp_8192_p; -extern const BIGNUM _bignum_modp_1536_q; -extern const BIGNUM _bignum_modp_2048_q; -extern const BIGNUM _bignum_modp_3072_q; -extern const BIGNUM _bignum_modp_4096_q; -extern const BIGNUM _bignum_modp_6144_q; -extern const BIGNUM _bignum_modp_8192_q; +extern const BIGNUM ossl_bignum_modp_1536_p; +extern const BIGNUM ossl_bignum_modp_2048_p; +extern const BIGNUM ossl_bignum_modp_3072_p; +extern const BIGNUM ossl_bignum_modp_4096_p; +extern const BIGNUM ossl_bignum_modp_6144_p; +extern const BIGNUM ossl_bignum_modp_8192_p; +extern const BIGNUM ossl_bignum_modp_1536_q; +extern const BIGNUM ossl_bignum_modp_2048_q; +extern const BIGNUM ossl_bignum_modp_3072_q; +extern const BIGNUM ossl_bignum_modp_4096_q; +extern const BIGNUM ossl_bignum_modp_6144_q; +extern const BIGNUM ossl_bignum_modp_8192_q; diff --git a/test/bn_internal_test.c b/test/bn_internal_test.c index 2dda2345cb..952369c7a1 100644 --- a/test/bn_internal_test.c +++ b/test/bn_internal_test.c @@ -34,7 +34,8 @@ static int test_is_prime_enhanced(void) /* test passing a prime returns the correct status */ && TEST_true(BN_set_word(bn, 11)) /* return extra parameters related to composite */ - && TEST_true(bn_miller_rabin_is_prime(bn, 10, ctx, NULL, 1, &status)) + && TEST_true(ossl_bn_miller_rabin_is_prime(bn, 10, ctx, NULL, 1, + &status)) && TEST_int_eq(status, BN_PRIMETEST_PROBABLY_PRIME); BN_free(bn); return ret; @@ -53,7 +54,8 @@ static int test_is_composite_enhanced(int id) ret = TEST_ptr(bn = BN_new()) /* negative tests for different composite numbers */ && TEST_true(BN_set_word(bn, composites[id])) - && TEST_true(bn_miller_rabin_is_prime(bn, 10, ctx, NULL, 1, &status)) + && TEST_true(ossl_bn_miller_rabin_is_prime(bn, 10, ctx, NULL, 1, + &status)) && TEST_int_ne(status, BN_PRIMETEST_PROBABLY_PRIME); BN_free(bn); @@ -78,7 +80,7 @@ static int test_bn_small_factors(void) if (p > 751) break; } - ret = TEST_BN_eq(bn_get0_small_factors(), b); + ret = TEST_BN_eq(ossl_bn_get0_small_factors(), b); err: BN_free(b); return ret; diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c index 302ec2c9b1..bd0ddb7371 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c @@ -93,7 +93,8 @@ static int test_dsa_param_keygen(int tstid) * these 'safe primes' should not be used normally for dsa *. */ static const BIGNUM *bn[] = { - &_bignum_dh2048_256_p, &_bignum_dh2048_256_q, &_bignum_dh2048_256_g + &ossl_bignum_dh2048_256_p, &ossl_bignum_dh2048_256_q, + &ossl_bignum_dh2048_256_g }; /* @@ -201,7 +202,8 @@ err: static int test_dh_safeprime_param_keygen(int tstid) { static const BIGNUM *bn[] = { - &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, &_bignum_const_2 + &ossl_bignum_ffdhe2048_p, &ossl_bignum_ffdhe2048_q, + &ossl_bignum_const_2 }; return do_dh_param_keygen(tstid, bn); } diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index e2c28d3565..fd0dcdd38a 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -523,11 +523,11 @@ static int test_fromdata_dh_named_group(void) &priv_out)) || !TEST_BN_eq(priv, priv_out) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_P, &p)) - || !TEST_BN_eq(&_bignum_ffdhe2048_p, p) + || !TEST_BN_eq(&ossl_bignum_ffdhe2048_p, p) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_Q, &q)) || !TEST_ptr(q) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_G, &g)) - || !TEST_BN_eq(&_bignum_const_2, g) + || !TEST_BN_eq(&ossl_bignum_const_2, g) || !TEST_false(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_COFACTOR, &j)) || !TEST_ptr_null(j) @@ -667,11 +667,11 @@ static int test_fromdata_dh_fips186_4(void) &priv_out)) || !TEST_BN_eq(priv, priv_out) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_P, &p)) - || !TEST_BN_eq(&_bignum_ffdhe2048_p, p) + || !TEST_BN_eq(&ossl_bignum_ffdhe2048_p, p) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_Q, &q)) || !TEST_ptr(q) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_G, &g)) - || !TEST_BN_eq(&_bignum_const_2, g) + || !TEST_BN_eq(&ossl_bignum_const_2, g) || !TEST_false(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_COFACTOR, &j)) || !TEST_ptr_null(j) From shane.lontis at oracle.com Fri Feb 26 01:36:01 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Fri, 26 Feb 2021 01:36:01 +0000 Subject: [openssl] master update Message-ID: <1614303361.499890.29386.nullmailer@dev.openssl.org> The branch master has been updated via 32ab57cbb4877ce7e6b4eb3f9b3cfbb0ff7cd10b (commit) via 5af02212a5331cc30389246bb94f97fbcdebc23a (commit) via 19dbb742cdf68d8ada6338a025491a3b46b9ebe1 (commit) from 94553e85b68af4513a8ee89cd2a0d4e044d75139 (commit) - Log ----------------------------------------------------------------- commit 32ab57cbb4877ce7e6b4eb3f9b3cfbb0ff7cd10b Author: Shane Lontis Date: Thu Feb 18 20:27:26 2021 +1000 Fix external symbols related to ec & sm2 keys Partial fix for #12964 This adds ossl_ names for the following symbols: ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_* Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14231) commit 5af02212a5331cc30389246bb94f97fbcdebc23a Author: Shane Lontis Date: Thu Feb 18 16:30:37 2021 +1000 Fix external symbols related to dsa keys Partial fix for #12964 This adds ossl_ names for the following symbols: dsa_check_pairwise, dsa_check_params, dsa_check_priv_key, dsa_check_pub_key, dsa_check_pub_key_partial, dsa_do_sign_int, dsa_ffc_params_fromdata, dsa_generate_ffc_parameters, dsa_generate_public_key, dsa_get0_params, dsa_key_fromdata, dsa_new_with_ctx, dsa_pkey_method, dsa_sign_int Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14231) commit 19dbb742cdf68d8ada6338a025491a3b46b9ebe1 Author: Shane Lontis Date: Thu Feb 18 15:56:53 2021 +1000 Fix external symbols related to dh keys Partial fix for #12964 This adds ossl_ names for the following symbols: dh_new_by_nid_ex, dh_new_ex, dh_generate_ffc_parameters, dh_generate_public_key, dh_get_named_group_uid_from_size, dh_gen_type_id2name, dh_gen_type_name2id, dh_cache_named_group, dh_get0_params, dh_get0_nid, dh_params_fromdata, dh_key_fromdata, dh_params_todata, dh_key_todata, dh_check_pub_key_partial, dh_check_priv_key, dh_check_pairwise, dh_get_method, dh_buf2key, dh_key2buf, dh_KDF_X9_42_asn1, dh_pkey_method, dhx_pkey_method Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14231) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_ameth.c | 12 +- crypto/dh/dh_asn1.c | 2 +- crypto/dh/dh_backend.c | 14 +- crypto/dh/dh_check.c | 8 +- crypto/dh/dh_gen.c | 10 +- crypto/dh/dh_group_params.c | 8 +- crypto/dh/dh_kdf.c | 15 +- crypto/dh/dh_key.c | 11 +- crypto/dh/dh_lib.c | 10 +- crypto/dh/dh_pmeth.c | 4 +- crypto/dsa/dsa_ameth.c | 6 +- crypto/dsa/dsa_backend.c | 2 +- crypto/dsa/dsa_check.c | 12 +- crypto/dsa/dsa_gen.c | 12 +- crypto/dsa/dsa_key.c | 6 +- crypto/dsa/dsa_lib.c | 10 +- crypto/dsa/dsa_local.h | 2 +- crypto/dsa/dsa_ossl.c | 4 +- crypto/dsa/dsa_pmeth.c | 2 +- crypto/dsa/dsa_sign.c | 9 +- crypto/ec/ec2_oct.c | 21 +- crypto/ec/ec2_smpl.c | 180 ++++---- crypto/ec/ec_ameth.c | 8 +- crypto/ec/ec_asn1.c | 2 +- crypto/ec/ec_backend.c | 52 +-- crypto/ec/ec_check.c | 2 +- crypto/ec/ec_curve.c | 12 +- crypto/ec/ec_cvt.c | 4 +- crypto/ec/ec_key.c | 46 +- crypto/ec/ec_kmeth.c | 6 +- crypto/ec/ec_lib.c | 45 +- crypto/ec/ec_local.h | 498 +++++++++++---------- crypto/ec/ec_mult.c | 29 +- crypto/ec/ec_oct.c | 19 +- crypto/ec/ec_pmeth.c | 8 +- crypto/ec/ecdh_kdf.c | 13 +- crypto/ec/ecdh_ossl.c | 4 +- crypto/ec/ecdsa_ossl.c | 18 +- crypto/ec/ecp_mont.c | 133 +++--- crypto/ec/ecp_nist.c | 99 ++-- crypto/ec/ecp_nistp224.c | 160 +++---- crypto/ec/ecp_nistp256.c | 158 +++---- crypto/ec/ecp_nistp521.c | 164 +++---- crypto/ec/ecp_nistputil.c | 7 +- crypto/ec/ecp_nistz256.c | 76 ++-- crypto/ec/ecp_oct.c | 19 +- crypto/ec/ecp_s390x_nistp.c | 80 ++-- crypto/ec/ecp_smpl.c | 215 ++++----- crypto/ec/ecx_backend.c | 8 +- crypto/ec/ecx_key.c | 12 +- crypto/ec/ecx_meth.c | 58 +-- crypto/evp/ctrl_params_translate.c | 10 +- crypto/evp/dh_support.c | 4 +- crypto/evp/ec_support.c | 12 +- crypto/evp/p_lib.c | 4 +- crypto/evp/pmeth_lib.c | 17 +- crypto/sm2/sm2_crypt.c | 42 +- crypto/sm2/sm2_key.c | 2 +- crypto/sm2/sm2_sign.c | 58 +-- include/crypto/dh.h | 65 +-- include/crypto/dsa.h | 31 +- include/crypto/ec.h | 68 +-- include/crypto/ecx.h | 29 +- include/crypto/evp.h | 16 +- include/crypto/sm2.h | 66 +-- providers/implementations/asymciphers/sm2_enc.c | 8 +- .../implementations/encode_decode/decode_der2key.c | 20 +- .../encode_decode/encode_key2text.c | 12 +- providers/implementations/exchange/dh_exch.c | 14 +- providers/implementations/exchange/ecdh_exch.c | 14 +- providers/implementations/exchange/ecx_exch.c | 18 +- providers/implementations/keymgmt/dh_kmgmt.c | 54 +-- providers/implementations/keymgmt/dsa_kmgmt.c | 34 +- providers/implementations/keymgmt/ec_kmgmt.c | 68 +-- providers/implementations/keymgmt/ecx_kmgmt.c | 55 +-- providers/implementations/signature/dsa.c | 2 +- providers/implementations/signature/eddsa.c | 6 +- providers/implementations/signature/sm2sig.c | 7 +- test/ec_internal_test.c | 4 +- test/ffc_internal_test.c | 8 +- test/sm2_internal_test.c | 21 +- 81 files changed, 1565 insertions(+), 1519 deletions(-) diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 1cf692ee13..338f308934 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -433,9 +433,9 @@ static int dh_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { switch (op) { case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: - return dh_buf2key(EVP_PKEY_get0_DH(pkey), arg2, arg1); + return ossl_dh_buf2key(EVP_PKEY_get0_DH(pkey), arg2, arg1); case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: - return dh_key2buf(EVP_PKEY_get0_DH(pkey), arg2, 0, 1); + return ossl_dh_key2buf(EVP_PKEY_get0_DH(pkey), arg2, 0, 1); default: return -2; } @@ -492,7 +492,7 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata, * If the DH method is foreign, then we can't be sure of anything, and * can therefore not export or pretend to export. */ - if (dh_get_method(dh) != DH_OpenSSL()) + if (ossl_dh_get_method(dh) != DH_OpenSSL()) return 0; if (p == NULL || g == NULL) @@ -543,7 +543,7 @@ static int dh_pkey_import_from_type(const OSSL_PARAM params[], void *vpctx, { EVP_PKEY_CTX *pctx = vpctx; EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx); - DH *dh = dh_new_ex(pctx->libctx); + DH *dh = ossl_dh_new_ex(pctx->libctx); if (dh == NULL) { ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); @@ -552,8 +552,8 @@ static int dh_pkey_import_from_type(const OSSL_PARAM params[], void *vpctx, DH_clear_flags(dh, DH_FLAG_TYPE_MASK); DH_set_flags(dh, type == EVP_PKEY_DH ? DH_FLAG_TYPE_DH : DH_FLAG_TYPE_DHX); - if (!dh_params_fromdata(dh, params) - || !dh_key_fromdata(dh, params) + if (!ossl_dh_params_fromdata(dh, params) + || !ossl_dh_key_fromdata(dh, params) || !EVP_PKEY_assign(pkey, type, dh)) { DH_free(dh); return 0; diff --git a/crypto/dh/dh_asn1.c b/crypto/dh/dh_asn1.c index 68013219e7..5c8af108f5 100644 --- a/crypto/dh/dh_asn1.c +++ b/crypto/dh/dh_asn1.c @@ -39,7 +39,7 @@ static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, DH_clear_flags(dh, DH_FLAG_TYPE_MASK); DH_set_flags(dh, DH_FLAG_TYPE_DH); - dh_cache_named_group(dh); + ossl_dh_cache_named_group(dh); dh->dirty_cnt++; } return 1; diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c index 41de7b9006..c848cb4870 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c @@ -30,17 +30,17 @@ static int dh_ffc_params_fromdata(DH *dh, const OSSL_PARAM params[]) if (dh == NULL) return 0; - ffc = dh_get0_params(dh); + ffc = ossl_dh_get0_params(dh); if (ffc == NULL) return 0; ret = ossl_ffc_params_fromdata(ffc, params); if (ret) - dh_cache_named_group(dh); /* This increments dh->dirty_cnt */ + ossl_dh_cache_named_group(dh); /* This increments dh->dirty_cnt */ return ret; } -int dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) +int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) { const OSSL_PARAM *param_priv_len; long priv_len; @@ -58,7 +58,7 @@ int dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) return 1; } -int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) +int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) { const OSSL_PARAM *param_priv_key, *param_pub_key; BIGNUM *priv_key = NULL, *pub_key = NULL; @@ -86,11 +86,11 @@ int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) return 0; } -int dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) +int ossl_dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) { long l = DH_get_length(dh); - if (!ossl_ffc_params_todata(dh_get0_params(dh), bld, params)) + if (!ossl_ffc_params_todata(ossl_dh_get0_params(dh), bld, params)) return 0; if (l > 0 && !ossl_param_build_set_long(bld, params, OSSL_PKEY_PARAM_DH_PRIV_LEN, l)) @@ -98,7 +98,7 @@ int dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) return 1; } -int dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) +int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) { const BIGNUM *priv = NULL, *pub = NULL; diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index 5cbbdbf8c5..90697340f7 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -243,12 +243,12 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) * To only be used with ephemeral FFC public keys generated using the approved * safe-prime groups. */ -int dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret) +int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret) { return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret); } -int dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret) +int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret) { int ok = 0; BIGNUM *two_powN = NULL, *upper; @@ -281,7 +281,7 @@ err: * FFC pairwise check from SP800-56A R3. * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency */ -int dh_check_pairwise(const DH *dh) +int ossl_dh_check_pairwise(const DH *dh) { int ret = 0; BN_CTX *ctx = NULL; @@ -301,7 +301,7 @@ int dh_check_pairwise(const DH *dh) goto err; /* recalculate the public key = (g ^ priv) mod p */ - if (!dh_generate_public_key(ctx, dh, dh->priv_key, pub_key)) + if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key)) goto err; /* check it matches the existing pubic_key */ ret = BN_cmp(pub_key, dh->pub_key) == 0; diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index bdc0dc79b8..aecf7195d8 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -35,8 +35,8 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); #endif /* FIPS_MODULE */ -int dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, - BN_GENCB *cb) +int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, + BN_GENCB *cb) { int ret, res; @@ -55,7 +55,7 @@ int dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, return ret; } -int dh_get_named_group_uid_from_size(int pbits) +int ossl_dh_get_named_group_uid_from_size(int pbits) { /* * Just choose an approved safe prime group. @@ -95,12 +95,12 @@ static int dh_gen_named_group(OSSL_LIB_CTX *libctx, DH *ret, int prime_len) { DH *dh; int ok = 0; - int nid = dh_get_named_group_uid_from_size(prime_len); + int nid = ossl_dh_get_named_group_uid_from_size(prime_len); if (nid == NID_undef) return 0; - dh = dh_new_by_nid_ex(libctx, nid); + dh = ossl_dh_new_by_nid_ex(libctx, nid); if (dh != NULL && ossl_ffc_params_copy(&ret->params, &dh->params)) { ok = 1; diff --git a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c index 0f66d8969d..72082d6f50 100644 --- a/crypto/dh/dh_group_params.c +++ b/crypto/dh/dh_group_params.c @@ -27,7 +27,7 @@ static DH *dh_param_init(OSSL_LIB_CTX *libctx, const DH_NAMED_GROUP *group) { - DH *dh = dh_new_ex(libctx); + DH *dh = ossl_dh_new_ex(libctx); if (dh == NULL) return NULL; @@ -39,7 +39,7 @@ static DH *dh_param_init(OSSL_LIB_CTX *libctx, const DH_NAMED_GROUP *group) return dh; } -DH *dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid) +DH *ossl_dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid) { const DH_NAMED_GROUP *group; @@ -52,10 +52,10 @@ DH *dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid) DH *DH_new_by_nid(int nid) { - return dh_new_by_nid_ex(NULL, nid); + return ossl_dh_new_by_nid_ex(NULL, nid); } -void dh_cache_named_group(DH *dh) +void ossl_dh_cache_named_group(DH *dh) { const DH_NAMED_GROUP *group; diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c index ea2cd6386c..e1753b0b69 100644 --- a/crypto/dh/dh_kdf.c +++ b/crypto/dh/dh_kdf.c @@ -25,11 +25,12 @@ #include /* Key derivation function from X9.63/SECG */ -int dh_KDF_X9_42_asn1(unsigned char *out, size_t outlen, - const unsigned char *Z, size_t Zlen, - const char *cek_alg, - const unsigned char *ukm, size_t ukmlen, const EVP_MD *md, - OSSL_LIB_CTX *libctx, const char *propq) +int ossl_dh_kdf_X9_42_asn1(unsigned char *out, size_t outlen, + const unsigned char *Z, size_t Zlen, + const char *cek_alg, + const unsigned char *ukm, size_t ukmlen, + const EVP_MD *md, + OSSL_LIB_CTX *libctx, const char *propq) { int ret = 0; EVP_KDF_CTX *kctx = NULL; @@ -78,7 +79,7 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen, if (key_alg == NULL) return 0; - return dh_KDF_X9_42_asn1(out, outlen, Z, Zlen, key_alg, - ukm, ukmlen, md, libctx, NULL); + return ossl_dh_kdf_X9_42_asn1(out, outlen, Z, Zlen, key_alg, + ukm, ukmlen, md, libctx, NULL); } #endif /* !defined(FIPS_MODULE) */ diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index f8cbbd593b..f282a12b4c 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -210,8 +210,8 @@ int DH_generate_key(DH *dh) #endif } -int dh_generate_public_key(BN_CTX *ctx, const DH *dh, const BIGNUM *priv_key, - BIGNUM *pub_key) +int ossl_dh_generate_public_key(BN_CTX *ctx, const DH *dh, + const BIGNUM *priv_key, BIGNUM *pub_key) { int ret = 0; BIGNUM *prk = BN_new(); @@ -344,7 +344,7 @@ static int generate_key(DH *dh) } } - if (!dh_generate_public_key(ctx, dh, priv_key, pub_key)) + if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) goto err; dh->pub_key = pub_key; @@ -363,7 +363,7 @@ static int generate_key(DH *dh) return ok; } -int dh_buf2key(DH *dh, const unsigned char *buf, size_t len) +int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len) { int err_reason = DH_R_BN_ERROR; BIGNUM *pubkey = NULL; @@ -394,7 +394,8 @@ err: return 0; } -size_t dh_key2buf(const DH *dh, unsigned char **pbuf_out, size_t size, int alloc) +size_t ossl_dh_key2buf(const DH *dh, unsigned char **pbuf_out, size_t size, + int alloc) { const BIGNUM *pubkey; unsigned char *pbuf = NULL; diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index e3db7a4929..78b984157d 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -47,7 +47,7 @@ int DH_set_method(DH *dh, const DH_METHOD *meth) return 1; } -const DH_METHOD *dh_get_method(const DH *dh) +const DH_METHOD *ossl_dh_get_method(const DH *dh) { return dh->meth; } @@ -64,7 +64,7 @@ DH *DH_new_method(ENGINE *engine) } #endif /* !FIPS_MODULE */ -DH *dh_new_ex(OSSL_LIB_CTX *libctx) +DH *ossl_dh_new_ex(OSSL_LIB_CTX *libctx) { return dh_new_intern(NULL, libctx); } @@ -230,7 +230,7 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) return 0; ossl_ffc_params_set0_pqg(&dh->params, p, q, g); - dh_cache_named_group(dh); + ossl_dh_cache_named_group(dh); dh->dirty_cnt++; return 1; } @@ -317,11 +317,11 @@ ENGINE *DH_get0_engine(DH *dh) } #endif /*FIPS_MODULE */ -FFC_PARAMS *dh_get0_params(DH *dh) +FFC_PARAMS *ossl_dh_get0_params(DH *dh) { return &dh->params; } -int dh_get0_nid(const DH *dh) +int ossl_dh_get0_nid(const DH *dh) { return dh->params.nid; } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 11f30ce702..4a18205a7f 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -509,7 +509,7 @@ static const EVP_PKEY_METHOD dh_pkey_meth = { pkey_dh_ctrl_str }; -const EVP_PKEY_METHOD *dh_pkey_method(void) +const EVP_PKEY_METHOD *ossl_dh_pkey_method(void) { return &dh_pkey_meth; } @@ -548,7 +548,7 @@ static const EVP_PKEY_METHOD dhx_pkey_meth = { pkey_dh_ctrl_str }; -const EVP_PKEY_METHOD *dhx_pkey_method(void) +const EVP_PKEY_METHOD *ossl_dhx_pkey_method(void) { return &dhx_pkey_meth; } diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 3b35a7005e..c073f6b799 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -539,15 +539,15 @@ static int dsa_pkey_import_from(const OSSL_PARAM params[], void *vpctx) { EVP_PKEY_CTX *pctx = vpctx; EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx); - DSA *dsa = dsa_new_with_ctx(pctx->libctx); + DSA *dsa = ossl_dsa_new(pctx->libctx); if (dsa == NULL) { ERR_raise(ERR_LIB_DSA, ERR_R_MALLOC_FAILURE); return 0; } - if (!dsa_ffc_params_fromdata(dsa, params) - || !dsa_key_fromdata(dsa, params) + if (!ossl_dsa_ffc_params_fromdata(dsa, params) + || !ossl_dsa_key_fromdata(dsa, params) || !EVP_PKEY_assign_DSA(pkey, dsa)) { DSA_free(dsa); return 0; diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index d24d08eebd..e6f8f3645e 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c @@ -22,7 +22,7 @@ * implementations alike. */ -int dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]) +int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]) { const OSSL_PARAM *param_priv_key, *param_pub_key; BIGNUM *priv_key = NULL, *pub_key = NULL; diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c index 7f56a785ab..705c7d22a0 100644 --- a/crypto/dsa/dsa_check.c +++ b/crypto/dsa/dsa_check.c @@ -19,7 +19,7 @@ #include "dsa_local.h" #include "crypto/dsa.h" -int dsa_check_params(const DSA *dsa, int checktype, int *ret) +int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) { if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, @@ -37,7 +37,7 @@ int dsa_check_params(const DSA *dsa, int checktype, int *ret) /* * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation. */ -int dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) +int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) { return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret); } @@ -47,12 +47,12 @@ int dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) * To only be used with ephemeral FFC public keys generated using the approved * safe-prime groups. */ -int dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) +int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) { return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret); } -int dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret) +int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret) { *ret = 0; @@ -64,7 +64,7 @@ int dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret) * FFC pairwise check from SP800-56A R3. * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency */ -int dsa_check_pairwise(const DSA *dsa) +int ossl_dsa_check_pairwise(const DSA *dsa) { int ret = 0; BN_CTX *ctx = NULL; @@ -84,7 +84,7 @@ int dsa_check_pairwise(const DSA *dsa) goto err; /* recalculate the public key = (g ^ priv) mod p */ - if (!dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key)) + if (!ossl_dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key)) goto err; /* check it matches the existing pubic_key */ ret = BN_cmp(pub_key, dsa->pub_key) == 0; diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 9d6d9a8d4a..2be9f48e27 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -23,8 +23,8 @@ #include "crypto/dsa.h" #include "dsa_local.h" -int dsa_generate_ffc_parameters(DSA *dsa, int type, int pbits, int qbits, - BN_GENCB *cb) +int ossl_dsa_generate_ffc_parameters(DSA *dsa, int type, int pbits, int qbits, + BN_GENCB *cb) { int ret = 0, res; @@ -59,12 +59,12 @@ int DSA_generate_parameters_ex(DSA *dsa, int bits, /* The old code used FIPS 186-2 DSA Parameter generation */ if (bits <= 1024 && seed_len == 20) { - if (!dsa_generate_ffc_parameters(dsa, DSA_PARAMGEN_TYPE_FIPS_186_2, - bits, 160, cb)) + if (!ossl_dsa_generate_ffc_parameters(dsa, DSA_PARAMGEN_TYPE_FIPS_186_2, + bits, 160, cb)) return 0; } else { - if (!dsa_generate_ffc_parameters(dsa, DSA_PARAMGEN_TYPE_FIPS_186_4, - bits, 0, cb)) + if (!ossl_dsa_generate_ffc_parameters(dsa, DSA_PARAMGEN_TYPE_FIPS_186_4, + bits, 0, cb)) return 0; } diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 8646d01957..2b7dc4e43d 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -40,8 +40,8 @@ int DSA_generate_key(DSA *dsa) return dsa_keygen(dsa, 0); } -int dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, const BIGNUM *priv_key, - BIGNUM *pub_key) +int ossl_dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, + const BIGNUM *priv_key, BIGNUM *pub_key) { int ret = 0; BIGNUM *prk = BN_new(); @@ -97,7 +97,7 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) pub_key = dsa->pub_key; } - if (!dsa_generate_public_key(ctx, dsa, priv_key, pub_key)) + if (!ossl_dsa_generate_public_key(ctx, dsa, priv_key, pub_key)) goto err; dsa->priv_key = priv_key; diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 7e5be3208d..5de633e11e 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -52,7 +52,7 @@ DH *DSA_dup_DH(const DSA *r) if (ret == NULL) goto err; - if (!ossl_ffc_params_copy(dh_get0_params(ret), &r->params)) + if (!ossl_ffc_params_copy(ossl_dh_get0_params(ret), &r->params)) goto err; if (r->pub_key != NULL) { @@ -190,7 +190,7 @@ DSA *DSA_new_method(ENGINE *engine) return dsa_new_intern(engine, NULL); } -DSA *dsa_new_with_ctx(OSSL_LIB_CTX *libctx) +DSA *ossl_dsa_new(OSSL_LIB_CTX *libctx) { return dsa_new_intern(NULL, libctx); } @@ -336,19 +336,19 @@ int DSA_bits(const DSA *dsa) return -1; } -FFC_PARAMS *dsa_get0_params(DSA *dsa) +FFC_PARAMS *ossl_dsa_get0_params(DSA *dsa) { return &dsa->params; } -int dsa_ffc_params_fromdata(DSA *dsa, const OSSL_PARAM params[]) +int ossl_dsa_ffc_params_fromdata(DSA *dsa, const OSSL_PARAM params[]) { int ret; FFC_PARAMS *ffc; if (dsa == NULL) return 0; - ffc = dsa_get0_params(dsa); + ffc = ossl_dsa_get0_params(dsa); if (ffc == NULL) return 0; diff --git a/crypto/dsa/dsa_local.h b/crypto/dsa/dsa_local.h index 240e84f11e..c4ed654b99 100644 --- a/crypto/dsa/dsa_local.h +++ b/crypto/dsa/dsa_local.h @@ -69,4 +69,4 @@ struct dsa_method { int (*dsa_keygen) (DSA *dsa); }; -DSA_SIG *dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa); +DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa); diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index bd51a2c716..2f8cbe8ad4 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -67,7 +67,7 @@ const DSA_METHOD *DSA_OpenSSL(void) return &openssl_dsa_meth; } -DSA_SIG *dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) +DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *kinv = NULL; BIGNUM *m, *blind, *blindm, *tmp; @@ -185,7 +185,7 @@ DSA_SIG *dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { - return dsa_do_sign_int(dgst, dlen, dsa); + return ossl_dsa_do_sign_int(dgst, dlen, dsa); } static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index 909be63867..e5709b62c9 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -281,7 +281,7 @@ static const EVP_PKEY_METHOD dsa_pkey_meth = { pkey_dsa_ctrl_str }; -const EVP_PKEY_METHOD *dsa_pkey_method(void) +const EVP_PKEY_METHOD *ossl_dsa_pkey_method(void) { return &dsa_pkey_meth; } diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index 0f866c12fe..84817d3009 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -150,8 +150,8 @@ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) return 1; } -int dsa_sign_int(int type, const unsigned char *dgst, - int dlen, unsigned char *sig, unsigned int *siglen, DSA *dsa) +int ossl_dsa_sign_int(int type, const unsigned char *dgst, int dlen, + unsigned char *sig, unsigned int *siglen, DSA *dsa) { DSA_SIG *s; @@ -159,7 +159,7 @@ int dsa_sign_int(int type, const unsigned char *dgst, if (dsa->libctx == NULL || dsa->meth != DSA_get_default_method()) s = DSA_do_sign(dgst, dlen, dsa); else - s = dsa_do_sign_int(dgst, dlen, dsa); + s = ossl_dsa_do_sign_int(dgst, dlen, dsa); if (s == NULL) { *siglen = 0; return 0; @@ -172,7 +172,7 @@ int dsa_sign_int(int type, const unsigned char *dgst, int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, DSA *dsa) { - return dsa_sign_int(type, dgst, dlen, sig, siglen, dsa); + return ossl_dsa_sign_int(type, dgst, dlen, sig, siglen, dsa); } /* data has already been hashed (probably with SHA or SHA-1). */ @@ -206,4 +206,3 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len, DSA_SIG_free(s); return ret; } - diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 5cfe28325c..7d894c4bef 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -36,10 +36,10 @@ * the same method, but claim no priority date earlier than July 29, 1994 * (and additionally fail to cite the EUROCRYPT '92 publication as prior art). */ -int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, - EC_POINT *point, - const BIGNUM *x_, int y_bit, - BN_CTX *ctx) +int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, + EC_POINT *point, + const BIGNUM *x_, int y_bit, + BN_CTX *ctx) { BIGNUM *tmp, *x, *y, *z; int ret = 0, z0; @@ -122,9 +122,10 @@ int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, * length will be returned. If the length len of buf is smaller than required * an error will be returned. */ -size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *ctx) +size_t ossl_ec_GF2m_simple_point2oct(const EC_GROUP *group, + const EC_POINT *point, + point_conversion_form_t form, + unsigned char *buf, size_t len, BN_CTX *ctx) { size_t ret; int used_ctx = 0; @@ -252,9 +253,9 @@ size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, * Converts an octet string representation to an EC_POINT. Note that the * simple implementation only uses affine coordinates. */ -int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, - const unsigned char *buf, size_t len, - BN_CTX *ctx) +int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, + const unsigned char *buf, size_t len, + BN_CTX *ctx) { point_conversion_form_t form; int y_bit, m; diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index abac2a5cae..f58ce3367f 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -25,7 +25,7 @@ * Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members * are handled by EC_GROUP_new. */ -int ec_GF2m_simple_group_init(EC_GROUP *group) +int ossl_ec_GF2m_simple_group_init(EC_GROUP *group) { group->field = BN_new(); group->a = BN_new(); @@ -44,7 +44,7 @@ int ec_GF2m_simple_group_init(EC_GROUP *group) * Free a GF(2^m)-based EC_GROUP structure. Note that all other members are * handled by EC_GROUP_free. */ -void ec_GF2m_simple_group_finish(EC_GROUP *group) +void ossl_ec_GF2m_simple_group_finish(EC_GROUP *group) { BN_free(group->field); BN_free(group->a); @@ -55,7 +55,7 @@ void ec_GF2m_simple_group_finish(EC_GROUP *group) * Clear and free a GF(2^m)-based EC_GROUP structure. Note that all other * members are handled by EC_GROUP_clear_free. */ -void ec_GF2m_simple_group_clear_finish(EC_GROUP *group) +void ossl_ec_GF2m_simple_group_clear_finish(EC_GROUP *group) { BN_clear_free(group->field); BN_clear_free(group->a); @@ -72,7 +72,7 @@ void ec_GF2m_simple_group_clear_finish(EC_GROUP *group) * Copy a GF(2^m)-based EC_GROUP structure. Note that all other members are * handled by EC_GROUP_copy. */ -int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) +int ossl_ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) { if (!BN_copy(dest->field, src->field)) return 0; @@ -98,9 +98,9 @@ int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) } /* Set the curve parameters of an EC_GROUP structure. */ -int ec_GF2m_simple_group_set_curve(EC_GROUP *group, - const BIGNUM *p, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GF2m_simple_group_set_curve(EC_GROUP *group, + const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) { int ret = 0, i; @@ -138,8 +138,8 @@ int ec_GF2m_simple_group_set_curve(EC_GROUP *group, * Get the curve parameters of an EC_GROUP structure. If p, a, or b are NULL * then there values will not be set but the method will return with success. */ -int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, - BIGNUM *a, BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, + BIGNUM *a, BIGNUM *b, BN_CTX *ctx) { int ret = 0; @@ -168,7 +168,7 @@ int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, * Gets the degree of the field. For a curve over GF(2^m) this is the value * m. */ -int ec_GF2m_simple_group_get_degree(const EC_GROUP *group) +int ossl_ec_GF2m_simple_group_get_degree(const EC_GROUP *group) { return BN_num_bits(group->field) - 1; } @@ -177,8 +177,8 @@ int ec_GF2m_simple_group_get_degree(const EC_GROUP *group) * Checks the discriminant of the curve. y^2 + x*y = x^3 + a*x^2 + b is an * elliptic curve <=> b != 0 (mod p) */ -int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, - BN_CTX *ctx) +int ossl_ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, + BN_CTX *ctx) { int ret = 0; BIGNUM *b; @@ -219,7 +219,7 @@ int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, } /* Initializes an EC_POINT. */ -int ec_GF2m_simple_point_init(EC_POINT *point) +int ossl_ec_GF2m_simple_point_init(EC_POINT *point) { point->X = BN_new(); point->Y = BN_new(); @@ -235,7 +235,7 @@ int ec_GF2m_simple_point_init(EC_POINT *point) } /* Frees an EC_POINT. */ -void ec_GF2m_simple_point_finish(EC_POINT *point) +void ossl_ec_GF2m_simple_point_finish(EC_POINT *point) { BN_free(point->X); BN_free(point->Y); @@ -243,7 +243,7 @@ void ec_GF2m_simple_point_finish(EC_POINT *point) } /* Clears and frees an EC_POINT. */ -void ec_GF2m_simple_point_clear_finish(EC_POINT *point) +void ossl_ec_GF2m_simple_point_clear_finish(EC_POINT *point) { BN_clear_free(point->X); BN_clear_free(point->Y); @@ -255,7 +255,7 @@ void ec_GF2m_simple_point_clear_finish(EC_POINT *point) * Copy the contents of one EC_POINT into another. Assumes dest is * initialized. */ -int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src) +int ossl_ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src) { if (!BN_copy(dest->X, src->X)) return 0; @@ -273,8 +273,8 @@ int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src) * Set an EC_POINT to the point at infinity. A point at infinity is * represented by having Z=0. */ -int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, - EC_POINT *point) +int ossl_ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, + EC_POINT *point) { point->Z_is_one = 0; BN_zero(point->Z); @@ -285,10 +285,11 @@ int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, * Set the coordinates of an EC_POINT using affine coordinates. Note that * the simple implementation only uses affine coordinates. */ -int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, - EC_POINT *point, - const BIGNUM *x, - const BIGNUM *y, BN_CTX *ctx) +int ossl_ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, + EC_POINT *point, + const BIGNUM *x, + const BIGNUM *y, + BN_CTX *ctx) { int ret = 0; if (x == NULL || y == NULL) { @@ -316,10 +317,10 @@ int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, * Gets the affine coordinates of an EC_POINT. Note that the simple * implementation only uses affine coordinates. */ -int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx) +int ossl_ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx) { int ret = 0; @@ -352,8 +353,8 @@ int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, * Computes a + b and stores the result in r. r could be a or b, a could be * b. Uses algorithm A.10.2 of IEEE P1363. */ -int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, - const EC_POINT *b, BN_CTX *ctx) +int ossl_ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, + const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) { BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t; int ret = 0; @@ -473,13 +474,14 @@ int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, * Computes 2 * a and stores the result in r. r could be a. Uses algorithm * A.10.2 of IEEE P1363. */ -int ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, - BN_CTX *ctx) +int ossl_ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, + const EC_POINT *a, BN_CTX *ctx) { - return ec_GF2m_simple_add(group, r, a, a, ctx); + return ossl_ec_GF2m_simple_add(group, r, a, a, ctx); } -int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) +int ossl_ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, + BN_CTX *ctx) { if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y)) /* point is its own inverse */ @@ -492,8 +494,8 @@ int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) } /* Indicates whether the given point is the point at infinity. */ -int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, - const EC_POINT *point) +int ossl_ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, + const EC_POINT *point) { return BN_is_zero(point->Z); } @@ -503,8 +505,8 @@ int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation: * y^2 + x*y = x^3 + a*x^2 + b. */ -int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, - BN_CTX *ctx) +int ossl_ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, + BN_CTX *ctx) { int ret = -1; BIGNUM *lh, *y2; @@ -576,8 +578,8 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, * 0 equal (in affine coordinates) * 1 not equal */ -int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, - const EC_POINT *b, BN_CTX *ctx) +int ossl_ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, + const EC_POINT *b, BN_CTX *ctx) { BIGNUM *aX, *aY, *bX, *bY; int ret = -1; @@ -627,8 +629,8 @@ int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, } /* Forces the given EC_POINT to internally use affine coordinates. */ -int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, - BN_CTX *ctx) +int ossl_ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, + BN_CTX *ctx) { BIGNUM *x, *y; int ret = 0; @@ -676,8 +678,8 @@ int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, /* * Forces each of the EC_POINTs in the given array to use affine coordinates. */ -int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num, - EC_POINT *points[], BN_CTX *ctx) +int ossl_ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num, + EC_POINT *points[], BN_CTX *ctx) { size_t i; @@ -690,22 +692,22 @@ int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num, } /* Wrapper to simple binary polynomial field multiplication implementation. */ -int ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, - const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, + const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx); } /* Wrapper to simple binary polynomial field squaring implementation. */ -int ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, - const BIGNUM *a, BN_CTX *ctx) +int ossl_ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, + const BIGNUM *a, BN_CTX *ctx) { return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx); } /* Wrapper to simple binary polynomial field division implementation. */ -int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, - const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, + const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { return BN_GF2m_mod_div(r, a, b, group->field, ctx); } @@ -887,15 +889,15 @@ int ec_GF2m_simple_points_mul(const EC_GROUP *group, EC_POINT *r, * order or cofactor set to 0. */ if (num > 1 || BN_is_zero(group->order) || BN_is_zero(group->cofactor)) - return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); + return ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); if (scalar != NULL && num == 0) /* Fixed point multiplication */ - return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx); + return ossl_ec_scalar_mul_ladder(group, r, scalar, NULL, ctx); if (scalar == NULL && num == 1) /* Variable point multiplication */ - return ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx); + return ossl_ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx); /*- * Double point multiplication: @@ -907,8 +909,8 @@ int ec_GF2m_simple_points_mul(const EC_GROUP *group, EC_POINT *r, return 0; } - if (!ec_scalar_mul_ladder(group, t, scalar, NULL, ctx) - || !ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx) + if (!ossl_ec_scalar_mul_ladder(group, t, scalar, NULL, ctx) + || !ossl_ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx) || !EC_POINT_add(group, r, t, r, ctx)) goto err; @@ -939,55 +941,55 @@ const EC_METHOD *EC_GF2m_simple_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_characteristic_two_field, - ec_GF2m_simple_group_init, - ec_GF2m_simple_group_finish, - ec_GF2m_simple_group_clear_finish, - ec_GF2m_simple_group_copy, - ec_GF2m_simple_group_set_curve, - ec_GF2m_simple_group_get_curve, - ec_GF2m_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GF2m_simple_group_check_discriminant, - ec_GF2m_simple_point_init, - ec_GF2m_simple_point_finish, - ec_GF2m_simple_point_clear_finish, - ec_GF2m_simple_point_copy, - ec_GF2m_simple_point_set_to_infinity, - ec_GF2m_simple_point_set_affine_coordinates, - ec_GF2m_simple_point_get_affine_coordinates, + ossl_ec_GF2m_simple_group_init, + ossl_ec_GF2m_simple_group_finish, + ossl_ec_GF2m_simple_group_clear_finish, + ossl_ec_GF2m_simple_group_copy, + ossl_ec_GF2m_simple_group_set_curve, + ossl_ec_GF2m_simple_group_get_curve, + ossl_ec_GF2m_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GF2m_simple_group_check_discriminant, + ossl_ec_GF2m_simple_point_init, + ossl_ec_GF2m_simple_point_finish, + ossl_ec_GF2m_simple_point_clear_finish, + ossl_ec_GF2m_simple_point_copy, + ossl_ec_GF2m_simple_point_set_to_infinity, + ossl_ec_GF2m_simple_point_set_affine_coordinates, + ossl_ec_GF2m_simple_point_get_affine_coordinates, 0, /* point_set_compressed_coordinates */ 0, /* point2oct */ 0, /* oct2point */ - ec_GF2m_simple_add, - ec_GF2m_simple_dbl, - ec_GF2m_simple_invert, - ec_GF2m_simple_is_at_infinity, - ec_GF2m_simple_is_on_curve, - ec_GF2m_simple_cmp, - ec_GF2m_simple_make_affine, - ec_GF2m_simple_points_make_affine, + ossl_ec_GF2m_simple_add, + ossl_ec_GF2m_simple_dbl, + ossl_ec_GF2m_simple_invert, + ossl_ec_GF2m_simple_is_at_infinity, + ossl_ec_GF2m_simple_is_on_curve, + ossl_ec_GF2m_simple_cmp, + ossl_ec_GF2m_simple_make_affine, + ossl_ec_GF2m_simple_points_make_affine, ec_GF2m_simple_points_mul, 0, /* precompute_mult */ 0, /* have_precompute_mult */ - ec_GF2m_simple_field_mul, - ec_GF2m_simple_field_sqr, - ec_GF2m_simple_field_div, + ossl_ec_GF2m_simple_field_mul, + ossl_ec_GF2m_simple_field_sqr, + ossl_ec_GF2m_simple_field_div, ec_GF2m_simple_field_inv, 0, /* field_encode */ 0, /* field_decode */ 0, /* field_set_to_one */ - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, 0, /* field_inverse_mod_ord */ 0, /* blind_coordinates */ ec_GF2m_simple_ladder_pre, diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index fe1e1c9a8f..89241b97c1 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -584,7 +584,7 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, BN_CTX_start(bnctx); /* export the domain parameters */ - if (!ec_group_todata(ecg, tmpl, NULL, libctx, propq, bnctx, &gen_buf)) + if (!ossl_ec_group_todata(ecg, tmpl, NULL, libctx, propq, bnctx, &gen_buf)) goto err; selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; @@ -695,9 +695,9 @@ static int ec_pkey_import_from(const OSSL_PARAM params[], void *vpctx) return 0; } - if (!ec_group_fromdata(ec, params) - || !ec_key_otherparams_fromdata(ec, params) - || !ec_key_fromdata(ec, params, 1) + if (!ossl_ec_group_fromdata(ec, params) + || !ossl_ec_key_otherparams_fromdata(ec, params) + || !ossl_ec_key_fromdata(ec, params, 1) || !EVP_PKEY_assign_EC_KEY(pkey, ec)) { EC_KEY_free(ec); return 0; diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index cd38ab6b04..b66e4a8b57 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -768,7 +768,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; } - if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) { + if ((curve_name = ossl_ec_curve_nid_from_params(dup, ctx)) != NID_undef) { /* * The input explicit parameters successfully matched one of the * built-in curves: often for built-in curves we have specialized diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c index 60c5687602..c4a5a81fda 100644 --- a/crypto/ec/ec_backend.c +++ b/crypto/ec/ec_backend.c @@ -41,7 +41,7 @@ static const OSSL_ITEM format_nameid_map[] = { { (int)POINT_CONVERSION_HYBRID, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID }, }; -int ec_encoding_name2id(const char *name) +int ossl_ec_encoding_name2id(const char *name) { size_t i, sz; @@ -67,7 +67,7 @@ static char *ec_param_encoding_id2name(int id) return NULL; } -char *ec_check_group_type_id2name(int id) +char *ossl_ec_check_group_type_id2name(int id) { size_t i, sz; @@ -93,7 +93,7 @@ static int ec_check_group_type_name2id(const char *name) return -1; } -int ec_set_check_group_type_from_name(EC_KEY *ec, const char *name) +int ossl_ec_set_check_group_type_from_name(EC_KEY *ec, const char *name) { int flags = ec_check_group_type_name2id(name); @@ -119,11 +119,11 @@ static int ec_set_check_group_type_from_param(EC_KEY *ec, const OSSL_PARAM *p) break; } if (status) - return ec_set_check_group_type_from_name(ec, name); + return ossl_ec_set_check_group_type_from_name(ec, name); return 0; } -int ec_pt_format_name2id(const char *name) +int ossl_ec_pt_format_name2id(const char *name) { size_t i, sz; @@ -138,7 +138,7 @@ int ec_pt_format_name2id(const char *name) return -1; } -char *ec_pt_format_id2name(int id) +char *ossl_ec_pt_format_id2name(int id) { size_t i, sz; @@ -149,10 +149,10 @@ char *ec_pt_format_id2name(int id) return NULL; } -int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, - OSSL_PARAM params[], OSSL_LIB_CTX *libctx, - const char *propq, - BN_CTX *bnctx, unsigned char **genbuf) +int ossl_ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, + OSSL_PARAM params[], OSSL_LIB_CTX *libctx, + const char *propq, + BN_CTX *bnctx, unsigned char **genbuf) { int ret = 0, curve_nid, encoding_flag; const char *field_type, *encoding_name, *pt_form_name; @@ -169,7 +169,7 @@ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, } genform = EC_GROUP_get_point_conversion_form(group); - pt_form_name = ec_pt_format_id2name(genform); + pt_form_name = ossl_ec_pt_format_id2name(genform); if (pt_form_name == NULL || !ossl_param_build_set_utf8_string( tmpl, params, @@ -271,7 +271,7 @@ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, #endif } else { /* named curve */ - const char *curve_name = ec_curve_nid2name(curve_nid); + const char *curve_name = ossl_ec_curve_nid2name(curve_nid); if (curve_name == NULL || !ossl_param_build_set_utf8_string(tmpl, params, @@ -291,7 +291,7 @@ err: * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider * implementations alike. */ -int ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode) +int ossl_ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode) { const EC_GROUP *ecg = EC_KEY_get0_group(ec); const BIGNUM *cofactor; @@ -321,14 +321,14 @@ int ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode) } /* - * Callers of ec_key_fromdata MUST make sure that ec_key_params_fromdata has + * Callers of ossl_ec_key_fromdata MUST make sure that ec_key_params_fromdata has * been called before! * * This function only gets the bare keypair, domain parameters and other * parameters are treated separately, and domain parameters are required to * define a keypair. */ -int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) +int ossl_ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) { const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL; BN_CTX *ctx = NULL; @@ -349,7 +349,7 @@ int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); - ctx = BN_CTX_new_ex(ec_key_get_libctx(ec)); + ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec)); if (ctx == NULL) goto err; @@ -431,7 +431,7 @@ int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) return ok; } -int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) +int ossl_ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) { int ok = 0; EC_GROUP *group = NULL; @@ -439,8 +439,8 @@ int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) if (ec == NULL) return 0; - group = EC_GROUP_new_from_params(params, ec_key_get_libctx(ec), - ec_key_get0_propq(ec)); + group = EC_GROUP_new_from_params(params, ossl_ec_key_get_libctx(ec), + ossl_ec_key_get0_propq(ec)); if (!EC_KEY_set_group(ec, group)) goto err; @@ -457,7 +457,7 @@ static int ec_key_point_format_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT); if (p != NULL) { - if (!ec_pt_format_param2id(p, &format)) { + if (!ossl_ec_pt_format_param2id(p, &format)) { ECerr(0, EC_R_INVALID_FORM); return 0; } @@ -488,7 +488,7 @@ static int ec_set_include_public(EC_KEY *ec, int include) return 1; } -int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) +int ossl_ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) { const OSSL_PARAM *p; @@ -500,7 +500,7 @@ int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) int mode; if (!OSSL_PARAM_get_int(p, &mode) - || !ec_set_ecdh_cofactor_mode(ec, mode)) + || !ossl_ec_set_ecdh_cofactor_mode(ec, mode)) return 0; } @@ -519,7 +519,7 @@ int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) return 1; } -int ec_encoding_param2id(const OSSL_PARAM *p, int *id) +int ossl_ec_encoding_param2id(const OSSL_PARAM *p, int *id) { const char *name = NULL; int status = 0; @@ -535,7 +535,7 @@ int ec_encoding_param2id(const OSSL_PARAM *p, int *id) break; } if (status) { - int i = ec_encoding_name2id(name); + int i = ossl_ec_encoding_name2id(name); if (i >= 0) { *id = i; @@ -545,7 +545,7 @@ int ec_encoding_param2id(const OSSL_PARAM *p, int *id) return 0; } -int ec_pt_format_param2id(const OSSL_PARAM *p, int *id) +int ossl_ec_pt_format_param2id(const OSSL_PARAM *p, int *id) { const char *name = NULL; int status = 0; @@ -561,7 +561,7 @@ int ec_pt_format_param2id(const OSSL_PARAM *p, int *id) break; } if (status) { - int i = ec_pt_format_name2id(name); + int i = ossl_ec_pt_format_name2id(name); if (i >= 0) { *id = i; diff --git a/crypto/ec/ec_check.c b/crypto/ec/ec_check.c index 6af002c0a8..1d25010394 100644 --- a/crypto/ec/ec_check.c +++ b/crypto/ec/ec_check.c @@ -35,7 +35,7 @@ int EC_GROUP_check_named_curve(const EC_GROUP *group, int nist_only, } } - nid = ec_curve_nid_from_params(group, ctx); + nid = ossl_ec_curve_nid_from_params(group, ctx); if (nid > 0 && nist_only && EC_curve_nid2nist(nid) == NULL) nid = NID_undef; diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 2fedaf0490..31215dc7ab 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -3147,8 +3147,8 @@ static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx, /* If no curve data curve method must handle everything */ if (curve.data == NULL) - return ec_group_new_ex(libctx, propq, - curve.meth != NULL ? curve.meth() : NULL); + return ossl_ec_group_new_ex(libctx, propq, + curve.meth != NULL ? curve.meth() : NULL); if ((ctx = BN_CTX_new_ex(libctx)) == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); @@ -3170,7 +3170,7 @@ static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx, if (curve.meth != 0) { meth = curve.meth(); - if (((group = ec_group_new_ex(libctx, propq, meth)) == NULL) || + if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) || (!(group->meth->group_set_curve(group, p, a, b, ctx)))) { ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; @@ -3286,12 +3286,12 @@ size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) const char *EC_curve_nid2nist(int nid) { - return ec_curve_nid2nist_int(nid); + return ossl_ec_curve_nid2nist_int(nid); } int EC_curve_nist2nid(const char *name) { - return ec_curve_nist2nid_int(name); + return ossl_ec_curve_nist2nid_int(name); } #define NUM_BN_FIELDS 6 @@ -3303,7 +3303,7 @@ int EC_curve_nist2nid(const char *name) * Returns: The nid associated with the found named curve, or NID_undef * if not found. If there was an error it returns -1. */ -int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) +int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) { int ret = -1, nid, len, field_type, param_len; size_t i, seed_len; diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c index 00a5c48c8f..30ee061123 100644 --- a/crypto/ec/ec_cvt.c +++ b/crypto/ec/ec_cvt.c @@ -54,7 +54,7 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, meth = EC_GFp_mont_method(); #endif - ret = ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); + ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); if (ret == NULL) return NULL; @@ -75,7 +75,7 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, meth = EC_GF2m_simple_method(); - ret = ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); + ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); if (ret == NULL) return NULL; diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 30c524726d..50b53f97ed 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -30,13 +30,13 @@ static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb, #ifndef FIPS_MODULE EC_KEY *EC_KEY_new(void) { - return ec_key_new_method_int(NULL, NULL, NULL); + return ossl_ec_key_new_method_int(NULL, NULL, NULL); } #endif EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq) { - return ec_key_new_method_int(ctx, propq, NULL); + return ossl_ec_key_new_method_int(ctx, propq, NULL); } EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq, @@ -122,7 +122,8 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) if (src->group != NULL) { /* clear the old group */ EC_GROUP_free(dest->group); - dest->group = ec_group_new_ex(src->libctx, src->propq, src->group->meth); + dest->group = ossl_ec_group_new_ex(src->libctx, src->propq, + src->group->meth); if (dest->group == NULL) return NULL; if (!EC_GROUP_copy(dest->group, src->group)) @@ -183,8 +184,8 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) EC_KEY *EC_KEY_dup(const EC_KEY *ec_key) { - EC_KEY *ret = ec_key_new_method_int(ec_key->libctx, ec_key->propq, - ec_key->engine); + EC_KEY *ret = ossl_ec_key_new_method_int(ec_key->libctx, ec_key->propq, + ec_key->engine); if (ret == NULL) return NULL; @@ -357,12 +358,12 @@ err: return ok; } -int ec_key_simple_generate_key(EC_KEY *eckey) +int ossl_ec_key_simple_generate_key(EC_KEY *eckey) { return ec_generate_key(eckey, 0); } -int ec_key_simple_generate_public_key(EC_KEY *eckey) +int ossl_ec_key_simple_generate_public_key(EC_KEY *eckey) { int ret; BN_CTX *ctx = BN_CTX_new_ex(eckey->libctx); @@ -445,7 +446,7 @@ err: * ECC Partial Public-Key Validation as specified in SP800-56A R3 * Section 5.6.2.3.4 ECC Partial Public-Key Validation Routine. */ -int ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx) +int ossl_ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx) { if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER); @@ -476,13 +477,13 @@ int ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx) * ECC Key validation as specified in SP800-56A R3. * Section 5.6.2.3.3 ECC Full Public-Key Validation Routine. */ -int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) +int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) { int ret = 0; EC_POINT *point = NULL; const BIGNUM *order = NULL; - if (!ec_key_public_check_quick(eckey, ctx)) + if (!ossl_ec_key_public_check_quick(eckey, ctx)) return 0; point = EC_POINT_new(eckey->group); @@ -514,7 +515,7 @@ err: * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity * The private key is in the range [1, order-1] */ -int ec_key_private_check(const EC_KEY *eckey) +int ossl_ec_key_private_check(const EC_KEY *eckey) { if (eckey == NULL || eckey->group == NULL || eckey->priv_key == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER); @@ -533,7 +534,7 @@ int ec_key_private_check(const EC_KEY *eckey) * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency (b) * Check if generator * priv_key = pub_key */ -int ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx) +int ossl_ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx) { int ret = 0; EC_POINT *point = NULL; @@ -576,7 +577,7 @@ err: * an approved elliptic-curve group is used. * Returns 1 if the key is valid, otherwise it returns 0. */ -int ec_key_simple_check_key(const EC_KEY *eckey) +int ossl_ec_key_simple_check_key(const EC_KEY *eckey) { int ok = 0; BN_CTX *ctx = NULL; @@ -588,12 +589,12 @@ int ec_key_simple_check_key(const EC_KEY *eckey) if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL) return 0; - if (!ec_key_public_check(eckey, ctx)) + if (!ossl_ec_key_public_check(eckey, ctx)) goto err; if (eckey->priv_key != NULL) { - if (!ec_key_private_check(eckey) - || !ec_key_pairwise_check(eckey, ctx)) + if (!ossl_ec_key_private_check(eckey) + || !ossl_ec_key_pairwise_check(eckey, ctx)) goto err; } ok = 1; @@ -660,17 +661,17 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, } -OSSL_LIB_CTX *ec_key_get_libctx(const EC_KEY *key) +OSSL_LIB_CTX *ossl_ec_key_get_libctx(const EC_KEY *key) { return key->libctx; } -const char *ec_key_get0_propq(const EC_KEY *key) +const char *ossl_ec_key_get0_propq(const EC_KEY *key) { return key->propq; } -void ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx) +void ossl_ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx) { key->libctx = libctx; /* Do we need to propagate this to the group? */ @@ -903,8 +904,8 @@ size_t EC_KEY_priv2oct(const EC_KEY *eckey, return eckey->group->meth->priv2oct(eckey, buf, len); } -size_t ec_key_simple_priv2oct(const EC_KEY *eckey, - unsigned char *buf, size_t len) +size_t ossl_ec_key_simple_priv2oct(const EC_KEY *eckey, + unsigned char *buf, size_t len) { size_t buf_len; @@ -942,7 +943,8 @@ int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len) return ret; } -int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len) +int ossl_ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, + size_t len) { if (eckey->priv_key == NULL) eckey->priv_key = BN_secure_new(); diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c index ea3a077ad2..4298bcc401 100644 --- a/crypto/ec/ec_kmeth.c +++ b/crypto/ec/ec_kmeth.c @@ -76,8 +76,8 @@ int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth) return 1; } -EC_KEY *ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, - ENGINE *engine) +EC_KEY *ossl_ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, + ENGINE *engine) { EC_KEY *ret = OPENSSL_zalloc(sizeof(*ret)); @@ -145,7 +145,7 @@ EC_KEY *ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, #ifndef FIPS_MODULE EC_KEY *EC_KEY_new_method(ENGINE *engine) { - return ec_key_new_method_int(NULL, NULL, engine); + return ossl_ec_key_new_method_int(NULL, NULL, engine); } #endif diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 71cb45ca19..3d3cf96962 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -26,8 +26,8 @@ /* functions for EC_GROUP objects */ -EC_GROUP *ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, - const EC_METHOD *meth) +EC_GROUP *ossl_ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, + const EC_METHOD *meth) { EC_GROUP *ret; @@ -81,7 +81,7 @@ EC_GROUP *ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, # ifndef FIPS_MODULE EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) { - return ec_group_new_ex(NULL, NULL, meth); + return ossl_ec_group_new_ex(NULL, NULL, meth); } # endif #endif @@ -271,7 +271,7 @@ EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) if (a == NULL) return NULL; - if ((t = ec_group_new_ex(a->libctx, a->propq, a->meth)) == NULL) + if ((t = ossl_ec_group_new_ex(a->libctx, a->propq, a->meth)) == NULL) return NULL; if (!EC_GROUP_copy(t, a)) goto err; @@ -836,7 +836,8 @@ int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, ERR_raise(ERR_LIB_EC, EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return ec_GFp_simple_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx); + return ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, point, + x, y, z, ctx); } int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, @@ -852,7 +853,8 @@ int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, ERR_raise(ERR_LIB_EC, EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return ec_GFp_simple_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx); + return ossl_ec_GFp_simple_get_Jprojective_coordinates_GFp(group, point, + x, y, z, ctx); } #endif @@ -1101,7 +1103,7 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, ret = group->meth->mul(group, r, scalar, num, points, scalars, ctx); else /* use default */ - ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); + ret = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); #ifndef FIPS_MODULE BN_CTX_free(new_ctx); @@ -1142,7 +1144,7 @@ int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, ret = group->meth->mul(group, r, g_scalar, num, &point, &p_scalar, ctx); else /* use default */ - ret = ec_wNAF_mul(group, r, g_scalar, num, &point, &p_scalar, ctx); + ret = ossl_ec_wNAF_mul(group, r, g_scalar, num, &point, &p_scalar, ctx); #ifndef FIPS_MODULE BN_CTX_free(new_ctx); @@ -1155,7 +1157,7 @@ int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { if (group->meth->mul == 0) /* use default */ - return ec_wNAF_precompute_mult(group, ctx); + return ossl_ec_wNAF_precompute_mult(group, ctx); if (group->meth->precompute_mult != 0) return group->meth->precompute_mult(group, ctx); @@ -1167,7 +1169,7 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group) { if (group->meth->mul == 0) /* use default */ - return ec_wNAF_have_precompute_mult(group); + return ossl_ec_wNAF_have_precompute_mult(group); if (group->meth->have_precompute_mult != 0) return group->meth->have_precompute_mult(group); @@ -1222,7 +1224,7 @@ void *EC_KEY_get_ex_data(const EC_KEY *key, int idx) } #endif -int ec_group_simple_order_bits(const EC_GROUP *group) +int ossl_ec_group_simple_order_bits(const EC_GROUP *group) { if (group->order == NULL) return 0; @@ -1290,8 +1292,8 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, * EC_METHODs must implement their own field_inverse_mod_ord for * other functionality. */ -int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, - const BIGNUM *x, BN_CTX *ctx) +int ossl_ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, + const BIGNUM *x, BN_CTX *ctx) { if (group->meth->field_inverse_mod_ord != NULL) return group->meth->field_inverse_mod_ord(group, res, x, ctx); @@ -1309,7 +1311,8 @@ int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, * This wrapper returns 1 in case the underlying EC_METHOD does not * support coordinate blinding. */ -int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx) +int ossl_ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, + BN_CTX *ctx) { if (group->meth->blind_coordinates == NULL) return 1; /* ignore if not implemented */ @@ -1411,7 +1414,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group, || EC_GROUP_set_seed(dup, NULL, 0) != 1 || !EC_GROUP_set_generator(dup, point, order, NULL)) goto err; - if ((curve_name_nid = ec_curve_nid_from_params(dup, ctx)) != NID_undef) { + if ((curve_name_nid = ossl_ec_curve_nid_from_params(dup, ctx)) != NID_undef) { /* * The input explicit parameters successfully matched one of the * built-in curves: often for built-in curves we have specialized @@ -1483,7 +1486,7 @@ static EC_GROUP *group_new_from_name(const OSSL_PARAM *p, } if (ok) { - nid = ec_curve_name2nid(curve_name); + nid = ossl_ec_curve_name2nid(curve_name); if (nid == NID_undef) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE); return NULL; @@ -1495,14 +1498,14 @@ static EC_GROUP *group_new_from_name(const OSSL_PARAM *p, } /* These parameters can be set directly into an EC_GROUP */ -int ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]) +int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]) { int encoding_flag = -1, format = -1; const OSSL_PARAM *p; p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT); if (p != NULL) { - if (!ec_pt_format_param2id(p, &format)) { + if (!ossl_ec_pt_format_param2id(p, &format)) { ECerr(0, EC_R_INVALID_FORM); return 0; } @@ -1511,7 +1514,7 @@ int ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING); if (p != NULL) { - if (!ec_encoding_param2id(p, &encoding_flag)) { + if (!ossl_ec_encoding_param2id(p, &encoding_flag)) { ECerr(0, EC_R_INVALID_FORM); return 0; } @@ -1549,7 +1552,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], if (ptmp != NULL) { group = group_new_from_name(ptmp, libctx, propq); if (group != NULL) { - if (!ec_group_set_params(group, params)) { + if (!ossl_ec_group_set_params(group, params)) { EC_GROUP_free(group); group = NULL; } @@ -1706,7 +1709,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], */ ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING); if (ptmp != NULL - && !ec_encoding_param2id(ptmp, &encoding_flag)) { + && !ossl_ec_encoding_param2id(ptmp, &encoding_flag)) { ECerr(0, EC_R_INVALID_ENCODING); return 0; } diff --git a/crypto/ec/ec_local.h b/crypto/ec/ec_local.h index 004cfbd8d4..7ab5bd649c 100644 --- a/crypto/ec/ec_local.h +++ b/crypto/ec/ec_local.h @@ -349,249 +349,249 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *); * method functions in ec_mult.c (ec_lib.c uses these as defaults if * group->method->mul is 0) */ -int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], - BN_CTX *); -int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *); -int ec_wNAF_have_precompute_mult(const EC_GROUP *group); +int ossl_ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + size_t num, const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *); +int ossl_ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *); +int ossl_ec_wNAF_have_precompute_mult(const EC_GROUP *group); /* method functions in ecp_smpl.c */ -int ec_GFp_simple_group_init(EC_GROUP *); -void ec_GFp_simple_group_finish(EC_GROUP *); -void ec_GFp_simple_group_clear_finish(EC_GROUP *); -int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); -int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, BN_CTX *); -int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, - BIGNUM *b, BN_CTX *); -int ec_GFp_simple_group_get_degree(const EC_GROUP *); -int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); -int ec_GFp_simple_point_init(EC_POINT *); -void ec_GFp_simple_point_finish(EC_POINT *); -void ec_GFp_simple_point_clear_finish(EC_POINT *); -int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); -int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); -int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, - EC_POINT *, const BIGNUM *x, - const BIGNUM *y, - const BIGNUM *z, BN_CTX *); -int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, - const EC_POINT *, BIGNUM *x, - BIGNUM *y, BIGNUM *z, +int ossl_ec_GFp_simple_group_init(EC_GROUP *); +void ossl_ec_GFp_simple_group_finish(EC_GROUP *); +void ossl_ec_GFp_simple_group_clear_finish(EC_GROUP *); +int ossl_ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); +int ossl_ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, + BN_CTX *); +int ossl_ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *); +int ossl_ec_GFp_simple_group_get_degree(const EC_GROUP *); +int ossl_ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); +int ossl_ec_GFp_simple_point_init(EC_POINT *); +void ossl_ec_GFp_simple_point_finish(EC_POINT *); +void ossl_ec_GFp_simple_point_clear_finish(EC_POINT *); +int ossl_ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); +int ossl_ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); +int ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, + EC_POINT *, + const BIGNUM *x, + const BIGNUM *y, + const BIGNUM *z, + BN_CTX *); +int ossl_ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, + const EC_POINT *, + BIGNUM *x, + BIGNUM *y, BIGNUM *z, + BN_CTX *); +int ossl_ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, + const BIGNUM *x, + const BIGNUM *y, BN_CTX *); +int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, + const EC_POINT *, BIGNUM *x, + BIGNUM *y, BN_CTX *); +int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, + const BIGNUM *x, int y_bit, BN_CTX *); -int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, - const BIGNUM *y, BN_CTX *); -int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, - const EC_POINT *, BIGNUM *x, - BIGNUM *y, BN_CTX *); -int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, int y_bit, - BN_CTX *); -size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *); -int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *, - const unsigned char *buf, size_t len, BN_CTX *); -int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, - const EC_POINT *b, BN_CTX *); -int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, - BN_CTX *); -int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); -int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); -int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); -int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, - BN_CTX *); -int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); -int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, - EC_POINT *[], BN_CTX *); -int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *); -int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); -int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); -int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, - BN_CTX *ctx); -int ec_GFp_simple_ladder_pre(const EC_GROUP *group, - EC_POINT *r, EC_POINT *s, - EC_POINT *p, BN_CTX *ctx); -int ec_GFp_simple_ladder_step(const EC_GROUP *group, - EC_POINT *r, EC_POINT *s, - EC_POINT *p, BN_CTX *ctx); -int ec_GFp_simple_ladder_post(const EC_GROUP *group, - EC_POINT *r, EC_POINT *s, - EC_POINT *p, BN_CTX *ctx); +size_t ossl_ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, + point_conversion_form_t form, + unsigned char *buf, size_t len, BN_CTX *); +int ossl_ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *, + const unsigned char *buf, size_t len, BN_CTX *); +int ossl_ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, + const EC_POINT *b, BN_CTX *); +int ossl_ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, + BN_CTX *); +int ossl_ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); +int ossl_ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); +int ossl_ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); +int ossl_ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, + const EC_POINT *b, BN_CTX *); +int ossl_ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); +int ossl_ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, + EC_POINT *[], BN_CTX *); +int ossl_ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); +int ossl_ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); +int ossl_ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); +int ossl_ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, + BN_CTX *ctx); +int ossl_ec_GFp_simple_ladder_pre(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx); +int ossl_ec_GFp_simple_ladder_step(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx); +int ossl_ec_GFp_simple_ladder_post(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx); /* method functions in ecp_mont.c */ -int ec_GFp_mont_group_init(EC_GROUP *); -int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, - const BIGNUM *b, BN_CTX *); -void ec_GFp_mont_group_finish(EC_GROUP *); -void ec_GFp_mont_group_clear_finish(EC_GROUP *); -int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); -int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *); -int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); -int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); -int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); -int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); -int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); +int ossl_ec_GFp_mont_group_init(EC_GROUP *); +int ossl_ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, + const BIGNUM *a, + const BIGNUM *b, BN_CTX *); +void ossl_ec_GFp_mont_group_finish(EC_GROUP *); +void ossl_ec_GFp_mont_group_clear_finish(EC_GROUP *); +int ossl_ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); +int ossl_ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); +int ossl_ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); +int ossl_ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); +int ossl_ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); +int ossl_ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); +int ossl_ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); /* method functions in ecp_nist.c */ -int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); -int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, - const BIGNUM *b, BN_CTX *); -int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *); -int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); +int ossl_ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); +int ossl_ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, BN_CTX *); +int ossl_ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); +int ossl_ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); /* method functions in ec2_smpl.c */ -int ec_GF2m_simple_group_init(EC_GROUP *); -void ec_GF2m_simple_group_finish(EC_GROUP *); -void ec_GF2m_simple_group_clear_finish(EC_GROUP *); -int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *); -int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, - BN_CTX *); -int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, - BIGNUM *b, BN_CTX *); -int ec_GF2m_simple_group_get_degree(const EC_GROUP *); -int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); -int ec_GF2m_simple_point_init(EC_POINT *); -void ec_GF2m_simple_point_finish(EC_POINT *); -void ec_GF2m_simple_point_clear_finish(EC_POINT *); -int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *); -int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); -int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, - const BIGNUM *y, BN_CTX *); -int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, - const EC_POINT *, BIGNUM *x, - BIGNUM *y, BN_CTX *); -int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, int y_bit, - BN_CTX *); -size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *); -int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *, - const unsigned char *buf, size_t len, BN_CTX *); -int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, - const EC_POINT *b, BN_CTX *); -int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, - BN_CTX *); -int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); -int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); -int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); -int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, - BN_CTX *); -int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); -int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, - EC_POINT *[], BN_CTX *); -int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *); -int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - BN_CTX *); -int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *); +int ossl_ec_GF2m_simple_group_init(EC_GROUP *); +void ossl_ec_GF2m_simple_group_finish(EC_GROUP *); +void ossl_ec_GF2m_simple_group_clear_finish(EC_GROUP *); +int ossl_ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *); +int ossl_ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, + BN_CTX *); +int ossl_ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *); +int ossl_ec_GF2m_simple_group_get_degree(const EC_GROUP *); +int ossl_ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); +int ossl_ec_GF2m_simple_point_init(EC_POINT *); +void ossl_ec_GF2m_simple_point_finish(EC_POINT *); +void ossl_ec_GF2m_simple_point_clear_finish(EC_POINT *); +int ossl_ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *); +int ossl_ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); +int ossl_ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, + EC_POINT *, + const BIGNUM *x, + const BIGNUM *y, BN_CTX *); +int ossl_ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, + const EC_POINT *, BIGNUM *x, + BIGNUM *y, BN_CTX *); +int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, + const BIGNUM *x, int y_bit, + BN_CTX *); +size_t ossl_ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, + point_conversion_form_t form, + unsigned char *buf, size_t len, BN_CTX *); +int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *, + const unsigned char *buf, size_t len, BN_CTX *); +int ossl_ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, + const EC_POINT *b, BN_CTX *); +int ossl_ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, + BN_CTX *); +int ossl_ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); +int ossl_ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); +int ossl_ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); +int ossl_ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, + const EC_POINT *b, BN_CTX *); +int ossl_ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); +int ossl_ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, + EC_POINT *[], BN_CTX *); +int ossl_ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); +int ossl_ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); +int ossl_ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 /* method functions in ecp_nistp224.c */ -int ec_GFp_nistp224_group_init(EC_GROUP *group); -int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *n, - BN_CTX *); -int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx); -int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], const BIGNUM *scalars[], - BN_CTX *); -int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], - const BIGNUM *scalars[], BN_CTX *ctx); -int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group); +int ossl_ec_GFp_nistp224_group_init(EC_GROUP *group); +int ossl_ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *n, + BN_CTX *); +int ossl_ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx); +int ossl_ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], const BIGNUM *scalars[], + BN_CTX *); +int ossl_ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx); +int ossl_ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx); +int ossl_ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group); /* method functions in ecp_nistp256.c */ -int ec_GFp_nistp256_group_init(EC_GROUP *group); -int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *n, - BN_CTX *); -int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx); -int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], const BIGNUM *scalars[], - BN_CTX *); -int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], - const BIGNUM *scalars[], BN_CTX *ctx); -int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); +int ossl_ec_GFp_nistp256_group_init(EC_GROUP *group); +int ossl_ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *n, + BN_CTX *); +int ossl_ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx); +int ossl_ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], const BIGNUM *scalars[], + BN_CTX *); +int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx); +int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); +int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); /* method functions in ecp_nistp521.c */ -int ec_GFp_nistp521_group_init(EC_GROUP *group); -int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *n, - BN_CTX *); -int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx); -int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], const BIGNUM *scalars[], - BN_CTX *); -int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], - const BIGNUM *scalars[], BN_CTX *ctx); -int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group); +int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); +int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *n, + BN_CTX *); +int ossl_ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx); +int ossl_ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], const BIGNUM *scalars[], + BN_CTX *); +int ossl_ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx); +int ossl_ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx); +int ossl_ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group); /* utility functions in ecp_nistputil.c */ -void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, - size_t felem_size, - void *tmp_felems, - void (*felem_one) (void *out), - int (*felem_is_zero) (const void - *in), - void (*felem_assign) (void *out, - const void - *in), - void (*felem_square) (void *out, - const void - *in), - void (*felem_mul) (void *out, - const void - *in1, - const void - *in2), - void (*felem_inv) (void *out, - const void - *in), - void (*felem_contract) (void - *out, - const - void - *in)); -void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, - unsigned char *digit, unsigned char in); +void ossl_ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, + size_t felem_size, + void *tmp_felems, + void (*felem_one) (void *out), + int (*felem_is_zero) + (const void *in), + void (*felem_assign) + (void *out, const void *in), + void (*felem_square) + (void *out, const void *in), + void (*felem_mul) + (void *out, + const void *in1, + const void *in2), + void (*felem_inv) + (void *out, const void *in), + void (*felem_contract) + (void *out, const void *in)); +void ossl_ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, + unsigned char *digit, + unsigned char in); #endif -int ec_group_simple_order_bits(const EC_GROUP *group); +int ossl_ec_group_simple_order_bits(const EC_GROUP *group); /** * Creates a new EC_GROUP object @@ -601,8 +601,8 @@ int ec_group_simple_order_bits(const EC_GROUP *group); * \param meth EC_METHOD to use * \return newly created EC_GROUP object or NULL in case of an error. */ -EC_GROUP *ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, - const EC_METHOD *meth); +EC_GROUP *ossl_ec_group_new_ex(OSSL_LIB_CTX *libctx, const char *propq, + const EC_METHOD *meth); #ifdef ECP_NISTZ256_ASM /** Returns GFp methods using montgomery multiplication, with x86-64 optimized @@ -617,14 +617,15 @@ const EC_METHOD *EC_GFp_s390x_nistp384_method(void); const EC_METHOD *EC_GFp_s390x_nistp521_method(void); #endif -size_t ec_key_simple_priv2oct(const EC_KEY *eckey, - unsigned char *buf, size_t len); -int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len); -int ec_key_simple_generate_key(EC_KEY *eckey); -int ec_key_simple_generate_public_key(EC_KEY *eckey); -int ec_key_simple_check_key(const EC_KEY *eckey); +size_t ossl_ec_key_simple_priv2oct(const EC_KEY *eckey, + unsigned char *buf, size_t len); +int ossl_ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, + size_t len); +int ossl_ec_key_simple_generate_key(EC_KEY *eckey); +int ossl_ec_key_simple_generate_public_key(EC_KEY *eckey); +int ossl_ec_key_simple_check_key(const EC_KEY *eckey); -int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); +int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); /* EC_METHOD definitions */ @@ -657,14 +658,14 @@ struct ec_key_method_st { #define EC_KEY_METHOD_DYNAMIC 1 -EC_KEY *ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, - ENGINE *engine); +EC_KEY *ossl_ec_key_new_method_int(OSSL_LIB_CTX *libctx, const char *propq, + ENGINE *engine); int ossl_ec_key_gen(EC_KEY *eckey); int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen, const EC_POINT *pub_key, const EC_KEY *ecdh); -int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, - const EC_POINT *pub_key, const EC_KEY *ecdh); +int ossl_ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh); struct ECDSA_SIG_st { BIGNUM *r; @@ -683,13 +684,13 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey); -int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp); -ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, - const BIGNUM *in_kinv, const BIGNUM *in_r, - EC_KEY *eckey); -int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, - const ECDSA_SIG *sig, EC_KEY *eckey); +int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp); +ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, + const BIGNUM *in_kinv, const BIGNUM *in_r, + EC_KEY *eckey); +int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey); /*- @@ -721,11 +722,12 @@ int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, * * Returns 1 on success, 0 otherwise. */ -int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, const EC_POINT *point, - BN_CTX *ctx); +int ossl_ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, const EC_POINT *point, + BN_CTX *ctx); -int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); +int ossl_ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, + BN_CTX *ctx); static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group, EC_POINT *r, EC_POINT *s, diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index c1df0b8af7..ed5d403270 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -142,9 +142,9 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre) * * Returns 1 on success, 0 otherwise. */ -int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, const EC_POINT *point, - BN_CTX *ctx) +int ossl_ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, const EC_POINT *point, + BN_CTX *ctx) { int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; EC_POINT *p = NULL; @@ -407,9 +407,9 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, * scalar*generator * in the addition if scalar != NULL */ -int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], - BN_CTX *ctx) +int ossl_ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + size_t num, const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx) { const EC_POINT *generator = NULL; EC_POINT *tmp = NULL; @@ -450,7 +450,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * is why we ignore if BN_FLG_CONSTTIME is actually set and we * always call the ladder version. */ - return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx); + return ossl_ec_scalar_mul_ladder(group, r, scalar, NULL, ctx); } if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) { /*- @@ -460,7 +460,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * To protect the secret scalar, we ignore if BN_FLG_CONSTTIME is * actually set and we always call the ladder version. */ - return ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx); + return ossl_ec_scalar_mul_ladder(group, r, scalars[0], points[0], + ctx); } } @@ -753,11 +754,11 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * Apply coordinate blinding for EC_POINT. * * The underlying EC_METHOD can optionally implement this function: - * ec_point_blind_coordinates() returns 0 in case of errors or 1 on + * ossl_ec_point_blind_coordinates() returns 0 in case of errors or 1 on * success or if coordinate blinding is not implemented for this * group. */ - if (!ec_point_blind_coordinates(group, r, ctx)) { + if (!ossl_ec_point_blind_coordinates(group, r, ctx)) { ERR_raise(ERR_LIB_EC, EC_R_POINT_COORDINATES_BLIND_FAILURE); goto err; } @@ -807,9 +808,9 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } /*- - * ec_wNAF_precompute_mult() + * ossl_ec_wNAF_precompute_mult() * creates an EC_PRE_COMP object with preprecomputed multiples of the generator - * for use with wNAF splitting as implemented in ec_wNAF_mul(). + * for use with wNAF splitting as implemented in ossl_ec_wNAF_mul(). * * 'pre_comp->points' is an array of multiples of the generator * of the following form: @@ -826,7 +827,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator * points[2^(w-1)*numblocks] = NULL */ -int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) +int ossl_ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { const EC_POINT *generator; EC_POINT *tmp_point = NULL, *base = NULL, **var; @@ -987,7 +988,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) return ret; } -int ec_wNAF_have_precompute_mult(const EC_GROUP *group) +int ossl_ec_wNAF_have_precompute_mult(const EC_GROUP *group) { return HAVEPRECOMP(group, ec); } diff --git a/crypto/ec/ec_oct.c b/crypto/ec/ec_oct.c index 0dbe299c41..cb9352d639 100644 --- a/crypto/ec/ec_oct.c +++ b/crypto/ec/ec_oct.c @@ -35,8 +35,8 @@ int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, } if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) { if (group->meth->field_type == NID_X9_62_prime_field) - return ec_GFp_simple_set_compressed_coordinates(group, point, x, - y_bit, ctx); + return ossl_ec_GFp_simple_set_compressed_coordinates(group, point, x, + y_bit, ctx); else #ifdef OPENSSL_NO_EC2M { @@ -44,8 +44,8 @@ int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, return 0; } #else - return ec_GF2m_simple_set_compressed_coordinates(group, point, x, - y_bit, ctx); + return ossl_ec_GF2m_simple_set_compressed_coordinates(group, point, + x, y_bit, ctx); #endif } return group->meth->point_set_compressed_coordinates(group, point, x, @@ -85,7 +85,8 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, } if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) { if (group->meth->field_type == NID_X9_62_prime_field) - return ec_GFp_simple_point2oct(group, point, form, buf, len, ctx); + return ossl_ec_GFp_simple_point2oct(group, point, form, buf, len, + ctx); else #ifdef OPENSSL_NO_EC2M { @@ -93,8 +94,8 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, return 0; } #else - return ec_GF2m_simple_point2oct(group, point, - form, buf, len, ctx); + return ossl_ec_GF2m_simple_point2oct(group, point, + form, buf, len, ctx); #endif } @@ -115,7 +116,7 @@ int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, } if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) { if (group->meth->field_type == NID_X9_62_prime_field) - return ec_GFp_simple_oct2point(group, point, buf, len, ctx); + return ossl_ec_GFp_simple_oct2point(group, point, buf, len, ctx); else #ifdef OPENSSL_NO_EC2M { @@ -123,7 +124,7 @@ int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, return 0; } #else - return ec_GF2m_simple_oct2point(group, point, buf, len, ctx); + return ossl_ec_GF2m_simple_oct2point(group, point, buf, len, ctx); #endif } return group->meth->oct2point(group, point, buf, len, ctx); diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index d660bf8682..2280189e28 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -218,9 +218,9 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) goto err; /* Do KDF stuff */ - if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen, - dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md, - ctx->libctx, ctx->propquery)) + if (!ossl_ecdh_kdf_X9_63(key, *keylen, ktmp, ktmplen, + dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md, + ctx->libctx, ctx->propquery)) goto err; rv = 1; @@ -486,7 +486,7 @@ static const EVP_PKEY_METHOD ec_pkey_meth = { pkey_ec_ctrl_str }; -const EVP_PKEY_METHOD *ec_pkey_method(void) +const EVP_PKEY_METHOD *ossl_ec_pkey_method(void) { return &ec_pkey_meth; } diff --git a/crypto/ec/ecdh_kdf.c b/crypto/ec/ecdh_kdf.c index df0858a032..60e976a95f 100644 --- a/crypto/ec/ecdh_kdf.c +++ b/crypto/ec/ecdh_kdf.c @@ -21,11 +21,11 @@ #include "ec_local.h" /* Key derivation function from X9.63/SECG */ -int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, - const unsigned char *Z, size_t Zlen, - const unsigned char *sinfo, size_t sinfolen, - const EVP_MD *md, - OSSL_LIB_CTX *libctx, const char *propq) +int ossl_ecdh_kdf_X9_63(unsigned char *out, size_t outlen, + const unsigned char *Z, size_t Zlen, + const unsigned char *sinfo, size_t sinfolen, + const EVP_MD *md, + OSSL_LIB_CTX *libctx, const char *propq) { int ret = 0; EVP_KDF_CTX *kctx = NULL; @@ -60,6 +60,7 @@ int ECDH_KDF_X9_62(unsigned char *out, size_t outlen, const unsigned char *sinfo, size_t sinfolen, const EVP_MD *md) { - return ecdh_KDF_X9_63(out, outlen, Z, Zlen, sinfo, sinfolen, md, NULL, NULL); + return ossl_ecdh_kdf_X9_63(out, outlen, Z, Zlen, sinfo, sinfolen, md, NULL, + NULL); } #endif diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c index a42fb55ddc..8a521fd4a5 100644 --- a/crypto/ec/ecdh_ossl.c +++ b/crypto/ec/ecdh_ossl.c @@ -46,8 +46,8 @@ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A. */ -int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, - const EC_POINT *pub_key, const EC_KEY *ecdh) +int ossl_ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh) { BN_CTX *ctx; EC_POINT *tmp = NULL; diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index c697199cce..d6df93a7de 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -160,7 +160,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, } while (BN_is_zero(r)); /* compute the inverse of k */ - if (!ec_group_do_inverse_ord(group, k, k, ctx)) { + if (!ossl_ec_group_do_inverse_ord(group, k, k, ctx)) { ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } @@ -184,15 +184,15 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, return ret; } -int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp) +int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp) { return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0); } -ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, - const BIGNUM *in_kinv, const BIGNUM *in_r, - EC_KEY *eckey) +ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, + const BIGNUM *in_kinv, const BIGNUM *in_r, + EC_KEY *eckey) { int ok = 0, i; BIGNUM *kinv = NULL, *s, *m = NULL; @@ -353,8 +353,8 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, return ret; } -int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, - const ECDSA_SIG *sig, EC_KEY *eckey) +int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey) { int ret = -1, i; BN_CTX *ctx; @@ -405,7 +405,7 @@ int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, goto err; } /* calculate tmp1 = inv(S) mod order */ - if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) { + if (!ossl_ec_group_do_inverse_ord(group, u2, sig->s, ctx)) { ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index def39368e4..8dc1c2f0b3 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -23,99 +23,99 @@ const EC_METHOD *EC_GFp_mont_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, - ec_GFp_mont_group_init, - ec_GFp_mont_group_finish, - ec_GFp_mont_group_clear_finish, - ec_GFp_mont_group_copy, - ec_GFp_mont_group_set_curve, - ec_GFp_simple_group_get_curve, - ec_GFp_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GFp_simple_group_check_discriminant, - ec_GFp_simple_point_init, - ec_GFp_simple_point_finish, - ec_GFp_simple_point_clear_finish, - ec_GFp_simple_point_copy, - ec_GFp_simple_point_set_to_infinity, - ec_GFp_simple_point_set_affine_coordinates, - ec_GFp_simple_point_get_affine_coordinates, + ossl_ec_GFp_mont_group_init, + ossl_ec_GFp_mont_group_finish, + ossl_ec_GFp_mont_group_clear_finish, + ossl_ec_GFp_mont_group_copy, + ossl_ec_GFp_mont_group_set_curve, + ossl_ec_GFp_simple_group_get_curve, + ossl_ec_GFp_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GFp_simple_group_check_discriminant, + ossl_ec_GFp_simple_point_init, + ossl_ec_GFp_simple_point_finish, + ossl_ec_GFp_simple_point_clear_finish, + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, + ossl_ec_GFp_simple_point_get_affine_coordinates, 0, 0, 0, - ec_GFp_simple_add, - ec_GFp_simple_dbl, - ec_GFp_simple_invert, - ec_GFp_simple_is_at_infinity, - ec_GFp_simple_is_on_curve, - ec_GFp_simple_cmp, - ec_GFp_simple_make_affine, - ec_GFp_simple_points_make_affine, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, + ossl_ec_GFp_simple_invert, + ossl_ec_GFp_simple_is_at_infinity, + ossl_ec_GFp_simple_is_on_curve, + ossl_ec_GFp_simple_cmp, + ossl_ec_GFp_simple_make_affine, + ossl_ec_GFp_simple_points_make_affine, 0 /* mul */ , 0 /* precompute_mult */ , 0 /* have_precompute_mult */ , - ec_GFp_mont_field_mul, - ec_GFp_mont_field_sqr, + ossl_ec_GFp_mont_field_mul, + ossl_ec_GFp_mont_field_sqr, 0 /* field_div */ , - ec_GFp_mont_field_inv, - ec_GFp_mont_field_encode, - ec_GFp_mont_field_decode, - ec_GFp_mont_field_set_to_one, - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_GFp_mont_field_inv, + ossl_ec_GFp_mont_field_encode, + ossl_ec_GFp_mont_field_decode, + ossl_ec_GFp_mont_field_set_to_one, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, 0, /* field_inverse_mod_ord */ - ec_GFp_simple_blind_coordinates, - ec_GFp_simple_ladder_pre, - ec_GFp_simple_ladder_step, - ec_GFp_simple_ladder_post + ossl_ec_GFp_simple_blind_coordinates, + ossl_ec_GFp_simple_ladder_pre, + ossl_ec_GFp_simple_ladder_step, + ossl_ec_GFp_simple_ladder_post }; return &ret; } -int ec_GFp_mont_group_init(EC_GROUP *group) +int ossl_ec_GFp_mont_group_init(EC_GROUP *group) { int ok; - ok = ec_GFp_simple_group_init(group); + ok = ossl_ec_GFp_simple_group_init(group); group->field_data1 = NULL; group->field_data2 = NULL; return ok; } -void ec_GFp_mont_group_finish(EC_GROUP *group) +void ossl_ec_GFp_mont_group_finish(EC_GROUP *group) { BN_MONT_CTX_free(group->field_data1); group->field_data1 = NULL; BN_free(group->field_data2); group->field_data2 = NULL; - ec_GFp_simple_group_finish(group); + ossl_ec_GFp_simple_group_finish(group); } -void ec_GFp_mont_group_clear_finish(EC_GROUP *group) +void ossl_ec_GFp_mont_group_clear_finish(EC_GROUP *group) { BN_MONT_CTX_free(group->field_data1); group->field_data1 = NULL; BN_clear_free(group->field_data2); group->field_data2 = NULL; - ec_GFp_simple_group_clear_finish(group); + ossl_ec_GFp_simple_group_clear_finish(group); } -int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src) +int ossl_ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src) { BN_MONT_CTX_free(dest->field_data1); dest->field_data1 = NULL; BN_clear_free(dest->field_data2); dest->field_data2 = NULL; - if (!ec_GFp_simple_group_copy(dest, src)) + if (!ossl_ec_GFp_simple_group_copy(dest, src)) return 0; if (src->field_data1 != NULL) { @@ -139,8 +139,9 @@ int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src) return 0; } -int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, + BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BN_MONT_CTX *mont = NULL; @@ -176,7 +177,7 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, group->field_data2 = one; one = NULL; - ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); + ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx); if (!ret) { BN_MONT_CTX_free(group->field_data1); @@ -192,8 +193,8 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, return ret; } -int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) { if (group->field_data1 == NULL) { ERR_raise(ERR_LIB_EC, EC_R_NOT_INITIALIZED); @@ -203,8 +204,8 @@ int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx); } -int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - BN_CTX *ctx) +int ossl_ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, + BN_CTX *ctx) { if (group->field_data1 == NULL) { ERR_raise(ERR_LIB_EC, EC_R_NOT_INITIALIZED); @@ -219,8 +220,8 @@ int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error. * We have a Mont structure, so SCA hardening is FLT inversion. */ -int ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - BN_CTX *ctx) +int ossl_ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, + BN_CTX *ctx) { BIGNUM *e = NULL; BN_CTX *new_ctx = NULL; @@ -263,8 +264,8 @@ int ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, return ret; } -int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, - const BIGNUM *a, BN_CTX *ctx) +int ossl_ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, + const BIGNUM *a, BN_CTX *ctx) { if (group->field_data1 == NULL) { ERR_raise(ERR_LIB_EC, EC_R_NOT_INITIALIZED); @@ -274,8 +275,8 @@ int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, return BN_to_montgomery(r, a, (BN_MONT_CTX *)group->field_data1, ctx); } -int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, - const BIGNUM *a, BN_CTX *ctx) +int ossl_ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, + const BIGNUM *a, BN_CTX *ctx) { if (group->field_data1 == NULL) { ERR_raise(ERR_LIB_EC, EC_R_NOT_INITIALIZED); @@ -285,8 +286,8 @@ int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, return BN_from_montgomery(r, a, group->field_data1, ctx); } -int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, - BN_CTX *ctx) +int ossl_ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, + BN_CTX *ctx) { if (group->field_data2 == NULL) { ERR_raise(ERR_LIB_EC, EC_R_NOT_INITIALIZED); diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c index 2809043dac..e41a67f647 100644 --- a/crypto/ec/ecp_nist.c +++ b/crypto/ec/ecp_nist.c @@ -25,72 +25,73 @@ const EC_METHOD *EC_GFp_nist_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, - ec_GFp_simple_group_init, - ec_GFp_simple_group_finish, - ec_GFp_simple_group_clear_finish, - ec_GFp_nist_group_copy, - ec_GFp_nist_group_set_curve, - ec_GFp_simple_group_get_curve, - ec_GFp_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GFp_simple_group_check_discriminant, - ec_GFp_simple_point_init, - ec_GFp_simple_point_finish, - ec_GFp_simple_point_clear_finish, - ec_GFp_simple_point_copy, - ec_GFp_simple_point_set_to_infinity, - ec_GFp_simple_point_set_affine_coordinates, - ec_GFp_simple_point_get_affine_coordinates, + ossl_ec_GFp_simple_group_init, + ossl_ec_GFp_simple_group_finish, + ossl_ec_GFp_simple_group_clear_finish, + ossl_ec_GFp_nist_group_copy, + ossl_ec_GFp_nist_group_set_curve, + ossl_ec_GFp_simple_group_get_curve, + ossl_ec_GFp_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GFp_simple_group_check_discriminant, + ossl_ec_GFp_simple_point_init, + ossl_ec_GFp_simple_point_finish, + ossl_ec_GFp_simple_point_clear_finish, + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, + ossl_ec_GFp_simple_point_get_affine_coordinates, 0, 0, 0, - ec_GFp_simple_add, - ec_GFp_simple_dbl, - ec_GFp_simple_invert, - ec_GFp_simple_is_at_infinity, - ec_GFp_simple_is_on_curve, - ec_GFp_simple_cmp, - ec_GFp_simple_make_affine, - ec_GFp_simple_points_make_affine, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, + ossl_ec_GFp_simple_invert, + ossl_ec_GFp_simple_is_at_infinity, + ossl_ec_GFp_simple_is_on_curve, + ossl_ec_GFp_simple_cmp, + ossl_ec_GFp_simple_make_affine, + ossl_ec_GFp_simple_points_make_affine, 0 /* mul */ , 0 /* precompute_mult */ , 0 /* have_precompute_mult */ , - ec_GFp_nist_field_mul, - ec_GFp_nist_field_sqr, + ossl_ec_GFp_nist_field_mul, + ossl_ec_GFp_nist_field_sqr, 0 /* field_div */ , - ec_GFp_simple_field_inv, + ossl_ec_GFp_simple_field_inv, 0 /* field_encode */ , 0 /* field_decode */ , 0, /* field_set_to_one */ - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, 0, /* field_inverse_mod_ord */ - ec_GFp_simple_blind_coordinates, - ec_GFp_simple_ladder_pre, - ec_GFp_simple_ladder_step, - ec_GFp_simple_ladder_post + ossl_ec_GFp_simple_blind_coordinates, + ossl_ec_GFp_simple_ladder_pre, + ossl_ec_GFp_simple_ladder_step, + ossl_ec_GFp_simple_ladder_post }; return &ret; } -int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) +int ossl_ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) { dest->field_mod_func = src->field_mod_func; - return ec_GFp_simple_group_copy(dest, src); + return ossl_ec_GFp_simple_group_copy(dest, src); } -int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, + BN_CTX *ctx) { int ret = 0; BN_CTX *new_ctx = NULL; @@ -116,7 +117,7 @@ int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, goto err; } - ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); + ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx); err: BN_CTX_end(ctx); @@ -124,8 +125,8 @@ int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, return ret; } -int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) { int ret = 0; BN_CTX *ctx_new = NULL; @@ -149,8 +150,8 @@ int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, return ret; } -int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - BN_CTX *ctx) +int ossl_ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, + BN_CTX *ctx) { int ret = 0; BN_CTX *ctx_new = NULL; diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index 40a9582921..aa470efd8d 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -248,55 +248,55 @@ const EC_METHOD *EC_GFp_nistp224_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, - ec_GFp_nistp224_group_init, - ec_GFp_simple_group_finish, - ec_GFp_simple_group_clear_finish, - ec_GFp_nist_group_copy, - ec_GFp_nistp224_group_set_curve, - ec_GFp_simple_group_get_curve, - ec_GFp_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GFp_simple_group_check_discriminant, - ec_GFp_simple_point_init, - ec_GFp_simple_point_finish, - ec_GFp_simple_point_clear_finish, - ec_GFp_simple_point_copy, - ec_GFp_simple_point_set_to_infinity, - ec_GFp_simple_point_set_affine_coordinates, - ec_GFp_nistp224_point_get_affine_coordinates, + ossl_ec_GFp_nistp224_group_init, + ossl_ec_GFp_simple_group_finish, + ossl_ec_GFp_simple_group_clear_finish, + ossl_ec_GFp_nist_group_copy, + ossl_ec_GFp_nistp224_group_set_curve, + ossl_ec_GFp_simple_group_get_curve, + ossl_ec_GFp_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GFp_simple_group_check_discriminant, + ossl_ec_GFp_simple_point_init, + ossl_ec_GFp_simple_point_finish, + ossl_ec_GFp_simple_point_clear_finish, + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, + ossl_ec_GFp_nistp224_point_get_affine_coordinates, 0 /* point_set_compressed_coordinates */ , 0 /* point2oct */ , 0 /* oct2point */ , - ec_GFp_simple_add, - ec_GFp_simple_dbl, - ec_GFp_simple_invert, - ec_GFp_simple_is_at_infinity, - ec_GFp_simple_is_on_curve, - ec_GFp_simple_cmp, - ec_GFp_simple_make_affine, - ec_GFp_simple_points_make_affine, - ec_GFp_nistp224_points_mul, - ec_GFp_nistp224_precompute_mult, - ec_GFp_nistp224_have_precompute_mult, - ec_GFp_nist_field_mul, - ec_GFp_nist_field_sqr, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, + ossl_ec_GFp_simple_invert, + ossl_ec_GFp_simple_is_at_infinity, + ossl_ec_GFp_simple_is_on_curve, + ossl_ec_GFp_simple_cmp, + ossl_ec_GFp_simple_make_affine, + ossl_ec_GFp_simple_points_make_affine, + ossl_ec_GFp_nistp224_points_mul, + ossl_ec_GFp_nistp224_precompute_mult, + ossl_ec_GFp_nistp224_have_precompute_mult, + ossl_ec_GFp_nist_field_mul, + ossl_ec_GFp_nist_field_sqr, 0 /* field_div */ , - ec_GFp_simple_field_inv, + ossl_ec_GFp_simple_field_inv, 0 /* field_encode */ , 0 /* field_decode */ , 0, /* field_set_to_one */ - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, 0, /* field_inverse_mod_ord */ 0, /* blind_coordinates */ 0, /* ladder_pre */ @@ -1207,7 +1207,7 @@ static void batch_mul(felem x_out, felem y_out, felem z_out, bits |= get_bit(scalars[num], i + 1) << 2; bits |= get_bit(scalars[num], i) << 1; bits |= get_bit(scalars[num], i - 1); - ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); + ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); /* select the point to add or subtract */ select_point(digit, 17, pre_comp[num], tmp); @@ -1286,17 +1286,17 @@ void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *p) * OPENSSL EC_METHOD FUNCTIONS */ -int ec_GFp_nistp224_group_init(EC_GROUP *group) +int ossl_ec_GFp_nistp224_group_init(EC_GROUP *group) { int ret; - ret = ec_GFp_simple_group_init(group); + ret = ossl_ec_GFp_simple_group_init(group); group->a_is_minus3 = 1; return ret; } -int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, - BN_CTX *ctx) +int ossl_ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, + BN_CTX *ctx) { int ret = 0; BIGNUM *curve_p, *curve_a, *curve_b; @@ -1323,7 +1323,7 @@ int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, goto err; } group->field_mod_func = BN_nist_mod_224; - ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); + ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx); err: BN_CTX_end(ctx); #ifndef FIPS_MODULE @@ -1336,10 +1336,10 @@ int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = * (X/Z^2, Y/Z^3) */ -int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx) +int ossl_ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx) { felem z1, z2, x_in, y_in, x_out, y_out; widefelem tmp; @@ -1384,36 +1384,36 @@ static void make_points_affine(size_t num, felem points[ /* num */ ][3], * Runs in constant time, unless an input is the point at infinity (which * normally shouldn't happen). */ - ec_GFp_nistp_points_make_affine_internal(num, - points, - sizeof(felem), - tmp_felems, - (void (*)(void *))felem_one, - felem_is_zero_int, - (void (*)(void *, const void *)) - felem_assign, - (void (*)(void *, const void *)) - felem_square_reduce, (void (*) - (void *, - const void - *, - const void - *)) - felem_mul_reduce, - (void (*)(void *, const void *)) - felem_inv, - (void (*)(void *, const void *)) - felem_contract); + ossl_ec_GFp_nistp_points_make_affine_internal(num, + points, + sizeof(felem), + tmp_felems, + (void (*)(void *))felem_one, + felem_is_zero_int, + (void (*)(void *, const void *)) + felem_assign, + (void (*)(void *, const void *)) + felem_square_reduce, (void (*) + (void *, + const void + *, + const void + *)) + felem_mul_reduce, + (void (*)(void *, const void *)) + felem_inv, + (void (*)(void *, const void *)) + felem_contract); } /* * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL * values Result is stored in r (r can equal one of the inputs). */ -int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], - const BIGNUM *scalars[], BN_CTX *ctx) +int ossl_ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx) { int ret = 0; int j; @@ -1460,8 +1460,9 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } - if (!ec_GFp_simple_set_Jprojective_coordinates_GFp(group, generator, x, - y, z, ctx)) + if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, + generator, + x, y, z, ctx)) goto err; if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) /* precomputation matches generator */ @@ -1595,7 +1596,8 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } - ret = ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx); + ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, + ctx); err: BN_CTX_end(ctx); @@ -1606,7 +1608,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, return ret; } -int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx) +int ossl_ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { int ret = 0; NISTP224_PRE_COMP *pre = NULL; @@ -1742,7 +1744,7 @@ int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx) return ret; } -int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group) +int ossl_ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group) { return HAVEPRECOMP(group, nistp224); } diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c index f81481f0d3..7fed6ccf57 100644 --- a/crypto/ec/ecp_nistp256.c +++ b/crypto/ec/ecp_nistp256.c @@ -1743,7 +1743,7 @@ static void batch_mul(felem x_out, felem y_out, felem z_out, bits |= get_bit(scalars[num], i + 1) << 2; bits |= get_bit(scalars[num], i) << 1; bits |= get_bit(scalars[num], i - 1); - ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); + ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); /* * select the point to add or subtract, in constant time @@ -1784,55 +1784,55 @@ const EC_METHOD *EC_GFp_nistp256_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, - ec_GFp_nistp256_group_init, - ec_GFp_simple_group_finish, - ec_GFp_simple_group_clear_finish, - ec_GFp_nist_group_copy, - ec_GFp_nistp256_group_set_curve, - ec_GFp_simple_group_get_curve, - ec_GFp_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GFp_simple_group_check_discriminant, - ec_GFp_simple_point_init, - ec_GFp_simple_point_finish, - ec_GFp_simple_point_clear_finish, - ec_GFp_simple_point_copy, - ec_GFp_simple_point_set_to_infinity, - ec_GFp_simple_point_set_affine_coordinates, - ec_GFp_nistp256_point_get_affine_coordinates, + ossl_ec_GFp_nistp256_group_init, + ossl_ec_GFp_simple_group_finish, + ossl_ec_GFp_simple_group_clear_finish, + ossl_ec_GFp_nist_group_copy, + ossl_ec_GFp_nistp256_group_set_curve, + ossl_ec_GFp_simple_group_get_curve, + ossl_ec_GFp_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GFp_simple_group_check_discriminant, + ossl_ec_GFp_simple_point_init, + ossl_ec_GFp_simple_point_finish, + ossl_ec_GFp_simple_point_clear_finish, + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, + ossl_ec_GFp_nistp256_point_get_affine_coordinates, 0 /* point_set_compressed_coordinates */ , 0 /* point2oct */ , 0 /* oct2point */ , - ec_GFp_simple_add, - ec_GFp_simple_dbl, - ec_GFp_simple_invert, - ec_GFp_simple_is_at_infinity, - ec_GFp_simple_is_on_curve, - ec_GFp_simple_cmp, - ec_GFp_simple_make_affine, - ec_GFp_simple_points_make_affine, - ec_GFp_nistp256_points_mul, - ec_GFp_nistp256_precompute_mult, - ec_GFp_nistp256_have_precompute_mult, - ec_GFp_nist_field_mul, - ec_GFp_nist_field_sqr, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, + ossl_ec_GFp_simple_invert, + ossl_ec_GFp_simple_is_at_infinity, + ossl_ec_GFp_simple_is_on_curve, + ossl_ec_GFp_simple_cmp, + ossl_ec_GFp_simple_make_affine, + ossl_ec_GFp_simple_points_make_affine, + ossl_ec_GFp_nistp256_points_mul, + ossl_ec_GFp_nistp256_precompute_mult, + ossl_ec_GFp_nistp256_have_precompute_mult, + ossl_ec_GFp_nist_field_mul, + ossl_ec_GFp_nist_field_sqr, 0 /* field_div */ , - ec_GFp_simple_field_inv, + ossl_ec_GFp_simple_field_inv, 0 /* field_encode */ , 0 /* field_decode */ , 0, /* field_set_to_one */ - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, 0, /* field_inverse_mod_ord */ 0, /* blind_coordinates */ 0, /* ladder_pre */ @@ -1898,17 +1898,17 @@ void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *pre) * OPENSSL EC_METHOD FUNCTIONS */ -int ec_GFp_nistp256_group_init(EC_GROUP *group) +int ossl_ec_GFp_nistp256_group_init(EC_GROUP *group) { int ret; - ret = ec_GFp_simple_group_init(group); + ret = ossl_ec_GFp_simple_group_init(group); group->a_is_minus3 = 1; return ret; } -int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, - BN_CTX *ctx) +int ossl_ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, + BN_CTX *ctx) { int ret = 0; BIGNUM *curve_p, *curve_a, *curve_b; @@ -1935,7 +1935,7 @@ int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, goto err; } group->field_mod_func = BN_nist_mod_256; - ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); + ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx); err: BN_CTX_end(ctx); #ifndef FIPS_MODULE @@ -1948,10 +1948,10 @@ int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = * (X/Z^2, Y/Z^3) */ -int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx) +int ossl_ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx) { felem z1, z2, x_in, y_in; smallfelem x_out, y_out; @@ -1998,35 +1998,35 @@ static void make_points_affine(size_t num, smallfelem points[][3], * Runs in constant time, unless an input is the point at infinity (which * normally shouldn't happen). */ - ec_GFp_nistp_points_make_affine_internal(num, - points, - sizeof(smallfelem), - tmp_smallfelems, - (void (*)(void *))smallfelem_one, - smallfelem_is_zero_int, - (void (*)(void *, const void *)) - smallfelem_assign, - (void (*)(void *, const void *)) - smallfelem_square_contract, - (void (*) - (void *, const void *, - const void *)) - smallfelem_mul_contract, - (void (*)(void *, const void *)) - smallfelem_inv_contract, - /* nothing to contract */ - (void (*)(void *, const void *)) - smallfelem_assign); + ossl_ec_GFp_nistp_points_make_affine_internal(num, + points, + sizeof(smallfelem), + tmp_smallfelems, + (void (*)(void *))smallfelem_one, + smallfelem_is_zero_int, + (void (*)(void *, const void *)) + smallfelem_assign, + (void (*)(void *, const void *)) + smallfelem_square_contract, + (void (*) + (void *, const void *, + const void *)) + smallfelem_mul_contract, + (void (*)(void *, const void *)) + smallfelem_inv_contract, + /* nothing to contract */ + (void (*)(void *, const void *)) + smallfelem_assign); } /* * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL * values Result is stored in r (r can equal one of the inputs). */ -int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], - const BIGNUM *scalars[], BN_CTX *ctx) +int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx) { int ret = 0; int j; @@ -2074,8 +2074,9 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } - if (!ec_GFp_simple_set_Jprojective_coordinates_GFp(group, generator, x, - y, z, ctx)) + if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, + generator, + x, y, z, ctx)) goto err; if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) /* precomputation matches generator */ @@ -2215,7 +2216,8 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } - ret = ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx); + ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, + ctx); err: BN_CTX_end(ctx); @@ -2226,7 +2228,7 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, return ret; } -int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx) +int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { int ret = 0; NISTP256_PRE_COMP *pre = NULL; @@ -2373,7 +2375,7 @@ int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx) return ret; } -int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group) +int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group) { return HAVEPRECOMP(group, nistp256); } diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index dc9312b957..5c64477e97 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -1269,8 +1269,8 @@ static void point_add(felem x3, felem y3, felem z3, * This is obviously not constant-time but it will almost-never happen * for ECDH / ECDSA. The case where it can happen is during scalar-mult * where the intermediate value gets very close to the group order. - * Since |ec_GFp_nistp_recode_scalar_bits| produces signed digits for - * the scalar, it's possible for the intermediate value to be a small + * Since |ossl_ec_GFp_nistp_recode_scalar_bits| produces signed digits + * for the scalar, it's possible for the intermediate value to be a small * negative multiple of the base point, and for the final signed digit * to be the same value. We believe that this only occurs for the scalar * 1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff @@ -1587,7 +1587,7 @@ static void batch_mul(felem x_out, felem y_out, felem z_out, bits |= get_bit(scalars[num], i + 1) << 2; bits |= get_bit(scalars[num], i) << 1; bits |= get_bit(scalars[num], i - 1); - ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); + ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); /* * select the point to add or subtract, in constant time @@ -1625,55 +1625,55 @@ const EC_METHOD *EC_GFp_nistp521_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, - ec_GFp_nistp521_group_init, - ec_GFp_simple_group_finish, - ec_GFp_simple_group_clear_finish, - ec_GFp_nist_group_copy, - ec_GFp_nistp521_group_set_curve, - ec_GFp_simple_group_get_curve, - ec_GFp_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GFp_simple_group_check_discriminant, - ec_GFp_simple_point_init, - ec_GFp_simple_point_finish, - ec_GFp_simple_point_clear_finish, - ec_GFp_simple_point_copy, - ec_GFp_simple_point_set_to_infinity, - ec_GFp_simple_point_set_affine_coordinates, - ec_GFp_nistp521_point_get_affine_coordinates, + ossl_ec_GFp_nistp521_group_init, + ossl_ec_GFp_simple_group_finish, + ossl_ec_GFp_simple_group_clear_finish, + ossl_ec_GFp_nist_group_copy, + ossl_ec_GFp_nistp521_group_set_curve, + ossl_ec_GFp_simple_group_get_curve, + ossl_ec_GFp_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GFp_simple_group_check_discriminant, + ossl_ec_GFp_simple_point_init, + ossl_ec_GFp_simple_point_finish, + ossl_ec_GFp_simple_point_clear_finish, + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, + ossl_ec_GFp_nistp521_point_get_affine_coordinates, 0 /* point_set_compressed_coordinates */ , 0 /* point2oct */ , 0 /* oct2point */ , - ec_GFp_simple_add, - ec_GFp_simple_dbl, - ec_GFp_simple_invert, - ec_GFp_simple_is_at_infinity, - ec_GFp_simple_is_on_curve, - ec_GFp_simple_cmp, - ec_GFp_simple_make_affine, - ec_GFp_simple_points_make_affine, - ec_GFp_nistp521_points_mul, - ec_GFp_nistp521_precompute_mult, - ec_GFp_nistp521_have_precompute_mult, - ec_GFp_nist_field_mul, - ec_GFp_nist_field_sqr, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, + ossl_ec_GFp_simple_invert, + ossl_ec_GFp_simple_is_at_infinity, + ossl_ec_GFp_simple_is_on_curve, + ossl_ec_GFp_simple_cmp, + ossl_ec_GFp_simple_make_affine, + ossl_ec_GFp_simple_points_make_affine, + ossl_ec_GFp_nistp521_points_mul, + ossl_ec_GFp_nistp521_precompute_mult, + ossl_ec_GFp_nistp521_have_precompute_mult, + ossl_ec_GFp_nist_field_mul, + ossl_ec_GFp_nist_field_sqr, 0 /* field_div */ , - ec_GFp_simple_field_inv, + ossl_ec_GFp_simple_field_inv, 0 /* field_encode */ , 0 /* field_decode */ , 0, /* field_set_to_one */ - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, 0, /* field_inverse_mod_ord */ 0, /* blind_coordinates */ 0, /* ladder_pre */ @@ -1739,17 +1739,17 @@ void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *p) * OPENSSL EC_METHOD FUNCTIONS */ -int ec_GFp_nistp521_group_init(EC_GROUP *group) +int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group) { int ret; - ret = ec_GFp_simple_group_init(group); + ret = ossl_ec_GFp_simple_group_init(group); group->a_is_minus3 = 1; return ret; } -int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, - BN_CTX *ctx) +int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, + const BIGNUM *a, const BIGNUM *b, + BN_CTX *ctx) { int ret = 0; BIGNUM *curve_p, *curve_a, *curve_b; @@ -1776,7 +1776,7 @@ int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, goto err; } group->field_mod_func = BN_nist_mod_521; - ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); + ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx); err: BN_CTX_end(ctx); #ifndef FIPS_MODULE @@ -1789,10 +1789,10 @@ int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = * (X/Z^2, Y/Z^3) */ -int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx) +int ossl_ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx) { felem z1, z2, x_in, y_in, x_out, y_out; largefelem tmp; @@ -1838,36 +1838,36 @@ static void make_points_affine(size_t num, felem points[][3], * Runs in constant time, unless an input is the point at infinity (which * normally shouldn't happen). */ - ec_GFp_nistp_points_make_affine_internal(num, - points, - sizeof(felem), - tmp_felems, - (void (*)(void *))felem_one, - felem_is_zero_int, - (void (*)(void *, const void *)) - felem_assign, - (void (*)(void *, const void *)) - felem_square_reduce, (void (*) - (void *, - const void - *, - const void - *)) - felem_mul_reduce, - (void (*)(void *, const void *)) - felem_inv, - (void (*)(void *, const void *)) - felem_contract); + ossl_ec_GFp_nistp_points_make_affine_internal(num, + points, + sizeof(felem), + tmp_felems, + (void (*)(void *))felem_one, + felem_is_zero_int, + (void (*)(void *, const void *)) + felem_assign, + (void (*)(void *, const void *)) + felem_square_reduce, (void (*) + (void *, + const void + *, + const void + *)) + felem_mul_reduce, + (void (*)(void *, const void *)) + felem_inv, + (void (*)(void *, const void *)) + felem_contract); } /* * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL * values Result is stored in r (r can equal one of the inputs). */ -int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], - const BIGNUM *scalars[], BN_CTX *ctx) +int ossl_ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, size_t num, + const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx) { int ret = 0; int j; @@ -1914,8 +1914,9 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } - if (!ec_GFp_simple_set_Jprojective_coordinates_GFp(group, generator, x, - y, z, ctx)) + if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, + generator, + x, y, z, ctx)) goto err; if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) /* precomputation matches generator */ @@ -2053,7 +2054,8 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } - ret = ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx); + ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, + ctx); err: BN_CTX_end(ctx); @@ -2064,7 +2066,7 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, return ret; } -int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx) +int ossl_ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { int ret = 0; NISTP521_PRE_COMP *pre = NULL; @@ -2180,7 +2182,7 @@ int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx) return ret; } -int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group) +int ossl_ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group) { return HAVEPRECOMP(group, nistp521); } diff --git a/crypto/ec/ecp_nistputil.c b/crypto/ec/ecp_nistputil.c index 814a3083c3..2c3dc26f6e 100644 --- a/crypto/ec/ecp_nistputil.c +++ b/crypto/ec/ecp_nistputil.c @@ -49,7 +49,8 @@ * of size 'felem_size'. tmp_felems needs to point to a temporary array of * 'num'+1 field elements for storage of intermediate values. */ -void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, +void +ossl_ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, size_t felem_size, void *tmp_felems, void (*felem_one) (void *out), @@ -209,8 +210,8 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, * b_-1, has to be b_4 b_3 b_2 b_1 b_0 0. * */ -void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, - unsigned char *digit, unsigned char in) +void ossl_ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, + unsigned char *digit, unsigned char in) { unsigned char s, d; diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 64970d53bf..f348f97da1 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1471,53 +1471,53 @@ const EC_METHOD *EC_GFp_nistz256_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, - ec_GFp_mont_group_init, - ec_GFp_mont_group_finish, - ec_GFp_mont_group_clear_finish, - ec_GFp_mont_group_copy, - ec_GFp_mont_group_set_curve, - ec_GFp_simple_group_get_curve, - ec_GFp_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GFp_simple_group_check_discriminant, - ec_GFp_simple_point_init, - ec_GFp_simple_point_finish, - ec_GFp_simple_point_clear_finish, - ec_GFp_simple_point_copy, - ec_GFp_simple_point_set_to_infinity, - ec_GFp_simple_point_set_affine_coordinates, + ossl_ec_GFp_mont_group_init, + ossl_ec_GFp_mont_group_finish, + ossl_ec_GFp_mont_group_clear_finish, + ossl_ec_GFp_mont_group_copy, + ossl_ec_GFp_mont_group_set_curve, + ossl_ec_GFp_simple_group_get_curve, + ossl_ec_GFp_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GFp_simple_group_check_discriminant, + ossl_ec_GFp_simple_point_init, + ossl_ec_GFp_simple_point_finish, + ossl_ec_GFp_simple_point_clear_finish, + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, ecp_nistz256_get_affine, 0, 0, 0, - ec_GFp_simple_add, - ec_GFp_simple_dbl, - ec_GFp_simple_invert, - ec_GFp_simple_is_at_infinity, - ec_GFp_simple_is_on_curve, - ec_GFp_simple_cmp, - ec_GFp_simple_make_affine, - ec_GFp_simple_points_make_affine, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, + ossl_ec_GFp_simple_invert, + ossl_ec_GFp_simple_is_at_infinity, + ossl_ec_GFp_simple_is_on_curve, + ossl_ec_GFp_simple_cmp, + ossl_ec_GFp_simple_make_affine, + ossl_ec_GFp_simple_points_make_affine, ecp_nistz256_points_mul, /* mul */ ecp_nistz256_mult_precompute, /* precompute_mult */ ecp_nistz256_window_have_precompute_mult, /* have_precompute_mult */ - ec_GFp_mont_field_mul, - ec_GFp_mont_field_sqr, + ossl_ec_GFp_mont_field_mul, + ossl_ec_GFp_mont_field_sqr, 0, /* field_div */ - ec_GFp_mont_field_inv, - ec_GFp_mont_field_encode, - ec_GFp_mont_field_decode, - ec_GFp_mont_field_set_to_one, - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_GFp_mont_field_inv, + ossl_ec_GFp_mont_field_encode, + ossl_ec_GFp_mont_field_decode, + ossl_ec_GFp_mont_field_set_to_one, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */ 0, /* blind_coordinates */ 0, /* ladder_pre */ diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index b1c8e3ed8a..a8408b029b 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -19,10 +19,10 @@ #include "ec_local.h" -int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, - EC_POINT *point, - const BIGNUM *x_, int y_bit, - BN_CTX *ctx) +int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, + EC_POINT *point, + const BIGNUM *x_, int y_bit, + BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *tmp1, *tmp2, *x, *y; @@ -158,9 +158,9 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, return ret; } -size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *ctx) +size_t ossl_ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, + point_conversion_form_t form, + unsigned char *buf, size_t len, BN_CTX *ctx) { size_t ret; BN_CTX *new_ctx = NULL; @@ -273,8 +273,9 @@ size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, return 0; } -int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, - const unsigned char *buf, size_t len, BN_CTX *ctx) +int ossl_ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, + const unsigned char *buf, size_t len, + BN_CTX *ctx) { point_conversion_form_t form; int y_bit; diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c index c4b490e3be..ddaee93975 100644 --- a/crypto/ec/ecp_s390x_nistp.c +++ b/crypto/ec/ecp_s390x_nistp.c @@ -115,7 +115,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, ret: /* Otherwise use default. */ if (rc == -1) - rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); + rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len); BN_CTX_end(ctx); BN_CTX_free(new_ctx); @@ -186,7 +186,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, } } else { /* Reconstruct k = (k^-1)^-1. */ - if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 + if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) { ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto ret; @@ -321,60 +321,60 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \ EC_FLAGS_DEFAULT_OCT, \ NID_X9_62_prime_field, \ - ec_GFp_simple_group_init, \ - ec_GFp_simple_group_finish, \ - ec_GFp_simple_group_clear_finish, \ - ec_GFp_simple_group_copy, \ - ec_GFp_simple_group_set_curve, \ - ec_GFp_simple_group_get_curve, \ - ec_GFp_simple_group_get_degree, \ - ec_group_simple_order_bits, \ - ec_GFp_simple_group_check_discriminant, \ - ec_GFp_simple_point_init, \ - ec_GFp_simple_point_finish, \ - ec_GFp_simple_point_clear_finish, \ - ec_GFp_simple_point_copy, \ - ec_GFp_simple_point_set_to_infinity, \ - ec_GFp_simple_point_set_affine_coordinates, \ - ec_GFp_simple_point_get_affine_coordinates, \ + ossl_ec_GFp_simple_group_init, \ + ossl_ec_GFp_simple_group_finish, \ + ossl_ec_GFp_simple_group_clear_finish, \ + ossl_ec_GFp_simple_group_copy, \ + ossl_ec_GFp_simple_group_set_curve, \ + ossl_ec_GFp_simple_group_get_curve, \ + ossl_ec_GFp_simple_group_get_degree, \ + ossl_ec_group_simple_order_bits, \ + ossl_ec_GFp_simple_group_check_discriminant, \ + ossl_ec_GFp_simple_point_init, \ + ossl_ec_GFp_simple_point_finish, \ + ossl_ec_GFp_simple_point_clear_finish, \ + ossl_ec_GFp_simple_point_copy, \ + ossl_ec_GFp_simple_point_set_to_infinity, \ + ossl_ec_GFp_simple_point_set_affine_coordinates, \ + ossl_ec_GFp_simple_point_get_affine_coordinates, \ NULL, /* point_set_compressed_coordinates */ \ NULL, /* point2oct */ \ NULL, /* oct2point */ \ - ec_GFp_simple_add, \ - ec_GFp_simple_dbl, \ - ec_GFp_simple_invert, \ - ec_GFp_simple_is_at_infinity, \ - ec_GFp_simple_is_on_curve, \ - ec_GFp_simple_cmp, \ - ec_GFp_simple_make_affine, \ - ec_GFp_simple_points_make_affine, \ + ossl_ec_GFp_simple_add, \ + ossl_ec_GFp_simple_dbl, \ + ossl_ec_GFp_simple_invert, \ + ossl_ec_GFp_simple_is_at_infinity, \ + ossl_ec_GFp_simple_is_on_curve, \ + ossl_ec_GFp_simple_cmp, \ + ossl_ec_GFp_simple_make_affine, \ + ossl_ec_GFp_simple_points_make_affine, \ ec_GFp_s390x_nistp##bits##_mul, \ NULL, /* precompute_mult */ \ NULL, /* have_precompute_mult */ \ - ec_GFp_simple_field_mul, \ - ec_GFp_simple_field_sqr, \ + ossl_ec_GFp_simple_field_mul, \ + ossl_ec_GFp_simple_field_sqr, \ NULL, /* field_div */ \ - ec_GFp_simple_field_inv, \ + ossl_ec_GFp_simple_field_inv, \ NULL, /* field_encode */ \ NULL, /* field_decode */ \ NULL, /* field_set_to_one */ \ - ec_key_simple_priv2oct, \ - ec_key_simple_oct2priv, \ + ossl_ec_key_simple_priv2oct, \ + ossl_ec_key_simple_oct2priv, \ NULL, /* set_private */ \ - ec_key_simple_generate_key, \ - ec_key_simple_check_key, \ - ec_key_simple_generate_public_key, \ + ossl_ec_key_simple_generate_key, \ + ossl_ec_key_simple_check_key, \ + ossl_ec_key_simple_generate_public_key, \ NULL, /* keycopy */ \ NULL, /* keyfinish */ \ - ecdh_simple_compute_key, \ - ecdsa_simple_sign_setup, \ + ossl_ecdh_simple_compute_key, \ + ossl_ecdsa_simple_sign_setup, \ ecdsa_s390x_nistp##bits##_sign_sig, \ ecdsa_s390x_nistp##bits##_verify_sig, \ NULL, /* field_inverse_mod_ord */ \ - ec_GFp_simple_blind_coordinates, \ - ec_GFp_simple_ladder_pre, \ - ec_GFp_simple_ladder_step, \ - ec_GFp_simple_ladder_post \ + ossl_ec_GFp_simple_blind_coordinates, \ + ossl_ec_GFp_simple_ladder_pre, \ + ossl_ec_GFp_simple_ladder_step, \ + ossl_ec_GFp_simple_ladder_post \ }; \ static const EC_METHOD *ret; \ \ diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index 94b819829f..bca9da3e7e 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -24,58 +24,58 @@ const EC_METHOD *EC_GFp_simple_method(void) static const EC_METHOD ret = { EC_FLAGS_DEFAULT_OCT, NID_X9_62_prime_field, - ec_GFp_simple_group_init, - ec_GFp_simple_group_finish, - ec_GFp_simple_group_clear_finish, - ec_GFp_simple_group_copy, - ec_GFp_simple_group_set_curve, - ec_GFp_simple_group_get_curve, - ec_GFp_simple_group_get_degree, - ec_group_simple_order_bits, - ec_GFp_simple_group_check_discriminant, - ec_GFp_simple_point_init, - ec_GFp_simple_point_finish, - ec_GFp_simple_point_clear_finish, - ec_GFp_simple_point_copy, - ec_GFp_simple_point_set_to_infinity, - ec_GFp_simple_point_set_affine_coordinates, - ec_GFp_simple_point_get_affine_coordinates, + ossl_ec_GFp_simple_group_init, + ossl_ec_GFp_simple_group_finish, + ossl_ec_GFp_simple_group_clear_finish, + ossl_ec_GFp_simple_group_copy, + ossl_ec_GFp_simple_group_set_curve, + ossl_ec_GFp_simple_group_get_curve, + ossl_ec_GFp_simple_group_get_degree, + ossl_ec_group_simple_order_bits, + ossl_ec_GFp_simple_group_check_discriminant, + ossl_ec_GFp_simple_point_init, + ossl_ec_GFp_simple_point_finish, + ossl_ec_GFp_simple_point_clear_finish, + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, + ossl_ec_GFp_simple_point_get_affine_coordinates, 0, 0, 0, - ec_GFp_simple_add, - ec_GFp_simple_dbl, - ec_GFp_simple_invert, - ec_GFp_simple_is_at_infinity, - ec_GFp_simple_is_on_curve, - ec_GFp_simple_cmp, - ec_GFp_simple_make_affine, - ec_GFp_simple_points_make_affine, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, + ossl_ec_GFp_simple_invert, + ossl_ec_GFp_simple_is_at_infinity, + ossl_ec_GFp_simple_is_on_curve, + ossl_ec_GFp_simple_cmp, + ossl_ec_GFp_simple_make_affine, + ossl_ec_GFp_simple_points_make_affine, 0 /* mul */ , 0 /* precompute_mult */ , 0 /* have_precompute_mult */ , - ec_GFp_simple_field_mul, - ec_GFp_simple_field_sqr, + ossl_ec_GFp_simple_field_mul, + ossl_ec_GFp_simple_field_sqr, 0 /* field_div */ , - ec_GFp_simple_field_inv, + ossl_ec_GFp_simple_field_inv, 0 /* field_encode */ , 0 /* field_decode */ , 0, /* field_set_to_one */ - ec_key_simple_priv2oct, - ec_key_simple_oct2priv, + ossl_ec_key_simple_priv2oct, + ossl_ec_key_simple_oct2priv, 0, /* set private */ - ec_key_simple_generate_key, - ec_key_simple_check_key, - ec_key_simple_generate_public_key, + ossl_ec_key_simple_generate_key, + ossl_ec_key_simple_check_key, + ossl_ec_key_simple_generate_public_key, 0, /* keycopy */ 0, /* keyfinish */ - ecdh_simple_compute_key, - ecdsa_simple_sign_setup, - ecdsa_simple_sign_sig, - ecdsa_simple_verify_sig, + ossl_ecdh_simple_compute_key, + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, 0, /* field_inverse_mod_ord */ - ec_GFp_simple_blind_coordinates, - ec_GFp_simple_ladder_pre, - ec_GFp_simple_ladder_step, - ec_GFp_simple_ladder_post + ossl_ec_GFp_simple_blind_coordinates, + ossl_ec_GFp_simple_ladder_pre, + ossl_ec_GFp_simple_ladder_step, + ossl_ec_GFp_simple_ladder_post }; return &ret; @@ -95,7 +95,7 @@ const EC_METHOD *EC_GFp_simple_method(void) * representation (i.e. 'encoding' means multiplying by some factor R). */ -int ec_GFp_simple_group_init(EC_GROUP *group) +int ossl_ec_GFp_simple_group_init(EC_GROUP *group) { group->field = BN_new(); group->a = BN_new(); @@ -110,21 +110,21 @@ int ec_GFp_simple_group_init(EC_GROUP *group) return 1; } -void ec_GFp_simple_group_finish(EC_GROUP *group) +void ossl_ec_GFp_simple_group_finish(EC_GROUP *group) { BN_free(group->field); BN_free(group->a); BN_free(group->b); } -void ec_GFp_simple_group_clear_finish(EC_GROUP *group) +void ossl_ec_GFp_simple_group_clear_finish(EC_GROUP *group) { BN_clear_free(group->field); BN_clear_free(group->a); BN_clear_free(group->b); } -int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) +int ossl_ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) { if (!BN_copy(dest->field, src->field)) return 0; @@ -138,9 +138,9 @@ int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) return 1; } -int ec_GFp_simple_group_set_curve(EC_GROUP *group, - const BIGNUM *p, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GFp_simple_group_set_curve(EC_GROUP *group, + const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) { int ret = 0; BN_CTX *new_ctx = NULL; @@ -197,8 +197,8 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, return ret; } -int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, - BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, + BIGNUM *a, BIGNUM *b, BN_CTX *ctx) { int ret = 0; BN_CTX *new_ctx = NULL; @@ -242,12 +242,13 @@ int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, return ret; } -int ec_GFp_simple_group_get_degree(const EC_GROUP *group) +int ossl_ec_GFp_simple_group_get_degree(const EC_GROUP *group) { return BN_num_bits(group->field); } -int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) +int ossl_ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, + BN_CTX *ctx) { int ret = 0; BIGNUM *a, *b, *order, *tmp_1, *tmp_2; @@ -318,7 +319,7 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) return ret; } -int ec_GFp_simple_point_init(EC_POINT *point) +int ossl_ec_GFp_simple_point_init(EC_POINT *point) { point->X = BN_new(); point->Y = BN_new(); @@ -334,14 +335,14 @@ int ec_GFp_simple_point_init(EC_POINT *point) return 1; } -void ec_GFp_simple_point_finish(EC_POINT *point) +void ossl_ec_GFp_simple_point_finish(EC_POINT *point) { BN_free(point->X); BN_free(point->Y); BN_free(point->Z); } -void ec_GFp_simple_point_clear_finish(EC_POINT *point) +void ossl_ec_GFp_simple_point_clear_finish(EC_POINT *point) { BN_clear_free(point->X); BN_clear_free(point->Y); @@ -349,7 +350,7 @@ void ec_GFp_simple_point_clear_finish(EC_POINT *point) point->Z_is_one = 0; } -int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) +int ossl_ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) { if (!BN_copy(dest->X, src->X)) return 0; @@ -363,20 +364,20 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) return 1; } -int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, - EC_POINT *point) +int ossl_ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, + EC_POINT *point) { point->Z_is_one = 0; BN_zero(point->Z); return 1; } -int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, - EC_POINT *point, - const BIGNUM *x, - const BIGNUM *y, - const BIGNUM *z, - BN_CTX *ctx) +int ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, + EC_POINT *point, + const BIGNUM *x, + const BIGNUM *y, + const BIGNUM *z, + BN_CTX *ctx) { BN_CTX *new_ctx = NULL; int ret = 0; @@ -431,10 +432,10 @@ int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, return ret; } -int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BIGNUM *z, BN_CTX *ctx) +int ossl_ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BIGNUM *z, BN_CTX *ctx) { BN_CTX *new_ctx = NULL; int ret = 0; @@ -480,10 +481,10 @@ int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, return ret; } -int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, - EC_POINT *point, - const BIGNUM *x, - const BIGNUM *y, BN_CTX *ctx) +int ossl_ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, + EC_POINT *point, + const BIGNUM *x, + const BIGNUM *y, BN_CTX *ctx) { if (x == NULL || y == NULL) { /* @@ -497,10 +498,10 @@ int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, BN_value_one(), ctx); } -int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, - BN_CTX *ctx) +int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, + BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *Z, *Z_1, *Z_2, *Z_3; @@ -609,8 +610,8 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, return ret; } -int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, - const EC_POINT *b, BN_CTX *ctx) +int ossl_ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, + const EC_POINT *b, BN_CTX *ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); @@ -794,8 +795,8 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, return ret; } -int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, - BN_CTX *ctx) +int ossl_ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, + BN_CTX *ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); @@ -936,7 +937,8 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, return ret; } -int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) +int ossl_ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, + BN_CTX *ctx) { if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y)) /* point is its own inverse */ @@ -945,13 +947,14 @@ int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) return BN_usub(point->Y, group->field, point->Y); } -int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) +int ossl_ec_GFp_simple_is_at_infinity(const EC_GROUP *group, + const EC_POINT *point) { return BN_is_zero(point->Z); } -int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, - BN_CTX *ctx) +int ossl_ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, + BN_CTX *ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); @@ -1053,8 +1056,8 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, return ret; } -int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, - const EC_POINT *b, BN_CTX *ctx) +int ossl_ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, + const EC_POINT *b, BN_CTX *ctx) { /*- * return values: @@ -1161,8 +1164,8 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, return ret; } -int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, - BN_CTX *ctx) +int ossl_ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, + BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *x, *y; @@ -1200,8 +1203,8 @@ int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, return ret; } -int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, - EC_POINT *points[], BN_CTX *ctx) +int ossl_ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, + EC_POINT *points[], BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *tmp, *tmp_Z; @@ -1359,14 +1362,14 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, return ret; } -int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) +int ossl_ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) { return BN_mod_mul(r, a, b, group->field, ctx); } -int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - BN_CTX *ctx) +int ossl_ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, + BN_CTX *ctx) { return BN_mod_sqr(r, a, group->field, ctx); } @@ -1377,8 +1380,8 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, * Since we don't have a Mont structure here, SCA hardening is with blinding. * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.) */ -int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - BN_CTX *ctx) +int ossl_ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, + const BIGNUM *a, BN_CTX *ctx) { BIGNUM *e = NULL; BN_CTX *new_ctx = NULL; @@ -1424,8 +1427,8 @@ int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, * lambda = [1,group->field) * */ -int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, - BN_CTX *ctx) +int ossl_ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, + BN_CTX *ctx) { int ret = 0; BIGNUM *lambda = NULL; @@ -1487,9 +1490,9 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z) * for any non-zero \lambda that holds for projective (homogeneous) coords. */ -int ec_GFp_simple_ladder_pre(const EC_GROUP *group, - EC_POINT *r, EC_POINT *s, - EC_POINT *p, BN_CTX *ctx) +int ossl_ec_GFp_simple_ladder_pre(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx) { BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL; @@ -1557,9 +1560,9 @@ int ec_GFp_simple_ladder_pre(const EC_GROUP *group, * attacks", as described at * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4 */ -int ec_GFp_simple_ladder_step(const EC_GROUP *group, - EC_POINT *r, EC_POINT *s, - EC_POINT *p, BN_CTX *ctx) +int ossl_ec_GFp_simple_ladder_step(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx) { int ret = 0; BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL; @@ -1645,9 +1648,9 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group, * - Y1==0 implies p has order 2, so either r or s are infinity and handled by * one of the BN_is_zero(...) branches. */ -int ec_GFp_simple_ladder_post(const EC_GROUP *group, - EC_POINT *r, EC_POINT *s, - EC_POINT *p, BN_CTX *ctx) +int ossl_ec_GFp_simple_ladder_post(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx) { int ret = 0; BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL; diff --git a/crypto/ec/ecx_backend.c b/crypto/ec/ecx_backend.c index 8bd96474bd..f9f9d45f2d 100644 --- a/crypto/ec/ecx_backend.c +++ b/crypto/ec/ecx_backend.c @@ -20,7 +20,7 @@ * implementations alike. */ -int ecx_public_from_private(ECX_KEY *key) +int ossl_ecx_public_from_private(ECX_KEY *key) { switch (key->type) { case ECX_KEY_TYPE_X25519: @@ -47,8 +47,8 @@ int ecx_public_from_private(ECX_KEY *key) return 1; } -int ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], - int include_private) +int ossl_ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], + int include_private) { size_t privkeylen = 0, pubkeylen = 0; const OSSL_PARAM *param_priv_key = NULL, *param_pub_key; @@ -82,7 +82,7 @@ int ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], || (param_priv_key != NULL && privkeylen != ecx->keylen)) return 0; - if (param_pub_key == NULL && !ecx_public_from_private(ecx)) + if (param_pub_key == NULL && !ossl_ecx_public_from_private(ecx)) return 0; ecx->haspubkey = 1; diff --git a/crypto/ec/ecx_key.c b/crypto/ec/ecx_key.c index 2b9386d522..45d55b5132 100644 --- a/crypto/ec/ecx_key.c +++ b/crypto/ec/ecx_key.c @@ -10,8 +10,8 @@ #include #include "crypto/ecx.h" -ECX_KEY *ecx_key_new(OSSL_LIB_CTX *libctx, ECX_KEY_TYPE type, int haspubkey, - const char *propq) +ECX_KEY *ossl_ecx_key_new(OSSL_LIB_CTX *libctx, ECX_KEY_TYPE type, int haspubkey, + const char *propq) { ECX_KEY *ret = OPENSSL_zalloc(sizeof(*ret)); @@ -54,7 +54,7 @@ err: return NULL; } -void ecx_key_free(ECX_KEY *key) +void ossl_ecx_key_free(ECX_KEY *key) { int i; @@ -73,12 +73,12 @@ void ecx_key_free(ECX_KEY *key) OPENSSL_free(key); } -void ecx_key_set0_libctx(ECX_KEY *key, OSSL_LIB_CTX *libctx) +void ossl_ecx_key_set0_libctx(ECX_KEY *key, OSSL_LIB_CTX *libctx) { key->libctx = libctx; } -int ecx_key_up_ref(ECX_KEY *key) +int ossl_ecx_key_up_ref(ECX_KEY *key) { int i; @@ -90,7 +90,7 @@ int ecx_key_up_ref(ECX_KEY *key) return ((i > 1) ? 1 : 0); } -unsigned char *ecx_key_allocate_privkey(ECX_KEY *key) +unsigned char *ossl_ecx_key_allocate_privkey(ECX_KEY *key) { key->privkey = OPENSSL_secure_zalloc(key->keylen); diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index 3178cc2d31..269e270ea6 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -59,7 +59,7 @@ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg, } } - key = ecx_key_new(libctx, KEYNID2TYPE(id), 1, propq); + key = ossl_ecx_key_new(libctx, KEYNID2TYPE(id), 1, propq); if (key == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); return 0; @@ -69,7 +69,7 @@ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg, if (op == KEY_OP_PUBLIC) { memcpy(pubkey, p, plen); } else { - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; @@ -88,7 +88,7 @@ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg, } else { memcpy(privkey, p, KEYLENID(id)); } - if (!ecx_public_from_private(key)) { + if (!ossl_ecx_public_from_private(key)) { ERR_raise(ERR_LIB_EC, EC_R_FAILED_MAKING_PUBLIC_KEY); goto err; } @@ -97,7 +97,7 @@ static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg, EVP_PKEY_assign(pkey, id, key); return 1; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return 0; } @@ -235,7 +235,7 @@ static int ecx_security_bits(const EVP_PKEY *pkey) static void ecx_free(EVP_PKEY *pkey) { - ecx_key_free(pkey->pkey.ecx); + ossl_ecx_key_free(pkey->pkey.ecx); } /* "parameters" are always equal */ @@ -438,17 +438,17 @@ static int ecx_generic_import_from(const OSSL_PARAM params[], void *vpctx, { EVP_PKEY_CTX *pctx = vpctx; EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx); - ECX_KEY *ecx = ecx_key_new(pctx->libctx, KEYNID2TYPE(keytype), 0, - pctx->propquery); + ECX_KEY *ecx = ossl_ecx_key_new(pctx->libctx, KEYNID2TYPE(keytype), 0, + pctx->propquery); if (ecx == NULL) { ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); return 0; } - if (!ecx_key_fromdata(ecx, params, 1) + if (!ossl_ecx_key_fromdata(ecx, params, 1) || !EVP_PKEY_assign(pkey, keytype, ecx)) { - ecx_key_free(ecx); + ossl_ecx_key_free(ecx); return 0; } return 1; @@ -943,8 +943,8 @@ static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_X25519, 1, - ctx->propquery); + ECX_KEY *key = ossl_ecx_key_new(ctx->libctx, ECX_KEY_TYPE_X25519, 1, + ctx->propquery); unsigned char *privkey = NULL, *pubkey; if (key == NULL) { @@ -954,7 +954,7 @@ static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; @@ -973,7 +973,7 @@ static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); return 1; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return 0; } @@ -986,8 +986,8 @@ static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_X448, 1, - ctx->propquery); + ECX_KEY *key = ossl_ecx_key_new(ctx->libctx, ECX_KEY_TYPE_X448, 1, + ctx->propquery); unsigned char *privkey = NULL, *pubkey; if (key == NULL) { @@ -997,7 +997,7 @@ static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; @@ -1015,7 +1015,7 @@ static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); return 1; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return 0; } @@ -1032,8 +1032,8 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, }; unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH]; - ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_ED25519, 1, - ctx->propquery); + ECX_KEY *key = ossl_ecx_key_new(ctx->libctx, ECX_KEY_TYPE_ED25519, 1, + ctx->propquery); unsigned char *privkey = NULL, *pubkey; unsigned int sz; @@ -1044,7 +1044,7 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; @@ -1069,7 +1069,7 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); return 1; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return 0; } @@ -1090,8 +1090,8 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00 }; unsigned char x_dst[57], buff[114]; - ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_ED448, 1, - ctx->propquery); + ECX_KEY *key = ossl_ecx_key_new(ctx->libctx, ECX_KEY_TYPE_ED448, 1, + ctx->propquery); unsigned char *privkey = NULL, *pubkey; EVP_MD_CTX *hashctx = NULL; @@ -1102,7 +1102,7 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; @@ -1135,7 +1135,7 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) EVP_MD_CTX_free(hashctx); return 1; err: - ecx_key_free(key); + ossl_ecx_key_free(key); EVP_MD_CTX_free(hashctx); return 0; } @@ -1351,7 +1351,7 @@ static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = { }; #endif -const EVP_PKEY_METHOD *ecx25519_pkey_method(void) +const EVP_PKEY_METHOD *ossl_ecx25519_pkey_method(void) { #ifdef S390X_EC_ASM if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)) @@ -1360,7 +1360,7 @@ const EVP_PKEY_METHOD *ecx25519_pkey_method(void) return &ecx25519_pkey_meth; } -const EVP_PKEY_METHOD *ecx448_pkey_method(void) +const EVP_PKEY_METHOD *ossl_ecx448_pkey_method(void) { #ifdef S390X_EC_ASM if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)) @@ -1369,7 +1369,7 @@ const EVP_PKEY_METHOD *ecx448_pkey_method(void) return &ecx448_pkey_meth; } -const EVP_PKEY_METHOD *ed25519_pkey_method(void) +const EVP_PKEY_METHOD *ossl_ed25519_pkey_method(void) { #ifdef S390X_EC_ASM if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) @@ -1381,7 +1381,7 @@ const EVP_PKEY_METHOD *ed25519_pkey_method(void) return &ed25519_pkey_meth; } -const EVP_PKEY_METHOD *ed448_pkey_method(void) +const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void) { #ifdef S390X_EC_ASM if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index 04f8fdbcab..e0f849d236 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1023,7 +1023,7 @@ static int fix_dh_paramgen_type(enum state state, return 0; if (state == PRE_CTRL_TO_PARAMS) { - ctx->p2 = (char *)dh_gen_type_id2name(ctx->p1); + ctx->p2 = (char *)ossl_dh_gen_type_id2name(ctx->p1); ctx->p1 = 0; } @@ -1031,7 +1031,7 @@ static int fix_dh_paramgen_type(enum state state, return ret; if (state == PRE_PARAMS_TO_CTRL) { - ctx->p1 = dh_gen_type_name2id(ctx->p2); + ctx->p1 = ossl_dh_gen_type_name2id(ctx->p2); ctx->p2 = NULL; } @@ -1504,7 +1504,7 @@ static int get_payload_group_name(enum state state, if (grp != NULL) nid = EC_GROUP_get_curve_name(grp); if (nid != NID_undef) - ctx->p2 = (char *)ec_curve_nid2name(nid); + ctx->p2 = (char *)ossl_ec_curve_nid2name(nid); } break; #endif @@ -1569,7 +1569,7 @@ static int get_payload_public_key(enum state state, case EVP_PKEY_DH: switch (ctx->params->data_type) { case OSSL_PARAM_OCTET_STRING: - ctx->sz = dh_key2buf(EVP_PKEY_get0_DH(pkey), &buf, 0, 1); + ctx->sz = ossl_dh_key2buf(EVP_PKEY_get0_DH(pkey), &buf, 0, 1); ctx->p2 = buf; break; case OSSL_PARAM_UNSIGNED_INTEGER: @@ -1592,7 +1592,7 @@ static int get_payload_public_key(enum state state, case EVP_PKEY_EC: if (ctx->params->data_type == OSSL_PARAM_OCTET_STRING) { EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); - BN_CTX *bnctx = BN_CTX_new_ex(ec_key_get_libctx(eckey)); + BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(eckey)); const EC_GROUP *ecg = EC_KEY_get0_group(eckey); const EC_POINT *point = EC_KEY_get0_public_key(eckey); diff --git a/crypto/evp/dh_support.c b/crypto/evp/dh_support.c index 212cf908eb..0f33b28122 100644 --- a/crypto/evp/dh_support.c +++ b/crypto/evp/dh_support.c @@ -25,7 +25,7 @@ static const DH_GENTYPE_NAME2ID dhtype2id[]= { "generator", DH_PARAMGEN_TYPE_GENERATOR } }; -const char *dh_gen_type_id2name(int id) +const char *ossl_dh_gen_type_id2name(int id) { size_t i; @@ -36,7 +36,7 @@ const char *dh_gen_type_id2name(int id) return NULL; } -int dh_gen_type_name2id(const char *name) +int ossl_dh_gen_type_name2id(const char *name) { size_t i; diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c index 7afd307435..a1eca28b79 100644 --- a/crypto/evp/ec_support.c +++ b/crypto/evp/ec_support.c @@ -115,7 +115,7 @@ static const EC_NAME2NID curve_list[] = { {"SM2", NID_sm2 }, }; -const char *ec_curve_nid2name(int nid) +const char *ossl_ec_curve_nid2name(int nid) { size_t i; @@ -126,7 +126,7 @@ const char *ec_curve_nid2name(int nid) * TODO(3.0) Figure out if we should try to find the nid with * EC_curve_nid2nist() first, i.e. make it a priority to return * NIST names if there is one for the NID. This is related to - * the TODO comment in ec_curve_name2nid(). + * the TODO comment in ossl_ec_curve_name2nid(). */ for (i = 0; i < OSSL_NELEM(curve_list); i++) { @@ -136,13 +136,13 @@ const char *ec_curve_nid2name(int nid) return NULL; } -int ec_curve_name2nid(const char *name) +int ossl_ec_curve_name2nid(const char *name) { size_t i; int nid; if (name != NULL) { - if ((nid = ec_curve_nist2nid_int(name)) != NID_undef) + if ((nid = ossl_ec_curve_nist2nid_int(name)) != NID_undef) return nid; for (i = 0; i < OSSL_NELEM(curve_list); i++) { @@ -174,7 +174,7 @@ static const EC_NAME2NID nist_curves[] = { {"P-521", NID_secp521r1} }; -const char *ec_curve_nid2nist_int(int nid) +const char *ossl_ec_curve_nid2nist_int(int nid) { size_t i; for (i = 0; i < OSSL_NELEM(nist_curves); i++) { @@ -184,7 +184,7 @@ const char *ec_curve_nid2nist_int(int nid) return NULL; } -int ec_curve_nist2nid_int(const char *name) +int ossl_ec_curve_nist2nid_int(const char *name) { size_t i; for (i = 0; i < OSSL_NELEM(nist_curves); i++) { diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 9f3256c191..63f3f4cbc7 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -838,12 +838,12 @@ static ECX_KEY *evp_pkey_get1_ECX_KEY(EVP_PKEY *pkey, int type) { ECX_KEY *ret = evp_pkey_get0_ECX_KEY(pkey, type); if (ret != NULL) - ecx_key_up_ref(ret); + ossl_ecx_key_up_ref(ret); return ret; } # define IMPLEMENT_ECX_VARIANT(NAME) \ - ECX_KEY *evp_pkey_get1_##NAME(EVP_PKEY *pkey) \ + ECX_KEY *ossl_evp_pkey_get1_##NAME(EVP_PKEY *pkey) \ { \ return evp_pkey_get1_ECX_KEY(pkey, EVP_PKEY_##NAME); \ } diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 500e056479..478ae40a26 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -51,25 +51,25 @@ static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; static pmeth_fn standard_methods[] = { ossl_rsa_pkey_method, # ifndef OPENSSL_NO_DH - dh_pkey_method, + ossl_dh_pkey_method, # endif # ifndef OPENSSL_NO_DSA - dsa_pkey_method, + ossl_dsa_pkey_method, # endif # ifndef OPENSSL_NO_EC - ec_pkey_method, + ossl_ec_pkey_method, # endif ossl_rsa_pss_pkey_method, # ifndef OPENSSL_NO_DH - dhx_pkey_method, + ossl_dhx_pkey_method, # endif # ifndef OPENSSL_NO_EC - ecx25519_pkey_method, - ecx448_pkey_method, + ossl_ecx25519_pkey_method, + ossl_ecx448_pkey_method, # endif # ifndef OPENSSL_NO_EC - ed25519_pkey_method, - ed448_pkey_method, + ossl_ed25519_pkey_method, + ossl_ed448_pkey_method, # endif }; @@ -1326,6 +1326,7 @@ int EVP_PKEY_CTX_ctrl_uint64(EVP_PKEY_CTX *ctx, int keytype, int optype, return EVP_PKEY_CTX_ctrl(ctx, keytype, optype, cmd, 0, &value); } + static int evp_pkey_ctx_ctrl_str_int(EVP_PKEY_CTX *ctx, const char *name, const char *value) { diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c index 9201d712c1..5e455d0613 100644 --- a/crypto/sm2/sm2_crypt.c +++ b/crypto/sm2/sm2_crypt.c @@ -17,7 +17,7 @@ #include "crypto/sm2.h" #include "crypto/sm2err.h" -#include "crypto/ec.h" /* ecdh_KDF_X9_63() */ +#include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */ #include #include #include @@ -67,8 +67,8 @@ static size_t ec_field_size(const EC_GROUP *group) return field_size; } -int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, - size_t *pt_size) +int ossl_sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, + size_t msg_len, size_t *pt_size) { const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); const int md_size = EVP_MD_size(digest); @@ -93,8 +93,8 @@ int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, return 1; } -int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, - size_t *ct_size) +int ossl_sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, + size_t msg_len, size_t *ct_size) { const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); const int md_size = EVP_MD_size(digest); @@ -113,10 +113,10 @@ int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, return 1; } -int sm2_encrypt(const EC_KEY *key, - const EVP_MD *digest, - const uint8_t *msg, - size_t msg_len, uint8_t *ciphertext_buf, size_t *ciphertext_len) +int ossl_sm2_encrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *msg, size_t msg_len, + uint8_t *ciphertext_buf, size_t *ciphertext_len) { int rc = 0, ciphertext_leni; size_t i; @@ -139,8 +139,8 @@ int sm2_encrypt(const EC_KEY *key, size_t field_size; const int C3_size = EVP_MD_size(digest); EVP_MD *fetched_digest = NULL; - OSSL_LIB_CTX *libctx = ec_key_get_libctx(key); - const char *propq = ec_key_get0_propq(key); + OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); + const char *propq = ossl_ec_key_get0_propq(key); /* NULL these before any "goto done" */ ctext_struct.C2 = NULL; @@ -213,8 +213,8 @@ int sm2_encrypt(const EC_KEY *key, } /* X9.63 with no salt happens to match the KDF used in SM2 */ - if (!ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, - digest, libctx, propq)) { + if (!ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, + digest, libctx, propq)) { ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); goto done; } @@ -275,10 +275,10 @@ int sm2_encrypt(const EC_KEY *key, return rc; } -int sm2_decrypt(const EC_KEY *key, - const EVP_MD *digest, - const uint8_t *ciphertext, - size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len) +int ossl_sm2_decrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *ciphertext, size_t ciphertext_len, + uint8_t *ptext_buf, size_t *ptext_len) { int rc = 0; int i; @@ -297,8 +297,8 @@ int sm2_decrypt(const EC_KEY *key, const uint8_t *C3 = NULL; int msg_len = 0; EVP_MD_CTX *hash = NULL; - OSSL_LIB_CTX *libctx = ec_key_get_libctx(key); - const char *propq = ec_key_get0_propq(key); + OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); + const char *propq = ossl_ec_key_get0_propq(key); if (field_size == 0 || hash_size <= 0) goto done; @@ -362,8 +362,8 @@ int sm2_decrypt(const EC_KEY *key, if (BN_bn2binpad(x2, x2y2, field_size) < 0 || BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0 - || !ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, - digest, libctx, propq)) { + || !ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, + NULL, 0, digest, libctx, propq)) { ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); goto done; } diff --git a/crypto/sm2/sm2_key.c b/crypto/sm2/sm2_key.c index ec96737a84..9d0b9208fa 100644 --- a/crypto/sm2/sm2_key.c +++ b/crypto/sm2/sm2_key.c @@ -19,7 +19,7 @@ * crypto/ec/ec_key.c */ -int sm2_key_private_check(const EC_KEY *eckey) +int ossl_sm2_key_private_check(const EC_KEY *eckey) { int ret = 0; BIGNUM *max = NULL; diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c index e36e0710b7..d9e16e1f98 100644 --- a/crypto/sm2/sm2_sign.c +++ b/crypto/sm2/sm2_sign.c @@ -13,7 +13,7 @@ #include "crypto/sm2.h" #include "crypto/sm2err.h" -#include "crypto/ec.h" /* ec_group_do_inverse_ord() */ +#include "crypto/ec.h" /* ossl_ec_group_do_inverse_ord() */ #include "internal/numbers.h" #include #include @@ -21,11 +21,11 @@ #include #include -int sm2_compute_z_digest(uint8_t *out, - const EVP_MD *digest, - const uint8_t *id, - const size_t id_len, - const EC_KEY *key) +int ossl_sm2_compute_z_digest(uint8_t *out, + const EVP_MD *digest, + const uint8_t *id, + const size_t id_len, + const EC_KEY *key) { int rc = 0; const EC_GROUP *group = EC_KEY_get0_group(key); @@ -44,7 +44,7 @@ int sm2_compute_z_digest(uint8_t *out, uint8_t e_byte = 0; hash = EVP_MD_CTX_new(); - ctx = BN_CTX_new_ex(ec_key_get_libctx(key)); + ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key)); if (hash == NULL || ctx == NULL) { ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); goto done; @@ -149,8 +149,8 @@ static BIGNUM *sm2_compute_msg_hash(const EVP_MD *digest, uint8_t *z = NULL; BIGNUM *e = NULL; EVP_MD *fetched_digest = NULL; - OSSL_LIB_CTX *libctx = ec_key_get_libctx(key); - const char *propq = ec_key_get0_propq(key); + OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); + const char *propq = ossl_ec_key_get0_propq(key); if (md_size < 0) { ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST); @@ -169,7 +169,7 @@ static BIGNUM *sm2_compute_msg_hash(const EVP_MD *digest, goto done; } - if (!sm2_compute_z_digest(z, fetched_digest, id, id_len, key)) { + if (!ossl_sm2_compute_z_digest(z, fetched_digest, id, id_len, key)) { /* SM2err already called */ goto done; } @@ -208,7 +208,7 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e) BIGNUM *s = NULL; BIGNUM *x1 = NULL; BIGNUM *tmp = NULL; - OSSL_LIB_CTX *libctx = ec_key_get_libctx(key); + OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); kG = EC_POINT_new(group); ctx = BN_CTX_new_ex(libctx); @@ -266,7 +266,7 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e) continue; if (!BN_add(s, dA, BN_value_one()) - || !ec_group_do_inverse_ord(group, s, s, ctx) + || !ossl_ec_group_do_inverse_ord(group, s, s, ctx) || !BN_mod_mul(tmp, dA, r, order, ctx) || !BN_sub(tmp, k, tmp) || !BN_mod_mul(s, s, tmp, order, ctx)) { @@ -308,7 +308,7 @@ static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig, BIGNUM *x1 = NULL; const BIGNUM *r = NULL; const BIGNUM *s = NULL; - OSSL_LIB_CTX *libctx = ec_key_get_libctx(key); + OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); ctx = BN_CTX_new_ex(libctx); pt = EC_POINT_new(group); @@ -375,11 +375,11 @@ static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig, return ret; } -ECDSA_SIG *sm2_do_sign(const EC_KEY *key, - const EVP_MD *digest, - const uint8_t *id, - const size_t id_len, - const uint8_t *msg, size_t msg_len) +ECDSA_SIG *ossl_sm2_do_sign(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *id, + const size_t id_len, + const uint8_t *msg, size_t msg_len) { BIGNUM *e = NULL; ECDSA_SIG *sig = NULL; @@ -397,12 +397,12 @@ ECDSA_SIG *sm2_do_sign(const EC_KEY *key, return sig; } -int sm2_do_verify(const EC_KEY *key, - const EVP_MD *digest, - const ECDSA_SIG *sig, - const uint8_t *id, - const size_t id_len, - const uint8_t *msg, size_t msg_len) +int ossl_sm2_do_verify(const EC_KEY *key, + const EVP_MD *digest, + const ECDSA_SIG *sig, + const uint8_t *id, + const size_t id_len, + const uint8_t *msg, size_t msg_len) { BIGNUM *e = NULL; int ret = 0; @@ -420,8 +420,9 @@ int sm2_do_verify(const EC_KEY *key, return ret; } -int sm2_internal_sign(const unsigned char *dgst, int dgstlen, - unsigned char *sig, unsigned int *siglen, EC_KEY *eckey) +int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen, + unsigned char *sig, unsigned int *siglen, + EC_KEY *eckey) { BIGNUM *e = NULL; ECDSA_SIG *s = NULL; @@ -455,8 +456,9 @@ int sm2_internal_sign(const unsigned char *dgst, int dgstlen, return ret; } -int sm2_internal_verify(const unsigned char *dgst, int dgstlen, - const unsigned char *sig, int sig_len, EC_KEY *eckey) +int ossl_sm2_internal_verify(const unsigned char *dgst, int dgstlen, + const unsigned char *sig, int sig_len, + EC_KEY *eckey) { ECDSA_SIG *s = NULL; BIGNUM *e = NULL; diff --git a/include/crypto/dh.h b/include/crypto/dh.h index eca2a03056..d8b597a0f1 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -16,40 +16,41 @@ # include # include "internal/ffc.h" -DH *dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid); -DH *dh_new_ex(OSSL_LIB_CTX *libctx); +DH *ossl_dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid); +DH *ossl_dh_new_ex(OSSL_LIB_CTX *libctx); void ossl_dh_set0_libctx(DH *d, OSSL_LIB_CTX *libctx); - -int dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, - BN_GENCB *cb); -int dh_generate_public_key(BN_CTX *ctx, const DH *dh, const BIGNUM *priv_key, - BIGNUM *pub_key); -int dh_get_named_group_uid_from_size(int pbits); -const char *dh_gen_type_id2name(int id); -int dh_gen_type_name2id(const char *name); -void dh_cache_named_group(DH *dh); +int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, + BN_GENCB *cb); +int ossl_dh_generate_public_key(BN_CTX *ctx, const DH *dh, + const BIGNUM *priv_key, BIGNUM *pub_key); +int ossl_dh_get_named_group_uid_from_size(int pbits); +const char *ossl_dh_gen_type_id2name(int id); +int ossl_dh_gen_type_name2id(const char *name); +void ossl_dh_cache_named_group(DH *dh); int ossl_dh_is_named_safe_prime_group(const DH *dh); -FFC_PARAMS *dh_get0_params(DH *dh); -int dh_get0_nid(const DH *dh); -int dh_params_fromdata(DH *dh, const OSSL_PARAM params[]); -int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]); -int dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); -int dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); - -int dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret); -int dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret); -int dh_check_pairwise(const DH *dh); - -const DH_METHOD *dh_get_method(const DH *dh); - -int dh_buf2key(DH *key, const unsigned char *buf, size_t len); -size_t dh_key2buf(const DH *dh, unsigned char **pbuf, size_t size, int alloc); - -int dh_KDF_X9_42_asn1(unsigned char *out, size_t outlen, - const unsigned char *Z, size_t Zlen, - const char *cek_alg, - const unsigned char *ukm, size_t ukmlen, const EVP_MD *md, - OSSL_LIB_CTX *libctx, const char *propq); +FFC_PARAMS *ossl_dh_get0_params(DH *dh); +int ossl_dh_get0_nid(const DH *dh); +int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]); +int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[]); +int ossl_dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); +int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); + +int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret); +int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret); +int ossl_dh_check_pairwise(const DH *dh); + +const DH_METHOD *ossl_dh_get_method(const DH *dh); + +int ossl_dh_buf2key(DH *key, const unsigned char *buf, size_t len); +size_t ossl_dh_key2buf(const DH *dh, unsigned char **pbuf, size_t size, + int alloc); + +int ossl_dh_kdf_X9_42_asn1(unsigned char *out, size_t outlen, + const unsigned char *Z, size_t Zlen, + const char *cek_alg, + const unsigned char *ukm, size_t ukmlen, + const EVP_MD *md, + OSSL_LIB_CTX *libctx, const char *propq); #endif /* OSSL_CRYPTO_DH_H */ diff --git a/include/crypto/dsa.h b/include/crypto/dsa.h index a47fbcd841..331baf320e 100644 --- a/include/crypto/dsa.h +++ b/include/crypto/dsa.h @@ -18,25 +18,26 @@ #define DSA_PARAMGEN_TYPE_FIPS_186_4 0 /* Use FIPS186-4 standard */ #define DSA_PARAMGEN_TYPE_FIPS_186_2 1 /* Use legacy FIPS186-2 standard */ -DSA *dsa_new_with_ctx(OSSL_LIB_CTX *libctx); +DSA *ossl_dsa_new(OSSL_LIB_CTX *libctx); void ossl_dsa_set0_libctx(DSA *d, OSSL_LIB_CTX *libctx); -int dsa_generate_ffc_parameters(DSA *dsa, int type, int pbits, int qbits, - BN_GENCB *cb); +int ossl_dsa_generate_ffc_parameters(DSA *dsa, int type, int pbits, int qbits, + BN_GENCB *cb); -int dsa_sign_int(int type, const unsigned char *dgst, - int dlen, unsigned char *sig, unsigned int *siglen, DSA *dsa); +int ossl_dsa_sign_int(int type, const unsigned char *dgst, int dlen, + unsigned char *sig, unsigned int *siglen, DSA *dsa); -FFC_PARAMS *dsa_get0_params(DSA *dsa); -int dsa_ffc_params_fromdata(DSA *dsa, const OSSL_PARAM params[]); -int dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]); +FFC_PARAMS *ossl_dsa_get0_params(DSA *dsa); +int ossl_dsa_ffc_params_fromdata(DSA *dsa, const OSSL_PARAM params[]); +int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]); -int dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, const BIGNUM *priv_key, - BIGNUM *pub_key); -int dsa_check_params(const DSA *dsa, int checktype, int *ret); -int dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret); -int dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret); -int dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret); -int dsa_check_pairwise(const DSA *dsa); +int ossl_dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, + const BIGNUM *priv_key, BIGNUM *pub_key); +int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret); +int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret); +int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, + int *ret); +int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret); +int ossl_dsa_check_pairwise(const DSA *dsa); #endif diff --git a/include/crypto/ec.h b/include/crypto/ec.h index 347474a37b..a3d87e9d1a 100644 --- a/include/crypto/ec.h +++ b/include/crypto/ec.h @@ -16,10 +16,10 @@ # include # include -const char *ec_curve_nid2name(int nid); -int ec_curve_name2nid(const char *name); -const char *ec_curve_nid2nist_int(int nid); -int ec_curve_nist2nid_int(const char *name); +const char *ossl_ec_curve_nid2name(int nid); +int ossl_ec_curve_name2nid(const char *name); +const char *ossl_ec_curve_nid2nist_int(int nid); +int ossl_ec_curve_nist2nid_int(const char *name); int evp_pkey_ctx_set_ec_param_enc_prov(EVP_PKEY_CTX *ctx, int param_enc); # ifndef OPENSSL_NO_EC @@ -48,43 +48,45 @@ int evp_pkey_ctx_set_ec_param_enc_prov(EVP_PKEY_CTX *ctx, int param_enc); * reduction round on the input can be omitted by the underlying * implementations for better SCA properties on regular input values). */ -__owur int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, - const BIGNUM *x, BN_CTX *ctx); +__owur int ossl_ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, + const BIGNUM *x, BN_CTX *ctx); /*- * ECDH Key Derivation Function as defined in ANSI X9.63 */ -int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, - const unsigned char *Z, size_t Zlen, - const unsigned char *sinfo, size_t sinfolen, - const EVP_MD *md, OSSL_LIB_CTX *libctx, const char *propq); +int ossl_ecdh_kdf_X9_63(unsigned char *out, size_t outlen, + const unsigned char *Z, size_t Zlen, + const unsigned char *sinfo, size_t sinfolen, + const EVP_MD *md, OSSL_LIB_CTX *libctx, + const char *propq); -int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx); -int ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx); -int ec_key_private_check(const EC_KEY *eckey); -int ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx); -OSSL_LIB_CTX *ec_key_get_libctx(const EC_KEY *eckey); -const char *ec_key_get0_propq(const EC_KEY *eckey); -void ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx); +int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx); +int ossl_ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx); +int ossl_ec_key_private_check(const EC_KEY *eckey); +int ossl_ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx); +OSSL_LIB_CTX *ossl_ec_key_get_libctx(const EC_KEY *eckey); +const char *ossl_ec_key_get0_propq(const EC_KEY *eckey); +void ossl_ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx); /* Backend support */ -int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, - OSSL_PARAM params[], OSSL_LIB_CTX *libctx, - const char *propq, - BN_CTX *bnctx, unsigned char **genbuf); -int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[]); -int ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]); -int ec_key_fromdata(EC_KEY *ecx, const OSSL_PARAM params[], int include_private); -int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]); -int ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode); -int ec_encoding_name2id(const char *name); -int ec_encoding_param2id(const OSSL_PARAM *p, int *id); -int ec_pt_format_name2id(const char *name); -int ec_pt_format_param2id(const OSSL_PARAM *p, int *id); -char *ec_pt_format_id2name(int id); +int ossl_ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, + OSSL_PARAM params[], OSSL_LIB_CTX *libctx, + const char *propq, + BN_CTX *bnctx, unsigned char **genbuf); +int ossl_ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[]); +int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]); +int ossl_ec_key_fromdata(EC_KEY *ecx, const OSSL_PARAM params[], + int include_private); +int ossl_ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]); +int ossl_ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode); +int ossl_ec_encoding_name2id(const char *name); +int ossl_ec_encoding_param2id(const OSSL_PARAM *p, int *id); +int ossl_ec_pt_format_name2id(const char *name); +int ossl_ec_pt_format_param2id(const OSSL_PARAM *p, int *id); +char *ossl_ec_pt_format_id2name(int id); -char *ec_check_group_type_id2name(int flags); -int ec_set_check_group_type_from_name(EC_KEY *ec, const char *name); +char *ossl_ec_check_group_type_id2name(int flags); +int ossl_ec_set_check_group_type_from_name(EC_KEY *ec, const char *name); # endif /* OPENSSL_NO_EC */ #endif diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index 678cfcccea..af03d32587 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -76,13 +76,12 @@ struct ecx_key_st { typedef struct ecx_key_st ECX_KEY; -size_t ecx_key_length(ECX_KEY_TYPE type); -ECX_KEY *ecx_key_new(OSSL_LIB_CTX *libctx, ECX_KEY_TYPE type, int haspubkey, - const char *propq); -void ecx_key_set0_libctx(ECX_KEY *key, OSSL_LIB_CTX *libctx); -unsigned char *ecx_key_allocate_privkey(ECX_KEY *key); -void ecx_key_free(ECX_KEY *key); -int ecx_key_up_ref(ECX_KEY *key); +ECX_KEY *ossl_ecx_key_new(OSSL_LIB_CTX *libctx, ECX_KEY_TYPE type, + int haspubkey, const char *propq); +void ossl_ecx_key_set0_libctx(ECX_KEY *key, OSSL_LIB_CTX *libctx); +unsigned char *ossl_ecx_key_allocate_privkey(ECX_KEY *key); +void ossl_ecx_key_free(ECX_KEY *key); +int ossl_ecx_key_up_ref(ECX_KEY *key); int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], const uint8_t peer_public_value[32]); @@ -116,13 +115,13 @@ void X448_public_from_private(uint8_t out_public_value[56], /* Backend support */ -int ecx_public_from_private(ECX_KEY *key); -int ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], - int include_private); - -ECX_KEY *evp_pkey_get1_X25519(EVP_PKEY *pkey); -ECX_KEY *evp_pkey_get1_X448(EVP_PKEY *pkey); -ECX_KEY *evp_pkey_get1_ED25519(EVP_PKEY *pkey); -ECX_KEY *evp_pkey_get1_ED448(EVP_PKEY *pkey); +int ossl_ecx_public_from_private(ECX_KEY *key); +int ossl_ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], + int include_private); + +ECX_KEY *ossl_evp_pkey_get1_X25519(EVP_PKEY *pkey); +ECX_KEY *ossl_evp_pkey_get1_X448(EVP_PKEY *pkey); +ECX_KEY *ossl_evp_pkey_get1_ED25519(EVP_PKEY *pkey); +ECX_KEY *ossl_evp_pkey_get1_ED448(EVP_PKEY *pkey); # endif /* OPENSSL_NO_EC */ #endif diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 0ed9a02396..9115f47c1f 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -179,14 +179,14 @@ DEFINE_STACK_OF_CONST(EVP_PKEY_METHOD) void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); -const EVP_PKEY_METHOD *dh_pkey_method(void); -const EVP_PKEY_METHOD *dhx_pkey_method(void); -const EVP_PKEY_METHOD *dsa_pkey_method(void); -const EVP_PKEY_METHOD *ec_pkey_method(void); -const EVP_PKEY_METHOD *ecx25519_pkey_method(void); -const EVP_PKEY_METHOD *ecx448_pkey_method(void); -const EVP_PKEY_METHOD *ed25519_pkey_method(void); -const EVP_PKEY_METHOD *ed448_pkey_method(void); +const EVP_PKEY_METHOD *ossl_dh_pkey_method(void); +const EVP_PKEY_METHOD *ossl_dhx_pkey_method(void); +const EVP_PKEY_METHOD *ossl_dsa_pkey_method(void); +const EVP_PKEY_METHOD *ossl_ec_pkey_method(void); +const EVP_PKEY_METHOD *ossl_ecx25519_pkey_method(void); +const EVP_PKEY_METHOD *ossl_ecx448_pkey_method(void); +const EVP_PKEY_METHOD *ossl_ed25519_pkey_method(void); +const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void); const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void); const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void); diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h index 2bd0af03d6..e3278a31e6 100644 --- a/include/crypto/sm2.h +++ b/include/crypto/sm2.h @@ -20,65 +20,67 @@ # include # include "crypto/types.h" -int sm2_key_private_check(const EC_KEY *eckey); +int ossl_sm2_key_private_check(const EC_KEY *eckey); /* The default user id as specified in GM/T 0009-2012 */ # define SM2_DEFAULT_USERID "1234567812345678" -int sm2_compute_z_digest(uint8_t *out, - const EVP_MD *digest, - const uint8_t *id, - const size_t id_len, - const EC_KEY *key); +int ossl_sm2_compute_z_digest(uint8_t *out, + const EVP_MD *digest, + const uint8_t *id, + const size_t id_len, + const EC_KEY *key); /* * SM2 signature operation. Computes Z and then signs H(Z || msg) using SM2 */ -ECDSA_SIG *sm2_do_sign(const EC_KEY *key, +ECDSA_SIG *ossl_sm2_do_sign(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *id, + const size_t id_len, + const uint8_t *msg, size_t msg_len); + +int ossl_sm2_do_verify(const EC_KEY *key, const EVP_MD *digest, + const ECDSA_SIG *signature, const uint8_t *id, const size_t id_len, const uint8_t *msg, size_t msg_len); -int sm2_do_verify(const EC_KEY *key, - const EVP_MD *digest, - const ECDSA_SIG *signature, - const uint8_t *id, - const size_t id_len, - const uint8_t *msg, size_t msg_len); - /* * SM2 signature generation. */ -int sm2_internal_sign(const unsigned char *dgst, int dgstlen, - unsigned char *sig, unsigned int *siglen, EC_KEY *eckey); +int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen, + unsigned char *sig, unsigned int *siglen, + EC_KEY *eckey); /* * SM2 signature verification. */ -int sm2_internal_verify(const unsigned char *dgst, int dgstlen, - const unsigned char *sig, int siglen, EC_KEY *eckey); +int ossl_sm2_internal_verify(const unsigned char *dgst, int dgstlen, + const unsigned char *sig, int siglen, + EC_KEY *eckey); /* * SM2 encryption */ -int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, - size_t *ct_size); +int ossl_sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, + size_t msg_len, size_t *ct_size); -int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, - size_t *pt_size); +int ossl_sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, + size_t msg_len, size_t *pt_size); -int sm2_encrypt(const EC_KEY *key, - const EVP_MD *digest, - const uint8_t *msg, - size_t msg_len, - uint8_t *ciphertext_buf, size_t *ciphertext_len); +int ossl_sm2_encrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *msg, size_t msg_len, + uint8_t *ciphertext_buf, size_t *ciphertext_len); -int sm2_decrypt(const EC_KEY *key, - const EVP_MD *digest, - const uint8_t *ciphertext, - size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len); +int ossl_sm2_decrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *ciphertext, size_t ciphertext_len, + uint8_t *ptext_buf, size_t *ptext_len); -const unsigned char *sm2_algorithmidentifier_encoding(int md_nid, size_t *len); +const unsigned char *ossl_sm2_algorithmidentifier_encoding(int md_nid, + size_t *len); # endif /* OPENSSL_NO_SM2 */ #endif diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c index 923ee5694a..0068e504e2 100644 --- a/providers/implementations/asymciphers/sm2_enc.c +++ b/providers/implementations/asymciphers/sm2_enc.c @@ -89,14 +89,14 @@ static int sm2_asym_encrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen, return 0; if (out == NULL) { - if (!sm2_ciphertext_size(psm2ctx->key, md, inlen, outlen)) { + if (!ossl_sm2_ciphertext_size(psm2ctx->key, md, inlen, outlen)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); return 0; } return 1; } - return sm2_encrypt(psm2ctx->key, md, in, inlen, out, outlen); + return ossl_sm2_encrypt(psm2ctx->key, md, in, inlen, out, outlen); } static int sm2_asym_decrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen, @@ -110,12 +110,12 @@ static int sm2_asym_decrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen, return 0; if (out == NULL) { - if (!sm2_plaintext_size(psm2ctx->key, md, inlen, outlen)) + if (!ossl_sm2_plaintext_size(psm2ctx->key, md, inlen, outlen)) return 0; return 1; } - return sm2_decrypt(psm2ctx->key, md, in, inlen, out, outlen); + return ossl_sm2_decrypt(psm2ctx->key, md, in, inlen, out, outlen); } static void sm2_freectx(void *vpsm2ctx) diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 5073e660cd..fed30bf952 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -462,7 +462,7 @@ static void dsa_adjust(void *key, struct der2key_ctx_st *ctx) static void ec_adjust(void *key, struct der2key_ctx_st *ctx) { - ec_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); + ossl_ec_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); } /* @@ -472,39 +472,39 @@ static void ec_adjust(void *key, struct der2key_ctx_st *ctx) static void ecx_key_adjust(void *key, struct der2key_ctx_st *ctx) { - ecx_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); + ossl_ecx_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); } # define ed25519_evp_type EVP_PKEY_ED25519 -# define ed25519_evp_extract (extract_key_fn *)evp_pkey_get1_ED25519 +# define ed25519_evp_extract (extract_key_fn *)ossl_evp_pkey_get1_ED25519 # define ed25519_d2i_private_key NULL # define ed25519_d2i_public_key NULL # define ed25519_d2i_key_params NULL -# define ed25519_free (free_key_fn *)ecx_key_free +# define ed25519_free (free_key_fn *)ossl_ecx_key_free # define ed25519_adjust ecx_key_adjust # define ed448_evp_type EVP_PKEY_ED448 -# define ed448_evp_extract (extract_key_fn *)evp_pkey_get1_ED448 +# define ed448_evp_extract (extract_key_fn *)ossl_evp_pkey_get1_ED448 # define ed448_d2i_private_key NULL # define ed448_d2i_public_key NULL # define ed448_d2i_key_params NULL -# define ed448_free (free_key_fn *)ecx_key_free +# define ed448_free (free_key_fn *)ossl_ecx_key_free # define ed448_adjust ecx_key_adjust # define x25519_evp_type EVP_PKEY_X25519 -# define x25519_evp_extract (extract_key_fn *)evp_pkey_get1_X25519 +# define x25519_evp_extract (extract_key_fn *)ossl_evp_pkey_get1_X25519 # define x25519_d2i_private_key NULL # define x25519_d2i_public_key NULL # define x25519_d2i_key_params NULL -# define x25519_free (free_key_fn *)ecx_key_free +# define x25519_free (free_key_fn *)ossl_ecx_key_free # define x25519_adjust ecx_key_adjust # define x448_evp_type EVP_PKEY_X448 -# define x448_evp_extract (extract_key_fn *)evp_pkey_get1_X448 +# define x448_evp_extract (extract_key_fn *)ossl_evp_pkey_get1_X448 # define x448_d2i_private_key NULL # define x448_d2i_public_key NULL # define x448_d2i_key_params NULL -# define x448_free (free_key_fn *)ecx_key_free +# define x448_free (free_key_fn *)ossl_ecx_key_free # define x448_adjust ecx_key_adjust # ifndef OPENSSL_NO_SM2 diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index 8be3478102..2c6c5d70db 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c @@ -23,9 +23,9 @@ #include #include "internal/ffc.h" #include "crypto/bn.h" /* bn_get_words() */ -#include "crypto/dh.h" /* dh_get0_params() */ -#include "crypto/dsa.h" /* dsa_get0_params() */ -#include "crypto/ec.h" /* ec_key_get_libctx */ +#include "crypto/dh.h" /* ossl_dh_get0_params() */ +#include "crypto/dsa.h" /* ossl_dsa_get0_params() */ +#include "crypto/ec.h" /* ossl_ec_key_get_libctx */ #include "crypto/ecx.h" /* ECX_KEY, etc... */ #include "crypto/rsa.h" /* RSA_PSS_PARAMS_30, etc... */ #include "prov/bio.h" @@ -245,7 +245,7 @@ static int dh_to_text(BIO *out, const void *key, int selection) } } if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { - params = dh_get0_params((DH *)dh); + params = ossl_dh_get0_params((DH *)dh); if (params == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_PARAMETERS); return 0; @@ -315,7 +315,7 @@ static int dsa_to_text(BIO *out, const void *key, int selection) } } if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { - params = dsa_get0_params((DSA *)dsa); + params = ossl_dsa_get0_params((DSA *)dsa); if (params == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_PARAMETERS); return 0; @@ -539,7 +539,7 @@ static int ec_to_text(BIO *out, const void *key, int selection) && !print_labeled_buf(out, "pub:", pub, pub_len)) goto err; if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) - ret = ec_param_to_text(out, group, ec_key_get_libctx(ec)); + ret = ec_param_to_text(out, group, ossl_ec_key_get_libctx(ec)); err: OPENSSL_clear_free(priv, priv_len); OPENSSL_free(pub); diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index 32ce2ee0ed..2638675da5 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -180,13 +180,13 @@ static int dh_X9_42_kdf_derive(void *vpdhctx, unsigned char *secret, /* Do KDF stuff */ if (pdhctx->kdf_type == PROV_DH_KDF_X9_42_ASN1) { - if (!dh_KDF_X9_42_asn1(secret, pdhctx->kdf_outlen, - stmp, stmplen, - pdhctx->kdf_cekalg, - pdhctx->kdf_ukm, - pdhctx->kdf_ukmlen, - pdhctx->kdf_md, - pdhctx->libctx, NULL)) + if (!ossl_dh_kdf_X9_42_asn1(secret, pdhctx->kdf_outlen, + stmp, stmplen, + pdhctx->kdf_cekalg, + pdhctx->kdf_ukm, + pdhctx->kdf_ukmlen, + pdhctx->kdf_md, + pdhctx->libctx, NULL)) goto err; } *secretlen = pdhctx->kdf_outlen; diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index 8d3f748f9b..6c24643255 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -25,7 +25,7 @@ #include "prov/providercommon.h" #include "prov/implementations.h" #include "prov/securitycheck.h" -#include "crypto/ec.h" /* ecdh_KDF_X9_63() */ +#include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */ static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx; static OSSL_FUNC_keyexch_init_fn ecdh_init; @@ -498,12 +498,12 @@ int ecdh_X9_63_kdf_derive(void *vpecdhctx, unsigned char *secret, goto err; /* Do KDF stuff */ - if (!ecdh_KDF_X9_63(secret, pecdhctx->kdf_outlen, - stmp, stmplen, - pecdhctx->kdf_ukm, - pecdhctx->kdf_ukmlen, - pecdhctx->kdf_md, - pecdhctx->libctx, NULL)) + if (!ossl_ecdh_kdf_X9_63(secret, pecdhctx->kdf_outlen, + stmp, stmplen, + pecdhctx->kdf_ukm, + pecdhctx->kdf_ukmlen, + pecdhctx->kdf_md, + pecdhctx->libctx, NULL)) goto err; *psecretlen = pecdhctx->kdf_outlen; ret = 1; diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c index 17118f0e6c..6d4471be3c 100644 --- a/providers/implementations/exchange/ecx_exch.c +++ b/providers/implementations/exchange/ecx_exch.c @@ -80,12 +80,12 @@ static int ecx_init(void *vecxctx, void *vkey) if (ecxctx == NULL || key == NULL || key->keylen != ecxctx->keylen - || !ecx_key_up_ref(key)) { + || !ossl_ecx_key_up_ref(key)) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); return 0; } - ecx_key_free(ecxctx->key); + ossl_ecx_key_free(ecxctx->key); ecxctx->key = key; return 1; @@ -102,11 +102,11 @@ static int ecx_set_peer(void *vecxctx, void *vkey) if (ecxctx == NULL || key == NULL || key->keylen != ecxctx->keylen - || !ecx_key_up_ref(key)) { + || !ossl_ecx_key_up_ref(key)) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); return 0; } - ecx_key_free(ecxctx->peerkey); + ossl_ecx_key_free(ecxctx->peerkey); ecxctx->peerkey = key; return 1; @@ -182,8 +182,8 @@ static void ecx_freectx(void *vecxctx) { PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx; - ecx_key_free(ecxctx->key); - ecx_key_free(ecxctx->peerkey); + ossl_ecx_key_free(ecxctx->key); + ossl_ecx_key_free(ecxctx->peerkey); OPENSSL_free(ecxctx); } @@ -203,15 +203,15 @@ static void *ecx_dupctx(void *vecxctx) } *dstctx = *srcctx; - if (dstctx->key != NULL && !ecx_key_up_ref(dstctx->key)) { + if (dstctx->key != NULL && !ossl_ecx_key_up_ref(dstctx->key)) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); OPENSSL_free(dstctx); return NULL; } - if (dstctx->peerkey != NULL && !ecx_key_up_ref(dstctx->peerkey)) { + if (dstctx->peerkey != NULL && !ossl_ecx_key_up_ref(dstctx->peerkey)) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); - ecx_key_free(dstctx->key); + ossl_ecx_key_free(dstctx->key); OPENSSL_free(dstctx); return NULL; } diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index a967309644..9b1679e4fa 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -91,7 +91,7 @@ static int dh_gen_type_name2id_w_default(const char *name, int type) #endif } - return dh_gen_type_name2id(name); + return ossl_dh_gen_type_name2id(name); } static void *dh_newdata(void *provctx) @@ -99,7 +99,7 @@ static void *dh_newdata(void *provctx) DH *dh = NULL; if (ossl_prov_is_running()) { - dh = dh_new_ex(PROV_LIBCTX_OF(provctx)); + dh = ossl_dh_new_ex(PROV_LIBCTX_OF(provctx)); if (dh != NULL) { DH_clear_flags(dh, DH_FLAG_TYPE_MASK); DH_set_flags(dh, DH_FLAG_TYPE_DH); @@ -112,7 +112,7 @@ static void *dhx_newdata(void *provctx) { DH *dh = NULL; - dh = dh_new_ex(PROV_LIBCTX_OF(provctx)); + dh = ossl_dh_new_ex(PROV_LIBCTX_OF(provctx)); if (dh != NULL) { DH_clear_flags(dh, DH_FLAG_TYPE_MASK); DH_set_flags(dh, DH_FLAG_TYPE_DHX); @@ -158,8 +158,8 @@ static int dh_match(const void *keydata1, const void *keydata2, int selection) if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && BN_cmp(DH_get0_priv_key(dh1), DH_get0_priv_key(dh2)) == 0; if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { - FFC_PARAMS *dhparams1 = dh_get0_params((DH *)dh1); - FFC_PARAMS *dhparams2 = dh_get0_params((DH *)dh2); + FFC_PARAMS *dhparams1 = ossl_dh_get0_params((DH *)dh1); + FFC_PARAMS *dhparams2 = ossl_dh_get0_params((DH *)dh2); ok = ok && ossl_ffc_params_cmp(dhparams1, dhparams2, 1); } @@ -178,10 +178,10 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[]) return 0; if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && dh_params_fromdata(dh, params); + ok = ok && ossl_dh_params_fromdata(dh, params); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && dh_key_fromdata(dh, params); + ok = ok && ossl_dh_key_fromdata(dh, params); return ok; } @@ -202,9 +202,9 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, return 0; if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && dh_params_todata(dh, tmpl, NULL); + ok = ok && ossl_dh_params_todata(dh, tmpl, NULL); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && dh_key_todata(dh, tmpl, NULL); + ok = ok && ossl_dh_key_todata(dh, tmpl, NULL); if (!ok || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) { @@ -295,14 +295,14 @@ static ossl_inline int dh_get_params(void *key, OSSL_PARAM params[]) if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) return 0; - p->return_size = dh_key2buf(dh, (unsigned char **)&p->data, - p->data_size, 0); + p->return_size = ossl_dh_key2buf(dh, (unsigned char **)&p->data, + p->data_size, 0); if (p->return_size == 0) return 0; } - return dh_params_todata(dh, NULL, params) - && dh_key_todata(dh, NULL, params); + return ossl_dh_params_todata(dh, NULL, params) + && ossl_dh_key_todata(dh, NULL, params); } static const OSSL_PARAM dh_params[] = { @@ -339,7 +339,7 @@ static int dh_set_params(void *key, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY); if (p != NULL && (p->data_type != OSSL_PARAM_OCTET_STRING - || !dh_buf2key(dh, p->data, p->data_size))) + || !ossl_dh_buf2key(dh, p->data, p->data_size))) return 0; return 1; @@ -357,7 +357,7 @@ static int dh_validate_public(const DH *dh, int checktype) /* The partial test is only valid for named group's with q = (p - 1) / 2 */ if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK && ossl_dh_is_named_safe_prime_group(dh)) - return dh_check_pub_key_partial(dh, pub_key, &res); + return ossl_dh_check_pub_key_partial(dh, pub_key, &res); return DH_check_pub_key(dh, pub_key, &res); } @@ -370,7 +370,7 @@ static int dh_validate_private(const DH *dh) DH_get0_key(dh, NULL, &priv_key); if (priv_key == NULL) return 0; - return dh_check_priv_key(dh, priv_key, &status);; + return ossl_dh_check_priv_key(dh, priv_key, &status);; } static int dh_validate(const void *keydata, int selection, int checktype) @@ -404,7 +404,7 @@ static int dh_validate(const void *keydata, int selection, int checktype) if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) - ok = ok && dh_check_pairwise(dh); + ok = ok && ossl_dh_check_pairwise(dh); return ok; } @@ -461,7 +461,7 @@ static int dh_gen_set_template(void *genctx, void *templ) if (!ossl_prov_is_running() || gctx == NULL || dh == NULL) return 0; - gctx->ffc_params = dh_get0_params(dh); + gctx->ffc_params = ossl_dh_get0_params(dh); return 1; } @@ -492,8 +492,7 @@ static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[]) if (p != NULL) { if (p->data_type != OSSL_PARAM_UTF8_STRING || ((gctx->gen_type = - dh_gen_type_name2id_w_default(p->data, - gctx->dh_type)) == -1)) { + dh_gen_type_name2id_w_default(p->data, gctx->dh_type)) == -1)) { ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); return 0; } @@ -606,18 +605,18 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) && gctx->ffc_params == NULL) { /* Select a named group if there is not one already */ if (gctx->group_nid == NID_undef) - gctx->group_nid = dh_get_named_group_uid_from_size(gctx->pbits); + gctx->group_nid = ossl_dh_get_named_group_uid_from_size(gctx->pbits); if (gctx->group_nid == NID_undef) return NULL; - dh = dh_new_by_nid_ex(gctx->libctx, gctx->group_nid); + dh = ossl_dh_new_by_nid_ex(gctx->libctx, gctx->group_nid); if (dh == NULL) return NULL; - ffc = dh_get0_params(dh); + ffc = ossl_dh_get0_params(dh); } else { - dh = dh_new_ex(gctx->libctx); + dh = ossl_dh_new_ex(gctx->libctx); if (dh == NULL) return NULL; - ffc = dh_get0_params(dh); + ffc = ossl_dh_get0_params(dh); /* Copy the template value if one was passed */ if (gctx->ffc_params != NULL @@ -653,8 +652,9 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) ret = DH_generate_parameters_ex(dh, gctx->pbits, gctx->generator, gencb); else - ret = dh_generate_ffc_parameters(dh, gctx->gen_type, gctx->pbits, - gctx->qbits, gencb); + ret = ossl_dh_generate_ffc_parameters(dh, gctx->gen_type, + gctx->pbits, gctx->qbits, + gencb); if (ret <= 0) goto end; } diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index a02a3e6b01..18313aa329 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/providers/implementations/keymgmt/dsa_kmgmt.c @@ -117,7 +117,7 @@ static void *dsa_newdata(void *provctx) { if (!ossl_prov_is_running()) return NULL; - return dsa_new_with_ctx(PROV_LIBCTX_OF(provctx)); + return ossl_dsa_new(PROV_LIBCTX_OF(provctx)); } static void dsa_freedata(void *keydata) @@ -160,8 +160,8 @@ static int dsa_match(const void *keydata1, const void *keydata2, int selection) ok = ok && BN_cmp(DSA_get0_priv_key(dsa1), DSA_get0_priv_key(dsa2)) == 0; if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { - FFC_PARAMS *dsaparams1 = dsa_get0_params((DSA *)dsa1); - FFC_PARAMS *dsaparams2 = dsa_get0_params((DSA *)dsa2); + FFC_PARAMS *dsaparams1 = ossl_dsa_get0_params((DSA *)dsa1); + FFC_PARAMS *dsaparams2 = ossl_dsa_get0_params((DSA *)dsa2); ok = ok && ossl_ffc_params_cmp(dsaparams1, dsaparams2, 1); } @@ -180,9 +180,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[]) return 0; if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && dsa_ffc_params_fromdata(dsa, params); + ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && dsa_key_fromdata(dsa, params); + ok = ok && ossl_dsa_key_fromdata(dsa, params); return ok; } @@ -199,7 +199,7 @@ static int dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, goto err; if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && ossl_ffc_params_todata(dsa_get0_params(dsa), tmpl, NULL); + ok = ok && ossl_ffc_params_todata(ossl_dsa_get0_params(dsa), tmpl, NULL); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) ok = ok && dsa_key_todata(dsa, tmpl, NULL); @@ -289,7 +289,7 @@ static ossl_inline int dsa_get_params(void *key, OSSL_PARAM params[]) if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL && !OSSL_PARAM_set_utf8_string(p, DSA_DEFAULT_MD)) return 0; - return ossl_ffc_params_todata(dsa_get0_params(dsa), NULL, params) + return ossl_ffc_params_todata(ossl_dsa_get0_params(dsa), NULL, params) && dsa_key_todata(dsa, NULL, params); } @@ -313,7 +313,7 @@ static int dsa_validate_domparams(const DSA *dsa, int checktype) { int status = 0; - return dsa_check_params(dsa, checktype, &status); + return ossl_dsa_check_params(dsa, checktype, &status); } static int dsa_validate_public(const DSA *dsa) @@ -324,7 +324,7 @@ static int dsa_validate_public(const DSA *dsa) DSA_get0_key(dsa, &pub_key, NULL); if (pub_key == NULL) return 0; - return dsa_check_pub_key(dsa, pub_key, &status); + return ossl_dsa_check_pub_key(dsa, pub_key, &status); } static int dsa_validate_private(const DSA *dsa) @@ -335,7 +335,7 @@ static int dsa_validate_private(const DSA *dsa) DSA_get0_key(dsa, NULL, &priv_key); if (priv_key == NULL) return 0; - return dsa_check_priv_key(dsa, priv_key, &status); + return ossl_dsa_check_priv_key(dsa, priv_key, &status); } static int dsa_validate(const void *keydata, int selection, int checktype) @@ -361,7 +361,7 @@ static int dsa_validate(const void *keydata, int selection, int checktype) /* If the whole key is selected, we do a pairwise validation */ if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) - ok = ok && dsa_check_pairwise(dsa); + ok = ok && ossl_dsa_check_pairwise(dsa); return ok; } @@ -397,7 +397,7 @@ static int dsa_gen_set_template(void *genctx, void *templ) if (!ossl_prov_is_running() || gctx == NULL || dsa == NULL) return 0; - gctx->ffc_params = dsa_get0_params(dsa); + gctx->ffc_params = ossl_dsa_get0_params(dsa); return 1; } @@ -514,7 +514,7 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (!ossl_prov_is_running() || gctx == NULL) return NULL; - dsa = dsa_new_with_ctx(gctx->libctx); + dsa = ossl_dsa_new(gctx->libctx); if (dsa == NULL) return NULL; @@ -524,7 +524,7 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (gencb != NULL) BN_GENCB_set(gencb, dsa_gencb, genctx); - ffc = dsa_get0_params(dsa); + ffc = ossl_dsa_get0_params(dsa); /* Copy the template value if one was passed */ if (gctx->ffc_params != NULL && !ossl_ffc_params_copy(ffc, gctx->ffc_params)) @@ -546,9 +546,9 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) } if ((gctx->selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { - if (dsa_generate_ffc_parameters(dsa, gctx->gen_type, - gctx->pbits, gctx->qbits, - gencb) <= 0) + if (ossl_dsa_generate_ffc_parameters(dsa, gctx->gen_type, + gctx->pbits, gctx->qbits, + gencb) <= 0) goto end; } ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY, diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index f612d8ed0e..6a74196600 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -131,7 +131,7 @@ int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, * EC_POINT_point2buf() can generate random numbers in some * implementations so we need to ensure we use the correct libctx. */ - bnctx = BN_CTX_new_ex(ec_key_get_libctx(eckey)); + bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(eckey)); if (bnctx == NULL) goto err; @@ -237,7 +237,7 @@ int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl, return 0; format = EC_KEY_get_conv_form(ec); - name = ec_pt_format_id2name((int)format); + name = ossl_ec_pt_format_id2name((int)format); if (name != NULL && !ossl_param_build_set_utf8_string(tmpl, params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, @@ -245,7 +245,7 @@ int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl, return 0; group_check = EC_KEY_get_flags(ec) & EC_FLAG_CHECK_NAMED_GROUP_MASK; - name = ec_check_group_type_id2name(group_check); + name = ossl_ec_check_group_type_id2name(group_check); if (name != NULL && !ossl_param_build_set_utf8_string(tmpl, params, OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE, @@ -314,7 +314,7 @@ static int ec_match(const void *keydata1, const void *keydata2, int selection) if (!ossl_prov_is_running()) return 0; - ctx = BN_CTX_new_ex(ec_key_get_libctx(ec1)); + ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec1)); if (ctx == NULL) return 0; @@ -377,7 +377,7 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[], if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0) return 0; - ok = ok && ec_group_fromdata(ec, params); + ok = ok && ossl_ec_group_fromdata(ec, params); if (!common_check_sm2(ec, sm2_wanted)) return 0; @@ -386,10 +386,10 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[], int include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; - ok = ok && ec_key_fromdata(ec, params, include_private); + ok = ok && ossl_ec_key_fromdata(ec, params, include_private); } if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) - ok = ok && ec_key_otherparams_fromdata(ec, params); + ok = ok && ossl_ec_key_otherparams_fromdata(ec, params); return ok; } @@ -451,15 +451,16 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, return 0; if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { - bnctx = BN_CTX_new_ex(ec_key_get_libctx(ec)); + bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec)); if (bnctx == NULL) { ok = 0; goto end; } BN_CTX_start(bnctx); - ok = ok && ec_group_todata(EC_KEY_get0_group(ec), tmpl, NULL, - ec_key_get_libctx(ec), ec_key_get0_propq(ec), - bnctx, &genbuf); + ok = ok && ossl_ec_group_todata(EC_KEY_get0_group(ec), tmpl, NULL, + ossl_ec_key_get_libctx(ec), + ossl_ec_key_get0_propq(ec), + bnctx, &genbuf); } if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { @@ -610,8 +611,8 @@ int common_get_params(void *key, OSSL_PARAM params[], int sm2) if (ecg == NULL) return 0; - libctx = ec_key_get_libctx(eck); - propq = ec_key_get0_propq(eck); + libctx = ossl_ec_key_get_libctx(eck); + propq = ossl_ec_key_get0_propq(eck); bnctx = BN_CTX_new_ex(libctx); if (bnctx == NULL) @@ -696,7 +697,8 @@ int common_get_params(void *key, OSSL_PARAM params[], int sm2) } ret = ec_get_ecm_params(ecg, params) - && ec_group_todata(ecg, NULL, params, libctx, propq, bnctx, &genbuf) + && ossl_ec_group_todata(ecg, NULL, params, libctx, propq, bnctx, + &genbuf) && key_to_params(eck, NULL, params, 1, &pub_key) && otherparams_to_params(eck, NULL, params); err: @@ -773,12 +775,12 @@ int ec_set_params(void *key, const OSSL_PARAM params[]) if (key == NULL) return 0; - if (!ec_group_set_params((EC_GROUP *)EC_KEY_get0_group(key), params)) + if (!ossl_ec_group_set_params((EC_GROUP *)EC_KEY_get0_group(key), params)) return 0; p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY); if (p != NULL) { - BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(key)); + BN_CTX *ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key)); int ret = 1; if (ctx == NULL @@ -790,7 +792,7 @@ int ec_set_params(void *key, const OSSL_PARAM params[]) return 0; } - return ec_key_otherparams_fromdata(eck, params); + return ossl_ec_key_otherparams_fromdata(eck, params); } #ifndef FIPS_MODULE @@ -842,7 +844,7 @@ int sm2_validate(const void *keydata, int selection, int checktype) if (!ossl_prov_is_running()) return 0; - ctx = BN_CTX_new_ex(ec_key_get_libctx(eck)); + ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(eck)); if (ctx == NULL) return 0; @@ -854,16 +856,16 @@ int sm2_validate(const void *keydata, int selection, int checktype) if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) - ok = ok && ec_key_public_check_quick(eck, ctx); + ok = ok && ossl_ec_key_public_check_quick(eck, ctx); else - ok = ok && ec_key_public_check(eck, ctx); + ok = ok && ossl_ec_key_public_check(eck, ctx); } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) - ok = ok && sm2_key_private_check(eck); + ok = ok && ossl_sm2_key_private_check(eck); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) - ok = ok && ec_key_pairwise_check(eck, ctx); + ok = ok && ossl_ec_key_pairwise_check(eck, ctx); BN_CTX_free(ctx); return ok; @@ -881,7 +883,7 @@ int ec_validate(const void *keydata, int selection, int checktype) if (!ossl_prov_is_running()) return 0; - ctx = BN_CTX_new_ex(ec_key_get_libctx(eck)); + ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(eck)); if (ctx == NULL) return 0; @@ -900,16 +902,16 @@ int ec_validate(const void *keydata, int selection, int checktype) if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) - ok = ok && ec_key_public_check_quick(eck, ctx); + ok = ok && ossl_ec_key_public_check_quick(eck, ctx); else - ok = ok && ec_key_public_check(eck, ctx); + ok = ok && ossl_ec_key_public_check(eck, ctx); } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) - ok = ok && ec_key_private_check(eck); + ok = ok && ossl_ec_key_private_check(eck); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) - ok = ok && ec_key_pairwise_check(eck, ctx); + ok = ok && ossl_ec_key_pairwise_check(eck, ctx); BN_CTX_free(ctx); return ok; @@ -1168,14 +1170,14 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) goto err; } else { if (gctx->encoding != NULL) { - int flags = ec_encoding_name2id(gctx->encoding); + int flags = ossl_ec_encoding_name2id(gctx->encoding); if (flags < 0) goto err; EC_GROUP_set_asn1_flag(gctx->gen_group, flags); } if (gctx->pt_format != NULL) { - int format = ec_pt_format_name2id(gctx->pt_format); + int format = ossl_ec_pt_format_name2id(gctx->pt_format); if (format < 0) goto err; @@ -1191,10 +1193,10 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) ret = ret && EC_KEY_generate_key(ec); if (gctx->ecdh_mode != -1) - ret = ret && ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); + ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); if (gctx->group_check != NULL) - ret = ret && ec_set_check_group_type_from_name(ec, gctx->group_check); + ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); if (ret) return ec; err: @@ -1223,14 +1225,14 @@ static void *sm2_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) goto err; } else { if (gctx->encoding) { - int flags = ec_encoding_name2id(gctx->encoding); + int flags = ossl_ec_encoding_name2id(gctx->encoding); if (flags < 0) goto err; EC_GROUP_set_asn1_flag(gctx->gen_group, flags); } if (gctx->pt_format != NULL) { - int format = ec_pt_format_name2id(gctx->pt_format); + int format = ossl_ec_pt_format_name2id(gctx->pt_format); if (format < 0) goto err; diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 86deae8561..6cb0e9bc41 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -89,32 +89,32 @@ static void *x25519_new_key(void *provctx) { if (!ossl_prov_is_running()) return 0; - return ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_X25519, 0, - NULL); + return ossl_ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_X25519, 0, + NULL); } static void *x448_new_key(void *provctx) { if (!ossl_prov_is_running()) return 0; - return ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_X448, 0, - NULL); + return ossl_ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_X448, 0, + NULL); } static void *ed25519_new_key(void *provctx) { if (!ossl_prov_is_running()) return 0; - return ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_ED25519, 0, - NULL); + return ossl_ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_ED25519, 0, + NULL); } static void *ed448_new_key(void *provctx) { if (!ossl_prov_is_running()) return 0; - return ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_ED448, 0, - NULL); + return ossl_ecx_key_new(PROV_LIBCTX_OF(provctx), ECX_KEY_TYPE_ED448, 0, + NULL); } static int ecx_has(const void *keydata, int selection) @@ -184,7 +184,7 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[]) return 0; include_private = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0); - ok = ok && ecx_key_fromdata(key, params, include_private); + ok = ok && ossl_ecx_key_fromdata(key, params, include_private); return ok; } @@ -546,7 +546,8 @@ static void *ecx_gen(struct ecx_gen_ctx *gctx) if (gctx == NULL) return NULL; - if ((key = ecx_key_new(gctx->libctx, gctx->type, 0, gctx->propq)) == NULL) { + if ((key = ossl_ecx_key_new(gctx->libctx, gctx->type, 0, + gctx->propq)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return NULL; } @@ -555,7 +556,7 @@ static void *ecx_gen(struct ecx_gen_ctx *gctx) if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) return key; - if ((privkey = ecx_key_allocate_privkey(key)) == NULL) { + if ((privkey = ossl_ecx_key_allocate_privkey(key)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); goto err; } @@ -587,7 +588,7 @@ static void *ecx_gen(struct ecx_gen_ctx *gctx) key->haspubkey = 1; return key; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return NULL; } @@ -749,7 +750,7 @@ static int ed448_validate(const void *keydata, int selection, int checktype) #define MAKE_KEYMGMT_FUNCTIONS(alg) \ const OSSL_DISPATCH ossl_##alg##_keymgmt_functions[] = { \ { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))alg##_new_key }, \ - { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))ecx_key_free }, \ + { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))ossl_ecx_key_free }, \ { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))alg##_get_params }, \ { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))alg##_gettable_params }, \ { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void))alg##_set_params }, \ @@ -786,7 +787,8 @@ static void *s390x_ecx_keygen25519(struct ecx_gen_ctx *gctx) 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - ECX_KEY *key = ecx_key_new(gctx->libctx, ECX_KEY_TYPE_X25519, 1, gctx->propq); + ECX_KEY *key = ossl_ecx_key_new(gctx->libctx, ECX_KEY_TYPE_X25519, 1, + gctx->propq); unsigned char *privkey = NULL, *pubkey; if (key == NULL) { @@ -800,7 +802,7 @@ static void *s390x_ecx_keygen25519(struct ecx_gen_ctx *gctx) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); goto err; @@ -818,7 +820,7 @@ static void *s390x_ecx_keygen25519(struct ecx_gen_ctx *gctx) key->haspubkey = 1; return key; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return NULL; } @@ -831,7 +833,8 @@ static void *s390x_ecx_keygen448(struct ecx_gen_ctx *gctx) 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - ECX_KEY *key = ecx_key_new(gctx->libctx, ECX_KEY_TYPE_X448, 1, gctx->propq); + ECX_KEY *key = ossl_ecx_key_new(gctx->libctx, ECX_KEY_TYPE_X448, 1, + gctx->propq); unsigned char *privkey = NULL, *pubkey; if (key == NULL) { @@ -845,7 +848,7 @@ static void *s390x_ecx_keygen448(struct ecx_gen_ctx *gctx) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); goto err; @@ -862,7 +865,7 @@ static void *s390x_ecx_keygen448(struct ecx_gen_ctx *gctx) key->haspubkey = 1; return key; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return NULL; } @@ -879,7 +882,8 @@ static void *s390x_ecd_keygen25519(struct ecx_gen_ctx *gctx) 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, }; unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH]; - ECX_KEY *key = ecx_key_new(gctx->libctx, ECX_KEY_TYPE_ED25519, 1, gctx->propq); + ECX_KEY *key = ossl_ecx_key_new(gctx->libctx, ECX_KEY_TYPE_ED25519, 1, + gctx->propq); unsigned char *privkey = NULL, *pubkey; unsigned int sz; EVP_MD *sha = NULL; @@ -896,7 +900,7 @@ static void *s390x_ecd_keygen25519(struct ecx_gen_ctx *gctx) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); goto err; @@ -925,7 +929,7 @@ static void *s390x_ecd_keygen25519(struct ecx_gen_ctx *gctx) key->haspubkey = 1; return key; err: - ecx_key_free(key); + ossl_ecx_key_free(key); return NULL; } @@ -946,7 +950,8 @@ static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx) 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00 }; unsigned char x_dst[57], buff[114]; - ECX_KEY *key = ecx_key_new(gctx->libctx, ECX_KEY_TYPE_ED448, 1, gctx->propq); + ECX_KEY *key = ossl_ecx_key_new(gctx->libctx, ECX_KEY_TYPE_ED448, 1, + gctx->propq); unsigned char *privkey = NULL, *pubkey; EVP_MD_CTX *hashctx = NULL; EVP_MD *shake = NULL; @@ -962,7 +967,7 @@ static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx) pubkey = key->pubkey; - privkey = ecx_key_allocate_privkey(key); + privkey = ossl_ecx_key_allocate_privkey(key); if (privkey == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); goto err; @@ -998,7 +1003,7 @@ static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx) key->haspubkey = 1; return key; err: - ecx_key_free(key); + ossl_ecx_key_free(key); EVP_MD_CTX_free(hashctx); EVP_MD_free(shake); return NULL; diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index 620bfa845c..81e435c419 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -223,7 +223,7 @@ static int dsa_sign(void *vpdsactx, unsigned char *sig, size_t *siglen, if (mdsize != 0 && tbslen != mdsize) return 0; - ret = dsa_sign_int(0, tbs, tbslen, sig, &sltmp, pdsactx->dsa); + ret = ossl_dsa_sign_int(0, tbs, tbslen, sig, &sltmp, pdsactx->dsa); if (ret <= 0) return 0; diff --git a/providers/implementations/signature/eddsa.c b/providers/implementations/signature/eddsa.c index 9813545381..71b57d70ea 100644 --- a/providers/implementations/signature/eddsa.c +++ b/providers/implementations/signature/eddsa.c @@ -99,7 +99,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, return 0; } - if (!ecx_key_up_ref(edkey)) { + if (!ossl_ecx_key_up_ref(edkey)) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); return 0; } @@ -240,7 +240,7 @@ static void eddsa_freectx(void *vpeddsactx) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; - ecx_key_free(peddsactx->key); + ossl_ecx_key_free(peddsactx->key); OPENSSL_free(peddsactx); } @@ -260,7 +260,7 @@ static void *eddsa_dupctx(void *vpeddsactx) *dstctx = *srcctx; dstctx->key = NULL; - if (srcctx->key != NULL && !ecx_key_up_ref(srcctx->key)) { + if (srcctx->key != NULL && !ossl_ecx_key_up_ref(srcctx->key)) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); goto err; } diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c index 84c3853f23..d12c7191fb 100644 --- a/providers/implementations/signature/sm2sig.c +++ b/providers/implementations/signature/sm2sig.c @@ -144,7 +144,7 @@ static int sm2sig_sign(void *vpsm2ctx, unsigned char *sig, size_t *siglen, if (ctx->mdsize != 0 && tbslen != ctx->mdsize) return 0; - ret = sm2_internal_sign(tbs, tbslen, sig, &sltmp, ctx->ec); + ret = ossl_sm2_internal_sign(tbs, tbslen, sig, &sltmp, ctx->ec); if (ret <= 0) return 0; @@ -160,7 +160,7 @@ static int sm2sig_verify(void *vpsm2ctx, const unsigned char *sig, size_t siglen if (ctx->mdsize != 0 && tbslen != ctx->mdsize) return 0; - return sm2_internal_verify(tbs, tbslen, sig, siglen, ctx->ec); + return ossl_sm2_internal_verify(tbs, tbslen, sig, siglen, ctx->ec); } static void free_md(PROV_SM2_CTX *ctx) @@ -231,7 +231,8 @@ static int sm2sig_compute_z_digest(PROV_SM2_CTX *ctx) if ((z = OPENSSL_zalloc(ctx->mdsize)) == NULL /* get hashed prefix 'z' of tbs message */ - || !sm2_compute_z_digest(z, ctx->md, ctx->id, ctx->id_len, ctx->ec) + || !ossl_sm2_compute_z_digest(z, ctx->md, ctx->id, ctx->id_len, + ctx->ec) || !EVP_DigestUpdate(ctx->mdctx, z, ctx->mdsize)) ret = 0; OPENSSL_free(z); diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c index e2ea65b885..e0e6a859cb 100644 --- a/test/ec_internal_test.c +++ b/test/ec_internal_test.c @@ -233,8 +233,8 @@ static int underflow_test(void) || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0) || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0) || !TEST_int_gt(BN_hex2bn(&k, "02"), 0) - || !TEST_true(ec_GFp_simple_set_Jprojective_coordinates_GFp(grp, P, x1, - y1, z1, ctx)) + || !TEST_true(ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(grp, P, x1, + y1, z1, ctx)) || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx)) || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx)) || !TEST_true(EC_POINT_dbl(grp, R, P, ctx)) diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c index 1cbaec891b..3c54d68010 100644 --- a/test/ffc_internal_test.c +++ b/test/ffc_internal_test.c @@ -435,7 +435,7 @@ err: return ret; } -extern FFC_PARAMS *dh_get0_params(DH *dh); +extern FFC_PARAMS *ossl_dh_get0_params(DH *dh); static int ffc_public_validate_test(void) { @@ -449,7 +449,7 @@ static int ffc_public_validate_test(void) if (!TEST_ptr(dh = DH_new_by_nid(NID_ffdhe2048))) goto err; - params = dh_get0_params(dh); + params = ossl_dh_get0_params(dh); if (!TEST_true(BN_set_word(pub, 1))) goto err; @@ -528,7 +528,7 @@ static int ffc_private_validate_test(void) if (!TEST_ptr(dh = DH_new_by_nid(NID_ffdhe2048))) goto err; - params = dh_get0_params(dh); + params = ossl_dh_get0_params(dh); if (!TEST_true(BN_set_word(priv, 1))) goto err; @@ -589,7 +589,7 @@ static int ffc_private_gen_test(int index) if (!TEST_ptr(dh = DH_new_by_nid(NID_ffdhe2048))) goto err; - params = dh_get0_params(dh); + params = ossl_dh_get0_params(dh); N = BN_num_bits(params->q); /* Fail since N < 2*s - where s = 112*/ diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c index 77b76e64f8..aaa337b57b 100644 --- a/test/sm2_internal_test.c +++ b/test/sm2_internal_test.c @@ -159,7 +159,8 @@ static int test_sm2_crypt(const EC_GROUP *group, if (!TEST_ptr(pt) || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL)) || !TEST_true(EC_KEY_set_public_key(key, pt)) - || !TEST_true(sm2_ciphertext_size(key, digest, msg_len, &ctext_len))) + || !TEST_true(ossl_sm2_ciphertext_size(key, digest, msg_len, + &ctext_len))) goto done; ctext = OPENSSL_zalloc(ctext_len); @@ -167,8 +168,9 @@ static int test_sm2_crypt(const EC_GROUP *group, goto done; start_fake_rand(k_hex); - if (!TEST_true(sm2_encrypt(key, digest, (const uint8_t *)message, msg_len, - ctext, &ctext_len))) { + if (!TEST_true(ossl_sm2_encrypt(key, digest, + (const uint8_t *)message, msg_len, + ctext, &ctext_len))) { restore_rand(); goto done; } @@ -177,13 +179,14 @@ static int test_sm2_crypt(const EC_GROUP *group, if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len)) goto done; - if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len)) + if (!TEST_true(ossl_sm2_plaintext_size(key, digest, ctext_len, &ptext_len)) || !TEST_int_eq(ptext_len, msg_len)) goto done; recovered = OPENSSL_zalloc(ptext_len); if (!TEST_ptr(recovered) - || !TEST_true(sm2_decrypt(key, digest, ctext, ctext_len, recovered, &recovered_len)) + || !TEST_true(ossl_sm2_decrypt(key, digest, ctext, ctext_len, + recovered, &recovered_len)) || !TEST_int_eq(recovered_len, msg_len) || !TEST_mem_eq(recovered, recovered_len, message, msg_len)) goto done; @@ -286,8 +289,8 @@ static int test_sm2_sign(const EC_GROUP *group, goto done; start_fake_rand(k_hex); - sig = sm2_do_sign(key, EVP_sm3(), (const uint8_t *)userid, strlen(userid), - (const uint8_t *)message, msg_len); + sig = ossl_sm2_do_sign(key, EVP_sm3(), (const uint8_t *)userid, + strlen(userid), (const uint8_t *)message, msg_len); if (!TEST_ptr(sig)) { restore_rand(); goto done; @@ -302,8 +305,8 @@ static int test_sm2_sign(const EC_GROUP *group, || !TEST_BN_eq(s, sig_s)) goto done; - ok = sm2_do_verify(key, EVP_sm3(), sig, (const uint8_t *)userid, - strlen(userid), (const uint8_t *)message, msg_len); + ok = ossl_sm2_do_verify(key, EVP_sm3(), sig, (const uint8_t *)userid, + strlen(userid), (const uint8_t *)message, msg_len); /* We goto done whether this passes or fails */ TEST_true(ok); From openssl at openssl.org Fri Feb 26 01:42:25 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 26 Feb 2021 01:42:25 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1614303745.474554.4183134.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. # cmp_main:../openssl/apps/cmp.c:2692:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2291:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:2008:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2058:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t ................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 768 Tests: 5 Failed: 3) Failed tests: 2-3, 5 Non-zero exit status: 3 Files=232, Tests=2737, 824 wallclock secs (10.21 usr 1.28 sys + 740.31 cusr 71.40 csys = 823.20 CPU) Result: FAIL make[1]: *** [Makefile:2482: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2479: tests] Error 2 From levitte at openssl.org Fri Feb 26 07:54:56 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 26 Feb 2021 07:54:56 +0000 Subject: [openssl] master update Message-ID: <1614326096.005429.2099.nullmailer@dev.openssl.org> The branch master has been updated via 5a6a6d59a642e0ee437e3753c152b67e92d3cb3f (commit) from 32ab57cbb4877ce7e6b4eb3f9b3cfbb0ff7cd10b (commit) - Log ----------------------------------------------------------------- commit 5a6a6d59a642e0ee437e3753c152b67e92d3cb3f Author: Richard Levitte Date: Thu Feb 25 00:06:46 2021 +0100 Makefile: Only update doc/build.info when there's an actual change Fixes #14307 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14309) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index b0aff03ad1..aa4b3ec0ec 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1096,7 +1096,16 @@ generate_fuzz_oids: generate_doc_buildinfo: ( $(PERL) -I$(BLDDIR) -Mconfigdata \ $(SRCDIR)/util/dofile.pl -o Makefile \ - $(SRCDIR)/doc/build.info.in > $(SRCDIR)/doc/build.info ) + $(SRCDIR)/doc/build.info.in \ + > $(SRCDIR)/doc/build.info.new; \ + if ( test -e $(SRCDIR)/doc/build.info \ + && cmp $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info \ + > /dev/null ); \ + then \ + rm $(SRCDIR)/doc/build.info.new; \ + else \ + mv $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info; \ + fi ) # Set to -force to force a rebuild ERROR_REBUILD= From pauli at openssl.org Fri Feb 26 08:13:41 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 26 Feb 2021 08:13:41 +0000 Subject: [openssl] master update Message-ID: <1614327221.932073.8770.nullmailer@dev.openssl.org> The branch master has been updated via db7fbd54cf0636e25d4f8b8fddd829741064b831 (commit) via 2e36321aec5579610da77d43ac27eb8732676654 (commit) via e79fb279dfc146af0948d2727656f72226ef104f (commit) via fe20a66ed4f911f641af4123f931319677b1e8b7 (commit) via 292b4184d6fda8e0c5c62c22170e8ad464a1a3a7 (commit) via 644c5dd366913d9297db8e0693a754e2d45c9089 (commit) via 35c76a528bb14611d7ff2c77762b16cf28c1fef3 (commit) via 8dd233bb07607239bea31f33224df2ac37eddb57 (commit) via 5a7134ee102f2a975d20353a0cfa0031d155dfcf (commit) via eee323c3390fbee9e7129719473809ab1634c2d7 (commit) via 1e8e5c6092bfa90254dd293ee87f15f9edfdbdde (commit) via de43d82b6db142a179485221a56e35fb7d83c64e (commit) via a5120afda32e67435624cef1fe0d49bf699e4ca5 (commit) via 530cacb56fbe02da8aca436c4c1ae8000200e69c (commit) via caa60428cd8f0aa60cd2fb7e6da4f5aa9664ae16 (commit) via 1c9eaf42510d0756ce0d219c5127dff2f1a0b83d (commit) via a3f091fddd1f5349a14f3874d0e3a6d77cba9865 (commit) via 90fec26dc681bec9af25fb5bd232109f1f261965 (commit) via d618ac6fd7e24a99122b04cd23b84130b2537d87 (commit) via 6de3a06dd45c68edd67b5ce1dbc94f3952a84a77 (commit) via aa95e08b291aa605fc2cf8f8b1df5d74eb5f228f (commit) via e772f25ca856d830b46927464c8e79c819746974 (commit) from 5a6a6d59a642e0ee437e3753c152b67e92d3cb3f (commit) - Log ----------------------------------------------------------------- commit db7fbd54cf0636e25d4f8b8fddd829741064b831 Author: Pauli Date: Wed Feb 24 09:24:29 2021 +1000 fuzzer: add ctx gettable/settable to the fuzzer RNG Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 2e36321aec5579610da77d43ac27eb8732676654 Author: Pauli Date: Wed Feb 24 09:24:26 2021 +1000 test: add ctx gettable/settable to the generic fake random number generator Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit e79fb279dfc146af0948d2727656f72226ef104f Author: Pauli Date: Tue Feb 23 11:49:55 2021 +1000 core: support modified gettable/settable ctx calls for ciphers Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit fe20a66ed4f911f641af4123f931319677b1e8b7 Author: Pauli Date: Tue Feb 23 11:49:20 2021 +1000 changes to match the updated context gettable/settable calls for ciphers Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 292b4184d6fda8e0c5c62c22170e8ad464a1a3a7 Author: Pauli Date: Tue Feb 23 11:48:57 2021 +1000 evp: upport modified gettable/settable ctx calls for ciphers Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 644c5dd366913d9297db8e0693a754e2d45c9089 Author: Pauli Date: Tue Feb 23 11:48:35 2021 +1000 prov: upport modified gettable/settable ctx calls for ciphers Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 35c76a528bb14611d7ff2c77762b16cf28c1fef3 Author: Pauli Date: Tue Feb 23 11:03:49 2021 +1000 evp: support modified gettable/settable ctx calls for MACs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 8dd233bb07607239bea31f33224df2ac37eddb57 Author: Pauli Date: Tue Feb 23 11:03:31 2021 +1000 doc: changes to match the updated context gettable/settable calls for MACs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 5a7134ee102f2a975d20353a0cfa0031d155dfcf Author: Pauli Date: Tue Feb 23 11:03:08 2021 +1000 core: core: support modified gettable/settable ctx calls for MACs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit eee323c3390fbee9e7129719473809ab1634c2d7 Author: Pauli Date: Tue Feb 23 11:02:49 2021 +1000 prov: support modified gettable/settable ctx calls for MACs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 1e8e5c6092bfa90254dd293ee87f15f9edfdbdde Author: Pauli Date: Tue Feb 23 10:47:18 2021 +1000 prov: support modified gettable/settable ctx calls for KDFs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit de43d82b6db142a179485221a56e35fb7d83c64e Author: Pauli Date: Tue Feb 23 10:46:58 2021 +1000 core: support modified gettable/settable ctx calls for KDFs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit a5120afda32e67435624cef1fe0d49bf699e4ca5 Author: Pauli Date: Tue Feb 23 10:46:08 2021 +1000 evp: support modified gettable/settable ctx calls for KDFs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 530cacb56fbe02da8aca436c4c1ae8000200e69c Author: Pauli Date: Tue Feb 23 10:45:39 2021 +1000 doc: changes to match the updated context gettable/settable calls Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit caa60428cd8f0aa60cd2fb7e6da4f5aa9664ae16 Author: Pauli Date: Tue Feb 23 09:52:15 2021 +1000 evp: support modified gettable/settable ctx calls for RNGs Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 1c9eaf42510d0756ce0d219c5127dff2f1a0b83d Author: Pauli Date: Tue Feb 23 09:51:48 2021 +1000 core: update RNG gettable/settable ctx param calls Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit a3f091fddd1f5349a14f3874d0e3a6d77cba9865 Author: Pauli Date: Tue Feb 23 09:51:10 2021 +1000 prov: update RNGs to support modified gettable/settable CTX params Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 90fec26dc681bec9af25fb5bd232109f1f261965 Author: Pauli Date: Tue Feb 23 09:50:17 2021 +1000 doc: note changes to rand gettable/settable provider call Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit d618ac6fd7e24a99122b04cd23b84130b2537d87 Author: Pauli Date: Mon Feb 22 12:07:15 2021 +1000 doc: note changes to digest gettable/settable provider calls Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit 6de3a06dd45c68edd67b5ce1dbc94f3952a84a77 Author: Pauli Date: Mon Feb 22 12:06:48 2021 +1000 modify EVP to support digest gettable/settable calls Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit aa95e08b291aa605fc2cf8f8b1df5d74eb5f228f Author: Pauli Date: Mon Feb 22 12:06:30 2021 +1000 core: update digest gettable/settable ctx params calls Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) commit e772f25ca856d830b46927464c8e79c819746974 Author: Pauli Date: Mon Feb 22 12:06:04 2021 +1000 prov: update digests to support modified ctx params Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14240) ----------------------------------------------------------------------- Summary of changes: crypto/evp/digest.c | 34 +++++++++++------ crypto/evp/evp_enc.c | 40 +++++++++++++++++--- crypto/evp/evp_rand.c | 32 ++++++++++++++-- crypto/evp/kdf_meth.c | 30 ++++++++++++++- crypto/evp/mac_meth.c | 30 ++++++++++++++- doc/man3/EVP_DigestInit.pod | 43 +++++++++++++++------- doc/man3/EVP_EncryptInit.pod | 39 ++++++++++++++++---- doc/man3/EVP_KDF.pod | 33 +++++++++++++---- doc/man3/EVP_MAC.pod | 29 ++++++++++++--- doc/man3/EVP_RAND.pod | 29 ++++++++++++--- doc/man7/provider-cipher.pod | 20 ++++++---- doc/man7/provider-digest.pod | 22 +++++++---- doc/man7/provider-kdf.pod | 19 ++++++---- doc/man7/provider-mac.pod | 21 +++++++---- doc/man7/provider-rand.pod | 19 ++++++---- fuzz/fuzz_rand.c | 3 +- include/openssl/core_dispatch.h | 20 +++++----- include/openssl/evp.h | 6 +++ include/openssl/kdf.h | 2 + .../ciphers/cipher_aes_cbc_hmac_sha.c | 6 ++- providers/implementations/ciphers/cipher_aes_ocb.c | 6 ++- providers/implementations/ciphers/cipher_aes_siv.c | 7 ++-- providers/implementations/ciphers/cipher_aes_xts.c | 3 +- .../implementations/ciphers/cipher_chacha20.c | 6 ++- .../ciphers/cipher_chacha20_poly1305.c | 2 +- providers/implementations/ciphers/cipher_null.c | 6 ++- .../implementations/ciphers/cipher_rc4_hmac_md5.c | 6 ++- providers/implementations/ciphers/ciphercommon.c | 6 +-- providers/implementations/digests/md5_sha1_prov.c | 3 +- providers/implementations/digests/mdc2_prov.c | 3 +- providers/implementations/digests/sha2_prov.c | 3 +- providers/implementations/digests/sha3_prov.c | 3 +- .../implementations/include/prov/ciphercommon.h | 6 ++- providers/implementations/kdfs/hkdf.c | 6 ++- providers/implementations/kdfs/kbkdf.c | 6 ++- providers/implementations/kdfs/krb5kdf.c | 6 ++- providers/implementations/kdfs/pbkdf2.c | 6 ++- providers/implementations/kdfs/pkcs12kdf.c | 6 ++- providers/implementations/kdfs/scrypt.c | 6 ++- providers/implementations/kdfs/sshkdf.c | 6 ++- providers/implementations/kdfs/sskdf.c | 6 ++- providers/implementations/kdfs/tls1_prf.c | 6 ++- providers/implementations/kdfs/x942kdf.c | 6 ++- providers/implementations/macs/blake2_mac_impl.c | 6 ++- providers/implementations/macs/cmac_prov.c | 6 ++- providers/implementations/macs/gmac_prov.c | 3 +- providers/implementations/macs/hmac_prov.c | 6 ++- providers/implementations/macs/kmac_prov.c | 6 ++- providers/implementations/macs/poly1305_prov.c | 3 +- providers/implementations/macs/siphash_prov.c | 11 ++++-- providers/implementations/rands/drbg_ctr.c | 6 ++- providers/implementations/rands/drbg_hash.c | 6 ++- providers/implementations/rands/drbg_hmac.c | 6 ++- providers/implementations/rands/seed_src.c | 3 +- providers/implementations/rands/test_rng.c | 6 ++- test/testutil/fake_random.c | 3 +- util/libcrypto.num | 8 ++++ 57 files changed, 493 insertions(+), 183 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index e322654241..858a9926cf 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -656,14 +656,19 @@ int EVP_MD_CTX_set_params(EVP_MD_CTX *ctx, const OSSL_PARAM params[]) const OSSL_PARAM *EVP_MD_settable_ctx_params(const EVP_MD *md) { - if (md != NULL && md->settable_ctx_params != NULL) - return md->settable_ctx_params(ossl_provider_ctx(EVP_MD_provider(md))); + void *alg; + + if (md != NULL && md->settable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_MD_provider(md)); + return md->settable_ctx_params(NULL, alg); + } return NULL; } const OSSL_PARAM *EVP_MD_CTX_settable_params(EVP_MD_CTX *ctx) { EVP_PKEY_CTX *pctx; + void *alg; if (ctx == NULL) return NULL; @@ -678,9 +683,10 @@ const OSSL_PARAM *EVP_MD_CTX_settable_params(EVP_MD_CTX *ctx) return pctx->op.sig.signature->settable_ctx_md_params( pctx->op.sig.sigprovctx); - if (ctx->digest != NULL && ctx->digest->settable_ctx_params != NULL) - return ctx->digest->settable_ctx_params( - ossl_provider_ctx(EVP_MD_provider(ctx->digest))); + if (ctx->digest != NULL && ctx->digest->settable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_MD_provider(ctx->digest)); + return ctx->digest->settable_ctx_params(ctx->provctx, alg); + } return NULL; } @@ -706,14 +712,19 @@ int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[]) const OSSL_PARAM *EVP_MD_gettable_ctx_params(const EVP_MD *md) { - if (md != NULL && md->gettable_ctx_params != NULL) - return md->gettable_ctx_params(ossl_provider_ctx(EVP_MD_provider(md))); + void *alg; + + if (md != NULL && md->gettable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_MD_provider(md)); + return md->gettable_ctx_params(NULL, alg); + } return NULL; } const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx) { EVP_PKEY_CTX *pctx; + void *alg; if (ctx == NULL) return NULL; @@ -728,11 +739,10 @@ const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx) return pctx->op.sig.signature->gettable_ctx_md_params( pctx->op.sig.sigprovctx); - if (ctx->digest != NULL - && ctx->digest->gettable_ctx_params != NULL) - return ctx->digest->gettable_ctx_params( - ossl_provider_ctx(EVP_MD_provider(ctx->digest))); - + if (ctx->digest != NULL && ctx->digest->gettable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_MD_provider(ctx->digest)); + return ctx->digest->gettable_ctx_params(ctx->provctx, alg); + } return NULL; } diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index ebb876a8dc..851c6d5d9a 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1220,17 +1220,45 @@ const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher) const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher) { - if (cipher != NULL && cipher->settable_ctx_params != NULL) - return cipher->settable_ctx_params( - ossl_provider_ctx(EVP_CIPHER_provider(cipher))); + void *alg; + + if (cipher != NULL && cipher->settable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_CIPHER_provider(cipher)); + return cipher->settable_ctx_params(NULL, alg); + } return NULL; } const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher) { - if (cipher != NULL && cipher->gettable_ctx_params != NULL) - return cipher->gettable_ctx_params( - ossl_provider_ctx(EVP_CIPHER_provider(cipher))); + void *alg; + + if (cipher != NULL && cipher->gettable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_CIPHER_provider(cipher)); + return cipher->gettable_ctx_params(NULL, alg); + } + return NULL; +} + +const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *cctx) +{ + void *alg; + + if (cctx != NULL && cctx->cipher->settable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_CIPHER_provider(cctx->cipher)); + return cctx->cipher->settable_ctx_params(cctx->provctx, alg); + } + return NULL; +} + +const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *cctx) +{ + void *alg; + + if (cctx != NULL && cctx->cipher->gettable_ctx_params != NULL) { + alg = ossl_provider_ctx(EVP_CIPHER_provider(cctx->cipher)); + return cctx->cipher->gettable_ctx_params(cctx->provctx, alg); + } return NULL; } diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index b27f4e11a0..bc8c24b3b5 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -428,18 +428,42 @@ const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand) const OSSL_PARAM *EVP_RAND_gettable_ctx_params(const EVP_RAND *rand) { + void *provctx; + if (rand->gettable_ctx_params == NULL) return NULL; - return rand->gettable_ctx_params( - ossl_provider_ctx(EVP_RAND_provider(rand))); + provctx = ossl_provider_ctx(EVP_RAND_provider(rand)); + return rand->gettable_ctx_params(NULL, provctx); } const OSSL_PARAM *EVP_RAND_settable_ctx_params(const EVP_RAND *rand) { + void *provctx; + if (rand->settable_ctx_params == NULL) return NULL; - return rand->settable_ctx_params( - ossl_provider_ctx(EVP_RAND_provider(rand))); + provctx = ossl_provider_ctx(EVP_RAND_provider(rand)); + return rand->settable_ctx_params(NULL, provctx); +} + +const OSSL_PARAM *EVP_RAND_CTX_gettable_params(EVP_RAND_CTX *ctx) +{ + void *provctx; + + if (ctx->meth->gettable_ctx_params == NULL) + return NULL; + provctx = ossl_provider_ctx(EVP_RAND_provider(ctx->meth)); + return ctx->meth->gettable_ctx_params(ctx->data, provctx); +} + +const OSSL_PARAM *EVP_RAND_CTX_settable_params(EVP_RAND_CTX *ctx) +{ + void *provctx; + + if (ctx->meth->settable_ctx_params == NULL) + return NULL; + provctx = ossl_provider_ctx(EVP_RAND_provider(ctx->meth)); + return ctx->meth->settable_ctx_params(ctx->data, provctx); } void EVP_RAND_do_all_provided(OSSL_LIB_CTX *libctx, diff --git a/crypto/evp/kdf_meth.c b/crypto/evp/kdf_meth.c index 40e71e8cd8..659788a58d 100644 --- a/crypto/evp/kdf_meth.c +++ b/crypto/evp/kdf_meth.c @@ -174,16 +174,42 @@ const OSSL_PARAM *EVP_KDF_gettable_params(const EVP_KDF *kdf) const OSSL_PARAM *EVP_KDF_gettable_ctx_params(const EVP_KDF *kdf) { + void *alg; + if (kdf->gettable_ctx_params == NULL) return NULL; - return kdf->gettable_ctx_params(ossl_provider_ctx(EVP_KDF_provider(kdf))); + alg = ossl_provider_ctx(EVP_KDF_provider(kdf)); + return kdf->gettable_ctx_params(NULL, alg); } const OSSL_PARAM *EVP_KDF_settable_ctx_params(const EVP_KDF *kdf) { + void *alg; + if (kdf->settable_ctx_params == NULL) return NULL; - return kdf->settable_ctx_params(ossl_provider_ctx(EVP_KDF_provider(kdf))); + alg = ossl_provider_ctx(EVP_KDF_provider(kdf)); + return kdf->settable_ctx_params(NULL, alg); +} + +const OSSL_PARAM *EVP_KDF_CTX_gettable_params(EVP_KDF_CTX *ctx) +{ + void *alg; + + if (ctx->meth->gettable_ctx_params == NULL) + return NULL; + alg = ossl_provider_ctx(EVP_KDF_provider(ctx->meth)); + return ctx->meth->gettable_ctx_params(ctx->data, alg); +} + +const OSSL_PARAM *EVP_KDF_CTX_settable_params(EVP_KDF_CTX *ctx) +{ + void *alg; + + if (ctx->meth->settable_ctx_params == NULL) + return NULL; + alg = ossl_provider_ctx(EVP_KDF_provider(ctx->meth)); + return ctx->meth->settable_ctx_params(ctx->data, alg); } void EVP_KDF_do_all_provided(OSSL_LIB_CTX *libctx, diff --git a/crypto/evp/mac_meth.c b/crypto/evp/mac_meth.c index edf08389e9..85f87e4c61 100644 --- a/crypto/evp/mac_meth.c +++ b/crypto/evp/mac_meth.c @@ -181,16 +181,42 @@ const OSSL_PARAM *EVP_MAC_gettable_params(const EVP_MAC *mac) const OSSL_PARAM *EVP_MAC_gettable_ctx_params(const EVP_MAC *mac) { + void *alg; + if (mac->gettable_ctx_params == NULL) return NULL; - return mac->gettable_ctx_params(ossl_provider_ctx(EVP_MAC_provider(mac))); + alg = ossl_provider_ctx(EVP_MAC_provider(mac)); + return mac->gettable_ctx_params(NULL, alg); } const OSSL_PARAM *EVP_MAC_settable_ctx_params(const EVP_MAC *mac) { + void *alg; + if (mac->settable_ctx_params == NULL) return NULL; - return mac->settable_ctx_params(ossl_provider_ctx(EVP_MAC_provider(mac))); + alg = ossl_provider_ctx(EVP_MAC_provider(mac)); + return mac->settable_ctx_params(NULL, alg); +} + +const OSSL_PARAM *EVP_MAC_CTX_gettable_params(EVP_MAC_CTX *ctx) +{ + void *alg; + + if (ctx->meth->gettable_ctx_params == NULL) + return NULL; + alg = ossl_provider_ctx(EVP_MAC_provider(ctx->meth)); + return ctx->meth->gettable_ctx_params(ctx->data, alg); +} + +const OSSL_PARAM *EVP_MAC_CTX_settable_params(EVP_MAC_CTX *ctx) +{ + void *alg; + + if (ctx->meth->settable_ctx_params == NULL) + return NULL; + alg = ossl_provider_ctx(EVP_MAC_provider(ctx->meth)); + return ctx->meth->settable_ctx_params(ctx->data, alg); } void EVP_MAC_do_all_provided(OSSL_LIB_CTX *libctx, diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index c4cecad3a7..ac527e407e 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -180,18 +180,29 @@ See L below for more information. Sets the list of I into a MD context I. See L below for more information. -=item EVP_MD_gettable_params(), EVP_MD_gettable_ctx_params(), -EVP_MD_settable_ctx_params(), EVP_MD_CTX_gettable_params(), -EVP_MD_CTX_settable_params() - -Get a B array that describes the retrievable and settable -parameters. EVP_MD_gettable_params() returns parameters that can be used with -EVP_MD_get_params(). EVP_MD_gettable_ctx_params() and -EVP_MD_CTX_gettable_params() return parameters that can be used with -EVP_MD_CTX_get_params(). EVP_MD_settable_ctx_params() and -EVP_MD_CTX_settable_params() return parameters that can be used with -EVP_MD_CTX_set_params(). -See L for the use of B as parameter descriptor. +=item EVP_MD_gettable_params() + +Get a constant B array that describes the retrievable parameters +that can be used with EVP_MD_get_params(). See L for the +use of B as a parameter descriptor. + +=item EVP_MD_gettable_ctx_params(), EVP_MD_CTX_gettable_params() + +Get a constant B array that describes the retrievable parameters +that can be used with EVP_MD_CTX_get_params(). EVP_MD_gettable_ctx_params() +returns the parameters that can be retrieved from the algorithm, whereas +EVP_MD_CTX_gettable_params() returns the parameters that can be retrieved +in the context's current state. See L for the use of +B as a parameter descriptor. + +=item EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() + +Get a constant B array that describes the settable parameters +that can be used with EVP_MD_CTX_set_params(). EVP_MD_settable_ctx_params() +returns the parameters that can be set from the algorithm, whereas +EVP_MD_CTX_settable_params() returns the parameters that can be set in the +context's current state. See L for the use of B +as a parameter descriptor. =item EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags() @@ -658,8 +669,12 @@ The EVP_dss1() function was removed in OpenSSL 1.1.0. The EVP_MD_CTX_set_pkey_ctx() function was added in OpenSSL 1.1.1. -The EVP_MD_fetch(), EVP_MD_free(), EVP_MD_up_ref(), EVP_MD_CTX_set_params() -and EVP_MD_CTX_get_params() functions were added in OpenSSL 3.0. +The EVP_MD_fetch(), EVP_MD_free(), EVP_MD_up_ref(), +EVP_MD_get_params(), EVP_MD_CTX_set_params(), EVP_MD_CTX_get_params(), +EVP_MD_gettable_params(), EVP_MD_gettable_ctx_params(), +EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() and +EVP_MD_CTX_gettable_params() functions were added in OpenSSL 3.0. + The EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated in OpenSSL 3.0. diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 7cc9cebb51..63b416289b 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -48,8 +48,10 @@ EVP_CIPHER_CTX_name, EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_get_params, EVP_CIPHER_gettable_ctx_params, +EVP_CIPHER_CTX_gettable_params, EVP_CIPHER_CTX_set_params, EVP_CIPHER_settable_ctx_params, +EVP_CIPHER_CTX_settable_params, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length, EVP_CIPHER_CTX_iv_length, @@ -147,6 +149,8 @@ EVP_CIPHER_do_all_provided const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher); const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher); const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher); + const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *ctx); + const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); @@ -302,12 +306,28 @@ context B. EVP_CIPHER_CTX_get_params() retrieves the requested list of operation B from CIPHER context B. -EVP_CIPHER_gettable_params(), EVP_CIPHER_gettable_ctx_params(), and -EVP_CIPHER_settable_ctx_params() get a constant B array -that describes the retrievable and settable parameters, i.e. parameters -that can be used with EVP_CIPHER_get_params(), EVP_CIPHER_CTX_get_params() -and EVP_CIPHER_CTX_set_params(), respectively. -See L for the use of B as parameter descriptor. +EVP_CIPHER_gettable_params() returns an B array that describes +the retrievable and settable parameters. EVP_CIPHER_gettable_params() +returns parameters that can be used with EVP_CIPHER_get_params(). See +L for the use of B as a parameter descriptor. + +EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params() +return constant B arrays that describe the retrievable +parameters that can be used with EVP_CIPHER_CTX_get_params(). +EVP_CIPHER_gettable_ctx_params() returns the parameters that can be +retrieved from the algorithm, whereas EVP_CIPHER_CTX_gettable_params() +returns the parameters that can be retrieved in the context's current +state. See L for the use of B as a parameter +descriptor. + +EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params() +return constant B arrays that describe the settable +parameters that can be used with EVP_CIPHER_CTX_set_params(). +EVP_CIPHER_settable_ctx_params() returns the parameters that can be +retrieved from the algorithm, whereas EVP_CIPHER_CTX_settable_params() +returns the parameters that can be retrieved in the context's current +state. See L for the use of B as a parameter +descriptor. EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key length of a cipher when passed an B or B @@ -884,8 +904,11 @@ disappeared. EVP_CIPHER_CTX_init() remains as an alias for EVP_CIPHER_CTX_reset(). The EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(), -EVP_CIPHER_CTX_set_params() and EVP_CIPHER_CTX_get_params() functions -were added in 3.0. +EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(), +EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(), +EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(), +EVP_CIPHER_CTX_settable_params() and EVP_CIPHER_CTX_gettable_params() +functions were added in 3.0. =head1 COPYRIGHT diff --git a/doc/man3/EVP_KDF.pod b/doc/man3/EVP_KDF.pod index 3afc0bd9b1..90e8f5adcf 100644 --- a/doc/man3/EVP_KDF.pod +++ b/doc/man3/EVP_KDF.pod @@ -8,8 +8,9 @@ EVP_KDF_CTX_reset, EVP_KDF_derive, EVP_KDF_CTX_get_kdf_size, EVP_KDF_provider, EVP_KDF_CTX_kdf, EVP_KDF_is_a, EVP_KDF_number, EVP_KDF_name, EVP_KDF_names_do_all, EVP_KDF_CTX_get_params, EVP_KDF_CTX_set_params, EVP_KDF_do_all_provided, -EVP_KDF_get_params, EVP_KDF_gettable_ctx_params, EVP_KDF_settable_ctx_params, -EVP_KDF_gettable_params - EVP KDF routines +EVP_KDF_get_params, EVP_KDF_gettable_params, +EVP_KDF_gettable_ctx_params, EVP_KDF_settable_ctx_params, +EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params - EVP KDF routines =head1 SYNOPSIS @@ -45,6 +46,8 @@ EVP_KDF_gettable_params - EVP KDF routines const OSSL_PARAM *EVP_KDF_gettable_params(const EVP_KDF *kdf); const OSSL_PARAM *EVP_KDF_gettable_ctx_params(const EVP_KDF *kdf); const OSSL_PARAM *EVP_KDF_settable_ctx_params(const EVP_KDF *kdf); + const OSSL_PARAM *EVP_KDF_CTX_gettable_params(const EVP_KDF *kdf); + const OSSL_PARAM *EVP_KDF_CTX_settable_params(const EVP_KDF *kdf); const OSSL_PROVIDER *EVP_KDF_provider(const EVP_KDF *kdf); =head1 DESCRIPTION @@ -124,12 +127,26 @@ simply ignored. Also, what happens when a needed parameter isn't passed down is defined by the implementation. -EVP_KDF_gettable_params(), EVP_KDF_gettable_ctx_params() and -EVP_KDF_settable_ctx_params() get a constant B array that -describes the retrievable and settable parameters, i.e. parameters that -can be used with EVP_KDF_get_params(), EVP_KDF_CTX_get_params() -and EVP_KDF_CTX_set_params(), respectively. -See L for the use of B as parameter descriptor. +EVP_KDF_gettable_params() returns an B array that describes +the retrievable and settable parameters. EVP_KDF_gettable_params() +returns parameters that can be used with EVP_KDF_get_params(). +See L for the use of B as a parameter descriptor. + +EVP_KDF_gettable_ctx_params() and EVP_KDF_CTX_gettable_params() +return constant B arrays that describe the retrievable +parameters that can be used with EVP_KDF_CTX_get_params(). +EVP_KDF_gettable_ctx_params() returns the parameters that can be retrieved +from the algorithm, whereas EVP_KDF_CTX_gettable_params() returns +the parameters that can be retrieved in the context's current state. +See L for the use of B as a parameter descriptor. + +EVP_KDF_settable_ctx_params() and EVP_KDF_CTX_settable_params() return +constant B arrays that describe the settable parameters that +can be used with EVP_KDF_CTX_set_params(). EVP_KDF_settable_ctx_params() +returns the parameters that can be retrieved from the algorithm, +whereas EVP_KDF_CTX_settable_params() returns the parameters that can +be retrieved in the context's current state. See L +for the use of B as a parameter descriptor. =head2 Information functions diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index ff7003b906..b32415aac5 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -9,6 +9,7 @@ EVP_MAC_CTX, EVP_MAC_CTX_new, EVP_MAC_CTX_free, EVP_MAC_CTX_dup, EVP_MAC_CTX_mac, EVP_MAC_CTX_get_params, EVP_MAC_CTX_set_params, EVP_MAC_CTX_get_mac_size, EVP_MAC_init, EVP_MAC_update, EVP_MAC_final, EVP_MAC_gettable_ctx_params, EVP_MAC_settable_ctx_params, +EVP_MAC_CTX_gettable_params, EVP_MAC_CTX_settable_params, EVP_MAC_do_all_provided - EVP MAC routines =head1 SYNOPSIS @@ -47,6 +48,8 @@ EVP_MAC_do_all_provided - EVP MAC routines const OSSL_PARAM *EVP_MAC_gettable_params(const EVP_MAC *mac); const OSSL_PARAM *EVP_MAC_gettable_ctx_params(const EVP_MAC *mac); const OSSL_PARAM *EVP_MAC_settable_ctx_params(const EVP_MAC *mac); + const OSSL_PARAM *EVP_MAC_CTX_gettable_params(EVP_MAC_CTX *ctx); + const OSSL_PARAM *EVP_MAC_CTX_settable_params(EVP_MAC_CTX *ctx); void EVP_MAC_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_MAC *mac, void *arg), @@ -153,12 +156,26 @@ simply ignored. Also, what happens when a needed parameter isn't passed down is defined by the implementation. -EVP_MAC_gettable_params(), EVP_MAC_gettable_ctx_params() and -EVP_MAC_settable_ctx_params() get a constant B array that -describes the retrievable and settable parameters, i.e. parameters that -can be used with EVP_MAC_get_params(), EVP_MAC_CTX_get_params() -and EVP_MAC_CTX_set_params(), respectively. -See L for the use of B as parameter descriptor. +EVP_MAC_gettable_params() returns an B array that describes +the retrievable and settable parameters. EVP_MAC_gettable_params() +returns parameters that can be used with EVP_MAC_get_params(). +See L for the use of B as a parameter descriptor. + +EVP_MAC_gettable_ctx_params() and EVP_MAC_CTX_gettable_params() +return constant B arrays that describe the retrievable +parameters that can be used with EVP_MAC_CTX_get_params(). +EVP_MAC_gettable_ctx_params() returns the parameters that can be retrieved +from the algorithm, whereas EVP_MAC_CTX_gettable_params() returns +the parameters that can be retrieved in the context's current state. +See L for the use of B as a parameter descriptor. + +EVP_MAC_settable_ctx_params() and EVP_MAC_CTX_settable_params() return +constant B arrays that describe the settable parameters that +can be used with EVP_MAC_CTX_set_params(). EVP_MAC_settable_ctx_params() +returns the parameters that can be retrieved from the algorithm, +whereas EVP_MAC_CTX_settable_params() returns the parameters that can +be retrieved in the context's current state. See L +for the use of B as a parameter descriptor. =head2 Information functions diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index df92629780..88ee739d94 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod @@ -11,6 +11,7 @@ EVP_RAND_provider, EVP_RAND_CTX_rand, EVP_RAND_is_a, EVP_RAND_number, EVP_RAND_name, EVP_RAND_names_do_all, EVP_RAND_get_ctx_params, EVP_RAND_set_ctx_params, EVP_RAND_do_all_provided, EVP_RAND_get_params, EVP_RAND_gettable_ctx_params, EVP_RAND_settable_ctx_params, +EVP_RAND_CTX_gettable_params, EVP_RAND_CTX_settable_params, EVP_RAND_gettable_params, EVP_RAND_STATE_UNINITIALISED, EVP_RAND_STATE_READY, EVP_RAND_STATE_ERROR - EVP RAND routines @@ -34,6 +35,8 @@ EVP_RAND_STATE_ERROR - EVP RAND routines const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand); const OSSL_PARAM *EVP_RAND_gettable_ctx_params(const EVP_RAND *rand); const OSSL_PARAM *EVP_RAND_settable_ctx_params(const EVP_RAND *rand); + const OSSL_PARAM *EVP_RAND_CTX_gettable_params(EVP_RAND_CTX *ctx); + const OSSL_PARAM *EVP_RAND_CTX_settable_params(EVP_RAND_CTX *ctx); int EVP_RAND_number(const EVP_RAND *rand); const char *EVP_RAND_name(const EVP_RAND *rand); int EVP_RAND_is_a(const EVP_RAND *rand, const char *name); @@ -179,12 +182,26 @@ simply ignored. Also, what happens when a needed parameter isn't passed down is defined by the implementation. -EVP_RAND_gettable_params(), EVP_RAND_gettable_ctx_params() and -EVP_RAND_settable_ctx_params() get a constant B array that -describes the retrievable and settable parameters, i.e. parameters that -can be used with EVP_RAND_get_params(), EVP_RAND_get_ctx_params() -and EVP_RAND_set_ctx_params(), respectively. -See L for the use of B as parameter descriptor. +EVP_RAND_gettable_params() returns an B array that describes +the retrievable and settable parameters. EVP_RAND_gettable_params() returns +parameters that can be used with EVP_RAND_get_params(). See L +for the use of B as a parameter descriptor. + +EVP_RAND_gettable_ctx_params() and EVP_RAND_CTX_gettable_params() return +constant B arrays that describe the retrievable parameters that +can be used with EVP_RAND_CTX_get_params(). EVP_RAND_gettable_ctx_params() +returns the parameters that can be retrieved from the algorithm, whereas +EVP_RAND_CTX_gettable_params() returns the parameters that can be retrieved +in the context's current state. See L for the use of +B as a parameter descriptor. + +EVP_RAND_settable_ctx_params() and EVP_RAND_CTX_settable_params() return +constant B arrays that describe the settable parameters that +can be used with EVP_RAND_CTX_set_params(). EVP_RAND_settable_ctx_params() +returns the parameters that can be retrieved from the algorithm, whereas +EVP_RAND_CTX_settable_params() returns the parameters that can be retrieved +in the context's current state. See L for the use of +B as a parameter descriptor. =head2 Information functions diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index 34a5ec0a7f..133ee07d67 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -40,8 +40,10 @@ provider-cipher - The cipher library E-E provider functions const OSSL_PARAM *OSSL_FUNC_cipher_gettable_params(void *provctx); /* Cipher operation parameter descriptors */ - const OSSL_PARAM *OSSL_FUNC_cipher_gettable_ctx_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_cipher_settable_ctx_params(void *provctx); + const OSSL_PARAM *OSSL_FUNC_cipher_gettable_ctx_params(void *cctx, + void *provctx); + const OSSL_PARAM *OSSL_FUNC_cipher_settable_ctx_params(void *cctx, + void *provctx); /* Cipher parameters */ int OSSL_FUNC_cipher_get_params(OSSL_PARAM params[]); @@ -186,11 +188,15 @@ Any parameter settings are additional to any that were previously set. OSSL_FUNC_cipher_get_ctx_params() gets cipher operation details details from the given provider side cipher context I and stores them in I. -OSSL_FUNC_cipher_gettable_params(), OSSL_FUNC_cipher_gettable_ctx_params(), and -OSSL_FUNC_cipher_settable_ctx_params() all return constant B arrays -as descriptors of the parameters that OSSL_FUNC_cipher_get_params(), -OSSL_FUNC_cipher_get_ctx_params(), and OSSL_FUNC_cipher_set_ctx_params() can handle, -respectively. +OSSL_FUNC_cipher_gettable_params(), OSSL_FUNC_cipher_gettable_ctx_params(), +and OSSL_FUNC_cipher_settable_ctx_params() all return constant B +arrays as descriptors of the parameters that OSSL_FUNC_cipher_get_params(), +OSSL_FUNC_cipher_get_ctx_params(), and OSSL_FUNC_cipher_set_ctx_params() +can handle, respectively. OSSL_FUNC_cipher_gettable_ctx_params() and +OSSL_FUNC_cipher_settable_ctx_params() will return the parameters associated +with the provider side context I in its current state if it is +not NULL. Otherwise, they return the parameters associated with the +provider side algorithm I. Parameters currently recognised by built-in ciphers are as follows. Not all parameters are relevant to, or are understood by all ciphers: diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod index 1c09ee3c40..4f90cf8b62 100644 --- a/doc/man7/provider-digest.pod +++ b/doc/man7/provider-digest.pod @@ -33,8 +33,10 @@ provider-digest - The digest library E-E provider functions const OSSL_PARAM *OSSL_FUNC_digest_gettable_params(void *provctx); /* Digest operation parameter descriptors */ - const OSSL_PARAM *OSSL_FUNC_digest_gettable_ctx_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_digest_settable_ctx_params(void *provctx); + const OSSL_PARAM *OSSL_FUNC_digest_gettable_ctx_params(void *dctx, + void *provctx); + const OSSL_PARAM *OSSL_FUNC_digest_settable_ctx_params(void *dctx, + void *provctx); /* Digest parameters */ int OSSL_FUNC_digest_get_params(OSSL_PARAM params[]); @@ -152,11 +154,17 @@ Any parameter settings are additional to any that were previously set. OSSL_FUNC_digest_get_ctx_params() gets digest operation details details from the given provider side digest context I and stores them in I. -OSSL_FUNC_digest_gettable_params(), OSSL_FUNC_digest_gettable_ctx_params(), and -OSSL_FUNC_digest_settable_ctx_params() all return constant B arrays -as descriptors of the parameters that OSSL_FUNC_digest_get_params(), -OSSL_FUNC_digest_get_ctx_params(), and OSSL_FUNC_digest_set_ctx_params() can handle, -respectively. +OSSL_FUNC_digest_gettable_params() returns a constant B array +containing descriptors of the parameters that OSSL_FUNC_digest_get_params() +can handle. + +OSSL_FUNC_digest_gettable_ctx_params() and +OSSL_FUNC_digest_settable_ctx_params() both return constant +B arrays as descriptors of the parameters that +OSSL_FUNC_digest_get_ctx_params() and OSSL_FUNC_digest_set_ctx_params() +can handle, respectively. The array is based on the current state of +the provider side context if I is not NULL and on the provider +side algorithm I otherwise. Parameters currently recognised by built-in digests with this function are as follows. Not all parameters are relevant to, or are understood diff --git a/doc/man7/provider-kdf.pod b/doc/man7/provider-kdf.pod index 8e2069e34a..4d3d91a4e7 100644 --- a/doc/man7/provider-kdf.pod +++ b/doc/man7/provider-kdf.pod @@ -28,8 +28,8 @@ provider-kdf - The KDF library E-E provider functions /* KDF parameter descriptors */ const OSSL_PARAM *OSSL_FUNC_kdf_gettable_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_kdf_gettable_ctx_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_kdf_settable_ctx_params(void *provctx); + const OSSL_PARAM *OSSL_FUNC_kdf_gettable_ctx_params(void *kcxt, void *provctx); + const OSSL_PARAM *OSSL_FUNC_kdf_settable_ctx_params(void *kcxt, void *provctx); /* KDF parameters */ int OSSL_FUNC_kdf_get_params(OSSL_PARAM params[]); @@ -129,11 +129,16 @@ Any parameter settings are additional to any that were previously set. OSSL_FUNC_kdf_get_ctx_params() retrieves gettable parameter values associated with the given provider side KDF context I and stores them in I. -OSSL_FUNC_kdf_gettable_params(), OSSL_FUNC_kdf_gettable_ctx_params(), and -OSSL_FUNC_kdf_settable_ctx_params() all return constant B arrays -as descriptors of the parameters that OSSL_FUNC_kdf_get_params(), -OSSL_FUNC_kdf_get_ctx_params(), and OSSL_FUNC_kdf_set_ctx_params() can handle, -respectively. +OSSL_FUNC_kdf_gettable_params(), OSSL_FUNC_kdf_gettable_ctx_params(), +and OSSL_FUNC_kdf_settable_ctx_params() all return constant B +arrays as descriptors of the parameters that OSSL_FUNC_kdf_get_params(), +OSSL_FUNC_kdf_get_ctx_params(), and OSSL_FUNC_kdf_set_ctx_params() +can handle, respectively. OSSL_FUNC_kdf_gettable_ctx_params() and +OSSL_FUNC_kdf_settable_ctx_params() will return the parameters associated +with the provider side context I in its current state if it is +not NULL. Otherwise, they return the parameters associated with the +provider side algorithm I. + Parameters currently recognised by built-in KDFs are as follows. Not all parameters are relevant to, or are understood by all KDFs: diff --git a/doc/man7/provider-mac.pod b/doc/man7/provider-mac.pod index 7ce2ad2a13..fdeda79ab5 100644 --- a/doc/man7/provider-mac.pod +++ b/doc/man7/provider-mac.pod @@ -28,9 +28,9 @@ provider-mac - The mac library E-E provider functions int OSSL_FUNC_mac_final(void *mctx, unsigned char *out, size_t *outl, size_t outsize); /* MAC parameter descriptors */ - const OSSL_PARAM *OSSL_FUNC_mac_get_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_mac_get_ctx_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_mac_set_ctx_params(void *provctx); + const OSSL_PARAM *OSSL_FUNC_mac_gettable_params(void *provctx); + const OSSL_PARAM *OSSL_FUNC_mac_gettable_ctx_params(void *mctx, void *provctx); + const OSSL_PARAM *OSSL_FUNC_mac_settable_ctx_params(void *mctx, void *provctx); /* MAC parameters */ int OSSL_FUNC_mac_get_params(OSSL_PARAM params[]); @@ -140,11 +140,16 @@ OSSL_FUNC_mac_get_ctx_params() gets details of currently set parameter values associated with the given provider side mac context I and stores them in I. -OSSL_FUNC_mac_gettable_params(), OSSL_FUNC_mac_gettable_ctx_params(), and -OSSL_FUNC_mac_settable_ctx_params() all return constant B arrays -as descriptors of the parameters that OSSL_FUNC_mac_get_params(), -OSSL_FUNC_mac_get_ctx_params(), and OSSL_FUNC_mac_set_ctx_params() can handle, -respectively. +OSSL_FUNC_mac_gettable_params(), OSSL_FUNC_mac_gettable_ctx_params(), +and OSSL_FUNC_mac_settable_ctx_params() all return constant B +arrays as descriptors of the parameters that OSSL_FUNC_mac_get_params(), +OSSL_FUNC_mac_get_ctx_params(), and OSSL_FUNC_mac_set_ctx_params() +can handle, respectively. OSSL_FUNC_mac_gettable_ctx_params() and +OSSL_FUNC_mac_settable_ctx_params() will return the parameters associated +with the provider side context I in its current state if it is +not NULL. Otherwise, they return the parameters associated with the +provider side algorithm I. + Parameters currently recognised by built-in macs are as follows. Not all parameters are relevant to, or are understood by all macs: diff --git a/doc/man7/provider-rand.pod b/doc/man7/provider-rand.pod index 3250e3c11a..5de3a15f38 100644 --- a/doc/man7/provider-rand.pod +++ b/doc/man7/provider-rand.pod @@ -53,8 +53,8 @@ functions /* RAND parameter descriptors */ const OSSL_PARAM *OSSL_FUNC_rand_gettable_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_rand_gettable_ctx_params(void *provctx); - const OSSL_PARAM *OSSL_FUNC_rand_settable_ctx_params(void *provctx); + const OSSL_PARAM *OSSL_FUNC_rand_gettable_ctx_params(void *ctx, void *provctx); + const OSSL_PARAM *OSSL_FUNC_rand_settable_ctx_params(void *ctx, void *provctx); /* RAND parameters */ int OSSL_FUNC_rand_get_params(OSSL_PARAM params[]); @@ -163,11 +163,16 @@ OSSL_FUNC_rand_get_ctx_params() gets details of currently set parameter values associated with the given provider side rand context I and stores them in I. -OSSL_FUNC_rand_gettable_params(), OSSL_FUNC_rand_gettable_ctx_params(), and -OSSL_FUNC_rand_settable_ctx_params() all return constant B arrays -as descriptors of the parameters that OSSL_FUNC_rand_get_params(), -OSSL_FUNC_rand_get_ctx_params(), and OSSL_FUNC_rand_set_ctx_params() can handle, -respectively. +OSSL_FUNC_rand_gettable_params(), OSSL_FUNC_rand_gettable_ctx_params(), +and OSSL_FUNC_rand_settable_ctx_params() all return constant B +arrays as descriptors of the parameters that OSSL_FUNC_rand_get_params(), +OSSL_FUNC_rand_get_ctx_params(), and OSSL_FUNC_rand_set_ctx_params() +can handle, respectively. OSSL_FUNC_rand_gettable_ctx_params() +and OSSL_FUNC_rand_settable_ctx_params() will return the parameters +associated with the provider side context I in its current state +if it is not NULL. Otherwise, they return the parameters associated +with the provider side algorithm I. + Parameters currently recognised by built-in rands are as follows. Not all parameters are relevant to, or are understood by all rands: diff --git a/fuzz/fuzz_rand.c b/fuzz/fuzz_rand.c index 99c32509c6..cd5371efbd 100644 --- a/fuzz/fuzz_rand.c +++ b/fuzz/fuzz_rand.c @@ -91,7 +91,8 @@ static int fuzz_rand_get_ctx_params(void *vrng, OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *fuzz_rand_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *fuzz_rand_gettable_ctx_params(ossl_unused void *vrng, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 4d1d89ca82..634159524d 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -262,9 +262,9 @@ OSSL_CORE_MAKE_FUNC(int, digest_get_ctx_params, OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, digest_gettable_params, (void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, digest_settable_ctx_params, - (void *provctx)) + (void *dctx, void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, digest_gettable_ctx_params, - (void *provctx)) + (void *dctx, void *provctx)) /* Symmetric Ciphers */ @@ -315,9 +315,9 @@ OSSL_CORE_MAKE_FUNC(int, cipher_set_ctx_params, (void *cctx, OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, cipher_gettable_params, (void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, cipher_settable_ctx_params, - (void *provctx)) + (void *cctx, void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, cipher_gettable_ctx_params, - (void *provctx)) + (void *cctx, void *provctx)) /* MACs */ @@ -345,9 +345,9 @@ OSSL_CORE_MAKE_FUNC(int, mac_final, unsigned char *out, size_t *outl, size_t outsize)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, mac_gettable_params, (void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, mac_gettable_ctx_params, - (void *provctx)) + (void *mctx, void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, mac_settable_ctx_params, - (void *provctx)) + (void *mctx, void *provctx)) OSSL_CORE_MAKE_FUNC(int, mac_get_params, (OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(int, mac_get_ctx_params, (void *mctx, OSSL_PARAM params[])) @@ -376,9 +376,9 @@ OSSL_CORE_MAKE_FUNC(int, kdf_derive, (void *kctx, unsigned char *key, size_t keylen)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, kdf_gettable_params, (void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, kdf_gettable_ctx_params, - (void *provctx)) + (void *kctx, void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, kdf_settable_ctx_params, - (void *provctx)) + (void *kctx, void *provctx)) OSSL_CORE_MAKE_FUNC(int, kdf_get_params, (OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(int, kdf_get_ctx_params, (void *kctx, OSSL_PARAM params[])) @@ -432,9 +432,9 @@ OSSL_CORE_MAKE_FUNC(int,rand_lock, (void *vctx)) OSSL_CORE_MAKE_FUNC(void,rand_unlock, (void *vctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *,rand_gettable_params, (void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *,rand_gettable_ctx_params, - (void *provctx)) + (void *vctx, void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *,rand_settable_ctx_params, - (void *provctx)) + (void *vctx, void *provctx)) OSSL_CORE_MAKE_FUNC(int,rand_get_params, (OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(int,rand_get_ctx_params, (void *vctx, OSSL_PARAM params[])) diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 38cfefd10b..6a2202d954 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -816,6 +816,8 @@ int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]); const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher); const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher); const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher); +const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *ctx); +const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx); const BIO_METHOD *BIO_f_md(void); const BIO_METHOD *BIO_f_base64(void); @@ -1149,6 +1151,8 @@ int EVP_MAC_final(EVP_MAC_CTX *ctx, const OSSL_PARAM *EVP_MAC_gettable_params(const EVP_MAC *mac); const OSSL_PARAM *EVP_MAC_gettable_ctx_params(const EVP_MAC *mac); const OSSL_PARAM *EVP_MAC_settable_ctx_params(const EVP_MAC *mac); +const OSSL_PARAM *EVP_MAC_CTX_gettable_params(EVP_MAC_CTX *ctx); +const OSSL_PARAM *EVP_MAC_CTX_settable_params(EVP_MAC_CTX *ctx); void EVP_MAC_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_MAC *mac, void *arg), @@ -1176,6 +1180,8 @@ int EVP_RAND_set_ctx_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[]); const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand); const OSSL_PARAM *EVP_RAND_gettable_ctx_params(const EVP_RAND *rand); const OSSL_PARAM *EVP_RAND_settable_ctx_params(const EVP_RAND *rand); +const OSSL_PARAM *EVP_RAND_CTX_gettable_params(EVP_RAND_CTX *ctx); +const OSSL_PARAM *EVP_RAND_CTX_settable_params(EVP_RAND_CTX *ctx); void EVP_RAND_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_RAND *rand, void *arg), diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index 37c1736a8c..f1bc9a7709 100644 --- a/include/openssl/kdf.h +++ b/include/openssl/kdf.h @@ -48,6 +48,8 @@ int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]); const OSSL_PARAM *EVP_KDF_gettable_params(const EVP_KDF *kdf); const OSSL_PARAM *EVP_KDF_gettable_ctx_params(const EVP_KDF *kdf); const OSSL_PARAM *EVP_KDF_settable_ctx_params(const EVP_KDF *kdf); +const OSSL_PARAM *EVP_KDF_CTX_gettable_params(EVP_KDF_CTX *ctx); +const OSSL_PARAM *EVP_KDF_CTX_settable_params(EVP_KDF_CTX *ctx); void EVP_KDF_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_KDF *kdf, void *arg), diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index abefc20ab2..b78687ceae 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -59,7 +59,8 @@ static const OSSL_PARAM cipher_aes_known_settable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), OSSL_PARAM_END }; -const OSSL_PARAM *aes_settable_ctx_params(ossl_unused void *provctx) +const OSSL_PARAM *aes_settable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return cipher_aes_known_settable_ctx_params; } @@ -278,7 +279,8 @@ static const OSSL_PARAM cipher_aes_known_gettable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0), OSSL_PARAM_END }; -const OSSL_PARAM *aes_gettable_ctx_params(ossl_unused void *provctx) +const OSSL_PARAM *aes_gettable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return cipher_aes_known_gettable_ctx_params; } diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index 69ee9f2cc5..627f146273 100644 --- a/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/providers/implementations/ciphers/cipher_aes_ocb.c @@ -469,7 +469,8 @@ static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(ossl_unused void *cctx, + ossl_unused void *p_ctx) { return cipher_ocb_known_gettable_ctx_params; } @@ -480,7 +481,8 @@ static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *cipher_ocb_settable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *cipher_ocb_settable_ctx_params(ossl_unused void *cctx, + ossl_unused void *p_ctx) { return cipher_ocb_known_settable_ctx_params; } diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c index 25409bf0a8..9a75f6f5b7 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.c +++ b/providers/implementations/ciphers/cipher_aes_siv.c @@ -183,7 +183,8 @@ static const OSSL_PARAM aes_siv_known_gettable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *aes_siv_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *aes_siv_gettable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return aes_siv_known_gettable_ctx_params; } @@ -233,7 +234,8 @@ static const OSSL_PARAM aes_siv_known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *aes_siv_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *aes_siv_settable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return aes_siv_known_settable_ctx_params; } @@ -248,7 +250,6 @@ static OSSL_FUNC_cipher_update_fn lc##_stream_update; \ static OSSL_FUNC_cipher_final_fn lc##_stream_final; \ static OSSL_FUNC_cipher_cipher_fn lc##_cipher; \ static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lc##_get_params; \ -static OSSL_FUNC_cipher_gettable_params_fn alg##_##lc##_gettable_ctx_params; \ static OSSL_FUNC_cipher_get_ctx_params_fn alg##_##lc##_get_ctx_params; \ static OSSL_FUNC_cipher_gettable_ctx_params_fn \ alg##_##lc##_gettable_ctx_params; \ diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c index e4b18b2719..13552b2a76 100644 --- a/providers/implementations/ciphers/cipher_aes_xts.c +++ b/providers/implementations/ciphers/cipher_aes_xts.c @@ -218,7 +218,8 @@ static const OSSL_PARAM aes_xts_known_settable_ctx_params[] = { OSSL_PARAM_END }; -static const OSSL_PARAM *aes_xts_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *aes_xts_settable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return aes_xts_known_settable_ctx_params; } diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index bee1bb925b..9bce5b0914 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -95,7 +95,8 @@ static const OSSL_PARAM chacha20_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_END }; -const OSSL_PARAM *chacha20_gettable_ctx_params(ossl_unused void *provctx) +const OSSL_PARAM *chacha20_gettable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return chacha20_known_gettable_ctx_params; } @@ -135,7 +136,8 @@ static const OSSL_PARAM chacha20_known_settable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_END }; -const OSSL_PARAM *chacha20_settable_ctx_params(ossl_unused void *provctx) +const OSSL_PARAM *chacha20_settable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return chacha20_known_settable_ctx_params; } diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index 5d9ffad801..78ede20b44 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -135,7 +135,7 @@ static const OSSL_PARAM chacha20_poly1305_known_gettable_ctx_params[] = { OSSL_PARAM_END }; static const OSSL_PARAM *chacha20_poly1305_gettable_ctx_params - (ossl_unused void *provctx) + (ossl_unused void *cctx, ossl_unused void *provctx) { return chacha20_poly1305_known_gettable_ctx_params; } diff --git a/providers/implementations/ciphers/cipher_null.c b/providers/implementations/ciphers/cipher_null.c index 9d33a26f8d..00c97aad7a 100644 --- a/providers/implementations/ciphers/cipher_null.c +++ b/providers/implementations/ciphers/cipher_null.c @@ -111,7 +111,8 @@ static const OSSL_PARAM null_known_gettable_ctx_params[] = { }; static OSSL_FUNC_cipher_gettable_ctx_params_fn null_gettable_ctx_params; -static const OSSL_PARAM *null_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *null_gettable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return null_known_gettable_ctx_params; } @@ -147,7 +148,8 @@ static const OSSL_PARAM null_known_settable_ctx_params[] = { }; static OSSL_FUNC_cipher_settable_ctx_params_fn null_settable_ctx_params; -static const OSSL_PARAM *null_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *null_settable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return null_known_settable_ctx_params; } diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index c69b9aecb8..533820cd80 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -77,7 +77,8 @@ static const OSSL_PARAM rc4_hmac_md5_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), OSSL_PARAM_END }; -const OSSL_PARAM *rc4_hmac_md5_gettable_ctx_params(ossl_unused void *provctx) +const OSSL_PARAM *rc4_hmac_md5_gettable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return rc4_hmac_md5_known_gettable_ctx_params; } @@ -112,7 +113,8 @@ static const OSSL_PARAM rc4_hmac_md5_known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0), OSSL_PARAM_END }; -const OSSL_PARAM *rc4_hmac_md5_settable_ctx_params(ossl_unused void *provctx) +const OSSL_PARAM *rc4_hmac_md5_settable_ctx_params(ossl_unused void *cctx, + ossl_unused void *provctx) { return rc4_hmac_md5_known_settable_ctx_params; } diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index b32f564bf7..3d2fb5b8f8 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -33,7 +33,7 @@ static const OSSL_PARAM cipher_known_gettable_params[] = { { OSSL_CIPHER_PARAM_TLS_MAC, OSSL_PARAM_OCTET_PTR, NULL, 0, OSSL_PARAM_UNMODIFIED }, OSSL_PARAM_END }; -const OSSL_PARAM *ossl_cipher_generic_gettable_params(void *provctx) +const OSSL_PARAM *ossl_cipher_generic_gettable_params(ossl_unused void *provctx) { return cipher_known_gettable_params; } @@ -141,7 +141,7 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { OSSL_PARAM_END }; const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( - ossl_unused void *provctx + ossl_unused void *cctx, ossl_unused void *provctx ) { return cipher_aead_known_gettable_ctx_params; @@ -156,7 +156,7 @@ static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = { OSSL_PARAM_END }; const OSSL_PARAM *ossl_cipher_aead_settable_ctx_params( - ossl_unused void *provctx + ossl_unused void *cctx, ossl_unused void *provctx ) { return cipher_aead_known_settable_ctx_params; diff --git a/providers/implementations/digests/md5_sha1_prov.c b/providers/implementations/digests/md5_sha1_prov.c index d96b72676b..d05a7e7d85 100644 --- a/providers/implementations/digests/md5_sha1_prov.c +++ b/providers/implementations/digests/md5_sha1_prov.c @@ -30,7 +30,8 @@ static const OSSL_PARAM known_md5_sha1_settable_ctx_params[] = { OSSL_PARAM_END }; -static const OSSL_PARAM *md5_sha1_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *md5_sha1_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_md5_sha1_settable_ctx_params; } diff --git a/providers/implementations/digests/mdc2_prov.c b/providers/implementations/digests/mdc2_prov.c index 91f123d55f..edd73ed89e 100644 --- a/providers/implementations/digests/mdc2_prov.c +++ b/providers/implementations/digests/mdc2_prov.c @@ -30,7 +30,8 @@ static const OSSL_PARAM known_mdc2_settable_ctx_params[] = { OSSL_PARAM_END }; -static const OSSL_PARAM *mdc2_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *mdc2_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_mdc2_settable_ctx_params; } diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c index 45fa643ed5..96f4cc7004 100644 --- a/providers/implementations/digests/sha2_prov.c +++ b/providers/implementations/digests/sha2_prov.c @@ -33,7 +33,8 @@ static const OSSL_PARAM known_sha1_settable_ctx_params[] = { {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0}, OSSL_PARAM_END }; -static const OSSL_PARAM *sha1_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *sha1_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_sha1_settable_ctx_params; } diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c index d4d3befa5e..c8c5df41ed 100644 --- a/providers/implementations/digests/sha3_prov.c +++ b/providers/implementations/digests/sha3_prov.c @@ -265,7 +265,8 @@ static const OSSL_PARAM known_shake_settable_ctx_params[] = { {OSSL_DIGEST_PARAM_XOFLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL, 0, 0}, OSSL_PARAM_END }; -static const OSSL_PARAM *shake_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *shake_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_shake_settable_ctx_params; } diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h index c0d7a04b24..d5212c3c81 100644 --- a/providers/implementations/include/prov/ciphercommon.h +++ b/providers/implementations/include/prov/ciphercommon.h @@ -333,7 +333,8 @@ static const OSSL_PARAM name##_known_gettable_ctx_params[] = { \ #define CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(name) \ OSSL_PARAM_END \ }; \ -const OSSL_PARAM * name##_gettable_ctx_params(ossl_unused void *provctx) \ +const OSSL_PARAM * name##_gettable_ctx_params(ossl_unused void *cctx, \ + ossl_unused void *provctx) \ { \ return name##_known_gettable_ctx_params; \ } @@ -345,7 +346,8 @@ static const OSSL_PARAM name##_known_settable_ctx_params[] = { \ #define CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(name) \ OSSL_PARAM_END \ }; \ -const OSSL_PARAM * name##_settable_ctx_params(ossl_unused void *provctx) \ +const OSSL_PARAM * name##_settable_ctx_params(ossl_unused void *cctx, \ + ossl_unused void *provctx) \ { \ return name##_known_settable_ctx_params; \ } diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index aae923b1db..b24b745216 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -237,7 +237,8 @@ static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), @@ -262,7 +263,8 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index 1dfae38d37..26235e400b 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -343,7 +343,8 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), @@ -374,7 +375,8 @@ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) return OSSL_PARAM_set_size_t(p, SIZE_MAX); } -static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c index a928edbb0c..35d6ccb680 100644 --- a/providers/implementations/kdfs/krb5kdf.c +++ b/providers/implementations/kdfs/krb5kdf.c @@ -151,7 +151,8 @@ static int krb5kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *krb5kdf_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *krb5kdf_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), @@ -181,7 +182,8 @@ static int krb5kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *krb5kdf_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *krb5kdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index a7f52f0756..9d993dc545 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -208,7 +208,8 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), @@ -231,7 +232,8 @@ static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index 67506c64ba..ce49c2844c 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -246,7 +246,8 @@ static int kdf_pkcs12_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *kdf_pkcs12_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kdf_pkcs12_settable_ctx_params( + ossl_unused void *ctx, ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), @@ -269,7 +270,8 @@ static int kdf_pkcs12_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *kdf_pkcs12_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kdf_pkcs12_gettable_ctx_params( + ossl_unused void *ctx, ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index 207120fc77..de53d3e129 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -233,7 +233,8 @@ static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *kdf_scrypt_settable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *kdf_scrypt_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0), @@ -257,7 +258,8 @@ static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index cc8f946390..90b7666450 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -171,7 +171,8 @@ static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), @@ -194,7 +195,8 @@ static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index e9f530a9ff..bc0b49c561 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -484,7 +484,8 @@ static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), @@ -510,7 +511,8 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index b87cf73596..a3bdc85040 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -211,7 +211,8 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(ossl_unused void *ctx) +static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( + ossl_unused void *ctx, ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), @@ -232,7 +233,8 @@ static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(ossl_unused void *ctx) +static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( + ossl_unused void *ctx, ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index 00ee7cbdce..a220eca80f 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -533,7 +533,8 @@ static int x942kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *x942kdf_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *x942kdf_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), @@ -563,7 +564,8 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) return -2; } -static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c index d1f4e6331a..4f36991d41 100644 --- a/providers/implementations/macs/blake2_mac_impl.c +++ b/providers/implementations/macs/blake2_mac_impl.c @@ -131,7 +131,8 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), OSSL_PARAM_END }; -static const OSSL_PARAM *blake2_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *blake2_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_gettable_ctx_params; } @@ -153,7 +154,8 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_MAC_PARAM_SALT, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *blake2_mac_settable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *blake2_mac_settable_ctx_params( + ossl_unused void *ctx, ossl_unused void *p_ctx) { return known_settable_ctx_params; } diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c index 9a8b71220f..08c4eebbf3 100644 --- a/providers/implementations/macs/cmac_prov.c +++ b/providers/implementations/macs/cmac_prov.c @@ -141,7 +141,8 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), OSSL_PARAM_END }; -static const OSSL_PARAM *cmac_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *cmac_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_gettable_ctx_params; } @@ -162,7 +163,8 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *cmac_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *cmac_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_settable_ctx_params; } diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c index 691d1169b7..3a4600b66a 100644 --- a/providers/implementations/macs/gmac_prov.c +++ b/providers/implementations/macs/gmac_prov.c @@ -170,7 +170,8 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_MAC_PARAM_IV, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *gmac_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *gmac_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_settable_ctx_params; } diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c index 0412aedbef..6d7d3d5118 100644 --- a/providers/implementations/macs/hmac_prov.c +++ b/providers/implementations/macs/hmac_prov.c @@ -219,7 +219,8 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), OSSL_PARAM_END }; -static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_gettable_ctx_params; } @@ -243,7 +244,8 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE, NULL), OSSL_PARAM_END }; -static const OSSL_PARAM *hmac_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *hmac_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_settable_ctx_params; } diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index d499644f57..76f581ee77 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c @@ -318,7 +318,8 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), OSSL_PARAM_END }; -static const OSSL_PARAM *kmac_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kmac_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_gettable_ctx_params; } @@ -340,7 +341,8 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *kmac_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *kmac_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_settable_ctx_params; } diff --git a/providers/implementations/macs/poly1305_prov.c b/providers/implementations/macs/poly1305_prov.c index 27abb58a08..3f784e9c28 100644 --- a/providers/implementations/macs/poly1305_prov.c +++ b/providers/implementations/macs/poly1305_prov.c @@ -131,7 +131,8 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *poly1305_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *poly1305_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_settable_ctx_params; } diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c index 221db4b83b..95a345495e 100644 --- a/providers/implementations/macs/siphash_prov.c +++ b/providers/implementations/macs/siphash_prov.c @@ -36,7 +36,7 @@ static OSSL_FUNC_mac_dupctx_fn siphash_dup; static OSSL_FUNC_mac_freectx_fn siphash_free; static OSSL_FUNC_mac_gettable_ctx_params_fn siphash_gettable_ctx_params; static OSSL_FUNC_mac_get_ctx_params_fn siphash_get_ctx_params; -static OSSL_FUNC_mac_settable_ctx_params_fn siphash_settable_params; +static OSSL_FUNC_mac_settable_ctx_params_fn siphash_settable_ctx_params; static OSSL_FUNC_mac_set_ctx_params_fn siphash_set_params; static OSSL_FUNC_mac_init_fn siphash_init; static OSSL_FUNC_mac_update_fn siphash_update; @@ -121,7 +121,8 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), OSSL_PARAM_END }; -static const OSSL_PARAM *siphash_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *siphash_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) { return known_gettable_ctx_params; } @@ -141,7 +142,9 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), OSSL_PARAM_END }; -static const OSSL_PARAM *siphash_settable_params(void *provctx) + +static const OSSL_PARAM *siphash_settable_ctx_params(ossl_unused void *ctx, + void *provctx) { return known_settable_ctx_params; } @@ -177,7 +180,7 @@ const OSSL_DISPATCH ossl_siphash_functions[] = { (void (*)(void))siphash_gettable_ctx_params }, { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))siphash_get_ctx_params }, { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS, - (void (*)(void))siphash_settable_params }, + (void (*)(void))siphash_settable_ctx_params }, { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))siphash_set_params }, { 0, NULL } }; diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index e10b4378b5..066775aa52 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -648,7 +648,8 @@ static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) return ossl_drbg_get_ctx_params(drbg, params); } -static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *vctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0), @@ -718,7 +719,8 @@ static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return ossl_drbg_set_ctx_params(ctx, params); } -static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx, + ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0), diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index a181b8f97e..c89b0cd5c3 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -442,7 +442,8 @@ static int drbg_hash_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) return ossl_drbg_get_ctx_params(drbg, params); } -static const OSSL_PARAM *drbg_hash_gettable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *drbg_hash_gettable_ctx_params(ossl_unused void *vctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), @@ -487,7 +488,8 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return ossl_drbg_set_ctx_params(ctx, params); } -static const OSSL_PARAM *drbg_hash_settable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *drbg_hash_settable_ctx_params(ossl_unused void *vctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0), diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index 16c5ae8711..5f193fa57c 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -349,7 +349,8 @@ static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) return ossl_drbg_get_ctx_params(drbg, params); } -static const OSSL_PARAM *drbg_hmac_gettable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *drbg_hmac_gettable_ctx_params(ossl_unused void *vctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), @@ -400,7 +401,8 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return ossl_drbg_set_ctx_params(ctx, params); } -static const OSSL_PARAM *drbg_hmac_settable_ctx_params(ossl_unused void *p_ctx) +static const OSSL_PARAM *drbg_hmac_settable_ctx_params(ossl_unused void *vctx, + ossl_unused void *p_ctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0), diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index 06364b9074..b87aa0c6cd 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c @@ -156,7 +156,8 @@ static int seed_src_get_ctx_params(void *vseed, OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *seed_src_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *seed_src_gettable_ctx_params(ossl_unused void *vseed, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index a1b847ee78..d28f7e0937 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -163,7 +163,8 @@ static int test_rng_get_ctx_params(void *vtest, OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *test_rng_gettable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *test_rng_gettable_ctx_params(ossl_unused void *vtest, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), @@ -212,7 +213,8 @@ static int test_rng_set_ctx_params(void *vtest, const OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *test_rng_settable_ctx_params(ossl_unused void *provctx) +static const OSSL_PARAM *test_rng_settable_ctx_params(ossl_unused void *vtest, + ossl_unused void *provctx) { static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, NULL, 0), diff --git a/test/testutil/fake_random.c b/test/testutil/fake_random.c index 7e18e72d45..9d9b10feb1 100644 --- a/test/testutil/fake_random.c +++ b/test/testutil/fake_random.c @@ -109,7 +109,8 @@ static int fake_rand_get_ctx_params(ossl_unused void *vrng, OSSL_PARAM params[]) return 1; } -static const OSSL_PARAM *fake_rand_gettable_ctx_params(void *vrng) +static const OSSL_PARAM *fake_rand_gettable_ctx_params(ossl_unused void *vrng, + ossl_unused void *provctx) { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), diff --git a/util/libcrypto.num b/util/libcrypto.num index 2f04e81152..aa3071ec30 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5302,5 +5302,13 @@ EVP_PKEY_fromdata_settable ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_param_check_quick ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_public_check_quick ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_is_a ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: RAND_set_DRBG_type ? 3_0_0 EXIST::FUNCTION: RAND_set_seed_source_type ? 3_0_0 EXIST::FUNCTION: From no-reply at appveyor.com Fri Feb 26 14:38:58 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 26 Feb 2021 14:38:58 +0000 Subject: Build failed: openssl master.40240 Message-ID: <20210226143858.1.2235642CF986E346@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Fri Feb 26 14:49:49 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 26 Feb 2021 14:49:49 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock Message-ID: <1614350989.365460.1498261.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): 70-test_sslrecords.t ............... skipped: test_sslrecords needs the sock feature enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs the sock feature enabled 70-test_sslsigalgs.t ............... skipped: test_sslsigalgs needs the sock feature enabled 70-test_sslsignature.t ............. skipped: test_sslsignature needs the sock feature enabled 70-test_sslskewith0p.t ............. skipped: test_sslskewith0p needs the sock feature enabled 70-test_sslversions.t .............. skipped: test_sslversions needs the sock feature enabled 70-test_sslvertol.t ................ skipped: test_sslextension needs the sock feature enabled 70-test_tls13alerts.t .............. skipped: test_tls13alerts needs the sock feature enabled 70-test_tls13cookie.t .............. skipped: test_tls13cookie needs the sock feature enabled 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs the sock feature enabled 70-test_tls13hrr.t ................. skipped: test_tls13hrr needs the sock feature enabled 70-test_tls13kexmodes.t ............ skipped: test_tls13kexmodes needs the sock feature enabled 70-test_tls13messages.t ............ skipped: test_tls13messages needs the sock feature enabled 70-test_tls13psk.t ................. skipped: test_tls13psk needs the sock feature enabled 70-test_tlsextms.t ................. skipped: test_tlsextms needs the sock feature enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok Label not found for "last SKIP" at /usr/share/perl/5.30/Test/More.pm line 1372. # Looks like your test exited with 1 just after 5.80-test_cmp_http.t ................. Dubious, test returned 1 (wstat 256, 0x100) All 5 subtests passed (less 5 skipped subtests: 0 okay) # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... skipped: No DTLS protocols are supported by this OpenSSL build 80-test_dtls_mtu.t ................. skipped: test_dtls_mtu needs DTLS and PSK support enabled 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_cmp_http.t (Wstat: 256 Tests: 5 Failed: 0) Non-zero exit status: 1 Files=232, Tests=3109, 971 wallclock secs (11.14 usr 1.42 sys + 898.51 cusr 76.84 csys = 987.91 CPU) Result: FAIL make[1]: *** [Makefile:3262: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-sock' make: *** [Makefile:3259: tests] Error 2 From no-reply at appveyor.com Fri Feb 26 16:17:57 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 26 Feb 2021 16:17:57 +0000 Subject: Build failed: openssl master.40242 Message-ID: <20210226161757.1.8E1EA585B7F8DCD3@appveyor.com> An HTML attachment was scrubbed... URL: From tomas at openssl.org Fri Feb 26 17:43:53 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 26 Feb 2021 17:43:53 +0000 Subject: [openssl] master update Message-ID: <1614361433.009536.13268.nullmailer@dev.openssl.org> The branch master has been updated via d2ccfb9caa9f69d4980f8fe49a15a043c91b40c5 (commit) via 4519ea90eb8137ce3f00860a705f8320f41b6057 (commit) from db7fbd54cf0636e25d4f8b8fddd829741064b831 (commit) - Log ----------------------------------------------------------------- commit d2ccfb9caa9f69d4980f8fe49a15a043c91b40c5 Author: Tomas Mraz Date: Thu Feb 25 15:08:16 2021 +0100 evp_pkey_provided_test: Improve diagnostic output Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14316) commit 4519ea90eb8137ce3f00860a705f8320f41b6057 Author: Tomas Mraz Date: Thu Feb 25 14:43:21 2021 +0100 tests: Always print errors before test verdict Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14316) ----------------------------------------------------------------------- Summary of changes: test/evp_pkey_provided_test.c | 9 +++++---- test/testutil/driver.c | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index fd0dcdd38a..18b62d4645 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -361,15 +361,16 @@ static int test_fromdata_rsa(void) || !TEST_false(EVP_PKEY_copy_parameters(copy_pk, pk))) goto err; + ret = test_print_key_using_pem("RSA", pk) + && test_print_key_using_encoder("RSA", pk); + err: + /* for better diagnostics always compare key params */ for (i = 0; fromdata_params[i].key != NULL; ++i) { if (!TEST_true(BN_set_word(bn_from, key_numbers[i])) || !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, &bn)) || !TEST_BN_eq(bn, bn_from)) - goto err; + ret = 0; } - ret = test_print_key_using_pem("RSA", pk) - && test_print_key_using_encoder("RSA", pk); - err: BN_free(bn_from); BN_free(bn); EVP_PKEY_free(pk); diff --git a/test/testutil/driver.c b/test/testutil/driver.c index 467c3e8eb3..24222fa865 100644 --- a/test/testutil/driver.c +++ b/test/testutil/driver.c @@ -327,8 +327,8 @@ int run_tests(const char *test_prog_name) } else if (all_tests[i].num == -1) { set_test_title(all_tests[i].test_case_name); verdict = all_tests[i].test_fn(); - test_verdict(verdict, "%d - %s", ii + 1, test_title); finalize(verdict != 0); + test_verdict(verdict, "%d - %s", ii + 1, test_title); if (verdict == 0) num_failed++; } else { From no-reply at appveyor.com Fri Feb 26 20:13:31 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 26 Feb 2021 20:13:31 +0000 Subject: Build failed: openssl master.40252 Message-ID: <20210226201331.1.8F0161CA8FD9E14F@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Fri Feb 26 21:38:33 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 26 Feb 2021 21:38:33 +0000 Subject: Build failed: openssl master.40253 Message-ID: <20210226213833.1.C82AEB0843BFAB12@appveyor.com> An HTML attachment was scrubbed... URL: From kaduk at mit.edu Fri Feb 26 23:43:07 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Fri, 26 Feb 2021 23:43:07 +0000 Subject: [openssl] master update Message-ID: <1614382987.020580.10994.nullmailer@dev.openssl.org> The branch master has been updated via 90b4247cc5dca58cee9da5f6975bb38fd200100a (commit) from d2ccfb9caa9f69d4980f8fe49a15a043c91b40c5 (commit) - Log ----------------------------------------------------------------- commit 90b4247cc5dca58cee9da5f6975bb38fd200100a Author: Benjamin Kaduk Date: Wed Feb 24 13:38:25 2021 -0800 Check ASN1_item_ndef_i2d() return value. Return an error instead of trying to malloc a negative number. The other usage in this file already had a similar check, and the caller should have put an entry on the error stack already. Note that we only check the initial calls to obtain the encoded length, and assume that the follow-up call to actually encode to the allocated storage will succeed if the first one did. Fixes: #14177 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14308) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/bio_ndef.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 87c22e897c..f1ad8d3e70 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -114,6 +114,8 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg) ndef_aux = *(NDEF_SUPPORT **)parg; derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); + if (derlen < 0) + return 0; if ((p = OPENSSL_malloc(derlen)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return 0; From kaduk at mit.edu Fri Feb 26 23:47:16 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Fri, 26 Feb 2021 23:47:16 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1614383236.255671.12558.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via a88ea7dfdfba2c34bd575076f12f06d80dd2c0c2 (commit) from 3a6e6b1f94ae41e2fd73483464c9c80ddcf30d17 (commit) - Log ----------------------------------------------------------------- commit a88ea7dfdfba2c34bd575076f12f06d80dd2c0c2 Author: Benjamin Kaduk Date: Wed Feb 24 13:38:25 2021 -0800 Check ASN1_item_ndef_i2d() return value. Return an error instead of trying to malloc a negative number. The other usage in this file already had a similar check, and the caller should have put an entry on the error stack already. Note that we only check the initial calls to obtain the encoded length, and assume that the follow-up call to actually encode to the allocated storage will succeed if the first one did. Fixes: #14177 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14308) (cherry picked from commit 90b4247cc5dca58cee9da5f6975bb38fd200100a) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/bio_ndef.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 6222c99074..5642262719 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -113,6 +113,8 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg) ndef_aux = *(NDEF_SUPPORT **)parg; derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); + if (derlen < 0) + return 0; if ((p = OPENSSL_malloc(derlen)) == NULL) { ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_MALLOC_FAILURE); return 0; From openssl at openssl.org Sat Feb 27 00:39:02 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 27 Feb 2021 00:39:02 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 Message-ID: <1614386342.235598.2614358.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=232, Tests=3215, 874 wallclock secs (12.55 usr 1.37 sys + 792.56 cusr 84.12 csys = 890.60 CPU) Result: FAIL make[1]: *** [Makefile:3261: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2' make: *** [Makefile:3258: tests] Error 2 From no-reply at appveyor.com Sat Feb 27 00:41:37 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 27 Feb 2021 00:41:37 +0000 Subject: Build failed: openssl master.40256 Message-ID: <20210227004137.1.182761227099945D@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Sat Feb 27 01:33:04 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 27 Feb 2021 01:33:04 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1614389584.404645.2721000.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): # false # OPENSSL_TEST_RAND_ORDER=1614388923 not ok 2 - iteration 2 # ------------------------------------------------------------------------------ # OPENSSL_TEST_RAND_ORDER=1614388923 not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/RQeDr1Z9ZN default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80B117B2C07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80B117B2C07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:944 # false # OPENSSL_TEST_RAND_ORDER=1614388937 not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80B117B2C07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80B117B2C07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1425 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1503 # false # OPENSSL_TEST_RAND_ORDER=1614388937 not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80B117B2C07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80B117B2C07F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6574 # false # OPENSSL_TEST_RAND_ORDER=1614388937 not ok 2 - iteration 2 # ------------------------------------------------------------------------------ # OPENSSL_TEST_RAND_ORDER=1614388937 not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/RQeDr1Z9ZN fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=232, Tests=3301, 1058 wallclock secs (14.63 usr 1.37 sys + 965.55 cusr 91.77 csys = 1073.32 CPU) Result: FAIL make[1]: *** [Makefile:3289: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3286: tests] Error 2 From openssl at openssl.org Sat Feb 27 03:18:08 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 27 Feb 2021 03:18:08 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method Message-ID: <1614395888.641429.2930447.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cmp_http.t ................. ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 70-test_sslextension.t (Wstat: 256 Tests: 7 Failed: 1) Failed test: 2 Non-zero exit status: 1 Parse errors: Bad plan. You planned 8 tests but ran 7. Files=232, Tests=3215, 921 wallclock secs (12.72 usr 1.44 sys + 839.67 cusr 83.38 csys = 937.21 CPU) Result: FAIL make[1]: *** [Makefile:3272: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method' make: *** [Makefile:3269: tests] Error 2 From openssl at openssl.org Sat Feb 27 04:12:59 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 27 Feb 2021 04:12:59 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1614399179.872844.3037085.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): # false # OPENSSL_TEST_RAND_ORDER=1614398512 not ok 2 - iteration 2 # ------------------------------------------------------------------------------ # OPENSSL_TEST_RAND_ORDER=1614398512 not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/bYCpUo4VCt default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80A1BB6CCE7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80A1BB6CCE7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:944 # false # OPENSSL_TEST_RAND_ORDER=1614398526 not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80A1BB6CCE7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80A1BB6CCE7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1425 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1503 # false # OPENSSL_TEST_RAND_ORDER=1614398526 not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80A1BB6CCE7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80A1BB6CCE7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6574 # false # OPENSSL_TEST_RAND_ORDER=1614398526 not ok 2 - iteration 2 # ------------------------------------------------------------------------------ # OPENSSL_TEST_RAND_ORDER=1614398526 not ok 54 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/bYCpUo4VCt fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=232, Tests=3301, 977 wallclock secs (14.61 usr 1.37 sys + 882.59 cusr 92.84 csys = 991.41 CPU) Result: FAIL make[1]: *** [Makefile:3283: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3280: tests] Error 2 From openssl at openssl.org Sat Feb 27 05:07:36 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 27 Feb 2021 05:07:36 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_3 Message-ID: <1614402456.390148.3142077.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_3 Commit log since last time: 6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING a8eb71ad57 Allow the sshkdf type to be passed as a single character da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs b300f1cb3d Fix missing EOL at the end of the rsa/build.info 53cefef62b Remove inclusion of unnecessary header files 7415ffe368 Use strcasecmp when comparing kdf_type 861f265a40 speed: Drop deprecated _options() calls f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM af9f2ee339 Fix typo in comment in DH_set0_pqg function 81c15ed00b Test errors from a provider can still be accessed after unload de4a88a979 Duplicate the file and func error strings b0001d0cf2 provider: add an unquery function to allow providers to clean up. 8b3facd732 rand: note that locking needs to be explicitly enabled. 76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() 10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) 6eb7c748d1 make update 51d058cd94 appveyor.yml: clarify conditions for building the plain configuration 4f6aeabd65 make update 7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly 1263154064 changes: note the deprecation of RAND_METHOD APIs 299f5ff3b5 provider: add option to load a provider without disabling the fallbacks. 332a245c04 test: update tests to use the fake random number generator d994ce1205 test: make the DRBG test work without RAND_METHOD support. b3ab537b3a test: add framework for generic fake random number generator 9c6ee56318 rand: add DRBG/seed setting functions f626c3ffae rand: allow lock/unlock functions to be absent 786b13fa77 RAND_METHOD deprecation: code changes de2ea978b5 RAND_METHOD deprecation: fuzzer 0a89ae97d9 RAND_METHOD deprecation: tests ac60c84fc4 RAND_METHOD deprecation: documentation f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted 13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions 5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions 6fcd92d3d7 EVP: Adapt diverse OSSL_PARAM setters and getters 5137312993 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware 9a1c4e41e8 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs 4d4928edd0 EVP: make evp_pkey_is_assigned() usable in the FIPS module e19246dc72 EVP: Make evp_pkey_ctx_state() available to all of EVP 6179dfc7c4 EVP: Implement EVP_PKEY_CTX_is_a() f627561cf5 util/perl/OpenSSL/config.pm: Add VMS specific C compiler settings 9e1094ad3d util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() 444b25b1e9 Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey. f16f363a85 Fix no-tests on mingw 636a93454d Note that the OSSL_CORE_MAKE_FUNC macro is reserved 510d019141 Document the OSSL_PARAM_DEFN macro 18b207c798 Add documentation for the macro OPENSSL_VERSION_PREREQ 7e1d7fea39 Document OPENSSL_LH_flush() bc4d84abce Suppress errors about undocumented asn1_d2i_read_bio 6ceaf67257 Fix -pkeyopt handling in apps/pkeyutl -rawin 7f90026b3f Handle NULL result of ERR_reason_error_string() in some apps 4718326a46 Add EVP_PKEY_public_check_quick. 681618cfc1 Fix external symbols for pkcs7. 53155f1c81 Fix external symbols for cms. Build log ended with (last 100 lines): # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # # OPENSSL_TEST_RAND_ORDER=1614401727 not ok 3 - iteration 3 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # # OPENSSL_TEST_RAND_ORDER=1614401727 not ok 4 - iteration 4 # ------------------------------------------------------------------------------ # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # # OPENSSL_TEST_RAND_ORDER=1614401727 not ok 5 - iteration 5 # ------------------------------------------------------------------------------ # OPENSSL_TEST_RAND_ORDER=1614401727 not ok 1 - test_handshake # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/ssl_test 14-curves.cnf.fips fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 9 - running ssl_test 14-curves.cnf # ------------------------------------------------------------------------------ # Failed test 'running ssl_test 14-curves.cnf' # at ../openssl/test/recipes/80-test_ssl_new.t line 176. # Looks like you failed 3 tests of 9. not ok 15 - Test configuration 14-curves.cnf # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 31.80-test_ssl_new.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. skipped: test_tls13ccs is not supported in this build 90-test_tls13encryption.t .......... skipped: tls13encryption is not supported in this build 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_new.t (Wstat: 256 Tests: 31 Failed: 1) Failed test: 15 Non-zero exit status: 1 Files=232, Tests=3224, 1056 wallclock secs (13.18 usr 1.45 sys + 965.13 cusr 87.15 csys = 1066.91 CPU) Result: FAIL make[1]: *** [Makefile:3285: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_3' make: *** [Makefile:3282: tests] Error 2 From no-reply at appveyor.com Sat Feb 27 06:28:52 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 27 Feb 2021 06:28:52 +0000 Subject: Build failed: openssl master.40264 Message-ID: <20210227062852.1.F298116783C6B602@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Sat Feb 27 12:02:57 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Sat, 27 Feb 2021 12:02:57 +0000 Subject: [openssl] master update Message-ID: <1614427377.151949.24850.nullmailer@dev.openssl.org> The branch master has been updated via 4ef70dbcf495adfa28efa815c5415dfb9903b92d (commit) from 90b4247cc5dca58cee9da5f6975bb38fd200100a (commit) - Log ----------------------------------------------------------------- commit 4ef70dbcf495adfa28efa815c5415dfb9903b92d Author: Dr. David von Oheimb Date: Fri Feb 26 08:24:07 2021 +0100 Code cleanup mostly in crypto/x509/v3_purp.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14328) ----------------------------------------------------------------------- Summary of changes: crypto/x509/v3_purp.c | 179 ++++++++++++++++++++++---------------------- crypto/x509/x509_trs.c | 2 +- crypto/x509/x509_vfy.c | 6 +- crypto/x509/x509_vpm.c | 20 ++--- include/openssl/x509v3.h.in | 2 +- 5 files changed, 103 insertions(+), 106 deletions(-) diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index 3226d6838f..1149e83780 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -18,22 +18,24 @@ static int check_ssl_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, - int ca); + int require_ca); static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, - int ca); + int require_ca); static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, - int ca); -static int purpose_smime(const X509 *x, int ca); + int require_ca); +static int purpose_smime(const X509 *x, int require_ca); static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, - int ca); + int require_ca); static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, - int ca); + int require_ca); static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, - int ca); + int require_ca); static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, - int ca); -static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); + int require_ca); +static int no_check_purpose(const X509_PURPOSE *xp, const X509 *x, + int require_ca); +static int check_purpose_ocsp_helper(const X509_PURPOSE *xp, const X509 *x, + int require_ca); static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b); static void xptable_free(X509_PURPOSE *p); @@ -51,9 +53,10 @@ static X509_PURPOSE xstandard[] = { check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, - {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", + {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check_purpose, + "Any Purpose", "any", NULL}, - {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, + {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, check_purpose_ocsp_helper, "OCSP helper", "ocsphelper", NULL}, {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", @@ -70,26 +73,26 @@ static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b) } /* - * As much as I'd like to make X509_check_purpose use a "const" X509* I - * really can't because it does recalculate hashes and do other non-const - * things. + * As much as I'd like to make X509_check_purpose use a "const" X509* I really + * can't because it does recalculate hashes and do other non-const things. + * If id == -1 it just calls x509v3_cache_extensions() for its side-effect. + * Returns 1 on success, 0 if x does not allow purpose, -1 on (internal) error. */ -int X509_check_purpose(X509 *x, int id, int ca) +int X509_check_purpose(X509 *x, int id, int require_ca) { int idx; const X509_PURPOSE *pt; if (!x509v3_cache_extensions(x)) return -1; - - /* Return if side-effect only call */ if (id == -1) return 1; + idx = X509_PURPOSE_get_by_id(id); if (idx == -1) return -1; pt = X509_PURPOSE_get0(idx); - return pt->check_purpose(pt, x, ca); + return pt->check_purpose(pt, x, require_ca); } int X509_PURPOSE_set(int *p, int purpose) @@ -130,12 +133,13 @@ int X509_PURPOSE_get_by_sname(const char *sname) return -1; } +/* Returns -1 on error, else an index => 0 in standard/extended purpose table */ int X509_PURPOSE_get_by_id(int purpose) { X509_PURPOSE tmp; int idx; - if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) + if (purpose >= X509_PURPOSE_MIN && purpose <= X509_PURPOSE_MAX) return purpose - X509_PURPOSE_MIN; if (xptable == NULL) return -1; @@ -152,9 +156,8 @@ int X509_PURPOSE_add(int id, int trust, int flags, { int idx; X509_PURPOSE *ptmp; - /* - * This is set according to what we change: application can't set it - */ + + /* This is set according to what we change: application can't set it */ flags &= ~X509_PURPOSE_DYNAMIC; /* This will always be set for application modified trust entries */ flags |= X509_PURPOSE_DYNAMIC_NAME; @@ -175,7 +178,7 @@ int X509_PURPOSE_add(int id, int trust, int flags, OPENSSL_free(ptmp->name); OPENSSL_free(ptmp->sname); } - /* dup supplied name */ + /* Dup supplied name */ ptmp->name = OPENSSL_strdup(name); ptmp->sname = OPENSSL_strdup(sname); if (ptmp->name == NULL|| ptmp->sname == NULL) { @@ -270,7 +273,6 @@ int X509_supported_extension(X509_EXTENSION *ex) * normally reject the certificate. The list must be kept in numerical * order because it will be searched using bsearch. */ - static const int supported_nids[] = { NID_netscape_cert_type, /* 71 */ NID_key_usage, /* 83 */ @@ -301,7 +303,7 @@ int X509_supported_extension(X509_EXTENSION *ex) return 0; } -/* return 1 on success, 0 if x is invalid, -1 on (internal) error */ +/* Returns 1 on success, 0 if x is invalid, -1 on (internal) error. */ static int setup_dp(const X509 *x, DIST_POINT *dp) { const X509_NAME *iname = NULL; @@ -323,7 +325,7 @@ static int setup_dp(const X509 *x, DIST_POINT *dp) if (dp->distpoint == NULL || dp->distpoint->type != 1) return 1; - /* handle name fragment given by nameRelativeToCRLIssuer */ + /* Handle name fragment given by nameRelativeToCRLIssuer */ /* * Note that the below way of determining iname is not really compliant * with https://tools.ietf.org/html/rfc5280#section-4.2.1.13 @@ -343,7 +345,7 @@ static int setup_dp(const X509 *x, DIST_POINT *dp) return DIST_POINT_set_dpname(dp->distpoint, iname) ? 1 : -1; } -/* return 1 on success, 0 if x is invalid, -1 on (internal) error */ +/* Return 1 on success, 0 if x is invalid, -1 on (internal) error. */ static int setup_crldp(X509 *x) { int i; @@ -380,11 +382,11 @@ static int check_sig_alg_match(const EVP_PKEY *issuer_key, const X509 *subject) #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) #define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) + (((x)->ex_flags & EXFLAG_KUSAGE) != 0 && ((x)->ex_kusage & (usage)) == 0) #define xku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) + (((x)->ex_flags & EXFLAG_XKUSAGE) != 0 && ((x)->ex_xkusage & (usage)) == 0) #define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) + (((x)->ex_flags & EXFLAG_NSCERT) != 0 && ((x)->ex_nscert & (usage)) == 0) /* * Cache info on various X.509v3 extensions and further derived information, @@ -404,13 +406,13 @@ int x509v3_cache_extensions(X509 *x) int res; #ifdef tsan_ld_acq - /* fast lock-free check, see end of the function for details. */ + /* Fast lock-free check, see end of the function for details. */ if (tsan_ld_acq((TSAN_QUALIFIER int *)&x->ex_cached)) return (x->ex_flags & EXFLAG_INVALID) == 0; #endif CRYPTO_THREAD_write_lock(x->lock); - if (x->ex_flags & EXFLAG_SET) { /* cert has already been processed */ + if (x->ex_flags & EXFLAG_SET) { /* Cert has already been processed */ CRYPTO_THREAD_unlock(x->lock); return (x->ex_flags & EXFLAG_INVALID) == 0; } @@ -432,7 +434,7 @@ int x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_CA; if (bs->pathlen != NULL) { /* - * the error case !bs->ca is checked by check_chain() + * The error case !bs->ca is checked by check_chain() * in case ctx->param->flags & X509_V_FLAG_X509_STRICT */ if (bs->pathlen->type == V_ASN1_NEG_INTEGER) { @@ -519,7 +521,7 @@ int x509v3_cache_extensions(X509 *x) x->ex_xkusage |= XKU_ANYEKU; break; default: - /* ignore unknown extended key usage */ + /* Ignore unknown extended key usage */ break; } } @@ -551,7 +553,7 @@ int x509v3_cache_extensions(X509 *x) /* Check if subject name matches issuer */ if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) { - x->ex_flags |= EXFLAG_SI; /* cert is self-issued */ + x->ex_flags |= EXFLAG_SI; /* Cert is self-issued */ if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */ /* .. and the signature alg matches the PUBKEY alg: */ && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK) @@ -615,7 +617,7 @@ int x509v3_cache_extensions(X509 *x) /* Set x->siginf, ignoring errors due to unsupported algos */ (void)x509_init_sig_info(x); - x->ex_flags |= EXFLAG_SET; /* indicate that cert has been processed */ + x->ex_flags |= EXFLAG_SET; /* Indicate that cert has been processed */ #ifdef tsan_st_rel tsan_st_rel((TSAN_QUALIFIER int *)&x->ex_cached, 1); /* @@ -656,14 +658,11 @@ static int check_ca(const X509 *x) /* keyUsage if present should allow cert signing */ if (ku_reject(x, KU_KEY_CERT_SIGN)) return 0; - if (x->ex_flags & EXFLAG_BCONS) { - if (x->ex_flags & EXFLAG_CA) - return 1; + if ((x->ex_flags & EXFLAG_BCONS) != 0) { /* If basicConstraints says not a CA then say so */ - else - return 0; + return (x->ex_flags & EXFLAG_CA) != 0; } else { - /* we support V1 roots for... uh, I don't really know why. */ + /* We support V1 roots for... uh, I don't really know why. */ if ((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* @@ -674,7 +673,7 @@ static int check_ca(const X509 *x) /* Older certificates could have Netscape-specific CA types */ else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA) return 5; - /* can this still be regarded a CA certificate? I doubt it */ + /* Can this still be regarded a CA certificate? I doubt it. */ return 0; } } @@ -698,26 +697,23 @@ int X509_check_ca(X509 *x) return check_ca(x); } -/* Check SSL CA: common checks for SSL client and server */ +/* Check SSL CA: common checks for SSL client and server. */ static int check_ssl_ca(const X509 *x) { - int ca_ret; - ca_ret = check_ca(x); - if (!ca_ret) - return 0; - /* check nsCertType if present */ - if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA) - return ca_ret; - else + int ca_ret = check_ca(x); + + if (ca_ret == 0) return 0; + /* Check nsCertType if present */ + return ca_ret != 5 || (x->ex_nscert & NS_SSL_CA) != 0; } static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, - int ca) + int require_ca) { if (xku_reject(x, XKU_SSL_CLIENT)) return 0; - if (ca) + if (require_ca) return check_ssl_ca(x); /* We need to do digital signatures or key agreement */ if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) @@ -737,11 +733,11 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, - int ca) + int require_ca) { if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC)) return 0; - if (ca) + if (require_ca) return check_ssl_ca(x); if (ns_reject(x, NS_SSL_SERVER)) @@ -754,11 +750,11 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, } static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, - int ca) + int require_ca) { int ret; - ret = check_purpose_ssl_server(xp, x, ca); - if (!ret || ca) + ret = check_purpose_ssl_server(xp, x, require_ca); + if (!ret || require_ca) return ret; /* We need to encipher or Netscape complains */ if (ku_reject(x, KU_KEY_ENCIPHERMENT)) @@ -767,16 +763,16 @@ static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, } /* common S/MIME checks */ -static int purpose_smime(const X509 *x, int ca) +static int purpose_smime(const X509 *x, int require_ca) { if (xku_reject(x, XKU_SMIME)) return 0; - if (ca) { + if (require_ca) { int ca_ret; ca_ret = check_ca(x); - if (!ca_ret) + if (ca_ret == 0) return 0; - /* check nsCertType if present */ + /* Check nsCertType if present */ if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; else @@ -794,11 +790,11 @@ static int purpose_smime(const X509 *x, int ca) } static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, - int ca) + int require_ca) { int ret; - ret = purpose_smime(x, ca); - if (!ret || ca) + ret = purpose_smime(x, require_ca); + if (!ret || require_ca) return ret; if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)) return 0; @@ -806,11 +802,11 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, } static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, - int ca) + int require_ca) { int ret; - ret = purpose_smime(x, ca); - if (!ret || ca) + ret = purpose_smime(x, require_ca); + if (!ret || require_ca) return ret; if (ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; @@ -818,9 +814,9 @@ static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, } static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, - int ca) + int require_ca) { - if (ca) { + if (require_ca) { int ca_ret; if ((ca_ret = check_ca(x)) != 2) return ca_ret; @@ -836,26 +832,26 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, * OCSP helper: this is *not* a full OCSP check. It just checks that each CA * is valid. Additional checks must be made on the chain. */ - -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) +static int check_purpose_ocsp_helper(const X509_PURPOSE *xp, const X509 *x, + int require_ca) { /* * Must be a valid CA. Should we really support the "I don't know" value * (2)? */ - if (ca) + if (require_ca) return check_ca(x); - /* leaf certificate is checked in OCSP_verify() */ + /* Leaf certificate is checked in OCSP_verify() */ return 1; } static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, - int ca) + int require_ca) { int i_ext; /* If ca is true we must return if this is a valid CA certificate. */ - if (ca) + if (require_ca) return check_ca(x); /* @@ -884,7 +880,8 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, return 1; } -static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) +static int no_check_purpose(const X509_PURPOSE *xp, const X509 *x, + int require_ca) { return 1; } @@ -911,7 +908,7 @@ int X509_check_issued(X509 *issuer, X509 *subject) return x509_signing_allowed(issuer, subject); } -/* do the checks 1., 2., and 3. as described above for X509_check_issued() */ +/* Do the checks 1., 2., and 3. as described above for X509_check_issued() */ int x509_likely_issued(X509 *issuer, X509 *subject) { int ret; @@ -920,7 +917,7 @@ int x509_likely_issued(X509 *issuer, X509 *subject) X509_get_issuer_name(subject)) != 0) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; - /* set issuer->skid and subject->akid */ + /* Set issuer->skid and subject->akid */ if (!x509v3_cache_extensions(issuer) || !x509v3_cache_extensions(subject)) return X509_V_ERR_UNSPECIFIED; @@ -929,7 +926,7 @@ int x509_likely_issued(X509 *issuer, X509 *subject) if (ret != X509_V_OK) return ret; - /* check if the subject signature alg matches the issuer's PUBKEY alg */ + /* Check if the subject signature alg matches the issuer's PUBKEY alg */ return check_sig_alg_match(X509_get0_pubkey(issuer), subject); } @@ -991,14 +988,14 @@ int X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid) uint32_t X509_get_extension_flags(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, -1); + X509_check_purpose(x, -1, 0); return x->ex_flags; } uint32_t X509_get_key_usage(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1) + if (X509_check_purpose(x, -1, 0) != 1) return 0; if (x->ex_flags & EXFLAG_KUSAGE) return x->ex_kusage; @@ -1008,7 +1005,7 @@ uint32_t X509_get_key_usage(X509 *x) uint32_t X509_get_extended_key_usage(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1) + if (X509_check_purpose(x, -1, 0) != 1) return 0; if (x->ex_flags & EXFLAG_XKUSAGE) return x->ex_xkusage; @@ -1018,7 +1015,7 @@ uint32_t X509_get_extended_key_usage(X509 *x) const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1) + if (X509_check_purpose(x, -1, 0) != 1) return NULL; return x->skid; } @@ -1026,7 +1023,7 @@ const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x) const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1) + if (X509_check_purpose(x, -1, 0) != 1) return NULL; return (x->akid != NULL ? x->akid->keyid : NULL); } @@ -1034,7 +1031,7 @@ const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x) const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1) + if (X509_check_purpose(x, -1, 0) != 1) return NULL; return (x->akid != NULL ? x->akid->issuer : NULL); } @@ -1042,7 +1039,7 @@ const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x) const ASN1_INTEGER *X509_get0_authority_serial(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1) + if (X509_check_purpose(x, -1, 0) != 1) return NULL; return (x->akid != NULL ? x->akid->serial : NULL); } @@ -1050,7 +1047,7 @@ const ASN1_INTEGER *X509_get0_authority_serial(X509 *x) long X509_get_pathlen(X509 *x) { /* Called for side effect of caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1 + if (X509_check_purpose(x, -1, 0) != 1 || (x->ex_flags & EXFLAG_BCONS) == 0) return -1; return x->ex_pathlen; @@ -1059,7 +1056,7 @@ long X509_get_pathlen(X509 *x) long X509_get_proxy_pathlen(X509 *x) { /* Called for side effect of caching extensions */ - if (X509_check_purpose(x, -1, -1) != 1 + if (X509_check_purpose(x, -1, 0) != 1 || (x->ex_flags & EXFLAG_PROXY) == 0) return -1; return x->ex_pcpathlen; diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index dd83dbc52f..88f2f057d5 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -220,7 +220,7 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) * Declare the chain verified if the desired trust OID is not rejected in * any auxiliary trust info for this certificate, and the OID is either * expressly trusted, or else either "anyEKU" is trusted, or the - * certificate is self-signed. + * certificate is self-signed and X509_TRUST_NO_SS_COMPAT is not set. */ flags |= X509_TRUST_DO_SS_COMPAT | X509_TRUST_OK_ANY_EKU; return obj_trust(trust->arg1, x, flags); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f4f78eec9d..5174a67bed 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -46,7 +46,7 @@ static int dane_verify(X509_STORE_CTX *ctx); static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); -static int check_chain(X509_STORE_CTX *ctx); +static int check_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); static int check_id(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx, int num_untrusted); @@ -213,7 +213,7 @@ static int verify_chain(X509_STORE_CTX *ctx) int ok; if ((ok = build_chain(ctx)) <= 0 - || (ok = check_chain(ctx)) <= 0 + || (ok = check_extensions(ctx)) <= 0 || (ok = check_auth_level(ctx)) <= 0 || (ok = check_id(ctx)) <= 0 || (ok = X509_get_pubkey_parameters(NULL, ctx->chain) ? 1 : -1) <= 0 @@ -446,7 +446,7 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, * Check extensions of a cert chain for consistency with the supplied purpose. * Sadly, returns 0 also on internal error. */ -static int check_chain(X509_STORE_CTX *ctx) +static int check_extensions(X509_STORE_CTX *ctx) { int i, must_be_ca, plen = 0; X509 *x; diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 025232e857..0334b58530 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -504,8 +504,8 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) static const X509_VERIFY_PARAM default_table[] = { { "default", /* X509 default parameters */ - 0, /* Check time */ - 0, /* internal flags */ + 0, /* check time to use */ + 0, /* inheritance flags */ X509_V_FLAG_TRUSTED_FIRST, /* flags */ 0, /* purpose */ 0, /* trust */ @@ -515,8 +515,8 @@ static const X509_VERIFY_PARAM default_table[] = { vpm_empty_id}, { "pkcs7", /* S/MIME sign parameters */ - 0, /* Check time */ - 0, /* internal flags */ + 0, /* check time to use */ + 0, /* inheritance flags */ 0, /* flags */ X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ @@ -526,8 +526,8 @@ static const X509_VERIFY_PARAM default_table[] = { vpm_empty_id}, { "smime_sign", /* S/MIME sign parameters */ - 0, /* Check time */ - 0, /* internal flags */ + 0, /* check time to use */ + 0, /* inheritance flags */ 0, /* flags */ X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ @@ -537,8 +537,8 @@ static const X509_VERIFY_PARAM default_table[] = { vpm_empty_id}, { "ssl_client", /* SSL/TLS client parameters */ - 0, /* Check time */ - 0, /* internal flags */ + 0, /* check time to use */ + 0, /* inheritance flags */ 0, /* flags */ X509_PURPOSE_SSL_CLIENT, /* purpose */ X509_TRUST_SSL_CLIENT, /* trust */ @@ -548,8 +548,8 @@ static const X509_VERIFY_PARAM default_table[] = { vpm_empty_id}, { "ssl_server", /* SSL/TLS server parameters */ - 0, /* Check time */ - 0, /* internal flags */ + 0, /* check time to use */ + 0, /* inheritance flags */ 0, /* flags */ X509_PURPOSE_SSL_SERVER, /* purpose */ X509_TRUST_SSL_SERVER, /* trust */ diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in index 6d28f9b540..d00a66a343 100644 --- a/include/openssl/x509v3.h.in +++ b/include/openssl/x509v3.h.in @@ -442,7 +442,7 @@ struct ISSUING_DIST_POINT_st { # define XKU_SSL_CLIENT 0x2 # define XKU_SMIME 0x4 # define XKU_CODE_SIGN 0x8 -# define XKU_SGC 0x10 +# define XKU_SGC 0x10 /* Netscape or MS Server-Gated Crypto */ # define XKU_OCSP_SIGN 0x20 # define XKU_TIMESTAMP 0x40 # define XKU_DVCS 0x80 From levitte at openssl.org Sat Feb 27 15:15:27 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 27 Feb 2021 15:15:27 +0000 Subject: [openssl] master update Message-ID: <1614438927.574144.22417.nullmailer@dev.openssl.org> The branch master has been updated via 1d73e2adae9c80d359d6d85c9f65d97a86add542 (commit) via c8182743a7764ba8c9e61665722cae06fa8edb62 (commit) via 8ab9c4ddc41830a9bd1be36a8e37ee2abc57e886 (commit) via 3d364726606424f760211b5015920410ea9c8f0d (commit) via ad7cb0bf5cb9b014d34327cb35ecdd609a3d4dd4 (commit) via c0ff1932e446621f43cd607371b7d265370d4bc6 (commit) from 4ef70dbcf495adfa28efa815c5415dfb9903b92d (commit) - Log ----------------------------------------------------------------- commit 1d73e2adae9c80d359d6d85c9f65d97a86add542 Author: Richard Levitte Date: Tue Feb 23 22:42:18 2021 +0100 crypto/asn1/i2d_evp.c: Fix i2d_provided() to return a proper length Fixes #14258 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14291) commit c8182743a7764ba8c9e61665722cae06fa8edb62 Author: Richard Levitte Date: Tue Feb 23 22:41:04 2021 +0100 PROV: Implement an EC key -> blob encoder, to get the public key Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14291) commit 8ab9c4ddc41830a9bd1be36a8e37ee2abc57e886 Author: Richard Levitte Date: Tue Feb 23 22:39:39 2021 +0100 Modify i2d_PublicKey() so it can get an EC public key as a blob This introduces the encoder output type "blob", to be used for anything that outputs an unstructured blob of data. Fixes #14258 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14291) commit 3d364726606424f760211b5015920410ea9c8f0d Author: Benjamin Kaduk Date: Fri Feb 19 13:20:00 2021 -0800 test_ecpub: test that we can decode the DER we encoded We should be able to round-trip through the encoded DER form of the EC public key and get back something that compares as equal to the original key. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14291) commit ad7cb0bf5cb9b014d34327cb35ecdd609a3d4dd4 Author: Benjamin Kaduk Date: Fri Feb 19 13:46:49 2021 -0800 test_ecpub: verify returned length after encoding Save the length we got from querying how much space was needed, and check that the actual encoding call returned the same length. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14291) commit c0ff1932e446621f43cd607371b7d265370d4bc6 Author: Benjamin Kaduk Date: Mon Jan 25 12:19:16 2021 -0800 Add test for EC pubkey export/import There seems to be an issue with i2d_provided() in i2d_evp.c that causes us to fail to construct a valid chain of encoders for the "type-specific" output when it's an EC pubkey. This test is designed to exercise that codepath for a variety of curves. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14291) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/i2d_evp.c | 54 ++++-- providers/encoders.inc | 5 +- providers/implementations/encode_decode/build.info | 6 + .../encode_decode/encode_key2blob.c | 202 +++++++++++++++++++++ .../implementations/include/prov/implementations.h | 2 + test/evp_extra_test.c | 71 ++++++++ 6 files changed, 324 insertions(+), 16 deletions(-) create mode 100644 providers/implementations/encode_decode/encode_key2blob.c diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c index 6e4f7080c7..2a101a6fa3 100644 --- a/crypto/asn1/i2d_evp.c +++ b/crypto/asn1/i2d_evp.c @@ -25,29 +25,42 @@ #include "crypto/asn1.h" #include "crypto/evp.h" +struct type_and_structure_st { + const char *output_type; + const char *output_structure; +}; + static int i2d_provided(const EVP_PKEY *a, int selection, - const char *output_structures[], + const struct type_and_structure_st *output_info, unsigned char **pp) { OSSL_ENCODER_CTX *ctx = NULL; int ret; for (ret = -1; - ret == -1 && *output_structures != NULL; - output_structures++) { + ret == -1 && output_info->output_type != NULL; + output_info++) { /* * The i2d_ calls don't take a boundary length for *pp. However, - * OSSL_ENCODER_CTX_get_num_encoders() needs one, so we make one - * up. + * OSSL_ENCODER_to_data() needs one, so we make one up. Because + * OSSL_ENCODER_to_data() decrements this number by the amount of + * bytes written, we need to calculate the length written further + * down, when pp != NULL. */ size_t len = INT_MAX; - ctx = OSSL_ENCODER_CTX_new_for_pkey(a, selection, "DER", - *output_structures, NULL); + ctx = OSSL_ENCODER_CTX_new_for_pkey(a, selection, + output_info->output_type, + output_info->output_structure, + NULL); if (ctx == NULL) return -1; - if (OSSL_ENCODER_to_data(ctx, pp, &len)) - ret = (int)len; + if (OSSL_ENCODER_to_data(ctx, pp, &len)) { + if (pp == NULL) + ret = (int)len; + else + ret = INT_MAX - (int)len; + } OSSL_ENCODER_CTX_free(ctx); ctx = NULL; } @@ -60,9 +73,12 @@ static int i2d_provided(const EVP_PKEY *a, int selection, int i2d_KeyParams(const EVP_PKEY *a, unsigned char **pp) { if (evp_pkey_is_provided(a)) { - const char *output_structures[] = { "type-specific", NULL }; + static const struct type_and_structure_st output_info[] = { + { "DER", "type-specific" }, + { NULL, } + }; - return i2d_provided(a, EVP_PKEY_KEY_PARAMETERS, output_structures, pp); + return i2d_provided(a, EVP_PKEY_KEY_PARAMETERS, output_info, pp); } if (a->ameth != NULL && a->ameth->param_encode != NULL) return a->ameth->param_encode(a, pp); @@ -78,9 +94,13 @@ int i2d_KeyParams_bio(BIO *bp, const EVP_PKEY *pkey) int i2d_PrivateKey(const EVP_PKEY *a, unsigned char **pp) { if (evp_pkey_is_provided(a)) { - const char *output_structures[] = { "type-specific", "pkcs8", NULL }; + static const struct type_and_structure_st output_info[] = { + { "DER", "type-specific" }, + { "DER", "pkcs8" }, + { NULL, } + }; - return i2d_provided(a, EVP_PKEY_KEYPAIR, output_structures, pp); + return i2d_provided(a, EVP_PKEY_KEYPAIR, output_info, pp); } if (a->ameth != NULL && a->ameth->old_priv_encode != NULL) { return a->ameth->old_priv_encode(a, pp); @@ -102,9 +122,13 @@ int i2d_PrivateKey(const EVP_PKEY *a, unsigned char **pp) int i2d_PublicKey(const EVP_PKEY *a, unsigned char **pp) { if (evp_pkey_is_provided(a)) { - const char *output_structures[] = { "type-specific", NULL }; + static const struct type_and_structure_st output_info[] = { + { "DER", "type-specific" }, + { "blob", NULL }, /* for EC */ + { NULL, } + }; - return i2d_provided(a, EVP_PKEY_PUBLIC_KEY, output_structures, pp); + return i2d_provided(a, EVP_PKEY_PUBLIC_KEY, output_info, pp); } switch (EVP_PKEY_id(a)) { case EVP_PKEY_RSA: diff --git a/providers/encoders.inc b/providers/encoders.inc index e7d11c731b..71f4f13848 100644 --- a/providers/encoders.inc +++ b/providers/encoders.inc @@ -104,12 +104,15 @@ ENCODER_w_structure("DSA", dsa, yes, der, type_specific), ENCODER_w_structure("DSA", dsa, yes, pem, type_specific), #endif #ifndef OPENSSL_NO_EC -/* EC only supports keypair and parameters output. */ +/* EC only supports keypair and parameters DER and PEM output. */ ENCODER_w_structure("EC", ec, yes, der, type_specific_no_pub), ENCODER_w_structure("EC", ec, yes, pem, type_specific_no_pub), +/* EC supports blob output for the public key */ +ENCODER("EC", ec, yes, blob), # ifndef OPENSSL_NO_SM2 ENCODER_w_structure("SM2", sm2, yes, der, type_specific_no_pub), ENCODER_w_structure("SM2", sm2, yes, pem, type_specific_no_pub), +ENCODER("SM2", sm2, yes, blob), # endif #endif diff --git a/providers/implementations/encode_decode/build.info b/providers/implementations/encode_decode/build.info index 55b7d0ad6e..5b8d9f6ef2 100644 --- a/providers/implementations/encode_decode/build.info +++ b/providers/implementations/encode_decode/build.info @@ -15,4 +15,10 @@ SOURCE[$ENCODER_GOAL]=endecoder_common.c SOURCE[$DECODER_GOAL]=decode_der2key.c decode_pem2der.c decode_ms2key.c SOURCE[$ENCODER_GOAL]=encode_key2any.c encode_key2text.c encode_key2ms.c +# encode_key2blob.c is only being included when EC is enabled, because we +# currently only define a "blob" output type for EC public keys. This may +# change in the future. +IF[{- !$disabled{ec} -}] + SOURCE[$ENCODER_GOAL]=encode_key2blob.c +ENDIF DEPEND[encode_key2any.o]=../../common/include/prov/der_rsa.h diff --git a/providers/implementations/encode_decode/encode_key2blob.c b/providers/implementations/encode_decode/encode_key2blob.c new file mode 100644 index 0000000000..2e5e581391 --- /dev/null +++ b/providers/implementations/encode_decode/encode_key2blob.c @@ -0,0 +1,202 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Low level APIs are deprecated for public use, but still ok for internal use. + */ +#include "internal/deprecated.h" + +#include +#include +#include +#include +#include +#include +#include +#include "internal/passphrase.h" +#include "internal/nelem.h" +#include "prov/implementations.h" +#include "prov/bio.h" +#include "prov/provider_ctx.h" +#include "endecoder_local.h" + +static int write_blob(void *provctx, OSSL_CORE_BIO *cout, + void *data, int len) +{ + BIO *out = bio_new_from_core_bio(provctx, cout); + int ret = BIO_write(out, data, len); + + BIO_free(out); + return ret; +} + +static OSSL_FUNC_encoder_newctx_fn key2blob_newctx; +static OSSL_FUNC_encoder_freectx_fn key2blob_freectx; +static OSSL_FUNC_encoder_gettable_params_fn key2blob_gettable_params; +static OSSL_FUNC_encoder_get_params_fn key2blob_get_params; + +static void *key2blob_newctx(void *provctx) +{ + return provctx; +} + +static void key2blob_freectx(void *vctx) +{ +} + +static const OSSL_PARAM *key2blob_gettable_params(ossl_unused void *provctx) +{ + static const OSSL_PARAM gettables[] = { + { OSSL_ENCODER_PARAM_OUTPUT_TYPE, OSSL_PARAM_UTF8_PTR, NULL, 0, 0 }, + OSSL_PARAM_END, + }; + + return gettables; +} + +static int key2blob_get_params(OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_ENCODER_PARAM_OUTPUT_TYPE); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "blob")) + return 0; + + return 1; +} + +static int key2blob_check_selection(int selection, int selection_mask) +{ + /* + * The selections are kinda sorta "levels", i.e. each selection given + * here is assumed to include those following. + */ + int checks[] = { + OSSL_KEYMGMT_SELECT_PRIVATE_KEY, + OSSL_KEYMGMT_SELECT_PUBLIC_KEY, + OSSL_KEYMGMT_SELECT_ALL_PARAMETERS + }; + size_t i; + + /* The decoder implementations made here support guessing */ + if (selection == 0) + return 1; + + for (i = 0; i < OSSL_NELEM(checks); i++) { + int check1 = (selection & checks[i]) != 0; + int check2 = (selection_mask & checks[i]) != 0; + + /* + * If the caller asked for the currently checked bit(s), return + * whether the decoder description says it's supported. + */ + if (check1) + return check2; + } + + /* This should be dead code, but just to be safe... */ + return 0; +} + +static int key2blob_encode(void *vctx, const void *key, int selection, + OSSL_CORE_BIO *cout) +{ + int pubkey_len = 0, ok = 0; + unsigned char *pubkey = NULL; + + pubkey_len = i2o_ECPublicKey(key, &pubkey); + if (pubkey_len > 0 && pubkey != NULL) + ok = write_blob(vctx, cout, pubkey, pubkey_len); + OPENSSL_free(pubkey); + return ok; +} + +/* + * MAKE_BLOB_ENCODER() Makes an OSSL_DISPATCH table for a particular key->blob + * encoder + * + * impl: The keytype to encode + * type: The C structure type holding the key data + * selection_name: The acceptable selections. This translates into + * the macro EVP_PKEY_##selection_name. + * + * The selection is understood as a "level" rather than an exact set of + * requests from the caller. The encoder has to decide what contents fit + * the encoded format. For example, the EC public key blob will only contain + * the encoded public key itself, no matter if the selection bits include + * OSSL_KEYMGMT_SELECT_PARAMETERS or not. However, if the selection includes + * OSSL_KEYMGMT_SELECT_PRIVATE_KEY, the same encoder will simply refuse to + * cooperate, because it cannot output the private key. + * + * EVP_PKEY_##selection_name are convenience macros that combine "typical" + * OSSL_KEYMGMT_SELECT_ macros for a certain type of EVP_PKEY content. + */ +#define MAKE_BLOB_ENCODER(impl, type, selection_name) \ + static OSSL_FUNC_encoder_import_object_fn \ + impl##2blob_import_object; \ + static OSSL_FUNC_encoder_free_object_fn impl##2blob_free_object; \ + static OSSL_FUNC_encoder_does_selection_fn \ + impl##2blob_does_selection; \ + static OSSL_FUNC_encoder_encode_fn impl##2blob_encode; \ + \ + static void *impl##2blob_import_object(void *ctx, int selection, \ + const OSSL_PARAM params[]) \ + { \ + return ossl_prov_import_key(ossl_##impl##_keymgmt_functions, \ + ctx, selection, params); \ + } \ + static void impl##2blob_free_object(void *key) \ + { \ + ossl_prov_free_key(ossl_##impl##_keymgmt_functions, key); \ + } \ + static int impl##2blob_does_selection(void *ctx, int selection) \ + { \ + return key2blob_check_selection(selection, \ + EVP_PKEY_##selection_name); \ + } \ + static int impl##2blob_encode(void *vctx, OSSL_CORE_BIO *cout, \ + const void *key, \ + const OSSL_PARAM key_abstract[], \ + int selection, \ + OSSL_PASSPHRASE_CALLBACK *cb, \ + void *cbarg) \ + { \ + /* We don't deal with abstract objects */ \ + if (key_abstract != NULL) { \ + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); \ + return 0; \ + } \ + return key2blob_encode(vctx, key, selection, cout); \ + } \ + const OSSL_DISPATCH ossl_##impl##_to_blob_encoder_functions[] = { \ + { OSSL_FUNC_ENCODER_NEWCTX, \ + (void (*)(void))key2blob_newctx }, \ + { OSSL_FUNC_ENCODER_FREECTX, \ + (void (*)(void))key2blob_freectx }, \ + { OSSL_FUNC_ENCODER_GETTABLE_PARAMS, \ + (void (*)(void))key2blob_gettable_params }, \ + { OSSL_FUNC_ENCODER_GET_PARAMS, \ + (void (*)(void))key2blob_get_params }, \ + { OSSL_FUNC_ENCODER_DOES_SELECTION, \ + (void (*)(void))impl##2blob_does_selection }, \ + { OSSL_FUNC_ENCODER_IMPORT_OBJECT, \ + (void (*)(void))impl##2blob_import_object }, \ + { OSSL_FUNC_ENCODER_FREE_OBJECT, \ + (void (*)(void))impl##2blob_free_object }, \ + { OSSL_FUNC_ENCODER_ENCODE, \ + (void (*)(void))impl##2blob_encode }, \ + { 0, NULL } \ + } + +#ifndef OPENSSL_NO_EC +MAKE_BLOB_ENCODER(ec, ec, PUBLIC_KEY); +# ifndef OPENSSL_NO_SM2 +MAKE_BLOB_ENCODER(sm2, ec, PUBLIC_KEY); +# endif +#endif diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 8321dd92b4..20d6b84021 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -380,6 +380,7 @@ extern const OSSL_DISPATCH ossl_dsa_to_text_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_EC_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_EC_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_ec_to_blob_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_PKCS8_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_PKCS8_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -393,6 +394,7 @@ extern const OSSL_DISPATCH ossl_ec_to_text_encoder_functions[]; #ifndef OPENSSL_NO_SM2 extern const OSSL_DISPATCH ossl_sm2_to_SM2_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_SM2_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_blob_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_PKCS8_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_PKCS8_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_SubjectPublicKeyInfo_der_encoder_functions[]; diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 845752fae4..2195f21a9d 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -2415,6 +2415,74 @@ err: return ret; } +#ifndef OPENSSL_NO_EC +static int ecpub_nids[] = { NID_brainpoolP256r1, NID_X9_62_prime256v1, + NID_secp384r1, NID_secp521r1, NID_sect233k1, NID_sect233r1, NID_sect283r1, + NID_sect409k1, NID_sect409r1, NID_sect571k1, NID_sect571r1, + NID_brainpoolP384r1, NID_brainpoolP512r1}; + +static int test_ecpub(int idx) +{ + int ret = 0, len, savelen; + int nid; + unsigned char buf[1024]; + unsigned char *p; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; +# ifndef OPENSSL_NO_DEPRECATED_3_0 + const unsigned char *q; + EVP_PKEY *pkey2 = NULL; + EC_KEY *ec = NULL; +# endif + + nid = ecpub_nids[idx]; + + ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + if (!TEST_ptr(ctx) + || !TEST_true(EVP_PKEY_keygen_init(ctx)) + || !TEST_true(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid)) + || !TEST_true(EVP_PKEY_keygen(ctx, &pkey))) + goto done; + len = i2d_PublicKey(pkey, NULL); + savelen = len; + if (!TEST_int_ge(len, 1) + || !TEST_int_lt(len, 1024)) + goto done; + p = buf; + len = i2d_PublicKey(pkey, &p); + if (!TEST_int_ge(len, 1) + || !TEST_int_eq(len, savelen)) + goto done; + +# ifndef OPENSSL_NO_DEPRECATED_3_0 + /* Now try to decode the just-created DER. */ + q = buf; + if (!TEST_ptr((pkey2 = EVP_PKEY_new())) + || !TEST_ptr((ec = EC_KEY_new_by_curve_name(nid))) + || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey2, ec))) + goto done; + /* EC_KEY ownership transferred */ + ec = NULL; + if (!TEST_ptr(d2i_PublicKey(EVP_PKEY_EC, &pkey2, &q, savelen))) + goto done; + /* The keys should match. */ + if (!TEST_int_eq(EVP_PKEY_cmp(pkey, pkey2), 1)) + goto done; +# endif + + ret = 1; + + done: + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +# ifndef OPENSSL_NO_DEPRECATED_3_0 + EVP_PKEY_free(pkey2); + EC_KEY_free(ec); +# endif + return ret; +} +#endif + static int test_EVP_rsa_pss_with_keygen_bits(void) { int ret; @@ -2556,6 +2624,9 @@ int setup_tests(void) ADD_TEST(test_rand_agglomeration); ADD_ALL_TESTS(test_evp_iv, 10); ADD_TEST(test_EVP_rsa_pss_with_keygen_bits); +#ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids)); +#endif ADD_TEST(test_names_do_all); From no-reply at appveyor.com Sat Feb 27 17:51:12 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 27 Feb 2021 17:51:12 +0000 Subject: Build failed: openssl master.40276 Message-ID: <20210227175112.1.D530B9C555A41EE4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Feb 27 20:37:34 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 27 Feb 2021 20:37:34 +0000 Subject: Build completed: openssl master.40277 Message-ID: <20210227203734.1.9A06AE1AD1FC3D85@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Sun Feb 28 07:33:48 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 28 Feb 2021 07:33:48 +0000 Subject: [openssl] master update Message-ID: <1614497628.276413.6656.nullmailer@dev.openssl.org> The branch master has been updated via d5a936c5b1c2f0c6f882c0cfd2ff34f8845260f7 (commit) via dbf299f73df80c7b5695f1311837686d84f1be18 (commit) via f8a5822cff0b05df8fa937b5aca72ef5b4c1b47a (commit) via 7198bd1a8f44be994106d3dba4bbb3362147b144 (commit) via b98d550d807eccde3bd3f88f9831e002d3835cc3 (commit) via 8d5b197b289988f8bc55e01e7ae27b82b16964b6 (commit) via 671ff5c74ec135b7c419895983d67c63013ffa9e (commit) via 6980e36a2aab7a916e8bdcdb70ee03ebaa1bc1cf (commit) via f5081be376dfecb193db647b97d0fb2033760a4c (commit) via 6bcd32a43fffc944c1f06f018dd52eeefd286e7c (commit) via 36fae6e85a12c46b48d82762911c74e53ec0cc13 (commit) via bb0ab821f38427576e4f25bb66818bc297ee8b22 (commit) via 3469b388164775546022635d6695cae17104faa6 (commit) via 5cceedb5830216dfec503127d810ee1ccaaaec0a (commit) via 05cdec396be03851e5a4eb9cca6205bdb970fd47 (commit) via 7c75f2daf8b50c92bfb5c17fa62136e61f6eb515 (commit) via a9603292fb77349ba144f38612d88af07107396a (commit) via dc567dc746bcd6fd8656daf59c88362b9cb0456d (commit) via 9258f7efa7aacfef08dccb4e0f11e7cc17f078f8 (commit) via 7f7640c45534fb07562c751c935f93bf30275081 (commit) via afa44486c5314c5670870e8920d237deb6f7746c (commit) via 1dfe97530f3ec50541810e1aca99343c68fd40fb (commit) via 80ba2526fa8605d0a3848a6d90f9ae5a0125505a (commit) via ac238428cec494ec33d1558856e0b5f4a6a4c792 (commit) via c23f96f3f6f385a3d7ce3b3a4c48f9b531cec41f (commit) via 0a56b3c2e58930e6c6e958bf59a80ef026f6f1b2 (commit) via 005b190297e1ed7a930a1085b49c95c6f4ad57f7 (commit) via cf5784aa03bf4e9214dc92bd9f92fcc09e664d40 (commit) via 91593b37840067c588ce38bc628922d4b3400917 (commit) via 19ea8a8a215c2fc637b3e3664c75fc0636189459 (commit) via fbff75caaab25f028718990b716341a4de672954 (commit) via b58e1f74905fe0a51f00cd0c2d8e9a9b0469326b (commit) via 77e4ae58ea05d08851d8919543f9993fd06e113e (commit) via 41df96efc150d3ccee01ab692d882ddba3d2d3d8 (commit) via 0edb81944133a5f2f9e4c6fd7282e40a2d1aa582 (commit) via cc2314a9f630c47860afbddd29ef5b4223371a8a (commit) via 1dc28e742d0a7e37f76353680afac547e88375ef (commit) via 4a5d8c0cb7a57cc8019f16ec3218cc1044652dcc (commit) via 2211bf6bb795c59f43aa93d746c46de63843d7cd (commit) via ebf8274c552bd7543119a138cfa86728711a1431 (commit) via 2524ec1ac24ef3a887a53c728d67e6a128653186 (commit) via 8f5d64b102b7aa0e5a8102da45af5452fff692ae (commit) via ae7d90a1594dabf72123f395f9f2436452ab5d9a (commit) from 1d73e2adae9c80d359d6d85c9f65d97a86add542 (commit) - Log ----------------------------------------------------------------- commit d5a936c5b1c2f0c6f882c0cfd2ff34f8845260f7 Author: Pauli Date: Fri Feb 26 10:57:21 2021 +1000 rand: use params argument on instantiate call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit dbf299f73df80c7b5695f1311837686d84f1be18 Author: Pauli Date: Fri Feb 26 10:57:05 2021 +1000 core: add params argument to DRBG instantiate call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit f8a5822cff0b05df8fa937b5aca72ef5b4c1b47a Author: Pauli Date: Fri Feb 26 10:56:46 2021 +1000 doc: update documenation with params argument on DRBG instantiate calls Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 7198bd1a8f44be994106d3dba4bbb3362147b144 Author: Pauli Date: Fri Feb 26 10:56:17 2021 +1000 test: update tests to allow for params argument for the instantiate call on EVP_RAND_CTXs Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit b98d550d807eccde3bd3f88f9831e002d3835cc3 Author: Pauli Date: Fri Feb 26 10:55:40 2021 +1000 prov: update rand implementations to have a params argument for the instantiate call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 8d5b197b289988f8bc55e01e7ae27b82b16964b6 Author: Pauli Date: Fri Feb 26 10:55:02 2021 +1000 fips: update DRBG KATs for the extra instantiate argument Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 671ff5c74ec135b7c419895983d67c63013ffa9e Author: Pauli Date: Fri Feb 26 10:52:13 2021 +1000 evp: add params argument to EVP_RAND_instantiate() Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 6980e36a2aab7a916e8bdcdb70ee03ebaa1bc1cf Author: Pauli Date: Fri Feb 26 10:09:49 2021 +1000 doc: document additional argument to KDF derive calls Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit f5081be376dfecb193db647b97d0fb2033760a4c Author: Pauli Date: Fri Feb 26 10:09:27 2021 +1000 prov: add additional argument to KDF derive call in key exchange Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 6bcd32a43fffc944c1f06f018dd52eeefd286e7c Author: Pauli Date: Fri Feb 26 10:09:07 2021 +1000 fips: add additional argument to KDF derive call in self test Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 36fae6e85a12c46b48d82762911c74e53ec0cc13 Author: Pauli Date: Fri Feb 26 10:08:45 2021 +1000 crypto: add additional argument to KDF derive calls Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit bb0ab821f38427576e4f25bb66818bc297ee8b22 Author: Pauli Date: Fri Feb 26 10:08:23 2021 +1000 apps: add addition argument to KDF derive call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 3469b388164775546022635d6695cae17104faa6 Author: Pauli Date: Fri Feb 26 10:07:23 2021 +1000 prov: add extra params argument to KDF implementations Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 5cceedb5830216dfec503127d810ee1ccaaaec0a Author: Pauli Date: Fri Feb 26 10:06:52 2021 +1000 tls: adjust for extra argument to KDF derive call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 05cdec396be03851e5a4eb9cca6205bdb970fd47 Author: Pauli Date: Fri Feb 26 10:06:31 2021 +1000 test: adjust tests to include extra argument to KDF derive call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 7c75f2daf8b50c92bfb5c17fa62136e61f6eb515 Author: Pauli Date: Fri Feb 26 10:06:11 2021 +1000 evp: add param argument to KDF derive call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit a9603292fb77349ba144f38612d88af07107396a Author: Pauli Date: Fri Feb 26 10:05:46 2021 +1000 core: add param argument to KDF derive call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit dc567dc746bcd6fd8656daf59c88362b9cb0456d Author: Pauli Date: Thu Feb 25 14:30:57 2021 +1000 doc: update provider-mac documentation to account for the additional init() arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 9258f7efa7aacfef08dccb4e0f11e7cc17f078f8 Author: Pauli Date: Thu Feb 25 14:27:29 2021 +1000 doc: update KMAC doc to not say that the `KEY\' parameter needs to be set before the init call Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 7f7640c45534fb07562c751c935f93bf30275081 Author: Pauli Date: Thu Feb 25 14:12:56 2021 +1000 apps: update speed to use the additional arguments to MAC_init Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit afa44486c5314c5670870e8920d237deb6f7746c Author: Pauli Date: Thu Feb 25 14:03:09 2021 +1000 doc: note the additional parameters to EVP_MAC_init() Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 1dfe97530f3ec50541810e1aca99343c68fd40fb Author: Pauli Date: Thu Feb 25 13:54:55 2021 +1000 update poly1305 to have additional init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 80ba2526fa8605d0a3848a6d90f9ae5a0125505a Author: Pauli Date: Thu Feb 25 13:54:35 2021 +1000 update BLAKE2 to have additional init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit ac238428cec494ec33d1558856e0b5f4a6a4c792 Author: Pauli Date: Thu Feb 25 13:54:13 2021 +1000 prov: update kmac to have additional init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit c23f96f3f6f385a3d7ce3b3a4c48f9b531cec41f Author: Pauli Date: Thu Feb 25 13:54:13 2021 +1000 prov: update hmac to have additional init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 0a56b3c2e58930e6c6e958bf59a80ef026f6f1b2 Author: Pauli Date: Thu Feb 25 13:54:13 2021 +1000 prov: update gmac to have additional init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 005b190297e1ed7a930a1085b49c95c6f4ad57f7 Author: Pauli Date: Thu Feb 25 13:54:12 2021 +1000 prov: update cmac to have additional init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit cf5784aa03bf4e9214dc92bd9f92fcc09e664d40 Author: Pauli Date: Thu Feb 25 13:52:25 2021 +1000 prov: use new MAC_init arguments in HMAC-DRBG Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 91593b37840067c588ce38bc628922d4b3400917 Author: Pauli Date: Thu Feb 25 13:52:06 2021 +1000 prov: use new MAC_init arguments in signature legacy code Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 19ea8a8a215c2fc637b3e3664c75fc0636189459 Author: Pauli Date: Thu Feb 25 13:51:28 2021 +1000 prov: update provider util to be less agressive about changing things unnecessarily Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit fbff75caaab25f028718990b716341a4de672954 Author: Pauli Date: Thu Feb 25 13:51:03 2021 +1000 fips: update to use the extra MAC init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit b58e1f74905fe0a51f00cd0c2d8e9a9b0469326b Author: Pauli Date: Thu Feb 25 13:50:45 2021 +1000 core: update to use the extra MAC init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 77e4ae58ea05d08851d8919543f9993fd06e113e Author: Pauli Date: Thu Feb 25 13:50:01 2021 +1000 test: updates for the new additional MAC_init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 41df96efc150d3ccee01ab692d882ddba3d2d3d8 Author: Pauli Date: Thu Feb 25 13:49:37 2021 +1000 evp_test: updates for the new additional MAC_init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 0edb81944133a5f2f9e4c6fd7282e40a2d1aa582 Author: Pauli Date: Thu Feb 25 13:49:10 2021 +1000 tls: updates for the new additional MAC_init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit cc2314a9f630c47860afbddd29ef5b4223371a8a Author: Pauli Date: Thu Feb 25 13:48:48 2021 +1000 evp: updates for the new additional MAC_init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 1dc28e742d0a7e37f76353680afac547e88375ef Author: Pauli Date: Thu Feb 25 13:48:27 2021 +1000 crmf: updates for the new additional MAC_init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 4a5d8c0cb7a57cc8019f16ec3218cc1044652dcc Author: Pauli Date: Thu Feb 25 13:48:00 2021 +1000 apps: updates for the new additional MAC_init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 2211bf6bb795c59f43aa93d746c46de63843d7cd Author: Pauli Date: Thu Feb 25 13:47:36 2021 +1000 apps: update mac to work with additional MAC_init arguments. This doesn't include the creation of new 'key' arguments. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit ebf8274c552bd7543119a138cfa86728711a1431 Author: Pauli Date: Thu Feb 25 13:47:01 2021 +1000 apps: update fipsinstall to work with additional MAC_init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 2524ec1ac24ef3a887a53c728d67e6a128653186 Author: Pauli Date: Thu Feb 25 10:27:22 2021 +1000 prov kdf: update to use the extra MAC init arguments Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit 8f5d64b102b7aa0e5a8102da45af5452fff692ae Author: Pauli Date: Thu Feb 25 10:22:01 2021 +1000 prov: update SipHash to new init function Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) commit ae7d90a1594dabf72123f395f9f2436452ab5d9a Author: Pauli Date: Thu Feb 25 09:52:26 2021 +1000 siphash: Add the C and D round parameters for SipHash. This represents a gap in functionality from the low level APIs. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14310) ----------------------------------------------------------------------- Summary of changes: apps/fipsinstall.c | 2 +- apps/kdf.c | 2 +- apps/lib/s_cb.c | 10 +-- apps/mac.c | 7 +- apps/speed.c | 14 ++-- crypto/crmf/crmf_pbm.c | 6 +- crypto/dh/dh_kdf.c | 3 +- crypto/ec/ecdh_kdf.c | 3 +- crypto/evp/evp_rand.c | 9 ++- crypto/evp/kdf_lib.c | 5 +- crypto/evp/mac_lib.c | 5 +- crypto/evp/p5_crpt2.c | 3 +- crypto/evp/pbe_scrypt.c | 3 +- crypto/pkcs12/p12_key.c | 2 +- crypto/rand/rand_lib.c | 9 +-- crypto/siphash/siphash.c | 8 +- crypto/siphash/siphash_local.h | 11 ++- doc/man3/EVP_KDF.pod | 17 +++-- doc/man3/EVP_MAC.pod | 21 +++--- doc/man3/EVP_RAND.pod | 16 ++-- doc/man7/EVP_KDF-HKDF.pod | 5 +- doc/man7/EVP_KDF-KB.pod | 4 +- doc/man7/EVP_KDF-KRB5KDF.pod | 5 +- doc/man7/EVP_KDF-SCRYPT.pod | 5 +- doc/man7/EVP_KDF-SS.pod | 15 +--- doc/man7/EVP_KDF-SSHKDF.pod | 5 +- doc/man7/EVP_KDF-TLS1_PRF.pod | 5 +- doc/man7/EVP_KDF-X942-ASN1.pod | 5 +- doc/man7/EVP_KDF-X963.pod | 5 +- doc/man7/EVP_MAC-KMAC.pod | 4 +- doc/man7/EVP_MAC-Siphash.pod | 8 ++ doc/man7/EVP_RAND-CTR-DRBG.pod | 2 +- doc/man7/EVP_RAND-HASH-DRBG.pod | 2 +- doc/man7/EVP_RAND-HMAC-DRBG.pod | 2 +- doc/man7/EVP_RAND-SEED-SRC.pod | 2 +- doc/man7/EVP_RAND-TEST-RAND.pod | 2 +- doc/man7/provider-kdf.pod | 6 +- doc/man7/provider-mac.pod | 11 ++- doc/man7/provider-rand.pod | 6 +- fuzz/fuzz_rand.c | 3 +- include/openssl/core_dispatch.h | 8 +- include/openssl/core_names.h | 2 + include/openssl/evp.h | 6 +- include/openssl/kdf.h | 3 +- providers/common/provider_util.c | 7 +- providers/fips/self_test.c | 7 +- providers/fips/self_test_kats.c | 10 +-- providers/implementations/exchange/kdf_exch.c | 2 +- providers/implementations/kdfs/hkdf.c | 5 +- providers/implementations/kdfs/kbkdf.c | 17 ++--- providers/implementations/kdfs/krb5kdf.c | 6 +- providers/implementations/kdfs/pbkdf2.c | 6 +- providers/implementations/kdfs/pkcs12kdf.c | 6 +- providers/implementations/kdfs/scrypt.c | 6 +- providers/implementations/kdfs/sshkdf.c | 6 +- providers/implementations/kdfs/sskdf.c | 20 ++--- providers/implementations/kdfs/tls1_prf.c | 14 +--- providers/implementations/kdfs/x942kdf.c | 5 +- providers/implementations/macs/blake2_mac_impl.c | 45 ++++++----- providers/implementations/macs/cmac_prov.c | 34 ++++----- providers/implementations/macs/gmac_prov.c | 41 +++++++--- providers/implementations/macs/hmac_prov.c | 33 ++++++-- providers/implementations/macs/kmac_prov.c | 46 +++++++----- providers/implementations/macs/poly1305_prov.c | 37 ++++++--- providers/implementations/macs/siphash_prov.c | 84 ++++++++++++++++----- providers/implementations/rands/drbg.c | 3 - providers/implementations/rands/drbg_ctr.c | 6 +- providers/implementations/rands/drbg_hash.c | 5 +- providers/implementations/rands/drbg_hmac.c | 22 ++---- providers/implementations/rands/seed_src.c | 3 +- providers/implementations/rands/test_rng.c | 5 +- providers/implementations/signature/mac_legacy.c | 6 +- ssl/t1_enc.c | 3 +- ssl/t1_lib.c | 5 +- ssl/tls13_enc.c | 26 +++---- test/acvp_test.c | 2 +- test/bad_dtls_test.c | 9 +-- test/drbgtest.c | 6 +- test/evp_kdf_test.c | 96 ++++++++++-------------- test/evp_test.c | 20 ++--- test/ossl_shim/ossl_shim.cc | 8 +- test/recipes/30-test_evp_data/evpmac_blake.txt | 4 +- test/recipes/30-test_evp_data/evpmac_common.txt | 2 +- test/recipes/30-test_evp_data/evpmac_siphash.txt | 23 +++++- test/sslapitest.c | 11 +-- test/testutil/fake_random.c | 3 +- 86 files changed, 512 insertions(+), 470 deletions(-) diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index 4a1b89d92c..ade983169b 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -78,7 +78,7 @@ static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in, int i; size_t outsz = *out_len; - if (!EVP_MAC_init(ctx)) + if (!EVP_MAC_init(ctx, NULL, 0, NULL)) goto err; if (EVP_MAC_CTX_get_mac_size(ctx) > outsz) goto end; diff --git a/apps/kdf.c b/apps/kdf.c index 4bbb88a5ae..5c33234b57 100644 --- a/apps/kdf.c +++ b/apps/kdf.c @@ -135,7 +135,7 @@ opthelp: if (dkm_bytes == NULL) goto err; - if (!EVP_KDF_derive(ctx, dkm_bytes, dkm_len)) { + if (!EVP_KDF_derive(ctx, dkm_bytes, dkm_len, NULL)) { BIO_printf(bio_err, "EVP_KDF_derive failed\n"); goto err; } diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 3761d91395..6737eca13e 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -741,7 +741,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, int res = 0; EVP_MAC *hmac = NULL; EVP_MAC_CTX *ctx = NULL; - OSSL_PARAM params[3], *p = params; + OSSL_PARAM params[2], *p = params; size_t mac_len; /* Initialize a random secret */ @@ -792,14 +792,8 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, goto end; } *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "SHA1", 0); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, cookie_secret, - COOKIE_SECRET_LENGTH); *p = OSSL_PARAM_construct_end(); - if (!EVP_MAC_CTX_set_params(ctx, params)) { - BIO_printf(bio_err, "HMAC context parameter setting failed\n"); - goto end; - } - if (!EVP_MAC_init(ctx)) { + if (!EVP_MAC_init(ctx, cookie_secret, COOKIE_SECRET_LENGTH, params)) { BIO_printf(bio_err, "HMAC context initialisation failed\n"); goto end; } diff --git a/apps/mac.c b/apps/mac.c index 6280fdcd3b..8f8dcde318 100644 --- a/apps/mac.c +++ b/apps/mac.c @@ -64,6 +64,7 @@ int mac_main(int argc, char **argv) const char *infile = NULL; int out_bin = 0; int inform = FORMAT_BINARY; + OSSL_PARAM *params = NULL; prog = opt_init(argc, argv, mac_options); buf = app_malloc(BUFSIZE, "I/O buffer"); @@ -117,9 +118,9 @@ opthelp: if (opts != NULL) { int ok = 1; - OSSL_PARAM *params = - app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac)); + params = app_params_new_from_opts(opts, + EVP_MAC_settable_ctx_params(mac)); if (params == NULL) goto err; @@ -144,7 +145,7 @@ opthelp: if (out == NULL) goto err; - if (!EVP_MAC_init(ctx)) { + if (!EVP_MAC_init(ctx, NULL, 0, NULL)) { BIO_printf(bio_err, "EVP_MAC_Init failed\n"); goto err; } diff --git a/apps/speed.c b/apps/speed.c index 92eb0585fc..0d7a9168c1 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -631,7 +631,7 @@ static int EVP_MAC_loop(int algindex, void *args) for (count = 0; COND(c[algindex][testnum]); count++) { size_t outl; - if (!EVP_MAC_init(mctx) + if (!EVP_MAC_init(mctx, NULL, 0, NULL) || !EVP_MAC_update(mctx, buf, lengths[testnum]) || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac))) return -1; @@ -2158,28 +2158,24 @@ int speed_main(int argc, char **argv) if (doit[D_GHASH]) { static const char gmac_iv[] = "0123456789ab"; EVP_MAC *mac = EVP_MAC_fetch(NULL, "GMAC", NULL); - OSSL_PARAM params[4]; + OSSL_PARAM params[3]; if (mac == NULL) goto end; params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_CIPHER, "aes-128-gcm", 0); - params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - (char *)key32, 16); - params[2] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_IV, + params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_IV, (char *)gmac_iv, sizeof(gmac_iv) - 1); - params[3] = OSSL_PARAM_construct_end(); + params[2] = OSSL_PARAM_construct_end(); for (i = 0; i < loopargs_len; i++) { loopargs[i].mctx = EVP_MAC_CTX_new(mac); if (loopargs[i].mctx == NULL) goto end; - if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) - goto end; - if (!EVP_MAC_init(loopargs[i].mctx)) + if (!EVP_MAC_init(loopargs[i].mctx, key32, 16, params)) goto end; } for (testnum = 0; testnum < size_num; testnum++) { diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c index ffa94667ee..03730c1505 100644 --- a/crypto/crmf/crmf_pbm.c +++ b/crypto/crmf/crmf_pbm.c @@ -140,7 +140,7 @@ int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq, int ok = 0; EVP_MAC *mac = NULL; EVP_MAC_CTX *mctx = NULL; - OSSL_PARAM macparams[3] = {OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END}; + OSSL_PARAM macparams[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; if (out == NULL || pbmp == NULL || pbmp->mac == NULL || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) { @@ -207,12 +207,10 @@ int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq, macparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, (char *)mdname, 0); - macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - basekey, bklen); if ((mac = EVP_MAC_fetch(libctx, "HMAC", propq)) == NULL || (mctx = EVP_MAC_CTX_new(mac)) == NULL || !EVP_MAC_CTX_set_params(mctx, macparams) - || !EVP_MAC_init(mctx) + || !EVP_MAC_init(mctx, basekey, bklen, macparams) || !EVP_MAC_update(mctx, msg, msglen) || !EVP_MAC_final(mctx, mac_res, outlen, EVP_MAX_MD_SIZE)) goto err; diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c index e1753b0b69..03e45aead9 100644 --- a/crypto/dh/dh_kdf.c +++ b/crypto/dh/dh_kdf.c @@ -53,8 +53,7 @@ int ossl_dh_kdf_X9_42_asn1(unsigned char *out, size_t outlen, *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, (char *)cek_alg, 0); *p = OSSL_PARAM_construct_end(); - ret = EVP_KDF_CTX_set_params(kctx, params) > 0 - && EVP_KDF_derive(kctx, out, outlen) > 0; + ret = EVP_KDF_derive(kctx, out, outlen, params) > 0; err: EVP_KDF_CTX_free(kctx); EVP_KDF_free(kdf); diff --git a/crypto/ec/ecdh_kdf.c b/crypto/ec/ecdh_kdf.c index 60e976a95f..450e2a872b 100644 --- a/crypto/ec/ecdh_kdf.c +++ b/crypto/ec/ecdh_kdf.c @@ -42,8 +42,7 @@ int ossl_ecdh_kdf_X9_63(unsigned char *out, size_t outlen, (void *)sinfo, sinfolen); *p = OSSL_PARAM_construct_end(); - ret = EVP_KDF_CTX_set_params(kctx, params) > 0 - && EVP_KDF_derive(kctx, out, outlen) > 0; + ret = EVP_KDF_derive(kctx, out, outlen, params) > 0; EVP_KDF_CTX_free(kctx); } EVP_KDF_free(kdf); diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index bc8c24b3b5..aea9d72ab7 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -487,22 +487,23 @@ int EVP_RAND_names_do_all(const EVP_RAND *rand, static int evp_rand_instantiate_locked (EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len) + const unsigned char *pstr, size_t pstr_len, const OSSL_PARAM params[]) { return ctx->meth->instantiate(ctx->data, strength, prediction_resistance, - pstr, pstr_len); + pstr, pstr_len, params); } int EVP_RAND_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len) + const unsigned char *pstr, size_t pstr_len, + const OSSL_PARAM params[]) { int res; if (!evp_rand_lock(ctx)) return 0; res = evp_rand_instantiate_locked(ctx, strength, prediction_resistance, - pstr, pstr_len); + pstr, pstr_len, params); evp_rand_unlock(ctx); return res; } diff --git a/crypto/evp/kdf_lib.c b/crypto/evp/kdf_lib.c index 36f8eb2ea8..5fe022a142 100644 --- a/crypto/evp/kdf_lib.c +++ b/crypto/evp/kdf_lib.c @@ -137,12 +137,13 @@ size_t EVP_KDF_CTX_get_kdf_size(EVP_KDF_CTX *ctx) return 0; } -int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen) +int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { if (ctx == NULL) return 0; - return ctx->meth->derive(ctx->data, key, keylen); + return ctx->meth->derive(ctx->data, key, keylen, params); } /* diff --git a/crypto/evp/mac_lib.c b/crypto/evp/mac_lib.c index de4d3623ff..91edb93afd 100644 --- a/crypto/evp/mac_lib.c +++ b/crypto/evp/mac_lib.c @@ -105,9 +105,10 @@ size_t EVP_MAC_CTX_get_mac_size(EVP_MAC_CTX *ctx) return 0; } -int EVP_MAC_init(EVP_MAC_CTX *ctx) +int EVP_MAC_init(EVP_MAC_CTX *ctx, const unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { - return ctx->meth->init(ctx->data); + return ctx->meth->init(ctx->data, key, keylen, params); } int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen) diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index c097210bd4..dff3310ded 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -55,8 +55,7 @@ int pkcs5_pbkdf2_hmac_ex(const char *pass, int passlen, *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, (char *)mdname, 0); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) != 1 - || EVP_KDF_derive(kctx, out, keylen) != 1) + if (EVP_KDF_derive(kctx, out, keylen, params) != 1) rv = 0; EVP_KDF_CTX_free(kctx); diff --git a/crypto/evp/pbe_scrypt.c b/crypto/evp/pbe_scrypt.c index f7656324f6..be881b32fb 100644 --- a/crypto/evp/pbe_scrypt.c +++ b/crypto/evp/pbe_scrypt.c @@ -79,8 +79,7 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, *z++ = OSSL_PARAM_construct_uint64(OSSL_KDF_PARAM_SCRYPT_P, &p); *z++ = OSSL_PARAM_construct_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem); *z = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) != 1 - || EVP_KDF_derive(kctx, key, keylen) != 1) + if (EVP_KDF_derive(kctx, key, keylen, params) != 1) rv = 0; EVP_KDF_CTX_free(kctx); diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index 7c4056a8f8..8c7be88cd2 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -105,7 +105,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, BIO_printf(trc_out, "\n"); } OSSL_TRACE_END(PKCS12_KEYGEN); - if (EVP_KDF_derive(ctx, out, (size_t)n)) { + if (EVP_KDF_derive(ctx, out, (size_t)n, NULL)) { res = 1; OSSL_TRACE_BEGIN(PKCS12_KEYGEN) { BIO_printf(trc_out, "Output KEY (length %d)\n", n); diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 2a4055f617..0ee57dc460 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -523,7 +523,7 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_CREATE_DRBG); return NULL; } - if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0)) { + if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) { ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG); EVP_RAND_CTX_free(ctx); return NULL; @@ -574,12 +574,7 @@ static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent, *p++ = OSSL_PARAM_construct_time_t(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, &reseed_time_interval); *p = OSSL_PARAM_construct_end(); - if (!EVP_RAND_set_ctx_params(ctx, params)) { - ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INITIALISING_DRBG); - EVP_RAND_CTX_free(ctx); - return NULL; - } - if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0)) { + if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, params)) { ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG); EVP_RAND_CTX_free(ctx); return NULL; diff --git a/crypto/siphash/siphash.c b/crypto/siphash/siphash.c index 03f9b4982d..eaad0a8e4a 100644 --- a/crypto/siphash/siphash.c +++ b/crypto/siphash/siphash.c @@ -30,10 +30,6 @@ #include "crypto/siphash.h" #include "siphash_local.h" -/* default: SipHash-2-4 */ -#define SIPHASH_C_ROUNDS 2 -#define SIPHASH_D_ROUNDS 4 - #define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))) #define U32TO8_LE(p, v) \ @@ -146,7 +142,7 @@ void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen) uint64_t m; const uint8_t *end; int left; - int i; + unsigned int i; uint64_t v0 = ctx->v0; uint64_t v1 = ctx->v1; uint64_t v2 = ctx->v2; @@ -202,7 +198,7 @@ void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen) int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen) { /* finalize hash */ - int i; + unsigned int i; uint64_t b = ctx->total_inlen << 56; uint64_t v0 = ctx->v0; uint64_t v1 = ctx->v1; diff --git a/crypto/siphash/siphash_local.h b/crypto/siphash/siphash_local.h index 4841284c04..8cd7c208cc 100644 --- a/crypto/siphash/siphash_local.h +++ b/crypto/siphash/siphash_local.h @@ -16,8 +16,13 @@ struct siphash_st { uint64_t v2; uint64_t v3; unsigned int len; - int hash_size; - int crounds; - int drounds; + unsigned int hash_size; + unsigned int crounds; + unsigned int drounds; unsigned char leavings[SIPHASH_BLOCK_SIZE]; }; + +/* default: SipHash-2-4 */ +#define SIPHASH_C_ROUNDS 2 +#define SIPHASH_D_ROUNDS 4 + diff --git a/doc/man3/EVP_KDF.pod b/doc/man3/EVP_KDF.pod index 90e8f5adcf..7a012026c5 100644 --- a/doc/man3/EVP_KDF.pod +++ b/doc/man3/EVP_KDF.pod @@ -25,7 +25,8 @@ EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params - EVP KDF routines EVP_KDF_CTX *EVP_KDF_CTX_dup(const EVP_KDF_CTX *src); void EVP_KDF_CTX_reset(EVP_KDF_CTX *ctx); size_t EVP_KDF_CTX_get_kdf_size(EVP_KDF_CTX *ctx); - int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen); + int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]); int EVP_KDF_up_ref(EVP_KDF *kdf); void EVP_KDF_free(EVP_KDF *kdf); EVP_KDF *EVP_KDF_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, @@ -56,9 +57,10 @@ The EVP KDF routines are a high-level interface to Key Derivation Function algorithms and should be used instead of algorithm-specific functions. After creating a B for the required algorithm using -EVP_KDF_CTX_new(), inputs to the algorithm are supplied -using calls to EVP_KDF_CTX_set_params() before -calling EVP_KDF_derive() to derive the key. +EVP_KDF_CTX_new(), inputs to the algorithm are supplied either by +passing them as part of the EVP_KDF_derive() call or using calls +to EVP_KDF_CTX_set_params() before calling EVP_KDF_derive() to derive +the key. =head2 Types @@ -99,9 +101,10 @@ I. EVP_KDF_CTX_reset() resets the context to the default state as if the context had just been created. -EVP_KDF_derive() derives I bytes of key material and places it in the -I buffer. If the algorithm produces a fixed amount of output then an -error will occur unless the I parameter is equal to that output size, +EVP_KDF_derive() processes any parameters in I and then derives +I bytes of key material and places it in the I buffer. +If the algorithm produces a fixed amount of output then an error will +occur unless the I parameter is equal to that output size, as returned by EVP_KDF_CTX_get_kdf_size(). EVP_KDF_get_params() retrieves details about the implementation diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index b32415aac5..928ef52407 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -40,7 +40,8 @@ EVP_MAC_do_all_provided - EVP MAC routines int EVP_MAC_CTX_set_params(EVP_MAC_CTX *ctx, const OSSL_PARAM params[]); size_t EVP_MAC_CTX_get_mac_size(EVP_MAC_CTX *ctx); - int EVP_MAC_init(EVP_MAC_CTX *ctx); + int EVP_MAC_init(EVP_MAC_CTX *ctx, const unsigned char *key, size_t keylen, + const OSSL_PARAM params[]); int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen); int EVP_MAC_final(EVP_MAC_CTX *ctx, unsigned char *out, size_t *outl, size_t outsize); @@ -117,9 +118,11 @@ I. =head2 Computing functions EVP_MAC_init() sets up the underlying context with information given -through diverse controls. -This should be called before calling EVP_MAC_update() and -EVP_MAC_final(). +via the I and I arguments. The MAC I has a length of +I and the parameters in I are processed before setting +the key. If I is NULL, the key must be set via params either +as part of this call or separately using EVP_MAC_CTX_set_params(). +This should be called before calling EVP_MAC_update() and EVP_MAC_final(). EVP_MAC_update() adds I bytes from I to the MAC input. @@ -362,7 +365,7 @@ EVP_MAC_do_all_provided() returns nothing at all. size_t i; - OSSL_PARAM params[4]; + OSSL_PARAM params[3]; size_t params_n = 0; if (cipher != NULL) @@ -371,17 +374,13 @@ EVP_MAC_do_all_provided() returns nothing at all. if (digest != NULL) params[params_n++] = OSSL_PARAM_construct_utf8_string("digest", (char*)digest, 0); - params[params_n++] = - OSSL_PARAM_construct_octet_string("key", (void*)key, strlen(key)); params[params_n] = OSSL_PARAM_construct_end(); if (mac == NULL || key == NULL || (ctx = EVP_MAC_CTX_new(mac)) == NULL - || EVP_MAC_CTX_set_params(ctx, params) <= 0) - goto err; - - if (!EVP_MAC_init(ctx)) + || !EVP_MAC_init(ctx, (const unsigned char *)key, strlen(key), + params)) goto err; while ( (read_l = read(STDIN_FILENO, buf, sizeof(buf))) > 0) { diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index 88ee739d94..52cf5118d8 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod @@ -50,7 +50,8 @@ EVP_RAND_STATE_ERROR - EVP RAND routines int EVP_RAND_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len); + const unsigned char *pstr, size_t pstr_len, + const OSSL_PARAM params[]); int EVP_RAND_uninstantiate(EVP_RAND_CTX *ctx); int EVP_RAND_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen, unsigned int strength, int prediction_resistance, @@ -78,10 +79,10 @@ If you want to do more, these calls should be used instead of the older RAND and RAND_DRBG functions. After creating a B for the required algorithm using -EVP_RAND_CTX_new(), inputs to the algorithm are supplied -using calls to EVP_RAND_set_ctx_params() before -calling EVP_RAND_instantiate() and then EVP_RAND_generate() to produce -cryptographically secure random bytes. +EVP_RAND_CTX_new(), inputs to the algorithm are supplied either by +passing them as part of the EVP_RAND_instantiate() call or using calls to +EVP_RAND_set_ctx_params() before calling EVP_RAND_instantiate(). Finally, +call EVP_RAND_generate() to produce cryptographically secure random bytes. =head2 Types @@ -123,8 +124,9 @@ I. =head2 Random Number Generator Functions -EVP_RAND_instantiate() instantiates the RAND I with a minimum security -strength of and personalisation string I of length . +EVP_RAND_instantiate() processes any parameters in I and +then instantiates the RAND I with a minimum security strength +of and personalisation string I of length . If I is specified, fresh entropy from a live source will be sought. This call operates as per NIST SP 800-90A and SP 800-90C. diff --git a/doc/man7/EVP_KDF-HKDF.pod b/doc/man7/EVP_KDF-HKDF.pod index 830bf90e92..4fc663d1b6 100644 --- a/doc/man7/EVP_KDF-HKDF.pod +++ b/doc/man7/EVP_KDF-HKDF.pod @@ -119,10 +119,7 @@ salt value "salt" and info value "label": *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, "salt", (size_t)4); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) { - error("EVP_KDF_CTX_set_params"); - } - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { error("EVP_KDF_derive"); } diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod index c69a717a3c..b8d7b15902 100644 --- a/doc/man7/EVP_KDF-KB.pod +++ b/doc/man7/EVP_KDF-KB.pod @@ -108,9 +108,7 @@ Label "label", and Context "context". *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, "context", strlen("context")); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) - error("EVP_KDF_CTX_set_params"); - else if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) error("EVP_KDF_derive"); EVP_KDF_CTX_free(kctx); diff --git a/doc/man7/EVP_KDF-KRB5KDF.pod b/doc/man7/EVP_KDF-KRB5KDF.pod index 8d730d40b8..874b4d9753 100644 --- a/doc/man7/EVP_KDF-KRB5KDF.pod +++ b/doc/man7/EVP_KDF-KRB5KDF.pod @@ -81,10 +81,7 @@ This example derives a key using the AES-128-CBC cipher: *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT, constant, strlen(constant)); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_set_params(kctx, params) <= 0) - /* Error */ - - if (EVP_KDF_derive(kctx, out, outlen) <= 0) + if (EVP_KDF_derive(kctx, out, outlen, params) <= 0) /* Error */ EVP_KDF_CTX_free(kctx); diff --git a/doc/man7/EVP_KDF-SCRYPT.pod b/doc/man7/EVP_KDF-SCRYPT.pod index ec4eab8f1c..70edde375c 100644 --- a/doc/man7/EVP_KDF-SCRYPT.pod +++ b/doc/man7/EVP_KDF-SCRYPT.pod @@ -100,10 +100,7 @@ This example derives a 64-byte long test vector using scrypt with the password *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_SCRYPT_R, (uint32_t)8); *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_SCRYPT_P, (uint32_t)16); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) { - error("EVP_KDF_CTX_set_params"); - } - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { error("EVP_KDF_derive"); } diff --git a/doc/man7/EVP_KDF-SS.pod b/doc/man7/EVP_KDF-SS.pod index 088ffe0ea7..958fd06676 100644 --- a/doc/man7/EVP_KDF-SS.pod +++ b/doc/man7/EVP_KDF-SS.pod @@ -92,10 +92,7 @@ and fixedinfo value "label": *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, "label", (size_t)5); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) { - error("EVP_KDF_CTX_set_params"); - } - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { error("EVP_KDF_derive"); } @@ -124,10 +121,7 @@ fixedinfo value "label" and salt "salt": *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, "salt", (size_t)4); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) { - error("EVP_KDF_CTX_set_params"); - } - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { error("EVP_KDF_derive"); } @@ -157,10 +151,7 @@ fixedinfo value "label", salt of "salt" and KMAC outlen of 20: "salt", (size_t)4); *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, (size_t)20); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) { - error("EVP_KDF_CTX_set_params"); - } - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { error("EVP_KDF_derive"); } diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index b782b6fa7c..74d1b71aca 100644 --- a/doc/man7/EVP_KDF-SSHKDF.pod +++ b/doc/man7/EVP_KDF-SSHKDF.pod @@ -126,10 +126,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, &type, sizeof(type)); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) - /* Error */ - - if (EVP_KDF_derive(kctx, out, &outlen) <= 0) + if (EVP_KDF_derive(kctx, out, &outlen, params) <= 0) /* Error */ diff --git a/doc/man7/EVP_KDF-TLS1_PRF.pod b/doc/man7/EVP_KDF-TLS1_PRF.pod index 74ddb657f7..b7f8da5912 100644 --- a/doc/man7/EVP_KDF-TLS1_PRF.pod +++ b/doc/man7/EVP_KDF-TLS1_PRF.pod @@ -80,10 +80,7 @@ and seed value "seed": *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, "seed", (size_t)4); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) { - error("EVP_KDF_CTX_set_params"); - } - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { error("EVP_KDF_derive"); } EVP_KDF_CTX_free(kctx); diff --git a/doc/man7/EVP_KDF-X942-ASN1.pod b/doc/man7/EVP_KDF-X942-ASN1.pod index b0e36133b4..c01ec466fa 100644 --- a/doc/man7/EVP_KDF-X942-ASN1.pod +++ b/doc/man7/EVP_KDF-X942-ASN1.pod @@ -115,10 +115,7 @@ keying material: *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_UKM, ukm, sizeof(ukm)); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, "AES-256-WRAP, 0); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) - error("EVP_KDF_CTX_set_params"); - - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) error("EVP_KDF_derive"); EVP_KDF_CTX_free(kctx); diff --git a/doc/man7/EVP_KDF-X963.pod b/doc/man7/EVP_KDF-X963.pod index b814fe5b47..3272e1e755 100644 --- a/doc/man7/EVP_KDF-X963.pod +++ b/doc/man7/EVP_KDF-X963.pod @@ -72,10 +72,7 @@ value "label": *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, "label", (size_t)5); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) { - error("EVP_KDF_CTX_set_params"); - } - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { + if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { error("EVP_KDF_derive"); } diff --git a/doc/man7/EVP_MAC-KMAC.pod b/doc/man7/EVP_MAC-KMAC.pod index 9d40288044..46fce76274 100644 --- a/doc/man7/EVP_MAC-KMAC.pod +++ b/doc/man7/EVP_MAC-KMAC.pod @@ -47,8 +47,10 @@ The default value is 0. =back -The "custom" and "key" parameters must be set before EVP_MAC_init(). +The "custom" parameter must be set as part of or before the EVP_MAC_init() call. The "xof" and "size" parameters can be set at any time before EVP_MAC_final(). +The "key" parameter is set as part of the EVP_MAC_init() call, but can be +set before it instead. =head1 EXAMPLES diff --git a/doc/man7/EVP_MAC-Siphash.pod b/doc/man7/EVP_MAC-Siphash.pod index d0a4226ae5..2b6f2ae4e4 100644 --- a/doc/man7/EVP_MAC-Siphash.pod +++ b/doc/man7/EVP_MAC-Siphash.pod @@ -36,6 +36,14 @@ The length of the "size" parameter should not exceed that of a B. =item "size" (B) +=item "c-rounds" (B) + +Specifies the number of rounds per message block. By default this is I<2>. + +=item "d-rounds" (B) + +Specifies the number of finalisation rounds. By default this is I<4>. + =back =head1 SEE ALSO diff --git a/doc/man7/EVP_RAND-CTR-DRBG.pod b/doc/man7/EVP_RAND-CTR-DRBG.pod index a31b22390a..61dfa2672e 100644 --- a/doc/man7/EVP_RAND-CTR-DRBG.pod +++ b/doc/man7/EVP_RAND-CTR-DRBG.pod @@ -81,7 +81,7 @@ A context for CTR DRBG can be obtained by calling: *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_CIPHER, SN_aes_256_ctr, 0); *p = OSSL_PARAM_construct_end(); - EVP_RAND_set_ctx_params(rctx, params); + EVP_RAND_instantiate(rctx, strength, 0, NULL, 0, params); EVP_RAND_generate(rctx, bytes, sizeof(bytes), strength, 0, NULL, 0); diff --git a/doc/man7/EVP_RAND-HASH-DRBG.pod b/doc/man7/EVP_RAND-HASH-DRBG.pod index 631383c74a..a212add6d2 100644 --- a/doc/man7/EVP_RAND-HASH-DRBG.pod +++ b/doc/man7/EVP_RAND-HASH-DRBG.pod @@ -73,7 +73,7 @@ A context for HASH DRBG can be obtained by calling: *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_DIGEST, SN_sha512, 0); *p = OSSL_PARAM_construct_end(); - EVP_RAND_set_ctx_params(rctx, params); + EVP_RAND_instantiate(rctx, strength, 0, NULL, 0, params); EVP_RAND_generate(rctx, bytes, sizeof(bytes), strength, 0, NULL, 0); diff --git a/doc/man7/EVP_RAND-HMAC-DRBG.pod b/doc/man7/EVP_RAND-HMAC-DRBG.pod index f04ae336fc..f345255efc 100644 --- a/doc/man7/EVP_RAND-HMAC-DRBG.pod +++ b/doc/man7/EVP_RAND-HMAC-DRBG.pod @@ -76,7 +76,7 @@ A context for HMAC DRBG can be obtained by calling: *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_MAC, SN_hmac, 0); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_DIGEST, SN_sha256, 0); *p = OSSL_PARAM_construct_end(); - EVP_RAND_set_ctx_params(rctx, params); + EVP_RAND_instantiate(rctx, strength, 0, NULL, 0, params); EVP_RAND_generate(rctx, bytes, sizeof(bytes), strength, 0, NULL, 0); diff --git a/doc/man7/EVP_RAND-SEED-SRC.pod b/doc/man7/EVP_RAND-SEED-SRC.pod index f301ed25f9..4d21e4cd6e 100644 --- a/doc/man7/EVP_RAND-SEED-SRC.pod +++ b/doc/man7/EVP_RAND-SEED-SRC.pod @@ -63,7 +63,7 @@ A context for the seed source can be obtained by calling: *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_CIPHER, SN_aes_256_ctr, 0); *p = OSSL_PARAM_construct_end(); - EVP_RAND_set_ctx_params(rctx, params); + EVP_RAND_instantiate(rctx, strength, 0, NULL, 0, params); EVP_RAND_generate(rctx, bytes, sizeof(bytes), strength, 0, NULL, 0); diff --git a/doc/man7/EVP_RAND-TEST-RAND.pod b/doc/man7/EVP_RAND-TEST-RAND.pod index 9eb7001d64..c5f1a4d526 100644 --- a/doc/man7/EVP_RAND-TEST-RAND.pod +++ b/doc/man7/EVP_RAND-TEST-RAND.pod @@ -90,7 +90,7 @@ A context for a test generator can be obtained by calling: *p++ = OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE, nonce, sizeof(nonce)); *p = OSSL_PARAM_construct_end(); - EVP_RAND_set_ctx_params(rctx, params); + EVP_RAND_instantiate(rctx, strength, 0, NULL, 0, params); EVP_RAND_generate(rctx, bytes, sizeof(bytes), strength, 0, NULL, 0); diff --git a/doc/man7/provider-kdf.pod b/doc/man7/provider-kdf.pod index 4d3d91a4e7..0b13537e8d 100644 --- a/doc/man7/provider-kdf.pod +++ b/doc/man7/provider-kdf.pod @@ -24,7 +24,8 @@ provider-kdf - The KDF library E-E provider functions /* Encryption/decryption */ int OSSL_FUNC_kdf_reset(void *kctx); - int OSSL_FUNC_kdf_derive(void *kctx, unsigned char *key, size_t keylen); + int OSSL_FUNC_kdf_derive(void *kctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]); /* KDF parameter descriptors */ const OSSL_PARAM *OSSL_FUNC_kdf_gettable_params(void *provctx); @@ -108,7 +109,8 @@ I parameter and return the duplicate copy. OSSL_FUNC_kdf_reset() initialises a KDF operation given a provider side KDF context in the I parameter. -OSSL_FUNC_kdf_derive() performs the KDF operation. +OSSL_FUNC_kdf_derive() performs the KDF operation after processing the +I as per OSSL_FUNC_kdf_set_ctx_params(). The I parameter contains a pointer to the provider side context. The resulting key of the desired I should be written to I. If the algorithm does not support the requested I the function must diff --git a/doc/man7/provider-mac.pod b/doc/man7/provider-mac.pod index fdeda79ab5..47f26ca89b 100644 --- a/doc/man7/provider-mac.pod +++ b/doc/man7/provider-mac.pod @@ -23,7 +23,8 @@ provider-mac - The mac library E-E provider functions void *OSSL_FUNC_mac_dupctx(void *src); /* Encryption/decryption */ - int OSSL_FUNC_mac_init(void *mctx); + int OSSL_FUNC_mac_init(void *mctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]); int OSSL_FUNC_mac_update(void *mctx, const unsigned char *in, size_t inl); int OSSL_FUNC_mac_final(void *mctx, unsigned char *out, size_t *outl, size_t outsize); @@ -108,7 +109,8 @@ I parameter and return the duplicate copy. =head2 Encryption/Decryption Functions OSSL_FUNC_mac_init() initialises a mac operation given a newly created provider -side mac context in the I parameter. +side mac context in the I parameter. The I are set before setting +the MAC I of I bytes. OSSL_FUNC_mac_update() is called to supply data for MAC computation of a previously initialised mac operation. @@ -158,7 +160,8 @@ parameters are relevant to, or are understood by all macs: =item "key" (B) -Sets the key in the associated MAC ctx. +Sets the key in the associated MAC ctx. This is identical to passing a I +argument to the OSSL_FUNC_mac_init() function. =item "iv" (B) @@ -228,7 +231,7 @@ array, or NULL if none is offered. =head1 SEE ALSO -L +L, L =head1 HISTORY diff --git a/doc/man7/provider-rand.pod b/doc/man7/provider-rand.pod index 5de3a15f38..157f6227e9 100644 --- a/doc/man7/provider-rand.pod +++ b/doc/man7/provider-rand.pod @@ -26,7 +26,8 @@ functions /* Random number generator functions: NIST */ int OSSL_FUNC_rand_instantiate(void *ctx, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len); + const unsigned char *pstr, size_t pstr_len, + const OSSL_PARAM params[]); int OSSL_FUNC_rand_uninstantiate(void *ctx); int OSSL_FUNC_rand_generate(void *ctx, unsigned char *out, size_t outlen, unsigned int strength, int prediction_resistance, @@ -97,7 +98,8 @@ These functions correspond to those defined in NIST SP 800-90A and SP 800-90C. OSSL_FUNC_rand_instantiate() is used to instantiate the DRBG I at a requested security I. In addition, I can be requested. Additional input I of length I bytes can optionally -be provided. +be provided. The parameters specified in I configure the DRBG and these +should be processed before instantiation. OSSL_FUNC_rand_uninstantiate() is used to uninstantiate the DRBG I. After being uninstantiated, a DRBG is unable to produce output until it is instantiated diff --git a/fuzz/fuzz_rand.c b/fuzz/fuzz_rand.c index cd5371efbd..5bd343d8ae 100644 --- a/fuzz/fuzz_rand.c +++ b/fuzz/fuzz_rand.c @@ -41,7 +41,8 @@ static int fuzz_rand_instantiate(ossl_unused void *vrng, ossl_unused unsigned int strength, ossl_unused int prediction_resistance, ossl_unused const unsigned char *pstr, - ossl_unused size_t pstr_len) + ossl_unused size_t pstr_len, + ossl_unused const OSSL_PARAM params[]) { *(int *)vrng = EVP_RAND_STATE_READY; return 1; diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 634159524d..f88645f0f6 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -337,7 +337,8 @@ OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, cipher_gettable_ctx_params, OSSL_CORE_MAKE_FUNC(void *, mac_newctx, (void *provctx)) OSSL_CORE_MAKE_FUNC(void *, mac_dupctx, (void *src)) OSSL_CORE_MAKE_FUNC(void, mac_freectx, (void *mctx)) -OSSL_CORE_MAKE_FUNC(int, mac_init, (void *mctx)) +OSSL_CORE_MAKE_FUNC(int, mac_init, (void *mctx, const unsigned char *key, + size_t keylen, const OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(int, mac_update, (void *mctx, const unsigned char *in, size_t inl)) OSSL_CORE_MAKE_FUNC(int, mac_final, @@ -373,7 +374,7 @@ OSSL_CORE_MAKE_FUNC(void *, kdf_dupctx, (void *src)) OSSL_CORE_MAKE_FUNC(void, kdf_freectx, (void *kctx)) OSSL_CORE_MAKE_FUNC(void, kdf_reset, (void *kctx)) OSSL_CORE_MAKE_FUNC(int, kdf_derive, (void *kctx, unsigned char *key, - size_t keylen)) + size_t keylen, const OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, kdf_gettable_params, (void *provctx)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, kdf_gettable_ctx_params, (void *kctx, void *provctx)) @@ -414,7 +415,8 @@ OSSL_CORE_MAKE_FUNC(void,rand_freectx, (void *vctx)) OSSL_CORE_MAKE_FUNC(int,rand_instantiate, (void *vdrbg, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len)) + const unsigned char *pstr, size_t pstr_len, + const OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(int,rand_uninstantiate, (void *vdrbg)) OSSL_CORE_MAKE_FUNC(int,rand_generate, (void *vctx, unsigned char *out, size_t outlen, diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index cb8d83ba88..0f242e3605 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -158,6 +158,8 @@ extern "C" { #define OSSL_MAC_PARAM_XOF "xof" /* int, 0 or 1 */ #define OSSL_MAC_PARAM_DIGEST_NOINIT "digest-noinit" /* int, 0 or 1 */ #define OSSL_MAC_PARAM_DIGEST_ONESHOT "digest-oneshot" /* int, 0 or 1 */ +#define OSSL_MAC_PARAM_C_ROUNDS "c-rounds" /* unsigned int */ +#define OSSL_MAC_PARAM_D_ROUNDS "d-rounds" /* unsigned int */ /* * If "engine" or "properties" are specified, they should always be paired diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 6a2202d954..96a82827fc 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1144,7 +1144,8 @@ int EVP_MAC_CTX_get_params(EVP_MAC_CTX *ctx, OSSL_PARAM params[]); int EVP_MAC_CTX_set_params(EVP_MAC_CTX *ctx, const OSSL_PARAM params[]); size_t EVP_MAC_CTX_get_mac_size(EVP_MAC_CTX *ctx); -int EVP_MAC_init(EVP_MAC_CTX *ctx); +int EVP_MAC_init(EVP_MAC_CTX *ctx, const unsigned char *key, size_t keylen, + const OSSL_PARAM params[]); int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen); int EVP_MAC_final(EVP_MAC_CTX *ctx, unsigned char *out, size_t *outl, size_t outsize); @@ -1192,7 +1193,8 @@ int EVP_RAND_names_do_all(const EVP_RAND *rand, __owur int EVP_RAND_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len); + const unsigned char *pstr, size_t pstr_len, + const OSSL_PARAM params[]); int EVP_RAND_uninstantiate(EVP_RAND_CTX *ctx); __owur int EVP_RAND_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen, unsigned int strength, diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index f1bc9a7709..4c1397f909 100644 --- a/include/openssl/kdf.h +++ b/include/openssl/kdf.h @@ -41,7 +41,8 @@ const EVP_KDF *EVP_KDF_CTX_kdf(EVP_KDF_CTX *ctx); void EVP_KDF_CTX_reset(EVP_KDF_CTX *ctx); size_t EVP_KDF_CTX_get_kdf_size(EVP_KDF_CTX *ctx); -int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen); +int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]); int EVP_KDF_get_params(EVP_KDF *kdf, OSSL_PARAM params[]); int EVP_KDF_CTX_get_params(EVP_KDF_CTX *ctx, OSSL_PARAM params[]); int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]); diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index 0df2addccb..6ed4378a2f 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -72,6 +72,9 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc, const OSSL_PARAM *p; const char *propquery; + if (params == NULL) + return 1; + if (!load_common(params, &propquery, &pc->engine)) return 0; @@ -140,10 +143,12 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd, const OSSL_PARAM *p; const char *propquery; + if (params == NULL) + return 1; + if (!load_common(params, &propquery, &pd->engine)) return 0; - p = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST); if (p == NULL) return 1; diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index 1848686ae3..b20af1bd6c 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c @@ -171,7 +171,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex size_t bytes_read = 0, out_len = 0; EVP_MAC *mac = NULL; EVP_MAC_CTX *ctx = NULL; - OSSL_PARAM params[3], *p = params; + OSSL_PARAM params[2], *p = params; OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); @@ -183,12 +183,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex goto err; *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); - *p++ = OSSL_PARAM_construct_octet_string("key", fixed_key, - sizeof(fixed_key)); *p = OSSL_PARAM_construct_end(); - if (EVP_MAC_CTX_set_params(ctx, params) <= 0 - || !EVP_MAC_init(ctx)) + if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) goto err; while (1) { diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index 79b78f0ba5..dbec87a0f3 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -217,12 +217,10 @@ static int self_test_kdf(const ST_KAT_KDF *t, OSSL_SELF_TEST *st, params = OSSL_PARAM_BLD_to_param(bld); if (params == NULL) goto err; - if (!EVP_KDF_CTX_set_params(ctx, params)) - goto err; if (t->expected_len > sizeof(out)) goto err; - if (EVP_KDF_derive(ctx, out, t->expected_len) <= 0) + if (EVP_KDF_derive(ctx, out, t->expected_len, params) <= 0) goto err; OSSL_SELF_TEST_oncorrupt_byte(st, out); @@ -296,10 +294,10 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_SELF_TEST *st, drbg_params[1] = OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE, (void *)t->nonce, t->noncelen); - if (!EVP_RAND_set_ctx_params(test, drbg_params) - || !EVP_RAND_instantiate(test, strength, 0, NULL, 0)) + if (!EVP_RAND_instantiate(test, strength, 0, NULL, 0, drbg_params)) goto err; - if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen)) + if (!EVP_RAND_instantiate(drbg, strength, 0, t->persstr, t->persstrlen, + NULL)) goto err; drbg_params[0] = diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c index 2a299fbda8..7b6b12af69 100644 --- a/providers/implementations/exchange/kdf_exch.c +++ b/providers/implementations/exchange/kdf_exch.c @@ -101,7 +101,7 @@ static int kdf_derive(void *vpkdfctx, unsigned char *secret, size_t *secretlen, return 1; } - return EVP_KDF_derive(pkdfctx->kdfctx, secret, outlen); + return EVP_KDF_derive(pkdfctx->kdfctx, secret, outlen, NULL); } static void kdf_freectx(void *vpkdfctx) diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index b24b745216..24052f4d63 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -123,12 +123,13 @@ static size_t kdf_hkdf_size(KDF_HKDF *ctx) return sz; } -static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen) +static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_HKDF *ctx = (KDF_HKDF *)vctx; const EVP_MD *md; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx, params)) return 0; md = ossl_prov_digest_md(&ctx->digest); diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index 26235e400b..2f6171baa7 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -209,7 +209,8 @@ done: return ret; } -static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen) +static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KBKDF *ctx = (KBKDF *)vctx; int ret = 0; @@ -217,7 +218,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen) uint32_t l = 0; size_t h = 0; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params)) return 0; /* label, context, and iv are permitted to be empty. Check everything @@ -280,7 +281,6 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) KBKDF *ctx = (KBKDF *)vctx; OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); const OSSL_PARAM *p; - OSSL_PARAM mparams[2]; if (!ossl_prov_macctx_load_from_params(&ctx->ctx_init, params, NULL, NULL, NULL, libctx)) @@ -330,16 +330,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) return 0; /* Set up digest context, if we can. */ - if (ctx->ctx_init != NULL && ctx->ki_len != 0) { - mparams[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - ctx->ki, ctx->ki_len); - mparams[1] = OSSL_PARAM_construct_end(); - - if (!EVP_MAC_CTX_set_params(ctx->ctx_init, mparams) - || !EVP_MAC_init(ctx->ctx_init)) + if (ctx->ctx_init != NULL && ctx->ki_len != 0 + && !EVP_MAC_init(ctx->ctx_init, ctx->ki, ctx->ki_len, NULL)) return 0; - } - return 1; } diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c index 35d6ccb680..041c3e32b2 100644 --- a/providers/implementations/kdfs/krb5kdf.c +++ b/providers/implementations/kdfs/krb5kdf.c @@ -101,14 +101,14 @@ static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len, return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); } -static int krb5kdf_derive(void *vctx, unsigned char *key, - size_t keylen) +static int krb5kdf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx; const EVP_CIPHER *cipher; ENGINE *engine; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !krb5kdf_set_ctx_params(ctx, params)) return 0; cipher = ossl_prov_cipher_cipher(&ctx->cipher); diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index 9d993dc545..ce27fe9b39 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -139,13 +139,13 @@ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, return 1; } -static int kdf_pbkdf2_derive(void *vctx, unsigned char *key, - size_t keylen) +static int kdf_pbkdf2_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; const EVP_MD *md; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kdf_pbkdf2_set_ctx_params(ctx, params)) return 0; if (ctx->pass == NULL) { diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index ce49c2844c..bea6dffeca 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -195,13 +195,13 @@ static int pkcs12kdf_set_membuf(unsigned char **buffer, size_t *buflen, return 1; } -static int kdf_pkcs12_derive(void *vctx, unsigned char *key, - size_t keylen) +static int kdf_pkcs12_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_PKCS12 *ctx = (KDF_PKCS12 *)vctx; const EVP_MD *md; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kdf_pkcs12_set_ctx_params(ctx, params)) return 0; if (ctx->pass == NULL) { diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index de53d3e129..6c61d3bb3c 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -147,12 +147,12 @@ static int set_property_query(KDF_SCRYPT *ctx, const char *propq) return 1; } -static int kdf_scrypt_derive(void *vctx, unsigned char *key, - size_t keylen) +static int kdf_scrypt_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kdf_scrypt_set_ctx_params(ctx, params)) return 0; if (ctx->pass == NULL) { diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index 90b7666450..f99a6a7413 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -94,13 +94,13 @@ static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len, return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); } -static int kdf_sshkdf_derive(void *vctx, unsigned char *key, - size_t keylen) +static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx; const EVP_MD *md; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kdf_sshkdf_set_ctx_params(ctx, params)) return 0; md = ossl_prov_digest_md(&ctx->digest); diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index bc0b49c561..118c44cfa7 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -223,27 +223,19 @@ static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init, unsigned char *out = derived_key; EVP_MAC_CTX *ctx = NULL; unsigned char *mac = mac_buf, *kmac_buffer = NULL; - OSSL_PARAM params[2], *p = params; if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN || derived_key_len > SSKDF_MAX_INLEN || derived_key_len == 0) return 0; - *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - (void *)salt, salt_len); - *p = OSSL_PARAM_construct_end(); - - if (!EVP_MAC_CTX_set_params(ctx_init, params)) - goto end; - if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len, derived_key_len, &kmac_buffer)) goto end; if (kmac_buffer != NULL) mac = kmac_buffer; - if (!EVP_MAC_init(ctx_init)) + if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL)) goto end; out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */ @@ -350,12 +342,13 @@ static size_t sskdf_size(KDF_SSKDF *ctx) return (len <= 0) ? 0 : (size_t)len; } -static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen) +static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; const EVP_MD *md; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params)) return 0; if (ctx->secret == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); @@ -419,12 +412,13 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen) } } -static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen) +static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; const EVP_MD *md; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params)) return 0; if (ctx->secret == NULL) { diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index a3bdc85040..4204f03b3a 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -131,12 +131,12 @@ static void kdf_tls1_prf_reset(void *vctx) ctx->provctx = provctx; } -static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, - size_t keylen) +static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { TLS1_PRF *ctx = (TLS1_PRF *)vctx; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) return 0; if (ctx->P_hash == NULL) { @@ -289,14 +289,8 @@ static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, unsigned char Ai[EVP_MAX_MD_SIZE]; size_t Ai_len; int ret = 0; - OSSL_PARAM params[2], *p = params; - *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - (void *)sec, sec_len); - *p = OSSL_PARAM_construct_end(); - if (!EVP_MAC_CTX_set_params(ctx_init, params)) - goto err; - if (!EVP_MAC_init(ctx_init)) + if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL)) goto err; chunk = EVP_MAC_CTX_get_mac_size(ctx_init); if (chunk == 0) diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index a220eca80f..ca478bc883 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -392,7 +392,8 @@ static size_t x942kdf_size(KDF_X942 *ctx) return (len <= 0) ? 0 : (size_t)len; } -static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen) +static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { KDF_X942 *ctx = (KDF_X942 *)vctx; const EVP_MD *md; @@ -401,7 +402,7 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen) unsigned char *der = NULL; size_t der_len = 0; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !x942kdf_set_ctx_params(ctx, params)) return 0; /* diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c index 4f36991d41..35a162246e 100644 --- a/providers/implementations/macs/blake2_mac_impl.c +++ b/providers/implementations/macs/blake2_mac_impl.c @@ -87,19 +87,36 @@ static size_t blake2_mac_size(void *vmacctx) return macctx->params.digest_length; } -static int blake2_mac_init(void *vmacctx) +static int blake2_setkey(struct blake2_mac_data_st *macctx, + const unsigned char *key, size_t keylen) +{ + if (keylen > BLAKE2_KEYBYTES || keylen == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } + memcpy(macctx->key, key, keylen); + /* Pad with zeroes at the end if required */ + if (keylen < BLAKE2_KEYBYTES) + memset(macctx->key + keylen, 0, BLAKE2_KEYBYTES - keylen); + BLAKE2_PARAM_SET_KEY_LENGTH(&macctx->params, (uint8_t)keylen); + return 1; +} + +static int blake2_mac_init(void *vmacctx, const unsigned char *key, + size_t keylen, const OSSL_PARAM params[]) { struct blake2_mac_data_st *macctx = vmacctx; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !blake2_mac_set_ctx_params(macctx, params)) return 0; - - /* Check key has been set */ - if (macctx->params.key_length == 0) { + if (key != NULL) { + if (!blake2_setkey(macctx, key, keylen)) + return 0; + } else if (macctx->params.key_length == 0) { + /* Check key has been set */ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); return 0; } - return BLAKE2_INIT_KEY(&macctx->ctx, &macctx->params, macctx->key); } @@ -180,19 +197,9 @@ static int blake2_mac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) BLAKE2_PARAM_SET_DIGEST_LENGTH(&macctx->params, (uint8_t)size); } - if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) { - size_t len; - void *key_p = macctx->key; - - if (!OSSL_PARAM_get_octet_string(p, &key_p, BLAKE2_KEYBYTES, &len)) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); - return 0; - } - /* Pad with zeroes at the end */ - memset(macctx->key + len, 0, BLAKE2_KEYBYTES - len); - - BLAKE2_PARAM_SET_KEY_LENGTH(&macctx->params, (uint8_t)len); - } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL + && !blake2_setkey(macctx, p->data, p->data_size)) + return 0; if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CUSTOM)) != NULL) { diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c index 08c4eebbf3..9aefc2cbec 100644 --- a/providers/implementations/macs/cmac_prov.c +++ b/providers/implementations/macs/cmac_prov.c @@ -102,20 +102,26 @@ static size_t cmac_size(void *vmacctx) return EVP_CIPHER_CTX_block_size(CMAC_CTX_get0_cipher_ctx(macctx->ctx)); } -static int cmac_init(void *vmacctx) +static int cmac_setkey(struct cmac_data_st *macctx, + const unsigned char *key, size_t keylen) +{ + int rv = CMAC_Init(macctx->ctx, key, keylen, + ossl_prov_cipher_cipher(&macctx->cipher), + ossl_prov_cipher_engine(&macctx->cipher)); + ossl_prov_cipher_reset(&macctx->cipher); + return rv; +} + +static int cmac_init(void *vmacctx, const unsigned char *key, + size_t keylen, const OSSL_PARAM params[]) { struct cmac_data_st *macctx = vmacctx; - int rv; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !cmac_set_ctx_params(macctx, params)) return 0; - - rv = CMAC_Init(macctx->ctx, NULL, 0, - ossl_prov_cipher_cipher(&macctx->cipher), - ossl_prov_cipher_engine(&macctx->cipher)); - - ossl_prov_cipher_reset(&macctx->cipher); - return rv; + if (key != NULL) + return cmac_setkey(macctx, key, keylen); + return 1; } static int cmac_update(void *vmacctx, const unsigned char *data, @@ -184,13 +190,7 @@ static int cmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) return 0; - - if (!CMAC_Init(macctx->ctx, p->data, p->data_size, - ossl_prov_cipher_cipher(&macctx->cipher), - ossl_prov_cipher_engine(&macctx->cipher))) - return 0; - - ossl_prov_cipher_reset(&macctx->cipher); + return cmac_setkey(macctx, p->data, p->data_size); } return 1; } diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c index 3a4600b66a..14ca948077 100644 --- a/providers/implementations/macs/gmac_prov.c +++ b/providers/implementations/macs/gmac_prov.c @@ -98,9 +98,30 @@ static size_t gmac_size(void) return EVP_GCM_TLS_TAG_LEN; } -static int gmac_init(void *vmacctx) +static int gmac_setkey(struct gmac_data_st *macctx, + const unsigned char *key, size_t keylen) { - return ossl_prov_is_running(); + EVP_CIPHER_CTX *ctx = macctx->ctx; + + if (keylen != (size_t)EVP_CIPHER_CTX_key_length(ctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } + if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL)) + return 0; + return 1; +} + +static int gmac_init(void *vmacctx, const unsigned char *key, + size_t keylen, const OSSL_PARAM params[]) +{ + struct gmac_data_st *macctx = vmacctx; + + if (!ossl_prov_is_running() || !gmac_set_ctx_params(macctx, params)) + return 0; + if (key != NULL) + return gmac_setkey(macctx, key, keylen); + return 1; } static int gmac_update(void *vmacctx, const unsigned char *data, @@ -186,7 +207,9 @@ static int gmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(macctx->provctx); const OSSL_PARAM *p; - if (ctx == NULL + if (params == NULL) + return 1; + if (ctx == NULL || !ossl_prov_cipher_load_from_params(&macctx->cipher, params, provctx)) return 0; @@ -200,17 +223,11 @@ static int gmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) NULL)) return 0; - if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) { - if (p->data_type != OSSL_PARAM_OCTET_STRING) + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) + if (p->data_type != OSSL_PARAM_OCTET_STRING + || !gmac_setkey(macctx, p->data, p->data_size)) return 0; - if (p->data_size != (size_t)EVP_CIPHER_CTX_key_length(ctx)) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); - return 0; - } - if (!EVP_EncryptInit_ex(ctx, NULL, NULL, p->data, NULL)) - return 0; - } if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_IV)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) return 0; diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c index 6d7d3d5118..7188232d7d 100644 --- a/providers/implementations/macs/hmac_prov.c +++ b/providers/implementations/macs/hmac_prov.c @@ -141,22 +141,39 @@ static size_t hmac_size(void *vmacctx) return HMAC_size(macctx->ctx); } -static int hmac_init(void *vmacctx) +static int hmac_setkey(struct hmac_data_st *macctx, + const unsigned char *key, size_t keylen) { - struct hmac_data_st *macctx = vmacctx; const EVP_MD *digest; - int rv = 1; - if (!ossl_prov_is_running()) + if (macctx->keylen > 0) + OPENSSL_secure_clear_free(macctx->key, macctx->keylen); + /* Keep a copy of the key in case we need it for TLS HMAC */ + macctx->key = OPENSSL_secure_malloc(keylen > 0 ? keylen : 1); + if (macctx->key == NULL) return 0; + memcpy(macctx->key, key, keylen); + macctx->keylen = keylen; digest = ossl_prov_digest_md(&macctx->digest); /* HMAC_Init_ex doesn't tolerate all zero params, so we must be careful */ - if (macctx->tls_data_size == 0 && digest != NULL) - rv = HMAC_Init_ex(macctx->ctx, NULL, 0, digest, - ossl_prov_digest_engine(&macctx->digest)); + if (key != NULL || (macctx->tls_data_size == 0 && digest != NULL)) + return HMAC_Init_ex(macctx->ctx, key, keylen, digest, + ossl_prov_digest_engine(&macctx->digest)); + return 1; +} + +static int hmac_init(void *vmacctx, const unsigned char *key, + size_t keylen, const OSSL_PARAM params[]) +{ + struct hmac_data_st *macctx = vmacctx; + + if (!ossl_prov_is_running() || !hmac_set_ctx_params(macctx, params)) + return 0; - return rv; + if (key != NULL && !hmac_setkey(macctx, key, keylen)) + return 0; + return 1; } static int hmac_update(void *vmacctx, const unsigned char *data, diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index 76f581ee77..361ff8e716 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c @@ -241,23 +241,41 @@ static size_t kmac_size(void *vmacctx) return kctx->out_len; } +static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key, + size_t keylen) +{ + const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest); + + if (keylen < 4 || keylen > KMAC_MAX_KEY) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } + if (!kmac_bytepad_encode_key(kctx->key, &kctx->key_len, + key, keylen, EVP_MD_block_size(digest))) + return 0; + return 1; +} + /* * The init() assumes that any ctrl methods are set beforehand for * md, key and custom. Setting the fields afterwards will have no * effect on the output mac. */ -static int kmac_init(void *vmacctx) +static int kmac_init(void *vmacctx, const unsigned char *key, + size_t keylen, const OSSL_PARAM params[]) { struct kmac_data_st *kctx = vmacctx; EVP_MD_CTX *ctx = kctx->ctx; unsigned char out[KMAC_MAX_BLOCKSIZE]; int out_len, block_len; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || !kmac_set_ctx_params(kctx, params)) return 0; - - /* Check key has been set */ - if (kctx->key_len == 0) { + if (key != NULL) { + if (!kmac_setkey(kctx, key, keylen)) + return 0; + } else if (kctx->key_len == 0) { + /* Check key has been set */ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); return 0; } @@ -271,11 +289,11 @@ static int kmac_init(void *vmacctx) /* Set default custom string if it is not already set */ if (kctx->custom_len == 0) { - const OSSL_PARAM params[] = { + const OSSL_PARAM cparams[] = { OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, "", 0), OSSL_PARAM_END }; - (void)kmac_set_ctx_params(kctx, params); + (void)kmac_set_ctx_params(kctx, cparams); } return bytepad(out, &out_len, kmac_string, sizeof(kmac_string), @@ -360,7 +378,6 @@ static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params) { struct kmac_data_st *kctx = vmacctx; const OSSL_PARAM *p; - const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest); if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL && !OSSL_PARAM_get_int(p, &kctx->xof_mode)) @@ -368,16 +385,9 @@ static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params) if (((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) && !OSSL_PARAM_get_size_t(p, &kctx->out_len)) return 0; - if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) { - if (p->data_size < 4 || p->data_size > KMAC_MAX_KEY) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); - return 0; - } - if (!kmac_bytepad_encode_key(kctx->key, &kctx->key_len, - p->data, p->data_size, - EVP_MD_block_size(digest))) - return 0; - } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL + && !kmac_setkey(kctx, p->data, p->data_size)) + return 0; if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CUSTOM)) != NULL) { if (p->data_size > KMAC_MAX_CUSTOM) { diff --git a/providers/implementations/macs/poly1305_prov.c b/providers/implementations/macs/poly1305_prov.c index 3f784e9c28..5a09926551 100644 --- a/providers/implementations/macs/poly1305_prov.c +++ b/providers/implementations/macs/poly1305_prov.c @@ -77,10 +77,28 @@ static size_t poly1305_size(void) return POLY1305_DIGEST_SIZE; } -static int poly1305_init(void *vmacctx) +static int poly1305_setkey(struct poly1305_data_st *ctx, + const unsigned char *key, size_t keylen) { + if (keylen != POLY1305_KEY_SIZE) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } + Poly1305_Init(&ctx->poly1305, key); + return 1; +} + +static int poly1305_init(void *vmacctx, const unsigned char *key, + size_t keylen, const OSSL_PARAM params[]) +{ + struct poly1305_data_st *ctx = vmacctx; + /* initialize the context in MAC_ctrl function */ - return ossl_prov_is_running(); + if (!ossl_prov_is_running() || !poly1305_set_ctx_params(ctx, params)) + return 0; + if (key != NULL) + return poly1305_setkey(ctx, key, keylen); + return 1; } static int poly1305_update(void *vmacctx, const unsigned char *data, @@ -140,16 +158,11 @@ static const OSSL_PARAM *poly1305_settable_ctx_params(ossl_unused void *ctx, static int poly1305_set_ctx_params(void *vmacctx, const OSSL_PARAM *params) { struct poly1305_data_st *ctx = vmacctx; - const OSSL_PARAM *p = NULL; - - if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) { - if (p->data_type != OSSL_PARAM_OCTET_STRING - || p->data_size != POLY1305_KEY_SIZE) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); - return 0; - } - Poly1305_Init(&ctx->poly1305, p->data); - } + const OSSL_PARAM *p; + + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL + && !poly1305_setkey(ctx, p->data, p->data_size)) + return 0; return 1; } diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c index 95a345495e..3f2e3267e0 100644 --- a/providers/implementations/macs/siphash_prov.c +++ b/providers/implementations/macs/siphash_prov.c @@ -45,8 +45,19 @@ static OSSL_FUNC_mac_final_fn siphash_final; struct siphash_data_st { void *provctx; SIPHASH siphash; /* Siphash data */ + unsigned int crounds, drounds; }; +static unsigned int crounds(struct siphash_data_st *ctx) +{ + return ctx->crounds != 0 ? ctx->crounds : SIPHASH_C_ROUNDS; +} + +static unsigned int drounds(struct siphash_data_st *ctx) +{ + return ctx->drounds != 0 ? ctx->drounds : SIPHASH_D_ROUNDS; +} + static void *siphash_new(void *provctx) { struct siphash_data_st *ctx; @@ -86,10 +97,27 @@ static size_t siphash_size(void *vmacctx) return SipHash_hash_size(&ctx->siphash); } -static int siphash_init(void *vmacctx) +static int siphash_setkey(struct siphash_data_st *ctx, + const unsigned char *key, size_t keylen) +{ + if (keylen != SIPHASH_KEY_SIZE) + return 0; + return SipHash_Init(&ctx->siphash, key, crounds(ctx), drounds(ctx)); +} + +static int siphash_init(void *vmacctx, const unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) { - /* Not much to do here, actual initialization happens through controls */ - return ossl_prov_is_running(); + struct siphash_data_st *ctx = vmacctx; + + if (!ossl_prov_is_running() || !siphash_set_params(ctx, params)) + return 0; + /* Without a key, there is not much to do here, + * The actual initialization happens through controls. + */ + if (key == NULL) + return 1; + return siphash_setkey(ctx, key, keylen); } static int siphash_update(void *vmacctx, const unsigned char *data, @@ -117,35 +145,47 @@ static int siphash_final(void *vmacctx, unsigned char *out, size_t *outl, return SipHash_Final(&ctx->siphash, out, hlen); } -static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), - OSSL_PARAM_END -}; static const OSSL_PARAM *siphash_gettable_ctx_params(ossl_unused void *ctx, ossl_unused void *provctx) { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), + OSSL_PARAM_uint(OSSL_MAC_PARAM_C_ROUNDS, NULL), + OSSL_PARAM_uint(OSSL_MAC_PARAM_D_ROUNDS, NULL), + OSSL_PARAM_END + }; + return known_gettable_ctx_params; } static int siphash_get_ctx_params(void *vmacctx, OSSL_PARAM params[]) { + struct siphash_data_st *ctx = vmacctx; OSSL_PARAM *p; - if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL) - return OSSL_PARAM_set_size_t(p, siphash_size(vmacctx)); - + if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL + && !OSSL_PARAM_set_size_t(p, siphash_size(vmacctx))) + return 0; + if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_C_ROUNDS)) != NULL + && !OSSL_PARAM_set_uint(p, crounds(ctx))) + return 0; + if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_D_ROUNDS)) != NULL + && !OSSL_PARAM_set_uint(p, drounds(ctx))) + return 0; return 1; } -static const OSSL_PARAM known_settable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), - OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), - OSSL_PARAM_END -}; - static const OSSL_PARAM *siphash_settable_ctx_params(ossl_unused void *ctx, void *provctx) { + static const OSSL_PARAM known_settable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), + OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), + OSSL_PARAM_uint(OSSL_MAC_PARAM_C_ROUNDS, NULL), + OSSL_PARAM_uint(OSSL_MAC_PARAM_D_ROUNDS, NULL), + OSSL_PARAM_END + }; + return known_settable_ctx_params; } @@ -153,18 +193,22 @@ static int siphash_set_params(void *vmacctx, const OSSL_PARAM *params) { struct siphash_data_st *ctx = vmacctx; const OSSL_PARAM *p = NULL; + size_t size; if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) { - size_t size; - if (!OSSL_PARAM_get_size_t(p, &size) || !SipHash_set_hash_size(&ctx->siphash, size)) return 0; } + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_C_ROUNDS)) != NULL + && !OSSL_PARAM_get_uint(p, &ctx->crounds)) + return 0; + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_D_ROUNDS)) != NULL + && !OSSL_PARAM_get_uint(p, &ctx->drounds)) + return 0; if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) if (p->data_type != OSSL_PARAM_OCTET_STRING - || p->data_size != SIPHASH_KEY_SIZE - || !SipHash_Init(&ctx->siphash, p->data, 0, 0)) + || !siphash_setkey(ctx, p->data, p->data_size)) return 0; return 1; } diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index fc8ac52ac2..a05c9397c8 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -365,9 +365,6 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, size_t noncelen = 0, entropylen = 0; size_t min_entropy, min_entropylen, max_entropylen; - if (!ossl_prov_is_running()) - return 0; - if (strength > drbg->strength) { ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH); goto end; diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index 066775aa52..48e8677ec8 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -18,6 +18,7 @@ #include "crypto/modes.h" #include "internal/thread_once.h" #include "prov/implementations.h" +#include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "drbg_local.h" @@ -326,10 +327,13 @@ static int drbg_ctr_instantiate(PROV_DRBG *drbg, static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength, int prediction_resistance, const unsigned char *pstr, - size_t pstr_len) + size_t pstr_len, + const OSSL_PARAM params[]) { PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; + if (!ossl_prov_is_running() || !drbg_ctr_set_ctx_params(drbg, params)) + return 0; return ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance, pstr, pstr_len); } diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index c89b0cd5c3..4db104c773 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -266,10 +266,13 @@ static int drbg_hash_instantiate(PROV_DRBG *drbg, static int drbg_hash_instantiate_wrapper(void *vdrbg, unsigned int strength, int prediction_resistance, const unsigned char *pstr, - size_t pstr_len) + size_t pstr_len, + const OSSL_PARAM params[]) { PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; + if (!ossl_prov_is_running() || !drbg_hash_set_ctx_params(drbg, params)) + return 0; return ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance, pstr, pstr_len); } diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index 5f193fa57c..67c0339801 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -60,12 +60,8 @@ static int do_hmac(PROV_DRBG_HMAC *hmac, unsigned char inbyte, const unsigned char *in3, size_t in3len) { EVP_MAC_CTX *ctx = hmac->ctx; - OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; - *params = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, hmac->K, - hmac->blocklen); - if (!EVP_MAC_CTX_set_params(ctx, params) - || !EVP_MAC_init(ctx) + if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) /* K = HMAC(K, V || inbyte || [in1] || [in2] || [in3]) */ || !EVP_MAC_update(ctx, hmac->V, hmac->blocklen) || !EVP_MAC_update(ctx, &inbyte, 1) @@ -76,10 +72,7 @@ static int do_hmac(PROV_DRBG_HMAC *hmac, unsigned char inbyte, return 0; /* V = HMAC(K, V) */ - *params = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, hmac->K, - hmac->blocklen); - return EVP_MAC_CTX_set_params(ctx, params) - && EVP_MAC_init(ctx) + return EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) && EVP_MAC_update(ctx, hmac->V, hmac->blocklen) && EVP_MAC_final(ctx, hmac->V, NULL, sizeof(hmac->V)); } @@ -150,10 +143,13 @@ static int drbg_hmac_instantiate(PROV_DRBG *drbg, static int drbg_hmac_instantiate_wrapper(void *vdrbg, unsigned int strength, int prediction_resistance, const unsigned char *pstr, - size_t pstr_len) + size_t pstr_len, + const OSSL_PARAM params[]) { PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; + if (!ossl_prov_is_running() || !drbg_hmac_set_ctx_params(drbg, params)) + return 0; return ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance, pstr, pstr_len); } @@ -202,7 +198,6 @@ static int drbg_hmac_generate(PROV_DRBG *drbg, PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; EVP_MAC_CTX *ctx = hmac->ctx; const unsigned char *temp = hmac->V; - OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; /* (Step 2) if adin != NULL then (K,V) = HMAC_DRBG_Update(adin, K, V) */ if (adin != NULL @@ -218,10 +213,7 @@ static int drbg_hmac_generate(PROV_DRBG *drbg, * } */ for (;;) { - *params = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - hmac->K, hmac->blocklen); - if (!EVP_MAC_CTX_set_params(ctx, params) - || !EVP_MAC_init(ctx) + if (!EVP_MAC_init(ctx, hmac->K, hmac->blocklen, NULL) || !EVP_MAC_update(ctx, temp, hmac->blocklen)) return 0; diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index b87aa0c6cd..ad315efb9b 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c @@ -70,7 +70,8 @@ static void seed_src_free(void *vseed) static int seed_src_instantiate(void *vseed, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len) + const unsigned char *pstr, size_t pstr_len, + ossl_unused const OSSL_PARAM params[]) { PROV_SEED_SRC *s = (PROV_SEED_SRC *)vseed; diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index d28f7e0937..1335de8681 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -79,11 +79,12 @@ static void test_rng_free(void *vtest) static int test_rng_instantiate(void *vtest, unsigned int strength, int prediction_resistance, - const unsigned char *pstr, size_t pstr_len) + const unsigned char *pstr, size_t pstr_len, + const OSSL_PARAM params[]) { PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest; - if (strength > t->strength) + if (!test_rng_set_ctx_params(t, params) || strength > t->strength) return 0; t->state = EVP_RAND_STATE_READY; diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c index 2386583069..fb99221f08 100644 --- a/providers/implementations/signature/mac_legacy.c +++ b/providers/implementations/signature/mac_legacy.c @@ -117,11 +117,11 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey) (char *)mdname, (char *)engine, pmacctx->key->properties, - pmacctx->key->priv_key, - pmacctx->key->priv_key_len)) + NULL, 0)) return 0; - if (!EVP_MAC_init(pmacctx->macctx)) + if (!EVP_MAC_init(pmacctx->macctx, pmacctx->key->priv_key, + pmacctx->key->priv_key_len, NULL)) return 0; return 1; diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 531872bfb0..bb0ee0c5d4 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -69,8 +69,7 @@ static int tls1_PRF(SSL *s, *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (void *)seed5, (size_t)seed5_len); *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) - && EVP_KDF_derive(kctx, out, olen)) { + if (EVP_KDF_derive(kctx, out, olen, params)) { EVP_KDF_CTX_free(kctx); return 1; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ace890d915..4d66db9f9d 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3393,13 +3393,12 @@ EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) { - OSSL_PARAM params[3], *p = params; + OSSL_PARAM params[2], *p = params; if (ctx->ctx != NULL) { *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key, len); *p = OSSL_PARAM_construct_end(); - if (EVP_MAC_CTX_set_params(ctx->ctx, params) && EVP_MAC_init(ctx->ctx)) + if (EVP_MAC_init(ctx->ctx, key, len, params)) return 1; } #ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index c5b4dcc8d1..d48f305b01 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -105,8 +105,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, hkdflabel, hkdflabellen); *p++ = OSSL_PARAM_construct_end(); - ret = EVP_KDF_CTX_set_params(kctx, params) <= 0 - || EVP_KDF_derive(kctx, out, outlen) <= 0; + ret = EVP_KDF_derive(kctx, out, outlen, params) <= 0; EVP_KDF_CTX_free(kctx); @@ -258,8 +257,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, prevsecretlen); *p++ = OSSL_PARAM_construct_end(); - ret = EVP_KDF_CTX_set_params(kctx, params) <= 0 - || EVP_KDF_derive(kctx, outsecret, mdlen) <= 0; + ret = EVP_KDF_derive(kctx, outsecret, mdlen, params) <= 0; if (ret != 0) SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -311,9 +309,10 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, EVP_MAC *hmac = EVP_MAC_fetch(s->ctx->libctx, "HMAC", s->ctx->propq); unsigned char hash[EVP_MAX_MD_SIZE]; unsigned char finsecret[EVP_MAX_MD_SIZE]; + unsigned char *key = NULL; size_t hashlen, ret = 0; EVP_MAC_CTX *ctx = NULL; - OSSL_PARAM params[4], *p = params; + OSSL_PARAM params[3], *p = params; if (hmac == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -327,6 +326,7 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES, (char *)s->ctx->propq, 0); + *p = OSSL_PARAM_construct_end(); if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { /* SSLfatal() already called */ @@ -334,28 +334,20 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, } if (str == s->method->ssl3_enc->server_finished_label) { - *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - s->server_finished_secret, - hashlen); + key = s->server_finished_secret; } else if (SSL_IS_FIRST_HANDSHAKE(s)) { - *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - s->client_finished_secret, - hashlen); + key = s->client_finished_secret; } else { if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), s->client_app_traffic_secret, finsecret, hashlen)) goto err; - - *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, finsecret, - hashlen); + key = finsecret; } - *p++ = OSSL_PARAM_construct_end(); ctx = EVP_MAC_CTX_new(hmac); if (ctx == NULL - || !EVP_MAC_CTX_set_params(ctx, params) - || !EVP_MAC_init(ctx) + || !EVP_MAC_init(ctx, key, hashlen, params) || !EVP_MAC_update(ctx, hash, hashlen) /* outsize as per sizeof(peer_finish_md) */ || !EVP_MAC_final(ctx, out, &hashlen, EVP_MAX_MD_SIZE * 2)) { diff --git a/test/acvp_test.c b/test/acvp_test.c index 6d7360b5b6..dab75a8a13 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -1383,7 +1383,7 @@ static int drbg_test(int id) * A NULL personalisation string defaults to the built in so something * non-NULL is needed if there is no personalisation string */ - if (!TEST_true(EVP_RAND_instantiate(ctx, 0, 0, (void *)"", 0)) + if (!TEST_true(EVP_RAND_instantiate(ctx, 0, 0, (void *)"", 0, NULL)) || !TEST_true(EVP_RAND_generate(ctx, returned_bits, returned_bits_len, 0, 0, NULL, 0)) || !TEST_true(EVP_RAND_generate(ctx, returned_bits, returned_bits_len, diff --git a/test/bad_dtls_test.c b/test/bad_dtls_test.c index bfbaa7953a..0eef2a2239 100644 --- a/test/bad_dtls_test.c +++ b/test/bad_dtls_test.c @@ -286,7 +286,7 @@ static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr, unsigned char iv[16]; unsigned char pad; unsigned char *enc; - OSSL_PARAM params[3]; + OSSL_PARAM params[2]; seq[0] = (seqnr >> 40) & 0xff; seq[1] = (seqnr >> 32) & 0xff; @@ -309,11 +309,8 @@ static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr, EVP_MAC_free(hmac); params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "SHA1", 0); - params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, - mac_key, 20); - params[2] = OSSL_PARAM_construct_end(); - EVP_MAC_CTX_set_params(ctx, params); - EVP_MAC_init(ctx); + params[1] = OSSL_PARAM_construct_end(); + EVP_MAC_init(ctx, mac_key, 20, params); EVP_MAC_update(ctx, epoch, 2); EVP_MAC_update(ctx, seq, 6); EVP_MAC_update(ctx, &type, 1); diff --git a/test/drbgtest.c b/test/drbgtest.c index 1276f726cc..07f123dce8 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -828,11 +828,11 @@ static int test_rand_prediction_resistance(void) /* Initialise a three long DRBG chain */ if (!TEST_ptr(x = new_drbg(NULL)) || !TEST_true(disable_crngt(x)) - || !TEST_true(EVP_RAND_instantiate(x, 0, 0, NULL, 0)) + || !TEST_true(EVP_RAND_instantiate(x, 0, 0, NULL, 0, NULL)) || !TEST_ptr(y = new_drbg(x)) - || !TEST_true(EVP_RAND_instantiate(y, 0, 0, NULL, 0)) + || !TEST_true(EVP_RAND_instantiate(y, 0, 0, NULL, 0, NULL)) || !TEST_ptr(z = new_drbg(y)) - || !TEST_true(EVP_RAND_instantiate(z, 0, 0, NULL, 0))) + || !TEST_true(EVP_RAND_instantiate(z, 0, 0, NULL, 0, NULL))) goto err; /* diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index a1a2fadcce..0c1de95f95 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -61,8 +61,7 @@ static int test_kdf_tls1_prf(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -100,7 +99,7 @@ static int test_kdf_tls1_prf_zero_output_size(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF)) && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_eq(EVP_KDF_derive(kctx, out, 0), 0); + && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -118,8 +117,7 @@ static int test_kdf_tls1_prf_empty_secret(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0); + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -137,8 +135,7 @@ static int test_kdf_tls1_prf_1byte_secret(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0); + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -158,7 +155,7 @@ static int test_kdf_tls1_prf_empty_seed(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF)) && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0); + && TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -176,8 +173,7 @@ static int test_kdf_tls1_prf_1byte_seed(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_TLS1_PRF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0); + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -217,8 +213,7 @@ static int test_kdf_hkdf(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -256,7 +251,7 @@ static int test_kdf_hkdf_zero_output_size(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)) && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_eq(EVP_KDF_derive(kctx, out, 0), 0); + && TEST_int_eq(EVP_KDF_derive(kctx, out, 0, NULL), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -274,8 +269,7 @@ static int test_kdf_hkdf_empty_key(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0); + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -293,8 +287,7 @@ static int test_kdf_hkdf_1byte_key(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0); + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -312,8 +305,7 @@ static int test_kdf_hkdf_empty_salt(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0); + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -359,8 +351,7 @@ static int test_kdf_pbkdf2(void) &iterations, &mode); if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2)) - || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) || !TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) goto err; @@ -387,7 +378,7 @@ static int test_kdf_pbkdf2_small_output(void) if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2)) || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)) /* A key length that is too small should fail */ - || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1), 0)) + || !TEST_int_eq(EVP_KDF_derive(kctx, out, 112 / 8 - 1, NULL), 0)) goto err; ret = 1; @@ -415,9 +406,9 @@ static int test_kdf_pbkdf2_large_output(void) &iterations, &mode); if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2)) - || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)) /* A key length that is too large should fail */ - || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len), 0))) + || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)) + || (len != 0 && !TEST_int_eq(EVP_KDF_derive(kctx, out, len, NULL), 0))) goto err; ret = 1; @@ -492,7 +483,7 @@ static int test_kdf_pbkdf2_small_salt_pkcs5(void) if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2)) /* A salt that is too small should pass in pkcs5 mode */ || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)) + || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)) goto err; mode = 0; @@ -501,7 +492,7 @@ static int test_kdf_pbkdf2_small_salt_pkcs5(void) /* If the "pkcs5" mode is disabled then the derive will now fail */ if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params)) - || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0)) + || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)) goto err; ret = 1; @@ -528,7 +519,7 @@ static int test_kdf_pbkdf2_small_iterations_pkcs5(void) if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_PBKDF2)) /* An iteration count that is too small will pass in pkcs5 mode */ || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)) + || !TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)) goto err; mode = 0; @@ -537,7 +528,7 @@ static int test_kdf_pbkdf2_small_iterations_pkcs5(void) /* If the "pkcs5" mode is disabled then the derive will now fail */ if (!TEST_true(EVP_KDF_CTX_set_params(kctx, mode_params)) - || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out)), 0)) + || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)) goto err; ret = 1; @@ -604,10 +595,10 @@ static int test_kdf_scrypt(void) TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT)) && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) /* failure test *//* - && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out)), 0)*/ + && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/ && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024)) && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -646,8 +637,7 @@ static int test_kdf_ss_hash(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -700,8 +690,7 @@ static int test_kdf_x963(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X963KDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -756,8 +745,8 @@ static int test_kdf_kbkdf_6803_128(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), + params), 0) && TEST_mem_eq(result, sizeof(result), outputs[i], sizeof(outputs[i])); EVP_KDF_CTX_free(kctx); @@ -822,8 +811,8 @@ static int test_kdf_kbkdf_6803_256(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), + params), 0) && TEST_mem_eq(result, sizeof(result), outputs[i], sizeof(outputs[i])); EVP_KDF_CTX_free(kctx); @@ -913,7 +902,7 @@ static int test_kdf_kbkdf_empty_key(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result)), 0); + && TEST_int_eq(EVP_KDF_derive(kctx, result, sizeof(result), NULL), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -933,8 +922,7 @@ static int test_kdf_kbkdf_1byte_key(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0); + && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -956,7 +944,7 @@ static int test_kdf_kbkdf_zero_output_size(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_eq(EVP_KDF_derive(kctx, result, 0), 0); + && TEST_int_eq(EVP_KDF_derive(kctx, result, 0, NULL), 0); EVP_KDF_CTX_free(kctx); OPENSSL_free(params); @@ -998,8 +986,7 @@ static int test_kdf_kbkdf_8009_prf1(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0) && TEST_mem_eq(result, sizeof(result), output, sizeof(output)); EVP_KDF_CTX_free(kctx); @@ -1043,8 +1030,7 @@ static int test_kdf_kbkdf_8009_prf2(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0) && TEST_mem_eq(result, sizeof(result), output, sizeof(output)); EVP_KDF_CTX_free(kctx); @@ -1104,8 +1090,7 @@ static int test_kdf_kbkdf_fixedinfo(void) kctx = get_kdfbyname("KBKDF"); ret = TEST_ptr(kctx) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result), params), 0) && TEST_mem_eq(result, sizeof(result), output, sizeof(output)); EVP_KDF_CTX_free(kctx); @@ -1147,8 +1132,7 @@ static int test_kdf_ss_hmac(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -1192,8 +1176,7 @@ static int test_kdf_ss_kmac(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -1250,8 +1233,7 @@ static int test_kdf_sshkdf(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSHKDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -1338,8 +1320,7 @@ static int test_kdf_x942_asn1(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); @@ -1375,8 +1356,7 @@ static int test_kdf_krb5kdf(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KRB5KDF)) - && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); diff --git a/test/evp_test.c b/test/evp_test.c index d3b02a2e46..8c88f0937c 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1279,11 +1279,6 @@ static int mac_test_run_mac(EVP_TEST *t) goto err; } } - if (expected->key != NULL) - params[params_n++] = - OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - expected->key, - expected->key_len); if (expected->custom != NULL) params[params_n++] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM, @@ -1339,11 +1334,7 @@ static int mac_test_run_mac(EVP_TEST *t) goto err; } - if (!EVP_MAC_CTX_set_params(ctx, params)) { - t->err = "MAC_BAD_PARAMS"; - goto err; - } - if (!EVP_MAC_init(ctx)) { + if (!EVP_MAC_init(ctx, expected->key, expected->key_len, params)) { t->err = "MAC_INIT_ERROR"; goto err; } @@ -2268,16 +2259,15 @@ static int rand_test_run(EVP_TEST *t) *p++ = OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE, z, item->nonce_len); *p = OSSL_PARAM_construct_end(); - if (!TEST_true(EVP_RAND_set_ctx_params(expected->parent, params)) - || !TEST_true(EVP_RAND_instantiate(expected->parent, strength, - 0, NULL, 0))) + if (!TEST_true(EVP_RAND_instantiate(expected->parent, strength, + 0, NULL, 0, params))) goto err; z = item->pers != NULL ? item->pers : (unsigned char *)""; if (!TEST_true(EVP_RAND_instantiate (expected->ctx, strength, expected->prediction_resistance, z, - item->pers_len))) + item->pers_len, NULL))) goto err; if (item->reseed_entropy != NULL) { @@ -2473,7 +2463,7 @@ static int kdf_test_run(EVP_TEST *t) t->err = "INTERNAL_ERROR"; goto err; } - if (EVP_KDF_derive(expected->ctx, got, got_len) <= 0) { + if (EVP_KDF_derive(expected->ctx, got, got_len, NULL) <= 0) { t->err = "KDF_DERIVE_ERROR"; goto err; } diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc index 380e6853c6..eff0b3eb9b 100644 --- a/test/ossl_shim/ossl_shim.cc +++ b/test/ossl_shim/ossl_shim.cc @@ -373,7 +373,7 @@ static int NewSessionCallback(SSL *ssl, SSL_SESSION *session) { static int TicketKeyCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv, EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hmac_ctx, int encrypt) { - OSSL_PARAM params[3], *p = params; + OSSL_PARAM params[2], *p = params; if (!encrypt) { if (GetTestState(ssl)->ticket_decrypt_done) { @@ -396,14 +396,10 @@ static int TicketKeyCallback(SSL *ssl, uint8_t *key_name, uint8_t *iv, *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, const_cast("SHA256"), 0); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, - (void *)kZeros, - sizeof(kZeros)); *p = OSSL_PARAM_construct_end(); if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, kZeros, iv, encrypt) - || !EVP_MAC_init(hmac_ctx) - || !EVP_MAC_CTX_set_params(hmac_ctx, params)) { + || !EVP_MAC_init(hmac_ctx, kZeros, sizeof(kZeros), params)) { return -1; } diff --git a/test/recipes/30-test_evp_data/evpmac_blake.txt b/test/recipes/30-test_evp_data/evpmac_blake.txt index ad5836a175..416d6b25dd 100644 --- a/test/recipes/30-test_evp_data/evpmac_blake.txt +++ b/test/recipes/30-test_evp_data/evpmac_blake.txt @@ -169,7 +169,7 @@ Output = 233a6c732212f4813ec4c9f357e35297e59a652fd24155205f00363f7c54734ee1e8c73 MAC = BLAKE2BMAC Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Ctrl = size:128 -Result = MAC_BAD_PARAMS +Result = MAC_INIT_ERROR MAC = BLAKE2BMAC Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f @@ -225,7 +225,7 @@ Output = e9f7704dfe5080a4aafe62a806f53ea7f98ffc24175164158f18ec5497b961f5 MAC = BLAKE2SMAC Key = 000102030405060708090a0b0c0d0e0f Ctrl = size:64 -Result = MAC_BAD_PARAMS +Result = MAC_INIT_ERROR MAC = BLAKE2SMAC Key = 000102030405060708090a0b0c0d0e0f diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt index dcea924695..67a0d3482d 100644 --- a/test/recipes/30-test_evp_data/evpmac_common.txt +++ b/test/recipes/30-test_evp_data/evpmac_common.txt @@ -213,7 +213,7 @@ MAC = HMAC Algorithm = SHAKE128 Input = "Test that SHAKE128 fails" Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f -Result = MAC_BAD_PARAMS +Result = MAC_INIT_ERROR Title = CMAC tests (from FIPS module) diff --git a/test/recipes/30-test_evp_data/evpmac_siphash.txt b/test/recipes/30-test_evp_data/evpmac_siphash.txt index 2e24f8b1e5..028b2d656f 100644 --- a/test/recipes/30-test_evp_data/evpmac_siphash.txt +++ b/test/recipes/30-test_evp_data/evpmac_siphash.txt @@ -155,7 +155,7 @@ Output = 5150d1772f50834a503e069a973fbd7c MAC = SipHash Ctrl = size:13 Key = 000102030405060708090A0B0C0D0E0F -Result = MAC_BAD_PARAMS +Result = MAC_INIT_ERROR # SIPHASH - default values: 2,4 rounds, explicit 13-byte mac (invalid size) # by EVP_PKEY this time @@ -164,3 +164,24 @@ MAC = SipHash by EVP_PKEY Ctrl = size:13 Key = 000102030405060708090A0B0C0D0E0F Result = EVPPKEYCTXCTRL_ERROR + +Title = SIPHASH - explicit rounds + +MAC = SipHash +Ctrl = size:0 +Ctrl = c-rounds:2 +Ctrl = d-rounds:4 +Key = 000102030405060708090A0B0C0D0E0F +Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E +Output = 5150d1772f50834a503e069a973fbd7c + +# Generated by the reference implementation +Title = SIPHASH - non-default values: 4,8 rounds + +MAC = SipHash +Ctrl = size:8 +Ctrl = c-rounds:4 +Ctrl = d-rounds:8 +Key = 000102030405060708090A0B0C0D0E0F +Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E +Output = E67784BC5503DE23 diff --git a/test/sslapitest.c b/test/sslapitest.c index b6eb6c16db..3fa60538e9 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -6858,7 +6858,7 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16], { const unsigned char tick_aes_key[16] = "0123456789abcdef"; unsigned char tick_hmac_key[16] = "0123456789abcdef"; - OSSL_PARAM params[3]; + OSSL_PARAM params[2]; EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL); int ret; @@ -6867,14 +6867,11 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16], memset(key_name, 0, 16); params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "SHA256", 0); - params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, - tick_hmac_key, - sizeof(tick_hmac_key)); - params[2] = OSSL_PARAM_construct_end(); + params[1] = OSSL_PARAM_construct_end(); if (aes128cbc == NULL || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc) - || !EVP_MAC_CTX_set_params(hctx, params) - || !EVP_MAC_init(hctx)) + || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key), + params)) ret = -1; else ret = tick_key_renew ? 2 : 1; diff --git a/test/testutil/fake_random.c b/test/testutil/fake_random.c index 9d9b10feb1..f8b97d2287 100644 --- a/test/testutil/fake_random.c +++ b/test/testutil/fake_random.c @@ -48,7 +48,8 @@ static void fake_rand_freectx(void *vrng) static int fake_rand_instantiate(void *vrng, ossl_unused unsigned int strength, ossl_unused int prediction_resistance, ossl_unused const unsigned char *pstr, - size_t pstr_len) + size_t pstr_len, + ossl_unused const OSSL_PARAM params[]) { FAKE_RAND *frng = (FAKE_RAND *)vrng; From scan-admin at coverity.com Sun Feb 28 07:52:06 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 28 Feb 2021 07:52:06 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <603b4ba6647c9_d353a2abc413e6f704756c@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DOOM__MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE8QjSILLT6CLjIQxCxGYCTPA3JVNbdN9iZa6s0EmfEVvguxlA5m7K0cqBpAJ41ux-2FK7T5DsbWw-2Bf45H15Sj2cx312dp9jlICRrJlzJb6sgUFoN1g2LVLoSp4a8qHs27xFF6R5YWdO383SnN2HfPZTLEdjGebImybiaLd1VCwq-2BtTATIsUt-2FnJO5u22cUVzh5bCvOGZs4t3drhHqVkm081L Build ID: 372128 Analysis Summary: New defects found: 13 Defects eliminated: 16 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3DDuUv_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE8QjSILLT6CLjIQxCxGYCTPA3JVNbdN9iZa6s0EmfEVt7qV0-2BsBt-2F7wAtuheECJLP-2BObxRyUoTgkar-2BX6woXbxXsPXJZD09iDKuab44kMC8w2D-2FpDSXaIiJ44T89ZQPcoaoy6eiOx8pdCbEscWXl3zS3OS7YjPAg3VUs6NOM-2ByaAylZvWoc-2FOmw5THd3vnuliM2TLlEn-2FeCbVYDabeFoJW From scan-admin at coverity.com Sun Feb 28 07:52:38 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 28 Feb 2021 07:52:38 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <603b4bc5adfd0_d35e02abc413e6f70475cf@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DReHJ_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFSz8KD8hF3MIjhXgwQ2PVEnNj4iZusULGt6HhZakR4JIISBrWzIPtQAx-2FdYJhy4tbRZKDWkLku6FWJHkbPUgZAqYNCfzHhdDR75dMR3ujhZqaLC7VjXmiOz-2F9s8GtCkZ0X9AjiRsBj-2FsrjR2MsQlSZ55P5JMjtmaBCKKvH1iOM-2BUSST-2FUUwsTQfn-2FORRTq7Z4-3D Build ID: 372129 Analysis Summary: New defects found: 0 Defects eliminated: 0 From no-reply at appveyor.com Sun Feb 28 07:58:02 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 28 Feb 2021 07:58:02 +0000 Subject: Build failed: openssl master.40289 Message-ID: <20210228075802.1.FF3BAD6890ED8C26@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Sun Feb 28 10:47:08 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Sun, 28 Feb 2021 10:47:08 +0000 Subject: [openssl] master update Message-ID: <1614509228.477713.24491.nullmailer@dev.openssl.org> The branch master has been updated via e60e974414a7e637ff2f946dc2aa24c381a32cc2 (commit) via 46a11faf3b86ddd2fcc687a0fcfd982e6d201626 (commit) via 859e5f16213b1b80d06a20872ac137bdea708c29 (commit) via ed0a5ac9200466d876a847b82bf95694356cef99 (commit) from d5a936c5b1c2f0c6f882c0cfd2ff34f8845260f7 (commit) - Log ----------------------------------------------------------------- commit e60e974414a7e637ff2f946dc2aa24c381a32cc2 Author: Dr. David von Oheimb Date: Fri Feb 26 13:26:37 2021 +0100 apps/x509.c: Fix mem leaks in processing of -next_serial in print loop Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14340) commit 46a11faf3b86ddd2fcc687a0fcfd982e6d201626 Author: Dr. David von Oheimb Date: Fri Feb 26 12:48:43 2021 +0100 apps/x509.c: Improve print_name() and coding style of large print loop in x509_main() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14340) commit 859e5f16213b1b80d06a20872ac137bdea708c29 Author: Dr. David von Oheimb Date: Fri Feb 26 11:51:43 2021 +0100 apps/x509.c: Improve indentation of the large print loop in x509_main() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14340) commit ed0a5ac9200466d876a847b82bf95694356cef99 Author: Dr. David von Oheimb Date: Fri Feb 26 11:42:49 2021 +0100 apps/x509.c: Fix too eager call to X509_set_issuer_name() introduced recently Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14340) ----------------------------------------------------------------------- Summary of changes: apps/crl.c | 3 +- apps/include/apps.h | 3 +- apps/lib/apps.c | 10 +- apps/req.c | 17 +-- apps/x509.c | 319 ++++++++++++++++++++++------------------------------ 5 files changed, 148 insertions(+), 204 deletions(-) diff --git a/apps/crl.c b/apps/crl.c index dd9d41e8ea..1f12e24a4b 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -286,8 +286,7 @@ int crl_main(int argc, char **argv) if (num) { for (i = 1; i <= num; i++) { if (issuer == i) { - print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), - get_nameopt()); + print_name(bio_out, "issuer=", X509_CRL_get_issuer(x)); } if (crlnumber == i) { ASN1_INTEGER *crlnum; diff --git a/apps/include/apps.h b/apps/include/apps.h index 45a9c4e758..8c365c44bd 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -94,8 +94,7 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data); int chopup_args(ARGS *arg, char *buf); int dump_cert_text(BIO *out, X509 *x); -void print_name(BIO *out, const char *title, const X509_NAME *nm, - unsigned long lflags); +void print_name(BIO *out, const char *title, const X509_NAME *nm); void print_bignum_var(BIO *, const BIGNUM *, const char*, int, unsigned char *); void print_array(BIO *, const char *, int, const unsigned char *); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 7c1015737d..634bebde42 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -188,9 +188,9 @@ unsigned long get_nameopt(void) int dump_cert_text(BIO *out, X509 *x) { - print_name(out, "subject=", X509_get_subject_name(x), get_nameopt()); + print_name(out, "subject=", X509_get_subject_name(x)); BIO_puts(out, "\n"); - print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt()); + print_name(out, "issuer=", X509_get_issuer_name(x)); BIO_puts(out, "\n"); return 0; @@ -1071,14 +1071,14 @@ static int set_table_opts(unsigned long *flags, const char *arg, return 0; } -void print_name(BIO *out, const char *title, const X509_NAME *nm, - unsigned long lflags) +void print_name(BIO *out, const char *title, const X509_NAME *nm) { char *buf; char mline = 0; int indent = 0; + unsigned long lflags = get_nameopt(); - if (title) + if (title != NULL) BIO_puts(out, title); if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mline = 1; diff --git a/apps/req.c b/apps/req.c index 881cbb45c7..4056b18f51 100644 --- a/apps/req.c +++ b/apps/req.c @@ -921,9 +921,8 @@ int req_main(int argc, char **argv) if (subj != NULL && !newreq && !gen_x509) { if (verbose) { - BIO_printf(bio_err, "Modifying subject of certificate request\n"); - print_name(bio_err, "Old subject=", - X509_REQ_get_subject_name(req), get_nameopt()); + BIO_printf(out, "Modifying subject of certificate request\n"); + print_name(out, "Old subject=", X509_REQ_get_subject_name(req)); } if (!X509_REQ_set_subject_name(req, fsubj)) { @@ -932,8 +931,7 @@ int req_main(int argc, char **argv) } if (verbose) { - print_name(bio_err, "New subject=", - X509_REQ_get_subject_name(req), get_nameopt()); + print_name(out, "New subject=", X509_REQ_get_subject_name(req)); } } @@ -996,12 +994,9 @@ int req_main(int argc, char **argv) } if (subject) { - if (gen_x509) - print_name(out, "subject=", X509_get_subject_name(new_x509), - get_nameopt()); - else - print_name(out, "subject=", X509_REQ_get_subject_name(req), - get_nameopt()); + print_name(out, "subject=", gen_x509 + ? X509_get_subject_name(new_x509) + : X509_REQ_get_subject_name(req)); } if (modulus) { diff --git a/apps/x509.c b/apps/x509.c index 67895c8169..1108ff7ad4 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -245,6 +245,7 @@ int x509_main(int argc, char **argv) int ext_copy = EXT_COPY_UNSET; X509V3_CTX ext_ctx; EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL; + EVP_PKEY *pkey; int newcert = 0; char *subj = NULL, *digestname = NULL; X509_NAME *fsubj = NULL; @@ -270,7 +271,7 @@ int x509_main(int argc, char **argv) int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; int noout = 0, CA_createserial = 0, email = 0; int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; - int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; + int ret = 1, i, j, num = 0, badsig = 0, clrext = 0, nocert = 0; int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, ext = 0; int enddate = 0; time_t checkoffset = 0; @@ -403,30 +404,25 @@ int x509_main(int argc, char **argv) subj = opt_arg(); break; case OPT_ADDTRUST: + if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) + goto end; if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { - BIO_printf(bio_err, - "%s: Invalid trust object value %s\n", + BIO_printf(bio_err, "%s: Invalid trust object value %s\n", prog, opt_arg()); goto opthelp; } - if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) - goto end; sk_ASN1_OBJECT_push(trust, objtmp); - objtmp = NULL; trustout = 1; break; case OPT_ADDREJECT: + if (reject == NULL && (reject = sk_ASN1_OBJECT_new_null()) == NULL) + goto end; if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { - BIO_printf(bio_err, - "%s: Invalid reject object value %s\n", + BIO_printf(bio_err, "%s: Invalid reject object value %s\n", prog, opt_arg()); goto opthelp; } - if (reject == NULL - && (reject = sk_ASN1_OBJECT_new_null()) == NULL) - goto end; sk_ASN1_OBJECT_push(reject, objtmp); - objtmp = NULL; trustout = 1; break; case OPT_SETALIAS: @@ -674,32 +670,24 @@ int x509_main(int argc, char **argv) } if (reqfile) { - EVP_PKEY *pkey; - req = load_csr(infile, informat, "certificate request input"); if (req == NULL) goto end; if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) { - BIO_printf(bio_err, "Error unpacking public key\n"); + BIO_printf(bio_err, "Error unpacking public key from CSR\n"); goto end; } i = do_X509_REQ_verify(req, pkey, vfyopts); - if (i < 0) { - BIO_printf(bio_err, - "Error while verifying certificate request self-signature\n"); - goto end; - } - if (i == 0) { - BIO_printf(bio_err, - "Certificate request self-signature did not match the contents\n"); + if (i <= 0) { + BIO_printf(bio_err, i < 0 + ? "Error while verifying certificate request self-signature\n" + : "Certificate request self-signature did not match the contents\n"); goto end; - } else { - BIO_printf(bio_err, "Certificate request self-signature ok\n"); } + BIO_printf(out, "Certificate request self-signature ok\n"); - print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), - get_nameopt()); + print_name(out, "subject=", X509_REQ_get_subject_name(req)); } else if (!x509toreq && ext_copy != EXT_COPY_UNSET) { BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given\n"); } @@ -768,19 +756,13 @@ int x509_main(int argc, char **argv) X509_reject_clear(x); if (trust != NULL) { - for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { - objtmp = sk_ASN1_OBJECT_value(trust, i); - X509_add1_trust_object(x, objtmp); - } - objtmp = NULL; + for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) + X509_add1_trust_object(x, sk_ASN1_OBJECT_value(trust, i)); } if (reject != NULL) { - for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { - objtmp = sk_ASN1_OBJECT_value(reject, i); - X509_add1_reject_object(x, objtmp); - } - objtmp = NULL; + for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) + X509_add1_reject_object(x, sk_ASN1_OBJECT_value(reject, i)); } if (clrext && ext_names != NULL) @@ -793,10 +775,6 @@ int x509_main(int argc, char **argv) X509_EXTENSION_free(X509_delete_ext(x, i)); } - if ((reqfile || newcert || signkey != NULL || CAfile != NULL) - && !preserve_dates && !set_cert_times(x, NULL, NULL, days)) - goto end; - issuer_cert = x; if (CAfile != NULL) { issuer_cert = xca; @@ -809,8 +787,12 @@ int x509_main(int argc, char **argv) if (sno != NULL && !X509_set_serialNumber(x, sno)) goto end; - if (!X509_set_issuer_name(x, X509_get_subject_name(issuer_cert))) - goto end; + if (reqfile || newcert || signkey != NULL || CAfile != NULL) { + if (!preserve_dates && !set_cert_times(x, NULL, NULL, days)) + goto end; + if (!X509_set_issuer_name(x, X509_get_subject_name(issuer_cert))) + goto end; + } X509V3_set_ctx(&ext_ctx, issuer_cert, x, req, NULL, X509V3_CTX_REPLACE); if (extconf != NULL) { @@ -824,6 +806,12 @@ int x509_main(int argc, char **argv) /* At this point the contents of the certificate x have been finished. */ + pkey = X509_get0_pubkey(x); + if ((print_pubkey != 0 || modulus != 0) && pkey == NULL) { + BIO_printf(bio_err, "Error getting public key\n"); + goto end; + } + if (x509toreq) { /* also works in conjunction with -req */ if (signkey == NULL) { BIO_printf(bio_err, "Must specify request key using -signkey\n"); @@ -888,159 +876,123 @@ int x509_main(int argc, char **argv) corrupt_signature(signature); } - if (num) { /* TODO remove this needless guard and extra indentation below */ - /* Process print options in the given order, as indicated by index i */ - for (i = 1; i <= num; i++) { - if (issuer == i) { - print_name(out, "issuer=", X509_get_issuer_name(x), - get_nameopt()); - } else if (subject == i) { - print_name(out, "subject=", - X509_get_subject_name(x), get_nameopt()); - } else if (serial == i) { - BIO_printf(out, "serial="); - i2a_ASN1_INTEGER(out, X509_get0_serialNumber(x)); - BIO_printf(out, "\n"); - } else if (next_serial == i) { - ASN1_INTEGER *ser = X509_get_serialNumber(x); - BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL); - - if (!bnser) - goto end; - if (!BN_add_word(bnser, 1)) - goto end; - ser = BN_to_ASN1_INTEGER(bnser, NULL); - if (!ser) - goto end; + /* Process print options in the given order, as indicated by index i */ + for (i = 1; i <= num; i++) { + if (i == issuer) { + print_name(out, "issuer=", X509_get_issuer_name(x)); + } else if (i == subject) { + print_name(out, "subject=", X509_get_subject_name(x)); + } else if (i == serial) { + BIO_printf(out, "serial="); + i2a_ASN1_INTEGER(out, X509_get0_serialNumber(x)); + BIO_printf(out, "\n"); + } else if (i == next_serial) { + ASN1_INTEGER *ser; + BIGNUM *bnser = ASN1_INTEGER_to_BN(X509_get0_serialNumber(x), NULL); + + if (bnser == NULL) + goto end; + if (!BN_add_word(bnser, 1) + || (ser = BN_to_ASN1_INTEGER(bnser, NULL)) == NULL) { BN_free(bnser); - i2a_ASN1_INTEGER(out, ser); - ASN1_INTEGER_free(ser); - BIO_puts(out, "\n"); - } else if (email == i || ocsp_uri == i) { - STACK_OF(OPENSSL_STRING) *emlst; - int j; - - if (email == i) - emlst = X509_get1_email(x); - else - emlst = X509_get1_ocsp(x); - for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) - BIO_printf(out, "%s\n", - sk_OPENSSL_STRING_value(emlst, j)); - X509_email_free(emlst); - } else if (aliasout == i) { - unsigned char *alstr; - - alstr = X509_alias_get0(x, NULL); - if (alstr) - BIO_printf(out, "%s\n", alstr); - else - BIO_puts(out, "\n"); - } else if (subject_hash == i) { - BIO_printf(out, "%08lx\n", X509_subject_name_hash(x)); + goto end; + } + BN_free(bnser); + i2a_ASN1_INTEGER(out, ser); + ASN1_INTEGER_free(ser); + BIO_puts(out, "\n"); + } else if (i == email || i == ocsp_uri) { + STACK_OF(OPENSSL_STRING) *emlst = + i == email ? X509_get1_email(x) : X509_get1_ocsp(x); + + for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) + BIO_printf(out, "%s\n", sk_OPENSSL_STRING_value(emlst, j)); + X509_email_free(emlst); + } else if (i == aliasout) { + unsigned char *alstr = X509_alias_get0(x, NULL); + + if (alstr) + BIO_printf(out, "%s\n", alstr); + else + BIO_puts(out, "\n"); + } else if (i == subject_hash) { + BIO_printf(out, "%08lx\n", X509_subject_name_hash(x)); #ifndef OPENSSL_NO_MD5 - } else if (subject_hash_old == i) { - BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x)); + } else if (i == subject_hash_old) { + BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x)); #endif - } else if (issuer_hash == i) { - BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x)); + } else if (i == issuer_hash) { + BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x)); #ifndef OPENSSL_NO_MD5 - } else if (issuer_hash_old == i) { - BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x)); + } else if (i == issuer_hash_old) { + BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x)); #endif - } else if (pprint == i) { - X509_PURPOSE *ptmp; - int j; - - BIO_printf(out, "Certificate purposes:\n"); - for (j = 0; j < X509_PURPOSE_get_count(); j++) { - ptmp = X509_PURPOSE_get0(j); - purpose_print(out, x, ptmp); - } - } else if (modulus == i) { - EVP_PKEY *pkey; - - pkey = X509_get0_pubkey(x); - if (pkey == NULL) { - BIO_printf(bio_err, - "Modulus unavailable: cannot get key\n"); - goto end; - } - BIO_printf(out, "Modulus="); - if (EVP_PKEY_is_a(pkey, "RSA")) { - BIGNUM *n; - - /* Every RSA key has an 'n' */ - EVP_PKEY_get_bn_param(pkey, "n", &n); - BN_print(out, n); - BN_free(n); - } else if (EVP_PKEY_is_a(pkey, "DSA")) { - BIGNUM *dsapub; - - /* Every DSA key has an 'pub' */ - EVP_PKEY_get_bn_param(pkey, "pub", &dsapub); - BN_print(out, dsapub); - BN_free(dsapub); - } else { - BIO_printf(out, "No modulus for this public key type"); - } - BIO_printf(out, "\n"); - } else if (print_pubkey == i) { - EVP_PKEY *pkey; - - pkey = X509_get0_pubkey(x); - if (pkey == NULL) { - BIO_printf(bio_err, "Error getting public key\n"); - goto end; - } - PEM_write_bio_PUBKEY(out, pkey); - } else if (text == i) { - X509_print_ex(out, x, get_nameopt(), certflag); - } else if (startdate == i) { - BIO_puts(out, "notBefore="); - ASN1_TIME_print(out, X509_get0_notBefore(x)); - BIO_puts(out, "\n"); - } else if (enddate == i) { - BIO_puts(out, "notAfter="); - ASN1_TIME_print(out, X509_get0_notAfter(x)); - BIO_puts(out, "\n"); - } else if (fingerprint == i) { - int j; - unsigned int n; - unsigned char md[EVP_MAX_MD_SIZE]; - const EVP_MD *fdig = digest; - - if (fdig == NULL) - fdig = EVP_sha1(); - - if (!X509_digest(x, fdig, md, &n)) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } - BIO_printf(out, "%s Fingerprint=", - OBJ_nid2sn(EVP_MD_type(fdig))); - for (j = 0; j < (int)n; j++) { - BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) - ? '\n' : ':'); - } - } else if (ocspid == i) { - X509_ocspid_print(out, x); - } else if (ext == i) { - print_x509v3_exts(out, x, ext_names); + } else if (i == pprint) { + BIO_printf(out, "Certificate purposes:\n"); + for (j = 0; j < X509_PURPOSE_get_count(); j++) + purpose_print(out, x, X509_PURPOSE_get0(j)); + } else if (i == modulus) { + BIO_printf(out, "Modulus="); + if (EVP_PKEY_is_a(pkey, "RSA")) { + BIGNUM *n; + + /* Every RSA key has an 'n' */ + EVP_PKEY_get_bn_param(pkey, "n", &n); + BN_print(out, n); + BN_free(n); + } else if (EVP_PKEY_is_a(pkey, "DSA")) { + BIGNUM *dsapub; + + /* Every DSA key has a 'pub' */ + EVP_PKEY_get_bn_param(pkey, "pub", &dsapub); + BN_print(out, dsapub); + BN_free(dsapub); + } else { + BIO_printf(out, "No modulus for this public key type"); } + BIO_printf(out, "\n"); + } else if (i == print_pubkey) { + PEM_write_bio_PUBKEY(out, pkey); + } else if (i == text) { + X509_print_ex(out, x, get_nameopt(), certflag); + } else if (i == startdate) { + BIO_puts(out, "notBefore="); + ASN1_TIME_print(out, X509_get0_notBefore(x)); + BIO_puts(out, "\n"); + } else if (i == enddate) { + BIO_puts(out, "notAfter="); + ASN1_TIME_print(out, X509_get0_notAfter(x)); + BIO_puts(out, "\n"); + } else if (i == fingerprint) { + unsigned int n; + unsigned char md[EVP_MAX_MD_SIZE]; + const EVP_MD *fdig = digest; + + if (fdig == NULL) + fdig = EVP_sha1(); + + if (!X509_digest(x, fdig, md, &n)) { + BIO_printf(bio_err, "Out of memory\n"); + goto end; + } + BIO_printf(out, "%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(fdig))); + for (j = 0; j < (int)n; j++) + BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':'); + } else if (i == ocspid) { + X509_ocspid_print(out, x); + } else if (i == ext) { + print_x509v3_exts(out, x, ext_names); } } if (checkend) { time_t tcheck = time(NULL) + checkoffset; - if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) { + ret = X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0; + if (ret) BIO_printf(out, "Certificate will expire\n"); - ret = 1; - } else { + else BIO_printf(out, "Certificate will not expire\n"); - ret = 0; - } goto end; } @@ -1087,7 +1039,6 @@ int x509_main(int argc, char **argv) ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); - ASN1_OBJECT_free(objtmp); release_engine(e); clear_free(passin); return ret; @@ -1152,7 +1103,7 @@ static int callb(int ok, X509_STORE_CTX *ctx) return 0; } else { err_cert = X509_STORE_CTX_get_current_cert(ctx); - print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0); + print_name(bio_err, "subject=", X509_get_subject_name(err_cert)); BIO_printf(bio_err, "Error with certificate - error %d at depth %d\n%s\n", err, X509_STORE_CTX_get_error_depth(ctx), From no-reply at appveyor.com Sun Feb 28 20:53:10 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 28 Feb 2021 20:53:10 +0000 Subject: Build failed: openssl master.40294 Message-ID: <20210228205310.1.A7E181C59ED3A588@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Feb 28 21:29:58 2021 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 28 Feb 2021 21:29:58 +0000 Subject: Build failed: openssl master.40295 Message-ID: <20210228212958.1.BBDAA213BB8ADA15@appveyor.com> An HTML attachment was scrubbed... URL:

beslist.nl

+

Jameson Lopp