diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 4f17322ec5b967a1342565cbb6e6a0864b1be650..9932b39f95bc5ab2ba93976a4ad6beeb8ba8c696 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 5aa595ce8d04c6de44a437628a369172b2091bb9..bcdcab45c737b5744b1333e26ccc508b117566c8 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 65bb9cbce44c7b01e95727d42088effa5928c000..63fd5e829e60ffd3c1ca921bc632430d75b59458 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 002494f58c83a1e33c415698015c51e2c143394e..1b56755bfbb176882b0fe31839240f06bffe5d11 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fips-old.yml b/.github/workflows/fips-old.yml index 3589c832660d2efeac1796bb4038731a2607a90b..88c6fe281f218ce04a59b0eb850a47a5aa9d44cc 100644 --- a/.github/workflows/fips-old.yml +++ b/.github/workflows/fips-old.yml @@ -1,4 +1,4 @@ -# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index ce6d894a9825e8cacabbe0176d08e48e370e370a..3e84fdbac6fc641b71587cb98af83564ffb6092c 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 73ee5f1f805dd3573379ec51c366c8201b9e58bd..101c44f1b2ca3ded729e3aee071b74cadf431435 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 8b7252b128749c684f9a561ce34ce99828eae806..1716ed3327b4f3705b4d43d555ea8176c74a45dc 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 14dfa7c2d4e83afdf672e364a7d946085434c9af..7154b6b62da4d9aed56cbb5735d2b5f781dd5f83 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 8c518d17d9274528c6ad52da1c3dbb7e8145c36f..10005d35221d0228b21fb023681ebcfc0d082d3c 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/CHANGES.md b/CHANGES.md index e51997884239dbc9f841f45a83c4e5d6cb64f8c9..61efa01bb6f8517c859be7c62b5157fc6ea9c74a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,7 +28,11 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod -### Changes between 3.0.10 and 3.0.11 [xx XXX xxxx] +### Changes between 3.0.11 and 3.0.12 [xx XXX xxxx] + + * none yet + +### Changes between 3.0.10 and 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. diff --git a/NEWS.md b/NEWS.md index 1b8ec67442a8a6c981be5a566525b71cfd28af34..72f78d581e12149e7cddb1832a7c50a113c5aa20 100644 --- a/NEWS.md +++ b/NEWS.md @@ -18,7 +18,11 @@ OpenSSL Releases OpenSSL 3.0 ----------- -### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [under development] +### Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [under development] + + * none + +### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807]) diff --git a/README.md b/README.md index f2f4fd39ad05bbd5c8ca5b8bcbc1def7be9e2e96..b848d050132aaed2cf2a8b0a40aad1e11f53245a 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,7 @@ attempting to develop or distribute cryptographic code. Copyright ========= -Copyright (c) 1998-2022 The OpenSSL Project +Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/VERSION.dat b/VERSION.dat index bc7aac614685f511e12281e595bb42c384cde330..b9d08f44f5123a932f8382a161821ff4e60a10d5 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,6 +1,6 @@ MAJOR=3 MINOR=0 -PATCH=11 +PATCH=12 PRE_RELEASE_TAG=dev BUILD_METADATA= RELEASE_DATE="" diff --git a/apps/dgst.c b/apps/dgst.c index e12389197de4a6d5aee5d52c0afc41d83f54cc70..3f02af0d5738ab72dfc23bdef59cd01a626b3ed2 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -320,6 +320,8 @@ int dgst_main(int argc, char **argv) sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */); /* Verbose output would make external-tests gost-engine fail */ EVP_PKEY_CTX_free(mac_ctx); + if (sigkey == NULL) + goto end; } if (hmac_key != NULL) { diff --git a/apps/dhparam.c b/apps/dhparam.c index 43906cea56497bc115953d258c984e4f6f36a4ec..c4b5559ef87ea93b7bdfdcab5a661ccbb682ec4e 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -222,6 +222,8 @@ int dhparam_main(int argc, char **argv) } tmppkey = app_paramgen(ctx, alg); + if (tmppkey == NULL) + goto end; EVP_PKEY_CTX_free(ctx); ctx = NULL; if (dsaparam) { diff --git a/apps/dsaparam.c b/apps/dsaparam.c index b5555282be6e18ad2275488c7226f82b9f2dff58..cb3f9d9eaf20c84cea13a0f272c1a244ec2e7e7f 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -218,6 +218,8 @@ int dsaparam_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", numbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (outformat == FORMAT_ASN1) i = i2d_PrivateKey_bio(out, pkey); diff --git a/apps/enc.c b/apps/enc.c index b3bf4cc2592d01dfa1c998911bcab79f66a4c3fa..c275046cf57a647d18cf01b6df8dcf756801d61e 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -624,7 +624,10 @@ int enc_main(int argc, char **argv) } } if (!BIO_flush(wbio)) { - BIO_printf(bio_err, "bad decrypt\n"); + if (enc) + BIO_printf(bio_err, "bad encrypt\n"); + else + BIO_printf(bio_err, "bad decrypt\n"); goto end; } diff --git a/apps/gendsa.c b/apps/gendsa.c index 27feb793fed23cac1a9bff0ac5e5e625073511e3..34f7af377d6e56207d6a52f68d8f9041e7bb7bfa 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -146,6 +146,8 @@ int gendsa_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", nbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) { diff --git a/apps/genpkey.c b/apps/genpkey.c index d00754eeaca09fb62e37f08e4a5f211435cd5c90..8774a4ee289cffe5798b87769066274b35f147ac 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -183,6 +183,8 @@ int genpkey_main(int argc, char **argv) pkey = do_param ? app_paramgen(ctx, algname) : app_keygen(ctx, algname, 0, 0 /* not verbose */); + if (pkey == NULL) + goto end; if (do_param) { rv = PEM_write_bio_Parameters(out, pkey); diff --git a/apps/genrsa.c b/apps/genrsa.c index 4436b7fa1745a9f75f3c90c3cddb0767aa785d63..390a5d72a7c8ffb765ec866eff67545458872051 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -203,6 +203,8 @@ opthelp: goto end; } pkey = app_keygen(ctx, "RSA", num, verbose); + if (pkey == NULL) + goto end; if (verbose) { BIGNUM *e = NULL; diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 572f6a3f8f286fc4486731d664866e63906e759e..9de518f38357760acb90f9d384e295627b1a6476 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -3359,8 +3359,8 @@ EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose) BIO_printf(bio_err, "Warning: generating random key material may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_keygen(ctx, &res) <= 0) - app_bail_out("%s: Error generating %s key\n", opt_getprog(), - alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Error generating %s key\n", opt_getprog(), + alg != NULL ? alg : "asymmetric"); return res; } @@ -3372,8 +3372,8 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg) BIO_printf(bio_err, "Warning: generating random key parameters may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_paramgen(ctx, &res) <= 0) - app_bail_out("%s: Generating %s key parameters failed\n", - opt_getprog(), alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Generating %s key parameters failed\n", + opt_getprog(), alg != NULL ? alg : "asymmetric"); return res; } diff --git a/apps/req.c b/apps/req.c index 926f0796bc8f381e1e179d9368ca7541d861855a..41191803aef417a5fe72bed1e8af15c27f3ceba8 100644 --- a/apps/req.c +++ b/apps/req.c @@ -685,6 +685,8 @@ int req_main(int argc, char **argv) EVP_PKEY_CTX_set_app_data(genctx, bio_err); pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose); + if (pkey == NULL) + goto end; EVP_PKEY_CTX_free(genctx); genctx = NULL; diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c index c960daf5cb8fa174b8f8613c16481e5b5d28ee12..d052935661d362f6b5ba2364830df9e7bb67dca7 100644 --- a/crypto/asn1/a_strnid.c +++ b/crypto/asn1/a_strnid.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 5a15c6a5d993233153f22d4cc56318ab67c3a78b..402ab34e6a46f7a0d0eecdc316c6d1a2d9f1b790 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/build.info b/crypto/build.info index b90390ae864c40f1401bff71a12e2f6b0622d5d9..c04db5591120df945972de3e801aaa32bcbf3241 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -97,8 +97,6 @@ $UTIL_COMMON=\ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ param_build_set.c der_writer.c threads_lib.c params_dup.c -SHARED_SOURCE[../libssl]=sparse_array.c - SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \ diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index 5c47a1a067129e843b06f2f65ae755b5238e7e2d..a8de73ad979b67b2f799da7082c5cc1f7630ceb1 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c index 2da02c5524dd0f64297a798d027f6342ccf39856..68144aa4fed8780a4e77f19d4ce28e28e02c5c22 100644 --- a/crypto/cmp/cmp_status.c +++ b/crypto/cmp/cmp_status.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index f1e9be908764104f6d9db2c44d6ebe92cc13d644..253f6819e43542122ca1b7a5ba873401a2d1247e 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 626401add4bd4e108b68c4553d2719824625914e..53c8e378f31876a07ee7597266a93217b3cbd67b 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index a1257571ec9a2203d9cd3dd2c5e16fa3d243e514..2e4b7ed60b9c1c16abaf7214d9a2a745c24210c3 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index cc7e6903b6dcdc18f07562d453bb1734f9ae65d6..ad5e2805319b57b72e4c3f616ce6ca16ed20617d 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index dfd53a4331955981a82429d92b491fdcc2fafb5f..cfdb5a50f481da22073fcb779ff14ba81cba70cd 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -133,28 +133,34 @@ static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb) return item; } -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); - if (item != NULL) - if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0) - OPENSSL_free(item); + if (item != NULL) { + if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0)) + return 1; + OPENSSL_free(item); + } + return 0; } -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; + if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); if (item != NULL) { - if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0) - OPENSSL_free(item); + if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) > 0) + return 1; + OPENSSL_free(item); } + return 0; } /* The API function that performs all cleanup */ diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 04c73c76286486936db9ac913c50c7f00786db7e..f2eed3b071746bd669e9aab677c8f703f5c82b0c 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -78,12 +78,15 @@ static int engine_list_add(ENGINE *e) ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } - engine_list_head = e; - e->prev = NULL; /* * The first time the list allocates, we should register the cleanup. */ - engine_cleanup_add_last(engine_list_cleanup); + if (!engine_cleanup_add_last(engine_list_cleanup)) { + ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); + return 0; + } + engine_list_head = e; + e->prev = NULL; } else { /* We are adding to the tail of an existing list. */ if ((engine_list_tail == NULL) || (engine_list_tail->next != NULL)) { diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h index 03a86299cf88b889ec920eceb53b2ec657200d45..75bc9e6f1675b979f973abb003133a4dc15e5906 100644 --- a/crypto/engine/eng_local.h +++ b/crypto/engine/eng_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -46,8 +46,8 @@ typedef struct st_engine_cleanup_item { ENGINE_CLEANUP_CB *cb; } ENGINE_CLEANUP_ITEM; DEFINE_STACK_OF(ENGINE_CLEANUP_ITEM) -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); /* We need stacks of ENGINEs for use in eng_table.c */ DEFINE_STACK_OF(ENGINE) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index d6a7452c76d0dc92ba611adfa1b34d90feab9175..9dc3144bbfd7b610c1cd73f056a9c7a0ea862bc8 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -93,9 +93,12 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup, added = 1; if (!int_table_check(table, 1)) goto end; - if (added) - /* The cleanup callback needs to be added */ - engine_cleanup_add_first(cleanup); + /* The cleanup callback needs to be added */ + if (added && !engine_cleanup_add_first(cleanup)) { + lh_ENGINE_PILE_free(&(*table)->piles); + *table = NULL; + goto end; + } while (num_nids--) { tmplate.nid = *nids; fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate); diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index ce6e1a1ccbd577006c79a991a3b080dfef4ada7c..ba1971ce461d57a6043c1e0f3c86d36b4cd87886 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -251,10 +251,11 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, */ if (e != NULL) pmeth = ENGINE_get_pkey_meth(e, id); - else if (pkey != NULL && pkey->foreign) + else +# endif /* OPENSSL_NO_ENGINE */ + if (pkey != NULL && pkey->foreign) pmeth = EVP_PKEY_meth_find(id); else -# endif app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id); /* END legacy */ diff --git a/crypto/ex_data.c b/crypto/ex_data.c index 40223f06e4ecb695d234f4c533e3033a3f81167b..455b63cd575f0e36d161d04295338c7bb2fb0616 100644 --- a/crypto/ex_data.c +++ b/crypto/ex_data.c @@ -163,6 +163,8 @@ int ossl_crypto_get_ex_new_index_ex(OSSL_LIB_CTX *ctx, int class_index, * "app_data" routines use ex_data index zero. See RT 3710. */ if (ip->meth == NULL || !sk_EX_CALLBACK_push(ip->meth, NULL)) { + sk_EX_CALLBACK_free(ip->meth); + ip->meth = NULL; ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); goto err; } diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 1cd988f01fc76a59267281b459a0ca68efee0a8f..bd39b1ba572cd6f73fda4612ef4b514c767f9ee3 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -266,12 +266,12 @@ static void contract(OPENSSL_LHASH *lh) if (n == NULL) { /* fputs("realloc error in lhash",stderr); */ lh->error++; - return; + } else { + lh->b = n; } lh->num_alloc_nodes /= 2; lh->pmax /= 2; lh->p = lh->pmax - 1; - lh->b = n; } else lh->p--; diff --git a/crypto/mem.c b/crypto/mem.c index d575dcdc13c352b044251167c71ec8fed8fce4cf..bc9dc111676fd2fbc90c221ede963a6565e2b53b 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 284b144fd640fd313c8394a50d467315e13f1c0c..4deee46ce5506f85efa45f8a1e5871b96da3e4d9 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl index 57b75c4e5dad68456a60304cf91e824fa8941a31..38d570c79017c2e083ec02029377334e2377698c 100755 --- a/crypto/perlasm/arm-xlate.pl +++ b/crypto/perlasm/arm-xlate.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 00c71297463d9e9d821d3dc74c25975c415ec042..26a444f868b0280524a55a6f042c3c7843fde3b7 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,12 @@ static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen); static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) { @@ -40,6 +46,9 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, int i; unsigned char keyid[EVP_MAX_MD_SIZE]; unsigned int keyidlen = 0; + int namelen = -1; + unsigned char *pkeyid = NULL; + int pkeyidlen = -1; /* Set defaults */ if (nid_cert == NID_undef) @@ -64,11 +73,16 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, } if (cert) { - bag = PKCS12_add_cert(&bags, cert); - if (name && !PKCS12_add_friendlyname(bag, name, -1)) - goto err; - if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) - goto err; + if (name == NULL) + name = (char *)X509_alias_get0(cert, &namelen); + if (keyidlen > 0) { + pkeyid = keyid; + pkeyidlen = keyidlen; + } else { + pkeyid = X509_keyid_get0(cert, &pkeyidlen); + } + + bag = pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen); } /* Add all other certificates */ @@ -139,30 +153,23 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * iter, mac_iter, keytype, NULL, NULL); } -PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen) { PKCS12_SAFEBAG *bag = NULL; - char *name; - int namelen = -1; - unsigned char *keyid; - int keyidlen = -1; /* Add user certificate */ if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL) goto err; - /* - * Use friendlyName and localKeyID in certificate. (if present) - */ - - name = (char *)X509_alias_get0(cert, &namelen); - - if (name && !PKCS12_add_friendlyname(bag, name, namelen)) + if (name != NULL && !PKCS12_add_friendlyname(bag, name, namelen)) goto err; - keyid = X509_keyid_get0(cert, &keyidlen); - - if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) + if (keyid != NULL && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) goto err; if (!pkcs12_add_bag(pbags, bag)) @@ -173,7 +180,22 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) err: PKCS12_SAFEBAG_free(bag); return NULL; +} + +PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +{ + char *name = NULL; + int namelen = -1; + unsigned char *keyid = NULL; + int keyidlen = -1; + + /* + * Use friendlyName and localKeyID in certificate. (if present) + */ + name = (char *)X509_alias_get0(cert, &namelen); + keyid = X509_keyid_get0(cert, &keyidlen); + return pkcs12_add_cert_bag(pbags, cert, name, namelen, keyid, keyidlen); } PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags, diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl index 24bab9d0bcf950711611ddcb5414b548b16f5cb0..4cddca1c514c04ff72b7b0b36caa2ec1c117b1a2 100755 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 873b335b94d72b961413a1d7dd6fdd258a720d9e..92cce32c5bbf88ece1e0df549bfa0735c6c5735a 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index edcfb0c76e515df8b11d06de730b6b182d7a2d0b..96d511ffe6368ec375a02409b5bc29f37d563795 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 60a6aded05d813472d1c0ad74a7ff248d31f90a6..bc12d8dd13a28e376ab85e9a382dedc10a3dd3ae 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index ec4cddb3af9e2ea350b7c547be1ff265eab25010..801855c9306e2095129970c556679a1b474934c2 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 4250deb426fc15adc7fe46e75106656a7fc8f553..9240916fce40fea6d008835ae7ff2ce555f22dc1 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -659,11 +659,12 @@ is typically used when authenticating with pre-shared key (password-based MAC). =item B<-secret> I -Prefer PBM-based message protection with given source of a secret value. -The secret is used for creating PBM-based protection of outgoing messages -and (as far as needed) for validating PBM-based protection of incoming messages. -PBM stands for Password-Based Message Authentication Code. +Provides the source of a secret value to use with MAC-based message protection. This takes precedence over the B<-cert> and B<-key> options. +The secret is used for creating MAC-based protection of outgoing messages +and for validating incoming messages that have MAC-based protection. +The algorithm used by default is Password-Based Message Authentication Code (PBM) +as defined in RFC 4210 section 5.1.3.1. For more information about the format of I see L. @@ -682,7 +683,8 @@ while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. The issuer of this certificate is used as one of the recipient fallback values and as fallback issuer entry in the certificate template of IR/CR/KUR messages. -When using signature-based message protection, this "protection certificate" +When performing signature-based message protection, +this "protection certificate", also called "signer certificate", will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating @@ -713,8 +715,8 @@ have no effect on the certificate verification enabled via this option. The corresponding private key file for the client's current certificate given in the B<-cert> option. -This will be used for signature-based message protection unless -the B<-secret> option indicating PBM or B<-unprotected_requests> is given. +This will be used for signature-based message protection unless the B<-secret> +option indicating MAC-based protection or B<-unprotected_requests> is given. It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. @@ -730,7 +732,7 @@ L. =item B<-digest> I Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG -and as the one-way function (OWF) in MSG_MAC_ALG. +and as the one-way function (OWF) in C. If applicable, this is used for message protection and proof-of-possession (POPO) signatures. To see the list of supported digests, use C. @@ -738,7 +740,7 @@ Defaults to C. =item B<-mac> I -Specifies the name of the MAC algorithm in MSG_MAC_ALG. +Specifies the name of the MAC algorithm in C. To get the names of supported MAC algorithms use C and possibly combine such a name with the name of a supported digest algorithm, e.g., hmacWithSHA256. @@ -1097,6 +1099,13 @@ only affect the certificate verification enabled via the B<-out_trusted> option. =head1 NOTES +When a client obtains from a CMP server CA certificates that it is going to +trust, for instance via the C field of a certificate response, +authentication of the CMP server is particularly critical. +So special care must be taken setting up server authentication +using B<-trusted> and related options for certificate-based authentication +or B<-secret> for MAC-based protection. + When setting up CMP configurations and experimenting with enrollment options typically various errors occur until the configuration is correct and complete. When the CMP server reports an error the client will by default @@ -1166,7 +1175,7 @@ In order to update the enrolled certificate one may call openssl cmp -section insta,kur -using with PBM-based protection or +using MAC-based protection with PBM or openssl cmp -section insta,kur,signature @@ -1225,7 +1234,7 @@ Then it can start using the new cert and key. -newkey cl_key_new.pem -certout cl_cert.pem cp cl_key_new.pem cl_key.pem -This command sequence can be repated as often as needed. +This command sequence can be repeated as often as needed. =head2 Requesting information from CMP server diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index c63a7f330ba63600764c814bd8ff10d2f73c09d5..65a61ee97f1d6a2862f66e13f9ea9a2c169b051c 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -391,7 +391,7 @@ option. =item I ... This is an alternative to using the B<-recip> option when encrypting a message. -One or more certificate filennames may be given. +One or more certificate filenames may be given. =item B<-I> @@ -902,7 +902,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 0f9049d2a4cd4ea2f4467521ceb08bb68bf0ae49..3e7f7c4be94b2d6c62bbffe917f8e3f0bf48ac2d 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -652,7 +652,7 @@ L =head1 COPYRIGHT -Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BIO_s_mem.pod b/doc/man3/BIO_s_mem.pod index 31b2daf33d9ccb12f6e819bfab31b4867831c237..3bbc3e7fcf02c9fc1df44e3347b78f89dee88f98 100644 --- a/doc/man3/BIO_s_mem.pod +++ b/doc/man3/BIO_s_mem.pod @@ -174,7 +174,7 @@ and BUF_MEM structure: =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_sign.pod b/doc/man3/CMS_sign.pod index a701c4d0fa85a4e80ac75324146b67473e2b0739..03bfc6fce16a74277aef0aef5f3591435c7ed864 100644 --- a/doc/man3/CMS_sign.pod +++ b/doc/man3/CMS_sign.pod @@ -132,7 +132,7 @@ The CMS_sign_ex() method was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 13482ac5e188e7b7016e7ff49d59d15790167a47..56ac92a486728ef9661720dd031b75d02aa73dd7 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -181,7 +181,7 @@ EVP_MAC_CTX_set_params() passes chosen parameters to the underlying context, given a context I. The set of parameters given with I determine exactly what parameters are passed down. -If I are NULL, the unterlying context should do nothing and return 1. +If I are NULL, the underlying context should do nothing and return 1. Note that a parameter that is unknown in the underlying context is simply ignored. Also, what happens when a needed parameter isn't passed down is @@ -481,7 +481,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index 600522085398c271ecf946cb3c36428488fb52f3..1f534ef33810eb92b848890e2c3d510bdbef6bcf 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -61,7 +61,7 @@ EVP_SIGNATURE_get0_provider() returns the provider that I was fetched from. EVP_SIGNATURE_do_all_provided() traverses all SIGNATURE implemented by all -activated roviders in the given library context I, and for each of the +activated providers in the given library context I, and for each of the implementations, calls the given function I with the implementation method and the given I as argument. @@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index e81fb08b00d613ae516fd277b9ef34c2530bab92..ce7db8f2f08628c7a9cbb175024fa7cf4d526bb9 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -182,7 +182,7 @@ clearing the internal CMP transaction (aka session) status, PKIStatusInfo, and any previous results (newCert, newChain, caPubs, and extraCertsIn) from the last executed transaction. It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV(). -All other field values (i.e., CMP options) are retained for potential re-use. +All other field values (i.e., CMP options) are retained for potential reuse. OSSL_CMP_CTX_set_option() sets the given value for the given option (e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) in the given OSSL_CMP_CTX structure. @@ -260,12 +260,12 @@ The following options can be set: =item B The NID of the digest algorithm to be used as one-way function (OWF) - in RFC 4210's MSG_MAC_ALG for PBM-based message protection. + for MAC-based message protection with password-based MAC (PBM). + See RFC 4210 section 5.1.3.1 for details. Default is SHA256. =item B - The NID of the MAC algorithm to be used in RFC 4210's MSG_MAC_ALG - for PBM-based message protection. + The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC-SHA1 as per RFC 4210. =item B @@ -450,8 +450,8 @@ The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the list of untrusted certs, which may be empty if unset. -OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate -related to the private key used for CMP message protection. +OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate, also called protection +certificate, related to the private key for signature-based message protection. Therefore the public key of this I must correspond to the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey(). When using signature-based protection of CMP request messages @@ -481,15 +481,15 @@ OSSL_CMP_CTX_set1_pkey() sets the client's private key corresponding to the CMP signer certificate set via OSSL_CMP_CTX_set1_cert(). This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG) of outgoing messages -unless a PBM secret has been set via OSSL_CMP_CTX_set1_secretValue(). +unless a symmetric secret has been set via OSSL_CMP_CTX_set1_secretValue(). The I argument may be NULL to clear the entry. -OSSL_CMP_CTX_set1_secretValue() sets the byte string I with length I -as PBM secret in the given I or clears it if the I argument is NULL. -If present, this secret is used to create PBM-based protection of outgoing -messages and to verify any PBM-based protection of incoming messages -(protectionAlg = MSG_MAC_ALG). PBM stands for Password-Based MAC. -PBM-based protection takes precedence over signature-based protection. +OSSL_CMP_CTX_set1_secretValue() sets in I the byte string I of length +I to use as pre-shared secret, or clears it if the I argument is NULL. +If present, this secret is used to create MAC-based authentication and integrity +protection (rather than applying signature-based protection) +of outgoing messages and to verify authenticity and integrity of incoming +messages that have MAC-based protection (protectionAlg = C). OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue I with length I in the given I or clears it if the I argument is NULL. @@ -500,7 +500,7 @@ then the sender field will contain the NULL-DN and the senderKID field of the CMP message header must be set. When signature-based protection is used the senderKID will be set to the subjectKeyIdentifier of the CMP signer certificate as far as present. -If not present or when PBM-based protection is used +If not present or when MAC-based protection is used the I value is taken as the fallback value for the senderKID. OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the @@ -731,7 +731,7 @@ Set up a CMP client context for sending requests and verifying responses: OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias); OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts); -Set up client credentials for password-based protection (PBM): +Set up symmetric credentials for MAC-based message protection such as PBM: OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len); OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len); diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index b0d81c7c41a96894d96f91e72c3119c2b4b889ca..0cabc3bad5ac96c7aa69e083b89d2759896234e5 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -42,7 +42,7 @@ client-server transactions, i.e., sequences of CMP requests and responses. All functions take a populated OSSL_CMP_CTX structure as their first argument. Usually the server name, port, and path ("CMP alias") need to be set, as well as -credentials the client can use for authenticating itself to the client. +credentials the client can use for authenticating itself to the server. In order to authenticate the server the client typically needs a trust store. The functions return their respective main results directly, while there are also accessor functions for retrieving various results and status information @@ -72,7 +72,7 @@ and need to be filled in using L, L, L, etc. For P10CR, L needs to be used instead. The enrollment session may be blocked by sleeping until the addressed -CA (or an intermedate PKI component) can fully process and answer the request. +CA (or an intermediate PKI component) can fully process and answer the request. OSSL_CMP_try_certreq() is an alternative to the above functions that is more flexible regarding what to do after receiving a checkAfter value. @@ -119,9 +119,17 @@ See RFC 4210 section 5.3.19 and appendix E.5 for details. CMP is defined in RFC 4210 (and CRMF in RFC 4211). -So far the CMP client implementation is limited to one request per CMP message +The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). +When a client obtains from a CMP server CA certificates that it is going to +trust, for instance via the caPubs field of a certificate response, +authentication of the CMP server is particularly critical. +So special care must be taken setting up server authentication in I +using functions such as +L (for certificate-based authentication) or +L (for MAC-based protection). + =head1 RETURN VALUES OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(), @@ -163,7 +171,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index 05ede23a2f753e3e98e420d9af6af31d0c74ed71..716e365ef50db08801067affa9614a9f7f7b281e 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -277,7 +277,7 @@ All the functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index f528330c04d0b873d6dee8310dfd8d474e1f8a0c..92e588062a36ed3a085c1246c749b152801cc036 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -101,7 +101,7 @@ standards. =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod index 06cc1e4ec539d23d9d3588efc1d76e7748da1f47..b74c869b83d2dc99df397e9ef00a8f85ac00dc96 100644 --- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod +++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod @@ -2,6 +2,7 @@ =head1 NAME +SSL_CONF_CTX_finish, SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure =head1 SYNOPSIS @@ -10,6 +11,7 @@ SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx); void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); + int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx); =head1 DESCRIPTION @@ -23,6 +25,10 @@ B structure B. Any previous B or B associated with B is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to B. +The function SSL_CONF_CTX_finish() must be called after all configuration +operations have been completed. It is used to finalise any operations +or to process defaults. + =head1 NOTES The context need not be set or it can be set to B in which case only @@ -32,6 +38,8 @@ syntax checking of commands is performed, where possible. SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value. +SSL_CONF_CTX_finish() returns 1 for success and 0 for failure. + =head1 SEE ALSO L, diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index 59d275523f98e7d018e4abca5302192e0373980a..2b522769169b773757dd0942509365be9a16b160 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -35,7 +35,7 @@ MUST NOT have yet started the SSL handshake. For connections that are not in their initial state SSL_dup() just increments an internal reference count and returns the I handle. It may be possible to use L to recycle an SSL handle that is not in its initial -state for re-use, but this is best avoided. Instead, save and restore +state for reuse, but this is best avoided. Instead, save and restore the session, if desired, and construct a fresh handle for each connection. The subset of settings in I that are duplicated are: @@ -124,7 +124,7 @@ L =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 5156f0edb27ad52d07bc7f14ac995757cad7a302..08cd2c85e5bd79d50dc757f7e9d5ff4c60e835d7 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -28,7 +28,6 @@ d2i_RSA_PUBKEY_fp, d2i_DHparams, d2i_DHparams_bio, d2i_DHparams_fp, -d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio, @@ -56,7 +55,6 @@ i2d_DSA_PUBKEY, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY_fp, i2d_DSAparams, -i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio, @@ -309,7 +307,7 @@ L =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index c79a964e6d7f981aef97b0e2f8e1faa5a08051b7..9226ef77c3946b0f5e181c03d86200ffd2957b11 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -53,6 +53,7 @@ d2i_DIST_POINT, d2i_DIST_POINT_NAME, d2i_DSA_SIG, d2i_ECDSA_SIG, +d2i_ECPKParameters, d2i_EDIPARTYNAME, d2i_ESS_CERT_ID, d2i_ESS_CERT_ID_V2, @@ -223,6 +224,7 @@ i2d_DIST_POINT, i2d_DIST_POINT_NAME, i2d_DSA_SIG, i2d_ECDSA_SIG, +i2d_ECPKParameters, i2d_EDIPARTYNAME, i2d_ESS_CERT_ID, i2d_ESS_CERT_ID_V2, diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 1830092394bc906ff76263eef257f122933dde4a..044904022d894e7bfa59bbed078f980d61bf6db9 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -93,7 +93,7 @@ numeric identifier, as shown here: email.2 = steve@example.org The syntax of raw extensions is defined by the source code that parses -the extension but should be documened. +the extension but should be documented. See L for an example of a raw extension. If an extension type is unsupported, then the I extension syntax @@ -590,7 +590,7 @@ L =head1 COPYRIGHT -Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 05d4e902bd30f0b00db1c1f5bdad59f58fde04cd..986536569864274a7801524196f05e54848d27a2 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -80,7 +80,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/x509.c b/fuzz/x509.c index 6293f1a5c547a55f2ef05b2cfcea326d8cbe4ef4..e2d2639164c01d0eda79d74329b078abfd80b0ca 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 42785c33a0d2e0334956b08603ab0a4a72e7ae3c..f55fa914be7fe9738c7ed5ba286fe75782319525 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -259,12 +259,12 @@ a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_ 97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c 3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c -7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c +3c4ade2fed4605e374d85ec1134a98da34e7124f89f44b81a754e8cfe81f14ba crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h 921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004 crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c -9653ec9c1476350a94b9cc7f8be3d99961fd803870c9ac03315298d2909a6a8e crypto/provider_core.c +0ba5d0297837940c972224c97cbbf3ea4a723c1eed9ce1112538c9bb26208639 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7 crypto/rand/rand_lib.c @@ -344,7 +344,7 @@ c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_ 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c -2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c +3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716 crypto/threads_pthread.c 88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl @@ -567,13 +567,13 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl 589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c 4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c 6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c -37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c -2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c +9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696 providers/implementations/keymgmt/dh_kmgmt.c +a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/implementations/keymgmt/dsa_kmgmt.c 9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c +011c36aad6834729043f23eacab417732541ee23916d9afa5bb9164862be00bb providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c -e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c +1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09 providers/implementations/keymgmt/mac_legacy_kmgmt.c 19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c diff --git a/providers/fips.checksum b/providers/fips.checksum index ec1978c7fedec1b4690b1aef2a8bc07f2c574cb4..db5ddc6cb7c60e0035e25f12b5a16d631423f263 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -f07990ec634ec6ea3c8c42a664768debcf92a1b0c39bde7041c24df33dd7f052 providers/fips-sources.checksums +8d97c837eeb1288f74788f0e48cb0cbc8498d4cf7ddc25c89344df7d5309ffc8 providers/fips-sources.checksums diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 81cfd5277364f2395caba4cbeabd66e45c8cc91a..ef80a515d756dccba8f1333f4170bc57f8363134 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_msblob2key.c b/providers/implementations/encode_decode/decode_msblob2key.c index 80c6e0a91e906bd9e146a4fd22b30b47d86619f9..b9d0cabadae2e4cc21f6fa614fd124b777b26b89 100644 --- a/providers/implementations/encode_decode/decode_msblob2key.c +++ b/providers/implementations/encode_decode/decode_msblob2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c index 4eeeaf425a409a3d13716d54910483aac66270d5..2d7cb15e53e0ae0b2b4a8b03cb910c047689d84a 100644 --- a/providers/implementations/encode_decode/decode_pvk2key.c +++ b/providers/implementations/encode_decode/decode_pvk2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index c7b01cb2b3e5ef1b570f751368af34bee5b0d22e..0f4c62962ddcd40959f9df01dbfe747d37845ae1 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -858,14 +858,17 @@ static int prepare_rsa_params(const void *rsa, int nid, int save, case 1: if ((str = OPENSSL_malloc(str_sz)) == NULL || !WPACKET_init_der(&pkt, str, str_sz)) { + WPACKET_cleanup(&pkt); goto err; } break; } if (!ossl_DER_w_RSASSA_PSS_params(&pkt, -1, pss) || !WPACKET_finish(&pkt) - || !WPACKET_get_total_written(&pkt, &str_sz)) + || !WPACKET_get_total_written(&pkt, &str_sz)) { + WPACKET_cleanup(&pkt); goto err; + } WPACKET_cleanup(&pkt); /* diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 831681412aec7730dd2ba21834bbd1e4a4f65a79..987d38456fba41c973e8ce4e2adf60c1c4fc95f9 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index 3434b966f450a52cf7a6a01623083a335ac285c8..1fae4407fca6093a63e14ea17fa7200449e35458 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e5310133c6b7b9f4353dc46c77c436d3d6aeef56..81a9f0728dbf7c6721efcd22c88b67d979c97e34 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -2809,14 +2809,14 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) if (sk_SSL_CIPHER_find(srvrsk, c) < 0) continue; - n = strlen(c->name); - if (n + 1 > size) { + n = OPENSSL_strnlen(c->name, size); + if (n >= size) { if (p != buf) --p; *p = '\0'; return buf; } - strcpy(p, c->name); + memcpy(p, c->name, n); p += n; *(p++) = ':'; size -= n + 1; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 7085585082935f02339073102451263e301d14ba..1fab5a3d129543891050d46267031f362bcc2660 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/chacha_internal_test.c b/test/chacha_internal_test.c index d52479b6584d893ee1b976140ed727ef49220597..d316bfd7b361705271e5cf23cbb7f45b098ccfb0 100644 --- a/test/chacha_internal_test.c +++ b/test/chacha_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/cmsapitest.c b/test/cmsapitest.c index ffc9a0c98a1cf6546aa64420a79b230117112e1a..dbb05cd4962269b7f95f893bd1aa98abeb2b392d 100644 --- a/test/cmsapitest.c +++ b/test/cmsapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/endecode_test.c b/test/endecode_test.c index 838ab1c35ae86e6035082d399bed9e174f80dfec..5158b39ee41f190794e70d77d477f447db3caef7 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pbetest.c b/test/pbetest.c index 7bf0680785d80e76fd89215d092ba661e598c606..cfffc2b9323327ccca7fba49ccbf21264c93f9eb 100644 --- a/test/pbetest.c +++ b/test/pbetest.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index d4129d2522bce8beb5b2e6845fd1bbcd98fc2a7b..c142093f72bbbcd28399e7c3d49a044a9c115e39 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -792,6 +792,70 @@ err: } #endif +static int pkcs12_recreate_test(void) +{ + int ret = 0; + X509 *cert = NULL; + X509 *cert_parsed = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY *pkey_parsed = NULL; + PKCS12 *p12 = NULL; + PKCS12 *p12_parsed = NULL; + PKCS12 *p12_recreated = NULL; + const unsigned char *cert_bytes = CERT1; + const unsigned char *key_bytes = KEY1; + BIO *bio = NULL; + + cert = d2i_X509(NULL, &cert_bytes, sizeof(CERT1)); + if (!TEST_ptr(cert)) + goto err; + pkey = d2i_AutoPrivateKey(NULL, &key_bytes, sizeof(KEY1)); + if (!TEST_ptr(pkey)) + goto err; + p12 = PKCS12_create("pass", NULL, pkey, cert, NULL, NID_aes_256_cbc, + NID_aes_256_cbc, 2, 1, 0); + if (!TEST_ptr(p12)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + bio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio)) + goto err; + if (!TEST_int_eq(i2d_PKCS12_bio(bio, p12), 1)) + goto err; + p12_parsed = PKCS12_init_ex(NID_pkcs7_data, testctx, NULL); + if (!TEST_ptr(p12_parsed)) + goto err; + p12_parsed = d2i_PKCS12_bio(bio, &p12_parsed); + if (!TEST_ptr(p12_parsed)) + goto err; + if (!TEST_int_eq(PKCS12_parse(p12_parsed, "pass", &pkey_parsed, + &cert_parsed, NULL), 1)) + goto err; + + /* cert_parsed also contains auxiliary data */ + p12_recreated = PKCS12_create("new_pass", NULL, pkey_parsed, cert_parsed, + NULL, NID_aes_256_cbc, NID_aes_256_cbc, + 2, 1, 0); + if (!TEST_ptr(p12_recreated)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + ret = 1; +err: + BIO_free(bio); + PKCS12_free(p12); + PKCS12_free(p12_parsed); + PKCS12_free(p12_recreated); + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey_parsed); + X509_free(cert); + X509_free(cert_parsed); + return ret; +} + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, @@ -873,6 +937,8 @@ int setup_tests(void) if (default_libctx) ADD_TEST(pkcs12_create_test); #endif + if (default_libctx) + ADD_TEST(pkcs12_recreate_test); ADD_ALL_TESTS(test_single_key_enc_pass, OSSL_NELEM(passwords)); ADD_ALL_TESTS(test_single_key_enc_iter, OSSL_NELEM(iters)); ADD_TEST(test_single_key_with_attrs); diff --git a/test/provider_internal_test.c b/test/provider_internal_test.c index bccce7159e1fdf97deee0c89978ffe12ef684415..1fe8fb0cc5c4123f7ab3773a0a7ab26fefa43dee 100644 --- a/test/provider_internal_test.c +++ b/test/provider_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t index 4773252185b91b99d1cc969d56cb777c2bd49d0f..44721a32372f781f1bef19f814979b8ec287f5c6 100644 --- a/test/recipes/15-test_rsapss.t +++ b/test/recipes/15-test_rsapss.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index f4526f36699253868bfab4c80b251f3c459dae14..8c8274aee699cec00efb0a74a064968fc4369fc7 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t index 103f28da764a003271fe16538e371e0212680d6a..c8f145405b2b4e899b7fbecd3f87d7aab79e1b42 100644 --- a/test/recipes/30-test_defltfips.t +++ b/test/recipes/30-test_defltfips.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index d4d26667c8dc2f889dbc58a51e772cac692c8d03..af823515f9bd64fd839bd6709d816ba69e1ece91 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 8dbec71212a2ceadf975dee9a16d34c7ed835803..f99ae8327e81199710c27099c70961d302843052 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -998,9 +998,13 @@ with({ exit_checker => sub { return shift == 6; } }, # Test case for return value mis-check reported in #21986 with({ exit_checker => sub { return shift == 3; } }, sub { - ok(run(app(['openssl', 'cms', '-sign', - '-in', srctop_file("test", "smcont.txt"), - '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), - '-md', 'SHAKE256'])), - "issue#21986"); + SKIP: { + skip "DSA is not supported in this build", 1 if $no_dsa; + + ok(run(app(['openssl', 'cms', '-sign', + '-in', srctop_file("test", "smcont.txt"), + '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), + '-md', 'SHAKE256'])), + "issue#21986"); + } }); diff --git a/test/recipes/99-test_fuzz_x509.t b/test/recipes/99-test_fuzz_x509.t index 7ca3ee8ae7ca00df0a5d843c9e96793579589cb5..b0b86365d1019382811059ffe42ace1e9e7eb1bc 100644 --- a/test/recipes/99-test_fuzz_x509.t +++ b/test/recipes/99-test_fuzz_x509.t @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 91c8b5b7b535f62143120d5bbef9631de25c9292..6b56754b824017f931be9b653f21dd105d355c75 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1525,8 +1525,10 @@ int main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } - SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey); - SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey)) + EVP_PKEY_free(dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey)) + EVP_PKEY_free(dhpkey); } #endif diff --git a/test/testutil/main.c b/test/testutil/main.c index 2945bb52b8e58817ac10319b6edcdf43c6689996..32e32d8328723ba1e0fb7cb4b15defa47035c9f4 100644 --- a/test/testutil/main.c +++ b/test/testutil/main.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/util/missingssl.txt b/util/missingssl.txt index 48219fd99a9a479a2216e81d19c1edf3d46fc946..41ca8a8bbc0022746b2bb4305af22ee22315f106 100644 --- a/util/missingssl.txt +++ b/util/missingssl.txt @@ -3,7 +3,6 @@ ERR_load_SSL_strings(3) SRP_Calc_A_param(3) SSL_COMP_get_name(3) SSL_COMP_set0_compression_methods(3) -SSL_CONF_CTX_finish(3) SSL_CTX_SRP_CTX_free(3) SSL_CTX_SRP_CTX_init(3) SSL_CTX_get0_certificate(3)