From 86ba0c6473066b14baae550e3abfe4a27cc8fd92 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 11 Sep 2023 12:34:02 +0200 Subject: [PATCH 01/23] Fix a memleak in prepare_rsa_params This affects only RSA-PSS keys with params using negative salt legth, or in case of out of memory. This fixes a memory leak reported in #22049. Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22061) (cherry picked from commit 46def829afa4d8bed8f53d484bdf842d65f0e176) Signed-off-by: fly2x --- providers/implementations/encode_decode/encode_key2any.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index c7b01cb2b3..e4870e1031 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -858,14 +858,17 @@ static int prepare_rsa_params(const void *rsa, int nid, int save, case 1: if ((str = OPENSSL_malloc(str_sz)) == NULL || !WPACKET_init_der(&pkt, str, str_sz)) { + WPACKET_cleanup(&pkt); goto err; } break; } if (!ossl_DER_w_RSASSA_PSS_params(&pkt, -1, pss) || !WPACKET_finish(&pkt) - || !WPACKET_get_total_written(&pkt, &str_sz)) + || !WPACKET_get_total_written(&pkt, &str_sz)) { + WPACKET_cleanup(&pkt); goto err; + } WPACKET_cleanup(&pkt); /* -- Gitee From 8461c26338abbce4485352082bc2f8c0db2fea72 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Mon, 11 Sep 2023 13:32:06 +0200 Subject: [PATCH 02/23] Fix typos found by codespell in openssl-3.0 Only modify doc/man* in the openssl-3.0 branch. Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22064) Signed-off-by: fly2x --- doc/man1/openssl-cms.pod.in | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_SIGNATURE.pod | 2 +- doc/man3/OSSL_CMP_CTX_new.pod | 2 +- doc/man3/SSL_new.pod | 2 +- doc/man5/x509v3_config.pod | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index c63a7f330b..a97eea0d71 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -391,7 +391,7 @@ option. =item I ... This is an alternative to using the B<-recip> option when encrypting a message. -One or more certificate filennames may be given. +One or more certificate filenames may be given. =item B<-I> diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 13482ac5e1..8fd237599e 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -181,7 +181,7 @@ EVP_MAC_CTX_set_params() passes chosen parameters to the underlying context, given a context I. The set of parameters given with I determine exactly what parameters are passed down. -If I are NULL, the unterlying context should do nothing and return 1. +If I are NULL, the underlying context should do nothing and return 1. Note that a parameter that is unknown in the underlying context is simply ignored. Also, what happens when a needed parameter isn't passed down is diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index 6005220853..a4ee9c4807 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -61,7 +61,7 @@ EVP_SIGNATURE_get0_provider() returns the provider that I was fetched from. EVP_SIGNATURE_do_all_provided() traverses all SIGNATURE implemented by all -activated roviders in the given library context I, and for each of the +activated providers in the given library context I, and for each of the implementations, calls the given function I with the implementation method and the given I as argument. diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index e81fb08b00..41d334887f 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -182,7 +182,7 @@ clearing the internal CMP transaction (aka session) status, PKIStatusInfo, and any previous results (newCert, newChain, caPubs, and extraCertsIn) from the last executed transaction. It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV(). -All other field values (i.e., CMP options) are retained for potential re-use. +All other field values (i.e., CMP options) are retained for potential reuse. OSSL_CMP_CTX_set_option() sets the given value for the given option (e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) in the given OSSL_CMP_CTX structure. diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index 59d275523f..f9b8678246 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -35,7 +35,7 @@ MUST NOT have yet started the SSL handshake. For connections that are not in their initial state SSL_dup() just increments an internal reference count and returns the I handle. It may be possible to use L to recycle an SSL handle that is not in its initial -state for re-use, but this is best avoided. Instead, save and restore +state for reuse, but this is best avoided. Instead, save and restore the session, if desired, and construct a fresh handle for each connection. The subset of settings in I that are duplicated are: diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 1830092394..fe24cb3456 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -93,7 +93,7 @@ numeric identifier, as shown here: email.2 = steve@example.org The syntax of raw extensions is defined by the source code that parses -the extension but should be documened. +the extension but should be documented. See L for an example of a raw extension. If an extension type is unsupported, then the I extension syntax -- Gitee From 574823009739af9a61ecc5fefa0db39c6bd969f1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 11 Sep 2023 17:23:46 +0200 Subject: [PATCH 03/23] d2i_ECPKParameters and i2d_ECPKParameters are not deprecated So do not document them as such. Fixes #22068 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22069) (cherry picked from commit 2508629765403375b3075300a0951705ec26fe27) Signed-off-by: fly2x --- doc/man3/d2i_RSAPrivateKey.pod | 2 -- doc/man3/d2i_X509.pod | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 5156f0edb2..6ad06aa048 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -28,7 +28,6 @@ d2i_RSA_PUBKEY_fp, d2i_DHparams, d2i_DHparams_bio, d2i_DHparams_fp, -d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio, @@ -56,7 +55,6 @@ i2d_DSA_PUBKEY, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY_fp, i2d_DSAparams, -i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio, diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index c79a964e6d..9226ef77c3 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -53,6 +53,7 @@ d2i_DIST_POINT, d2i_DIST_POINT_NAME, d2i_DSA_SIG, d2i_ECDSA_SIG, +d2i_ECPKParameters, d2i_EDIPARTYNAME, d2i_ESS_CERT_ID, d2i_ESS_CERT_ID_V2, @@ -223,6 +224,7 @@ i2d_DIST_POINT, i2d_DIST_POINT_NAME, i2d_DSA_SIG, i2d_ECDSA_SIG, +i2d_ECPKParameters, i2d_EDIPARTYNAME, i2d_ESS_CERT_ID, i2d_ESS_CERT_ID_V2, -- Gitee From 561e9eefc710b08702b320bc9ec028966c32f6ed Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 11 Sep 2023 12:26:46 +0200 Subject: [PATCH 04/23] Fix memory leaks in ssl_old_test.c This fixes a few memory leaks reported in #22049. If SSL_CTX_set0_tmp_dh_pkey rejects the temp dh key due to security restrictions (even when @SECLEVEL=0 is used!) then the caller has to delete the PKEY object. That is different to how the deprecated SSL_CTX_set_tmp_dh_pkey was designed to work. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22060) (cherry picked from commit 21f0b80cd4b32ba80843b812b01a6056daf14093) Signed-off-by: fly2x --- test/ssl_old_test.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 91c8b5b7b5..70524dee41 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -1525,8 +1525,10 @@ int main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } - SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey); - SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey)) + EVP_PKEY_free(dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey)) + EVP_PKEY_free(dhpkey); } #endif -- Gitee From e07ec5a53fd99545ff5c0aa730583a13081af932 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 5 Sep 2023 16:59:45 +0200 Subject: [PATCH 05/23] Fix engine cleanup error handling Error handling in engine_cleanup_add_first/last was broken and caused memory leaks. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21971) (cherry picked from commit 00f2efccf5b9671a7af2b12571068258e9c255a5) Signed-off-by: fly2x --- crypto/engine/eng_lib.c | 24 +++++++++++++++--------- crypto/engine/eng_list.c | 10 +++++++--- crypto/engine/eng_local.h | 4 ++-- crypto/engine/eng_table.c | 8 +++++--- 4 files changed, 29 insertions(+), 17 deletions(-) diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index dfd53a4331..cfdb5a50f4 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -133,28 +133,34 @@ static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb) return item; } -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); - if (item != NULL) - if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0) - OPENSSL_free(item); + if (item != NULL) { + if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0)) + return 1; + OPENSSL_free(item); + } + return 0; } -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; + if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); if (item != NULL) { - if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0) - OPENSSL_free(item); + if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) > 0) + return 1; + OPENSSL_free(item); } + return 0; } /* The API function that performs all cleanup */ diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 04c73c7628..d3bd0c0dc2 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -78,12 +78,16 @@ static int engine_list_add(ENGINE *e) ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } - engine_list_head = e; - e->prev = NULL; /* * The first time the list allocates, we should register the cleanup. */ - engine_cleanup_add_last(engine_list_cleanup); + if (!engine_cleanup_add_last(engine_list_cleanup)) { + CRYPTO_DOWN_REF(&e->struct_ref, &ref); + ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); + return 0; + } + engine_list_head = e; + e->prev = NULL; } else { /* We are adding to the tail of an existing list. */ if ((engine_list_tail == NULL) || (engine_list_tail->next != NULL)) { diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h index 03a86299cf..b3227b3bcd 100644 --- a/crypto/engine/eng_local.h +++ b/crypto/engine/eng_local.h @@ -46,8 +46,8 @@ typedef struct st_engine_cleanup_item { ENGINE_CLEANUP_CB *cb; } ENGINE_CLEANUP_ITEM; DEFINE_STACK_OF(ENGINE_CLEANUP_ITEM) -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); /* We need stacks of ENGINEs for use in eng_table.c */ DEFINE_STACK_OF(ENGINE) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index d6a7452c76..6628c612b9 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -93,9 +93,11 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup, added = 1; if (!int_table_check(table, 1)) goto end; - if (added) - /* The cleanup callback needs to be added */ - engine_cleanup_add_first(cleanup); + /* The cleanup callback needs to be added */ + if (added && !engine_cleanup_add_first(cleanup)) { + lh_ENGINE_PILE_free(&(*table)->piles); + *table = NULL; + } while (num_nids--) { tmplate.nid = *nids; fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate); -- Gitee From cff04c5f9ccaad804da62af57d4caaf5d20f4ecd Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Fri, 15 Sep 2023 09:56:01 +0200 Subject: [PATCH 06/23] Fix a merge mistake in engne_list_add master version increments the struct_ref early and needs to decrement the struct_ref on error, while 3.1 and 3.0 increment the struct_ref later. Reviewed-by: Tom Cosgrove Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22115) (cherry picked from commit bb67dff95aeb21047b95f92c5119cb63e75cfd2f) Signed-off-by: fly2x --- crypto/engine/eng_list.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index d3bd0c0dc2..d9e620dc58 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -82,7 +82,6 @@ static int engine_list_add(ENGINE *e) * The first time the list allocates, we should register the cleanup. */ if (!engine_cleanup_add_last(engine_list_cleanup)) { - CRYPTO_DOWN_REF(&e->struct_ref, &ref); ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } -- Gitee From ebbfd50487342623c70e5d968912559d773241e9 Mon Sep 17 00:00:00 2001 From: Olga Batyshkina Date: Mon, 7 Aug 2023 15:14:53 +0200 Subject: [PATCH 07/23] Fix PKCS#12 creation error when certificate contains auxiliary data Prefer friendly name passed by the caller and calculated local key id to ones found in certificate auxiliary data when creating PKCS#12. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21675) (cherry picked from commit 388a8e731445d190a46ec27b2ff5b4bf334d526b) Signed-off-by: fly2x --- crypto/pkcs12/p12_crt.c | 62 ++++++++++++++++++++++++------------ test/pkcs12_format_test.c | 66 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 108 insertions(+), 20 deletions(-) diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 00c7129746..b92a16cec3 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -14,6 +14,12 @@ static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen); static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) { @@ -40,6 +46,9 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, int i; unsigned char keyid[EVP_MAX_MD_SIZE]; unsigned int keyidlen = 0; + int namelen = -1; + unsigned char *pkeyid = NULL; + int pkeyidlen = -1; /* Set defaults */ if (nid_cert == NID_undef) @@ -64,11 +73,16 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, } if (cert) { - bag = PKCS12_add_cert(&bags, cert); - if (name && !PKCS12_add_friendlyname(bag, name, -1)) - goto err; - if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) - goto err; + if (name == NULL) + name = (char *)X509_alias_get0(cert, &namelen); + if (keyidlen > 0) { + pkeyid = keyid; + pkeyidlen = keyidlen; + } else { + pkeyid = X509_keyid_get0(cert, &pkeyidlen); + } + + bag = pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen); } /* Add all other certificates */ @@ -139,30 +153,23 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * iter, mac_iter, keytype, NULL, NULL); } -PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen) { PKCS12_SAFEBAG *bag = NULL; - char *name; - int namelen = -1; - unsigned char *keyid; - int keyidlen = -1; /* Add user certificate */ if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL) goto err; - /* - * Use friendlyName and localKeyID in certificate. (if present) - */ - - name = (char *)X509_alias_get0(cert, &namelen); - - if (name && !PKCS12_add_friendlyname(bag, name, namelen)) + if (name != NULL && !PKCS12_add_friendlyname(bag, name, namelen)) goto err; - keyid = X509_keyid_get0(cert, &keyidlen); - - if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) + if (keyid != NULL && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) goto err; if (!pkcs12_add_bag(pbags, bag)) @@ -173,7 +180,22 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) err: PKCS12_SAFEBAG_free(bag); return NULL; +} + +PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +{ + char *name = NULL; + int namelen = -1; + unsigned char *keyid = NULL; + int keyidlen = -1; + + /* + * Use friendlyName and localKeyID in certificate. (if present) + */ + name = (char *)X509_alias_get0(cert, &namelen); + keyid = X509_keyid_get0(cert, &keyidlen); + return pkcs12_add_cert_bag(pbags, cert, name, namelen, keyid, keyidlen); } PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags, diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index d4129d2522..93d66e87d8 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -792,6 +792,70 @@ err: } #endif +static int pkcs12_recreate_test(void) +{ + int ret = 0; + X509 *cert = NULL; + X509 *cert_parsed = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY *pkey_parsed = NULL; + PKCS12 *p12 = NULL; + PKCS12 *p12_parsed = NULL; + PKCS12 *p12_recreated = NULL; + const unsigned char *cert_bytes = CERT1; + const unsigned char *key_bytes = KEY1; + BIO *bio = NULL; + + cert = d2i_X509(NULL, &cert_bytes, sizeof(CERT1)); + if (!TEST_ptr(cert)) + goto err; + pkey = d2i_AutoPrivateKey(NULL, &key_bytes, sizeof(KEY1)); + if (!TEST_ptr(pkey)) + goto err; + p12 = PKCS12_create("pass", NULL, pkey, cert, NULL, NID_aes_256_cbc, + NID_aes_256_cbc, 2, 1, 0); + if (!TEST_ptr(p12)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + bio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio)) + goto err; + if (!TEST_int_eq(i2d_PKCS12_bio(bio, p12), 1)) + goto err; + p12_parsed = PKCS12_init_ex(NID_pkcs7_data, testctx, NULL); + if (!TEST_ptr(p12_parsed)) + goto err; + p12_parsed = d2i_PKCS12_bio(bio, &p12_parsed); + if (!TEST_ptr(p12_parsed)) + goto err; + if (!TEST_int_eq(PKCS12_parse(p12_parsed, "pass", &pkey_parsed, + &cert_parsed, NULL), 1)) + goto err; + + /* cert_parsed also contains auxiliary data */ + p12_recreated = PKCS12_create("new_pass", NULL, pkey_parsed, cert_parsed, + NULL, NID_aes_256_cbc, NID_aes_256_cbc, + 2, 1, 0); + if (!TEST_ptr(p12_recreated)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + ret = 1; +err: + BIO_free(bio); + PKCS12_free(p12); + PKCS12_free(p12_parsed); + PKCS12_free(p12_recreated); + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey_parsed); + X509_free(cert); + X509_free(cert_parsed); + return ret; +} + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, @@ -873,6 +937,8 @@ int setup_tests(void) if (default_libctx) ADD_TEST(pkcs12_create_test); #endif + if (default_libctx) + ADD_TEST(pkcs12_recreate_test); ADD_ALL_TESTS(test_single_key_enc_pass, OSSL_NELEM(passwords)); ADD_ALL_TESTS(test_single_key_enc_iter, OSSL_NELEM(iters)); ADD_TEST(test_single_key_with_attrs); -- Gitee From 237f8284b26d944c6cc01bb004797f2e28b9d59e Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Tue, 12 Sep 2023 12:00:21 +0530 Subject: [PATCH 08/23] Enhance code safety and readability in SSL_get_shared_ciphers() This commit introduces two key improvements: 1. Improve code safety by replacing the conditional statement with `if (n >= size)` and using OPENSSL_strnlen() instead of strlen(). This change ensures proper buffer size handling and adheres to secure coding practices. 2. Enhance code readability by substituting `strcpy(p, c->name)` with `memcpy(p, c->name, n)`. This adjustment prioritizes code clarity and maintenance, even while mitigating a minimal buffer overflow risk. These enhancements bolster the code's robustness and comprehensibility, aligning with secure coding principles and best practices. Fixes #19837 Signed-off-by: Sumitra Sharma Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21934) (cherry picked from commit 2743594d73e65c38375c619e89ec62579e2c24a9) Signed-off-by: fly2x --- ssl/ssl_lib.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e5310133c6..67c4359878 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2809,14 +2809,14 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) if (sk_SSL_CIPHER_find(srvrsk, c) < 0) continue; - n = strlen(c->name); - if (n + 1 > size) { + n = OPENSSL_strnlen(c->name, size); + if (n >= size) { if (p != buf) --p; *p = '\0'; return buf; } - strcpy(p, c->name); + memcpy(p, c->name, n); p += n; *(p++) = ':'; size -= n + 1; -- Gitee From 3c715149a82c4a695423d2b0565e9271cd134033 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 3 Jun 2023 17:15:06 +0200 Subject: [PATCH 09/23] CMP doc: various small corrections, mostly on PBM vs. MAC-based protection Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/21138) Signed-off-by: fly2x --- doc/man1/openssl-cmp.pod.in | 24 +++++++++++++----------- doc/man3/OSSL_CMP_CTX_new.pod | 28 ++++++++++++++-------------- doc/man3/OSSL_CMP_exec_certreq.pod | 6 +++--- 3 files changed, 30 insertions(+), 28 deletions(-) diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 4250deb426..35a9057a9a 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -659,11 +659,12 @@ is typically used when authenticating with pre-shared key (password-based MAC). =item B<-secret> I -Prefer PBM-based message protection with given source of a secret value. -The secret is used for creating PBM-based protection of outgoing messages -and (as far as needed) for validating PBM-based protection of incoming messages. -PBM stands for Password-Based Message Authentication Code. +Provides the source of a secret value to use with MAC-based message protection. This takes precedence over the B<-cert> and B<-key> options. +The secret is used for creating MAC-based protection of outgoing messages +and for validating incoming messages that have MAC-based protection. +The algorithm used by default is Password-Based Message Authentication Code (PBM) +as defined in RFC 4210 section 5.1.3.1. For more information about the format of I see L. @@ -682,7 +683,8 @@ while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. The issuer of this certificate is used as one of the recipient fallback values and as fallback issuer entry in the certificate template of IR/CR/KUR messages. -When using signature-based message protection, this "protection certificate" +When performing signature-based message protection, +this "protection certificate", also called "signer certificate", will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating @@ -713,8 +715,8 @@ have no effect on the certificate verification enabled via this option. The corresponding private key file for the client's current certificate given in the B<-cert> option. -This will be used for signature-based message protection unless -the B<-secret> option indicating PBM or B<-unprotected_requests> is given. +This will be used for signature-based message protection unless the B<-secret> +option indicating MAC-based protection or B<-unprotected_requests> is given. It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. @@ -730,7 +732,7 @@ L. =item B<-digest> I Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG -and as the one-way function (OWF) in MSG_MAC_ALG. +and as the one-way function (OWF) in C. If applicable, this is used for message protection and proof-of-possession (POPO) signatures. To see the list of supported digests, use C. @@ -738,7 +740,7 @@ Defaults to C. =item B<-mac> I -Specifies the name of the MAC algorithm in MSG_MAC_ALG. +Specifies the name of the MAC algorithm in C. To get the names of supported MAC algorithms use C and possibly combine such a name with the name of a supported digest algorithm, e.g., hmacWithSHA256. @@ -1166,7 +1168,7 @@ In order to update the enrolled certificate one may call openssl cmp -section insta,kur -using with PBM-based protection or +using MAC-based protection with PBM or openssl cmp -section insta,kur,signature @@ -1225,7 +1227,7 @@ Then it can start using the new cert and key. -newkey cl_key_new.pem -certout cl_cert.pem cp cl_key_new.pem cl_key.pem -This command sequence can be repated as often as needed. +This command sequence can be repeated as often as needed. =head2 Requesting information from CMP server diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 41d334887f..ce7db8f2f0 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -260,12 +260,12 @@ The following options can be set: =item B The NID of the digest algorithm to be used as one-way function (OWF) - in RFC 4210's MSG_MAC_ALG for PBM-based message protection. + for MAC-based message protection with password-based MAC (PBM). + See RFC 4210 section 5.1.3.1 for details. Default is SHA256. =item B - The NID of the MAC algorithm to be used in RFC 4210's MSG_MAC_ALG - for PBM-based message protection. + The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC-SHA1 as per RFC 4210. =item B @@ -450,8 +450,8 @@ The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the list of untrusted certs, which may be empty if unset. -OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate -related to the private key used for CMP message protection. +OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate, also called protection +certificate, related to the private key for signature-based message protection. Therefore the public key of this I must correspond to the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey(). When using signature-based protection of CMP request messages @@ -481,15 +481,15 @@ OSSL_CMP_CTX_set1_pkey() sets the client's private key corresponding to the CMP signer certificate set via OSSL_CMP_CTX_set1_cert(). This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG) of outgoing messages -unless a PBM secret has been set via OSSL_CMP_CTX_set1_secretValue(). +unless a symmetric secret has been set via OSSL_CMP_CTX_set1_secretValue(). The I argument may be NULL to clear the entry. -OSSL_CMP_CTX_set1_secretValue() sets the byte string I with length I -as PBM secret in the given I or clears it if the I argument is NULL. -If present, this secret is used to create PBM-based protection of outgoing -messages and to verify any PBM-based protection of incoming messages -(protectionAlg = MSG_MAC_ALG). PBM stands for Password-Based MAC. -PBM-based protection takes precedence over signature-based protection. +OSSL_CMP_CTX_set1_secretValue() sets in I the byte string I of length +I to use as pre-shared secret, or clears it if the I argument is NULL. +If present, this secret is used to create MAC-based authentication and integrity +protection (rather than applying signature-based protection) +of outgoing messages and to verify authenticity and integrity of incoming +messages that have MAC-based protection (protectionAlg = C). OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue I with length I in the given I or clears it if the I argument is NULL. @@ -500,7 +500,7 @@ then the sender field will contain the NULL-DN and the senderKID field of the CMP message header must be set. When signature-based protection is used the senderKID will be set to the subjectKeyIdentifier of the CMP signer certificate as far as present. -If not present or when PBM-based protection is used +If not present or when MAC-based protection is used the I value is taken as the fallback value for the senderKID. OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the @@ -731,7 +731,7 @@ Set up a CMP client context for sending requests and verifying responses: OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias); OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts); -Set up client credentials for password-based protection (PBM): +Set up symmetric credentials for MAC-based message protection such as PBM: OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len); OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len); diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index b0d81c7c41..5c24b27a47 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -42,7 +42,7 @@ client-server transactions, i.e., sequences of CMP requests and responses. All functions take a populated OSSL_CMP_CTX structure as their first argument. Usually the server name, port, and path ("CMP alias") need to be set, as well as -credentials the client can use for authenticating itself to the client. +credentials the client can use for authenticating itself to the server. In order to authenticate the server the client typically needs a trust store. The functions return their respective main results directly, while there are also accessor functions for retrieving various results and status information @@ -72,7 +72,7 @@ and need to be filled in using L, L, L, etc. For P10CR, L needs to be used instead. The enrollment session may be blocked by sleeping until the addressed -CA (or an intermedate PKI component) can fully process and answer the request. +CA (or an intermediate PKI component) can fully process and answer the request. OSSL_CMP_try_certreq() is an alternative to the above functions that is more flexible regarding what to do after receiving a checkAfter value. @@ -119,7 +119,7 @@ See RFC 4210 section 5.3.19 and appendix E.5 for details. CMP is defined in RFC 4210 (and CRMF in RFC 4211). -So far the CMP client implementation is limited to one request per CMP message +The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). =head1 RETURN VALUES -- Gitee From 840928c98a9f1368a7fa1e238425b581b7aaf58b Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 3 Jun 2023 17:17:14 +0200 Subject: [PATCH 10/23] CMP app and API doc: add note on critical server auth on receiving trust anchor certs Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/21138) Signed-off-by: fly2x --- doc/man1/openssl-cmp.pod.in | 7 +++++++ doc/man3/OSSL_CMP_exec_certreq.pod | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 35a9057a9a..9240916fce 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -1099,6 +1099,13 @@ only affect the certificate verification enabled via the B<-out_trusted> option. =head1 NOTES +When a client obtains from a CMP server CA certificates that it is going to +trust, for instance via the C field of a certificate response, +authentication of the CMP server is particularly critical. +So special care must be taken setting up server authentication +using B<-trusted> and related options for certificate-based authentication +or B<-secret> for MAC-based protection. + When setting up CMP configurations and experimenting with enrollment options typically various errors occur until the configuration is correct and complete. When the CMP server reports an error the client will by default diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 5c24b27a47..ef3451f754 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -122,6 +122,14 @@ CMP is defined in RFC 4210 (and CRMF in RFC 4211). The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). +When a client obtains from a CMP server CA certificates that it is going to +trust, for instance via the caPubs field of a certificate response, +authentication of the CMP server is particularly critical. +So special care must be taken setting up server authentication in I +using functions such as +L (for certificate-based authentication) or +L (for MAC-based protection). + =head1 RETURN VALUES OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(), -- Gitee From 4a8f4a34857fad588f37218f737b13407d2216d1 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 14:58:35 +0200 Subject: [PATCH 11/23] Copyright year updates Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- .github/workflows/compiler-zoo.yml | 2 +- .github/workflows/coveralls.yml | 2 +- .github/workflows/cross-compiles.yml | 2 +- .github/workflows/fips-checksums.yml | 2 +- .github/workflows/fips-old.yml | 2 +- .github/workflows/fuzz-checker.yml | 2 +- .github/workflows/run-checker-ci.yml | 2 +- .github/workflows/run-checker-daily.yml | 2 +- .github/workflows/run-checker-merge.yml | 2 +- .github/workflows/windows.yml | 2 +- README.md | 2 +- crypto/asn1/a_strnid.c | 2 +- crypto/asn1/asn1_gen.c | 2 +- crypto/cmp/cmp_asn.c | 2 +- crypto/cmp/cmp_status.c | 2 +- crypto/cms/cms_local.h | 2 +- crypto/cms/cms_sd.c | 2 +- crypto/encode_decode/decoder_lib.c | 2 +- crypto/encode_decode/decoder_pkey.c | 2 +- crypto/engine/eng_list.c | 2 +- crypto/engine/eng_local.h | 2 +- crypto/engine/eng_table.c | 2 +- crypto/mem.c | 2 +- crypto/pem/pem_pkey.c | 2 +- crypto/perlasm/arm-xlate.pl | 2 +- crypto/pkcs12/p12_crt.c | 2 +- crypto/poly1305/asm/poly1305-x86_64.pl | 2 +- crypto/provider_core.c | 2 +- crypto/srp/srp_vfy.c | 2 +- crypto/store/store_lib.c | 2 +- crypto/threads_pthread.c | 2 +- doc/man1/openssl-cms.pod.in | 2 +- doc/man1/openssl-ts.pod.in | 2 +- doc/man3/BIO_s_mem.pod | 2 +- doc/man3/CMS_sign.pod | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_SIGNATURE.pod | 2 +- doc/man3/OSSL_CMP_exec_certreq.pod | 2 +- doc/man3/OSSL_HTTP_transfer.pod | 2 +- doc/man3/PKCS12_create.pod | 2 +- doc/man3/SSL_new.pod | 2 +- doc/man3/d2i_RSAPrivateKey.pod | 2 +- doc/man5/x509v3_config.pod | 2 +- doc/man7/EVP_KDF-PKCS12KDF.pod | 2 +- fuzz/x509.c | 2 +- providers/implementations/ciphers/cipher_chacha20.c | 2 +- providers/implementations/encode_decode/decode_msblob2key.c | 2 +- providers/implementations/encode_decode/decode_pvk2key.c | 2 +- providers/implementations/encode_decode/encode_key2any.c | 2 +- providers/implementations/keymgmt/ecx_kmgmt.c | 2 +- providers/implementations/keymgmt/mac_legacy_kmgmt.c | 2 +- ssl/ssl_lib.c | 2 +- ssl/statem/extensions_srvr.c | 2 +- test/chacha_internal_test.c | 2 +- test/cmsapitest.c | 2 +- test/endecode_test.c | 2 +- test/pbetest.c | 2 +- test/pkcs12_format_test.c | 2 +- test/provider_internal_test.c | 2 +- test/recipes/15-test_rsapss.t | 2 +- test/recipes/25-test_req.t | 2 +- test/recipes/30-test_defltfips.t | 2 +- test/recipes/30-test_evp.t | 2 +- test/recipes/99-test_fuzz_x509.t | 2 +- test/ssl_old_test.c | 2 +- test/testutil/main.c | 2 +- 66 files changed, 66 insertions(+), 66 deletions(-) diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 4f17322ec5..9932b39f95 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 5aa595ce8d..bcdcab45c7 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 65bb9cbce4..63fd5e829e 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 002494f58c..1b56755bfb 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fips-old.yml b/.github/workflows/fips-old.yml index 3589c83266..88c6fe281f 100644 --- a/.github/workflows/fips-old.yml +++ b/.github/workflows/fips-old.yml @@ -1,4 +1,4 @@ -# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index ce6d894a98..3e84fdbac6 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 73ee5f1f80..101c44f1b2 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 8b7252b128..1716ed3327 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 14dfa7c2d4..7154b6b62d 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 8c518d17d9..10005d3522 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/README.md b/README.md index f2f4fd39ad..b848d05013 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,7 @@ attempting to develop or distribute cryptographic code. Copyright ========= -Copyright (c) 1998-2022 The OpenSSL Project +Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c index c960daf5cb..d052935661 100644 --- a/crypto/asn1/a_strnid.c +++ b/crypto/asn1/a_strnid.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 5a15c6a5d9..402ab34e6a 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index 5c47a1a067..a8de73ad97 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c index 2da02c5524..68144aa4fe 100644 --- a/crypto/cmp/cmp_status.c +++ b/crypto/cmp/cmp_status.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index f1e9be9087..253f6819e4 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 626401add4..53c8e378f3 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index a1257571ec..2e4b7ed60b 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index cc7e6903b6..ad5e280531 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index d9e620dc58..f2eed3b071 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h index b3227b3bcd..75bc9e6f16 100644 --- a/crypto/engine/eng_local.h +++ b/crypto/engine/eng_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index 6628c612b9..3138a15260 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/mem.c b/crypto/mem.c index d575dcdc13..bc9dc11167 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 284b144fd6..4deee46ce5 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl index 57b75c4e5d..38d570c790 100755 --- a/crypto/perlasm/arm-xlate.pl +++ b/crypto/perlasm/arm-xlate.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index b92a16cec3..26a444f868 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl index 24bab9d0bc..4cddca1c51 100755 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 873b335b94..92cce32c5b 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index edcfb0c76e..96d511ffe6 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 60a6aded05..bc12d8dd13 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index ec4cddb3af..801855c930 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index a97eea0d71..65a61ee97f 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -902,7 +902,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 0f9049d2a4..3e7f7c4be9 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -652,7 +652,7 @@ L =head1 COPYRIGHT -Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BIO_s_mem.pod b/doc/man3/BIO_s_mem.pod index 31b2daf33d..3bbc3e7fcf 100644 --- a/doc/man3/BIO_s_mem.pod +++ b/doc/man3/BIO_s_mem.pod @@ -174,7 +174,7 @@ and BUF_MEM structure: =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_sign.pod b/doc/man3/CMS_sign.pod index a701c4d0fa..03bfc6fce1 100644 --- a/doc/man3/CMS_sign.pod +++ b/doc/man3/CMS_sign.pod @@ -132,7 +132,7 @@ The CMS_sign_ex() method was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 8fd237599e..56ac92a486 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -481,7 +481,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index a4ee9c4807..1f534ef338 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index ef3451f754..0cabc3bad5 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -171,7 +171,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index 05ede23a2f..716e365ef5 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -277,7 +277,7 @@ All the functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index f528330c04..92e588062a 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -101,7 +101,7 @@ standards. =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index f9b8678246..2b52276916 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -124,7 +124,7 @@ L =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 6ad06aa048..08cd2c85e5 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -307,7 +307,7 @@ L =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index fe24cb3456..044904022d 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -590,7 +590,7 @@ L =head1 COPYRIGHT -Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 05d4e902bd..9865365698 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -80,7 +80,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/x509.c b/fuzz/x509.c index 6293f1a5c5..e2d2639164 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 81cfd52773..ef80a515d7 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_msblob2key.c b/providers/implementations/encode_decode/decode_msblob2key.c index 80c6e0a91e..b9d0cabada 100644 --- a/providers/implementations/encode_decode/decode_msblob2key.c +++ b/providers/implementations/encode_decode/decode_msblob2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c index 4eeeaf425a..2d7cb15e53 100644 --- a/providers/implementations/encode_decode/decode_pvk2key.c +++ b/providers/implementations/encode_decode/decode_pvk2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index e4870e1031..0f4c62962d 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 831681412a..987d38456f 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index 3434b966f4..1fae4407fc 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 67c4359878..81a9f0728d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 7085585082..1fab5a3d12 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/chacha_internal_test.c b/test/chacha_internal_test.c index d52479b658..d316bfd7b3 100644 --- a/test/chacha_internal_test.c +++ b/test/chacha_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/cmsapitest.c b/test/cmsapitest.c index ffc9a0c98a..dbb05cd496 100644 --- a/test/cmsapitest.c +++ b/test/cmsapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/endecode_test.c b/test/endecode_test.c index 838ab1c35a..5158b39ee4 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pbetest.c b/test/pbetest.c index 7bf0680785..cfffc2b932 100644 --- a/test/pbetest.c +++ b/test/pbetest.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index 93d66e87d8..c142093f72 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/provider_internal_test.c b/test/provider_internal_test.c index bccce7159e..1fe8fb0cc5 100644 --- a/test/provider_internal_test.c +++ b/test/provider_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t index 4773252185..44721a3237 100644 --- a/test/recipes/15-test_rsapss.t +++ b/test/recipes/15-test_rsapss.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index f4526f3669..8c8274aee6 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t index 103f28da76..c8f145405b 100644 --- a/test/recipes/30-test_defltfips.t +++ b/test/recipes/30-test_defltfips.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index d4d26667c8..af823515f9 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/99-test_fuzz_x509.t b/test/recipes/99-test_fuzz_x509.t index 7ca3ee8ae7..b0b86365d1 100644 --- a/test/recipes/99-test_fuzz_x509.t +++ b/test/recipes/99-test_fuzz_x509.t @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 70524dee41..6b56754b82 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * diff --git a/test/testutil/main.c b/test/testutil/main.c index 2945bb52b8..32e32d8328 100644 --- a/test/testutil/main.c +++ b/test/testutil/main.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy -- Gitee From 392ad9b47975277544e08eaf6cef974c52412362 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 15:02:19 +0200 Subject: [PATCH 12/23] make update Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- providers/fips-sources.checksums | 14 +++++++------- providers/fips.checksum | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 42785c33a0..f55fa914be 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -259,12 +259,12 @@ a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_ 97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c 3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c -7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c +3c4ade2fed4605e374d85ec1134a98da34e7124f89f44b81a754e8cfe81f14ba crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h 921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004 crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c -9653ec9c1476350a94b9cc7f8be3d99961fd803870c9ac03315298d2909a6a8e crypto/provider_core.c +0ba5d0297837940c972224c97cbbf3ea4a723c1eed9ce1112538c9bb26208639 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7 crypto/rand/rand_lib.c @@ -344,7 +344,7 @@ c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_ 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c -2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c +3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716 crypto/threads_pthread.c 88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl @@ -567,13 +567,13 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl 589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c 4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c 6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c -37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c -2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c +9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696 providers/implementations/keymgmt/dh_kmgmt.c +a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/implementations/keymgmt/dsa_kmgmt.c 9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c +011c36aad6834729043f23eacab417732541ee23916d9afa5bb9164862be00bb providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c -e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c +1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09 providers/implementations/keymgmt/mac_legacy_kmgmt.c 19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c diff --git a/providers/fips.checksum b/providers/fips.checksum index ec1978c7fe..db5ddc6cb7 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -f07990ec634ec6ea3c8c42a664768debcf92a1b0c39bde7041c24df33dd7f052 providers/fips-sources.checksums +8d97c837eeb1288f74788f0e48cb0cbc8498d4cf7ddc25c89344df7d5309ffc8 providers/fips-sources.checksums -- Gitee From b5de23f146319d151b79f74e171313ec59b7790e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 15:02:31 +0200 Subject: [PATCH 13/23] Prepare for release of 3.0.11 Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e519978842..a26bdbdd0a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,7 +28,7 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod -### Changes between 3.0.10 and 3.0.11 [xx XXX xxxx] +### Changes between 3.0.10 and 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. diff --git a/NEWS.md b/NEWS.md index 1b8ec67442..f7ca47baff 100644 --- a/NEWS.md +++ b/NEWS.md @@ -18,7 +18,7 @@ OpenSSL Releases OpenSSL 3.0 ----------- -### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [under development] +### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807]) diff --git a/VERSION.dat b/VERSION.dat index bc7aac6146..c4157a8627 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 PATCH=11 -PRE_RELEASE_TAG=dev +PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="" +RELEASE_DATE="19 Sep 2023" SHLIB_VERSION=3 -- Gitee From 2d7075b9f0493bca129b6c6bc9ebc6d3023170fd Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 15:03:18 +0200 Subject: [PATCH 14/23] Prepare for 3.0.12 Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- CHANGES.md | 4 ++++ NEWS.md | 4 ++++ VERSION.dat | 6 +++--- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index a26bdbdd0a..61efa01bb6 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,6 +28,10 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod +### Changes between 3.0.11 and 3.0.12 [xx XXX xxxx] + + * none yet + ### Changes between 3.0.10 and 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. diff --git a/NEWS.md b/NEWS.md index f7ca47baff..72f78d581e 100644 --- a/NEWS.md +++ b/NEWS.md @@ -18,6 +18,10 @@ OpenSSL Releases OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [under development] + + * none + ### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows diff --git a/VERSION.dat b/VERSION.dat index c4157a8627..b9d08f44f5 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 -PATCH=11 -PRE_RELEASE_TAG= +PATCH=12 +PRE_RELEASE_TAG=dev BUILD_METADATA= -RELEASE_DATE="19 Sep 2023" +RELEASE_DATE="" SHLIB_VERSION=3 -- Gitee From 1c88ccdc2887eaad33c74be0cfc09a8ddabe8a56 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 18 Sep 2023 16:02:21 +0200 Subject: [PATCH 15/23] enc: "bad decrypt" only in decryption CLA: trivial Signed-off-by: Mathieu Tortuyaux Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22134) (cherry picked from commit 0e138b7b591f160a50aff22f662254d1b39c9cac) Signed-off-by: fly2x --- apps/enc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apps/enc.c b/apps/enc.c index b3bf4cc259..c275046cf5 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -624,7 +624,10 @@ int enc_main(int argc, char **argv) } } if (!BIO_flush(wbio)) { - BIO_printf(bio_err, "bad decrypt\n"); + if (enc) + BIO_printf(bio_err, "bad encrypt\n"); + else + BIO_printf(bio_err, "bad decrypt\n"); goto end; } -- Gitee From 009b67fc86e685a35b55923aacd9e657ee998e37 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Mon, 18 Sep 2023 16:38:11 +0530 Subject: [PATCH 16/23] Add documentation for the function SSL_CONF_CTX_finish. Add documentation for the function SSL_CONF_CTX_finish() in man3. Fixes #22084 Signed-off-by: Sumitra Sharma Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22128) (cherry picked from commit 955c133ccccd2b6e3f5a1b1342045111fe8b3e86) Signed-off-by: fly2x --- doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod | 8 ++++++++ util/missingssl.txt | 1 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod index 06cc1e4ec5..b74c869b83 100644 --- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod +++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod @@ -2,6 +2,7 @@ =head1 NAME +SSL_CONF_CTX_finish, SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure =head1 SYNOPSIS @@ -10,6 +11,7 @@ SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx); void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); + int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx); =head1 DESCRIPTION @@ -23,6 +25,10 @@ B structure B. Any previous B or B associated with B is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to B. +The function SSL_CONF_CTX_finish() must be called after all configuration +operations have been completed. It is used to finalise any operations +or to process defaults. + =head1 NOTES The context need not be set or it can be set to B in which case only @@ -32,6 +38,8 @@ syntax checking of commands is performed, where possible. SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value. +SSL_CONF_CTX_finish() returns 1 for success and 0 for failure. + =head1 SEE ALSO L, diff --git a/util/missingssl.txt b/util/missingssl.txt index 48219fd99a..41ca8a8bbc 100644 --- a/util/missingssl.txt +++ b/util/missingssl.txt @@ -3,7 +3,6 @@ ERR_load_SSL_strings(3) SRP_Calc_A_param(3) SSL_COMP_get_name(3) SSL_COMP_set0_compression_methods(3) -SSL_CONF_CTX_finish(3) SSL_CTX_SRP_CTX_free(3) SSL_CTX_SRP_CTX_init(3) SSL_CTX_get0_certificate(3) -- Gitee From 1fced7e980957e138393733016f87293a9228e01 Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 19 Sep 2023 11:07:21 +1000 Subject: [PATCH 17/23] coverity: NULL dereference Fixes coverity 1544699. Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/22138) (cherry picked from commit be01f609f98a8930f2c91b813715e515a88f4d54) Signed-off-by: fly2x --- crypto/engine/eng_table.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index 3138a15260..9dc3144bbf 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -97,6 +97,7 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup, if (added && !engine_cleanup_add_first(cleanup)) { lh_ENGINE_PILE_free(&(*table)->piles); *table = NULL; + goto end; } while (num_nids--) { tmplate.nid = *nids; -- Gitee From 52623e39f40370f6814cc857bea51650b5cb2a0a Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 11 Sep 2023 06:38:31 +0200 Subject: [PATCH 18/23] Fix some memory leaks in the openssl app In some error cases the normal cleanup did not happen, but instead an exit(1) which caused some memory leaks, as reported in #22049. Reviewed-by: Tom Cosgrove Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/22055) (cherry picked from commit 8c040c086ca11a519975c58961a5dc933aa6524a) Signed-off-by: fly2x --- apps/dgst.c | 2 ++ apps/dhparam.c | 2 ++ apps/dsaparam.c | 2 ++ apps/gendsa.c | 2 ++ apps/genpkey.c | 2 ++ apps/genrsa.c | 2 ++ apps/lib/apps.c | 8 ++++---- apps/req.c | 2 ++ 8 files changed, 18 insertions(+), 4 deletions(-) diff --git a/apps/dgst.c b/apps/dgst.c index e12389197d..3f02af0d57 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -320,6 +320,8 @@ int dgst_main(int argc, char **argv) sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */); /* Verbose output would make external-tests gost-engine fail */ EVP_PKEY_CTX_free(mac_ctx); + if (sigkey == NULL) + goto end; } if (hmac_key != NULL) { diff --git a/apps/dhparam.c b/apps/dhparam.c index 43906cea56..c4b5559ef8 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -222,6 +222,8 @@ int dhparam_main(int argc, char **argv) } tmppkey = app_paramgen(ctx, alg); + if (tmppkey == NULL) + goto end; EVP_PKEY_CTX_free(ctx); ctx = NULL; if (dsaparam) { diff --git a/apps/dsaparam.c b/apps/dsaparam.c index b5555282be..cb3f9d9eaf 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -218,6 +218,8 @@ int dsaparam_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", numbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (outformat == FORMAT_ASN1) i = i2d_PrivateKey_bio(out, pkey); diff --git a/apps/gendsa.c b/apps/gendsa.c index 27feb793fe..34f7af377d 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -146,6 +146,8 @@ int gendsa_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", nbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) { diff --git a/apps/genpkey.c b/apps/genpkey.c index d00754eeac..8774a4ee28 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -183,6 +183,8 @@ int genpkey_main(int argc, char **argv) pkey = do_param ? app_paramgen(ctx, algname) : app_keygen(ctx, algname, 0, 0 /* not verbose */); + if (pkey == NULL) + goto end; if (do_param) { rv = PEM_write_bio_Parameters(out, pkey); diff --git a/apps/genrsa.c b/apps/genrsa.c index 4436b7fa17..390a5d72a7 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -203,6 +203,8 @@ opthelp: goto end; } pkey = app_keygen(ctx, "RSA", num, verbose); + if (pkey == NULL) + goto end; if (verbose) { BIGNUM *e = NULL; diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 572f6a3f8f..9de518f383 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -3359,8 +3359,8 @@ EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose) BIO_printf(bio_err, "Warning: generating random key material may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_keygen(ctx, &res) <= 0) - app_bail_out("%s: Error generating %s key\n", opt_getprog(), - alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Error generating %s key\n", opt_getprog(), + alg != NULL ? alg : "asymmetric"); return res; } @@ -3372,8 +3372,8 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg) BIO_printf(bio_err, "Warning: generating random key parameters may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_paramgen(ctx, &res) <= 0) - app_bail_out("%s: Generating %s key parameters failed\n", - opt_getprog(), alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Generating %s key parameters failed\n", + opt_getprog(), alg != NULL ? alg : "asymmetric"); return res; } diff --git a/apps/req.c b/apps/req.c index 926f0796bc..41191803ae 100644 --- a/apps/req.c +++ b/apps/req.c @@ -685,6 +685,8 @@ int req_main(int argc, char **argv) EVP_PKEY_CTX_set_app_data(genctx, bio_err); pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose); + if (pkey == NULL) + goto end; EVP_PKEY_CTX_free(genctx); genctx = NULL; -- Gitee From 52689ddc0ec088717f2941bc45cb8a19765c59f2 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 19 Sep 2023 20:15:18 +0200 Subject: [PATCH 19/23] Fix error handling in CRYPTO_get_ex_new_index If an out of memory error happens when the index zero is reserved in a newly created ip->meth stack object, that reservation is not done in a second attempt, which makes various X_set_ex_data overwrite the value of X_set_app_data. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22149) (cherry picked from commit d4f22a915ac50570015a23ad794032c4fb9496cb) Signed-off-by: fly2x --- crypto/ex_data.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/ex_data.c b/crypto/ex_data.c index 40223f06e4..455b63cd57 100644 --- a/crypto/ex_data.c +++ b/crypto/ex_data.c @@ -163,6 +163,8 @@ int ossl_crypto_get_ex_new_index_ex(OSSL_LIB_CTX *ctx, int class_index, * "app_data" routines use ex_data index zero. See RT 3710. */ if (ip->meth == NULL || !sk_EX_CALLBACK_push(ip->meth, NULL)) { + sk_EX_CALLBACK_free(ip->meth); + ip->meth = NULL; ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); goto err; } -- Gitee From 659640dc908504c3a7e5c62ca5e1dbcbb88af897 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Wed, 20 Sep 2023 15:45:56 +0200 Subject: [PATCH 20/23] Fix error handling in lhash contract When the realloc fails in contract, this not a fatal error, since the memory is only shrinked. It is also no option to exit the function at this point, since that would leave the hash table in an inconsistent state. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22154) (cherry picked from commit 5fbfd641aeebdf4b29a0749e13a79a1e59502878) Signed-off-by: fly2x --- crypto/lhash/lhash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 1cd988f01f..bd39b1ba57 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -266,12 +266,12 @@ static void contract(OPENSSL_LHASH *lh) if (n == NULL) { /* fputs("realloc error in lhash",stderr); */ lh->error++; - return; + } else { + lh->b = n; } lh->num_alloc_nodes /= 2; lh->pmax /= 2; lh->p = lh->pmax - 1; - lh->b = n; } else lh->p--; -- Gitee From 8ce4c221dd2a0e5175359d918221183fae9c5aef Mon Sep 17 00:00:00 2001 From: Steffen Klee Date: Wed, 20 Sep 2023 00:04:18 +0200 Subject: [PATCH 21/23] Fix test_cms if DSA is not supported CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22150) (cherry picked from commit dee2129802d9694d72e8745aec2d8bd4577ee4ee) Signed-off-by: fly2x --- test/recipes/80-test_cms.t | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 8dbec71212..f99ae8327e 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -998,9 +998,13 @@ with({ exit_checker => sub { return shift == 6; } }, # Test case for return value mis-check reported in #21986 with({ exit_checker => sub { return shift == 3; } }, sub { - ok(run(app(['openssl', 'cms', '-sign', - '-in', srctop_file("test", "smcont.txt"), - '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), - '-md', 'SHAKE256'])), - "issue#21986"); + SKIP: { + skip "DSA is not supported in this build", 1 if $no_dsa; + + ok(run(app(['openssl', 'cms', '-sign', + '-in', srctop_file("test", "smcont.txt"), + '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), + '-md', 'SHAKE256'])), + "issue#21986"); + } }); -- Gitee From 7b6193359e42dce14d4bc81bf399642b385e2753 Mon Sep 17 00:00:00 2001 From: Huiyue Xu Date: Thu, 14 Sep 2023 16:21:35 +0800 Subject: [PATCH 22/23] Do not include sparse_array.o in libssl sparse_array.o is not needed in libssl at 3.0.x version. Signed-off-by: Huiyue Xu Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22111) Signed-off-by: fly2x --- crypto/build.info | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto/build.info b/crypto/build.info index b90390ae86..c04db55911 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -97,8 +97,6 @@ $UTIL_COMMON=\ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ param_build_set.c der_writer.c threads_lib.c params_dup.c -SHARED_SOURCE[../libssl]=sparse_array.c - SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \ -- Gitee From 4bc43e6a4b19196938438d2c1a2ec7bfbe386b50 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Thu, 21 Sep 2023 16:43:43 +0200 Subject: [PATCH 23/23] no-engine: fix signing with legacy app method based keys Signing with an app method based key (i.e. an `EVP_PKEY` which wraps an `RSA` key with an application defined `RSA_METHOD`) used to work in 1.1.1. That feature was broken in commit 60488d2434, but later on fixed by @t8m in commit b247113c05 (see #14859). This commit corrects a minor flaw of the fix, which affects only `no-engine` builds: the special treatment for foreign keys is guarded by an `OPENSSL_NO_ENGINE` check. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Dmitry Belyavskiy Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/22163) (cherry picked from commit 1acc3e8cc3c69187b55cc557c1bc03278ab38063) (cherry picked from commit c67a1988fcf8fe34b1d31e29849f2528d553dd66) Signed-off-by: fly2x --- crypto/evp/pmeth_lib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index ce6e1a1ccb..ba1971ce46 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -251,10 +251,11 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, */ if (e != NULL) pmeth = ENGINE_get_pkey_meth(e, id); - else if (pkey != NULL && pkey->foreign) + else +# endif /* OPENSSL_NO_ENGINE */ + if (pkey != NULL && pkey->foreign) pmeth = EVP_PKEY_meth_find(id); else -# endif app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id); /* END legacy */ -- Gitee