From 466677c22bbc12a9329741a1714127a679a603fb Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 31 Aug 2023 10:26:22 +0200 Subject: [PATCH 01/22] test_provider_ex(): Add missing call failure checks Fixes Coverity 1542440 Reviewed-by: Tim Hudson Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21913) Signed-off-by: fly2x --- test/provider_test.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/test/provider_test.c b/test/provider_test.c index 3268a287a2..2d20d12071 100644 --- a/test/provider_test.c +++ b/test/provider_test.c @@ -166,13 +166,15 @@ static int test_provider_ex(OSSL_LIB_CTX **libctx, const char *name) int ok = 0; long err; const char custom_buf[] = "Custom greeting"; - OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); + OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL; - OSSL_PARAM_BLD_push_utf8_string(bld, "greeting", custom_buf, strlen(custom_buf)); - params = OSSL_PARAM_BLD_to_param(bld); - - OSSL_PARAM_BLD_free(bld); + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, "greeting", custom_buf, + strlen(custom_buf))) + || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) { + goto err; + } if (!TEST_ptr(prov = OSSL_PROVIDER_load_ex(*libctx, name, params))) goto err; @@ -204,6 +206,7 @@ static int test_provider_ex(OSSL_LIB_CTX **libctx, const char *name) ERR_print_errors_fp(stderr); ok = 1; err: + OSSL_PARAM_BLD_free(bld); OSSL_PARAM_free(params); OSSL_PROVIDER_unload(prov); OSSL_LIB_CTX_free(*libctx); -- Gitee From 10a19f226cf3fee089e6039c736d2a9fa28c57b7 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 5 Oct 2023 17:11:25 +0100 Subject: [PATCH 02/22] Fix the BIO_addr test The BIO_addr test is failing on non-stop. The length of the data is larger than the size we have allocated for it. We dynamically allocate instead. Fixes #22218 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22294) Signed-off-by: fly2x --- test/bio_addr_test.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/test/bio_addr_test.c b/test/bio_addr_test.c index 9ca007e511..38ea3de36c 100644 --- a/test/bio_addr_test.c +++ b/test/bio_addr_test.c @@ -80,8 +80,9 @@ static BIO_ADDR *make_dummy_addr(int family) static int bio_addr_is_eq(const BIO_ADDR *a, const BIO_ADDR *b) { - struct sockaddr_storage adata, bdata; + unsigned char *adata = NULL, *bdata = NULL; size_t alen, blen; + int ret = 0; /* True even if a and b are NULL */ if (a == b) @@ -98,15 +99,11 @@ static int bio_addr_is_eq(const BIO_ADDR *a, const BIO_ADDR *b) if (BIO_ADDR_rawport(a) != BIO_ADDR_rawport(b)) return 0; - if (!BIO_ADDR_rawaddress(a, NULL, &alen) - || alen > sizeof(adata) - || !BIO_ADDR_rawaddress(a, &adata, &alen)) + if (!BIO_ADDR_rawaddress(a, NULL, &alen)) return 0; - if (!BIO_ADDR_rawaddress(a, NULL, &blen) - || blen > sizeof(bdata) - || !BIO_ADDR_rawaddress(a, &bdata, &blen)) - return 0; + if (!BIO_ADDR_rawaddress(b, NULL, &blen)) + goto err; if (alen != blen) return 0; @@ -114,7 +111,22 @@ static int bio_addr_is_eq(const BIO_ADDR *a, const BIO_ADDR *b) if (alen == 0) return 1; - return memcmp(&adata, &bdata, alen) == 0; + adata = OPENSSL_malloc(alen); + if (!TEST_ptr(adata) + || !BIO_ADDR_rawaddress(a, adata, &alen)) + goto err; + + bdata = OPENSSL_malloc(blen); + if (!TEST_ptr(bdata) + || !BIO_ADDR_rawaddress(b, bdata, &blen)) + goto err; + + ret = (memcmp(adata, bdata, alen) == 0); + + err: + OPENSSL_free(adata); + OPENSSL_free(bdata); + return ret; } static int test_bio_addr_copy_dup(int idx) -- Gitee From b29084a07569cb597d4ee3fda40616c479cdaa1b Mon Sep 17 00:00:00 2001 From: Klavishnik Date: Wed, 9 Aug 2023 17:05:03 +0300 Subject: [PATCH 03/22] Avoid divide-by-zero in kmac_prov.c's bytepad() This would happen if EVP_MD_get_block_size() returned 0 so we return an error instead. Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21698) Signed-off-by: fly2x --- providers/implementations/macs/kmac_prov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index 4d920c249a..ddaab4ba86 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c @@ -249,7 +249,7 @@ static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key, ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } - if (w < 0) { + if (w <= 0) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); return 0; } @@ -289,7 +289,7 @@ static int kmac_init(void *vmacctx, const unsigned char *key, return 0; t = EVP_MD_get_block_size(ossl_prov_digest_md(&kctx->digest)); - if (t < 0) { + if (t <= 0) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); return 0; } -- Gitee From 5ea98bd163c718a5bdca953860c45e100ed440f3 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 6 Oct 2023 15:56:15 +0100 Subject: [PATCH 04/22] When calling ossl_crypto_condvar_wait_timeout() we must use real time Although many of the QUIC tests use fake time, the time we pass to the ossl_crypto_condvar_wait_timeout() must be a real time. Passing fake time was causing the QUIC tserver test to hang because ossl_crypto_convar_wait_timeout() always timed out immediately and never relinquished the CPU. If using fake time we adjust the time to real time just before using it. Fixes #22020 Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22301) Signed-off-by: fly2x --- include/internal/quic_thread_assist.h | 7 ++++++- ssl/quic/quic_impl.c | 4 +++- ssl/quic/quic_thread_assist.c | 23 ++++++++++++++++++++--- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/include/internal/quic_thread_assist.h b/include/internal/quic_thread_assist.h index 7d1b47453a..592c2ffabf 100644 --- a/include/internal/quic_thread_assist.h +++ b/include/internal/quic_thread_assist.h @@ -12,6 +12,7 @@ # include # include "internal/thread.h" +# include "internal/time.h" # if defined(OPENSSL_NO_QUIC) || defined(OPENSSL_NO_THREAD_POOL) # define OPENSSL_NO_QUIC_THREAD_ASSIST @@ -46,6 +47,8 @@ typedef struct quic_thread_assist_st { CRYPTO_CONDVAR *cv; CRYPTO_THREAD *t; int teardown, joined; + OSSL_TIME (*now_cb)(void *arg); + void *now_cb_arg; } QUIC_THREAD_ASSIST; /* @@ -55,7 +58,9 @@ typedef struct quic_thread_assist_st { * not affect the state of the mutex. */ int ossl_quic_thread_assist_init_start(QUIC_THREAD_ASSIST *qta, - QUIC_CHANNEL *ch); + QUIC_CHANNEL *ch, + OSSL_TIME (*now_cb)(void *arg), + void *now_cb_arg); /* * Request the thread assist helper to begin stopping the assist thread. This diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index cb927fa52d..86020a450a 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -1532,7 +1532,9 @@ static int ensure_channel_started(QCTX *ctx) #if !defined(OPENSSL_NO_QUIC_THREAD_ASSIST) if (qc->is_thread_assisted) - if (!ossl_quic_thread_assist_init_start(&qc->thread_assist, qc->ch)) { + if (!ossl_quic_thread_assist_init_start(&qc->thread_assist, qc->ch, + qc->override_now_cb, + qc->override_now_cb_arg)) { QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, "failed to start assist thread"); return 0; diff --git a/ssl/quic/quic_thread_assist.c b/ssl/quic/quic_thread_assist.c index b5c1829e8e..e1de72a910 100644 --- a/ssl/quic/quic_thread_assist.c +++ b/ssl/quic/quic_thread_assist.c @@ -28,11 +28,24 @@ static unsigned int assist_thread_main(void *arg) rtor = ossl_quic_channel_get_reactor(qta->ch); for (;;) { + OSSL_TIME deadline; + if (qta->teardown) break; - ossl_crypto_condvar_wait_timeout(qta->cv, m, - ossl_quic_reactor_get_tick_deadline(rtor)); + deadline = ossl_quic_reactor_get_tick_deadline(rtor); + if (qta->now_cb != NULL + && !ossl_time_is_zero(deadline) + && !ossl_time_is_infinite(deadline)) { + /* + * ossl_crypto_condvar_wait_timeout needs to use real time for the + * deadline + */ + deadline = ossl_time_add(ossl_time_subtract(deadline, + qta->now_cb(qta->now_cb_arg)), + ossl_time_now()); + } + ossl_crypto_condvar_wait_timeout(qta->cv, m, deadline); /* * We have now been woken up. This can be for one of the following @@ -56,7 +69,9 @@ static unsigned int assist_thread_main(void *arg) } int ossl_quic_thread_assist_init_start(QUIC_THREAD_ASSIST *qta, - QUIC_CHANNEL *ch) + QUIC_CHANNEL *ch, + OSSL_TIME (*now_cb)(void *arg), + void *now_cb_arg) { CRYPTO_MUTEX *mutex = ossl_quic_channel_get_mutex(ch); @@ -66,6 +81,8 @@ int ossl_quic_thread_assist_init_start(QUIC_THREAD_ASSIST *qta, qta->ch = ch; qta->teardown = 0; qta->joined = 0; + qta->now_cb = now_cb; + qta->now_cb_arg = now_cb_arg; qta->cv = ossl_crypto_condvar_new(); if (qta->cv == NULL) -- Gitee From ac2998d201383252b4f41283ba8ef8480496c74b Mon Sep 17 00:00:00 2001 From: Evgeny Karpov Date: Mon, 7 Aug 2023 14:28:20 +0200 Subject: [PATCH 05/22] * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21673) Signed-off-by: fly2x --- CHANGES.md | 4 ++++ crypto/arm_arch.h | 2 ++ crypto/modes/gcm128.c | 2 +- crypto/sm3/sm3_local.h | 2 +- include/crypto/aes_platform.h | 6 +++--- include/crypto/sm4_platform.h | 2 +- 6 files changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index af5f3cd2ab..ef801c2f73 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -25,6 +25,10 @@ OpenSSL 3.2 ### Changes between 3.1 and 3.2 [xx XXX xxxx] + * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES. + + *Evgeny Karpov* + * Added a function to delete objects from store by URI - OSSL_STORE_delete() and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete(). diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index 43aa6b97c5..83acbe0126 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -49,6 +49,8 @@ # else # error "unsupported ARM architecture" # endif +# elif defined(__ARM_ARCH) +# define __ARM_ARCH__ __ARM_ARCH # endif # endif diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 677eb21a0b..77ff5dd06b 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -369,7 +369,7 @@ void gcm_gmult_4bit_x86(u64 Xi[2], const u128 Htable[16]); void gcm_ghash_4bit_x86(u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len); # endif -# elif defined(__arm__) || defined(__arm) || defined(__aarch64__) +# elif defined(__arm__) || defined(__arm) || defined(__aarch64__) || defined(_M_ARM64) # include "arm_arch.h" # if __ARM_MAX_ARCH__>=7 # define GHASH_ASM_ARM diff --git a/crypto/sm3/sm3_local.h b/crypto/sm3/sm3_local.h index cb5a187a12..18e10890eb 100644 --- a/crypto/sm3/sm3_local.h +++ b/crypto/sm3/sm3_local.h @@ -34,7 +34,7 @@ } while (0) #if defined(OPENSSL_SM3_ASM) -# if defined(__aarch64__) +# if defined(__aarch64__) || defined(_M_ARM64) # include "crypto/arm_arch.h" # define HWSM3_CAPABLE (OPENSSL_armcap_P & ARMV8_SM3) void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num); diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h index cbc035926e..e641450b15 100644 --- a/include/crypto/aes_platform.h +++ b/include/crypto/aes_platform.h @@ -90,7 +90,7 @@ void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); # endif /* OPENSSL_SYS_AIX || OPENSSL_SYS_MACOSX */ # endif /* PPC */ -# if (defined(__arm__) || defined(__arm) || defined(__aarch64__)) +# if (defined(__arm__) || defined(__arm) || defined(__aarch64__) || defined(_M_ARM64)) # include "arm_arch.h" # if __ARM_MAX_ARCH__>=7 # if defined(BSAES_ASM) @@ -106,7 +106,7 @@ void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); # define HWAES_decrypt aes_v8_decrypt # define HWAES_cbc_encrypt aes_v8_cbc_encrypt # define HWAES_ecb_encrypt aes_v8_ecb_encrypt -# if __ARM_MAX_ARCH__>=8 && defined(__aarch64__) +# if __ARM_MAX_ARCH__>=8 && (defined(__aarch64__) || defined(_M_ARM64)) # define HWAES_xts_encrypt aes_v8_xts_encrypt # define HWAES_xts_decrypt aes_v8_xts_decrypt # endif @@ -114,7 +114,7 @@ void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); # define AES_PMULL_CAPABLE ((OPENSSL_armcap_P & ARMV8_PMULL) && (OPENSSL_armcap_P & ARMV8_AES)) # define AES_GCM_ENC_BYTES 512 # define AES_GCM_DEC_BYTES 512 -# if __ARM_MAX_ARCH__>=8 && defined(__aarch64__) +# if __ARM_MAX_ARCH__>=8 && (defined(__aarch64__) || defined(_M_ARM64)) # define AES_gcm_encrypt armv8_aes_gcm_encrypt # define AES_gcm_decrypt armv8_aes_gcm_decrypt # define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_v8_ctr32_encrypt_blocks && \ diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h index 8a26885097..cc4f514256 100644 --- a/include/crypto/sm4_platform.h +++ b/include/crypto/sm4_platform.h @@ -12,7 +12,7 @@ # pragma once # if defined(OPENSSL_CPUID_OBJ) -# if defined(__aarch64__) +# if defined(__aarch64__) || defined (_M_ARM64) # include "arm_arch.h" extern unsigned int OPENSSL_arm_midr; static inline int vpsm4_capable(void) -- Gitee From fb740554f81eb8419c91eb677bb585a70af0ebd7 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 9 Oct 2023 16:47:07 +0200 Subject: [PATCH 06/22] provider-compatibility.yml: Correct the directory where opensslwrap.sh is being run Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22322) Signed-off-by: fly2x --- .github/workflows/provider-compatibility.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index ccb0fbdd7d..8fc125cbd8 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml @@ -236,10 +236,11 @@ jobs: working-directory: ${{ matrix.tree_b }} - name: get cpu info + if: steps.early_exit.outcome == 'success' run: | cat /proc/cpuinfo ./util/opensslwrap.sh version -c - working-directory: ${{ matrix.branch.dir }} + working-directory: ${{ matrix.tree_b }} - name: run cross validation tests of FIPS from A with tree from B if: steps.early_exit.outcome == 'success' -- Gitee From b7752e5cc0bf776884d36354cc51855b19ea934f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 9 Oct 2023 17:32:53 +0200 Subject: [PATCH 07/22] ECDSA with SHA3 verification does not depend on FIPS provider version Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22322) Signed-off-by: fly2x --- test/recipes/25-test_verify.t | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 48af75ab2e..1c8fce86fd 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -369,6 +369,19 @@ SKIP: { skip "EC is not supported or FIPS is disabled", 7 if disabled("ec") || $no_fips; + $ENV{OPENSSL_CONF} = $provconf; + + ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-224 w/fips"); + ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-256 w/fips"); + ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-384 w/fips"); + ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-512 w/fips"); + + delete $ENV{OPENSSL_CONF}; + run(test(["fips_version_test", "-config", $provconf, ">3.0.0"]), capture => 1, statusvar => \my $exit); skip "FIPS provider version is too old", 3 @@ -385,15 +398,6 @@ SKIP: { ok(verify("ee-cert-ec-named-named", "", ["root-cert"], ["ca-cert-ec-named"], @prov), "accept named curve leaf with named curve intermediate w/fips"); - ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], @prov), - "accept cert generated with EC and SHA3-224 w/fips"); - ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], @prov), - "accept cert generated with EC and SHA3-256 w/fips"); - ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], @prov), - "accept cert generated with EC and SHA3-384 w/fips"); - ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], @prov), - "accept cert generated with EC and SHA3-512 w/fips"); - delete $ENV{OPENSSL_CONF}; } -- Gitee From 51dcb9085ba2fcb3f8f59e567490f4eabed6120a Mon Sep 17 00:00:00 2001 From: Klavishnik Date: Thu, 10 Aug 2023 13:56:24 +0300 Subject: [PATCH 08/22] Added check for the return value of the RAND_bytes() function Call app_bail_out if RAND_bytes() fails. Also changed the output parameter of RAND_bytes() to inp as writing to encrypted output buffer does not make sense. Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21706) Signed-off-by: fly2x --- apps/speed.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/speed.c b/apps/speed.c index 88d389523b..44e3af7591 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -4747,7 +4747,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, } else { int pad; - RAND_bytes(out, 16); + if (RAND_bytes(inp, 16) <= 0) + app_bail_out("error setting random bytes\n"); len += 16; aad[11] = (unsigned char)(len >> 8); aad[12] = (unsigned char)(len); -- Gitee From d3ac4482ac476550062da222081b2528f9d640f3 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sun, 11 Jun 2023 17:36:55 +0200 Subject: [PATCH 09/22] apps/cmp.c: -tls_used may be implied by -server https:...; improve related checks and doc Reviewed-by: Todd Short Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21176) Signed-off-by: fly2x --- apps/cmp.c | 8 ++----- doc/man1/openssl-cmp.pod.in | 24 +++++++++---------- .../80-test_cmp_http_data/test_connection.csv | 2 ++ 3 files changed, 16 insertions(+), 18 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index e38f0010a0..911d94c198 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1933,10 +1933,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_warn("ignoring -proxy option since -server is not given"); if (opt_no_proxy != NULL) CMP_warn("ignoring -no_proxy option since -server is not given"); - if (opt_tls_used) { - CMP_warn("ignoring -tls_used option since -server is not given"); - opt_tls_used = 0; - } goto set_path; } if (!OSSL_HTTP_parse_url(opt_server, &use_ssl, NULL /* user */, @@ -1946,8 +1942,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) goto err; } if (use_ssl && !opt_tls_used) { - CMP_err("missing -tls_used option since -server URL indicates HTTPS"); - goto err; + CMP_warn("assuming -tls_used since -server URL indicates HTTPS"); + opt_tls_used = 1; } BIO_snprintf(server_port, sizeof(server_port), "%s", port); diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index fec815e756..051c749d08 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -480,8 +480,8 @@ IP address may be for v4 or v6, such as C<127.0.0.1> or C<[::1]> for localhost. This option excludes I<-port> and I<-use_mock_srv>. It is ignored if I<-rspin> is given with enough filename arguments. -The scheme C may be given only if the B<-tls_used> option is provided. -In this case the default port is 443, else 80. +If the scheme C is given, the B<-tls_used> option is implied. +When TLS is used, the default port is 443, otherwise 80. The optional userinfo and fragment components are ignored. Any given query component is handled as part of the path component. If a path is included it provides the default value for the B<-path> option. @@ -491,9 +491,9 @@ If a path is included it provides the default value for the B<-path> option. The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy> applies, see below. The proxy port defaults to 80 or 443 if the scheme is C; apart from that -the optional C or C prefix is ignored (note that TLS may be -enabled by B<-tls_used>), as well as any path, userinfo, and query, and fragment -components. +the optional C or C prefix is ignored (note that using TLS +may be required by B<-tls_used> or B<-server> with the prefix C), +as well as any path, userinfo, and query, and fragment components. Defaults to the environment variable C if set, else C in case no TLS is used, otherwise C if set, else C. This option is ignored if I<-server> is not given. @@ -584,7 +584,7 @@ Non-trusted intermediate CA certificate(s). Any extra certificates given with the B<-cert> option are appended to it. All these certificates may be useful for cert path construction for the own CMP signer certificate (to include in the extraCerts field of -request messages) and for the TLS client certificate (if TLS is enabled) +request messages) and for the TLS client certificate (if TLS is used) as well as for chain building when validating server certificates (checking signature-based CMP message protection) and when validating newly enrolled certificates. @@ -898,14 +898,14 @@ B<-tls_key>. =item B<-tls_used> -Enable using TLS (even when other TLS-related options are not set) -for message exchange with CMP server via HTTP. +Make the CMP client use TLS (regardless if other TLS-related options are set) +for message exchange with the server via HTTP. This option is not supported with the I<-port> option. -It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given -or I<-rspin> is given with enough filename arguments. +It is implied if the B<-server> option is given with the scheme C. +It is ignored if the B<-server> option is not given or B<-use_mock_srv> is given +or B<-rspin> is given with enough filename arguments. -The following TLS-related options are ignored -if B<-tls_used> is not given or does not take effect. +The following TLS-related options are ignored if TLS is not used. =item B<-tls_cert> I|I diff --git a/test/recipes/80-test_cmp_http_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv index 202eb223c4..8814da5009 100644 --- a/test/recipes/80-test_cmp_http_data/test_connection.csv +++ b/test/recipes/80-test_cmp_http_data/test_connection.csv @@ -21,6 +21,8 @@ TBD,server IP address with TLS port, -section,, -server,_SERVER_IP:_SERVER_TLS,, 0,proxy default port, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1, -no_proxy,nonmatch.com,BLANK,,,,-msg_timeout,1,BLANK,,BLANK, 0,proxy missing argument, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,, -no_proxy,nonmatch.com,BLANK,,,,BLANK,,BLANK,,BLANK, ,,,,,,,,,,,,,,,,,,, +0,tls_used, -section,, -server,_SERVER_HOST:_SERVER_PORT,,,,,-tls_used,,,,-msg_timeout,1,BLANK,,BLANK, +,,,,,,,,,,,,,,,,,,, 1,path explicit, -section,, -server,_SERVER_HOST:_SERVER_PORT,,,,,BLANK,, -path,_SERVER_PATH,BLANK,,BLANK,,BLANK, 1,path overrides -server path, -section,, -server,_SERVER_HOST:_SERVER_PORT/ignored,,,,,BLANK,, -path,_SERVER_PATH,BLANK,,BLANK,,BLANK, 1,path default -server path, -section,, -server,_SERVER_HOST:_SERVER_PORT/_SERVER_PATH,,,,,BLANK,, -path,"""",BLANK,,BLANK,,BLANK, -- Gitee From d1bf94a98a09cb6fd3da2d9c2b270fd17fd99ba7 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sun, 11 Jun 2023 18:19:50 +0200 Subject: [PATCH 10/22] OSSL_CMP_CTX_new.pod: remove overlap with OSSL_HTTP_transfer.pod; improve the latter Reviewed-by: Todd Short Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21176) Signed-off-by: fly2x --- doc/man3/OSSL_CMP_CTX_new.pod | 30 +++++++++++------------------- doc/man3/OSSL_HTTP_transfer.pod | 8 +++++--- 2 files changed, 16 insertions(+), 22 deletions(-) diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 32fbc09158..488b22de9b 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -377,22 +377,16 @@ Defaults to the environment variable C if set, else C. OSSL_CMP_CTX_set_http_cb() sets the optional BIO connect/disconnect callback function, which has the prototype - typedef BIO *(*HTTP_bio_cb_t) (BIO *bio, void *ctx, int connect, int detail); - -The callback may modify the I provided by L, -whereby it may make use of a custom defined argument I -stored in the OSSL_CMP_CTX by means of OSSL_CMP_CTX_set_http_cb_arg(). -During connection establishment, just after calling BIO_do_connect_retry(), -the function is invoked with the I argument being 1 and the I -argument being 1 if HTTPS is requested, i.e., SSL/TLS should be enabled. On -disconnect I is 0 and I is 1 in case no error occurred, else 0. -For instance, on connect the function may prepend a TLS BIO to implement HTTPS; -after disconnect it may do some diagnostic output and/or specific cleanup. -The function should return NULL to indicate failure. -After disconnect the modified BIO will be deallocated using BIO_free_all(). - -OSSL_CMP_CTX_set_http_cb_arg() sets an argument, respectively a pointer to -a structure containing arguments, + typedef BIO *(*HTTP_bio_cb_t) (BIO *bio, void *arg, int connect, int detail); + +The callback may modify the I provided by L +as described for the I parameter of L. +The callback may make use of a custom defined argument I, +as described for the I parameter of L. +The argument is stored in the OSSL_CMP_CTX using OSSL_CMP_CTX_set_http_cb_arg(). + +OSSL_CMP_CTX_set_http_cb_arg() sets the argument, respectively a pointer to +a structure containing arguments such as an B structure, optionally to be used by the http connect/disconnect callback function. I is not consumed, and it must therefore explicitly be freed when not needed any more. I may be NULL to clear the entry. @@ -407,8 +401,6 @@ which has the type typedef OSSL_CMP_MSG *(*OSSL_CMP_transfer_cb_t) (OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req); -Returns 1 on success, 0 on error. - Default is NULL, which implies the use of L. The callback should send the CMP request message it obtains via the I parameter and on success return the response, else it must return NULL. @@ -824,7 +816,7 @@ the id-it-signKeyPairTypes OID and prints info on the General Response contents: L, L, L, L, L, L, -L +L, L =head1 HISTORY diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index e0375377e6..323525c5b0 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -99,8 +99,8 @@ I is a BIO connect/disconnect callback function with prototype BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail) The callback function may modify the BIO provided in the I argument, -whereby it may make use of a custom defined argument I, -which may for instance point to an B structure. +whereby it may use an optional custom defined argument I, +which can for instance point to an B structure. During connection establishment, just after calling BIO_do_connect_retry(), the callback function is invoked with the I argument being 1 and I being 1 if I is nonzero (i.e., HTTPS is requested), else 0. @@ -108,7 +108,7 @@ On disconnect I is 0 and I is 1 if no error occurred, else 0. For instance, on connect the callback may push an SSL BIO to implement HTTPS; after disconnect it may do some diagnostic output and pop and free the SSL BIO. -The callback function must return either the potentially modified BIO I. +The callback function must return either the potentially modified BIO I or NULL to indicate failure, in which case it should not modify the BIO. Here is a simple example that supports TLS connections (but not via a proxy): @@ -135,6 +135,8 @@ Here is a simple example that supports TLS connections (but not via a proxy): } After disconnect the modified BIO will be deallocated using BIO_free_all(). +The optional callback function argument I is not consumed, +so must be freed by the caller when not needed any more. The I parameter specifies the response header maximum line length. A value <= 0 means that the B (4KiB) is used. -- Gitee From 856fb6cbdd8bed3337bdf94802be6454f9f9b52f Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sun, 11 Jun 2023 17:41:03 +0200 Subject: [PATCH 11/22] CMP: fix OSSL_CMP_MSG_http_perform() by adding option OSSL_CMP_OPT_USE_TLS Fixes #21120 Reviewed-by: Todd Short Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21176) Signed-off-by: fly2x --- apps/cmp.c | 2 ++ crypto/cmp/cmp_ctx.c | 6 ++++++ crypto/cmp/cmp_http.c | 3 ++- crypto/cmp/cmp_local.h | 1 + doc/man3/OSSL_CMP_CTX_new.pod | 12 ++++++++++++ include/openssl/cmp.h.in | 5 +++-- 6 files changed, 26 insertions(+), 3 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 911d94c198..dd5a69af7c 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1945,6 +1945,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_warn("assuming -tls_used since -server URL indicates HTTPS"); opt_tls_used = 1; } + if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_USE_TLS, opt_tls_used)) + goto err; BIO_snprintf(server_port, sizeof(server_port), "%s", port); if (opt_path == NULL) diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index b95c540133..947d2ceb8f 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -123,6 +123,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) ctx->keep_alive = 1; ctx->msg_timeout = -1; + ctx->tls_used = -1; /* default for backward compatibility */ if ((ctx->untrusted = sk_X509_new_null()) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB); @@ -949,6 +950,9 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val) case OSSL_CMP_OPT_TOTAL_TIMEOUT: ctx->total_timeout = val; break; + case OSSL_CMP_OPT_USE_TLS: + ctx->tls_used = val; + break; case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: ctx->permitTAInExtraCertsForIR = val; break; @@ -1013,6 +1017,8 @@ int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt) return ctx->msg_timeout; case OSSL_CMP_OPT_TOTAL_TIMEOUT: return ctx->total_timeout; + case OSSL_CMP_OPT_USE_TLS: + return ctx->tls_used; case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: return ctx->permitTAInExtraCertsForIR; case OSSL_CMP_OPT_REVOCATION_REASON: diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c index ef77d251ef..d08c362a70 100644 --- a/crypto/cmp/cmp_http.c +++ b/crypto/cmp/cmp_http.c @@ -68,7 +68,8 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx, if (ctx->serverPort != 0) BIO_snprintf(server_port, sizeof(server_port), "%d", ctx->serverPort); - tls_used = OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL; + tls_used = ctx->tls_used >= 0 ? ctx->tls_used != 0 + : OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL; /* backward compat */ if (ctx->http_ctx == NULL) ossl_cmp_log3(DEBUG, ctx, "connecting to CMP server %s:%s%s", ctx->server, server_port, tls_used ? " using TLS" : ""); diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 3fb479ca39..29aa84cd2a 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -49,6 +49,7 @@ struct ossl_cmp_ctx_st { int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */ int msg_timeout; /* max seconds to wait for each CMP message round trip */ int total_timeout; /* max number of seconds an enrollment may take, incl. */ + int tls_used; /* whether to use TLS for client-side HTTP connections */ /* attempts polling for a response if a 'waiting' PKIStatus is received */ time_t end_time; /* session start time + totaltimeout */ # ifndef OPENSSL_NO_HTTP diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 488b22de9b..8109970171 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -237,6 +237,17 @@ The following options can be set: A value <= 0 means no limitation (waiting indefinitely). Default is 0. +=item B + + Use this option to indicate to the HTTP implementation + whether TLS is going to be used for the connection (resulting in HTTPS). + The value 1 indicates that TLS is used for client-side HTTP connections, + which needs to be implemented via a callback function set by + OSSL_CMP_CTX_set_http_cb(). + The value 0 indicates that TLS is not used. + Default is -1 for backward compatibility: TLS is used by the client side + if and only if OSSL_CMP_CTX_set_http_cb_arg() sets a non-NULL I. + =item B Number of days new certificates are asked to be valid for. @@ -384,6 +395,7 @@ as described for the I parameter of L. The callback may make use of a custom defined argument I, as described for the I parameter of L. The argument is stored in the OSSL_CMP_CTX using OSSL_CMP_CTX_set_http_cb_arg(). +See also the B option described above. OSSL_CMP_CTX_set_http_cb_arg() sets the argument, respectively a pointer to a structure containing arguments such as an B structure, diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index e6af016c7f..5bd8beb57a 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -285,9 +285,10 @@ const char *OSSL_CMP_CTX_get0_propq(const OSSL_CMP_CTX *ctx); /* CMP general options: */ # define OSSL_CMP_OPT_LOG_VERBOSITY 0 /* CMP transfer options: */ -# define OSSL_CMP_OPT_KEEP_ALIVE 10 -# define OSSL_CMP_OPT_MSG_TIMEOUT 11 +# define OSSL_CMP_OPT_KEEP_ALIVE 10 +# define OSSL_CMP_OPT_MSG_TIMEOUT 11 # define OSSL_CMP_OPT_TOTAL_TIMEOUT 12 +# define OSSL_CMP_OPT_USE_TLS 13 /* CMP request options: */ # define OSSL_CMP_OPT_VALIDITY_DAYS 20 # define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 21 -- Gitee From 068770de2e6dda5c6737c9b84ff46a2b94fdfc3d Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 18 Sep 2023 08:16:01 +0200 Subject: [PATCH 12/22] Improve Malloc Failure Test Allow 2 digits after the comma in percentage in OPENSSL_MALLOC_FAILURES. Add OPENSSL_MALLOC_SEED to allow for some randomization. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22127) Signed-off-by: fly2x --- crypto/mem.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/crypto/mem.c b/crypto/mem.c index 62fee87842..d7aa3ab85d 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -100,6 +100,9 @@ void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount) * or 100;100@25;0 * This means 100 mallocs succeed, then next 100 fail 25% of the time, and * all remaining (count is zero) succeed. + * The failure percentge can have 2 digits after the comma. For example: + * 0@0.01 + * This means 0.01% of all allocations will fail. */ static void parseit(void) { @@ -112,7 +115,7 @@ static void parseit(void) /* Get the count (atol will stop at the @ if there), and percentage */ md_count = atol(md_failstring); atsign = strchr(md_failstring, '@'); - md_fail_percent = atsign == NULL ? 0 : atoi(atsign + 1); + md_fail_percent = atsign == NULL ? 0 : (int)(atof(atsign + 1) * 100 + 0.5); if (semi != NULL) md_failstring = semi; @@ -131,7 +134,7 @@ static void parseit(void) */ static int shouldfail(void) { - int roll = (int)(random() % 100); + int roll = (int)(random() % 10000); int shoulditfail = roll < md_fail_percent; # ifndef _WIN32 /* suppressed on Windows as POSIX-like file descriptors are non-inheritable */ @@ -165,6 +168,8 @@ void ossl_malloc_setup_failures(void) parseit(); if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL) md_tracefd = atoi(cp); + if ((cp = getenv("OPENSSL_MALLOC_SEED")) != NULL) + srandom(atoi(cp)); } #endif -- Gitee From 1948a796f1769a7195a3238ecfd3160ac0953934 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Mon, 9 Oct 2023 19:11:39 +0100 Subject: [PATCH 13/22] Ensure struct timeval is defined when including ssl.h Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22323) Signed-off-by: fly2x --- include/openssl/e_ostime.h | 30 ++++++++++++++++++++++++++++++ include/openssl/ssl.h.in | 1 + 2 files changed, 31 insertions(+) create mode 100644 include/openssl/e_ostime.h diff --git a/include/openssl/e_ostime.h b/include/openssl/e_ostime.h new file mode 100644 index 0000000000..8a7cc9880f --- /dev/null +++ b/include/openssl/e_ostime.h @@ -0,0 +1,30 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OPENSSL_E_OSTIME_H +# define OPENSSL_E_OSTIME_H +# pragma once + +# include +# include +# include + +/* + * This header guarantees that 'struct timeval' will be available. It includes + * the minimum headers needed to facilitate this. This may still be a + * substantial set of headers on some platforms (e.g. on Win32). + */ + +# if defined(OPENSSL_SYS_WINDOWS) +# include +# else +# include +# endif + +#endif diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 5df101ff87..59b587e657 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -25,6 +25,7 @@ use OpenSSL::stackhash qw(generate_stack_macros generate_const_stack_macros); # endif # include +# include # include # include # include -- Gitee From 2a3f8ae4c7fa15385b24188e3cb653666faa5aca Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 10 Oct 2023 12:32:40 +0200 Subject: [PATCH 14/22] test/recipes/05-test_rand.t: replace 'and' with '&&' The lower priority 'and' seems to have some "interesting" interactions with function argument parsing in some perl versions (presumably because 'and' is lower priority than the comma). For the lines that are changed here, perl v5.20.1 says this: Useless use of string eq in void context at [.test.recipes]05-test_rand.t line 33. Useless use of numeric eq (==) in void context at [.test.recipes]05-test_rand.t line 39. Replacing 'and' with '&&' in these two cases fixes the problem. Replacing Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22331) Signed-off-by: fly2x --- test/recipes/05-test_rand.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t index 60fcb04ca6..6d097c1721 100644 --- a/test/recipes/05-test_rand.t +++ b/test/recipes/05-test_rand.t @@ -29,12 +29,12 @@ SKIP: { @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]), capture => 1, statusvar => \$success); chomp(@randdata); - ok($success and $randdata[0] eq $expected, + ok($success && $randdata[0] eq $expected, "rand with ossltest: Check rand output is as expected"); @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]), capture => 1, statusvar => \$success); chomp(@randdata); - ok($success and length($randdata[0]) == 32, + ok($success && length($randdata[0]) == 32, "rand with dasync: Check rand output is of expected length"); } -- Gitee From 1716629d11872fc84083437af60e8ad5fdbda4c5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 5 Oct 2023 11:11:16 +0200 Subject: [PATCH 15/22] DH_check_pub_key() should not fail when setting result code The semantics of ossl_ffc_validate_public_key() and ossl_ffc_validate_public_key_partial() needs to be changed to not return error on non-fatal problems. Fixes #22287 Reviewed-by: Todd Short Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22291) Signed-off-by: fly2x --- crypto/dh/dh_check.c | 3 +- crypto/dsa/dsa_check.c | 6 ++-- crypto/ffc/ffc_key_validate.c | 16 +++------ providers/implementations/keymgmt/dh_kmgmt.c | 2 +- test/ffc_internal_test.c | 38 ++++++++++---------- 5 files changed, 30 insertions(+), 35 deletions(-) diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index f4173e2137..7ba2beae7f 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -259,7 +259,8 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) */ int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret) { - return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret); + return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret) + && *ret == 0; } int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret) diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c index 7ee914a477..ec3534d35c 100644 --- a/crypto/dsa/dsa_check.c +++ b/crypto/dsa/dsa_check.c @@ -39,7 +39,8 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) */ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) { - return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret); + return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) + && *ret == 0; } /* @@ -49,7 +50,8 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) */ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) { - return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret); + return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret) + && *ret == 0; } int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret) diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c index 342789621d..a4a2a58e9a 100644 --- a/crypto/ffc/ffc_key_validate.c +++ b/crypto/ffc/ffc_key_validate.c @@ -26,7 +26,7 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params, *ret = 0; if (params == NULL || pub_key == NULL || params->p == NULL) { *ret = FFC_ERROR_PASSED_NULL_PARAM; - return 0; + return 1; } ctx = BN_CTX_new_ex(NULL); @@ -39,18 +39,14 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params, if (tmp == NULL || !BN_set_word(tmp, 1)) goto err; - if (BN_cmp(pub_key, tmp) <= 0) { + if (BN_cmp(pub_key, tmp) <= 0) *ret |= FFC_ERROR_PUBKEY_TOO_SMALL; - goto err; - } /* Step(1): Verify pub_key <= p-2 */ if (BN_copy(tmp, params->p) == NULL || !BN_sub_word(tmp, 1)) goto err; - if (BN_cmp(pub_key, tmp) >= 0) { + if (BN_cmp(pub_key, tmp) >= 0) *ret |= FFC_ERROR_PUBKEY_TOO_LARGE; - goto err; - } ok = 1; err: if (ctx != NULL) { @@ -73,7 +69,7 @@ int ossl_ffc_validate_public_key(const FFC_PARAMS *params, if (!ossl_ffc_validate_public_key_partial(params, pub_key, ret)) return 0; - if (params->q != NULL) { + if (*ret == 0 && params->q != NULL) { ctx = BN_CTX_new_ex(NULL); if (ctx == NULL) goto err; @@ -84,10 +80,8 @@ int ossl_ffc_validate_public_key(const FFC_PARAMS *params, if (tmp == NULL || !BN_mod_exp(tmp, pub_key, params->q, params->p, ctx)) goto err; - if (!BN_is_one(tmp)) { + if (!BN_is_one(tmp)) *ret |= FFC_ERROR_PUBKEY_INVALID; - goto err; - } } ok = 1; diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 1d6b1f3730..795a3f2fab 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -392,7 +392,7 @@ static int dh_validate_public(const DH *dh, int checktype) && ossl_dh_is_named_safe_prime_group(dh)) return ossl_dh_check_pub_key_partial(dh, pub_key, &res); - return DH_check_pub_key(dh, pub_key, &res); + return DH_check_pub_key_ex(dh, pub_key); } static int dh_validate_private(const DH *dh) diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c index 0332e777c0..c56d1d0e99 100644 --- a/test/ffc_internal_test.c +++ b/test/ffc_internal_test.c @@ -455,22 +455,20 @@ static int ffc_public_validate_test(void) if (!TEST_true(BN_set_word(pub, 1))) goto err; BN_set_negative(pub, 1); - /* Fail if public key is negative */ - if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) + /* Check must succeed but set res if public key is negative */ + if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res)) goto err; if (!TEST_true(BN_set_word(pub, 0))) goto err; - if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res)) - goto err; - /* Fail if public key is zero */ - if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) + /* Check must succeed but set res if public key is zero */ + if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res)) goto err; - /* Fail if public key is 1 */ - if (!TEST_false(ossl_ffc_validate_public_key(params, BN_value_one(), &res))) + /* Check must succeed but set res if public key is 1 */ + if (!TEST_true(ossl_ffc_validate_public_key(params, BN_value_one(), &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res)) goto err; @@ -482,24 +480,24 @@ static int ffc_public_validate_test(void) if (!TEST_ptr(BN_copy(pub, params->p))) goto err; - /* Fail if public key = p */ - if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) + /* Check must succeed but set res if public key = p */ + if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_LARGE, res)) goto err; if (!TEST_true(BN_sub_word(pub, 1))) goto err; - /* Fail if public key = p - 1 */ - if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) + /* Check must succeed but set res if public key = p - 1 */ + if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_LARGE, res)) goto err; if (!TEST_true(BN_sub_word(pub, 1))) goto err; - /* Fail if public key is not related to p & q */ - if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) + /* Check must succeed but set res if public key is not related to p & q */ + if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PUBKEY_INVALID, res)) goto err; @@ -510,14 +508,14 @@ static int ffc_public_validate_test(void) if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; - /* Fail if params is NULL */ - if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res))) + /* Check must succeed but set res if params is NULL */ + if (!TEST_true(ossl_ffc_validate_public_key(NULL, pub, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) goto err; res = -1; - /* Fail if pubkey is NULL */ - if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res))) + /* Check must succeed but set res if pubkey is NULL */ + if (!TEST_true(ossl_ffc_validate_public_key(params, NULL, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) goto err; @@ -525,8 +523,8 @@ static int ffc_public_validate_test(void) BN_free(params->p); params->p = NULL; - /* Fail if params->p is NULL */ - if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) + /* Check must succeed but set res if params->p is NULL */ + if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) goto err; -- Gitee From 6ed680a8d692c4304824e6ac2e9c2c39755c659d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 11 Oct 2023 11:05:37 +0200 Subject: [PATCH 16/22] Windows CI: Add some non-default options to check they are working Some of the non-default options that enable more code to be built need to be enabled in one of the Windows builds to avoid regressions. Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22347) Signed-off-by: fly2x --- .github/workflows/ci.yml | 2 +- .github/workflows/windows.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6c89c65096..8c994d4f96 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -237,7 +237,7 @@ jobs: - name: modprobe tls run: sudo modprobe tls - name: config - run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump - name: make run: make -s -j4 - name: get cpu info diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 7125b91f75..c80741cf51 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -87,7 +87,7 @@ jobs: - name: config working-directory: _build run: | - perl ..\Configure --banner=Configured no-makedepend no-shared no-fips VC-WIN64A-masm + perl ..\Configure --banner=Configured no-makedepend no-shared no-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-crypto-mdebug VC-WIN64A-masm perl configdata.pm --dump - name: build working-directory: _build -- Gitee From 956ec80e47965c553b3e6f3f68e67ca86aee0588 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 11 Oct 2023 11:20:02 +0200 Subject: [PATCH 17/22] Windows: use srand() instead of srandom() This is used for memory allocation failure debugging only Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22347) Signed-off-by: fly2x --- crypto/mem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/mem.c b/crypto/mem.c index d7aa3ab85d..eef1165708 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -122,12 +122,13 @@ static void parseit(void) } /* - * Windows doesn't have random(), but it has rand() + * Windows doesn't have random() and srandom(), but it has rand() and srand(). * Some rand() implementations aren't good, but we're not * dealing with secure randomness here. */ # ifdef _WIN32 # define random() rand() +# define srandom(seed) srand(seed) # endif /* * See if the current malloc should fail. -- Gitee From 2d79564690c42e81bf66db79421b193c712f0cdc Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 11 Oct 2023 12:55:41 +0200 Subject: [PATCH 18/22] trace_api_test.c: Separate tracing statements Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22347) Signed-off-by: fly2x --- test/trace_api_test.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/test/trace_api_test.c b/test/trace_api_test.c index e12750f06a..f4f7ab42d4 100644 --- a/test/trace_api_test.c +++ b/test/trace_api_test.c @@ -84,14 +84,14 @@ static int put_trace_output(void) int res = 1; OSSL_TRACE_BEGIN(HTTP) { - res = TEST_int_eq(BIO_printf(trc_out, OSSL_HELLO), strlen(OSSL_HELLO)) - + TEST_int_eq(trace_string(0, 0, OSSL_STR80), strlen(OSSL_STR80)) - + TEST_int_eq(trace_string(0, 0, OSSL_STR81), strlen(OSSL_STR80)) - + TEST_int_eq(trace_string(1, 1, OSSL_CTRL), strlen(OSSL_CTRL)) - + TEST_int_eq(trace_string(0, 1, OSSL_MASKED), strlen(OSSL_MASKED) - + 1) /* newline added */ - + TEST_int_eq(BIO_printf(trc_out, OSSL_BYE), strlen(OSSL_BYE)) - == 6; + res = TEST_int_eq(BIO_printf(trc_out, OSSL_HELLO), strlen(OSSL_HELLO)); + res += TEST_int_eq(trace_string(0, 0, OSSL_STR80), strlen(OSSL_STR80)); + res += TEST_int_eq(trace_string(0, 0, OSSL_STR81), strlen(OSSL_STR80)); + res += TEST_int_eq(trace_string(1, 1, OSSL_CTRL), strlen(OSSL_CTRL)); + res += TEST_int_eq(trace_string(0, 1, OSSL_MASKED), strlen(OSSL_MASKED) + + 1); /* newline added */ + res += TEST_int_eq(BIO_printf(trc_out, OSSL_BYE), strlen(OSSL_BYE)); + res = res == 6; /* not using '&&' but '+' to catch potentially multiple test failures */ } OSSL_TRACE_END(HTTP); return res; -- Gitee From 65c7a91b25e7bfb27d849ecb96d20c8d9c1f5a1c Mon Sep 17 00:00:00 2001 From: James Muir Date: Tue, 10 Oct 2023 12:41:59 -0400 Subject: [PATCH 19/22] Update unix Makefile template to handle paths with spaces Fixes #4668 (on unix-like platforms) Testing: rm -rf "$HOME/tmp/beforespace afterspace" ./Configure -Werror --strict-warnings --prefix="$HOME/tmp/beforespace afterspace" make -j6 update make -j6 make install make test Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/21821) Signed-off-by: fly2x --- Configurations/unix-Makefile.tmpl | 294 +++++++++++++++--------------- 1 file changed, 147 insertions(+), 147 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 3d9ce086f9..8ddb1282af 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -635,28 +635,28 @@ uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_de install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation - $(RM) -r $(DESTDIR)$(DOCDIR) + $(RM) -r "$(DESTDIR)$(DOCDIR)" {- output_off() if $disabled{fips}; "" -} install_fips: build_sw $(INSTALL_FIPSMODULECONF) @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)" @$(ECHO) "*** Installing FIPS module" @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)" - @cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new - @chmod 755 $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new - @mv -f $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new \ - $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME) + @cp "$(INSTALL_FIPSMODULE)" "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new" + @chmod 755 "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new" + @mv -f "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new" \ + "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)" @$(ECHO) "*** Installing FIPS module configuration" @$(ECHO) "install $(INSTALL_FIPSMODULECONF) -> $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf" - @cp $(INSTALL_FIPSMODULECONF) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf + @cp $(INSTALL_FIPSMODULECONF) "$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf" uninstall_fips: @$(ECHO) "*** Uninstalling FIPS module configuration" - $(RM) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf + $(RM) "$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf" @$(ECHO) "*** Uninstalling FIPS module" - $(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME) + $(RM) "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)" {- if ($disabled{fips}) { output_on(); } else { output_off(); } "" -} install_fips: @$(ECHO) "The 'install_fips' target requires the 'enable-fips' option" @@ -667,75 +667,75 @@ uninstall_fips: install_ssldirs: - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/private - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/certs" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/private" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/misc" @set -e; for x in dummy $(MISC_SCRIPTS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ x1=`echo "$$x" | cut -f1 -d:`; \ x2=`echo "$$x" | cut -f2 -d:`; \ fn=`basename $$x1`; \ $(ECHO) "install $$x1 -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ - cp $$x1 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \ - chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \ - mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new \ - $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \ + cp $$x1 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \ + mv -f "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new" \ + "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ if [ "$$x1" != "$$x2" ]; then \ ln=`basename "$$x2"`; \ : {- output_off() unless windowsdll(); "" -}; \ $(ECHO) "copy $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ - cp $(DESTDIR)$(OPENSSLDIR)/misc/$$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \ + cp "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn" "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \ : {- output_on() unless windowsdll(); output_off() if windowsdll(); "" -}; \ $(ECHO) "link $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ - ln -sf $$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \ + ln -sf $$fn "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \ : {- output_on() if windowsdll(); "" -}; \ fi; \ done @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" - @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new - @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new - @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist + @cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" + @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" + @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ - cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ - chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ + cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ + chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ fi @$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist" - @cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new - @chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new - @mv -f $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist + @cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" + @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" + @mv -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist" @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf" ]; then \ $(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \ - cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \ - chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \ + cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \ + chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \ fi install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing development files" - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/include/openssl" @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" - @cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c + @cp $(SRCDIR)/ms/applink.c "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" + @chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ $(ECHO) "install $$i -> $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ - cp $$i $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \ - chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \ + cp $$i "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ + chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ done - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)" @set -e; for l in $(INSTALL_LIBS); do \ fn=`basename $$l`; \ $(ECHO) "install $$l -> $(DESTDIR)$(libdir)/$$fn"; \ - cp $$l $(DESTDIR)$(libdir)/$$fn.new; \ - $(RANLIB) $(DESTDIR)$(libdir)/$$fn.new; \ - chmod 644 $(DESTDIR)$(libdir)/$$fn.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn.new \ - $(DESTDIR)$(libdir)/$$fn; \ + cp $$l "$(DESTDIR)$(libdir)/$$fn.new"; \ + $(RANLIB) "$(DESTDIR)$(libdir)/$$fn.new"; \ + chmod 644 "$(DESTDIR)$(libdir)/$$fn.new"; \ + mv -f "$(DESTDIR)$(libdir)/$$fn.new" \ + "$(DESTDIR)$(libdir)/$$fn"; \ done @ : {- output_off() if $disabled{shared}; "" -} @set -e; for s in $(INSTALL_SHLIB_INFO); do \ @@ -748,18 +748,18 @@ install_dev: install_runtime_libs : {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \ if [ "$$fn2" != "" ]; then \ $(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \ - ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \ + ln -sf $$fn1 "$(DESTDIR)$(libdir)/$$fn2"; \ fi; \ : {- output_off() unless windowsdll() or sharedaix(); output_on() if windowsdll(); "" -}; \ if [ "$$fn3" != "" ]; then \ $(ECHO) "install $$s3 -> $(DESTDIR)$(libdir)/$$fn3"; \ - cp $$s3 $(DESTDIR)$(libdir)/$$fn3.new; \ - chmod 755 $(DESTDIR)$(libdir)/$$fn3.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn3.new \ - $(DESTDIR)$(libdir)/$$fn3; \ + cp $$s3 "$(DESTDIR)$(libdir)/$$fn3.new"; \ + chmod 755 "$(DESTDIR)$(libdir)/$$fn3.new"; \ + mv -f "$(DESTDIR)$(libdir)/$$fn3.new" \ + "$(DESTDIR)$(libdir)/$$fn3"; \ fi; \ : {- output_off() if windowsdll(); output_on() if sharedaix(); "" -}; \ - a=$(DESTDIR)$(libdir)/$$fn2; \ + a="$(DESTDIR)$(libdir)/$$fn2"; \ $(ECHO) "install $$s1 -> $$a"; \ if [ -f $$a ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \ mkdir /tmp/ar.$$$$; ( cd /tmp/ar.$$$$; \ @@ -776,35 +776,35 @@ install_dev: install_runtime_libs : {- output_off() if sharedaix(); output_on(); "" -}; \ done @ : {- output_on() if $disabled{shared}; "" -} - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)/pkgconfig + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)/pkgconfig" @$(ECHO) "install libcrypto.pc -> $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc" - @cp libcrypto.pc $(DESTDIR)$(libdir)/pkgconfig - @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc + @cp libcrypto.pc "$(DESTDIR)$(libdir)/pkgconfig" + @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc" @$(ECHO) "install libssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/libssl.pc" - @cp libssl.pc $(DESTDIR)$(libdir)/pkgconfig - @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libssl.pc + @cp libssl.pc "$(DESTDIR)$(libdir)/pkgconfig" + @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc" @$(ECHO) "install openssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/openssl.pc" - @cp openssl.pc $(DESTDIR)$(libdir)/pkgconfig - @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/openssl.pc + @cp openssl.pc "$(DESTDIR)$(libdir)/pkgconfig" + @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc" uninstall_dev: uninstall_runtime_libs @$(ECHO) "*** Uninstalling development files" @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" - @$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c + @$(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ $(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ - $(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \ + $(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ done - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include/openssl - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include + -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include/openssl" + -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include" @set -e; for l in $(INSTALL_LIBS); do \ fn=`basename $$l`; \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn"; \ done @ : {- output_off() if $disabled{shared}; "" -} @set -e; for s in $(INSTALL_SHLIB_INFO); do \ @@ -816,39 +816,39 @@ uninstall_dev: uninstall_runtime_libs fn3=`basename "$$s3"`; \ : {- output_off() if windowsdll(); "" -}; \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn1"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn1; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn1"; \ if [ -n "$$fn2" ]; then \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn2; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn2"; \ fi; \ : {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \ if [ -n "$$fn3" ]; then \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn3"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn3; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn3"; \ fi; \ : {- output_on() unless windowsdll(); "" -}; \ done @ : {- output_on() if $disabled{shared}; "" -} - $(RM) $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc - $(RM) $(DESTDIR)$(libdir)/pkgconfig/libssl.pc - $(RM) $(DESTDIR)$(libdir)/pkgconfig/openssl.pc - -$(RMDIR) $(DESTDIR)$(libdir)/pkgconfig - -$(RMDIR) $(DESTDIR)$(libdir) + $(RM) "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc" + $(RM) "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc" + $(RM) "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc" + -$(RMDIR) "$(DESTDIR)$(libdir)/pkgconfig" + -$(RMDIR) "$(DESTDIR)$(libdir)" _install_modules_deps: install_runtime_libs build_modules install_engines: _install_modules_deps @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/ + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(ENGINESDIR)/" @$(ECHO) "*** Installing engines" @set -e; for e in dummy $(INSTALL_ENGINES); do \ if [ "$$e" = "dummy" ]; then continue; fi; \ fn=`basename $$e`; \ $(ECHO) "install $$e -> $(DESTDIR)$(ENGINESDIR)/$$fn"; \ - cp $$e $(DESTDIR)$(ENGINESDIR)/$$fn.new; \ - chmod 755 $(DESTDIR)$(ENGINESDIR)/$$fn.new; \ - mv -f $(DESTDIR)$(ENGINESDIR)/$$fn.new \ - $(DESTDIR)$(ENGINESDIR)/$$fn; \ + cp $$e "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \ + mv -f "$(DESTDIR)$(ENGINESDIR)/$$fn.new" \ + "$(DESTDIR)$(ENGINESDIR)/$$fn"; \ done uninstall_engines: @@ -857,22 +857,22 @@ uninstall_engines: if [ "$$e" = "dummy" ]; then continue; fi; \ fn=`basename $$e`; \ $(ECHO) "$(RM) $(DESTDIR)$(ENGINESDIR)/$$fn"; \ - $(RM) $(DESTDIR)$(ENGINESDIR)/$$fn; \ + $(RM) "$(DESTDIR)$(ENGINESDIR)/$$fn"; \ done - -$(RMDIR) $(DESTDIR)$(ENGINESDIR) + -$(RMDIR) "$(DESTDIR)$(ENGINESDIR)" install_modules: _install_modules_deps @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)/ + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)/" @$(ECHO) "*** Installing modules" @set -e; for e in dummy $(INSTALL_MODULES); do \ if [ "$$e" = "dummy" ]; then continue; fi; \ fn=`basename $$e`; \ $(ECHO) "install $$e -> $(DESTDIR)$(MODULESDIR)/$$fn"; \ - cp $$e $(DESTDIR)$(MODULESDIR)/$$fn.new; \ - chmod 755 $(DESTDIR)$(MODULESDIR)/$$fn.new; \ - mv -f $(DESTDIR)$(MODULESDIR)/$$fn.new \ - $(DESTDIR)$(MODULESDIR)/$$fn; \ + cp $$e "$(DESTDIR)$(MODULESDIR)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(MODULESDIR)/$$fn.new"; \ + mv -f "$(DESTDIR)$(MODULESDIR)/$$fn.new" \ + "$(DESTDIR)$(MODULESDIR)/$$fn"; \ done uninstall_modules: @@ -881,18 +881,18 @@ uninstall_modules: if [ "$$e" = "dummy" ]; then continue; fi; \ fn=`basename $$e`; \ $(ECHO) "$(RM) $(DESTDIR)$(MODULESDIR)/$$fn"; \ - $(RM) $(DESTDIR)$(MODULESDIR)/$$fn; \ + $(RM) "$(DESTDIR)$(MODULESDIR)/$$fn"; \ done - -$(RMDIR) $(DESTDIR)$(MODULESDIR) + -$(RMDIR) "$(DESTDIR)$(MODULESDIR)" install_runtime: install_programs install_runtime_libs: build_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @ : {- output_off() if windowsdll(); "" -} - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)" @ : {- output_on() if windowsdll(); output_off() unless windowsdll(); "" -} - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(bindir)/ + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)/" @ : {- output_on() unless windowsdll(); "" -} @$(ECHO) "*** Installing runtime libraries" @set -e; for s in dummy $(INSTALL_SHLIBS); do \ @@ -900,40 +900,40 @@ install_runtime_libs: build_libs fn=`basename $$s`; \ : {- output_off() unless windowsdll(); "" -}; \ $(ECHO) "install $$s -> $(DESTDIR)$(bindir)/$$fn"; \ - cp $$s $(DESTDIR)$(bindir)/$$fn.new; \ - chmod 755 $(DESTDIR)$(bindir)/$$fn.new; \ - mv -f $(DESTDIR)$(bindir)/$$fn.new \ - $(DESTDIR)$(bindir)/$$fn; \ + cp $$s "$(DESTDIR)$(bindir)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(bindir)/$$fn.new"; \ + mv -f "$(DESTDIR)$(bindir)/$$fn.new" \ + "$(DESTDIR)$(bindir)/$$fn"; \ : {- output_on() unless windowsdll(); "" -}{- output_off() if windowsdll(); "" -}; \ $(ECHO) "install $$s -> $(DESTDIR)$(libdir)/$$fn"; \ - cp $$s $(DESTDIR)$(libdir)/$$fn.new; \ - chmod 755 $(DESTDIR)$(libdir)/$$fn.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn.new \ - $(DESTDIR)$(libdir)/$$fn; \ + cp $$s "$(DESTDIR)$(libdir)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(libdir)/$$fn.new"; \ + mv -f "$(DESTDIR)$(libdir)/$$fn.new" \ + "$(DESTDIR)$(libdir)/$$fn"; \ : {- output_on() if windowsdll(); "" -}; \ done install_programs: install_runtime_libs build_programs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(bindir) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)" @$(ECHO) "*** Installing runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(bindir)/$$fn"; \ - cp $$x $(DESTDIR)$(bindir)/$$fn.new; \ - chmod 755 $(DESTDIR)$(bindir)/$$fn.new; \ - mv -f $(DESTDIR)$(bindir)/$$fn.new \ - $(DESTDIR)$(bindir)/$$fn; \ + cp $$x "$(DESTDIR)$(bindir)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(bindir)/$$fn.new"; \ + mv -f "$(DESTDIR)$(bindir)/$$fn.new" \ + "$(DESTDIR)$(bindir)/$$fn"; \ done @set -e; for x in dummy $(BIN_SCRIPTS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(bindir)/$$fn"; \ - cp $$x $(DESTDIR)$(bindir)/$$fn.new; \ - chmod 755 $(DESTDIR)$(bindir)/$$fn.new; \ - mv -f $(DESTDIR)$(bindir)/$$fn.new \ - $(DESTDIR)$(bindir)/$$fn; \ + cp $$x "$(DESTDIR)$(bindir)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(bindir)/$$fn.new"; \ + mv -f "$(DESTDIR)$(bindir)/$$fn.new" \ + "$(DESTDIR)$(bindir)/$$fn"; \ done uninstall_runtime: uninstall_programs uninstall_runtime_libs @@ -945,16 +945,16 @@ uninstall_programs: if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(bindir)/$$fn"; \ - $(RM) $(DESTDIR)$(bindir)/$$fn; \ + $(RM) "$(DESTDIR)$(bindir)/$$fn"; \ done; @set -e; for x in dummy $(BIN_SCRIPTS); \ do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(bindir)/$$fn"; \ - $(RM) $(DESTDIR)$(bindir)/$$fn; \ + $(RM) "$(DESTDIR)$(bindir)/$$fn"; \ done - -$(RMDIR) $(DESTDIR)$(bindir) + -$(RMDIR) "$(DESTDIR)$(bindir)" uninstall_runtime_libs: @$(ECHO) "*** Uninstalling runtime libraries" @@ -963,49 +963,49 @@ uninstall_runtime_libs: if [ "$$s" = "dummy" ]; then continue; fi; \ fn=`basename $$s`; \ $(ECHO) "$(RM) $(DESTDIR)$(bindir)/$$fn"; \ - $(RM) $(DESTDIR)$(bindir)/$$fn; \ + $(RM) "$(DESTDIR)$(bindir)/$$fn"; \ done @ : {- output_on() unless windowsdll(); "" -} install_man_docs: build_man_docs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man1 - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man3 - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man5 - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man7 + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man1" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man3" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man5" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man7" @$(ECHO) "*** Installing manpages" @set -e; for x in dummy $(MANDOCS1); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \ - cp $$x $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \ - chmod 644 $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man1; \ + cp $$x "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \ + chmod 644 "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man1"; \ done @set -e; for x in dummy $(MANDOCS3); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \ - cp $$x $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \ - chmod 644 $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man3; \ + cp $$x "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \ + chmod 644 "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man3"; \ done @set -e; for x in dummy $(MANDOCS5); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \ - cp $$x $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \ - chmod 644 $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man5; \ + cp $$x "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \ + chmod 644 "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man5"; \ done @set -e; for x in dummy $(MANDOCS7); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \ - cp $$x $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \ - chmod 644 $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man7; \ + cp $$x "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \ + chmod 644 "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man7"; \ done uninstall_man_docs: build_man_docs @@ -1014,65 +1014,65 @@ uninstall_man_docs: build_man_docs if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \ - $(RM) $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man1; \ + $(RM) "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man1"; \ done @set -e; for x in dummy $(MANDOCS3); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \ - $(RM) $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man3; \ + $(RM) "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man3"; \ done @set -e; for x in dummy $(MANDOCS5); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \ - $(RM) $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man5; \ + $(RM) "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man5"; \ done @set -e; for x in dummy $(MANDOCS7); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \ - $(RM) $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \ - $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man7; \ + $(RM) "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \ + $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man7"; \ done install_html_docs: install_image_docs build_html_docs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man1 - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man3 - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man5 - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man7 + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man1" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man3" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man5" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man7" @$(ECHO) "*** Installing HTML manpages" @set -e; for x in dummy $(HTMLDOCS1); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man1/$$fn"; \ - cp $$x $(DESTDIR)$(HTMLDIR)/man1/$$fn; \ - chmod 644 $(DESTDIR)$(HTMLDIR)/man1/$$fn; \ + cp $$x "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \ + chmod 644 "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \ done @set -e; for x in dummy $(HTMLDOCS3); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man3/$$fn"; \ - cp $$x $(DESTDIR)$(HTMLDIR)/man3/$$fn; \ - chmod 644 $(DESTDIR)$(HTMLDIR)/man3/$$fn; \ + cp $$x "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \ + chmod 644 "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \ done @set -e; for x in dummy $(HTMLDOCS5); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man5/$$fn"; \ - cp $$x $(DESTDIR)$(HTMLDIR)/man5/$$fn; \ - chmod 644 $(DESTDIR)$(HTMLDIR)/man5/$$fn; \ + cp $$x "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \ + chmod 644 "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \ done @set -e; for x in dummy $(HTMLDOCS7); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man7/$$fn"; \ - cp $$x $(DESTDIR)$(HTMLDIR)/man7/$$fn; \ - chmod 644 $(DESTDIR)$(HTMLDIR)/man7/$$fn; \ + cp $$x "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \ + chmod 644 "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \ done uninstall_html_docs: uninstall_image_docs @@ -1081,35 +1081,35 @@ uninstall_html_docs: uninstall_image_docs if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man1/$$fn"; \ - $(RM) $(DESTDIR)$(HTMLDIR)/man1/$$fn; \ + $(RM) "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \ done @set -e; for x in dummy $(HTMLDOCS3); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man3/$$fn"; \ - $(RM) $(DESTDIR)$(HTMLDIR)/man3/$$fn; \ + $(RM) "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \ done @set -e; for x in dummy $(HTMLDOCS5); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man5/$$fn"; \ - $(RM) $(DESTDIR)$(HTMLDIR)/man5/$$fn; \ + $(RM) "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \ done @set -e; for x in dummy $(HTMLDOCS7); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man7/$$fn"; \ - $(RM) $(DESTDIR)$(HTMLDIR)/man7/$$fn; \ + $(RM) "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \ done install_image_docs: - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man7/img + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man7/img" @set -e; for x in dummy $(IMAGEDOCS7); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \ - cp $(SRCDIR)/$$x $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \ - chmod 644 $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \ + cp $(SRCDIR)/$$x "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \ + chmod 644 "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \ done uninstall_image_docs: @@ -1117,7 +1117,7 @@ uninstall_image_docs: if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \ - $(RM) $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \ + $(RM) "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \ done # Developer targets (note: these are only available on Unix) ######### -- Gitee From 9644d687c931081b80d836c30e8e3fe81e4026ea Mon Sep 17 00:00:00 2001 From: James Muir Date: Wed, 11 Oct 2023 18:11:42 -0400 Subject: [PATCH 20/22] Fix parenthesis, use a colon Reviewed-by: Paul Dale Reviewed-by: Todd Short Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22356) Signed-off-by: fly2x --- INSTALL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 3322acb6a2..37b57027f4 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -2,8 +2,8 @@ Build and Install ================= This document describes installation on all supported operating -systems (the Unix/Linux family, including macOS), OpenVMS, -and Windows). +systems: the Unix/Linux family (including macOS), OpenVMS, +and Windows. Table of Contents ================= -- Gitee From 1781ee44736477fca931fa9b3925a5658e293406 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 12 Oct 2023 08:46:19 +1100 Subject: [PATCH 21/22] cmp: add null pointer check in tear_down test function problem reported by: 2ourc3 Reviewed-by: Shane Lontis Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22355) Signed-off-by: fly2x --- test/cmp_protect_test.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c index 0d2311fc29..89f342458e 100644 --- a/test/cmp_protect_test.c +++ b/test/cmp_protect_test.c @@ -38,15 +38,17 @@ static OSSL_PROVIDER *default_null_provider = NULL, *provider = NULL; static void tear_down(CMP_PROTECT_TEST_FIXTURE *fixture) { - OSSL_CMP_CTX_free(fixture->cmp_ctx); - OSSL_CMP_MSG_free(fixture->msg); - OSSL_CMP_PKISI_free(fixture->si); + if (fixture != NULL) { + OSSL_CMP_CTX_free(fixture->cmp_ctx); + OSSL_CMP_MSG_free(fixture->msg); + OSSL_CMP_PKISI_free(fixture->si); - OPENSSL_free(fixture->mem); - sk_X509_free(fixture->certs); - sk_X509_free(fixture->chain); + OPENSSL_free(fixture->mem); + sk_X509_free(fixture->certs); + sk_X509_free(fixture->chain); - OPENSSL_free(fixture); + OPENSSL_free(fixture); + } } static CMP_PROTECT_TEST_FIXTURE *set_up(const char *const test_case_name) -- Gitee From fb64ed50be0bed8494acdcc8948548cbe818fd2c Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Tue, 10 Oct 2023 12:19:29 +0100 Subject: [PATCH 22/22] QUIC APL: Fix incoming default stream popping Fixes #22106 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22333) Signed-off-by: fly2x --- ssl/quic/quic_impl.c | 12 ++++++++++-- test/quic_multistream_test.c | 23 ++++++++++++++++++++++- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 86020a450a..29a283dca0 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -1836,6 +1836,7 @@ static int qc_wait_for_default_xso_for_read(QCTX *ctx) QUIC_STREAM *qs; int res; struct quic_wait_for_stream_args wargs; + OSSL_RTT_INFO rtt_info; /* * If default stream functionality is disabled or we already detached @@ -1890,8 +1891,15 @@ static int qc_wait_for_default_xso_for_read(QCTX *ctx) } /* - * We now have qs != NULL. Make it the default stream, creating the - * necessary XSO. + * We now have qs != NULL. Remove it from the incoming stream queue so that + * it isn't also returned by any future SSL_accept_stream calls. + */ + ossl_statm_get_rtt_info(ossl_quic_channel_get_statm(qc->ch), &rtt_info); + ossl_quic_stream_map_remove_from_accept_queue(ossl_quic_channel_get_qsm(qc->ch), + qs, rtt_info.smoothed_rtt); + + /* + * Now make qs the default stream, creating the necessary XSO. */ qc_set_default_xso(qc, create_xso_from_stream(qc, qs), /*touch=*/0); if (qc->default_xso == NULL) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 58b0831ebb..e4663ece17 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -4902,6 +4902,26 @@ static const struct script_op script_76[] = { OP_END }; +static const struct script_op script_77[] = { + OP_C_SET_ALPN ("ossltest") + OP_C_CONNECT_WAIT () + + OP_C_SET_INCOMING_STREAM_POLICY(SSL_INCOMING_STREAM_POLICY_ACCEPT) + + OP_S_NEW_STREAM_BIDI (a, S_BIDI_ID(0)) + OP_S_WRITE (a, "Strawberry", 10) + + OP_C_READ_EXPECT (DEFAULT, "Strawberry", 10) + + OP_S_NEW_STREAM_BIDI (b, S_BIDI_ID(1)) + OP_S_WRITE (b, "xyz", 3) + + OP_C_ACCEPT_STREAM_WAIT (b) + OP_C_READ_EXPECT (b, "xyz", 3) + + OP_END +}; + static const struct script_op *const scripts[] = { script_1, script_2, @@ -4978,7 +4998,8 @@ static const struct script_op *const scripts[] = { script_73, script_74, script_75, - script_76 + script_76, + script_77 }; static int test_script(int idx) -- Gitee