From 40e613af42e62c85e0efebee5d30f25f2806725e Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 5 Dec 2023 15:24:20 -0500 Subject: [PATCH 01/17] Harden asn1 oid loader to invalid inputs In the event that a config file contains this sequence: ======= openssl_conf = openssl_init config_diagnostics = 1 [openssl_init] oid_section = oids [oids] testoid1 = 1.2.3.4.1 testoid2 = A Very Long OID Name, 1.2.3.4.2 testoid3 = ,1.2.3.4.3 ====== The leading comma in testoid3 can cause a heap buffer overflow, as the parsing code will move the string pointer back 1 character, thereby pointing to an invalid memory space correct the parser to detect this condition and handle it by treating it as if the comma doesn't exist (i.e. an empty long oid name) (cherry picked from commit a552c23c6502592c1b3c67d93dd7e5ffbe958aa4) Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23034) Signed-off-by: lanming1120 --- crypto/asn1/asn_moid.c | 4 ++++ test/recipes/04-test_asn1_parse.t | 26 ++++++++++++++++++++++++++ test/test_asn1_parse.cnf | 12 ++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 test/recipes/04-test_asn1_parse.t create mode 100644 test/test_asn1_parse.cnf diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index 526219c1a7..9aaab8a269 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name) if (p == NULL) { ln = name; ostr = value; + } else if (p == value) { + /* we started with a leading comma */ + ln = name; + ostr = p + 1; } else { ln = value; ostr = p + 1; diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t new file mode 100644 index 0000000000..f3af436592 --- /dev/null +++ b/test/recipes/04-test_asn1_parse.t @@ -0,0 +1,26 @@ +#! /usr/bin/env perl +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw(:DEFAULT srctop_file); +use OpenSSL::Test::Utils; + +setup("test_asn1_parse"); + +plan tests => 3; + +$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf"); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.1'])))); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.2'])))); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.3'])))); diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf new file mode 100644 index 0000000000..5f0305657e --- /dev/null +++ b/test/test_asn1_parse.cnf @@ -0,0 +1,12 @@ +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +[openssl_init] +oid_section = oids + +[oids] +testoid1 = 1.2.3.4.1 +testoid2 = A Very Long OID Name, 1.2.3.4.2 +testoid3 = ,1.2.3.4.3 -- Gitee From e961a2dcc2ee8aa2a9c9afb19aafb5d7dbb508ee Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Fri, 8 Dec 2023 10:14:27 +0000 Subject: [PATCH 02/17] LHASH: Fix documentation for doall-delete hazards Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/23032) (cherry picked from commit e91f21193c1b11de775e65b4e209a9fed67a41c1) Signed-off-by: lanming1120 --- doc/man3/OPENSSL_LH_COMPFUNC.pod | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod index d3bb272c4a..aabd13c522 100644 --- a/doc/man3/OPENSSL_LH_COMPFUNC.pod +++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod @@ -145,15 +145,6 @@ For example: /* Then the hash table itself can be deallocated */ lh_TYPE_free(hashtable); -When doing this, be careful if you delete entries from the hash table -in your callbacks: the table may decrease in size, moving the item -that you are currently on down lower in the hash table - this could -cause some entries to be skipped during the iteration. The second -best solution to this problem is to set hash-Edown_load=0 before -you start (which will stop the hash table ever decreasing in size). -The best solution is probably to avoid deleting items from the hash -table inside a "doall" callback! - B_doall_arg>() is the same as B_doall>() except that I will be called with I as the second argument and I should be of type B(B>) (a callback prototype @@ -175,6 +166,23 @@ that is provided by the caller): lh_TYPE_doall_arg(hashtable, LHASH_DOALL_ARG_FN(TYPE_print), BIO, logging_bio); +Note that it is by default B safe to use B_delete>() inside a +callback passed to B_doall>() or B_doall_arg>(). The +reason for this is that deleting an item from the hash table may result in the +hash table being contracted to a smaller size and rehashed. +B_doall>() and B_doall_arg>() are unsafe and will exhibit +undefined behaviour under these conditions, as these functions assume the hash +table size and bucket pointers do not change during the call. + +If it is desired to use B_doall>() or B_doall_arg>() with +B_delete>(), it is essential that you call +B_set_down_load>() with a I argument of 0 first. This +disables hash table contraction and guarantees that it will be safe to delete +items from a hash table during a call to B_doall>() or +B_doall_arg>(). + +It is never safe to call B_insert>() during a call to +B_doall>() or B_doall_arg>(). B_error>() can be used to determine if an error occurred in the last operation. -- Gitee From 2051938654ecd82d43fad121615352445b78f86c Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Mon, 11 Dec 2023 07:57:54 +0000 Subject: [PATCH 03/17] LHASH: Document down_load functions Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/23032) (cherry picked from commit f8c75e053569cdcbf0d39620e28b4044f1be04f1) Signed-off-by: lanming1120 --- doc/man3/OPENSSL_LH_COMPFUNC.pod | 39 ++++++++++++++++++++++++-------- util/missingcrypto.txt | 3 --- 2 files changed, 30 insertions(+), 12 deletions(-) diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod index aabd13c522..688ef0edcb 100644 --- a/doc/man3/OPENSSL_LH_COMPFUNC.pod +++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod @@ -8,10 +8,12 @@ LHASH_DOALL_ARG_FN_TYPE, IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN, lh_TYPE_new, lh_TYPE_free, lh_TYPE_flush, lh_TYPE_insert, lh_TYPE_delete, lh_TYPE_retrieve, -lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error, +lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_num_items, lh_TYPE_get_down_load, +lh_TYPE_set_down_load, lh_TYPE_error, OPENSSL_LH_new, OPENSSL_LH_free, OPENSSL_LH_flush, OPENSSL_LH_insert, OPENSSL_LH_delete, OPENSSL_LH_retrieve, -OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error +OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_num_items, +OPENSSL_LH_get_down_load, OPENSSL_LH_set_down_load, OPENSSL_LH_error - dynamic hash table =head1 SYNOPSIS @@ -34,6 +36,10 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func, TYPE *arg); + unsigned long lh_TYPE_num_items(OPENSSL_LHASH *lh); + unsigned long lh_TYPE_get_down_load(OPENSSL_LHASH *lh); + void lh_TYPE_set_down_load(OPENSSL_LHASH *lh, unsigned long dl); + int lh_TYPE_error(LHASH_OF(TYPE) *table); typedef int (*OPENSSL_LH_COMPFUNC)(const void *, const void *); @@ -52,8 +58,14 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func); void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNCARG func, void *arg); + unsigned long OPENSSL_LH_num_items(OPENSSL_LHASH *lh); + unsigned long OPENSSL_LH_get_down_load(OPENSSL_LHASH *lh); + void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long dl); + int OPENSSL_LH_error(OPENSSL_LHASH *lh); + #define LH_LOAD_MULT /* integer constant */ + =head1 DESCRIPTION This library implements type-checked dynamic hash tables. The hash @@ -187,17 +199,26 @@ B_doall>() or B_doall_arg>(). B_error>() can be used to determine if an error occurred in the last operation. +B_num_items>() returns the number of items in the hash table. + +B_get_down_load>() and B_set_down_load>() get and set the +factor used to determine when the hash table is contracted. The factor is the +load factor at or below which hash table contraction will occur, multiplied by +B, where the load factor is the number of items divided by the +number of nodes. Setting this value to 0 disables hash table contraction. + OPENSSL_LH_new() is the same as the B_new>() except that it is not type specific. So instead of returning an B)> value it returns a B. In the same way the functions OPENSSL_LH_free(), OPENSSL_LH_flush(), OPENSSL_LH_insert(), OPENSSL_LH_delete(), -OPENSSL_LH_retrieve(), OPENSSL_LH_doall(), OPENSSL_LH_doall_arg(), and -OPENSSL_LH_error() are equivalent to the similarly named B> functions -except that they return or use a B where the equivalent B> -function returns or uses a B *> or B) *>. B> -functions are implemented as type checked wrappers around the B -functions. Most applications should not call the B functions -directly. +OPENSSL_LH_retrieve(), OPENSSL_LH_doall(), OPENSSL_LH_doall_arg(), +OPENSSL_LH_num_items(), OPENSSL_LH_get_down_load(), OPENSSL_LH_set_down_load() +and OPENSSL_LH_error() are equivalent to the similarly named B> +functions except that they return or use a B where the equivalent +B> function returns or uses a B *> or B) *>. +B> functions are implemented as type checked wrappers around the +B functions. Most applications should not call the B +functions directly. =head1 RETURN VALUES diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 27c8018c24..ab60764a4f 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -763,9 +763,6 @@ OCSP_response_status_str(3) OCSP_url_svcloc_new(3) OPENSSL_DIR_end(3) OPENSSL_DIR_read(3) -OPENSSL_LH_get_down_load(3) -OPENSSL_LH_num_items(3) -OPENSSL_LH_set_down_load(3) OPENSSL_LH_strhash(3) OPENSSL_asc2uni(3) OPENSSL_die(3) -- Gitee From 23076f44a62db1bf5f95d1d6194b7a20c2b91986 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 11 Dec 2023 15:19:47 +0100 Subject: [PATCH 04/17] Fix provider compatibility check crash in evp_test EVP_MAC_CTX_get_mac_size() cannot be called on older unfixed versions before EVP_MAC_init(). Reviewed-by: Matt Caswell Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/23009) Signed-off-by: lanming1120 --- test/evp_test.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index ed555766c0..e81213e2f8 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1408,7 +1408,7 @@ static int mac_test_run_mac(EVP_TEST *t) EVP_MAC_CTX *ctx = NULL; unsigned char *got = NULL; size_t got_len = 0, size = 0; - size_t size_before_init, size_after_init, size_val = 0; + size_t size_before_init = 0, size_after_init, size_val = 0; int i, block_size = -1, output_size = -1; OSSL_PARAM params[21], sizes[3], *psizes = sizes; size_t params_n = 0; @@ -1516,7 +1516,8 @@ static int mac_test_run_mac(EVP_TEST *t) t->err = "MAC_CREATE_ERROR"; goto err; } - size_before_init = EVP_MAC_CTX_get_mac_size(ctx); + if (fips_provider_version_gt(libctx, 3, 0, 12)) + size_before_init = EVP_MAC_CTX_get_mac_size(ctx); if (!EVP_MAC_init(ctx, expected->key, expected->key_len, params)) { t->err = "MAC_INIT_ERROR"; goto err; -- Gitee From c88ddc4143d7790ccf6514a5eab2a3c918004681 Mon Sep 17 00:00:00 2001 From: Dmitry Kobets <89153909+dmitrykobets-msft@users.noreply.github.com> Date: Thu, 14 Dec 2023 20:12:43 -0800 Subject: [PATCH 05/17] Fix instructions for running tests on Windows In the command `nmake TEST='foo' test`, on Windows the runner will look for test `'foo'` and complain about the test not being found (due to the extraneous single quotes), whereas with `nmake TEST="foo" test`, the test `foo` will be correctly found. CLA: trivial Reviewed-by: Tom Cosgrove Reviewed-by: Matthias St. Pierre Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23059) (cherry picked from commit cf424d1da05b3cd928c97596af08e260429b308c) Signed-off-by: lanming1120 --- test/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/README.md b/test/README.md index 9a5c91953d..14ce32ecd6 100644 --- a/test/README.md +++ b/test/README.md @@ -42,7 +42,7 @@ the make variable TESTS to specify them, like this: $ make TESTS='test_rsa test_dsa' test # Unix $ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS - $ nmake TESTS='test_rsa test_dsa' test # Windows + $ nmake TESTS="test_rsa test_dsa" test # Windows And of course, you can combine (Unix examples shown): -- Gitee From 82d26640a4139dd385b7787dd84c71fbce6a0671 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 09:58:53 +0000 Subject: [PATCH 06/17] Bump actions/upload-artifact from 3 to 4 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23053) (cherry picked from commit 1ee0560f43a38d3a2de6c2cd2cacb0879c75cf46) Signed-off-by: lanming1120 --- .github/workflows/fips-checksums.yml | 2 +- .github/workflows/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 1b56755bfb..a9777a2394 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -69,7 +69,7 @@ jobs: - name: save PR number run: echo ${{ github.event.number }} > ./artifact/pr_num - name: save artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: fips_checksum path: artifact/ diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5850c0e4f3..1d187f0dd2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -26,7 +26,7 @@ jobs: fuzz-seconds: 600 dry-run: false - name: Upload Crash - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: failure() with: name: artifacts -- Gitee From 48f18ad72d43c0098dcf9b115d6e4ffb4d94e6e1 Mon Sep 17 00:00:00 2001 From: James Muir Date: Thu, 14 Dec 2023 14:14:37 -0500 Subject: [PATCH 07/17] cms: avoid intermittent test failure If you decrypt a random input using RSAES-PKCS-v1_5, then there is a non-negligible chance that the result will look like a valid plaintext (that is why RSAES-PKCS-v1_5 shouldn't be used anymore). This was the cause of an intermittent failure in a test that did a cms-encrypt operation targetting multiple recipients. The failure happened during key-only decrypt. The recipient decrypts every RSA ciphertext -- only one is supposed to decrypt successfully, which would reveal the right content-key. Occassionally, more than one decrypted successfully. Update the test by specifying the recipient cert in the decrypt op (this avoids looping over all RSA ciphertexts). Add a new test to get coverage for key-only decrypt, but use RSA-OAEP during the encrypt op. Fixes https://github.com/openssl/project/issues/380 Testing: $ make TESTS='test_cms' test Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23055) (cherry picked from commit ffed597882baf2f07274e7eaa8f3c4fa9fa74ac1) Signed-off-by: lanming1120 --- test/recipes/80-test_cms.t | 58 +++++++++++++++++++++++++++++--- test/smime-certs/smrsa3-cert.pem | 21 ++++++++++++ test/smime-certs/smrsa3-key.pem | 28 +++++++++++++++ 3 files changed, 103 insertions(+), 4 deletions(-) create mode 100644 test/smime-certs/smrsa3-cert.pem create mode 100644 test/smime-certs/smrsa3-key.pem diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index be77923313..eda35a95e3 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 18; +plan tests => 19; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -222,13 +222,15 @@ my @smime_pkcs7_tests = ( \&final_compare ], - [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used", + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used", [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, "-stream", "-out", "{output}.cms", $smrsa1, catfile($smdir, "smrsa2.pem"), - catfile($smdir, "smrsa3.pem") ], - [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"), + catfile($smdir, "smrsa3-cert.pem") ], + [ "{cmd2}", @defaultprov, "-decrypt", + "-recip", catfile($smdir, "smrsa3-cert.pem"), + "-inkey", catfile($smdir, "smrsa3-key.pem"), "-in", "{output}.cms", "-out", "{output}.txt" ], \&final_compare ], @@ -1019,3 +1021,51 @@ with({ exit_checker => sub { return shift == 3; } }, ])), "Check for failure when cipher does not have an assigned OID (issue#22225)"); }); + +# Test encrypt to three recipients, and decrypt using key-only; +# i.e. do not follow the recommended practice of providing the +# recipient cert in the decrypt op. +# +# Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5. +# +# Because the cert is not provided during decrypt, all RSA ciphertexts +# are decrypted in turn, and when/if there is a valid decryption, it +# is assumed the correct content-key has been recovered. +# +# That process may fail with RSAES-PKCS-v1_5 b/c there is a +# non-negligible chance that decrypting a random input using +# RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys +# could be recovered and the wrong one might be used). +# +# See https://github.com/openssl/project/issues/380 +subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub { + plan tests => 3; + + my $pt = srctop_file("test", "smcont.txt"); + my $ct = "smtst.cms"; + my $ptpt = "smtst.txt"; + + ok(run(app(['openssl', 'cms', + @defaultprov, + '-encrypt', + '-in', $pt, + '-out', $ct, + '-stream', + '-recip', catfile($smdir, "smrsa1.pem"), + '-keyopt', 'rsa_padding_mode:oaep', + '-recip', catfile($smdir, "smrsa2.pem"), + '-keyopt', 'rsa_padding_mode:oaep', + '-recip', catfile($smdir, "smrsa3-cert.pem"), + '-keyopt', 'rsa_padding_mode:oaep', + ])), + "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)"); + ok(run(app(['openssl', 'cms', + @defaultprov, + '-decrypt', + '-in', $ct, + '-out', $ptpt, + '-inkey', catfile($smdir, "smrsa3-key.pem"), + ])), + "decrypt with key only"); + is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext"); +}; diff --git a/test/smime-certs/smrsa3-cert.pem b/test/smime-certs/smrsa3-cert.pem new file mode 100644 index 0000000000..70004acb86 --- /dev/null +++ b/test/smime-certs/smrsa3-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC +XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+ +qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK +wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI +U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N +f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi +V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq +112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd +CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2 +iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW +ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE +BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg= +-----END CERTIFICATE----- diff --git a/test/smime-certs/smrsa3-key.pem b/test/smime-certs/smrsa3-key.pem new file mode 100644 index 0000000000..216d70b61b --- /dev/null +++ b/test/smime-certs/smrsa3-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167 +toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB +GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi +ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK +2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M +jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq +DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb +Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ +0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh +/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG +A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI +vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I +pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi +YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS +wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+ +BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto +NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o +c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K +7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt +oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L +3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk +YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr +Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs +Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz +TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X +fNcb5iDYqZRzD8ixBbLxUw== +-----END PRIVATE KEY----- -- Gitee From 36a11d93bef852451d9fa553d3642eb615da5db9 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 14 Dec 2023 11:09:15 +0100 Subject: [PATCH 08/17] run Cross Compiles workflow on self-hosted runner Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23042) (cherry picked from commit 625287bc80129deedab7484ee4c0ac112ae874a0) Signed-off-by: lanming1120 --- .github/workflows/cross-compiles.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index ef946545aa..ca8558b74e 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -129,7 +129,7 @@ jobs: tests: none } ] - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - name: install packages run: | -- Gitee From f7253687789a3e9c8b8d4a468191b4c091ab59f4 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 14 Dec 2023 12:29:23 +0100 Subject: [PATCH 09/17] run GitHub CI workflow on self-hosted runners Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23042) (cherry picked from commit 834a2d7088a042a4f8f95fa2b8327fd388556151) Signed-off-by: lanming1120 --- .github/workflows/ci.yml | 112 +++++++++++++++++++++++++++++---------- 1 file changed, 85 insertions(+), 27 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b9185fc4e9..25757a98b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ permissions: jobs: check_update: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - name: install unifdef run: | @@ -42,7 +42,7 @@ jobs: run: git diff --exit-code check_docs: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -60,7 +60,7 @@ jobs: # We are not as strict with libraries, but rather adapt to what's # expected to be available in a certain version of each platform. check-ansi: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -69,7 +69,7 @@ jobs: run: make -s -j4 basic_gcc: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: localegen @@ -82,7 +82,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} basic_clang: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -112,7 +112,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} minimal: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -123,7 +123,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} no-deprecated: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -133,11 +133,20 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - no-shared: - strategy: - matrix: - os: [ ubuntu-latest, macos-latest ] - runs-on: ${{matrix.os}} + no-shared-ubuntu: + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} + steps: + - uses: actions/checkout@v4 + - name: config + run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + no-shared-macos: + runs-on: macos-latest + if: github.server_url == 'https://github.com' steps: - uses: actions/checkout@v4 - name: config @@ -148,7 +157,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} non-caching: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -159,7 +168,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" address_ub_sanitizer: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -170,7 +179,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 memory_sanitizer: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -182,7 +191,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 threads_sanitizer: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -193,7 +202,7 @@ jobs: run: make V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp" test HARNESS_JOBS=${HARNESS_JOBS:-4} enable_non-default_options: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: modprobe tls @@ -206,7 +215,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} fips_and_ktls: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: modprobe tls @@ -219,7 +228,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} no-legacy: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -230,7 +239,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} legacy: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -256,11 +265,36 @@ jobs: # build tree # - That building, testing and installing works with a read-only source # tree - out-of-readonly-source-and-install: - strategy: - matrix: - os: [ubuntu-latest, macos-latest ] - runs-on: ${{matrix.os}} + out-of-readonly-source-and-install-ubuntu: + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} + steps: + - uses: actions/checkout@v4 + with: + path: ./source + - name: make source read-only + run: chmod -R a-w ./source + - name: create build and install directories + run: | + mkdir ./build + mkdir ./install + - name: config + run: | + ../source/config --banner=Configured enable-fips enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) + perl configdata.pm --dump + working-directory: ./build + - name: make + run: make -s -j4 + working-directory: ./build + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + working-directory: ./build + - name: make install + run: make install + working-directory: ./build + + out-of-readonly-source-and-install-macos: + runs-on: macos-latest + if: github.server_url == 'https://github.com' steps: - uses: actions/checkout@v4 with: @@ -287,7 +321,7 @@ jobs: working-directory: ./build external-tests: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 with: @@ -312,7 +346,7 @@ jobs: run: make test TESTS="test_external_krb5" external-test-pyca: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} strategy: matrix: RUST: @@ -339,3 +373,27 @@ jobs: default: true - name: test external pyca run: make test TESTS="test_external_pyca" VERBOSE=1 +==== BASE ==== + + external-test-cf-quiche: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + - name: Configure OpenSSL + run: ./config --banner=Configured --strict-warnings enable-external-tests && perl configdata.pm --dump + - name: make + run: make -s -j4 + - uses: actions-rs/toolchain@v1 + with: + profile: default + toolchain: stable + default: true + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: test external Cloudflare quiche + run: make test TESTS="test_external_cf_quiche" VERBOSE=1 +==== BASE ==== -- Gitee From d28b4ff40ab4c21392155ab0b2604d48963106c4 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 14 Dec 2023 13:36:04 +0100 Subject: [PATCH 10/17] run Windows GitHub CI workflow on self-hosted runners Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23042) (cherry picked from commit ce42b72cb1ca2ba8669bc28a70ed9dca28b7a551) Signed-off-by: lanming1120 --- .github/workflows/windows.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index a3274457c3..2e0f4fe0c9 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -25,7 +25,7 @@ jobs: config: enable-fips - arch: win32 config: --strict-warnings no-fips - runs-on: ${{matrix.os}} + runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} steps: - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 @@ -61,7 +61,7 @@ jobs: os: - windows-2019 - windows-2022 - runs-on: ${{matrix.os}} + runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} steps: - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 @@ -85,7 +85,7 @@ jobs: os: - windows-2019 - windows-2022 - runs-on: ${{matrix.os}} + runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} steps: - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 -- Gitee From ee5c1394faf1a000637b25fb5ef6f835fba85af6 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 14 Dec 2023 16:26:21 +0100 Subject: [PATCH 11/17] Always apply all configuration settings from the ssl section Even if some configuration entry is incorrect, do not skip the remaining ones. Fixes #20789 Reviewed-by: Neil Horman Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/23048) (cherry picked from commit 69c067ffbc2c02295e20c90e557b6fcb2f7da69c) Signed-off-by: lanming1120 --- ssl/ssl_mcnf.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index c2366e41e3..d7ec22c0e8 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -24,7 +24,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) { SSL_CONF_CTX *cctx = NULL; size_t i, idx, cmd_count; - int rv = 0; + int err = 1; unsigned int flags; const SSL_METHOD *meth; const SSL_CONF_CMD *cmds; @@ -66,8 +66,10 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) flags |= SSL_CONF_FLAG_CLIENT; SSL_CONF_CTX_set_flags(cctx, flags); prev_libctx = OSSL_LIB_CTX_set0_default(libctx); + err = 0; for (i = 0; i < cmd_count; i++) { char *cmdstr, *arg; + int rv; conf_ssl_get_cmd(cmds, i, &cmdstr, &arg); rv = SSL_CONF_cmd(cctx, cmdstr, arg); @@ -76,14 +78,15 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) ERR_raise_data(ERR_LIB_SSL, errcode, "section=%s, cmd=%s, arg=%s", name, cmdstr, arg); - goto err; + ++err; } } - rv = SSL_CONF_CTX_finish(cctx); + if (!SSL_CONF_CTX_finish(cctx)) + ++err; err: OSSL_LIB_CTX_set0_default(prev_libctx); SSL_CONF_CTX_free(cctx); - return rv <= 0 ? 0 : 1; + return err == 0; } int SSL_config(SSL *s, const char *name) -- Gitee From e397b19a05d0cdb5218de1897da220d9e57df6a4 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 14 Dec 2023 16:37:58 +0100 Subject: [PATCH 12/17] Test that incorrect entry in the ssl section is not fatal The following entries should be still applied. Reviewed-by: Neil Horman Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/23048) (cherry picked from commit 17b4277d9ac6665e9b53a6270949418154cab2dc) Signed-off-by: lanming1120 --- test/sysdefault.cnf | 1 + 1 file changed, 1 insertion(+) diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf index 20712b5bda..1c8915074a 100644 --- a/test/sysdefault.cnf +++ b/test/sysdefault.cnf @@ -18,5 +18,6 @@ new-sig-oid = 1.1.1.1.1.1.1.1.1.1.1.1.1.1 system_default = ssl_default_sect [ssl_default_sect] +SignatureAlgorithms = RSA+SHA256:nonex MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 -- Gitee From 4605b38be9bd35364b95ee69906fcdea3264c861 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 14 Dec 2023 18:33:57 +0100 Subject: [PATCH 13/17] Consolidate raising errors in SSL_CONF_cmd() Reviewed-by: Neil Horman Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/23048) (cherry picked from commit 430dcbd0463573fece704263648cc15e891c3d49) Signed-off-by: lanming1120 --- ssl/ssl_conf.c | 24 ++++++++++++++++-------- ssl/ssl_mcnf.c | 7 +------ 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 5146cedb96..698280288e 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -870,9 +870,12 @@ static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd) /* Find index of command in table */ size_t idx = cmd - ssl_conf_cmds; const ssl_switch_tbl *scmd; + /* Sanity check index */ - if (idx >= OSSL_NELEM(ssl_cmd_switches)) + if (idx >= OSSL_NELEM(ssl_cmd_switches)) { + ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); return 0; + } /* Obtain switches entry with same index */ scmd = ssl_cmd_switches + idx; ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); @@ -888,28 +891,33 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) } if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) - return -2; + goto unknown_cmd; runcmd = ssl_conf_cmd_lookup(cctx, cmd); if (runcmd) { - int rv; + int rv = -3; + if (runcmd->value_type == SSL_CONF_TYPE_NONE) { return ctrl_switch_option(cctx, runcmd); } if (value == NULL) - return -3; + goto bad_value; rv = runcmd->cmd(cctx, value); if (rv > 0) return 2; - if (rv == -2) - return -2; + if (rv != -2) + rv = 0; + + bad_value: if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE, - "cmd=%s, value=%s", cmd, value); - return 0; + "cmd=%s, value=%s", cmd, + value != NULL ? value : ""); + return rv; } + unknown_cmd: if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd); diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index d7ec22c0e8..8bccce84d4 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -73,13 +73,8 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) conf_ssl_get_cmd(cmds, i, &cmdstr, &arg); rv = SSL_CONF_cmd(cctx, cmdstr, arg); - if (rv <= 0) { - int errcode = rv == -2 ? SSL_R_UNKNOWN_COMMAND : SSL_R_BAD_VALUE; - - ERR_raise_data(ERR_LIB_SSL, errcode, - "section=%s, cmd=%s, arg=%s", name, cmdstr, arg); + if (rv <= 0) ++err; - } } if (!SSL_CONF_CTX_finish(cctx)) ++err; -- Gitee From 3a509f1dda51e5c0feaa52e9058fbf5713b56bf1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 19 Dec 2023 12:11:51 +0100 Subject: [PATCH 14/17] ci.yml: Fix bad conflict fix in backported patch Reviewed-by: Matt Caswell Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/23090) (cherry picked from commit b80cee9658ff18a6dbb575015589ebde1a94ffdc) Signed-off-by: lanming1120 --- .github/workflows/ci.yml | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 25757a98b9..6b7ffa292e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -373,27 +373,3 @@ jobs: default: true - name: test external pyca run: make test TESTS="test_external_pyca" VERBOSE=1 -==== BASE ==== - - external-test-cf-quiche: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - submodules: recursive - - name: Configure OpenSSL - run: ./config --banner=Configured --strict-warnings enable-external-tests && perl configdata.pm --dump - - name: make - run: make -s -j4 - - uses: actions-rs/toolchain@v1 - with: - profile: default - toolchain: stable - default: true - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: test external Cloudflare quiche - run: make test TESTS="test_external_cf_quiche" VERBOSE=1 -==== BASE ==== -- Gitee From a4e832cc0100d1c08c88cbad78a176c040e5baf2 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 18 Dec 2023 21:38:22 +0100 Subject: [PATCH 15/17] Fix no-des failure in test_cms The newly introduced test case do not work when configured with no-des, fix that by choosing -aes128 as cipher. Fixes ffed597882ba ("cms: avoid intermittent test failure") Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23086) (cherry picked from commit 5b4f4474b2562c4422193e1719461a0ef5cbc3e5) Signed-off-by: lanming1120 --- test/recipes/80-test_cms.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index eda35a95e3..31f9fbd128 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -1047,7 +1047,7 @@ subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub { ok(run(app(['openssl', 'cms', @defaultprov, - '-encrypt', + '-encrypt', '-aes128', '-in', $pt, '-out', $ct, '-stream', @@ -1061,7 +1061,7 @@ subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub { "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)"); ok(run(app(['openssl', 'cms', @defaultprov, - '-decrypt', + '-decrypt', '-aes128', '-in', $ct, '-out', $ptpt, '-inkey', catfile($smdir, "smrsa3-key.pem"), -- Gitee From 58afec4b15f3a214e561816e9b57bab3075127b2 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Sun, 10 Dec 2023 15:21:19 +0100 Subject: [PATCH 16/17] Fix a possible memory leak in ossl_x509_algor_md_to_mgf1 Add a missing check of the return code of X509_ALGOR_set0. otherwise a memory leak may occur. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22999) (cherry picked from commit 493d6c9ab37b18b110c977a2bc896f06b18f6065) Signed-off-by: lanming1120 --- crypto/asn1/x_algor.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c index c0a5f76803..2c4a8d4b4e 100644 --- a/crypto/asn1/x_algor.c +++ b/crypto/asn1/x_algor.c @@ -179,7 +179,11 @@ int ossl_x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) *palg = X509_ALGOR_new(); if (*palg == NULL) goto err; - X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); + if (!X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp)) { + X509_ALGOR_free(*palg); + *palg = NULL; + goto err; + } stmp = NULL; err: ASN1_STRING_free(stmp); -- Gitee From 5b12f406d134cabf621bdb8a98f1f653bd0ac205 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 18:00:12 +0000 Subject: [PATCH 17/17] Bump actions/setup-python from 4.7.1 to 5.0.0 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.1 to 5.0.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4.7.1...v5.0.0) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22963) (cherry picked from commit 51c85496dc227f277adbe0748d596e07d9a34bc2) Signed-off-by: lanming1120 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6b7ffa292e..078864471c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -362,7 +362,7 @@ jobs: - name: make run: make -s -j4 - name: Setup Python - uses: actions/setup-python@v4.7.1 + uses: actions/setup-python@v5.0.0 with: python-version: ${{ matrix.PYTHON }} - uses: actions-rs/toolchain@v1 -- Gitee