From 0b2103419fa16f803bf4b608fefa2c9b5b02ef65 Mon Sep 17 00:00:00 2001 
From: Richard Lau Date: Tue, 14 Dec 2021 16:07:56 -0500 Subject: [PATCH] deps: upgrade openssl sources to quictls/openssl-3.0.1+quic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This updates all sources in deps/openssl/openssl by: $ git clone git@github.com:quictls/openssl.git $ cd openssl $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl PR-URL: https://github.com/nodejs/node/pull/41177 Refs: https://github.com/quictls/openssl/pull/69 Refs: https://mta.openssl.org/pipermail/openssl-announce/2021-December/000212.html Reviewed-By: Danielle Adams Reviewed-By: Colin Ihrig Reviewed-By: Matteo Collina Reviewed-By: Tobias Nießen Reviewed-By: Derek Lewis --- deps/openssl/openssl/CHANGES.md | 90 +++ .../openssl/Configurations/10-main.conf | 1 + .../openssl/Configurations/15-ios.conf | 2 +- .../openssl/Configurations/descrip.mms.tmpl | 36 +- .../openssl/Configurations/platform/Unix.pm | 18 +- .../openssl/Configurations/unix-Makefile.tmpl | 20 +- .../Configurations/windows-makefile.tmpl | 17 +- deps/openssl/openssl/NEWS.md | 7 + deps/openssl/openssl/NOTES-VALGRIND.md | 2 +- deps/openssl/openssl/README.md | 29 +- deps/openssl/openssl/SUPPORT.md | 4 +- deps/openssl/openssl/VERSION.dat | 4 +- deps/openssl/openssl/VMS/openssl_ivp.com.in | 10 +- .../openssl/VMS/openssl_shutdown.com.in | 9 +- .../openssl/VMS/openssl_startup.com.in | 8 +- deps/openssl/openssl/VMS/openssl_utils.com.in | 2 +- deps/openssl/openssl/apps/cmp.c | 190 +++-- deps/openssl/openssl/apps/dgst.c | 4 +- deps/openssl/openssl/apps/dhparam.c | 6 +- deps/openssl/openssl/apps/dsaparam.c | 2 +- deps/openssl/openssl/apps/lib/app_rand.c | 10 +- deps/openssl/openssl/apps/lib/apps.c | 18 +- deps/openssl/openssl/apps/lib/engine_loader.c | 4 +- deps/openssl/openssl/apps/lib/s_cb.c | 40 +- deps/openssl/openssl/apps/openssl.c | 6 +- deps/openssl/openssl/apps/req.c | 13 +- 
deps/openssl/openssl/apps/s_client.c | 6 +- deps/openssl/openssl/apps/s_server.c | 14 +- deps/openssl/openssl/apps/speed.c | 20 +- deps/openssl/openssl/apps/tsget.in | 52 +- deps/openssl/openssl/apps/x509.c | 49 +- deps/openssl/openssl/crypto/aes/build.info | 2 +- deps/openssl/openssl/crypto/armcap.c | 15 +- deps/openssl/openssl/crypto/asn1/d2i_pu.c | 23 +- deps/openssl/openssl/crypto/asn1/tasn_dec.c | 4 +- deps/openssl/openssl/crypto/async/async.c | 8 + deps/openssl/openssl/crypto/bio/bio_lib.c | 18 +- deps/openssl/openssl/crypto/bio/bss_mem.c | 4 +- deps/openssl/openssl/crypto/bn/asm/mips.pl | 6 +- deps/openssl/openssl/crypto/bn/bn_lib.c | 5 +- deps/openssl/openssl/crypto/bn/bn_rand.c | 2 +- .../openssl/crypto/bn/bn_rsa_fips186_4.c | 16 +- deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c | 16 +- deps/openssl/openssl/crypto/cmac/cmac.c | 2 +- deps/openssl/openssl/crypto/cmp/cmp_msg.c | 5 +- deps/openssl/openssl/crypto/cmp/cmp_server.c | 6 +- deps/openssl/openssl/crypto/cmp/cmp_vfy.c | 4 +- deps/openssl/openssl/crypto/cms/cms_dh.c | 2 +- deps/openssl/openssl/crypto/cms/cms_ec.c | 2 +- deps/openssl/openssl/crypto/cms/cms_pwri.c | 4 + deps/openssl/openssl/crypto/cms/cms_sd.c | 4 +- deps/openssl/openssl/crypto/cms/cms_smime.c | 2 + deps/openssl/openssl/crypto/comp/c_zlib.c | 12 +- deps/openssl/openssl/crypto/conf/conf_api.c | 7 +- deps/openssl/openssl/crypto/conf/conf_def.c | 2 + deps/openssl/openssl/crypto/context.c | 4 + deps/openssl/openssl/crypto/core_algorithm.c | 17 +- deps/openssl/openssl/crypto/core_fetch.c | 13 +- deps/openssl/openssl/crypto/core_namemap.c | 2 +- deps/openssl/openssl/crypto/cpt_err.c | 2 + deps/openssl/openssl/crypto/crmf/crmf_pbm.c | 4 +- deps/openssl/openssl/crypto/des/set_key.c | 47 +- deps/openssl/openssl/crypto/dh/dh_ameth.c | 2 +- deps/openssl/openssl/crypto/dh/dh_kdf.c | 2 +- deps/openssl/openssl/crypto/dsa/dsa_sign.c | 3 +- deps/openssl/openssl/crypto/dso/dso_lib.c | 24 +- deps/openssl/openssl/crypto/ec/ec_asn1.c | 3 +- 
.../openssl/openssl/crypto/ec/ec_deprecated.c | 4 +- deps/openssl/openssl/crypto/ec/ecx_backend.c | 25 +- .../crypto/encode_decode/decoder_meth.c | 11 +- .../crypto/encode_decode/encoder_lib.c | 7 +- .../crypto/encode_decode/encoder_meth.c | 11 +- deps/openssl/openssl/crypto/engine/eng_dyn.c | 4 +- deps/openssl/openssl/crypto/engine/eng_lib.c | 2 + deps/openssl/openssl/crypto/engine/eng_list.c | 87 +++ .../openssl/openssl/crypto/engine/eng_local.h | 9 + deps/openssl/openssl/crypto/err/err.c | 16 +- deps/openssl/openssl/crypto/err/openssl.txt | 2 + deps/openssl/openssl/crypto/evp/asymcipher.c | 129 +++- .../crypto/evp/ctrl_params_translate.c | 35 +- deps/openssl/openssl/crypto/evp/digest.c | 18 +- deps/openssl/openssl/crypto/evp/e_rc5.c | 7 +- deps/openssl/openssl/crypto/evp/evp_fetch.c | 55 +- deps/openssl/openssl/crypto/evp/evp_lib.c | 2 +- deps/openssl/openssl/crypto/evp/evp_local.h | 22 + deps/openssl/openssl/crypto/evp/exchange.c | 139 ++-- deps/openssl/openssl/crypto/evp/kem.c | 121 +++- deps/openssl/openssl/crypto/evp/keymgmt_lib.c | 20 + .../openssl/openssl/crypto/evp/keymgmt_meth.c | 11 + deps/openssl/openssl/crypto/evp/m_sigver.c | 160 +++-- deps/openssl/openssl/crypto/evp/mac_lib.c | 8 +- deps/openssl/openssl/crypto/evp/p_lib.c | 22 +- deps/openssl/openssl/crypto/evp/pmeth_lib.c | 15 +- deps/openssl/openssl/crypto/evp/signature.c | 130 +++- .../openssl/openssl/crypto/http/http_client.c | 83 ++- deps/openssl/openssl/crypto/http/http_err.c | 1 + deps/openssl/openssl/crypto/initthread.c | 15 + deps/openssl/openssl/crypto/objects/o_names.c | 8 +- deps/openssl/openssl/crypto/ocsp/ocsp_http.c | 8 +- deps/openssl/openssl/crypto/param_build.c | 6 + .../openssl/openssl/crypto/params_from_text.c | 28 +- deps/openssl/openssl/crypto/passphrase.c | 15 +- deps/openssl/openssl/crypto/pem/pvkfmt.c | 5 + .../openssl/crypto/perlasm/ppc-xlate.pl | 5 +- .../openssl/crypto/property/property.c | 80 ++- .../openssl/crypto/property/property_local.h | 3 +- 
.../openssl/crypto/property/property_parse.c | 40 +- .../openssl/crypto/property/property_query.c | 4 +- deps/openssl/openssl/crypto/provider.c | 10 +- deps/openssl/openssl/crypto/provider_child.c | 28 +- deps/openssl/openssl/crypto/provider_conf.c | 26 +- deps/openssl/openssl/crypto/provider_core.c | 88 ++- deps/openssl/openssl/crypto/rsa/rsa_backend.c | 2 + deps/openssl/openssl/crypto/rsa/rsa_lib.c | 5 +- deps/openssl/openssl/crypto/sm2/sm2_sign.c | 13 + .../openssl/openssl/crypto/store/store_meth.c | 11 +- deps/openssl/openssl/crypto/threads_win.c | 1 - deps/openssl/openssl/crypto/x509/v3_akid.c | 25 +- deps/openssl/openssl/crypto/x509/v3_ncons.c | 3 + deps/openssl/openssl/crypto/x509/v3_san.c | 11 +- deps/openssl/openssl/crypto/x509/v3_skid.c | 6 +- deps/openssl/openssl/crypto/x509/x509_cmp.c | 8 +- deps/openssl/openssl/crypto/x509/x509_vfy.c | 26 +- deps/openssl/openssl/crypto/x509/x_name.c | 4 +- deps/openssl/openssl/crypto/x509/x_pubkey.c | 20 +- deps/openssl/openssl/crypto/x509/x_x509.c | 19 +- .../demos/signature/EVP_Signature_demo.c | 2 +- deps/openssl/openssl/doc/build.info | 12 +- deps/openssl/openssl/doc/build.info.in | 2 +- .../openssl/doc/internal/man3/OPTIONS.pod | 2 +- .../doc/internal/man3/OSSL_METHOD_STORE.pod | 22 +- .../internal/man3/cms_add1_signing_cert.pod | 4 +- .../doc/internal/man3/evp_generic_fetch.pod | 20 +- .../doc/internal/man3/evp_md_get_number.pod | 2 +- .../internal/man3/ossl_lib_ctx_get_data.pod | 2 +- .../internal/man3/ossl_method_construct.pod | 31 +- .../doc/internal/man3/ossl_provider_new.pod | 16 +- .../internal/man3/ossl_punycode_decode.pod | 6 +- .../openssl/doc/internal/man7/DERlib.pod | 4 +- .../openssl/doc/internal/man7/build.info.pod | 2 +- .../openssl/doc/life-cycles/digest.dot | 2 +- deps/openssl/openssl/doc/life-cycles/kdf.dot | 2 +- deps/openssl/openssl/doc/life-cycles/mac.dot | 2 +- deps/openssl/openssl/doc/life-cycles/rand.dot | 2 +- .../openssl/doc/man1/openssl-cmp.pod.in | 14 +- 
.../doc/man1/openssl-fipsinstall.pod.in | 12 + .../openssl/doc/man1/openssl-mac.pod.in | 2 +- .../openssl/doc/man1/openssl-passwd.pod.in | 2 - .../openssl/doc/man1/openssl-req.pod.in | 29 +- .../openssl/doc/man1/openssl-x509.pod.in | 37 +- .../doc/man3/ASN1_INTEGER_get_int64.pod | 8 +- .../openssl/doc/man3/ASN1_TYPE_get.pod | 4 +- .../openssl/doc/man3/ASN1_item_d2i_bio.pod | 8 +- deps/openssl/openssl/doc/man3/BF_encrypt.pod | 8 +- deps/openssl/openssl/doc/man3/BIO_ctrl.pod | 15 +- .../openssl/openssl/doc/man3/BIO_f_buffer.pod | 9 +- .../openssl/openssl/doc/man3/BIO_f_cipher.pod | 12 +- deps/openssl/openssl/doc/man3/BIO_f_md.pod | 2 +- .../openssl/openssl/doc/man3/BIO_f_prefix.pod | 8 +- deps/openssl/openssl/doc/man3/BIO_f_ssl.pod | 19 +- .../openssl/doc/man3/BIO_get_ex_new_index.pod | 6 +- deps/openssl/openssl/doc/man3/BIO_push.pod | 53 +- .../openssl/openssl/doc/man3/BIO_s_accept.pod | 6 +- .../openssl/doc/man3/BIO_s_connect.pod | 10 +- deps/openssl/openssl/doc/man3/BIO_s_fd.pod | 4 +- deps/openssl/openssl/doc/man3/BIO_s_file.pod | 15 +- .../openssl/doc/man3/BIO_set_callback.pod | 8 +- .../openssl/doc/man3/BN_BLINDING_new.pod | 6 +- deps/openssl/openssl/doc/man3/BN_bn2bin.pod | 6 +- .../openssl/doc/man3/BN_generate_prime.pod | 10 +- .../doc/man3/BN_mod_mul_reciprocal.pod | 6 +- deps/openssl/openssl/doc/man3/BN_rand.pod | 18 +- .../doc/man3/CMS_add1_recipient_cert.pod | 4 +- .../doc/man3/CMS_get0_RecipientInfos.pod | 4 +- deps/openssl/openssl/doc/man3/CMS_verify.pod | 2 +- .../openssl/doc/man3/CONF_modules_free.pod | 8 +- .../doc/man3/CRYPTO_get_ex_new_index.pod | 4 +- .../openssl/doc/man3/DEFINE_STACK_OF.pod | 5 +- .../openssl/doc/man3/DES_random_key.pod | 8 +- .../openssl/doc/man3/DH_generate_key.pod | 6 +- .../doc/man3/DH_generate_parameters.pod | 14 +- deps/openssl/openssl/doc/man3/DH_get0_pqg.pod | 6 +- .../openssl/doc/man3/DH_get_1024_160.pod | 6 +- deps/openssl/openssl/doc/man3/DH_meth_new.pod | 8 +- .../openssl/doc/man3/DH_new_by_nid.pod | 8 +- 
.../openssl/doc/man3/DH_set_method.pod | 8 +- deps/openssl/openssl/doc/man3/DH_size.pod | 6 +- deps/openssl/openssl/doc/man3/DSA_do_sign.pod | 6 +- deps/openssl/openssl/doc/man3/DSA_dup_DH.pod | 8 +- .../openssl/doc/man3/DSA_generate_key.pod | 6 +- .../doc/man3/DSA_generate_parameters.pod | 12 +- .../openssl/openssl/doc/man3/DSA_get0_pqg.pod | 8 +- .../openssl/openssl/doc/man3/DSA_meth_new.pod | 8 +- deps/openssl/openssl/doc/man3/DSA_new.pod | 8 +- .../openssl/doc/man3/DSA_set_method.pod | 8 +- deps/openssl/openssl/doc/man3/DSA_sign.pod | 6 +- deps/openssl/openssl/doc/man3/DSA_size.pod | 6 +- .../openssl/doc/man3/ECDSA_SIG_new.pod | 6 +- .../openssl/doc/man3/ECPKParameters_print.pod | 6 +- .../openssl/doc/man3/EC_GFp_simple_method.pod | 6 +- .../openssl/doc/man3/EC_GROUP_copy.pod | 4 +- .../openssl/openssl/doc/man3/EC_GROUP_new.pod | 6 +- deps/openssl/openssl/doc/man3/EC_KEY_new.pod | 6 +- .../openssl/openssl/doc/man3/EC_POINT_add.pod | 6 +- .../openssl/openssl/doc/man3/EC_POINT_new.pod | 6 +- deps/openssl/openssl/doc/man3/ENGINE_add.pod | 17 +- .../openssl/doc/man3/ERR_get_error.pod | 10 +- .../doc/man3/ERR_load_crypto_strings.pod | 8 +- .../openssl/doc/man3/ERR_load_strings.pod | 6 +- .../openssl/doc/man3/ERR_put_error.pod | 8 +- .../openssl/doc/man3/ERR_remove_state.pod | 14 +- .../man3/EVP_CIPHER_CTX_get_original_iv.pod | 6 +- .../openssl/doc/man3/EVP_CIPHER_meth_new.pod | 8 +- .../openssl/doc/man3/EVP_DigestInit.pod | 24 +- .../openssl/doc/man3/EVP_DigestSignInit.pod | 13 +- .../openssl/doc/man3/EVP_DigestVerifyInit.pod | 9 +- .../openssl/doc/man3/EVP_EncryptInit.pod | 53 +- .../openssl/doc/man3/EVP_MD_meth_new.pod | 6 +- .../openssl/doc/man3/EVP_PKEY_CTX_ctrl.pod | 12 +- .../doc/man3/EVP_PKEY_copy_parameters.pod | 48 +- .../openssl/doc/man3/EVP_PKEY_encapsulate.pod | 2 +- .../openssl/doc/man3/EVP_PKEY_encrypt.pod | 2 +- .../openssl/doc/man3/EVP_PKEY_fromdata.pod | 22 +- .../doc/man3/EVP_PKEY_gettable_params.pod | 6 +- .../openssl/doc/man3/EVP_PKEY_keygen.pod 
| 4 +- .../doc/man3/EVP_PKEY_meth_get_count.pod | 8 +- .../openssl/doc/man3/EVP_PKEY_meth_new.pod | 6 +- .../openssl/openssl/doc/man3/EVP_PKEY_new.pod | 6 +- .../openssl/doc/man3/EVP_PKEY_set1_RSA.pod | 6 +- .../man3/EVP_PKEY_set1_encoded_public_key.pod | 8 +- ...P_SIGNATURE_free.pod => EVP_SIGNATURE.pod} | 3 + deps/openssl/openssl/doc/man3/HMAC.pod | 12 +- deps/openssl/openssl/doc/man3/MD5.pod | 20 +- deps/openssl/openssl/doc/man3/MDC2_Init.pod | 8 +- deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod | 30 +- .../openssl/doc/man3/OCSP_sendreq_new.pod | 6 +- .../openssl/doc/man3/OPENSSL_config.pod | 8 +- .../openssl/doc/man3/OPENSSL_fork_prepare.pod | 8 +- .../doc/man3/OPENSSL_instrument_bus.pod | 6 +- .../openssl/doc/man3/OPENSSL_malloc.pod | 6 +- .../doc/man3/OSSL_CMP_MSG_get0_header.pod | 2 +- .../openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod | 2 +- .../openssl/doc/man3/OSSL_DECODER_CTX.pod | 8 +- .../openssl/doc/man3/OSSL_ENCODER_to_bio.pod | 2 +- .../openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod | 21 +- .../openssl/doc/man3/OSSL_HTTP_parse_url.pod | 6 +- .../openssl/doc/man3/OSSL_HTTP_transfer.pod | 41 +- .../openssl/doc/man3/OSSL_PARAM_BLD.pod | 5 + .../openssl/doc/man3/OSSL_PARAM_int.pod | 6 + .../openssl/doc/man3/OSSL_STORE_LOADER.pod | 6 +- .../openssl/doc/man3/OSSL_STORE_open.pod | 6 +- .../doc/man3/OpenSSL_add_all_algorithms.pod | 8 +- .../openssl/openssl/doc/man3/PEM_read_CMS.pod | 6 +- .../doc/man3/PEM_read_bio_PrivateKey.pod | 18 +- .../doc/man3/PKCS12_SAFEBAG_create_cert.pod | 4 +- .../doc/man3/PKCS12_SAFEBAG_get0_attrs.pod | 8 +- .../doc/man3/PKCS12_SAFEBAG_get1_cert.pod | 4 +- .../openssl/doc/man3/PKCS12_decrypt_skey.pod | 2 +- deps/openssl/openssl/doc/man3/RAND_add.pod | 8 +- deps/openssl/openssl/doc/man3/RAND_bytes.pod | 6 +- .../openssl/openssl/doc/man3/RAND_cleanup.pod | 8 +- .../openssl/doc/man3/RAND_set_rand_method.pod | 6 +- deps/openssl/openssl/doc/man3/RC4_set_key.pod | 8 +- .../openssl/doc/man3/RIPEMD160_Init.pod | 8 +- 
.../openssl/doc/man3/RSA_blinding_on.pod | 6 +- .../openssl/doc/man3/RSA_check_key.pod | 12 +- .../openssl/doc/man3/RSA_generate_key.pod | 10 +- .../openssl/openssl/doc/man3/RSA_get0_key.pod | 6 +- .../openssl/openssl/doc/man3/RSA_meth_new.pod | 8 +- deps/openssl/openssl/doc/man3/RSA_new.pod | 4 +- .../doc/man3/RSA_padding_add_PKCS1_type_1.pod | 6 +- deps/openssl/openssl/doc/man3/RSA_print.pod | 39 +- .../openssl/doc/man3/RSA_private_encrypt.pod | 6 +- .../openssl/doc/man3/RSA_public_encrypt.pod | 6 +- .../openssl/doc/man3/RSA_set_method.pod | 14 +- deps/openssl/openssl/doc/man3/RSA_sign.pod | 8 +- .../doc/man3/RSA_sign_ASN1_OCTET_STRING.pod | 8 +- deps/openssl/openssl/doc/man3/RSA_size.pod | 6 +- deps/openssl/openssl/doc/man3/SCT_print.pod | 4 +- deps/openssl/openssl/doc/man3/SHA256_Init.pod | 18 +- deps/openssl/openssl/doc/man3/SRP_Calc_B.pod | 6 +- .../openssl/doc/man3/SRP_VBASE_new.pod | 6 +- .../openssl/doc/man3/SRP_create_verifier.pod | 6 +- .../openssl/doc/man3/SRP_user_pwd_new.pod | 6 +- .../openssl/doc/man3/SSL_CIPHER_get_name.pod | 6 +- .../man3/SSL_COMP_add_compression_method.pod | 8 +- .../doc/man3/SSL_CTX_set_client_hello_cb.pod | 4 +- .../doc/man3/SSL_CTX_set_keylog_callback.pod | 4 +- .../doc/man3/SSL_CTX_set_num_tickets.pod | 12 +- .../openssl/doc/man3/SSL_CTX_set_options.pod | 4 +- .../man3/SSL_CTX_set_psk_client_callback.pod | 10 +- .../doc/man3/SSL_CTX_set_security_level.pod | 15 +- .../man3/SSL_CTX_set_split_send_fragment.pod | 4 +- .../doc/man3/SSL_CTX_set_srp_password.pod | 6 +- .../man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 8 +- .../doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 8 +- .../doc/man3/SSL_CTX_use_certificate.pod | 14 +- .../openssl/doc/man3/SSL_get_session.pod | 9 +- .../openssl/doc/man3/SSL_group_to_name.pod | 2 +- .../doc/man3/SSL_set_async_callback.pod | 4 +- deps/openssl/openssl/doc/man3/SSL_set_bio.pod | 4 +- deps/openssl/openssl/doc/man3/SSL_set_fd.pod | 13 +- .../openssl/doc/man3/X509V3_set_ctx.pod | 12 +- 
deps/openssl/openssl/doc/man3/X509_dup.pod | 6 +- .../openssl/doc/man3/X509_get0_signature.pod | 6 +- .../openssl/doc/man3/X509_get_pubkey.pod | 4 +- .../doc/man3/X509_get_subject_name.pod | 8 +- .../openssl/doc/man3/X509_load_http.pod | 6 +- .../openssl/doc/man3/d2i_RSAPrivateKey.pod | 20 +- deps/openssl/openssl/doc/man3/d2i_X509.pod | 4 + .../openssl/doc/man3/i2d_re_X509_tbs.pod | 4 +- .../openssl/doc/man5/x509v3_config.pod | 23 +- .../openssl/doc/man7/EVP_KDF-SSHKDF.pod | 2 +- .../openssl/doc/man7/EVP_KEYEXCH-ECDH.pod | 2 +- deps/openssl/openssl/doc/man7/EVP_PKEY-DH.pod | 4 +- deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod | 2 +- .../openssl/openssl/doc/man7/EVP_PKEY-FFC.pod | 2 +- .../openssl/doc/man7/EVP_RAND-TEST-RAND.pod | 5 +- .../openssl/doc/man7/EVP_SIGNATURE-DSA.pod | 4 +- .../openssl/doc/man7/EVP_SIGNATURE-ECDSA.pod | 4 +- .../openssl/doc/man7/EVP_SIGNATURE-RSA.pod | 6 +- .../openssl/doc/man7/OSSL_PROVIDER-FIPS.pod | 4 +- deps/openssl/openssl/doc/man7/RAND.pod | 2 +- deps/openssl/openssl/doc/man7/bio.pod | 2 +- deps/openssl/openssl/doc/man7/crypto.pod | 35 +- .../openssl/doc/man7/life_cycle-cipher.pod | 6 +- .../openssl/doc/man7/life_cycle-digest.pod | 2 +- .../openssl/doc/man7/life_cycle-kdf.pod | 14 +- .../openssl/doc/man7/life_cycle-mac.pod | 2 +- .../openssl/doc/man7/life_cycle-rand.pod | 2 +- .../openssl/doc/man7/migration_guide.pod | 50 +- .../openssl/doc/man7/openssl-core.h.pod | 2 +- deps/openssl/openssl/doc/man7/openssl-env.pod | 13 + .../openssl/doc/man7/openssl-glossary.pod | 2 +- deps/openssl/openssl/doc/man7/ossl_store.pod | 4 +- deps/openssl/openssl/doc/man7/property.pod | 8 +- .../openssl/doc/man7/provider-base.pod | 23 +- .../openssl/doc/man7/provider-keyexch.pod | 2 +- .../openssl/doc/man7/provider-keymgmt.pod | 20 +- .../openssl/doc/man7/provider-signature.pod | 10 +- .../openssl/doc/man7/proxy-certificates.pod | 6 +- deps/openssl/openssl/engines/e_afalg.c | 7 +- deps/openssl/openssl/engines/e_dasync.c | 43 +- 
deps/openssl/openssl/engines/e_loader_attic.c | 4 +- deps/openssl/openssl/engines/e_ossltest.c | 216 +++++- .../openssl/include/crypto/aes_platform.h | 2 +- deps/openssl/openssl/include/crypto/bn_conf.h | 1 - .../openssl/openssl/include/crypto/dso_conf.h | 1 - deps/openssl/openssl/include/crypto/evp.h | 3 + deps/openssl/openssl/include/crypto/rand.h | 2 +- deps/openssl/openssl/include/internal/core.h | 4 +- .../openssl/include/internal/passphrase.h | 1 + .../openssl/include/internal/property.h | 13 +- .../openssl/include/internal/provider.h | 3 +- deps/openssl/openssl/include/openssl/asn1.h | 1 - deps/openssl/openssl/include/openssl/asn1t.h | 1 - deps/openssl/openssl/include/openssl/bio.h | 1 - deps/openssl/openssl/include/openssl/cmp.h | 1 - deps/openssl/openssl/include/openssl/cms.h | 1 - deps/openssl/openssl/include/openssl/conf.h | 1 - .../openssl/include/openssl/configuration.h | 1 - deps/openssl/openssl/include/openssl/core.h | 2 +- deps/openssl/openssl/include/openssl/crmf.h | 1 - deps/openssl/openssl/include/openssl/crypto.h | 1 - .../openssl/include/openssl/cryptoerr.h | 1 + deps/openssl/openssl/include/openssl/ct.h | 1 - deps/openssl/openssl/include/openssl/err.h | 1 - deps/openssl/openssl/include/openssl/ess.h | 1 - .../openssl/openssl/include/openssl/fipskey.h | 1 - .../openssl/openssl/include/openssl/httperr.h | 1 + deps/openssl/openssl/include/openssl/lhash.h | 1 - deps/openssl/openssl/include/openssl/macros.h | 2 +- deps/openssl/openssl/include/openssl/ocsp.h | 1 - .../openssl/include/openssl/opensslv.h | 1 - deps/openssl/openssl/include/openssl/pkcs12.h | 1 - deps/openssl/openssl/include/openssl/pkcs7.h | 1 - .../openssl/include/openssl/safestack.h | 1 - deps/openssl/openssl/include/openssl/srp.h | 1 - deps/openssl/openssl/include/openssl/ssl.h | 1 - deps/openssl/openssl/include/openssl/ui.h | 1 - deps/openssl/openssl/include/openssl/x509.h | 1 - .../openssl/include/openssl/x509_vfy.h | 1 - deps/openssl/openssl/include/openssl/x509v3.h | 1 - 
.../openssl/providers/common/provider_util.c | 52 +- deps/openssl/openssl/providers/defltprov.c | 1 + .../openssl/providers/fips-sources.checksums | 124 ++-- deps/openssl/openssl/providers/fips.checksum | 2 +- .../openssl/providers/fips/self_test_kats.c | 2 +- .../implementations/digests/build.info | 3 + .../implementations/digests/null_prov.c | 52 ++ .../encode_decode/decode_pvk2key.c | 2 +- .../encode_decode/decode_spki2typespki.c | 2 +- .../encode_decode/encode_key2any.c | 16 +- .../encode_decode/encode_key2ms.c | 12 +- .../include/prov/digestcommon.h | 23 +- .../include/prov/implementations.h | 1 + .../providers/implementations/kdfs/kbkdf.c | 4 +- .../providers/implementations/kdfs/krb5kdf.c | 1 + .../providers/implementations/kdfs/pbkdf1.c | 4 +- .../providers/implementations/kdfs/pbkdf2.c | 4 +- .../implementations/kdfs/pkcs12kdf.c | 4 +- .../providers/implementations/kdfs/scrypt.c | 4 +- .../providers/implementations/kdfs/sshkdf.c | 1 + .../providers/implementations/kdfs/sskdf.c | 4 +- .../implementations/keymgmt/dh_kmgmt.c | 28 +- .../implementations/keymgmt/dsa_kmgmt.c | 30 +- .../implementations/keymgmt/ec_kmgmt.c | 30 +- .../implementations/keymgmt/ecx_kmgmt.c | 51 +- .../keymgmt/mac_legacy_kmgmt.c | 1 + .../implementations/keymgmt/rsa_kmgmt.c | 28 +- .../providers/implementations/rands/drbg.c | 4 +- .../implementations/rands/seed_src.c | 5 +- .../implementations/rands/test_rng.c | 14 +- .../implementations/signature/dsa_sig.c | 40 +- .../implementations/signature/ecdsa_sig.c | 36 +- .../implementations/signature/eddsa_sig.c | 9 + .../signature/mac_legacy_sig.c | 18 +- .../implementations/signature/rsa_sig.c | 47 +- .../implementations/signature/sm2_sig.c | 41 +- deps/openssl/openssl/ssl/bio_ssl.c | 7 +- deps/openssl/openssl/ssl/ktls.c | 20 +- .../openssl/openssl/ssl/record/rec_layer_s3.c | 2 +- deps/openssl/openssl/ssl/record/ssl3_record.c | 23 +- deps/openssl/openssl/ssl/record/tls_pad.c | 4 +- deps/openssl/openssl/ssl/s3_lib.c | 12 +- 
deps/openssl/openssl/ssl/ssl_cert.c | 19 +- deps/openssl/openssl/ssl/ssl_ciph.c | 22 +- deps/openssl/openssl/ssl/ssl_lib.c | 53 +- deps/openssl/openssl/ssl/ssl_local.h | 5 + deps/openssl/openssl/ssl/statem/README.md | 2 +- .../openssl/ssl/statem/extensions_clnt.c | 7 +- .../openssl/ssl/statem/extensions_cust.c | 11 +- deps/openssl/openssl/ssl/statem/statem.c | 5 + deps/openssl/openssl/ssl/statem/statem_clnt.c | 2 +- deps/openssl/openssl/ssl/statem/statem_lib.c | 2 + deps/openssl/openssl/ssl/statem/statem_srvr.c | 9 + deps/openssl/openssl/ssl/t1_lib.c | 2 + deps/openssl/openssl/ssl/tls_depr.c | 10 +- deps/openssl/openssl/test/acvp_test.c | 23 +- deps/openssl/openssl/test/afalgtest.c | 42 +- deps/openssl/openssl/test/algorithmid_test.c | 2 +- deps/openssl/openssl/test/bio_enc_test.c | 14 +- deps/openssl/openssl/test/bio_prefix_text.c | 6 +- deps/openssl/openssl/test/bntest.c | 79 ++- deps/openssl/openssl/test/build.info | 11 +- deps/openssl/openssl/test/certs/cross-key.pem | 28 + .../openssl/openssl/test/certs/cross-root.pem | 18 + .../openssl/test/certs/goodcn2-cert.pem | 19 + .../openssl/test/certs/goodcn2-chain.pem | 40 ++ .../openssl/test/certs/goodcn2-key.pem | 28 + deps/openssl/openssl/test/certs/mkcert.sh | 29 +- .../openssl/test/certs/root-cross-cert.pem | 18 + deps/openssl/openssl/test/certs/setup.sh | 9 + deps/openssl/openssl/test/dane-cross.in | 113 +++ deps/openssl/openssl/test/danetest.c | 4 +- deps/openssl/openssl/test/destest.c | 69 ++ deps/openssl/openssl/test/dhtest.c | 22 + deps/openssl/openssl/test/ecdsatest.c | 2 +- deps/openssl/openssl/test/ectest.c | 52 +- deps/openssl/openssl/test/enginetest.c | 89 +++ deps/openssl/openssl/test/evp_extra_test.c | 655 ++++++++++++++++-- deps/openssl/openssl/test/evp_extra_test2.c | 59 +- .../openssl/test/evp_fetch_prov_test.c | 8 +- deps/openssl/openssl/test/evp_kdf_test.c | 13 +- deps/openssl/openssl/test/evp_libctx_test.c | 2 +- .../openssl/test/evp_pkey_provided_test.c | 44 +- 
deps/openssl/openssl/test/fake_rsaprov.c | 234 +++++++ deps/openssl/openssl/test/fake_rsaprov.h | 14 + .../test/helpers/predefined_dhparams.c | 4 +- .../openssl/openssl/test/helpers/ssltestlib.c | 5 - .../openssl/test/keymgmt_internal_test.c | 2 +- deps/openssl/openssl/test/packettest.c | 4 +- deps/openssl/openssl/test/params_test.c | 99 ++- deps/openssl/openssl/test/property_test.c | 193 +++++- deps/openssl/openssl/test/provfetchtest.c | 2 +- .../openssl/test/provider_internal_test.c | 2 +- .../openssl/openssl/test/provider_pkey_test.c | 132 ++++ deps/openssl/openssl/test/rand_test.c | 53 ++ .../test/recipes/01-test_symbol_presence.t | 19 +- .../openssl/test/recipes/02-test_errstr.t | 2 +- .../test/recipes/04-test_provider_pkey.t | 18 + .../openssl/test/recipes/05-test_rand.t | 5 +- .../openssl/test/recipes/15-test_rsa.t | 20 +- .../openssl/test/recipes/20-test_dgst.t | 23 +- .../openssl/test/recipes/25-test_req.t | 2 +- .../openssl/test/recipes/25-test_verify.t | 5 +- .../openssl/test/recipes/30-test_engine.t | 9 +- .../openssl/test/recipes/80-test_cmp_http.t | 4 +- .../80-test_cmp_http_data/Mock/server.cnf | 2 + .../80-test_cmp_http_data/test_commands.csv | 4 + .../openssl/test/recipes/80-test_dane.t | 8 +- .../openssl/test/recipes/90-test_fipsload.t | 4 +- .../openssl/test/recipes/tconversion.pl | 6 +- deps/openssl/openssl/test/sm2_internal_test.c | 41 ++ .../openssl/test/ssl-tests/01-simple.cnf | 26 +- .../openssl/test/ssl-tests/01-simple.cnf.in | 14 +- deps/openssl/openssl/test/ssl_old_test.c | 6 +- deps/openssl/openssl/test/sslapitest.c | 74 +- deps/openssl/openssl/test/testutil/tests.c | 14 +- .../openssl/test/testutil/testutil_init.c | 7 +- deps/openssl/openssl/test/threadstest.c | 30 +- deps/openssl/openssl/test/tls-provider.c | 2 +- deps/openssl/openssl/tools/c_rehash.in | 292 ++++---- deps/openssl/openssl/util/missingcrypto.txt | 4 - .../openssl/openssl/util/missingcrypto111.txt | 4 - deps/openssl/openssl/util/mkpod2html.pl | 11 +- 
deps/openssl/openssl/util/other.syms | 1 + .../openssl/util/perl/OpenSSL/Ordinals.pm | 4 - .../openssl/util/perl/OpenSSL/ParseC.pm | 6 + 509 files changed, 6380 insertions(+), 2405 deletions(-) rename deps/openssl/openssl/doc/man3/{EVP_SIGNATURE_free.pod => EVP_SIGNATURE.pod} (98%) delete mode 100644 deps/openssl/openssl/include/crypto/bn_conf.h delete mode 100644 deps/openssl/openssl/include/crypto/dso_conf.h delete mode 100644 deps/openssl/openssl/include/openssl/asn1.h delete mode 100644 deps/openssl/openssl/include/openssl/asn1t.h delete mode 100644 deps/openssl/openssl/include/openssl/bio.h delete mode 100644 deps/openssl/openssl/include/openssl/cmp.h delete mode 100644 deps/openssl/openssl/include/openssl/cms.h delete mode 100644 deps/openssl/openssl/include/openssl/conf.h delete mode 100644 deps/openssl/openssl/include/openssl/configuration.h delete mode 100644 deps/openssl/openssl/include/openssl/crmf.h delete mode 100644 deps/openssl/openssl/include/openssl/crypto.h delete mode 100644 deps/openssl/openssl/include/openssl/ct.h delete mode 100644 deps/openssl/openssl/include/openssl/err.h delete mode 100644 deps/openssl/openssl/include/openssl/ess.h delete mode 100644 deps/openssl/openssl/include/openssl/fipskey.h delete mode 100644 deps/openssl/openssl/include/openssl/lhash.h delete mode 100644 deps/openssl/openssl/include/openssl/ocsp.h delete mode 100644 deps/openssl/openssl/include/openssl/opensslv.h delete mode 100644 deps/openssl/openssl/include/openssl/pkcs12.h delete mode 100644 deps/openssl/openssl/include/openssl/pkcs7.h delete mode 100644 deps/openssl/openssl/include/openssl/safestack.h delete mode 100644 deps/openssl/openssl/include/openssl/srp.h delete mode 100644 deps/openssl/openssl/include/openssl/ssl.h delete mode 100644 deps/openssl/openssl/include/openssl/ui.h delete mode 100644 deps/openssl/openssl/include/openssl/x509.h delete mode 100644 deps/openssl/openssl/include/openssl/x509_vfy.h delete mode 100644 
deps/openssl/openssl/include/openssl/x509v3.h create mode 100644 deps/openssl/openssl/providers/implementations/digests/null_prov.c create mode 100644 deps/openssl/openssl/test/certs/cross-key.pem create mode 100644 deps/openssl/openssl/test/certs/cross-root.pem create mode 100644 deps/openssl/openssl/test/certs/goodcn2-cert.pem create mode 100644 deps/openssl/openssl/test/certs/goodcn2-chain.pem create mode 100644 deps/openssl/openssl/test/certs/goodcn2-key.pem create mode 100644 deps/openssl/openssl/test/certs/root-cross-cert.pem create mode 100644 deps/openssl/openssl/test/dane-cross.in create mode 100644 deps/openssl/openssl/test/fake_rsaprov.c create mode 100644 deps/openssl/openssl/test/fake_rsaprov.h create mode 100644 deps/openssl/openssl/test/provider_pkey_test.c create mode 100644 deps/openssl/openssl/test/rand_test.c create mode 100644 deps/openssl/openssl/test/recipes/04-test_provider_pkey.t
diff --git a/deps/openssl/openssl/CHANGES.md b/deps/openssl/openssl/CHANGES.md
index 144e54c2b8ddde..43b3bb89d615b8 100644
--- a/deps/openssl/openssl/CHANGES.md
+++ b/deps/openssl/openssl/CHANGES.md
@@ -34,6 +34,80 @@ breaking changes, and mappings for the large list of deprecated functions. *Todd Short* +### Changes between 3.0.0 and 3.0.1 [14 Dec 2021] + + * Fixed invalid handling of X509_verify_cert() internal errors in libssl + Internally libssl in OpenSSL calls X509_verify_cert() on the client side to + verify a certificate supplied by a server. That function may return a + negative return value to indicate an internal error (for example out of + memory). Such a negative return value is mishandled by OpenSSL and will cause + an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate + success and a subsequent call to SSL_get_error() to return the value + SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be + returned by OpenSSL if the application has previously called + SSL_CTX_set_cert_verify_callback(). Since most applications do not do this + the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be + totally unexpected and applications may not behave correctly as a result. The + exact behaviour will depend on the application but it could result in + crashes, infinite loops or other similar incorrect responses. + + This issue is made more serious in combination with a separate bug in OpenSSL + 3.0 that will cause X509_verify_cert() to indicate an internal error when + processing a certificate chain. This will occur where a certificate does not + include the Subject Alternative Name extension but where a Certificate + Authority has enforced name constraints. This issue can occur even with valid + chains. + ([CVE-2021-4044]) + + *Matt Caswell* + + * Corrected a few file name and file reference bugs in the build, + installation and setup scripts, which lead to installation verification + failures. Slightly enhanced the installation verification script. + + *Richard Levitte* + + * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private + keys. 
+ + *Richard Levitte* + + * Fixed PVK encoder to properly query for the passphrase. + + *Tomáš Mráz* + + * Multiple fixes in the OSSL_HTTP API functions. + + *David von Oheimb* + + * Allow sign extension in OSSL_PARAM_allocate_from_text() for the + OSSL_PARAM_INTEGER data type and return error on negative numbers + used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make + OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers. + + *Richard Levitte* + + * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex. + + *Tomáš Mráz* + + * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD. + + *Allan Jude* + + * Multiple threading fixes. + + *Matt Caswell* + + * Added NULL digest implementation to keep compatibility with 1.1.1 version. + + *Tomáš Mráz* + + * Allow fetching an operation from the provider that owns an unexportable key + as a fallback if that is still allowed by the property query. + + *Richard Levitte* + ### Changes between 1.1.1 and 3.0.0 [7 sep 2021] * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now @@ -1459,6 +1533,22 @@ breaking changes, and mappings for the large list of deprecated functions. OpenSSL 1.1.1 ------------- +### Changes between 1.1.1l and 1.1.1m [xx XXX xxxx] + + * Avoid loading of a dynamic engine twice. + + *Bernd Edlinger* + + * Prioritise DANE TLSA issuer certs over peer certs + + *Viktor Dukhovni* + + * Fixed random API for MacOS prior to 10.12 + + These MacOS versions don't support the CommonCrypto APIs + + *Lenny Primak* + ### Changes between 1.1.1k and 1.1.1l [24 Aug 2021] * Fixed an SM2 Decryption Buffer Overflow. diff --git a/deps/openssl/openssl/Configurations/10-main.conf b/deps/openssl/openssl/Configurations/10-main.conf index 468698a366d30b..8414b34ed9af7d 100644 --- a/deps/openssl/openssl/Configurations/10-main.conf +++ b/deps/openssl/openssl/Configurations/10-main.conf 
@@ -857,6 +857,7 @@ my %targets = ( inherit_from => [ "linux-x86" ], CC => "clang", CXX => "clang++", + ex_libs => add(threads("-latomic")), }, "linux-x86_64" => { inherit_from => [ "linux-generic64" ], diff --git a/deps/openssl/openssl/Configurations/15-ios.conf b/deps/openssl/openssl/Configurations/15-ios.conf index 4b5aeecc28a5c3..54d37f63f445d4 100644 --- a/deps/openssl/openssl/Configurations/15-ios.conf +++ b/deps/openssl/openssl/Configurations/15-ios.conf @@ -10,7 +10,7 @@ my %targets = ( template => 1, inherit_from => [ "darwin-common" ], sys_id => "iOS", - disable => [ "engine", "async" ], + disable => [ "shared", "async" ], }, "ios-xcrun" => { inherit_from => [ "ios-common" ], diff --git a/deps/openssl/openssl/Configurations/descrip.mms.tmpl b/deps/openssl/openssl/Configurations/descrip.mms.tmpl index 3db0fc72865a48..c8197337650604 100644 --- a/deps/openssl/openssl/Configurations/descrip.mms.tmpl +++ b/deps/openssl/openssl/Configurations/descrip.mms.tmpl @@ -9,7 +9,7 @@ (our $osslprefix_q = platform->osslprefix()) =~ s/\$/\\\$/; our $sover_dirname = platform->shlib_version_as_filename(); - our $osslver = sprintf "%02d%02d", split(/\./, $config{version}); + our $osslver = sprintf "%02d", split(/\./, $config{version}); our $sourcedir = $config{sourcedir}; our $builddir = $config{builddir}; @@ -110,9 +110,9 @@ @cnf_defines, 'OPENSSLDIR="""$(OPENSSLDIR_C)"""', 'ENGINESDIR="""$(ENGINESDIR_C)"""', - 'MODULESDIR="""$(MODULESDIR_C)"""', - #'$(DEFINES)' + 'MODULESDIR="""$(MODULESDIR_C)"""' ) + . '$(DEFINES)' . "'extradefines'"; our $lib_asflags = join(' ', $target{lib_asflags} || (), @{$config{lib_asflags}}, @@ -144,8 +144,8 @@ join(',', @{$target{dso_defines}}, @{$target{module_defines}}, @{$config{dso_defines}}, @{$config{module_defines}}, @cnf_defines, - #'$(DEFINES)' ) + . '$(DEFINES)' . "'extradefines'"; our $dso_asflags = join(' ', $target{dso_asflags} || (), $target{module_asflags} || (), 
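Review bot: In the descrip.mms.tmpl hunk at `@@ -9,7 +9,7 @@`, `sprintf "%02d", split(/\./, $config{version})` hands every component of the version string to a format with a single conversion, so the major number is selected only because the extra arguments are ignored. On Perl 5.22 and later this also produces a "Redundant argument in sprintf" warning when warnings are enabled; whether they are enabled during template evaluation is not visible here. Selecting the component explicitly states the intent: `our $osslver = sprintf "%02d", (split(/\./, $config{version}))[0];`. The same expression is added in VMS/openssl_ivp.com.in and VMS/openssl_utils.com.in later in this patch.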
@@ -180,8 +180,8 @@ join(',', @{$target{bin_defines}}, @{$config{bin_defines}}, @cnf_defines, - #'$(DEFINES)' ) + . '$(DEFINES)' . "'extradefines'"; our $bin_asflags = join(' ', $target{bin_asflags} || (), @@ -267,6 +267,7 @@ VERBOSE=$(V) VERBOSE_FAILURE=$(VF) VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} SHLIB_VERSION_NUMBER={- $config{shlib_version} -} @@ -355,7 +356,7 @@ OPENSSLDIR_C={- platform->osslprefix() -}DATAROOT:[000000] # Where installed ENGINE modules reside, for C ENGINESDIR_C={- platform->osslprefix() -}ENGINES{- $sover_dirname.$target{pointer_size} -}: # Where modules reside, for C -MODULESDIR_C={- platform->osslprefix() -}MODULES{- $sover_dirname.$target{pointer_size} -}: +MODULESDIR_C={- platform->osslprefix() -}MODULES{- $target{pointer_size} -}: ##### User defined commands and flags ################################ @@ -428,7 +429,9 @@ NODEBUG=@ $(NODEBUG) ! them, so we create it instead. This is an unfortunate $(NODEBUG) ! necessity. $(NODEBUG) ! - $(NODEBUG) DEFINE openssl "{- sourcedir('include/openssl') -} + $(NODEBUG) openssl_inc1 = F$PARSE("[.include.openssl]","A.;",,,"syntax_only") - "A.;" + $(NODEBUG) openssl_inc2 = F$PARSE("sourcetop:[include.openssl]","A.;",,,"SYNTAX_ONLY") - "A.;" + $(NODEBUG) DEFINE openssl 'openssl_inc1','openssl_inc2' $(NODEBUG) ! $(NODEBUG) ! Figure out the architecture $(NODEBUG) ! @@ -441,9 +444,10 @@ NODEBUG=@ .LAST : $(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEASSIGN ".uc($_) } @shlibs) || "!" -} + $(NODEBUG) DEASSIGN openssl $(NODEBUG) DEASSIGN ossl_dataroot $(NODEBUG) DEASSIGN ossl_installroot - $(NODEBUG) DEASSIGN openssl + $(NODEBUG) DEASSIGN ossl_sourceroot .DEFAULT : @ ! MMS cannot handle no actions... 
@@ -569,8 +573,10 @@ uninstall_docs : uninstall_html_docs {- output_off() if $disabled{fips}; "" -} install_fips : build_sw $(INSTALL_FIPSMODULECONF) @ WRITE SYS$OUTPUT "*** Installing FIPS module" + - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch'] + - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000] COPY/PROT=W:RE $(INSTALL_FIPSMODULES) - - ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME) + ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']$(FIPSMODULENAME) @ WRITE SYS$OUTPUT "*** Installing FIPS module configuration" COPY/PROT=W:RE $(INSTALL_FIPSMODULECONF) OSSL_DATAROOT:[000000] @@ -578,7 +584,7 @@ uninstall_fips : @ WRITE SYS$OUTPUT "*** Uninstalling FIPS module configuration" DELETE OSSL_DATAROOT:[000000]fipsmodule.cnf;* @ WRITE SYS$OUTPUT "*** Uninstalling FIPS module" - DELETE ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME);* + DELETE ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']$(FIPSMODULENAME);* {- output_on() if $disabled{fips}; "" -} install_ssldirs : check_INSTALLTOP @@ -607,7 +613,9 @@ install_dev : check_INSTALLTOP install_runtime_libs @ WRITE SYS$OUTPUT "*** Installing development files" @ ! Install header files - CREATE/DIR ossl_installroot:[include.openssl] - COPY/PROT=W:R openssl:*.h ossl_installroot:[include.openssl] + COPY/PROT=W:R ossl_sourceroot:[include.openssl]*.h - + ossl_installroot:[include.openssl] + COPY/PROT=W:R [.include.openssl]*.h ossl_installroot:[include.openssl] @ ! Install static (development) libraries - CREATE/DIR ossl_installroot:[LIB.'arch'] {- join("\n ", 
@@ -626,9 +634,9 @@ install_engines : check_INSTALLTOP install_runtime_libs build_modules install_modules : check_INSTALLTOP install_runtime_libs build_modules @ {- output_off() unless scalar @install_modules; "" -} ! @ WRITE SYS$OUTPUT "*** Installing modules" - - CREATE/DIR ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch'] + - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch'] {- join("\n ", - map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[MODULES$sover_dirname$target{pointer_size}.'arch']" } + map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[MODULES$target{pointer_size}.'arch']" } @install_modules) -} @ {- output_on() unless scalar @install_modules; "" -} ! @@ -904,7 +912,7 @@ EOF # my $target = platform->def($args{src}); my $mkdef = sourcefile('util', 'mkdef.pl'); - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || basename($args{product}, '.EXE'); my $case_insensitive = diff --git a/deps/openssl/openssl/Configurations/platform/Unix.pm b/deps/openssl/openssl/Configurations/platform/Unix.pm index c7d7d9eb808c89..8db0ed912e3a2f 100644 --- a/deps/openssl/openssl/Configurations/platform/Unix.pm +++ b/deps/openssl/openssl/Configurations/platform/Unix.pm 
@@ -63,9 +63,21 @@ sub sharedname_simple { } sub sharedlib_simple { - return undef if $_[0]->shlibext() eq $_[0]->shlibextsimple(); - return platform::BASE::__concat($_[0]->sharedname_simple($_[1]), - $_[0]->shlibextsimple()); + # This function returns the simplified shared library name (no version + # or variant in the shared library file name) if the simple variants of + # the base name or the suffix differ from the full variants of the same. + + # Note: if $_[1] isn't a shared library name, then $_[0]->sharedname() + # and $_[0]->sharedname_simple() will return undef. This needs being + # accounted for. + my $name = $_[0]->sharedname($_[1]); + my $simplename = $_[0]->sharedname_simple($_[1]); + my $ext = $_[0]->shlibext(); + my $simpleext = $_[0]->shlibextsimple(); + + return undef unless defined $simplename && defined $name; + return undef if ($name eq $simplename && $ext eq $simpleext); + return platform::BASE::__concat($simplename, $simpleext); } sub sharedlib_import { diff --git a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl index f88a70f4828ec7..52d2f6a64e9d80 100644 --- a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl +++ b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl @@ -67,6 +67,7 @@ BLDDIR={- $config{builddir} -} FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} SHLIB_VERSION_NUMBER={- $config{shlib_version} -} 
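Review bot: The rewritten `sharedlib_simple` in Unix.pm reads its arguments as `$_[0]` and `$_[1]` six times, which hides what the second argument is and keeps aliasing the caller's variables. Unpacking once at the top, `my ($self, $lib) = @_;`, and then calling `$self->sharedname($lib)` and `$self->sharedname_simple($lib)` would make the new undef checks easier to follow. Both early exits use `return undef`, which yields a one-element list when the sub is called in list context. If any caller (none is visible in this hunk) collects the result into a list, a bare `return;` would be the safer form.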
@@ -618,6 +619,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs install_fips: build_sw $(INSTALL_FIPSMODULECONF) @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR) @$(ECHO) "*** Installing FIPS module" @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)" @cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new @@ -691,11 +693,11 @@ install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing development files" @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl - @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c @chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ 
@@ -765,10 +767,10 @@ install_dev: install_runtime_libs uninstall_dev: uninstall_runtime_libs @$(ECHO) "*** Uninstalling development files" - @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ @@ -1305,23 +1307,23 @@ SSLHEADERS={- join(" \\\n" . ' ' x 11, fill_lines(" ", $COLUMNS - 11, sort keys %sslheaders)) -} renumber: build_generated - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libcrypto.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ --renumber \ $(CRYPTOHEADERS) - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libssl.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ --renumber \ $(SSLHEADERS) ordinals: build_generated - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libcrypto.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ $(CRYPTOHEADERS) - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libssl.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ $(SSLHEADERS) 
@@ -1529,7 +1531,7 @@ EOF # my $target = platform->def($args{src}); (my $mkdef_os = $target{shared_target}) =~ s|-shared$||; - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || $args{product}; return <<"EOF"; $target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl diff --git a/deps/openssl/openssl/Configurations/windows-makefile.tmpl b/deps/openssl/openssl/Configurations/windows-makefile.tmpl index 26357c75bc3475..4718f118e395a7 100644 --- a/deps/openssl/openssl/Configurations/windows-makefile.tmpl +++ b/deps/openssl/openssl/Configurations/windows-makefile.tmpl @@ -41,6 +41,7 @@ BLDDIR={- $config{builddir} -} FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} @@ -461,10 +462,10 @@ libclean: -del /Q /F $(LIBS) libcrypto.* libssl.* ossl_static.pdb clean: libclean - -rd /Q /S $(HTMLDOCS1_BLDDIRS) - -rd /Q /S $(HTMLDOCS3_BLDDIRS) - -rd /Q /S $(HTMLDOCS5_BLDDIRS) - -rd /Q /S $(HTMLDOCS7_BLDDIRS) + {- join("\n\t", map { "-del /Q /F $_" } @HTMLDOCS1) || "\@rem" -} + {- join("\n\t", map { "-del /Q /F $_" } @HTMLDOCS3) || "\@rem" -} + {- join("\n\t", map { "-del /Q /F $_" } @HTMLDOCS5) || "\@rem" -} + {- join("\n\t", map { "-del /Q /F $_" } @HTMLDOCS7) || "\@rem" -} {- join("\n\t", map { "-del /Q /F $_" } @PROGRAMS) || "\@rem" -} {- join("\n\t", map { "-del /Q /F $_" } @MODULES) || "\@rem" -} {- join("\n\t", map { "-del /Q /F $_" } @SCRIPTS) || "\@rem" -} 
@@ -499,6 +500,7 @@ uninstall_docs: uninstall_html_docs install_fips: build_sw $(INSTALL_FIPSMODULECONF) # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(MODULESDIR) + @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(OPENSSLDIR) @$(ECHO) "*** Installing FIPS module" @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(MODULESDIR)\$(FIPSMODULENAME)" @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(INSTALL_FIPSMODULE)" "$(MODULESDIR)" @@ -541,10 +543,10 @@ install_dev: install_runtime_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" - @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_off() if $disabled{uplink}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \ "$(INSTALLTOP)\include\openssl" - @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_on() if $disabled{uplink}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \ "$(SRCDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" @@ -727,7 +729,7 @@ EOF my $mkdef = abs2rel(rel2abs(catfile($config{sourcedir}, "util", "mkdef.pl")), rel2abs($config{builddir})); - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || platform->dsoname($args{product}); return <<"EOF"; @@ -981,6 +983,7 @@ EOF @{$args{objs}}; my @deps = compute_lib_depends(@{$args{deps}}); my $objs = join($target{ld_resp_delim}, @objs); + my $ress = join($target{ld_resp_delim}, @ress); my $linklibs = join("", map { "$_$target{ld_resp_delim}" } @deps); my $deps = join(" ", @objs, @ress, @deps); return <<"EOF"; 
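Review bot: The line added to `install_fips` in windows-makefile.tmpl, `@$(PERL) $(SRCDIR)\util\mkdir-p.pl $(OPENSSLDIR)`, passes the directory unquoted. If `OPENSSLDIR` expands to a path containing spaces, it reaches mkdir-p.pl as several arguments and the intended directory is not created. The value of `OPENSSLDIR` is not visible in this hunk, but the `install_dev` rule in the next hunk already quotes each operand. Writing it the same way avoids the split: `@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"`. The matching addition in unix-Makefile.tmpl, `$(DESTDIR)$(OPENSSLDIR)`, is unquoted as well, as is the existing `$(MODULESDIR)` line above it in both files.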
diff --git a/deps/openssl/openssl/NEWS.md b/deps/openssl/openssl/NEWS.md index b71a55d0514a4d..c27423e584e316 100644 --- a/deps/openssl/openssl/NEWS.md +++ b/deps/openssl/openssl/NEWS.md @@ -18,6 +18,13 @@ OpenSSL Releases OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021] + + * Fixed invalid handling of X509_verify_cert() internal errors in libssl + ([CVE-2021-4044]) + * Allow fetching an operation from the provider that owns an unexportable key + as a fallback if that is still allowed by the property query. + ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021] * Enhanced 'openssl list' with many new options. diff --git a/deps/openssl/openssl/NOTES-VALGRIND.md b/deps/openssl/openssl/NOTES-VALGRIND.md index a37e323e23fbe1..2700324efa36d5 100644 --- a/deps/openssl/openssl/NOTES-VALGRIND.md +++ b/deps/openssl/openssl/NOTES-VALGRIND.md @@ -16,7 +16,7 @@ Requirements See 2. Valgrind installed on the platform See -3. OpensSSL compiled +3. OpenSSL compiled See [INSTALL.md](INSTALL.md) Running Tests diff --git a/deps/openssl/openssl/README.md b/deps/openssl/openssl/README.md index 49650f8d42df3d..f960fd8e675420 100644 --- a/deps/openssl/openssl/README.md +++ b/deps/openssl/openssl/README.md 
@@ -4,27 +4,28 @@ What This Is This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition to the website, the official source distribution is at . The OpenSSL `README` can be found at -[README-OpenSSL.md](README-OpenSSL.md). +[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.1%2Bquic/README-OpenSSL.md) -This fork adds API that can be used by QUIC implementations for connection +This fork adds APIs that can be used by QUIC implementations for connection handshakes. Quoting the IETF Working group [charter](https://datatracker.ietf.org/wg/quic/about/), QUIC is a "UDP-based, stream-multiplexing, encrypted transport protocol." If you don't need QUIC, you should use the official OpenSSL distributions. -This API's here are used by Microsoft's +The APIs here are used by Microsoft's [MsQuic](https://github.com/microsoft/msquic) and Google's [Chromium QUIC](https://chromium.googlesource.com/chromium/src/+/master/net/quic/) We are not in competition with OpenSSL project. We informed them of our plans to fork the code before we went public. We do not speak for the OpenSSL project, and can only point to a -[blog post](https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/) that -provides their view of QUIC support. +[blog post](https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/) and +[openssl-project email](https://github.com/quictls/openssl/discussions/54) +that provides their view of QUIC support. As stated in their blog post, the OpenSSL team is focused on their 3.0 release -which is still in alpha, and does not intend to add QUIC functionality to 1.1.x. -There is a community need for a QUIC capable TLS library. This fork is intended +(released 2021-09-07), and does not intend to add QUIC functionality to 1.1.x. +There is a community need for a QUIC-capable TLS library. 
This fork is intended as stopgap solution to enable higher level frameworks and runtimes to use QUIC with the proven and reliable TLS functionality from OpenSSL. This fork will be maintained until OpenSSL officially provides reasonable support for QUIC @@ -42,8 +43,8 @@ What about branches? We don't want to conflict with OpenSSL branch names. Our current plan is to append `+quic`. Release tags are likely to be the QUIC branch with `-releaseX` appended. -For example, the OpenSSL tag `openssl-3.0.0-alpha12` would have a branch named -`openssl-3.0.0-alpha12+quic` and a release tag of `openssl-3.0.0-alpha12+quic-release1` +For example, the OpenSSL tag `openssl-3.0.0` would have a branch named +`openssl-3.0.0+quic` and a release tag of `openssl-3.0.0+quic-release1`. How are you keeping current with OpenSSL? ----------------------------------------- @@ -65,13 +66,13 @@ What about library names? Library names will be the same, but will use a different version number. The version numbers for the current OpenSSL libraries are `1.1` (for the 1.1.0 and 1.1.1 branches) -and `3` (for the to-be-3.0 branch). We will be prefixing 81 (ASCII for 'Q') to +and `3` (for the 3.0 branch). We will be prefixing `81` (ASCII for 'Q') to the version numbers to generate a unique version number. -- libcrypto.so.81.3 vs libcrypto.so.3 -- libcrypto.so.81.1.1 vs libcrypto.so.1.1 -- libssl.so.81.3 vs libssl.so.3 -- libssl.so.81.1.1 vs libsslo.so.1.1 +- `libcrypto.so.81.3` vs `libcrypto.so.3` +- `libcrypto.so.81.1.1` vs `libcrypto.so.1.1` +- `libssl.so.81.3` vs `libssl.so.3` +- `libssl.so.81.1.1` vs `libssl.so.1.1` The SONAME of these libraries are all different, guaranteeing the correct library will be used. diff --git a/deps/openssl/openssl/SUPPORT.md b/deps/openssl/openssl/SUPPORT.md index bf88c2147e3996..c0b6babe89ada9 100644 --- a/deps/openssl/openssl/SUPPORT.md +++ b/deps/openssl/openssl/SUPPORT.md 
@@ -55,7 +55,7 @@ particular the manual pages, can be reported as issues. The fastest way to get a bug fixed is to fix it yourself ;-). If you are experienced in programming and know how to fix the bug, you can open a -pull request. The details are covered in the [Contributing](#contributing) section. +pull request. The details are covered in the [Contributing][contributing] section. Don't hesitate to open a pull request, even if it's only a small change like a grammatical or typographical error in the documentation. @@ -89,3 +89,5 @@ anymore, the searchable archive may still contain useful information. [openssl-announce]: https://mta.openssl.org/mailman/listinfo/openssl-announce [openssl-project]: https://mta.openssl.org/mailman/listinfo/openssl-project [openssl-dev]: https://mta.openssl.org/mailman/listinfo/openssl-dev +[github-issues]: https://github.com/openssl/openssl/issues/new/choose +[contributing]: https://github.com/openssl/openssl/blob/master/CONTRIBUTING.md diff --git a/deps/openssl/openssl/VERSION.dat b/deps/openssl/openssl/VERSION.dat index ed466e603880df..442559b71c9b78 100644 --- a/deps/openssl/openssl/VERSION.dat +++ b/deps/openssl/openssl/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 -PATCH=0 +PATCH=1 PRE_RELEASE_TAG= BUILD_METADATA=quic -RELEASE_DATE="7 sep 2021" +RELEASE_DATE="14 Dec 2021" SHLIB_VERSION=81.3 diff --git a/deps/openssl/openssl/VMS/openssl_ivp.com.in b/deps/openssl/openssl/VMS/openssl_ivp.com.in index 825a699c4f7ec5..6810792b38d3d6 100644 --- a/deps/openssl/openssl/VMS/openssl_ivp.com.in +++ b/deps/openssl/openssl/VMS/openssl_ivp.com.in 
@@ -14,8 +14,8 @@ $ INSTALLTOP_ = F$PARSE("A.;",INSTALLTOP,,,"NO_CONCEAL") - $ OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") - - ".][000000" - "[000000." - "][" - "]A.;" + "." $ -$ v := {- sprintf "%02d%02d", split(/\./, $config{version}) -} -$ pz := {- $config{pointer_size} -} +$ v := {- sprintf "%02d", split(/\./, $config{version}) -} +$ pz := {- $target{pointer_size} -} $ $ @'INSTALLTOP_'SYS$STARTUP]openssl_startup'v' $ @'INSTALLTOP_'SYS$STARTUP]openssl_utils'v' @@ -41,6 +41,12 @@ $ $ ! FUTURE ENHANCEMENT: Verify that engines are where they should be. $ ! openssl engine -c -t checker $ +$ ! Verify that the built in providers are reachable. If they aren't, +$ ! then we're likely to get an image activation error here +$ openssl list -provider base -providers +$ openssl list -provider default -providers +$ openssl list -provider legacy -providers +$ $ WRITE SYS$ERROR "OpenSSL IVP passed" $ EXIT %x10000001 $ diff --git a/deps/openssl/openssl/VMS/openssl_shutdown.com.in b/deps/openssl/openssl/VMS/openssl_shutdown.com.in index c3b8de8b6d68bc..4193c900f9e99e 100644 --- a/deps/openssl/openssl/VMS/openssl_shutdown.com.in +++ b/deps/openssl/openssl/VMS/openssl_shutdown.com.in @@ -26,15 +26,16 @@ $ ENDIF $ $ ! Abbrevs $ DEAS := DEASSIGN /NOLOG 'P1' -$ sv := {- sprintf "%02d%02d", split m|\.|, $config{shlib_version} -} -$ pz := {- $config{pointer_size} -} +$ sv := {- platform->shlib_version_as_filename(); -} +$ pz := {- $target{pointer_size} -} $ $ DEAS OSSL$DATAROOT $ DEAS OSSL$INSTROOT $ DEAS OSSL$INCLUDE $ DEAS OSSL$LIB $ DEAS OSSL$SHARE -$ DEAS OSSL$ENGINES'sv' +$ DEAS OSSL$ENGINES'sv''pz' +$ DEAS OSSL$MODULES'pz' $ DEAS OSSL$EXE $ DEAS OSSL$LIBCRYPTO'pz' $ DEAS OSSL$LIBSSL'pz' @@ -46,7 +47,7 @@ $ DEAS OPENSSL $ $ IF P2 .NES. "NOALIASES" $ THEN -$ DEAS OSSL$ENGINES +$ DEAS OSSL$ENGINES'pz' ${- output_off() if $config{no_shared}; "" -} $ DEAS OSSL$LIBCRYPTO_SHR'pz' $ DEAS OSSL$LIBSSL_SHR'pz' 
diff --git a/deps/openssl/openssl/VMS/openssl_startup.com.in b/deps/openssl/openssl/VMS/openssl_startup.com.in index a6624eb6983a65..bbf3e3b4e6e488 100644 --- a/deps/openssl/openssl/VMS/openssl_startup.com.in +++ b/deps/openssl/openssl/VMS/openssl_startup.com.in @@ -15,7 +15,8 @@ $ ! are located $ ! OSSL$SHARE Where the shareable image files $ ! are located $ ! OSSL$EXE Where the executables are located -$ ! OSSL$ENGINESnnn Where the shareable images are located +$ ! OSSL$ENGINESnnn Where the engines modules are located +$ ! OSSL$MODULES Where the non-engine modules are located $ ! OSSL$LIBCRYPTO The static crypto library $ ! OSSL$LIBSSL The static ssl library $ ! OSSL$LIBCRYPTOnnn_SHR The shareable crypto image @@ -88,8 +89,8 @@ $ $ ! Abbrevs $ DEFT := DEFINE /TRANSLATION=CONCEALED /NOLOG 'P1' $ DEF := DEFINE /NOLOG 'P1' -$ sv := {- sprintf "%02d%02d", split m|\.|, $config{shlib_version} -} -$ pz := {- $config{pointer_size} -} +$ sv := {- platform->shlib_version_as_filename(); -} +$ pz := {- $target{pointer_size} -} $ $ DEFT OSSL$DATAROOT 'OPENSSLDIR_'] $ DEFT OSSL$INSTROOT 'INSTALLTOP_'] @@ -97,6 +98,7 @@ $ DEFT OSSL$INCLUDE 'INSTALLTOP_'INCLUDE.] $ DEF OSSL$LIB OSSL$INSTROOT:[LIB.'arch'] $ DEF OSSL$SHARE OSSL$INSTROOT:[LIB.'arch'] $ DEF OSSL$ENGINES'sv''pz' OSSL$INSTROOT:[ENGINES'sv''pz'.'arch'] +$ DEF OSSL$MODULES'pz' OSSL$INSTROOT:[MODULES'pz'.'arch'] $ DEF OSSL$EXE OSSL$INSTROOT:[EXE.'arch'],- OSSL$INSTROOT:[EXE] $ DEF OSSL$LIBCRYPTO'pz' OSSL$LIB:OSSL$LIBCRYPTO'pz'.OLB diff --git a/deps/openssl/openssl/VMS/openssl_utils.com.in b/deps/openssl/openssl/VMS/openssl_utils.com.in index edd733d7bb18e4..900d0462c5a9c2 100644 --- a/deps/openssl/openssl/VMS/openssl_utils.com.in +++ b/deps/openssl/openssl/VMS/openssl_utils.com.in @@ -1,7 +1,7 @@ $ ! OpenSSL utilities $ ! $ -$ v := {- sprintf "%02d%02d", split(/\./, $config{version}) -} +$ v := {- sprintf "%02d", split(/\./, $config{version}) -} $ $ OPENSSL'v' :== $OSSL$EXE:OPENSSL'v' $ OPENSSL :== $OSSL$EXE:OPENSSL'v' 
diff --git a/deps/openssl/openssl/apps/cmp.c b/deps/openssl/openssl/apps/cmp.c index 74c8cd71f1a8f5..01a437fe482748 100644 --- a/deps/openssl/openssl/apps/cmp.c +++ b/deps/openssl/openssl/apps/cmp.c @@ -9,6 +9,8 @@ * https://www.openssl.org/source/license.html */ +/* This app is disabled when OPENSSL_NO_CMP is defined. */ + #include #include @@ -66,12 +68,13 @@ typedef enum { } cmp_cmd_t; /* message transfer */ +#ifndef OPENSSL_NO_SOCK static char *opt_server = NULL; -static char server_port[32] = { '\0' }; -static char *opt_path = NULL; static char *opt_proxy = NULL; static char *opt_no_proxy = NULL; +#endif static char *opt_recipient = NULL; +static char *opt_path = NULL; static int opt_keep_alive = 1; static int opt_msg_timeout = -1; static int opt_total_timeout = -1; @@ -137,6 +140,7 @@ static int opt_keyform = FORMAT_UNDEF; static char *opt_otherpass = NULL; static char *opt_engine = NULL; +#ifndef OPENSSL_NO_SOCK /* TLS connection */ static int opt_tls_used = 0; static char *opt_tls_cert = NULL; @@ -145,6 +149,7 @@ static char *opt_tls_keypass = NULL; static char *opt_tls_extra = NULL; static char *opt_tls_trusted = NULL; static char *opt_tls_host = NULL; +#endif /* client-side debugging */ static int opt_batch = 0; @@ -157,9 +162,10 @@ static char *opt_rspout = NULL; static int opt_use_mock_srv = 0; /* server-side debugging */ +#ifndef OPENSSL_NO_SOCK static char *opt_port = NULL; static int opt_max_msgs = 0; - +#endif static char *opt_srv_ref = NULL; static char *opt_srv_secret = NULL; static char *opt_srv_cert = NULL; @@ -204,8 +210,10 @@ typedef enum OPTION_choice { OPT_OLDCERT, OPT_REVREASON, - OPT_SERVER, OPT_PATH, OPT_PROXY, OPT_NO_PROXY, - OPT_RECIPIENT, +#ifndef OPENSSL_NO_SOCK + OPT_SERVER, OPT_PROXY, OPT_NO_PROXY, +#endif + OPT_RECIPIENT, OPT_PATH, OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT, OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT, 
@@ -225,15 +233,19 @@ typedef enum OPTION_choice { OPT_PROV_ENUM, OPT_R_ENUM, +#ifndef OPENSSL_NO_SOCK OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY, OPT_TLS_KEYPASS, OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST, +#endif OPT_BATCH, OPT_REPEAT, OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT, OPT_USE_MOCK_SRV, +#ifndef OPENSSL_NO_SOCK OPT_PORT, OPT_MAX_MSGS, +#endif OPT_SRV_REF, OPT_SRV_SECRET, OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS, OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED, @@ -331,20 +343,25 @@ const OPTIONS cmp_options[] = { "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"}, OPT_SECTION("Message transfer"), +#ifdef OPENSSL_NO_SOCK + {OPT_MORE_STR, 0, 0, + "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock build"}, +#else {"server", OPT_SERVER, 's', "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."}, {OPT_MORE_STR, 0, 0, "address may be a DNS name or an IP address; path can be overridden by -path"}, - {"path", OPT_PATH, 's', - "HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""}, {"proxy", OPT_PROXY, 's', "[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is ignored"}, {"no_proxy", OPT_NO_PROXY, 's', "List of addresses of servers not to use HTTP(S) proxy for"}, {OPT_MORE_STR, 0, 0, "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"}, +#endif {"recipient", OPT_RECIPIENT, 's', "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"}, + {"path", OPT_PATH, 's', + "HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""}, {"keep_alive", OPT_KEEP_ALIVE, 'N', "Persistent HTTP connections. 0: no, 1 (the default): request, 2: require"}, {"msg_timeout", OPT_MSG_TIMEOUT, 'N', 
@@ -419,6 +436,10 @@ const OPTIONS cmp_options[] = { OPT_R_OPTIONS, OPT_SECTION("TLS connection"), +#ifdef OPENSSL_NO_SOCK + {OPT_MORE_STR, 0, 0, + "NOTE: -tls_used and all other TLS options not supported due to no-sock build"}, +#else {"tls_used", OPT_TLS_USED, '-', "Enable using TLS (also when other TLS options are not set)"}, {"tls_cert", OPT_TLS_CERT, 's', @@ -434,6 +455,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "this implies host name validation"}, {"tls_host", OPT_TLS_HOST, 's', "Address to be checked (rather than -server) during TLS host name validation"}, +#endif OPT_SECTION("Client-side debugging"), {"batch", OPT_BATCH, '-', @@ -451,9 +473,14 @@ const OPTIONS cmp_options[] = { {"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level, bypassing HTTP"}, OPT_SECTION("Mock server"), +#ifdef OPENSSL_NO_SOCK + {OPT_MORE_STR, 0, 0, + "NOTE: -port and -max_msgs not supported due to no-sock build"}, +#else {"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"}, {"max_msgs", OPT_MAX_MSGS, 'N', "max number of messages handled by HTTP mock server. Default: 0 = unlimited"}, +#endif {"srv_ref", OPT_SRV_REF, 's', "Reference value to use as senderKID of server in case no -srv_cert is given"}, @@ -532,8 +559,10 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_oldcert}, {(char **)&opt_revreason}, - {&opt_server}, {&opt_path}, {&opt_proxy}, {&opt_no_proxy}, - {&opt_recipient}, {(char **)&opt_keep_alive}, +#ifndef OPENSSL_NO_SOCK + {&opt_server}, {&opt_proxy}, {&opt_no_proxy}, +#endif + {&opt_recipient}, {&opt_path}, {(char **)&opt_keep_alive}, {(char **)&opt_msg_timeout}, {(char **)&opt_total_timeout}, {&opt_trusted}, {&opt_untrusted}, {&opt_srvcert}, 
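Review bot: In the `cmp_vars[]` hunk at `@@ -532,8 +559,10 @@`, the new `#ifndef OPENSSL_NO_SOCK` group and the moved `{&opt_path}` entry have to mirror the guards added to `OPTION_choice` by hand, and the only safeguard is the existing "must be in same order as enumerated above!" comment. Because the entries are stored through `(char **)` casts, a mismatch in either build configuration would presumably make option handling write to the wrong variable rather than fail to compile. A comment on each guarded group naming its counterpart, for example `/* keep in step with the OPENSSL_NO_SOCK group in OPTION_choice */`, would make drift easier to spot, and a build-time comparison of the table length with the enum range would catch it outright. The same applies to the guarded groups added to `cmp_vars[]` in the `@@ -552,15 +581,20 @@` hunk. Both tables extend beyond these hunks.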
@@ -552,15 +581,20 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_engine}, #endif +#ifndef OPENSSL_NO_SOCK {(char **)&opt_tls_used}, {&opt_tls_cert}, {&opt_tls_key}, {&opt_tls_keypass}, {&opt_tls_extra}, {&opt_tls_trusted}, {&opt_tls_host}, +#endif {(char **)&opt_batch}, {(char **)&opt_repeat}, {&opt_reqin}, {(char **)&opt_reqin_new_tid}, {&opt_reqout}, {&opt_rspin}, {&opt_rspout}, - {(char **)&opt_use_mock_srv}, {&opt_port}, {(char **)&opt_max_msgs}, + {(char **)&opt_use_mock_srv}, +#ifndef OPENSSL_NO_SOCK + {&opt_port}, {(char **)&opt_max_msgs}, +#endif {&opt_srv_ref}, {&opt_srv_secret}, {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass}, {&opt_srv_trusted}, {&opt_srv_untrusted}, @@ -613,6 +647,12 @@ static int print_to_bio_out(const char *func, const char *file, int line, return OSSL_CMP_print_to_bio(bio_out, func, file, line, level, msg); } +static int print_to_bio_err(const char *func, const char *file, int line, + OSSL_CMP_severity level, const char *msg) +{ + return OSSL_CMP_print_to_bio(bio_err, func, file, line, level, msg); +} + static int set_verbosity(int level) { if (level < OSSL_CMP_LOG_EMERG || level > OSSL_CMP_LOG_MAX) { @@ -747,6 +787,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *req_new = NULL; OSSL_CMP_MSG *res = NULL; OSSL_CMP_PKIHEADER *hdr; + const char *prev_opt_rspin = opt_rspin; if (req != NULL && opt_reqout != NULL && !write_PKIMESSAGE(req, &opt_reqout)) @@ -776,7 +817,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx, if (res == NULL) goto err; - if (opt_reqin != NULL || opt_rspin != NULL) { + if (opt_reqin != NULL || prev_opt_rspin != NULL) { /* need to satisfy nonce and transactionID checks */ ASN1_OCTET_STRING *nonce; ASN1_OCTET_STRING *tid; 
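Review bot: `prev_opt_rspin` is introduced in `read_write_req_resp` at `@@ -747,6 +787,7 @@` without a comment, and neither hunk shows why the check at `@@ -776,7 +817,7 @@` must test the snapshot rather than `opt_rspin`. Presumably the code between the two hunks that reads the response file changes `opt_rspin`, but that code is outside the visible lines. A comment at the declaration would keep a later cleanup from folding the variable back into `opt_rspin`, for example `/* value of opt_rspin on entry; the nonce/transactionID fix-up below must not depend on later changes to it */`. The function body starts before and continues after both hunks.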
@@ -1318,7 +1359,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host, SSL_CTX_free(ssl_ctx); return NULL; } -#endif +#endif /* OPENSSL_NO_SOCK */ /* * set up protection aspects of OSSL_CMP_CTX based on options from config @@ -1758,12 +1799,16 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx) static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) { int ret = 0; - char *host = NULL, *port = NULL, *path = NULL, *used_path; + char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path; +#ifndef OPENSSL_NO_SOCK int portnum, ssl; + static char server_port[32] = { '\0' }; + const char *proxy_host = NULL; +#endif char server_buf[200] = { '\0' }; char proxy_buf[200] = { '\0' }; - const char *proxy_host = NULL; +#ifndef OPENSSL_NO_SOCK if (opt_server == NULL) { CMP_err("missing -server option"); goto err; @@ -1777,11 +1822,12 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_err("missing -tls_used option since -server URL indicates https"); goto err; } + BIO_snprintf(server_port, sizeof(server_port), "%s", port); - used_path = opt_path != NULL ? opt_path : path; + if (opt_path == NULL) + used_path = path; if (!OSSL_CMP_CTX_set1_server(ctx, host) - || !OSSL_CMP_CTX_set_serverPort(ctx, portnum) - || !OSSL_CMP_CTX_set1_serverPath(ctx, used_path)) + || !OSSL_CMP_CTX_set_serverPort(ctx, portnum)) goto oom; if (opt_proxy != NULL && !OSSL_CMP_CTX_set1_proxy(ctx, opt_proxy)) goto oom; @@ -1795,6 +1841,10 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (proxy_host != NULL) (void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", proxy_host); +#endif + + if (!OSSL_CMP_CTX_set1_serverPath(ctx, used_path)) + goto oom; if (!transform_opts()) goto err; 
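Review bot: In `setup_client_ctx` the added `BIO_snprintf(server_port, sizeof(server_port), "%s", port);` ignores its return value, so a port string that does not fit the new 32-byte buffer would be truncated silently. Checking for the failure, e.g. `if (BIO_snprintf(server_port, sizeof(server_port), "%s", port) < 0) goto err;`, keeps a clipped value from being used later. The declaration hunk also makes the buffer `static` without saying why; if a pointer to it is kept after the function returns (the use is outside these hunks), a one-line comment to that effect would help. The function body continues outside the hunks shown.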
@@ -1835,16 +1885,13 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) || opt_rspin != NULL || opt_rspout != NULL || opt_use_mock_srv) (void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp); +#ifndef OPENSSL_NO_SOCK if ((opt_tls_cert != NULL || opt_tls_key != NULL || opt_tls_keypass != NULL || opt_tls_extra != NULL || opt_tls_trusted != NULL || opt_tls_host != NULL) && !opt_tls_used) CMP_warn("TLS options(s) given but not -tls_used"); if (opt_tls_used) { -#ifdef OPENSSL_NO_SOCK - BIO_printf(bio_err, "Cannot use TLS - sockets not supported\n"); - goto err; -#else APP_HTTP_TLS_INFO *info; if (opt_tls_cert != NULL @@ -1873,8 +1920,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (info->ssl_ctx == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb); -#endif } +#endif if (!setup_protection_ctx(ctx, engine)) goto err; @@ -1989,7 +2036,7 @@ static void print_itavs(STACK_OF(OSSL_CMP_ITAV) *itavs) } static char opt_item[SECTION_NAME_MAX + 1]; -/* get previous name from a comma-separated list of names */ +/* get previous name from a comma or space-separated list of names */ static const char *prev_item(const char *opt, const char *end) { const char *beg; 
@@ -1998,19 +2045,28 @@ static const char *prev_item(const char *opt, const char *end) if (end == opt) return NULL; beg = end; - while (beg != opt && beg[-1] != ',' && !isspace(beg[-1])) - beg--; + while (beg > opt) { + --beg; + if (beg[0] == ',' || isspace(beg[0])) { + ++beg; + break; + } + } len = end - beg; - if (len > SECTION_NAME_MAX) + if (len > SECTION_NAME_MAX) { + CMP_warn3("using only first %d characters of section name starting with \"%.*s\"", + SECTION_NAME_MAX, SECTION_NAME_MAX, beg); len = SECTION_NAME_MAX; - strncpy(opt_item, beg, len); - opt_item[SECTION_NAME_MAX] = '\0'; /* avoid gcc v8 O3 stringop-truncation */ + } + memcpy(opt_item, beg, len); opt_item[len] = '\0'; - if (len > SECTION_NAME_MAX) - CMP_warn2("using only first %d characters of section name starting with \"%s\"", - SECTION_NAME_MAX, opt_item); - while (beg != opt && (beg[-1] == ',' || isspace(beg[-1]))) - beg--; + while (beg > opt) { + --beg; + if (beg[0] != ',' && !isspace(beg[0])) { + ++beg; + break; + } + } return beg; } @@ -2058,16 +2114,16 @@ static int read_config(void) long num = 0; char *txt = NULL; const OPTIONS *opt; - int start = OPT_VERBOSITY; + int start_opt = OPT_VERBOSITY - OPT_HELP; + int start_idx = OPT_VERBOSITY - 2; /* * starting with offset OPT_VERBOSITY because OPT_CONFIG and OPT_SECTION * would not make sense within the config file. - * Moreover, these two options and OPT_VERBOSITY have already been handled. */ int n_options = OSSL_NELEM(cmp_options) - 1; - for (i = start - OPT_HELP, opt = &cmp_options[start]; - opt->name; i++, opt++) + for (opt = &cmp_options[start_opt], i = start_idx; + opt->name != NULL; i++, opt++) if (!strcmp(opt->name, OPT_SECTION_STR) || !strcmp(opt->name, OPT_MORE_STR)) n_options--; 
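Review bot: The rewritten scanning loops in `prev_item` pass a plain `char` to `isspace()` (`isspace(beg[0])`, in both loops), which is undefined behaviour for bytes above 0x7F on platforms where `char` is signed. The string being scanned appears to be an externally supplied list of section names, so the argument should be converted first: `if (beg[0] == ',' || isspace((unsigned char)beg[0]))` and, in the second loop, `if (beg[0] != ',' && !isspace((unsigned char)beg[0]))`. The removed lines used the same pattern with `beg[-1]`, so this is a carry-over rather than a regression.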
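Review bot: In `read_config` the literal in `int start_idx = OPT_VERBOSITY - 2;` is unexplained, whereas `start_opt` next to it is written relative to `OPT_HELP`. What `i` indexes is not visible in this hunk, so the meaning of `2` has to be guessed. If it is the enum value of the first option that has a table entry, spelling it with that enumerator, or adding a comment such as `/* index of OPT_VERBOSITY in the table indexed by i */`, would make the coupling explicit. The same pair of start values is reused by the second loop in the following hunk.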
@@ -2075,8 +2131,8 @@ static int read_config(void) + OPT_PROV__FIRST + 1 - OPT_PROV__LAST + OPT_R__FIRST + 1 - OPT_R__LAST + OPT_V__FIRST + 1 - OPT_V__LAST); - for (i = start - OPT_HELP, opt = &cmp_options[start]; - opt->name; i++, opt++) { + for (opt = &cmp_options[start_opt], i = start_idx; + opt->name != NULL; i++, opt++) { int provider_option = (OPT_PROV__FIRST <= opt->retval && opt->retval < OPT_PROV__LAST); int rand_state_option = (OPT_R__FIRST <= opt->retval @@ -2106,7 +2162,7 @@ static int read_config(void) num, opt->name); return -1; } - if (opt->valtype == 'N' && num <= 0) { + if (opt->valtype == 'N' && num < 0) { opt_printf_stderr("Negative number \"%ld\" for config option -%s\n", num, opt->name); return -1; @@ -2216,8 +2272,12 @@ static int get_opts(int argc, char **argv) return -1; case OPT_CONFIG: /* has already been handled */ case OPT_SECTION: /* has already been handled */ - case OPT_VERBOSITY: /* has already been handled */ break; + case OPT_VERBOSITY: + if (!set_verbosity(opt_int_arg())) + goto opthelp; + break; +#ifndef OPENSSL_NO_SOCK case OPT_SERVER: opt_server = opt_str(); break; @@ -2227,12 +2287,13 @@ static int get_opts(int argc, char **argv) case OPT_NO_PROXY: opt_no_proxy = opt_str(); break; - case OPT_PATH: - opt_path = opt_str(); - break; +#endif case OPT_RECIPIENT: opt_recipient = opt_str(); break; + case OPT_PATH: + opt_path = opt_str(); + break; case OPT_KEEP_ALIVE: opt_keep_alive = opt_int_arg(); if (opt_keep_alive > 2) { @@ -2246,6 +2307,7 @@ static int get_opts(int argc, char **argv) case OPT_TOTAL_TIMEOUT: opt_total_timeout = opt_int_arg(); break; +#ifndef OPENSSL_NO_SOCK case OPT_TLS_USED: opt_tls_used = 1; break; @@ -2267,6 +2329,8 @@ static int get_opts(int argc, char **argv) case OPT_TLS_HOST: opt_tls_host = opt_str(); break; +#endif + case OPT_REF: opt_ref = opt_str(); break; 
@@ -2455,12 +2519,15 @@ static int get_opts(int argc, char **argv) case OPT_USE_MOCK_SRV: opt_use_mock_srv = 1; break; + +#ifndef OPENSSL_NO_SOCK case OPT_PORT: opt_port = opt_str(); break; case OPT_MAX_MSGS: opt_max_msgs = opt_int_arg(); break; +#endif case OPT_SRV_REF: opt_srv_ref = opt_str(); break; @@ -2625,7 +2692,9 @@ int cmp_main(int argc, char **argv) int i; X509 *newcert = NULL; ENGINE *engine = NULL; +#ifndef OPENSSL_NO_SOCK char mock_server[] = "mock server:1"; +#endif OSSL_CMP_CTX *srv_cmp_ctx = NULL; int ret = 0; /* default: failure */ @@ -2687,6 +2756,8 @@ int cmp_main(int argc, char **argv) } } ret = read_config(); + if (!set_verbosity(opt_verbosity)) /* just for checking range */ + ret = -1; if (ret <= 0) { if (ret == -1) BIO_printf(bio_err, "Use -help for summary.\n"); @@ -2714,6 +2785,7 @@ int cmp_main(int argc, char **argv) } } +#ifndef OPENSSL_NO_SOCK if (opt_port != NULL) { if (opt_use_mock_srv) { CMP_err("cannot use both -port and -use_mock_srv options"); @@ -2724,6 +2796,7 @@ int cmp_main(int argc, char **argv) goto err; } } +#endif cmp_ctx = OSSL_CMP_CTX_new(app_get0_libctx(), app_get0_propq()); if (cmp_ctx == NULL) @@ -2733,14 +2806,18 @@ int cmp_main(int argc, char **argv) CMP_err1("cannot set up error reporting and logging for %s", prog); goto err; } - if ((opt_use_mock_srv || opt_port != NULL)) { + if (opt_use_mock_srv +#ifndef OPENSSL_NO_SOCK + || opt_port != NULL +#endif + ) { OSSL_CMP_SRV_CTX *srv_ctx; if ((srv_ctx = setup_srv_ctx(engine)) == NULL) goto err; srv_cmp_ctx = OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx); OSSL_CMP_CTX_set_transfer_cb_arg(cmp_ctx, srv_ctx); - if (!OSSL_CMP_CTX_set_log_cb(srv_cmp_ctx, print_to_bio_out)) { + if (!OSSL_CMP_CTX_set_log_cb(srv_cmp_ctx, print_to_bio_err)) { CMP_err1("cannot set up error reporting and logging for %s", prog); goto err; } 
@@ -2748,17 +2825,16 @@ int cmp_main(int argc, char **argv) } +#ifndef OPENSSL_NO_SOCK if (opt_port != NULL) { /* act as very basic CMP HTTP server */ -#ifdef OPENSSL_NO_SOCK - BIO_printf(bio_err, "Cannot act as server - sockets not supported\n"); -#else ret = cmp_server(srv_cmp_ctx); -#endif goto err; } +#endif /* else act as CMP client */ if (opt_use_mock_srv) { +#ifndef OPENSSL_NO_SOCK if (opt_server != NULL) { CMP_err("cannot use both -use_mock_srv and -server options"); goto err; @@ -2769,6 +2845,7 @@ int cmp_main(int argc, char **argv) } opt_server = mock_server; opt_proxy = "API"; +#endif } if (!setup_client_ctx(cmp_ctx, engine)) { @@ -2833,7 +2910,14 @@ int cmp_main(int argc, char **argv) const char *string = OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf, OSSL_CMP_PKISI_BUFLEN); + const char *from = "", *server = ""; +#ifndef OPENSSL_NO_SOCK + if (opt_server != NULL) { + from = " from "; + server = opt_server; + } +#endif CMP_print(bio_err, status == OSSL_CMP_PKISTATUS_accepted ? OSSL_CMP_LOG_INFO : @@ -2844,8 +2928,8 @@ int cmp_main(int argc, char **argv) status == OSSL_CMP_PKISTATUS_rejection ? "server error" : status == OSSL_CMP_PKISTATUS_waiting ? "internal error" : "warning", - "received from %s %s %s", opt_server, - string != NULL ? string : "", ""); + "received%s%s %s", from, server, + string != NULL ? string : ""); OPENSSL_free(buf); } @@ -2882,7 +2966,9 @@ int cmp_main(int argc, char **argv) cleanse(opt_keypass); cleanse(opt_newkeypass); cleanse(opt_otherpass); +#ifndef OPENSSL_NO_SOCK cleanse(opt_tls_keypass); +#endif cleanse(opt_secret); cleanse(opt_srv_keypass); cleanse(opt_srv_secret); diff --git a/deps/openssl/openssl/apps/dgst.c b/deps/openssl/openssl/apps/dgst.c index 36a8c6fb084b8d..bd23b76996e7d7 100644 --- a/deps/openssl/openssl/apps/dgst.c +++ b/deps/openssl/openssl/apps/dgst.c 
@@ -335,7 +335,7 @@ int dgst_main(int argc, char **argv) EVP_PKEY_CTX *pctx = NULL; int res; - if (!BIO_get_md_ctx(bmd, &mctx)) { + if (BIO_get_md_ctx(bmd, &mctx) <= 0) { BIO_printf(bio_err, "Error getting context\n"); goto end; } @@ -362,7 +362,7 @@ int dgst_main(int argc, char **argv) /* we use md as a filter, reading from 'in' */ else { EVP_MD_CTX *mctx = NULL; - if (!BIO_get_md_ctx(bmd, &mctx)) { + if (BIO_get_md_ctx(bmd, &mctx) <= 0) { BIO_printf(bio_err, "Error getting context\n"); goto end; } diff --git a/deps/openssl/openssl/apps/dhparam.c b/deps/openssl/openssl/apps/dhparam.c index 982b2db5493600..0e90698cd69408 100644 --- a/deps/openssl/openssl/apps/dhparam.c +++ b/deps/openssl/openssl/apps/dhparam.c @@ -194,7 +194,7 @@ int dhparam_main(int argc, char **argv) "Generating %s parameters, %d bit long %sprime\n", alg, num, dsaparam ? "" : "safe "); - if (!EVP_PKEY_paramgen_init(ctx)) { + if (EVP_PKEY_paramgen_init(ctx) <= 0) { BIO_printf(bio_err, "Error, unable to initialise %s parameters\n", alg); @@ -383,8 +383,8 @@ static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh) ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL); if (ctx == NULL - || !EVP_PKEY_fromdata_init(ctx) - || !EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params)) { + || EVP_PKEY_fromdata_init(ctx) <= 0 + || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) { BIO_printf(bio_err, "Error, failed to set DH parameters\n"); goto err; } diff --git a/deps/openssl/openssl/apps/dsaparam.c b/deps/openssl/openssl/apps/dsaparam.c index df985324596a27..8025b8be67c830 100644 --- a/deps/openssl/openssl/apps/dsaparam.c +++ b/deps/openssl/openssl/apps/dsaparam.c @@ -211,7 +211,7 @@ int dsaparam_main(int argc, char **argv) "Error, DSA key generation context allocation failed\n"); goto end; } - if (!EVP_PKEY_keygen_init(ctx)) { + if (EVP_PKEY_keygen_init(ctx) <= 0) { BIO_printf(bio_err, "Error, unable to initialise for key generation\n"); goto end; 
diff --git a/deps/openssl/openssl/apps/lib/app_rand.c b/deps/openssl/openssl/apps/lib/app_rand.c index e38d3a72fc7752..713792ead40a3d 100644 --- a/deps/openssl/openssl/apps/lib/app_rand.c +++ b/deps/openssl/openssl/apps/lib/app_rand.c @@ -28,8 +28,14 @@ void app_RAND_load_conf(CONF *c, const char *section) BIO_printf(bio_err, "Can't load %s into RNG\n", randfile); ERR_print_errors(bio_err); } - if (save_rand_file == NULL) + if (save_rand_file == NULL) { save_rand_file = OPENSSL_strdup(randfile); + /* If some internal memory errors have occurred */ + if (save_rand_file == NULL) { + BIO_printf(bio_err, "Can't duplicate %s\n", randfile); + ERR_print_errors(bio_err); + } + } } static int loadfiles(char *name) @@ -110,6 +116,8 @@ int opt_rand(int opt) case OPT_R_WRITERAND: OPENSSL_free(save_rand_file); save_rand_file = OPENSSL_strdup(opt_arg()); + if (save_rand_file == NULL) + return 0; break; } return 1; diff --git a/deps/openssl/openssl/apps/lib/apps.c b/deps/openssl/openssl/apps/lib/apps.c index 43c01401e8d757..e01633c5b540b8 100644 --- a/deps/openssl/openssl/apps/lib/apps.c +++ b/deps/openssl/openssl/apps/lib/apps.c 
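Review bot: In `opt_rand` the new `if (save_rand_file == NULL) return 0;` fails without any diagnostic, while the matching allocation failure added to `app_RAND_load_conf` in the same file prints `Can't duplicate %s` and the error queue. Unless the caller reports the failure itself (not visible here), the user sees an option error with no stated cause. Printing before the return, e.g. `BIO_printf(bio_err, "Can't duplicate %s\n", opt_arg());`, would keep the two paths consistent.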
@@ -2302,23 +2302,35 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md, return rv; } +/* + * do_X509_verify returns 1 if the signature is valid, + * 0 if the signature check fails, or -1 if error occurs. + */ int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts) { int rv = 0; if (do_x509_init(x, vfyopts) > 0) - rv = (X509_verify(x, pkey) > 0); + rv = X509_verify(x, pkey); + else + rv = -1; return rv; } +/* + * do_X509_REQ_verify returns 1 if the signature is valid, + * 0 if the signature check fails, or -1 if error occurs. + */ int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts) { int rv = 0; if (do_x509_req_init(x, vfyopts) > 0) - rv = (X509_REQ_verify_ex(x, pkey, - app_get0_libctx(), app_get0_propq()) > 0); + rv = X509_REQ_verify_ex(x, pkey, + app_get0_libctx(), app_get0_propq()); + else + rv = -1; return rv; } diff --git a/deps/openssl/openssl/apps/lib/engine_loader.c b/deps/openssl/openssl/apps/lib/engine_loader.c index 2b4480000cc640..b2a11d438df876 100644 --- a/deps/openssl/openssl/apps/lib/engine_loader.c +++ b/deps/openssl/openssl/apps/lib/engine_loader.c @@ -1,5 +1,5 @@ /* - * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -91,7 +91,7 @@ static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader, keyid = OPENSSL_strdup(q + 1); } - if (e != NULL) + if (e != NULL && keyid != NULL) ctx = OSSL_STORE_LOADER_CTX_new(e, keyid); if (ctx == NULL) { diff --git a/deps/openssl/openssl/apps/lib/s_cb.c b/deps/openssl/openssl/apps/lib/s_cb.c index c9a611aa3aa5d1..4257190a149f19 100644 --- a/deps/openssl/openssl/apps/lib/s_cb.c +++ b/deps/openssl/openssl/apps/lib/s_cb.c 
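Review bot: `do_X509_verify` and `do_X509_REQ_verify` now return the raw result of `X509_verify()` / `X509_REQ_verify_ex()`, and `-1` when initialisation fails, where they previously returned only 0 or 1. Any caller that still tests the result for truth (`if (do_X509_verify(...))` or `!do_X509_verify(...)`) would treat a negative error as a valid signature; the callers are outside this hunk and should be confirmed to compare with `> 0`. The initialiser in `int rv = 0;` is now dead in both functions, since every path assigns `rv`, and could be dropped or changed to `-1` so that a future early return fails closed.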
@@ -146,6 +146,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, STACK_OF(X509) *chain, int build_chain) { int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0; + if (cert == NULL) return 1; if (SSL_CTX_use_certificate(ctx, cert) <= 0) { @@ -199,6 +200,7 @@ static void ssl_print_client_cert_types(BIO *bio, SSL *s) const unsigned char *p; int i; int cert_type_num = SSL_get0_certificate_types(s, &p); + if (!cert_type_num) return; BIO_puts(bio, "Client Certificate Types: "); @@ -228,22 +230,22 @@ static const char *get_sigtype(int nid) case EVP_PKEY_DSA: return "DSA"; - case EVP_PKEY_EC: + case EVP_PKEY_EC: return "ECDSA"; - case NID_ED25519: + case NID_ED25519: return "Ed25519"; - case NID_ED448: + case NID_ED448: return "Ed448"; - case NID_id_GostR3410_2001: + case NID_id_GostR3410_2001: return "gost2001"; - case NID_id_GostR3410_2012_256: + case NID_id_GostR3410_2012_256: return "gost2012_256"; - case NID_id_GostR3410_2012_512: + case NID_id_GostR3410_2012_512: return "gost2012_512"; default: @@ -254,6 +256,7 @@ static const char *get_sigtype(int nid) static int do_print_sigalgs(BIO *out, SSL *s, int shared) { int i, nsig, client; + client = SSL_is_server(s) ? 0 : 1; if (shared) nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL); @@ -296,6 +299,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) int ssl_print_sigalgs(BIO *out, SSL *s) { int nid; + if (!SSL_is_server(s)) ssl_print_client_cert_types(out, s); do_print_sigalgs(out, s, 0); @@ -312,6 +316,7 @@ int ssl_print_point_formats(BIO *out, SSL *s) { int i, nformats; const char *pformats; + nformats = SSL_get0_ec_point_formats(s, &pformats); if (nformats <= 0) return 1; @@ -895,6 +900,7 @@ static int set_cert_cb(SSL *ssl, void *arg) SSL_EXCERT *exc = arg; #ifdef CERT_CB_TEST_RETRY static int retry_cnt; + if (retry_cnt < 5) { retry_cnt++; BIO_printf(bio_err, 
@@ -993,6 +999,7 @@ void ssl_excert_free(SSL_EXCERT *exc) int load_excert(SSL_EXCERT **pexc) { SSL_EXCERT *exc = *pexc; + if (exc == NULL) return 1; /* If nothing in list, free and set to NULL */ @@ -1098,6 +1105,7 @@ static void print_raw_cipherlist(SSL *s) const unsigned char *rlist; static const unsigned char scsv_id[] = { 0, 0xFF }; size_t i, rlistlen, num; + if (!SSL_is_server(s)) return; num = SSL_get0_raw_cipherlist(s, NULL); @@ -1275,6 +1283,7 @@ static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls) int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download) { X509_STORE *st; + st = SSL_CTX_get_cert_store(ctx); add_crls_store(st, crls); if (crl_download) @@ -1291,6 +1300,7 @@ int ssl_load_stores(SSL_CTX *ctx, { X509_STORE *vfy = NULL, *ch = NULL; int rv = 0; + if (vfyCApath != NULL || vfyCAfile != NULL || vfyCAstore != NULL) { vfy = X509_STORE_new(); if (vfy == NULL) @@ -1367,6 +1377,7 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx, int rv, show_bits = 1, cert_md = 0; const char *nm; int show_nm; + rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex); if (rv == 1 && sdb->verbose < 2) return 1; @@ -1420,14 +1431,21 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx, { if (cert_md) { int sig_nid = X509_get_signature_nid(other); + BIO_puts(sdb->out, OBJ_nid2sn(sig_nid)); } else { EVP_PKEY *pkey = X509_get0_pubkey(other); - const char *algname = ""; - EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, - &algname, EVP_PKEY_get0_asn1(pkey)); - BIO_printf(sdb->out, "%s, bits=%d", - algname, EVP_PKEY_get_bits(pkey)); + + if (pkey == NULL) { + BIO_printf(sdb->out, "Public key missing"); + } else { + const char *algname = ""; + + EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, + &algname, EVP_PKEY_get0_asn1(pkey)); + BIO_printf(sdb->out, "%s, bits=%d", + algname, EVP_PKEY_get_bits(pkey)); + } } break; } 
diff --git a/deps/openssl/openssl/apps/openssl.c b/deps/openssl/openssl/apps/openssl.c index 30e1e755e0148c..e20661277e1985 100644 --- a/deps/openssl/openssl/apps/openssl.c +++ b/deps/openssl/openssl/apps/openssl.c @@ -168,14 +168,17 @@ static void setup_trace_category(int category) { BIO *channel; tracedata *trace_data; + BIO *bio = NULL; if (OSSL_trace_enabled(category)) return; - channel = BIO_push(BIO_new(BIO_f_prefix()), dup_bio_err(FORMAT_TEXT)); + bio = BIO_new(BIO_f_prefix()); + channel = BIO_push(bio, dup_bio_err(FORMAT_TEXT)); trace_data = OPENSSL_zalloc(sizeof(*trace_data)); if (trace_data == NULL + || bio == NULL || (trace_data->bio = channel) == NULL || OSSL_trace_set_callback(category, internal_trace_cb, trace_data) == 0 @@ -395,6 +398,7 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) if (argc <= 0 || argv[0] == NULL) return 0; + memset(&f, 0, sizeof(f)); f.name = argv[0]; fp = lh_FUNCTION_retrieve(prog, &f); if (fp == NULL) { diff --git a/deps/openssl/openssl/apps/req.c b/deps/openssl/openssl/apps/req.c index 6aa364fec502ad..fd9826a5a8df2f 100644 --- a/deps/openssl/openssl/apps/req.c +++ b/deps/openssl/openssl/apps/req.c @@ -103,7 +103,7 @@ const OPTIONS req_options[] = { {"keygen_engine", OPT_KEYGEN_ENGINE, 's', "Specify engine to be used for key generation operations"}, #endif - {"in", OPT_IN, '<', "X.509 request input file"}, + {"in", OPT_IN, '<', "X.509 request input file (default stdin)"}, {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"}, 
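Review bot: In `setup_trace_category` the added `bio == NULL` test covers `BIO_new(BIO_f_prefix())`, but the result of `dup_bio_err(FORMAT_TEXT)` is still passed to `BIO_push()` unchecked. If that call fails while `bio` is valid, `BIO_push()` returns `bio`, so `channel` is non-NULL and the trace callback is installed on a prefix filter with nothing behind it. Holding the second BIO in its own variable and adding it to the condition (`BIO *out = dup_bio_err(FORMAT_TEXT);` and `|| out == NULL`) would close the gap. Whether the failure branch, which is outside the hunk, frees both BIOs in every combination also needs a look.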
@@ -136,10 +136,11 @@ const OPTIONS req_options[] = { "Cert extension section (override value in config file)"}, {"reqexts", OPT_REQEXTS, 's', "Request extension section (override value in config file)"}, - {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"}, + {"precert", OPT_PRECERT, '-', + "Add a poison extension to the generated cert (implies -new)"}, OPT_SECTION("Keys and Signing"), - {"key", OPT_KEY, 's', "Key to include and to use for self-signature"}, + {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"}, {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, {"keyout", OPT_KEYOUT, '>', "File to write private key to"}, @@ -742,7 +743,8 @@ int req_main(int argc, char **argv) goto end; if (!newreq) { - req = load_csr(infile, informat, "X509 request"); + req = load_csr(infile /* if NULL, reads from stdin */, + informat, "X509 request"); if (req == NULL) goto end; } @@ -752,7 +754,7 @@ int req_main(int argc, char **argv) if (CAkeyfile != NULL) { if (CAfile == NULL) { BIO_printf(bio_err, - "Ignoring -CAkey option since no -CA option is given\n"); + "Warning: Ignoring -CAkey option since no -CA option is given\n"); } else { if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, 0, passin, e, @@ -788,6 +790,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "Error making certificate request\n"); goto end; } + /* Note that -x509 can take over -key and -subj option values. */ } if (gen_x509) { EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req); diff --git a/deps/openssl/openssl/apps/s_client.c b/deps/openssl/openssl/apps/s_client.c index 3b9be0e8c265bc..30a9b34ccb6fb5 100644 --- a/deps/openssl/openssl/apps/s_client.c +++ b/deps/openssl/openssl/apps/s_client.c 
@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv) #endif OPENSSL_free(connectstr); OPENSSL_free(bindstr); + OPENSSL_free(bindhost); + OPENSSL_free(bindport); OPENSSL_free(host); OPENSSL_free(port); OPENSSL_free(thost); @@ -3276,11 +3278,11 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); exportedkeymat = app_malloc(keymatexportlen, "export key"); - if (!SSL_export_keying_material(s, exportedkeymat, + if (SSL_export_keying_material(s, exportedkeymat, keymatexportlen, keymatexportlabel, strlen(keymatexportlabel), - NULL, 0, 0)) { + NULL, 0, 0) <= 0) { BIO_printf(bio, " Error\n"); } else { BIO_printf(bio, " Keying material: "); diff --git a/deps/openssl/openssl/apps/s_server.c b/deps/openssl/openssl/apps/s_server.c index c5d9221e90cb96..d95bf14cbf50b4 100644 --- a/deps/openssl/openssl/apps/s_server.c +++ b/deps/openssl/openssl/apps/s_server.c @@ -131,12 +131,12 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, if (s_debug) BIO_printf(bio_s_out, "psk_server_cb\n"); - if (SSL_version(ssl) >= TLS1_3_VERSION) { + if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) { /* - * This callback is designed for use in TLSv1.2. It is possible to use - * a single callback for all protocol versions - but it is preferred to - * use a dedicated callback for TLSv1.3. For TLSv1.3 we have - * psk_find_session_cb. + * This callback is designed for use in (D)TLSv1.2 (or below). It is + * possible to use a single callback for all protocol versions - but it + * is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we + * have psk_find_session_cb. */ return 0; } 
@@ -2940,11 +2940,11 @@ static void print_connection_info(SSL *con) BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen); exportedkeymat = app_malloc(keymatexportlen, "export key"); - if (!SSL_export_keying_material(con, exportedkeymat, + if (SSL_export_keying_material(con, exportedkeymat, keymatexportlen, keymatexportlabel, strlen(keymatexportlabel), - NULL, 0, 0)) { + NULL, 0, 0) <= 0) { BIO_printf(bio_s_out, " Error\n"); } else { BIO_printf(bio_s_out, " Keying material: "); diff --git a/deps/openssl/openssl/apps/speed.c b/deps/openssl/openssl/apps/speed.c index 830a502656eb11..ada559228d5a08 100644 --- a/deps/openssl/openssl/apps/speed.c +++ b/deps/openssl/openssl/apps/speed.c @@ -462,6 +462,7 @@ typedef struct loopargs_st { unsigned char *buf_malloc; unsigned char *buf2_malloc; unsigned char *key; + size_t buflen; size_t sigsize; EVP_PKEY_CTX *rsa_sign_ctx[RSA_NUM]; EVP_PKEY_CTX *rsa_verify_ctx[RSA_NUM]; @@ -832,6 +833,7 @@ static int RSA_sign_loop(void *args) int ret, count; for (count = 0; COND(rsa_c[testnum][0]); count++) { + *rsa_num = tempargs->buflen; ret = EVP_PKEY_sign(rsa_sign_ctx[testnum], buf2, rsa_num, buf, 36); if (ret <= 0) { BIO_printf(bio_err, "RSA sign failure\n"); @@ -892,6 +894,7 @@ static int DSA_sign_loop(void *args) int ret, count; for (count = 0; COND(dsa_c[testnum][0]); count++) { + *dsa_num = tempargs->buflen; ret = EVP_PKEY_sign(dsa_sign_ctx[testnum], buf2, dsa_num, buf, 20); if (ret <= 0) { BIO_printf(bio_err, "DSA sign failure\n"); @@ -935,6 +938,7 @@ static int ECDSA_sign_loop(void *args) int ret, count; for (count = 0; COND(ecdsa_c[testnum][0]); count++) { + *ecdsa_num = tempargs->buflen; ret = EVP_PKEY_sign(ecdsa_sign_ctx[testnum], buf2, ecdsa_num, buf, 20); if (ret <= 0) { BIO_printf(bio_err, "ECDSA sign failure\n"); 
@@ -1540,6 +1544,10 @@ int speed_main(int argc, char **argv) case OPT_MULTI: #ifndef NO_FORK multi = atoi(opt_arg()); + if ((size_t)multi >= SIZE_MAX / sizeof(int)) { + BIO_printf(bio_err, "%s: multi argument too large\n", prog); + return 0; + } #endif break; case OPT_ASYNCJOBS: @@ -1775,6 +1783,8 @@ int speed_main(int argc, char **argv) /* Align the start of buffers on a 64 byte boundary */ loopargs[i].buf = loopargs[i].buf_malloc + misalign; loopargs[i].buf2 = loopargs[i].buf2_malloc + misalign; + loopargs[i].buflen = buflen - misalign; + loopargs[i].sigsize = buflen - misalign; loopargs[i].secret_a = app_malloc(MAX_ECDH_SIZE, "ECDH secret a"); loopargs[i].secret_b = app_malloc(MAX_ECDH_SIZE, "ECDH secret b"); #ifndef OPENSSL_NO_DH @@ -2345,6 +2355,7 @@ int speed_main(int argc, char **argv) for (i = 0; st && i < loopargs_len; i++) { loopargs[i].rsa_sign_ctx[testnum] = EVP_PKEY_CTX_new(rsa_key, NULL); + loopargs[i].sigsize = loopargs[i].buflen; if (loopargs[i].rsa_sign_ctx[testnum] == NULL || EVP_PKEY_sign_init(loopargs[i].rsa_sign_ctx[testnum]) <= 0 || EVP_PKEY_sign(loopargs[i].rsa_sign_ctx[testnum], @@ -2423,6 +2434,7 @@ int speed_main(int argc, char **argv) for (i = 0; st && i < loopargs_len; i++) { loopargs[i].dsa_sign_ctx[testnum] = EVP_PKEY_CTX_new(dsa_key, NULL); + loopargs[i].sigsize = loopargs[i].buflen; if (loopargs[i].dsa_sign_ctx[testnum] == NULL || EVP_PKEY_sign_init(loopargs[i].dsa_sign_ctx[testnum]) <= 0 @@ -2501,6 +2513,7 @@ int speed_main(int argc, char **argv) for (i = 0; st && i < loopargs_len; i++) { loopargs[i].ecdsa_sign_ctx[testnum] = EVP_PKEY_CTX_new(ecdsa_key, NULL); + loopargs[i].sigsize = loopargs[i].buflen; if (loopargs[i].ecdsa_sign_ctx[testnum] == NULL || EVP_PKEY_sign_init(loopargs[i].ecdsa_sign_ctx[testnum]) <= 0 
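Review bot: The new bound on `-multi` in `speed_main` still parses the argument with `atoi()`, which cannot distinguish a non-numeric argument from 0 and has undefined behaviour on out-of-range input. A negative value is rejected only because `(size_t)multi` wraps, and it is then reported as "multi argument too large". Parsing with the apps' checked helper and testing the sign explicitly, e.g. `if (!opt_int(opt_arg(), &multi) || multi < 0 || (size_t)multi >= SIZE_MAX / sizeof(int))`, would give a correct diagnostic for each case.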
@@ -3092,10 +3105,9 @@ int speed_main(int argc, char **argv) #endif if (!mr) { printf("version: %s\n", OpenSSL_version(OPENSSL_FULL_VERSION_STRING)); - printf("built on: %s\n", OpenSSL_version(OPENSSL_BUILT_ON)); - printf("options:"); - printf("%s ", BN_options()); - printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS)); + printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON)); + printf("options: %s\n", BN_options()); + printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS)); printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO)); } diff --git a/deps/openssl/openssl/apps/tsget.in b/deps/openssl/openssl/apps/tsget.in index d87ea4d6548a1d..3b5f83cf9b572d 100644 --- a/deps/openssl/openssl/apps/tsget.in +++ b/deps/openssl/openssl/apps/tsget.in @@ -1,5 +1,5 @@ #!{- $config{HASHBANGPERL} -} -# Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. # Copyright (c) 2002 The OpenTSA Project. All rights reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -21,10 +21,10 @@ sub read_body { my $return_data = ""; my $data_len = length ${$state->{data}}; if ($state->{bytes} < $data_len) { - $data_len = $data_len - $state->{bytes}; - $data_len = $maxlength if $data_len > $maxlength; - $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; - $state->{bytes} += $data_len; + $data_len = $data_len - $state->{bytes}; + $data_len = $maxlength if $data_len > $maxlength; + $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; + $state->{bytes} += $data_len; } return $return_data; } 
@@ -53,8 +53,8 @@ sub create_curl { $curl->setopt(CURLOPT_UPLOAD, 1); $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); $curl->setopt(CURLOPT_HTTPHEADER, - ["Content-Type: application/timestamp-query", - "Accept: application/timestamp-reply,application/timestamp-response"]); + ["Content-Type: application/timestamp-query", + "Accept: application/timestamp-reply,application/timestamp-response"]); $curl->setopt(CURLOPT_READFUNCTION, \&read_body); $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); @@ -63,8 +63,8 @@ sub create_curl { # SSL related options. $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); - $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. - $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. + $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. + $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); 
@@ -101,15 +101,15 @@ sub get_timestamp { my $error_string; if ($error_code != 0) { my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); - $error_string = "could not get timestamp"; - $error_string .= ", http code: $http_code" unless $http_code == 0; - $error_string .= ", curl code: $error_code"; - $error_string .= " ($::error_buf)" if defined($::error_buf); + $error_string = "could not get timestamp"; + $error_string .= ", http code: $http_code" unless $http_code == 0; + $error_string .= ", curl code: $error_code"; + $error_string .= " ($::error_buf)" if defined($::error_buf); } else { my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); - if (lc($ct) ne "application/timestamp-reply" - && lc($ct) ne "application/timestamp-response") { - $error_string = "unexpected content type returned: $ct"; + if (lc($ct) ne "application/timestamp-reply" + && lc($ct) ne "application/timestamp-response") { + $error_string = "unexpected content type returned: $ct"; } } return ($ts_body, $error_string); @@ -163,15 +163,15 @@ REQUEST: foreach (@ARGV) { # Read request. my $body; if ($input eq "-") { - # Read the request from STDIN; - $body = ; + # Read the request from STDIN; + $body = ; } else { - # Read the request from file. + # Read the request from file. open INPUT, "<" . $input - or warn("$input: could not open input file: $!\n"), next REQUEST; + or warn("$input: could not open input file: $!\n"), next REQUEST; $body = ; close INPUT - or warn("$input: could not close input file: $!\n"), next REQUEST; + or warn("$input: could not close input file: $!\n"), next REQUEST; } # Send request. 
@@ -179,21 +179,21 @@ REQUEST: foreach (@ARGV) { my ($ts_body, $error) = get_timestamp $curl, \$body; if (defined($error)) { - die "$input: fatal error: $error\n"; + die "$input: fatal error: $error\n"; } STDERR->printflush(", reply received") if $options{v}; # Write response. if ($output eq "-") { - # Write to STDOUT. + # Write to STDOUT. print $ts_body; } else { - # Write to file. + # Write to file. open OUTPUT, ">", $output - or warn("$output: could not open output file: $!\n"), next REQUEST; + or warn("$output: could not open output file: $!\n"), next REQUEST; print OUTPUT $ts_body; close OUTPUT - or warn("$output: could not close output file: $!\n"), next REQUEST; + or warn("$output: could not close output file: $!\n"), next REQUEST; } STDERR->printflush(", $output written.\n") if $options{v}; } diff --git a/deps/openssl/openssl/apps/x509.c b/deps/openssl/openssl/apps/x509.c index 7236972c5bf38d..2880ae792a046b 100644 --- a/deps/openssl/openssl/apps/x509.c +++ b/deps/openssl/openssl/apps/x509.c @@ -61,7 +61,7 @@ const OPTIONS x509_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"in", OPT_IN, '<', - "Certificate input (default stdin), or CSR input file with -req"}, + "Certificate input, or CSR input file with -req (default stdin)"}, {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"}, {"new", OPT_NEW, '-', "Generate a certificate from scratch"}, {"x509toreq", OPT_X509TOREQ, '-', @@ -73,7 +73,7 @@ const OPTIONS x509_options[] = { "CSR input file format (DER or PEM) - default PEM"}, {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"}, {"key", OPT_KEY, 's', - "Key to be used in certificate or cert request"}, + "Key for signing, and to include unless using -force_pubkey"}, {"signkey", OPT_SIGNKEY, 's', "Same as -key"}, {"keyform", OPT_KEYFORM, 'E', 
@@ -235,6 +235,21 @@ static X509_REQ *x509_to_req(X509 *cert, int ext_copy, const char *names) return NULL; } +static int self_signed(X509_STORE *ctx, X509 *cert) +{ + X509_STORE_CTX *xsc = X509_STORE_CTX_new(); + int ret = 0; + + if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, cert, NULL)) { + BIO_printf(bio_err, "Error initialising X509 store\n"); + } else { + X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); + ret = X509_verify_cert(xsc) > 0; + } + X509_STORE_CTX_free(xsc); + return ret; +} + int x509_main(int argc, char **argv) { ASN1_INTEGER *sno = NULL; @@ -630,7 +645,7 @@ int x509_main(int argc, char **argv) } if (privkeyfile == NULL && pubkeyfile == NULL) { BIO_printf(bio_err, - "The -new option without -key requires using -force_pubkey\n"); + "The -new option requires using the -key or -force_pubkey option\n"); goto end; } } @@ -642,7 +657,7 @@ int x509_main(int argc, char **argv) CAkeyfile = CAfile; if (CAfile != NULL) { if (privkeyfile != NULL) { - BIO_printf(bio_err, "Cannot use both -key and -CA option\n"); + BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n"); goto end; } } else if (CAkeyfile != NULL) { @@ -787,6 +802,8 @@ int x509_main(int argc, char **argv) sno = x509_load_serial(CAfile, CAserial, CA_createserial); if (sno == NULL) goto end; + if (!x509toreq && !reqfile && !newcert && !self_signed(ctx, x)) + goto end; } if (sno != NULL && !X509_set_serialNumber(x, sno)) @@ -799,7 +816,12 @@ int x509_main(int argc, char **argv) goto end; } - X509V3_set_ctx(&ext_ctx, issuer_cert, x, req, NULL, X509V3_CTX_REPLACE); + X509V3_set_ctx(&ext_ctx, issuer_cert, x, NULL, NULL, X509V3_CTX_REPLACE); + /* prepare fallback for AKID, but only if issuer cert equals subject cert */ + if (CAfile == NULL) { + if (!X509V3_set_issuer_pkey(&ext_ctx, privkey)) + goto end; + } if (extconf != NULL && !x509toreq) { X509V3_set_nconf(&ext_ctx, extconf); if (!X509V3_EXT_add_nconf(extconf, &ext_ctx, extsect, x)) { 
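Review bot: The new `self_signed()` helper in `apps/x509.c` has no header comment, and its return value folds two outcomes together: it returns 0 both when `X509_STORE_CTX_new()`/`X509_STORE_CTX_init()` fails and when `X509_verify_cert()` rejects the certificate, and only the first case prints a message inside this function. A one-line contract would make that explicit, e.g. `/* Return 1 if cert verifies against ctx with X509_V_FLAG_CHECK_SS_SIGNATURE set, 0 on verification failure or internal error */`. The call site added in the `@@ -787,6 +802,8 @@` hunk treats any 0 as fatal, so the distinction matters only for diagnostics.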
@@ -819,7 +841,7 @@ int x509_main(int argc, char **argv) if (x509toreq) { /* also works in conjunction with -req */ if (privkey == NULL) { - BIO_printf(bio_err, "Must specify request key using -key\n"); + BIO_printf(bio_err, "Must specify request signing key using -key\n"); goto end; } if (clrext && ext_copy != EXT_COPY_NONE) { @@ -856,21 +878,6 @@ int x509_main(int argc, char **argv) if (!do_X509_sign(x, privkey, digest, sigopts, &ext_ctx)) goto end; } else if (CAfile != NULL) { - if (!reqfile && !newcert) { /* certificate should be self-signed */ - X509_STORE_CTX *xsc = X509_STORE_CTX_new(); - - if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { - BIO_printf(bio_err, "Error initialising X509 store\n"); - X509_STORE_CTX_free(xsc); - goto end; - } - X509_STORE_CTX_set_cert(xsc, x); - X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); - i = X509_verify_cert(xsc); - X509_STORE_CTX_free(xsc); - if (i <= 0) - goto end; - } if ((CAkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e, "CA private key")) == NULL) goto end; diff --git a/deps/openssl/openssl/crypto/aes/build.info b/deps/openssl/openssl/crypto/aes/build.info index 0b9f499ee60583..af362bcf6254bd 100644 --- a/deps/openssl/openssl/crypto/aes/build.info +++ b/deps/openssl/openssl/crypto/aes/build.info @@ -5,7 +5,7 @@ IF[{- !$disabled{asm} -}] $AESASM_x86=aes-586.s $AESDEF_x86=AES_ASM $AESASM_x86_sse2=vpaes-x86.s aesni-x86.s - $AESDEF_x86_sse2=VPAES_ASM + $AESDEF_x86_sse2=VPAES_ASM OPENSSL_IA32_SSE2 $AESASM_x86_64=\ aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s \ diff --git a/deps/openssl/openssl/crypto/armcap.c b/deps/openssl/openssl/crypto/armcap.c index 62e166a4dd039f..5b45a9d0f40c7d 100644 --- a/deps/openssl/openssl/crypto/armcap.c +++ b/deps/openssl/openssl/crypto/armcap.c 
@@ -112,20 +112,23 @@ static unsigned long getauxval(unsigned long key) * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas * AArch64 used AT_HWCAP. */ +# ifndef AT_HWCAP +# define AT_HWCAP 16 +# endif +# ifndef AT_HWCAP2 +# define AT_HWCAP2 26 +# endif # if defined(__arm__) || defined (__arm) -# define HWCAP 16 - /* AT_HWCAP */ +# define HWCAP AT_HWCAP # define HWCAP_NEON (1 << 12) -# define HWCAP_CE 26 - /* AT_HWCAP2 */ +# define HWCAP_CE AT_HWCAP2 # define HWCAP_CE_AES (1 << 0) # define HWCAP_CE_PMULL (1 << 1) # define HWCAP_CE_SHA1 (1 << 2) # define HWCAP_CE_SHA256 (1 << 3) # elif defined(__aarch64__) -# define HWCAP 16 - /* AT_HWCAP */ +# define HWCAP AT_HWCAP # define HWCAP_NEON (1 << 1) # define HWCAP_CE HWCAP diff --git a/deps/openssl/openssl/crypto/asn1/d2i_pu.c b/deps/openssl/openssl/crypto/asn1/d2i_pu.c index ddf1aad70093aa..1be114b8a2a21c 100644 --- a/deps/openssl/openssl/crypto/asn1/d2i_pu.c +++ b/deps/openssl/openssl/crypto/asn1/d2i_pu.c @@ -29,16 +29,27 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { EVP_PKEY *ret; + EVP_PKEY *copy = NULL; if ((a == NULL) || (*a == NULL)) { if ((ret = EVP_PKEY_new()) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB); return NULL; } - } else + } else { ret = *a; - if (type != EVP_PKEY_get_id(ret) && !EVP_PKEY_set_type(ret, type)) { +#ifndef OPENSSL_NO_EC + if (evp_pkey_is_provided(ret) + && EVP_PKEY_get_base_id(ret) == EVP_PKEY_EC) { + if (!evp_pkey_copy_downgraded(©, ret)) + goto err; + } +#endif + } + + if ((type != EVP_PKEY_get_id(ret) || copy != NULL) + && !EVP_PKEY_set_type(ret, type)) { ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB); goto err; } @@ -52,7 +63,6 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, break; #ifndef OPENSSL_NO_DSA case EVP_PKEY_DSA: - /* TMP UGLY CAST */ if (!d2i_DSAPublicKey(&ret->pkey.dsa, pp, length)) { ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB); goto err; 
@@ -61,6 +71,11 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, #endif #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: + if (copy != NULL) { + /* use downgraded parameters from copy */ + ret->pkey.ec = copy->pkey.ec; + copy->pkey.ec = NULL; + } if (!o2i_ECPublicKey(&ret->pkey.ec, pp, length)) { ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB); goto err; @@ -73,9 +88,11 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, } if (a != NULL) (*a) = ret; + EVP_PKEY_free(copy); return ret; err: if (a == NULL || *a != ret) EVP_PKEY_free(ret); + EVP_PKEY_free(copy); return NULL; } diff --git a/deps/openssl/openssl/crypto/asn1/tasn_dec.c b/deps/openssl/openssl/crypto/asn1/tasn_dec.c index eff67d87fc16a0..11198087a57b37 100644 --- a/deps/openssl/openssl/crypto/asn1/tasn_dec.c +++ b/deps/openssl/openssl/crypto/asn1/tasn_dec.c @@ -648,9 +648,9 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, break; } skfield = NULL; - if (!asn1_item_embed_d2i(&skfield, &p, len, + if (asn1_item_embed_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx, - depth, libctx, propq)) { + depth, libctx, propq) <= 0) { ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR); /* |skfield| may be partially allocated despite failure. */ ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); diff --git a/deps/openssl/openssl/crypto/async/async.c b/deps/openssl/openssl/crypto/async/async.c index 84c587685295ac..a320d455b7bb7a 100644 --- a/deps/openssl/openssl/crypto/async/async.c +++ b/deps/openssl/openssl/crypto/async/async.c @@ -138,6 +138,10 @@ static void async_release_job(ASYNC_JOB *job) { async_pool *pool; pool = (async_pool *)CRYPTO_THREAD_get_local(&poolkey); + if (pool == NULL) { + ERR_raise(ERR_LIB_ASYNC, ERR_R_INTERNAL_ERROR); + return; + } OPENSSL_free(job->funcargs); job->funcargs = NULL; sk_ASYNC_JOB_push(pool->jobs, job); 
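Review bot: On the new `pool == NULL` path in `async_release_job()` the function returns before `OPENSSL_free(job->funcargs)` and before the job is pushed back to the pool. The job and its argument copy therefore stay allocated unless a caller releases them, and because the function is `void` the caller cannot tell that this happened. If the path is reachable outside a programming error, moving `OPENSSL_free(job->funcargs); job->funcargs = NULL;` above the NULL check would at least release the arguments. The end of the function lies outside the hunk.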
@@ -148,6 +152,10 @@ void async_start_func(void) ASYNC_JOB *job; async_ctx *ctx = async_get_ctx(); + if (ctx == NULL) { + ERR_raise(ERR_LIB_ASYNC, ERR_R_INTERNAL_ERROR); + return; + } while (1) { /* Run the job */ job = ctx->currjob; diff --git a/deps/openssl/openssl/crypto/bio/bio_lib.c b/deps/openssl/openssl/crypto/bio/bio_lib.c index a378f186d7b4a0..b5454f14b24922 100644 --- a/deps/openssl/openssl/crypto/bio/bio_lib.c +++ b/deps/openssl/openssl/crypto/bio/bio_lib.c @@ -140,7 +140,7 @@ int BIO_free(BIO *a) if (HAS_CALLBACK(a)) { ret = (int)bio_call_callback(a, BIO_CB_FREE, NULL, 0, 0, 0L, 1L, NULL); if (ret <= 0) - return ret; + return 0; } if ((a->method != NULL) && (a->method->destroy != NULL)) @@ -563,10 +563,8 @@ long BIO_ctrl(BIO *b, int cmd, long larg, void *parg) { long ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return -1; - } if (b->method == NULL || b->method->ctrl == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; @@ -591,10 +589,8 @@ long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp) { long ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return -2; - } if (b->method == NULL || b->method->callback_ctrl == NULL || cmd != BIO_CTRL_SET_CALLBACK) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); @@ -655,10 +651,8 @@ BIO *BIO_pop(BIO *b) { BIO *ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return NULL; - } ret = b->next_bio; BIO_ctrl(b, BIO_CTRL_POP, 0, b); @@ -728,10 +722,8 @@ BIO *BIO_find_type(BIO *bio, int type) BIO *BIO_next(BIO *b) { - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return NULL; - } return b->next_bio; } diff --git a/deps/openssl/openssl/crypto/bio/bss_mem.c b/deps/openssl/openssl/crypto/bio/bss_mem.c index 7e501762bb0b3e..9153c1f1cd8163 100644 --- a/deps/openssl/openssl/crypto/bio/bss_mem.c 
+++ b/deps/openssl/openssl/crypto/bio/bss_mem.c @@ -254,7 +254,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) bm = bbm->readp; bo = bbm->buf; } - off = bm->data - bo->data; + off = (bm->data == bo->data) ? 0 : bm->data - bo->data; remain = bm->length; switch (cmd) { @@ -277,7 +277,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) if (num < 0 || num > off + remain) return -1; /* Can't see outside of the current buffer */ - bm->data = bo->data + num; + bm->data = (num != 0) ? bo->data + num : bo->data; bm->length = bo->length - num; bm->max = bo->max - num; off = num; diff --git a/deps/openssl/openssl/crypto/bn/asm/mips.pl b/deps/openssl/openssl/crypto/bn/asm/mips.pl index 95cb227dc50698..bc18826d08f823 100644 --- a/deps/openssl/openssl/crypto/bn/asm/mips.pl +++ b/deps/openssl/openssl/crypto/bn/asm/mips.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1986,6 +1986,8 @@ () sltu $at,$c_2,$t_1 $ADDU $c_3,$t_2,$at $ST $c_2,$BNSZ($a0) + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at mflo ($t_1,$a_2,$a_0) mfhi ($t_2,$a_2,$a_0) ___ @@ -2196,6 +2198,8 @@ () sltu $at,$c_2,$t_1 $ADDU $c_3,$t_2,$at $ST $c_2,$BNSZ($a0) + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at mflo ($t_1,$a_2,$a_0) mfhi ($t_2,$a_2,$a_0) ___ diff --git a/deps/openssl/openssl/crypto/bn/bn_lib.c b/deps/openssl/openssl/crypto/bn/bn_lib.c index 28a3e91679d78e..7ad6842560b4fa 100644 --- a/deps/openssl/openssl/crypto/bn/bn_lib.c +++ b/deps/openssl/openssl/crypto/bn/bn_lib.c 
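Review bot: The two conditional expressions added to `mem_ctrl()` (`(bm->data == bo->data) ? 0 : bm->data - bo->data` and `(num != 0) ? bo->data + num : bo->data`) read as redundant without an explanation, which invites a later cleanup that removes them. They presumably exist to avoid pointer arithmetic when `data` is NULL for an empty buffer; if so, a comment on the first one would say it, e.g. `/* data may be NULL for an empty buffer: avoid arithmetic on a NULL pointer */`. The rest of `mem_ctrl()` is outside the hunks.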
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -505,7 +505,8 @@ int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endiane /* Swipe through whole available data and don't give away padded zero. */ atop = a->dmax * BN_BYTES; if (atop == 0) { - OPENSSL_cleanse(to, tolen); + if (tolen != 0) + memset(to, '\0', tolen); return tolen; } diff --git a/deps/openssl/openssl/crypto/bn/bn_rand.c b/deps/openssl/openssl/crypto/bn/bn_rand.c index baac4ea7ed8328..1b495969906fc5 100644 --- a/deps/openssl/openssl/crypto/bn/bn_rand.c +++ b/deps/openssl/openssl/crypto/bn/bn_rand.c @@ -287,7 +287,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; } for (done = 0; done < num_k_bytes;) { - if (!RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0)) + if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0) goto err; if (!EVP_DigestInit_ex(mdctx, md, NULL) diff --git a/deps/openssl/openssl/crypto/bn/bn_rsa_fips186_4.c b/deps/openssl/openssl/crypto/bn/bn_rsa_fips186_4.c index 794e00839095d6..6ac42a5b4bdea1 100644 --- a/deps/openssl/openssl/crypto/bn/bn_rsa_fips186_4.c +++ b/deps/openssl/openssl/crypto/bn/bn_rsa_fips186_4.c @@ -106,6 +106,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, { int ret = 0; int i = 0; + int tmp = 0; if (BN_copy(p1, Xp1) == NULL) return 0; @@ -116,8 +117,11 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, i++; BN_GENCB_call(cb, 0, i); /* MR test with trial division */ - if (BN_check_prime(p1, ctx, cb)) + tmp = BN_check_prime(p1, ctx, cb); + if (tmp > 0) break; + if (tmp < 0) + goto err; /* Get next odd number */ if (!BN_add_word(p1, 2)) goto err; 
@@ -329,8 +333,14 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, || !BN_sub_word(y1, 1) || !BN_gcd(tmp, y1, e, ctx)) goto err; - if (BN_is_one(tmp) && BN_check_prime(Y, ctx, cb)) - goto end; + if (BN_is_one(tmp)) { + int rv = BN_check_prime(Y, ctx, cb); + + if (rv > 0) + goto end; + if (rv < 0) + goto err; + } /* (Step 8-10) */ if (++i >= imax || !BN_add(Y, Y, r1r2x2)) goto err; diff --git a/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c b/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c index b7d11180f82484..15db0c1f05aa9c 100644 --- a/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c +++ b/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c @@ -14,6 +14,7 @@ */ #include +#include #include "rsaz_exp.h" #ifndef RSAZ_ENABLED @@ -310,14 +311,23 @@ static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ /* Exponentiation */ { - int rem = BITSIZE_MODULUS % EXP_WIN_SIZE; - int delta = rem ? rem : EXP_WIN_SIZE; + const int rem = BITSIZE_MODULUS % EXP_WIN_SIZE; BN_ULONG table_idx_mask = EXP_WIN_MASK; - int exp_bit_no = BITSIZE_MODULUS - delta; + int exp_bit_no = BITSIZE_MODULUS - rem; int exp_chunk_no = exp_bit_no / 64; int exp_chunk_shift = exp_bit_no % 64; + /* + * If rem == 0, then + * exp_bit_no = modulus_bitsize - exp_win_size + * However, this isn't possible because rem is { 1024, 1536, 2048 } % 5 + * which is { 4, 1, 3 } respectively. + * + * If this assertion ever fails the fix above is easy. + */ + OPENSSL_assert(rem != 0); + /* Process 1-st exp window - just init result */ BN_ULONG red_table_idx_0 = expz[0][exp_chunk_no]; BN_ULONG red_table_idx_1 = expz[1][exp_chunk_no]; diff --git a/deps/openssl/openssl/crypto/cmac/cmac.c b/deps/openssl/openssl/crypto/cmac/cmac.c index 18c7fea3ddeec5..218eb94259614c 100644 --- a/deps/openssl/openssl/crypto/cmac/cmac.c +++ b/deps/openssl/openssl/crypto/cmac/cmac.c 
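Review bot: In the `RSAZ_exp52x20_x2_256` hunk the added `OPENSSL_assert(rem != 0);` sits in front of the `BN_ULONG red_table_idx_0 = ...` declarations, which turns them into declarations after a statement. Builds using `-Wdeclaration-after-statement` or a C90 compiler will warn on or reject that, so the assert should move below the last declaration in the block. `rem` is derived from `BITSIZE_MODULUS % EXP_WIN_SIZE`, which look like compile-time constants, so a preprocessor `#if` with `#error` could catch a bad window size at build time instead of aborting the process at run time. The block continues past the end of the hunk.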
@@ -227,7 +227,7 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) for (i = 0; i < bl; i++) out[i] = ctx->last_block[i] ^ ctx->k2[i]; } - if (!EVP_Cipher(ctx->cctx, out, out, bl)) { + if (EVP_Cipher(ctx->cctx, out, out, bl) <= 0) { OPENSSL_cleanse(out, bl); return 0; } diff --git a/deps/openssl/openssl/crypto/cmp/cmp_msg.c b/deps/openssl/openssl/crypto/cmp/cmp_msg.c index 10ef4cd922ec59..84a272fe2b062e 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_msg.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_msg.c @@ -1100,9 +1100,8 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, return NULL; } - if ((bio = BIO_new_file(file, "rb")) == NULL) - return NULL; - if (d2i_OSSL_CMP_MSG_bio(bio, &msg) == NULL) { + if ((bio = BIO_new_file(file, "rb")) == NULL + || d2i_OSSL_CMP_MSG_bio(bio, &msg) == NULL) { OSSL_CMP_MSG_free(msg); msg = NULL; } diff --git a/deps/openssl/openssl/crypto/cmp/cmp_server.c b/deps/openssl/openssl/crypto/cmp/cmp_server.c index 6f3409468d024e..7ce4662aee5f14 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_server.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_server.c @@ -457,6 +457,9 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, } ctx = srv_ctx->ctx; backup_secret = ctx->secretValue; + req_type = OSSL_CMP_MSG_get_bodytype(req); + ossl_cmp_log1(DEBUG, ctx, + "received %s", ossl_cmp_bodytype_to_string(req_type)); /* * Some things need to be done already before validating the message in @@ -469,7 +472,6 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, if (!OSSL_CMP_CTX_set1_recipient(ctx, hdr->sender->d.directoryName)) goto err; - req_type = OSSL_CMP_MSG_get_bodytype(req); switch (req_type) { case OSSL_CMP_PKIBODY_IR: case OSSL_CMP_PKIBODY_CR: 
@@ -503,8 +505,6 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, #endif } } - ossl_cmp_log1(DEBUG, ctx, - "received %s", ossl_cmp_bodytype_to_string(req_type)); res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, srv_ctx->acceptUnprotected); diff --git a/deps/openssl/openssl/crypto/cmp/cmp_vfy.c b/deps/openssl/openssl/crypto/cmp/cmp_vfy.c index aa4665a5629247..b9d6fc2bdd17ee 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_vfy.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_vfy.c @@ -27,12 +27,14 @@ static int verify_signature(const OSSL_CMP_CTX *cmp_ctx, { OSSL_CMP_PROTECTEDPART prot_part; EVP_PKEY *pubkey = NULL; - BIO *bio = BIO_new(BIO_s_mem()); /* may be NULL */ + BIO *bio; int res = 0; if (!ossl_assert(cmp_ctx != NULL && msg != NULL && cert != NULL)) return 0; + bio = BIO_new(BIO_s_mem()); /* may be NULL */ + /* verify that keyUsage, if present, contains digitalSignature */ if (!cmp_ctx->ignore_keyusage && (X509_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE) == 0) { diff --git a/deps/openssl/openssl/crypto/cms/cms_dh.c b/deps/openssl/openssl/crypto/cms/cms_dh.c index fe6289b20501ec..f14546c703782f 100644 --- a/deps/openssl/openssl/crypto/cms/cms_dh.c +++ b/deps/openssl/openssl/crypto/cms/cms_dh.c @@ -118,7 +118,7 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) if (kekctx == NULL) goto err; - if (!OBJ_obj2txt(name, sizeof(name), kekalg->algorithm, 0)) + if (OBJ_obj2txt(name, sizeof(name), kekalg->algorithm, 0) <= 0) goto err; kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery); diff --git a/deps/openssl/openssl/crypto/cms/cms_ec.c b/deps/openssl/openssl/crypto/cms/cms_ec.c index 65018956a8877a..b07af92bad8b8f 100644 --- a/deps/openssl/openssl/crypto/cms/cms_ec.c +++ b/deps/openssl/openssl/crypto/cms/cms_ec.c 
@@ -47,7 +47,7 @@ static EVP_PKEY *pkey_type2param(int ptype, const void *pval, pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq); if (pctx == NULL || EVP_PKEY_paramgen_init(pctx) <= 0) goto err; - if (!OBJ_obj2txt(groupname, sizeof(groupname), poid, 0) + if (OBJ_obj2txt(groupname, sizeof(groupname), poid, 0) <= 0 || !EVP_PKEY_CTX_set_group_name(pctx, groupname)) { ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR); goto err; diff --git a/deps/openssl/openssl/crypto/cms/cms_pwri.c b/deps/openssl/openssl/crypto/cms/cms_pwri.c index bc2b5179b748b6..380240561f8683 100644 --- a/deps/openssl/openssl/crypto/cms/cms_pwri.c +++ b/deps/openssl/openssl/crypto/cms/cms_pwri.c @@ -85,6 +85,10 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, goto merr; } ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); + goto err; + } if (EVP_EncryptInit_ex(ctx, kekciph, NULL, NULL, NULL) <= 0) { ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB); diff --git a/deps/openssl/openssl/crypto/cms/cms_sd.c b/deps/openssl/openssl/crypto/cms/cms_sd.c index 4fbe09ca5fef5d..34c021bba64af7 100644 --- a/deps/openssl/openssl/crypto/cms/cms_sd.c +++ b/deps/openssl/openssl/crypto/cms/cms_sd.c @@ -784,8 +784,8 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) const CMS_CTX *ctx = si->cms_ctx; char md_name[OSSL_MAX_NAME_SIZE]; - if (!OBJ_obj2txt(md_name, sizeof(md_name), - si->digestAlgorithm->algorithm, 0)) + if (OBJ_obj2txt(md_name, sizeof(md_name), + si->digestAlgorithm->algorithm, 0) <= 0) return 0; if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) { diff --git a/deps/openssl/openssl/crypto/cms/cms_smime.c b/deps/openssl/openssl/crypto/cms/cms_smime.c index 0c3bbd03c3b38f..4e80a13b4daa0a 100644 --- a/deps/openssl/openssl/crypto/cms/cms_smime.c +++ b/deps/openssl/openssl/crypto/cms/cms_smime.c 
@@ -608,6 +608,8 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, /* Set embedded content */ pos = CMS_get0_content(cms); + if (pos == NULL) + goto err; *pos = os; r = 1; diff --git a/deps/openssl/openssl/crypto/comp/c_zlib.c b/deps/openssl/openssl/crypto/comp/c_zlib.c index b36a562d888220..9a7087e444048c 100644 --- a/deps/openssl/openssl/crypto/comp/c_zlib.c +++ b/deps/openssl/openssl/crypto/comp/c_zlib.c @@ -380,7 +380,11 @@ static int bio_zlib_read(BIO *b, char *out, int outl) ERR_raise(ERR_LIB_COMP, ERR_R_MALLOC_FAILURE); return 0; } - inflateInit(zin); + if ((ret = inflateInit(zin)) != Z_OK) { + ERR_raise_data(ERR_LIB_COMP, COMP_R_ZLIB_INFLATE_ERROR, + "zlib error: %s", zError(ret)); + return 0; + } zin->next_in = ctx->ibuf; zin->avail_in = 0; } @@ -443,7 +447,11 @@ static int bio_zlib_write(BIO *b, const char *in, int inl) } ctx->optr = ctx->obuf; ctx->ocount = 0; - deflateInit(zout, ctx->comp_level); + if ((ret = deflateInit(zout, ctx->comp_level)) != Z_OK) { + ERR_raise_data(ERR_LIB_COMP, COMP_R_ZLIB_DEFLATE_ERROR, + "zlib error: %s", zError(ret)); + return 0; + } zout->next_out = ctx->obuf; zout->avail_out = ctx->obufsize; } diff --git a/deps/openssl/openssl/crypto/conf/conf_api.c b/deps/openssl/openssl/crypto/conf/conf_api.c index e4e305c714f0d8..7a4efe6dbb2b12 100644 --- a/deps/openssl/openssl/crypto/conf/conf_api.c +++ b/deps/openssl/openssl/crypto/conf/conf_api.c @@ -135,7 +135,11 @@ IMPLEMENT_LHASH_DOALL_ARG_CONST(CONF_VALUE, LH_CONF_VALUE); void _CONF_free_data(CONF *conf) { - if (conf == NULL || conf->data == NULL) + if (conf == NULL) + return; + + OPENSSL_free(conf->includedir); + if (conf->data == NULL) return; /* evil thing to make sure the 'OPENSSL_free()' works as expected */ @@ -147,7 +151,6 @@ void _CONF_free_data(CONF *conf) * with */ - OPENSSL_free(conf->includedir); lh_CONF_VALUE_doall(conf->data, value_free_stack_doall); lh_CONF_VALUE_free(conf->data); } 
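Review bot: When `inflateInit(zin)` fails in `bio_zlib_read`, the new error path returns 0 but leaves in place the input buffer whose allocation check sits just above it (the allocation itself is outside the hunk). If the enclosing lazy-initialisation test keys on `ctx->ibuf` being NULL, a later read would skip initialisation and call into zlib with a stream that was never set up. Releasing the buffer on this path keeps the state consistent: `OPENSSL_free(ctx->ibuf); ctx->ibuf = NULL;` before `return 0;`. The `deflateInit()` failure path added to `bio_zlib_write` in the next hunk has the same shape with `ctx->obuf`.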
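Review bot: `_CONF_free_data()` now frees `conf->includedir` on every call, including when `conf->data` is NULL, but leaves the pointer dangling afterwards. If the function can run more than once on the same `CONF` (not determinable from this hunk), the second call would free the same string again. Clearing the field closes that off: add `conf->includedir = NULL;` directly after the `OPENSSL_free(conf->includedir);` line.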
diff --git a/deps/openssl/openssl/crypto/conf/conf_def.c b/deps/openssl/openssl/crypto/conf/conf_def.c index 7b67854c8b702e..c05c3c6b109de7 100644 --- a/deps/openssl/openssl/crypto/conf/conf_def.c +++ b/deps/openssl/openssl/crypto/conf/conf_def.c @@ -424,6 +424,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) if (!parsebool(pval, &conf->flag_abspath)) goto err; } else if (strcmp(p, "includedir") == 0) { + OPENSSL_free(conf->includedir); if ((conf->includedir = OPENSSL_strdup(pval)) == NULL) { ERR_raise(ERR_LIB_CONF, ERR_R_MALLOC_FAILURE); goto err; @@ -474,6 +475,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) if (conf->flag_abspath && !ossl_is_absolute_path(include_path)) { ERR_raise(ERR_LIB_CONF, CONF_R_RELATIVE_PATH); + OPENSSL_free(include_path); goto err; } diff --git a/deps/openssl/openssl/crypto/context.c b/deps/openssl/openssl/crypto/context.c index 1e0dfa8e015e35..bba8e4208b1a0b 100644 --- a/deps/openssl/openssl/crypto/context.c +++ b/deps/openssl/openssl/crypto/context.c @@ -240,6 +240,10 @@ void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx) if (ossl_lib_ctx_is_default(ctx)) return; +#ifndef FIPS_MODULE + if (ctx->ischild) + ossl_provider_deinit_child(ctx); +#endif context_deinit(ctx); OPENSSL_free(ctx); } diff --git a/deps/openssl/openssl/crypto/core_algorithm.c b/deps/openssl/openssl/crypto/core_algorithm.c index 1a2e798c2c2d84..5ff33eff7c747b 100644 --- a/deps/openssl/openssl/crypto/core_algorithm.c +++ b/deps/openssl/openssl/crypto/core_algorithm.c 
@@ -105,10 +105,23 @@ void ossl_algorithm_do_all(OSSL_LIB_CTX *libctx, int operation_id, cbdata.post = post; cbdata.data = data; - if (provider == NULL) + if (provider == NULL) { ossl_provider_doall_activated(libctx, algorithm_do_this, &cbdata); - else + } else { + OSSL_LIB_CTX *libctx2 = ossl_provider_libctx(provider); + + /* + * If a provider is given, its library context MUST match the library + * context we're passed. If this turns out not to be true, there is + * a programming error in the functions up the call stack. + */ + if (!ossl_assert(ossl_lib_ctx_get_concrete(libctx) + == ossl_lib_ctx_get_concrete(libctx2))) + return; + + cbdata.libctx = libctx2; algorithm_do_this(provider, &cbdata); + } } char *ossl_algorithm_get1_first_name(const OSSL_ALGORITHM *algo) diff --git a/deps/openssl/openssl/crypto/core_fetch.c b/deps/openssl/openssl/crypto/core_fetch.c index d315599ce67f7d..367f6ba8a47b11 100644 --- a/deps/openssl/openssl/crypto/core_fetch.c +++ b/deps/openssl/openssl/crypto/core_fetch.c @@ -105,19 +105,21 @@ static void ossl_method_construct_this(OSSL_PROVIDER *provider, } void *ossl_method_construct(OSSL_LIB_CTX *libctx, int operation_id, - int force_store, + OSSL_PROVIDER **provider_rw, int force_store, OSSL_METHOD_CONSTRUCT_METHOD *mcm, void *mcm_data) { void *method = NULL; - if ((method = mcm->get(NULL, mcm_data)) == NULL) { + if ((method = mcm->get(NULL, (const OSSL_PROVIDER **)provider_rw, + mcm_data)) == NULL) { + OSSL_PROVIDER *provider = provider_rw != NULL ? *provider_rw : NULL; struct construct_data_st cbdata; cbdata.store = NULL; cbdata.force_store = force_store; cbdata.mcm = mcm; cbdata.mcm_data = mcm_data; - ossl_algorithm_do_all(libctx, operation_id, NULL, + ossl_algorithm_do_all(libctx, operation_id, provider, ossl_method_construct_precondition, ossl_method_construct_this, ossl_method_construct_postcondition, 
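Review bot: The new library-context mismatch branch in `ossl_algorithm_do_all()` returns without leaving any trace for the caller. The function is `void`, and where `ossl_assert()` does not abort, the only visible effect is that no algorithm callback runs, which is indistinguishable from a provider that offers nothing. Recording the condition before returning would make the programming error described in the comment diagnosable, e.g. `ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);` ahead of the `return;`.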
@@ -125,11 +127,12 @@ void *ossl_method_construct(OSSL_LIB_CTX *libctx, int operation_id, /* If there is a temporary store, try there first */ if (cbdata.store != NULL) - method = mcm->get(cbdata.store, mcm_data); + method = mcm->get(cbdata.store, (const OSSL_PROVIDER **)provider_rw, + mcm_data); /* If no method was found yet, try the global store */ if (method == NULL) - method = mcm->get(NULL, mcm_data); + method = mcm->get(NULL, (const OSSL_PROVIDER **)provider_rw, mcm_data); } return method; diff --git a/deps/openssl/openssl/crypto/core_namemap.c b/deps/openssl/openssl/crypto/core_namemap.c index 415df3d8394d43..e1da724bd2f4df 100644 --- a/deps/openssl/openssl/crypto/core_namemap.c +++ b/deps/openssl/openssl/crypto/core_namemap.c @@ -397,7 +397,7 @@ static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name, if ((obj = OBJ_nid2obj(nid)) != NULL) { char txtoid[OSSL_MAX_NAME_SIZE]; - if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1)) + if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1) > 0) num = ossl_namemap_add_name(arg, num, txtoid); } } diff --git a/deps/openssl/openssl/crypto/cpt_err.c b/deps/openssl/openssl/crypto/cpt_err.c index 79c1a90595723d..8574f31a8124b4 100644 --- a/deps/openssl/openssl/crypto/cpt_err.c +++ b/deps/openssl/openssl/crypto/cpt_err.c @@ -29,6 +29,8 @@ static const ERR_STRING_DATA CRYPTO_str_reasons[] = { "insufficient param size"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE), "insufficient secure data space"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_NEGATIVE_VALUE), + "invalid negative value"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_NULL_ARGUMENT), "invalid null argument"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_OSSL_PARAM_TYPE), diff --git a/deps/openssl/openssl/crypto/crmf/crmf_pbm.c b/deps/openssl/openssl/crypto/crmf/crmf_pbm.c index aba6b3a16fb27f..88a8480cf73a33 100644 --- a/deps/openssl/openssl/crypto/crmf/crmf_pbm.c +++ b/deps/openssl/openssl/crypto/crmf/crmf_pbm.c 
@@ -200,8 +200,8 @@ int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq, mac_nid = OBJ_obj2nid(pbmp->mac->algorithm); if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL) - || !OBJ_obj2txt(hmac_mdname, sizeof(hmac_mdname), - OBJ_nid2obj(hmac_md_nid), 0)) { + || OBJ_obj2txt(hmac_mdname, sizeof(hmac_mdname), + OBJ_nid2obj(hmac_md_nid), 0) <= 0) { ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM); goto err; } diff --git a/deps/openssl/openssl/crypto/des/set_key.c b/deps/openssl/openssl/crypto/des/set_key.c index 9510dc2c6ad33b..adcfb7f12451c4 100644 --- a/deps/openssl/openssl/crypto/des/set_key.c +++ b/deps/openssl/openssl/crypto/des/set_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,6 +23,8 @@ #include "internal/deprecated.h" #include +#include "internal/constant_time.h" +#include "internal/nelem.h" #include "des_local.h" static const unsigned char odd_parity[256] = { @@ -62,15 +64,23 @@ void DES_set_odd_parity(DES_cblock *key) (*key)[i] = odd_parity[(*key)[i]]; } +/* + * Check that a key has the correct parity. + * Return 1 if parity is okay and 0 if not. + */ int DES_check_key_parity(const_DES_cblock *key) { unsigned int i; + unsigned char res = 0377, b; for (i = 0; i < DES_KEY_SZ; i++) { - if ((*key)[i] != odd_parity[(*key)[i]]) - return 0; + b = (*key)[i]; + b ^= b >> 4; + b ^= b >> 2; + b ^= b >> 1; + res &= constant_time_eq_8(b & 1, 1); } - return 1; + return (int)(res & 1); } /*- 
@@ -81,8 +91,7 @@ int DES_check_key_parity(const_DES_cblock *key) * %I John Wiley & Sons * %D 1984 */ -#define NUM_WEAK_KEY 16 -static const DES_cblock weak_keys[NUM_WEAK_KEY] = { +static const DES_cblock weak_keys[] = { /* weak keys */ {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE}, @@ -103,14 +112,20 @@ static const DES_cblock weak_keys[NUM_WEAK_KEY] = { {0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1} }; +/* + * Check for weak keys. + * Return 1 if the key is weak and 0 otherwise. + */ int DES_is_weak_key(const_DES_cblock *key) { - int i; + unsigned int i, res = 0; + int j; - for (i = 0; i < NUM_WEAK_KEY; i++) - if (memcmp(weak_keys[i], key, sizeof(DES_cblock)) == 0) - return 1; - return 0; + for (i = 0; i < OSSL_NELEM(weak_keys); i++) { + j = CRYPTO_memcmp(weak_keys[i], key, sizeof(DES_cblock)); + res |= constant_time_is_zero((unsigned int)j); + } + return (int)(res & 1); } /*- @@ -279,9 +294,17 @@ static const DES_LONG des_skb[8][64] = { } }; +/* Return values as DES_set_key_checked() but always set the key */ int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule) { - return DES_set_key_checked(key, schedule); + int ret = 0; + + if (!DES_check_key_parity(key)) + ret = -1; + if (DES_is_weak_key(key)) + ret = -2; + DES_set_key_unchecked(key, schedule); + return ret; } /*- diff --git a/deps/openssl/openssl/crypto/dh/dh_ameth.c b/deps/openssl/openssl/crypto/dh/dh_ameth.c index 0e577177ec4a81..38d8e7a38f610b 100644 --- a/deps/openssl/openssl/crypto/dh/dh_ameth.c +++ b/deps/openssl/openssl/crypto/dh/dh_ameth.c @@ -311,7 +311,7 @@ static int dh_security_bits(const EVP_PKEY *pkey) static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) { - return ossl_ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params, + return ossl_ffc_params_cmp(&a->pkey.dh->params, &b->pkey.dh->params, a->ameth != &ossl_dhx_asn1_meth); } 
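Review bot: DES_set_key now calls DES_set_key_unchecked() even when it is about to return -1 or -2, and the one-line comment above it does not spell that contract out. A caller that ignores the return value ends up with a usable schedule for a weak or bad-parity key, and a key that is both reports only -2 because the second `if` overwrites the first result. I would expand the comment to `/* Returns 0, -1 (bad parity) or -2 (weak key, takes precedence). The schedule is set in every case, so callers must check the return value. */`.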
diff --git a/deps/openssl/openssl/crypto/dh/dh_kdf.c b/deps/openssl/openssl/crypto/dh/dh_kdf.c index 7a234b8fb15abc..419e7711d36248 100644 --- a/deps/openssl/openssl/crypto/dh/dh_kdf.c +++ b/deps/openssl/openssl/crypto/dh/dh_kdf.c @@ -70,7 +70,7 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen, const OSSL_PROVIDER *prov = EVP_MD_get0_provider(md); OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); - if (!OBJ_obj2txt(key_alg, sizeof(key_alg), key_oid, 0)) + if (OBJ_obj2txt(key_alg, sizeof(key_alg), key_oid, 0) <= 0) return 0; return ossl_dh_kdf_X9_42_asn1(out, outlen, Z, Zlen, key_alg, diff --git a/deps/openssl/openssl/crypto/dsa/dsa_sign.c b/deps/openssl/openssl/crypto/dsa/dsa_sign.c index 6e87bd16571902..21b0cbd5fbefac 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_sign.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_sign.c @@ -65,7 +65,8 @@ DSA_SIG *d2i_DSA_SIG(DSA_SIG **psig, const unsigned char **ppin, long len) sig->r = BN_new(); if (sig->s == NULL) sig->s = BN_new(); - if (ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) { + if (sig->r == NULL || sig->s == NULL + || ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) { if (psig == NULL || *psig == NULL) DSA_SIG_free(sig); return NULL; diff --git a/deps/openssl/openssl/crypto/dso/dso_lib.c b/deps/openssl/openssl/crypto/dso/dso_lib.c index 4850e96a4b5e94..9d755986d755ef 100644 --- a/deps/openssl/openssl/crypto/dso/dso_lib.c +++ b/deps/openssl/openssl/crypto/dso/dso_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -10,20 +10,10 @@ #include "dso_local.h" #include "internal/refcount.h" -static DSO_METHOD *default_DSO_meth = NULL; - static DSO *DSO_new_method(DSO_METHOD *meth) { DSO *ret; - if (default_DSO_meth == NULL) { - /* - * We default to DSO_METH_openssl() which in turn defaults to - * stealing the "best available" method. Will fallback to - * DSO_METH_null() in the worst case. - */ - default_DSO_meth = DSO_METHOD_openssl(); - } ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ERR_raise(ERR_LIB_DSO, ERR_R_MALLOC_FAILURE); @@ -36,7 +26,7 @@ static DSO *DSO_new_method(DSO_METHOD *meth) OPENSSL_free(ret); return NULL; } - ret->meth = default_DSO_meth; + ret->meth = DSO_METHOD_openssl(); ret->references = 1; ret->lock = CRYPTO_THREAD_lock_new(); if (ret->lock == NULL) { @@ -309,9 +299,8 @@ char *DSO_convert_filename(DSO *dso, const char *filename) int DSO_pathbyaddr(void *addr, char *path, int sz) { - DSO_METHOD *meth = default_DSO_meth; - if (meth == NULL) - meth = DSO_METHOD_openssl(); + DSO_METHOD *meth = DSO_METHOD_openssl(); + if (meth->pathbyaddr == NULL) { ERR_raise(ERR_LIB_DSO, DSO_R_UNSUPPORTED); return -1; @@ -339,9 +328,8 @@ DSO *DSO_dsobyaddr(void *addr, int flags) void *DSO_global_lookup(const char *name) { - DSO_METHOD *meth = default_DSO_meth; - if (meth == NULL) - meth = DSO_METHOD_openssl(); + DSO_METHOD *meth = DSO_METHOD_openssl(); + if (meth->globallookup == NULL) { ERR_raise(ERR_LIB_DSO, DSO_R_UNSUPPORTED); return NULL; diff --git a/deps/openssl/openssl/crypto/ec/ec_asn1.c b/deps/openssl/openssl/crypto/ec/ec_asn1.c index 31519137c6a7a3..6323131a22b70f 100644 --- a/deps/openssl/openssl/crypto/ec/ec_asn1.c +++ b/deps/openssl/openssl/crypto/ec/ec_asn1.c 
@@ -1223,7 +1223,8 @@ ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **psig, const unsigned char **ppin, long len) sig->r = BN_new(); if (sig->s == NULL) sig->s = BN_new(); - if (ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) { + if (sig->r == NULL || sig->s == NULL + || ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) { if (psig == NULL || *psig == NULL) ECDSA_SIG_free(sig); return NULL; diff --git a/deps/openssl/openssl/crypto/ec/ec_deprecated.c b/deps/openssl/openssl/crypto/ec/ec_deprecated.c index cd2eec80b7938e..765894c3297714 100644 --- a/deps/openssl/openssl/crypto/ec/ec_deprecated.c +++ b/deps/openssl/openssl/crypto/ec/ec_deprecated.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -52,7 +52,7 @@ EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, return NULL; } - if (!BN_bn2binpad(bn, buf, buf_len)) { + if (BN_bn2binpad(bn, buf, buf_len) < 0) { OPENSSL_free(buf); return NULL; } diff --git a/deps/openssl/openssl/crypto/ec/ecx_backend.c b/deps/openssl/openssl/crypto/ec/ecx_backend.c index a0144d5a86bc2b..2ab7611be9af69 100644 --- a/deps/openssl/openssl/crypto/ec/ecx_backend.c +++ b/deps/openssl/openssl/crypto/ec/ecx_backend.c 
@@ -70,11 +70,23 @@ int ossl_ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], if (param_pub_key == NULL && param_priv_key == NULL) return 0; - if (param_priv_key != NULL - && !OSSL_PARAM_get_octet_string(param_priv_key, - (void **)&ecx->privkey, ecx->keylen, - &privkeylen)) - return 0; + if (param_priv_key != NULL) { + if (!OSSL_PARAM_get_octet_string(param_priv_key, + (void **)&ecx->privkey, ecx->keylen, + &privkeylen)) + return 0; + if (privkeylen != ecx->keylen) { + /* + * Invalid key length. We will clear what we've received now. We + * can't leave it to ossl_ecx_key_free() because that will call + * OPENSSL_secure_clear_free() and assume the correct key length + */ + OPENSSL_secure_clear_free(ecx->privkey, privkeylen); + ecx->privkey = NULL; + return 0; + } + } + pubkey = ecx->pubkey; if (param_pub_key != NULL @@ -83,8 +95,7 @@ int ossl_ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], sizeof(ecx->pubkey), &pubkeylen)) return 0; - if ((param_pub_key != NULL && pubkeylen != ecx->keylen) - || (param_priv_key != NULL && privkeylen != ecx->keylen)) + if ((param_pub_key != NULL && pubkeylen != ecx->keylen)) return 0; if (param_pub_key == NULL && !ossl_ecx_public_from_private(ecx)) diff --git a/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c b/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c index 8f0786c941db4a..6d444373147dbd 100644 --- a/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c +++ b/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c @@ -125,7 +125,8 @@ static OSSL_METHOD_STORE *get_decoder_store(OSSL_LIB_CTX *libctx) } /* Get decoder methods from a store, or put one in */ -static void *get_decoder_from_store(void *store, void *data) +static void *get_decoder_from_store(void *store, const OSSL_PROVIDER **prov, + void *data) { struct decoder_data_st *methdata = data; void *method = NULL; 
@@ -154,7 +155,7 @@ static void *get_decoder_from_store(void *store, void *data) && (store = get_decoder_store(methdata->libctx)) == NULL) return NULL; - if (!ossl_method_store_fetch(store, id, methdata->propquery, &method)) + if (!ossl_method_store_fetch(store, id, methdata->propquery, prov, &method)) return NULL; return method; } @@ -366,7 +367,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, unsupported = 1; if (id == 0 - || !ossl_method_store_cache_get(store, id, properties, &method)) { + || !ossl_method_store_cache_get(store, NULL, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_decoder_store, get_decoder_from_store, @@ -380,7 +381,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_DECODER, - 0 /* !force_cache */, + NULL, 0 /* !force_cache */, &mcm, methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -391,7 +392,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, if (id == 0 && name != NULL) id = ossl_namemap_name2num(namemap, name); if (id != 0) - ossl_method_store_cache_set(store, id, properties, method, + ossl_method_store_cache_set(store, NULL, id, properties, method, up_ref_decoder, free_decoder); } diff --git a/deps/openssl/openssl/crypto/encode_decode/encoder_lib.c b/deps/openssl/openssl/crypto/encode_decode/encoder_lib.c index 6c20fbb3d16703..cfd9275172f591 100644 --- a/deps/openssl/openssl/crypto/encode_decode/encoder_lib.c +++ b/deps/openssl/openssl/crypto/encode_decode/encoder_lib.c @@ -92,7 +92,7 @@ int OSSL_ENCODER_to_fp(OSSL_ENCODER_CTX *ctx, FILE *fp) int OSSL_ENCODER_to_data(OSSL_ENCODER_CTX *ctx, unsigned char **pdata, size_t *pdata_len) { - BIO *out = BIO_new(BIO_s_mem()); + BIO *out; BUF_MEM *buf = NULL; int ret = 0; 
@@ -101,7 +101,10 @@ int OSSL_ENCODER_to_data(OSSL_ENCODER_CTX *ctx, unsigned char **pdata, return 0; } - if (OSSL_ENCODER_to_bio(ctx, out) + out = BIO_new(BIO_s_mem()); + + if (out != NULL + && OSSL_ENCODER_to_bio(ctx, out) && BIO_get_mem_ptr(out, &buf) > 0) { ret = 1; /* Hope for the best. A too small buffer will clear this */ diff --git a/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c b/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c index 9f7ecc82cbd4dd..9c0214db6bc741 100644 --- a/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c +++ b/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c @@ -125,7 +125,8 @@ static OSSL_METHOD_STORE *get_encoder_store(OSSL_LIB_CTX *libctx) } /* Get encoder methods from a store, or put one in */ -static void *get_encoder_from_store(void *store, void *data) +static void *get_encoder_from_store(void *store, const OSSL_PROVIDER **prov, + void *data) { struct encoder_data_st *methdata = data; void *method = NULL; @@ -154,7 +155,7 @@ static void *get_encoder_from_store(void *store, void *data) && (store = get_encoder_store(methdata->libctx)) == NULL) return NULL; - if (!ossl_method_store_fetch(store, id, methdata->propquery, &method)) + if (!ossl_method_store_fetch(store, id, methdata->propquery, prov, &method)) return NULL; return method; } @@ -376,7 +377,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, unsupported = 1; if (id == 0 - || !ossl_method_store_cache_get(store, id, properties, &method)) { + || !ossl_method_store_cache_get(store, NULL, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_encoder_store, get_encoder_from_store, 
@@ -390,7 +391,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_ENCODER, - 0 /* !force_cache */, + NULL, 0 /* !force_cache */, &mcm, methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -400,7 +401,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, */ if (id == 0) id = ossl_namemap_name2num(namemap, name); - ossl_method_store_cache_set(store, id, properties, method, + ossl_method_store_cache_set(store, NULL, id, properties, method, up_ref_encoder, free_encoder); } diff --git a/deps/openssl/openssl/crypto/engine/eng_dyn.c b/deps/openssl/openssl/crypto/engine/eng_dyn.c index f401063d377bbd..c8a54f7d44427a 100644 --- a/deps/openssl/openssl/crypto/engine/eng_dyn.c +++ b/deps/openssl/openssl/crypto/engine/eng_dyn.c @@ -484,7 +484,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) engine_set_all_null(e); /* Try to bind the ENGINE onto our own ENGINE structure */ - if (!ctx->bind_engine(e, ctx->engine_id, &fns)) { + if (!engine_add_dynamic_id(e, (ENGINE_DYNAMIC_ID)ctx->bind_engine, 1) + || !ctx->bind_engine(e, ctx->engine_id, &fns)) { + engine_remove_dynamic_id(e, 1); ctx->bind_engine = NULL; ctx->v_check = NULL; DSO_free(ctx->dynamic_dso); diff --git a/deps/openssl/openssl/crypto/engine/eng_lib.c b/deps/openssl/openssl/crypto/engine/eng_lib.c index 44e997e77b332d..05c6a67c1e1b51 100644 --- a/deps/openssl/openssl/crypto/engine/eng_lib.c +++ b/deps/openssl/openssl/crypto/engine/eng_lib.c @@ -65,6 +65,7 @@ void engine_set_all_null(ENGINE *e) e->load_pubkey = NULL; e->cmd_defns = NULL; e->flags = 0; + e->dynamic_id = NULL; } int engine_free_util(ENGINE *e, int not_locked) 
@@ -90,6 +91,7 @@ int engine_free_util(ENGINE *e, int not_locked) */ if (e->destroy) e->destroy(e); + engine_remove_dynamic_id(e, not_locked); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data); OPENSSL_free(e); return 1; diff --git a/deps/openssl/openssl/crypto/engine/eng_list.c b/deps/openssl/openssl/crypto/engine/eng_list.c index fec0ef7129c40f..04c73c76286486 100644 --- a/deps/openssl/openssl/crypto/engine/eng_list.c +++ b/deps/openssl/openssl/crypto/engine/eng_list.c @@ -27,6 +27,12 @@ static ENGINE *engine_list_head = NULL; static ENGINE *engine_list_tail = NULL; +/* + * The linked list of currently loaded dynamic engines. + */ +static ENGINE *engine_dyn_list_head = NULL; +static ENGINE *engine_dyn_list_tail = NULL; + /* * This cleanup function is only needed internally. If it should be called, * we register it with the "engine_cleanup_int()" stack to be called during 
@@ -128,6 +134,85 @@ static int engine_list_remove(ENGINE *e) return 1; } +/* Add engine to dynamic engine list. */ +int engine_add_dynamic_id(ENGINE *e, ENGINE_DYNAMIC_ID dynamic_id, + int not_locked) +{ + int result = 0; + ENGINE *iterator = NULL; + + if (e == NULL) + return 0; + + if (e->dynamic_id == NULL && dynamic_id == NULL) + return 0; + + if (not_locked && !CRYPTO_THREAD_write_lock(global_engine_lock)) + return 0; + + if (dynamic_id != NULL) { + iterator = engine_dyn_list_head; + while (iterator != NULL) { + if (iterator->dynamic_id == dynamic_id) + goto err; + iterator = iterator->next; + } + if (e->dynamic_id != NULL) + goto err; + e->dynamic_id = dynamic_id; + } + + if (engine_dyn_list_head == NULL) { + /* We are adding to an empty list. */ + if (engine_dyn_list_tail != NULL) + goto err; + engine_dyn_list_head = e; + e->prev_dyn = NULL; + } else { + /* We are adding to the tail of an existing list. */ + if (engine_dyn_list_tail == NULL + || engine_dyn_list_tail->next_dyn != NULL) + goto err; + engine_dyn_list_tail->next_dyn = e; + e->prev_dyn = engine_dyn_list_tail; + } + + engine_dyn_list_tail = e; + e->next_dyn = NULL; + result = 1; + + err: + if (not_locked) + CRYPTO_THREAD_unlock(global_engine_lock); + return result; +} + +/* Remove engine from dynamic engine list. */ +void engine_remove_dynamic_id(ENGINE *e, int not_locked) +{ + if (e == NULL || e->dynamic_id == NULL) + return; + + if (not_locked && !CRYPTO_THREAD_write_lock(global_engine_lock)) + return; + + e->dynamic_id = NULL; + + /* un-link e from the chain. */ + if (e->next_dyn != NULL) + e->next_dyn->prev_dyn = e->prev_dyn; + if (e->prev_dyn != NULL) + e->prev_dyn->next_dyn = e->next_dyn; + /* Correct our head/tail if necessary. */ + if (engine_dyn_list_head == e) + engine_dyn_list_head = e->next_dyn; + if (engine_dyn_list_tail == e) + engine_dyn_list_tail = e->prev_dyn; + + if (not_locked) + CRYPTO_THREAD_unlock(global_engine_lock); +} + /* Get the first/last "ENGINE" type available. 
*/ ENGINE *ENGINE_get_first(void) { @@ -278,6 +363,8 @@ static void engine_cpy(ENGINE *dest, const ENGINE *src) dest->load_pubkey = src->load_pubkey; dest->cmd_defns = src->cmd_defns; dest->flags = src->flags; + dest->dynamic_id = src->dynamic_id; + engine_add_dynamic_id(dest, NULL, 0); } ENGINE *ENGINE_by_id(const char *id) diff --git a/deps/openssl/openssl/crypto/engine/eng_local.h b/deps/openssl/openssl/crypto/engine/eng_local.h index 455dc1fdb78187..03a86299cf88b8 100644 --- a/deps/openssl/openssl/crypto/engine/eng_local.h +++ b/deps/openssl/openssl/crypto/engine/eng_local.h @@ -99,6 +99,11 @@ void engine_pkey_asn1_meths_free(ENGINE *e); extern CRYPTO_ONCE engine_lock_init; DECLARE_RUN_ONCE(do_engine_lock_init) +typedef void (*ENGINE_DYNAMIC_ID)(void); +int engine_add_dynamic_id(ENGINE *e, ENGINE_DYNAMIC_ID dynamic_id, + int not_locked); +void engine_remove_dynamic_id(ENGINE *e, int not_locked); + /* * This is a structure for storing implementations of various crypto * algorithms and functions. @@ -143,6 +148,10 @@ struct engine_st { /* Used to maintain the linked-list of engines. */ struct engine_st *prev; struct engine_st *next; + /* Used to maintain the linked-list of dynamic engines. */ + struct engine_st *prev_dyn; + struct engine_st *next_dyn; + ENGINE_DYNAMIC_ID dynamic_id; }; typedef struct st_engine_pile ENGINE_PILE; diff --git a/deps/openssl/openssl/crypto/err/err.c b/deps/openssl/openssl/crypto/err/err.c index 60a9b02d19aaed..c605c21f01b962 100644 --- a/deps/openssl/openssl/crypto/err/err.c +++ b/deps/openssl/openssl/crypto/err/err.c @@ -80,6 +80,10 @@ static ERR_STRING_DATA ERR_str_libraries[] = { {0, NULL}, }; +/* + * Should make sure that all ERR_R_ reasons defined in include/openssl/err.h.in + * are listed. For maintainability, please keep all reasons in the same order. + */ static ERR_STRING_DATA ERR_str_reasons[] = { {ERR_R_SYS_LIB, "system lib"}, {ERR_R_BN_LIB, "BN lib"}, 
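Review bot: The duplicate check in engine_add_dynamic_id (eng_list.c) advances with `iterator = iterator->next;`, but the dynamic list is linked through `next_dyn`/`prev_dyn` everywhere else in this hunk. Starting from `engine_dyn_list_head`, the loop therefore follows the main engine list's link, so it can miss an entry that already carries the same `dynamic_id` or inspect engines that are not on the dynamic list at all. The line should read `iterator = iterator->next_dyn;`. Separately, engine_remove_dynamic_id leaves `e->next_dyn` and `e->prev_dyn` pointing at the former neighbours after unlinking; setting both to NULL there would keep a reused ENGINE from carrying stale links.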
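Review bot: engine_cpy discards the result of `engine_add_dynamic_id(dest, NULL, 0)` and nothing in the hunk says why that is safe. Reading the function added above, the call returns 0 without touching the list when `src->dynamic_id` is NULL, and passing 0 for `not_locked` skips the write lock, so the caller presumably already holds `global_engine_lock`. A comment such as `/* No-op for non-dynamic engines; caller must hold global_engine_lock. */` would record both assumptions. engine_cpy begins outside the hunk.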
@@ -92,17 +96,16 @@ static ERR_STRING_DATA ERR_str_reasons[] = { {ERR_R_DSA_LIB, "DSA lib"}, {ERR_R_X509_LIB, "X509 lib"}, {ERR_R_ASN1_LIB, "ASN1 lib"}, + {ERR_R_CRYPTO_LIB, "CRYPTO lib"}, {ERR_R_EC_LIB, "EC lib"}, {ERR_R_BIO_LIB, "BIO lib"}, {ERR_R_PKCS7_LIB, "PKCS7 lib"}, {ERR_R_X509V3_LIB, "X509V3 lib"}, {ERR_R_ENGINE_LIB, "ENGINE lib"}, {ERR_R_UI_LIB, "UI lib"}, - {ERR_R_OSSL_STORE_LIB, "STORE lib"}, {ERR_R_ECDSA_LIB, "ECDSA lib"}, - - {ERR_R_NESTED_ASN1_ERROR, "nested asn1 error"}, - {ERR_R_MISSING_ASN1_EOS, "missing asn1 eos"}, + {ERR_R_OSSL_STORE_LIB, "OSSL_STORE lib"}, + {ERR_R_OSSL_DECODER_LIB, "OSSL_DECODER lib"}, {ERR_R_FATAL, "fatal"}, {ERR_R_MALLOC_FAILURE, "malloc failure"}, @@ -112,10 +115,12 @@ static ERR_STRING_DATA ERR_str_reasons[] = { {ERR_R_INTERNAL_ERROR, "internal error"}, {ERR_R_DISABLED, "called a function that was disabled at compile-time"}, {ERR_R_INIT_FAIL, "init fail"}, + {ERR_R_PASSED_INVALID_ARGUMENT, "passed invalid argument"}, {ERR_R_OPERATION_FAIL, "operation fail"}, {ERR_R_INVALID_PROVIDER_FUNCTIONS, "invalid provider functions"}, {ERR_R_INTERRUPTED_OR_CANCELLED, "interrupted or cancelled"}, - + {ERR_R_NESTED_ASN1_ERROR, "nested asn1 error"}, + {ERR_R_MISSING_ASN1_EOS, "missing asn1 eos"}, /* * Something is unsupported, exactly what is expressed with additional data */ @@ -125,7 +130,6 @@ static ERR_STRING_DATA ERR_str_reasons[] = { * unsupported. */ {ERR_R_FETCH_FAILED, "fetch failed"}, - {ERR_R_INVALID_PROPERTY_DEFINITION, "invalid property definition"}, {ERR_R_UNABLE_TO_GET_READ_LOCK, "unable to get read lock"}, {ERR_R_UNABLE_TO_GET_WRITE_LOCK, "unable to get write lock"}, diff --git a/deps/openssl/openssl/crypto/err/openssl.txt b/deps/openssl/openssl/crypto/err/openssl.txt index c891b13ddbd23a..ce9d274e689990 100644 --- a/deps/openssl/openssl/crypto/err/openssl.txt +++ b/deps/openssl/openssl/crypto/err/openssl.txt 
@@ -434,6 +434,7 @@ CRYPTO_R_ILLEGAL_HEX_DIGIT:102:illegal hex digit CRYPTO_R_INSUFFICIENT_DATA_SPACE:106:insufficient data space CRYPTO_R_INSUFFICIENT_PARAM_SIZE:107:insufficient param size CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE:108:insufficient secure data space +CRYPTO_R_INVALID_NEGATIVE_VALUE:122:invalid negative value CRYPTO_R_INVALID_NULL_ARGUMENT:109:invalid null argument CRYPTO_R_INVALID_OSSL_PARAM_TYPE:110:invalid ossl param type CRYPTO_R_ODD_NUMBER_OF_DIGITS:103:odd number of digits @@ -778,6 +779,7 @@ HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from https to http HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error +HTTP_R_RETRY_TIMEOUT:129:retry timeout HTTP_R_SERVER_CANCELED_CONNECTION:127:server canceled connection HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported diff --git a/deps/openssl/openssl/crypto/evp/asymcipher.c b/deps/openssl/openssl/crypto/evp/asymcipher.c index 3150bfa94b2ba7..b7784c899457ee 100644 --- a/deps/openssl/openssl/crypto/evp/asymcipher.c +++ b/deps/openssl/openssl/crypto/evp/asymcipher.c @@ -24,7 +24,9 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation, void *provkey = NULL; EVP_ASYM_CIPHER *cipher = NULL; EVP_KEYMGMT *tmp_keymgmt = NULL; + const OSSL_PROVIDER *tmp_prov = NULL; const char *supported_ciph = NULL; + int iter; if (ctx == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 
@@ -39,56 +41,102 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation, if (evp_pkey_ctx_is_legacy(ctx)) goto legacy; + if (ctx->pkey == NULL) { + ERR_clear_last_mark(); + ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEY_SET); + goto err; + } + /* - * Ensure that the key is provided, either natively, or as a cached export. - * If not, go legacy + * Try to derive the supported asym cipher from |ctx->keymgmt|. */ - tmp_keymgmt = ctx->keymgmt; - provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, - &tmp_keymgmt, ctx->propquery); - if (provkey == NULL) - goto legacy; - if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) { + if (!ossl_assert(ctx->pkey->keymgmt == NULL + || ctx->pkey->keymgmt == ctx->keymgmt)) { + ERR_clear_last_mark(); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + goto err; + } + supported_ciph + = evp_keymgmt_util_query_operation_name(ctx->keymgmt, + OSSL_OP_ASYM_CIPHER); + if (supported_ciph == NULL) { ERR_clear_last_mark(); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } - EVP_KEYMGMT_free(ctx->keymgmt); - ctx->keymgmt = tmp_keymgmt; - - if (ctx->keymgmt->query_operation_name != NULL) - supported_ciph = - ctx->keymgmt->query_operation_name(OSSL_OP_ASYM_CIPHER); /* - * If we didn't get a supported ciph, assume there is one with the - * same name as the key type. + * We perform two iterations: + * + * 1. Do the normal asym cipher fetch, using the fetching data given by + * the EVP_PKEY_CTX. + * 2. Do the provider specific asym cipher fetch, from the same provider + * as |ctx->keymgmt| + * + * We then try to fetch the keymgmt from the same provider as the + * asym cipher, and try to export |ctx->pkey| to that keymgmt (when + * this keymgmt happens to be the same as |ctx->keymgmt|, the export + * is a no-op, but we call it anyway to not complicate the code even + * more). + * If the export call succeeds (returns a non-NULL provider key pointer), + * we're done and can perform the operation itself. 
If not, we perform + * the second iteration, or jump to legacy. */ - if (supported_ciph == NULL) - supported_ciph = ctx->keytype; + for (iter = 1, provkey = NULL; iter < 3 && provkey == NULL; iter++) { + EVP_KEYMGMT *tmp_keymgmt_tofree; - /* - * Because we cleared out old ops, we shouldn't need to worry about - * checking if cipher is already there. - */ - cipher = - EVP_ASYM_CIPHER_fetch(ctx->libctx, supported_ciph, ctx->propquery); + /* + * If we're on the second iteration, free the results from the first. + * They are NULL on the first iteration, so no need to check what + * iteration we're on. + */ + EVP_ASYM_CIPHER_free(cipher); + EVP_KEYMGMT_free(tmp_keymgmt); + + switch (iter) { + case 1: + cipher = EVP_ASYM_CIPHER_fetch(ctx->libctx, supported_ciph, + ctx->propquery); + if (cipher != NULL) + tmp_prov = EVP_ASYM_CIPHER_get0_provider(cipher); + break; + case 2: + tmp_prov = EVP_KEYMGMT_get0_provider(ctx->keymgmt); + cipher = + evp_asym_cipher_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_ciph, ctx->propquery); + if (cipher == NULL) + goto legacy; + break; + } + if (cipher == NULL) + continue; - if (cipher == NULL - || (EVP_KEYMGMT_get0_provider(ctx->keymgmt) - != EVP_ASYM_CIPHER_get0_provider(cipher))) { /* - * We don't need to free ctx->keymgmt here, as it's not necessarily - * tied to this operation. It will be freed by EVP_PKEY_CTX_free(). + * Ensure that the key is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |ctx->pkey|, but from the provider of the asym cipher method, using + * the same property query as when fetching the asym cipher method. 
+ * With the keymgmt we found (if we did), we try to export |ctx->pkey| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + * export it if |tmp_keymgmt| is different from |ctx->pkey|'s keymgmt) */ + tmp_keymgmt_tofree = tmp_keymgmt + = evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + EVP_KEYMGMT_get0_name(ctx->keymgmt), + ctx->propquery); + if (tmp_keymgmt != NULL) + provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, + &tmp_keymgmt, ctx->propquery); + if (tmp_keymgmt == NULL) + EVP_KEYMGMT_free(tmp_keymgmt_tofree); + } + + if (provkey == NULL) { EVP_ASYM_CIPHER_free(cipher); goto legacy; } - /* - * If we don't have the full support we need with provided methods, - * let's go see if legacy does. - */ ERR_pop_to_mark(); /* No more legacy from here down to legacy: */ @@ -125,6 +173,7 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation, if (ret <= 0) goto err; + EVP_KEYMGMT_free(tmp_keymgmt); return 1; legacy: @@ -133,6 +182,8 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation, * let's go see if legacy does. */ ERR_pop_to_mark(); + EVP_KEYMGMT_free(tmp_keymgmt); + tmp_keymgmt = NULL; if (ctx->pmeth == NULL || ctx->pmeth->encrypt == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -159,6 +210,7 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation, evp_pkey_ctx_free_old_ops(ctx); ctx->operation = EVP_PKEY_OP_UNDEFINED; } + EVP_KEYMGMT_free(tmp_keymgmt); return ret; } 
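Review bot: In the new fetch loop of evp_pkey_asym_cipher_init, `if (tmp_keymgmt == NULL) EVP_KEYMGMT_free(tmp_keymgmt_tofree);` only makes sense if evp_pkey_export_to_provider() clears the pointer it is handed when the export fails, and the hunk does not say so. The same assumption is what keeps the `EVP_KEYMGMT_free(tmp_keymgmt)` at the top of the second iteration and under `legacy:` from releasing a keymgmt twice. A short comment on that line would make the ownership visible, for example `/* export failed and reset tmp_keymgmt; drop the reference we fetched */`. The function starts outside the hunk.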
@@ -423,6 +475,17 @@ EVP_ASYM_CIPHER *EVP_ASYM_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, (void (*)(void *))EVP_ASYM_CIPHER_free); } +EVP_ASYM_CIPHER *evp_asym_cipher_fetch_from_prov(OSSL_PROVIDER *prov, + const char *algorithm, + const char *properties) +{ + return evp_generic_fetch_from_prov(prov, OSSL_OP_ASYM_CIPHER, + algorithm, properties, + evp_asym_cipher_from_algorithm, + (int (*)(void *))EVP_ASYM_CIPHER_up_ref, + (void (*)(void *))EVP_ASYM_CIPHER_free); +} + int EVP_ASYM_CIPHER_is_a(const EVP_ASYM_CIPHER *cipher, const char *name) { return evp_is_a(cipher->prov, cipher->name_id, NULL, name); diff --git a/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c b/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c index 88945e13e629b8..f6a2d1d0f857c2 100644 --- a/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c +++ b/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c @@ -465,8 +465,8 @@ static int default_fixup_args(enum state state, ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE); return 0; } - if (!BN_bn2nativepad(ctx->p2, - ctx->allocated_buf, ctx->buflen)) { + if (BN_bn2nativepad(ctx->p2, + ctx->allocated_buf, ctx->buflen) < 0) { OPENSSL_free(ctx->allocated_buf); ctx->allocated_buf = NULL; return 0; @@ -1026,10 +1026,23 @@ static int fix_dh_nid5114(enum state state, if (ctx->action_type != SET) return 0; - if (state == PRE_CTRL_STR_TO_PARAMS) { + switch (state) { + case PRE_CTRL_TO_PARAMS: + ctx->p2 = (char *)ossl_ffc_named_group_get_name + (ossl_ffc_uid_to_dh_named_group(ctx->p1)); + ctx->p1 = 0; + break; + + case PRE_CTRL_STR_TO_PARAMS: + if (ctx->p2 == NULL) + return 0; ctx->p2 = (char *)ossl_ffc_named_group_get_name (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2))); ctx->p1 = 0; + break; + + default: + break; } return default_fixup_args(state, translation, ctx); 
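Review bot: Neither new branch in fix_dh_nid5114 (ctrl_params_translate.c) checks the result of the named-group lookup before storing it in `ctx->p2`. `atoi(ctx->p2)` yields 0 for a non-numeric control string and `ctx->p1` is passed through as given, so an unrecognised id reaches `ossl_ffc_uid_to_dh_named_group()`; whether the name lookup and default_fixup_args() tolerate a NULL result is not visible in this hunk. If they do not, a guard after each assignment would do, `if (ctx->p2 == NULL) return 0;`, preferably with an ERR_raise so the caller learns the group was not recognised.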
@@ -1379,21 +1392,23 @@ static int fix_rsa_pss_saltlen(enum state state, if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL) || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) { size_t i; + int val; for (i = 0; i < OSSL_NELEM(str_value_map); i++) { if (strcmp(ctx->p2, str_value_map[i].ptr) == 0) break; } - if (i == OSSL_NELEM(str_value_map)) { - ctx->p1 = atoi(ctx->p2); - } else if (state == POST_CTRL_TO_PARAMS) { + + val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2) + : (int)str_value_map[i].id; + if (state == POST_CTRL_TO_PARAMS) { /* * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further * up */ - *(int *)ctx->orig_p2 = str_value_map[i].id; + *(int *)ctx->orig_p2 = val; } else { - ctx->p1 = (int)str_value_map[i].id; + ctx->p1 = val; } ctx->p2 = NULL; } @@ -1595,10 +1610,13 @@ static int get_payload_public_key(enum state state, const EC_GROUP *ecg = EC_KEY_get0_group(eckey); const EC_POINT *point = EC_KEY_get0_public_key(eckey); + if (bnctx == NULL) + return 0; ctx->sz = EC_POINT_point2buf(ecg, point, POINT_CONVERSION_COMPRESSED, &buf, bnctx); ctx->p2 = buf; + BN_CTX_free(bnctx); break; } return 0; @@ -2738,4 +2756,3 @@ int evp_pkey_get_params_to_ctrl(const EVP_PKEY *pkey, OSSL_PARAM *params) { return evp_pkey_setget_params_to_ctrl(pkey, GET, params); } - diff --git a/deps/openssl/openssl/crypto/evp/digest.c b/deps/openssl/openssl/crypto/evp/digest.c index 1f2910bc695f60..d3a28fa3515f70 100644 --- a/deps/openssl/openssl/crypto/evp/digest.c +++ b/deps/openssl/openssl/crypto/evp/digest.c @@ -228,7 +228,10 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); return 0; #else - EVP_MD *provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), ""); + /* The NULL digest is a special case */ + EVP_MD *provmd = EVP_MD_fetch(NULL, + type->type != NID_undef ? OBJ_nid2sn(type->type) + : "NULL", ""); if (provmd == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); 
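Review bot: The result of EC_POINT_point2buf() is stored in `ctx->sz` without being checked in get_payload_public_key. That call returns 0 on failure, so `ctx->p2 = buf` can then pass on whatever `buf` held before the call; its declaration is outside the hunk, so I cannot tell whether it starts as NULL. I would release the context first and then bail out, placing `if (ctx->sz == 0) return 0;` after `BN_CTX_free(bnctx);` and before the assignment to `ctx->p2`.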
@@ -506,11 +509,20 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { unsigned char *tmp_buf; - if (in == NULL || in->digest == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INPUT_NOT_INITIALIZED); + if (in == NULL) { + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (in->digest == NULL) { + /* copying uninitialized digest context */ + EVP_MD_CTX_reset(out); + if (out->fetched_digest != NULL) + EVP_MD_free(out->fetched_digest); + *out = *in; + return 1; + } + if (in->digest->prov == NULL || (in->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) goto legacy; diff --git a/deps/openssl/openssl/crypto/evp/e_rc5.c b/deps/openssl/openssl/crypto/evp/e_rc5.c index 3fb372360d4dff..3496a701931c9a 100644 --- a/deps/openssl/openssl/crypto/evp/e_rc5.c +++ b/deps/openssl/openssl/crypto/evp/e_rc5.c @@ -72,12 +72,13 @@ static int rc5_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) static int r_32_12_16_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { - if (EVP_CIPHER_CTX_get_key_length(ctx) > 255) { + const int key_len = EVP_CIPHER_CTX_get_key_length(ctx); + + if (key_len > 255 || key_len < 0) { ERR_raise(ERR_LIB_EVP, EVP_R_BAD_KEY_LENGTH); return 0; } - return RC5_32_set_key(&data(ctx)->ks, EVP_CIPHER_CTX_get_key_length(ctx), - key, data(ctx)->rounds); + return RC5_32_set_key(&data(ctx)->ks, key_len, key, data(ctx)->rounds); } #endif diff --git a/deps/openssl/openssl/crypto/evp/evp_fetch.c b/deps/openssl/openssl/crypto/evp/evp_fetch.c index 5303cf8859ea63..80da3fa4bf8e34 100644 --- a/deps/openssl/openssl/crypto/evp/evp_fetch.c +++ b/deps/openssl/openssl/crypto/evp/evp_fetch.c 
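Review bot: The new uninitialised-context branch in EVP_MD_CTX_copy_ex (digest.c) dereferences `out` without a NULL check and then copies the whole structure with `*out = *in;`. The struct assignment duplicates every pointer `in` holds, so if a context with `digest == NULL` can still own something (a `pctx` set by the caller, for instance), both contexts would later release the same object; whether that state is reachable is not visible here. I would add `if (out == NULL)` with the same ERR_R_PASSED_NULL_PARAMETER handling as `in`, and a comment stating which fields may be non-NULL when `in->digest` is NULL. The function continues outside the hunk.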
@@ -115,7 +115,8 @@ static uint32_t evp_method_id(int name_id, unsigned int operation_id) | (operation_id & METHOD_ID_OPERATION_MASK)); } -static void *get_evp_method_from_store(void *store, void *data) +static void *get_evp_method_from_store(void *store, const OSSL_PROVIDER **prov, + void *data) { struct evp_method_data_st *methdata = data; void *method = NULL; @@ -146,7 +147,7 @@ static void *get_evp_method_from_store(void *store, void *data) && (store = get_evp_method_store(methdata->libctx)) == NULL) return NULL; - if (!ossl_method_store_fetch(store, meth_id, methdata->propquery, + if (!ossl_method_store_fetch(store, meth_id, methdata->propquery, prov, &method)) return NULL; return method; @@ -234,7 +235,8 @@ static void destruct_evp_method(void *method, void *data) } static void * -inner_evp_generic_fetch(struct evp_method_data_st *methdata, int operation_id, +inner_evp_generic_fetch(struct evp_method_data_st *methdata, + OSSL_PROVIDER *prov, int operation_id, int name_id, const char *name, const char *properties, void *(*new_method)(int name_id, @@ -297,7 +299,8 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, int operation_id, unsupported = 1; if (meth_id == 0 - || !ossl_method_store_cache_get(store, meth_id, properties, &method)) { + || !ossl_method_store_cache_get(store, prov, meth_id, properties, + &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_evp_method_store, get_evp_method_from_store, @@ -315,7 +318,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, int operation_id, methdata->destruct_method = free_method; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, operation_id, - 0 /* !force_cache */, + &prov, 0 /* !force_cache */, &mcm, methdata)) != NULL) { /* * If construction did create a method for us, we know that 
@@ -327,8 +330,8 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, int operation_id, name_id = ossl_namemap_name2num(namemap, name); meth_id = evp_method_id(name_id, operation_id); if (name_id != 0) - ossl_method_store_cache_set(store, meth_id, properties, method, - up_ref_method, free_method); + ossl_method_store_cache_set(store, prov, meth_id, properties, + method, up_ref_method, free_method); } /* @@ -366,8 +369,8 @@ void *evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, methdata.libctx = libctx; methdata.tmp_store = NULL; - method = inner_evp_generic_fetch(&methdata, - operation_id, 0, name, properties, + method = inner_evp_generic_fetch(&methdata, NULL, operation_id, + 0, name, properties, new_method, up_ref_method, free_method); dealloc_tmp_evp_method_store(methdata.tmp_store); return method; @@ -378,7 +381,7 @@ void *evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, * already known names, i.e. it refuses to work if no name_id can be found * (it's considered an internal programming error). * This is meant to be used when one method needs to fetch an associated - * other method. + * method. */ void *evp_generic_fetch_by_number(OSSL_LIB_CTX *libctx, int operation_id, int name_id, const char *properties, 
@@ -393,8 +396,34 @@ void *evp_generic_fetch_by_number(OSSL_LIB_CTX *libctx, int operation_id, methdata.libctx = libctx; methdata.tmp_store = NULL; - method = inner_evp_generic_fetch(&methdata, - operation_id, name_id, NULL, properties, + method = inner_evp_generic_fetch(&methdata, NULL, operation_id, + name_id, NULL, properties, + new_method, up_ref_method, free_method); + dealloc_tmp_evp_method_store(methdata.tmp_store); + return method; +} + +/* + * evp_generic_fetch_from_prov() is special, and only returns methods from + * the given provider. + * This is meant to be used when one method needs to fetch an associated + * method. + */ +void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, + const char *name, const char *properties, + void *(*new_method)(int name_id, + const OSSL_ALGORITHM *algodef, + OSSL_PROVIDER *prov), + int (*up_ref_method)(void *), + void (*free_method)(void *)) +{ + struct evp_method_data_st methdata; + void *method; + + methdata.libctx = ossl_provider_libctx(prov); + methdata.tmp_store = NULL; + method = inner_evp_generic_fetch(&methdata, prov, operation_id, + 0, name, properties, new_method, up_ref_method, free_method); dealloc_tmp_evp_method_store(methdata.tmp_store); return method; @@ -588,7 +617,7 @@ void evp_generic_do_all(OSSL_LIB_CTX *libctx, int operation_id, methdata.libctx = libctx; methdata.tmp_store = NULL; - (void)inner_evp_generic_fetch(&methdata, operation_id, 0, NULL, NULL, + (void)inner_evp_generic_fetch(&methdata, NULL, operation_id, 0, NULL, NULL, new_method, up_ref_method, free_method); data.operation_id = operation_id; diff --git a/deps/openssl/openssl/crypto/evp/evp_lib.c b/deps/openssl/openssl/crypto/evp/evp_lib.c index 64d7fb046de9c7..24092cfd5be059 100644 --- a/deps/openssl/openssl/crypto/evp/evp_lib.c +++ b/deps/openssl/openssl/crypto/evp/evp_lib.c 
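Review bot: evp_generic_fetch_from_prov() never checks `prov`, yet NULL is the value the other wrappers in this diff (`evp_generic_fetch`, `evp_generic_fetch_by_number`, `evp_generic_do_all`) pass to `inner_evp_generic_fetch()` for an unrestricted fetch. A NULL provider therefore either faults inside `ossl_provider_libctx(prov)` or, if that call tolerates NULL, quietly turns the provider-bound fetch into a fetch from any provider, which contradicts the comment above the function. I would start the body with `if (!ossl_assert(prov != NULL)) return NULL;`.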
@@ -999,7 +999,7 @@ EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx) if (ctx == NULL) return NULL; md = (EVP_MD *)ctx->reqdigest; - if (!EVP_MD_up_ref(md)) + if (md == NULL || !EVP_MD_up_ref(md)) return NULL; return md; } diff --git a/deps/openssl/openssl/crypto/evp/evp_local.h b/deps/openssl/openssl/crypto/evp/evp_local.h index f8fd3f05f5c4bb..d9e1ca997e222f 100644 --- a/deps/openssl/openssl/crypto/evp/evp_local.h +++ b/deps/openssl/openssl/crypto/evp/evp_local.h @@ -276,6 +276,13 @@ void *evp_generic_fetch_by_number(OSSL_LIB_CTX *ctx, int operation_id, OSSL_PROVIDER *prov), int (*up_ref_method)(void *), void (*free_method)(void *)); +void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, + const char *name, const char *properties, + void *(*new_method)(int name_id, + const OSSL_ALGORITHM *algodef, + OSSL_PROVIDER *prov), + int (*up_ref_method)(void *), + void (*free_method)(void *)); void evp_generic_do_all_prefetched(OSSL_LIB_CTX *libctx, int operation_id, void (*user_fn)(void *method, void *arg), void *user_arg); @@ -291,6 +298,21 @@ void evp_generic_do_all(OSSL_LIB_CTX *libctx, int operation_id, /* Internal fetchers for method types that are to be combined with others */ EVP_KEYMGMT *evp_keymgmt_fetch_by_number(OSSL_LIB_CTX *ctx, int name_id, const char *properties); +EVP_KEYMGMT *evp_keymgmt_fetch_from_prov(OSSL_PROVIDER *prov, + const char *name, + const char *properties); +EVP_SIGNATURE *evp_signature_fetch_from_prov(OSSL_PROVIDER *prov, + const char *name, + const char *properties); +EVP_ASYM_CIPHER *evp_asym_cipher_fetch_from_prov(OSSL_PROVIDER *prov, + const char *name, + const char *properties); +EVP_KEYEXCH *evp_keyexch_fetch_from_prov(OSSL_PROVIDER *prov, + const char *name, + const char *properties); +EVP_KEM *evp_kem_fetch_from_prov(OSSL_PROVIDER *prov, + const char *name, + const char *properties); /* Internal structure constructors for fetched methods */ EVP_MD *evp_md_new(void); 
diff --git a/deps/openssl/openssl/crypto/evp/exchange.c b/deps/openssl/openssl/crypto/evp/exchange.c index ca8a049a1bdf4d..e2ca30c94d06eb 100644 --- a/deps/openssl/openssl/crypto/evp/exchange.c +++ b/deps/openssl/openssl/crypto/evp/exchange.c @@ -10,6 +10,7 @@ #include #include #include +#include "internal/cryptlib.h" #include "internal/refcount.h" #include "internal/provider.h" #include "internal/core.h" @@ -180,6 +181,17 @@ EVP_KEYEXCH *EVP_KEYEXCH_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, (void (*)(void *))EVP_KEYEXCH_free); } +EVP_KEYEXCH *evp_keyexch_fetch_from_prov(OSSL_PROVIDER *prov, + const char *algorithm, + const char *properties) +{ + return evp_generic_fetch_from_prov(prov, OSSL_OP_KEYEXCH, + algorithm, properties, + evp_keyexch_from_algorithm, + (int (*)(void *))EVP_KEYEXCH_up_ref, + (void (*)(void *))EVP_KEYEXCH_free); +} + int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx) { return EVP_PKEY_derive_init_ex(ctx, NULL); @@ -191,7 +203,9 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]) void *provkey = NULL; EVP_KEYEXCH *exchange = NULL; EVP_KEYMGMT *tmp_keymgmt = NULL; + const OSSL_PROVIDER *tmp_prov = NULL; const char *supported_exch = NULL; + int iter; if (ctx == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); 
@@ -207,73 +221,113 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]) goto legacy; /* - * Ensure that the key is provided, either natively, or as a cached export. - * If not, goto legacy + * Some algorithms (e.g. legacy KDFs) don't have a pkey - so we create + * a blank one. */ - tmp_keymgmt = ctx->keymgmt; if (ctx->pkey == NULL) { - /* - * Some algorithms (e.g. legacy KDFs) don't have a pkey - so we create - * a blank one. - */ EVP_PKEY *pkey = EVP_PKEY_new(); - if (pkey == NULL || !EVP_PKEY_set_type_by_keymgmt(pkey, tmp_keymgmt)) { + if (pkey == NULL + || !EVP_PKEY_set_type_by_keymgmt(pkey, ctx->keymgmt) + || (pkey->keydata = evp_keymgmt_newdata(ctx->keymgmt)) == NULL) { ERR_clear_last_mark(); EVP_PKEY_free(pkey); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } - provkey = pkey->keydata = evp_keymgmt_newdata(tmp_keymgmt); - if (provkey == NULL) - EVP_PKEY_free(pkey); - else - ctx->pkey = pkey; - } else { - provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, - &tmp_keymgmt, ctx->propquery); + ctx->pkey = pkey; } - if (provkey == NULL) - goto legacy; - if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) { + + /* + * Try to derive the supported exch from |ctx->keymgmt|. + */ + if (!ossl_assert(ctx->pkey->keymgmt == NULL + || ctx->pkey->keymgmt == ctx->keymgmt)) { + ERR_clear_last_mark(); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + goto err; + } + supported_exch = evp_keymgmt_util_query_operation_name(ctx->keymgmt, + OSSL_OP_KEYEXCH); + if (supported_exch == NULL) { ERR_clear_last_mark(); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } - EVP_KEYMGMT_free(ctx->keymgmt); - ctx->keymgmt = tmp_keymgmt; - if (ctx->keymgmt->query_operation_name != NULL) - supported_exch = ctx->keymgmt->query_operation_name(OSSL_OP_KEYEXCH); /* - * If we didn't get a supported exch, assume there is one with the - * same name as the key type. + * We perform two iterations: + * + * 1. 
Do the normal exchange fetch, using the fetching data given by + * the EVP_PKEY_CTX. + * 2. Do the provider specific exchange fetch, from the same provider + * as |ctx->keymgmt| + * + * We then try to fetch the keymgmt from the same provider as the + * exchange, and try to export |ctx->pkey| to that keymgmt (when + * this keymgmt happens to be the same as |ctx->keymgmt|, the export + * is a no-op, but we call it anyway to not complicate the code even + * more). + * If the export call succeeds (returns a non-NULL provider key pointer), + * we're done and can perform the operation itself. If not, we perform + * the second iteration, or jump to legacy. */ - if (supported_exch == NULL) - supported_exch = ctx->keytype; + for (iter = 1, provkey = NULL; iter < 3 && provkey == NULL; iter++) { + EVP_KEYMGMT *tmp_keymgmt_tofree = NULL; - /* - * Because we cleared out old ops, we shouldn't need to worry about - * checking if exchange is already there. - */ - exchange = EVP_KEYEXCH_fetch(ctx->libctx, supported_exch, ctx->propquery); + /* + * If we're on the second iteration, free the results from the first. + * They are NULL on the first iteration, so no need to check what + * iteration we're on. + */ + EVP_KEYEXCH_free(exchange); + EVP_KEYMGMT_free(tmp_keymgmt); + + switch (iter) { + case 1: + exchange = + EVP_KEYEXCH_fetch(ctx->libctx, supported_exch, ctx->propquery); + if (exchange != NULL) + tmp_prov = EVP_KEYEXCH_get0_provider(exchange); + break; + case 2: + tmp_prov = EVP_KEYMGMT_get0_provider(ctx->keymgmt); + exchange = + evp_keyexch_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_exch, ctx->propquery); + if (exchange == NULL) + goto legacy; + break; + } + if (exchange == NULL) + continue; - if (exchange == NULL - || (EVP_KEYMGMT_get0_provider(ctx->keymgmt) - != EVP_KEYEXCH_get0_provider(exchange))) { /* - * We don't need to free ctx->keymgmt here, as it's not necessarily - * tied to this operation. It will be freed by EVP_PKEY_CTX_free(). 
+ * Ensure that the key is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |ctx->pkey|, but from the provider of the exchange method, using + * the same property query as when fetching the exchange method. + * With the keymgmt we found (if we did), we try to export |ctx->pkey| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + * export it if |tmp_keymgmt| is different from |ctx->pkey|'s keymgmt) */ + tmp_keymgmt_tofree = tmp_keymgmt = + evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + EVP_KEYMGMT_get0_name(ctx->keymgmt), + ctx->propquery); + if (tmp_keymgmt != NULL) + provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, + &tmp_keymgmt, ctx->propquery); + if (tmp_keymgmt == NULL) + EVP_KEYMGMT_free(tmp_keymgmt_tofree); + } + + if (provkey == NULL) { EVP_KEYEXCH_free(exchange); goto legacy; } - /* - * If we don't have the full support we need with provided methods, - * let's go see if legacy does. - */ ERR_pop_to_mark(); /* No more legacy from here down to legacy: */ @@ -287,10 +341,12 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]) } ret = exchange->init(ctx->op.kex.algctx, provkey, params); + EVP_KEYMGMT_free(tmp_keymgmt); return ret ? 1 : 0; err: evp_pkey_ctx_free_old_ops(ctx); ctx->operation = EVP_PKEY_OP_UNDEFINED; + EVP_KEYMGMT_free(tmp_keymgmt); return 0; legacy: @@ -313,6 +369,7 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]) ret = ctx->pmeth->derive_init(ctx); if (ret <= 0) ctx->operation = EVP_PKEY_OP_UNDEFINED; + EVP_KEYMGMT_free(tmp_keymgmt); return ret; #endif } diff --git a/deps/openssl/openssl/crypto/evp/kem.c b/deps/openssl/openssl/crypto/evp/kem.c index cb904a6b2670d7..7594888b97d13b 100644 --- a/deps/openssl/openssl/crypto/evp/kem.c +++ b/deps/openssl/openssl/crypto/evp/kem.c 
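Review bot: In the new two-pass loop of EVP_PKEY_derive_init_ex, `EVP_KEYMGMT_free(tmp_keymgmt)` at the top of each pass leaves `tmp_keymgmt` pointing at the released object until it is reassigned further down, and the `case 2:` branch can `goto legacy` inside that window, where `EVP_KEYMGMT_free(tmp_keymgmt)` runs again. Whether the first pass can end with `tmp_keymgmt` non-NULL and `provkey` NULL depends on evp_pkey_export_to_provider(), which is not shown, so this is a possible double release rather than a confirmed one. Adding `tmp_keymgmt = NULL;` right after the free at the top of the loop closes the window at no cost. The same loop shape appears in evp_kem_init (`goto err`) and do_sigver_init (`goto legacy`) later in this diff.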
@@ -23,8 +23,10 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation, int ret = 0; EVP_KEM *kem = NULL; EVP_KEYMGMT *tmp_keymgmt = NULL; + const OSSL_PROVIDER *tmp_prov = NULL; void *provkey = NULL; const char *supported_kem = NULL; + int iter; if (ctx == NULL || ctx->keytype == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); 
@@ -34,35 +36,101 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation, evp_pkey_ctx_free_old_ops(ctx); ctx->operation = operation; + if (ctx->pkey == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEY_SET); + goto err; + } + /* - * Ensure that the key is provided, either natively, or as a cached export. + * Try to derive the supported kem from |ctx->keymgmt|. */ - tmp_keymgmt = ctx->keymgmt; - provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, - &tmp_keymgmt, ctx->propquery); - if (provkey == NULL - || !EVP_KEYMGMT_up_ref(tmp_keymgmt)) { + if (!ossl_assert(ctx->pkey->keymgmt == NULL + || ctx->pkey->keymgmt == ctx->keymgmt)) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + goto err; + } + supported_kem = evp_keymgmt_util_query_operation_name(ctx->keymgmt, + OSSL_OP_KEM); + if (supported_kem == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } - EVP_KEYMGMT_free(ctx->keymgmt); - ctx->keymgmt = tmp_keymgmt; - - if (ctx->keymgmt->query_operation_name != NULL) - supported_kem = ctx->keymgmt->query_operation_name(OSSL_OP_KEM); /* - * If we didn't get a supported kem, assume there is one with the - * same name as the key type. + * Because we cleared out old ops, we shouldn't need to worry about + * checking if kem is already there. + * We perform two iterations: + * + * 1. Do the normal kem fetch, using the fetching data given by + * the EVP_PKEY_CTX. + * 2. Do the provider specific kem fetch, from the same provider + * as |ctx->keymgmt| + * + * We then try to fetch the keymgmt from the same provider as the + * kem, and try to export |ctx->pkey| to that keymgmt (when this + * keymgmt happens to be the same as |ctx->keymgmt|, the export is + * a no-op, but we call it anyway to not complicate the code even + * more). + * If the export call succeeds (returns a non-NULL provider key pointer), + * we're done and can perform the operation itself. If not, we perform + * the second iteration, or jump to legacy. 
*/ - if (supported_kem == NULL) - supported_kem = ctx->keytype; + for (iter = 1, provkey = NULL; iter < 3 && provkey == NULL; iter++) { + EVP_KEYMGMT *tmp_keymgmt_tofree = NULL; - kem = EVP_KEM_fetch(ctx->libctx, supported_kem, ctx->propquery); - if (kem == NULL - || (EVP_KEYMGMT_get0_provider(ctx->keymgmt) != EVP_KEM_get0_provider(kem))) { - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - ret = -2; + /* + * If we're on the second iteration, free the results from the first. + * They are NULL on the first iteration, so no need to check what + * iteration we're on. + */ + EVP_KEM_free(kem); + EVP_KEYMGMT_free(tmp_keymgmt); + + switch (iter) { + case 1: + kem = EVP_KEM_fetch(ctx->libctx, supported_kem, ctx->propquery); + if (kem != NULL) + tmp_prov = EVP_KEM_get0_provider(kem); + break; + case 2: + tmp_prov = EVP_KEYMGMT_get0_provider(ctx->keymgmt); + kem = evp_kem_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_kem, ctx->propquery); + + if (kem == NULL) { + ERR_raise(ERR_LIB_EVP, + EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + ret = -2; + goto err; + } + } + if (kem == NULL) + continue; + + /* + * Ensure that the key is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |ctx->pkey|, but from the provider of the kem method, using the + * same property query as when fetching the kem method. 
+ * With the keymgmt we found (if we did), we try to export |ctx->pkey| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + + * export it if |tmp_keymgmt| is different from |ctx->pkey|'s keymgmt) + */ + tmp_keymgmt_tofree = tmp_keymgmt = + evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + EVP_KEYMGMT_get0_name(ctx->keymgmt), + ctx->propquery); + if (tmp_keymgmt != NULL) + provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, + &tmp_keymgmt, ctx->propquery); + if (tmp_keymgmt == NULL) + EVP_KEYMGMT_free(tmp_keymgmt_tofree); + } + + if (provkey == NULL) { + EVP_KEM_free(kem); + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } @@ -96,6 +164,9 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation, goto err; } + EVP_KEYMGMT_free(tmp_keymgmt); + tmp_keymgmt = NULL; + if (ret > 0) return 1; err: @@ -103,6 +174,7 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation, evp_pkey_ctx_free_old_ops(ctx); ctx->operation = EVP_PKEY_OP_UNDEFINED; } + EVP_KEYMGMT_free(tmp_keymgmt); return ret; } @@ -338,6 +410,15 @@ EVP_KEM *EVP_KEM_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, (void (*)(void *))EVP_KEM_free); } +EVP_KEM *evp_kem_fetch_from_prov(OSSL_PROVIDER *prov, const char *algorithm, + const char *properties) +{ + return evp_generic_fetch_from_prov(prov, OSSL_OP_KEM, algorithm, properties, + evp_kem_from_algorithm, + (int (*)(void *))EVP_KEM_up_ref, + (void (*)(void *))EVP_KEM_free); +} + int EVP_KEM_is_a(const EVP_KEM *kem, const char *name) { return evp_is_a(kem->prov, kem->name_id, NULL, name); diff --git a/deps/openssl/openssl/crypto/evp/keymgmt_lib.c b/deps/openssl/openssl/crypto/evp/keymgmt_lib.c index 32e4fbcbaa0bb7..2a73e9a2be9485 100644 --- a/deps/openssl/openssl/crypto/evp/keymgmt_lib.c +++ b/deps/openssl/openssl/crypto/evp/keymgmt_lib.c 
@@ -197,6 +197,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) /* Add the new export to the operation cache */ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) { + CRYPTO_THREAD_unlock(pk->lock); evp_keymgmt_freedata(keymgmt, import_data.keydata); return NULL; } @@ -561,3 +562,22 @@ int evp_keymgmt_util_get_deflt_digest_name(EVP_KEYMGMT *keymgmt, OPENSSL_strlcpy(mdname, result, mdname_sz); return rv; } + +/* + * If |keymgmt| has the method function |query_operation_name|, use it to get + * the name of a supported operation identity. Otherwise, return the keytype, + * assuming that it works as a default operation name. + */ +const char *evp_keymgmt_util_query_operation_name(EVP_KEYMGMT *keymgmt, + int op_id) +{ + const char *name = NULL; + + if (keymgmt != NULL) { + if (keymgmt->query_operation_name != NULL) + name = keymgmt->query_operation_name(op_id); + if (name == NULL) + name = EVP_KEYMGMT_get0_name(keymgmt); + } + return name; +} diff --git a/deps/openssl/openssl/crypto/evp/keymgmt_meth.c b/deps/openssl/openssl/crypto/evp/keymgmt_meth.c index 47a0350cc2bb3a..fb999c7fd0e96c 100644 --- a/deps/openssl/openssl/crypto/evp/keymgmt_meth.c +++ b/deps/openssl/openssl/crypto/evp/keymgmt_meth.c @@ -213,6 +213,17 @@ EVP_KEYMGMT *evp_keymgmt_fetch_by_number(OSSL_LIB_CTX *ctx, int name_id, (void (*)(void *))EVP_KEYMGMT_free); } +EVP_KEYMGMT *evp_keymgmt_fetch_from_prov(OSSL_PROVIDER *prov, + const char *name, + const char *properties) +{ + return evp_generic_fetch_from_prov(prov, OSSL_OP_KEYMGMT, + name, properties, + keymgmt_from_algorithm, + (int (*)(void *))EVP_KEYMGMT_up_ref, + (void (*)(void *))EVP_KEYMGMT_free); +} + EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, const char *properties) { diff --git a/deps/openssl/openssl/crypto/evp/m_sigver.c b/deps/openssl/openssl/crypto/evp/m_sigver.c index 806ef3224cd3ac..9188edbc215fbb 100644 --- a/deps/openssl/openssl/crypto/evp/m_sigver.c 
+++ b/deps/openssl/openssl/crypto/evp/m_sigver.c @@ -45,10 +45,11 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, EVP_PKEY_CTX *locpctx = NULL; EVP_SIGNATURE *signature = NULL; EVP_KEYMGMT *tmp_keymgmt = NULL; + const OSSL_PROVIDER *tmp_prov = NULL; const char *supported_sig = NULL; char locmdname[80] = ""; /* 80 chars should be enough */ void *provkey = NULL; - int ret; + int ret, iter, reinit = 1; if (ctx->algctx != NULL) { if (!ossl_assert(ctx->digest != NULL)) { @@ -61,6 +62,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } if (ctx->pctx == NULL) { + reinit = 0; if (e == NULL) ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); else 
@@ -70,75 +72,133 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, return 0; locpctx = ctx->pctx; - evp_pkey_ctx_free_old_ops(locpctx); + ERR_set_mark(); + + if (evp_pkey_ctx_is_legacy(locpctx)) + goto legacy; + + /* do not reinitialize if pkey is set or operation is different */ + if (reinit + && (pkey != NULL + || locpctx->operation != (ver ? EVP_PKEY_OP_VERIFYCTX + : EVP_PKEY_OP_SIGNCTX) + || (signature = locpctx->op.sig.signature) == NULL + || locpctx->op.sig.algctx == NULL)) + reinit = 0; if (props == NULL) props = locpctx->propquery; - ERR_set_mark(); + if (locpctx->pkey == NULL) { + ERR_clear_last_mark(); + ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEY_SET); + goto err; + } - if (evp_pkey_ctx_is_legacy(locpctx)) - goto legacy; + if (!reinit) { + evp_pkey_ctx_free_old_ops(locpctx); + } else { + if (mdname == NULL && type == NULL) + mdname = canon_mdname(EVP_MD_get0_name(ctx->reqdigest)); + goto reinitialize; + } /* - * Ensure that the key is provided, either natively, or as a cached export. + * Try to derive the supported signature from |locpctx->keymgmt|. 
*/ - tmp_keymgmt = locpctx->keymgmt; - provkey = evp_pkey_export_to_provider(locpctx->pkey, locpctx->libctx, - &tmp_keymgmt, locpctx->propquery); - if (provkey == NULL) { + if (!ossl_assert(locpctx->pkey->keymgmt == NULL + || locpctx->pkey->keymgmt == locpctx->keymgmt)) { ERR_clear_last_mark(); - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); goto err; } - if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) { + supported_sig = evp_keymgmt_util_query_operation_name(locpctx->keymgmt, + OSSL_OP_SIGNATURE); + if (supported_sig == NULL) { ERR_clear_last_mark(); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } - EVP_KEYMGMT_free(locpctx->keymgmt); - locpctx->keymgmt = tmp_keymgmt; - - if (locpctx->keymgmt->query_operation_name != NULL) - supported_sig = - locpctx->keymgmt->query_operation_name(OSSL_OP_SIGNATURE); /* - * If we didn't get a supported sig, assume there is one with the - * same name as the key type. + * We perform two iterations: + * + * 1. Do the normal signature fetch, using the fetching data given by + * the EVP_PKEY_CTX. + * 2. Do the provider specific signature fetch, from the same provider + * as |ctx->keymgmt| + * + * We then try to fetch the keymgmt from the same provider as the + * signature, and try to export |ctx->pkey| to that keymgmt (when + * this keymgmt happens to be the same as |ctx->keymgmt|, the export + * is a no-op, but we call it anyway to not complicate the code even + * more). + * If the export call succeeds (returns a non-NULL provider key pointer), + * we're done and can perform the operation itself. If not, we perform + * the second iteration, or jump to legacy. */ - if (supported_sig == NULL) - supported_sig = locpctx->keytype; + for (iter = 1, provkey = NULL; iter < 3 && provkey == NULL; iter++) { + EVP_KEYMGMT *tmp_keymgmt_tofree = NULL; - /* - * Because we cleared out old ops, we shouldn't need to worry about - * checking if signature is already there. 
- */ - signature = EVP_SIGNATURE_fetch(locpctx->libctx, supported_sig, - locpctx->propquery); + /* + * If we're on the second iteration, free the results from the first. + * They are NULL on the first iteration, so no need to check what + * iteration we're on. + */ + EVP_SIGNATURE_free(signature); + EVP_KEYMGMT_free(tmp_keymgmt); + + switch (iter) { + case 1: + signature = EVP_SIGNATURE_fetch(locpctx->libctx, supported_sig, + locpctx->propquery); + if (signature != NULL) + tmp_prov = EVP_SIGNATURE_get0_provider(signature); + break; + case 2: + tmp_prov = EVP_KEYMGMT_get0_provider(locpctx->keymgmt); + signature = + evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_sig, locpctx->propquery); + if (signature == NULL) + goto legacy; + break; + } + if (signature == NULL) + continue; - if (signature == NULL - || (EVP_KEYMGMT_get0_provider(locpctx->keymgmt) - != EVP_SIGNATURE_get0_provider(signature))) { /* - * We don't need to free ctx->keymgmt here, as it's not necessarily - * tied to this operation. It will be freed by EVP_PKEY_CTX_free(). + * Ensure that the key is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |locpctx->pkey|, but from the provider of the signature method, using + * the same property query as when fetching the signature method. 
+ * With the keymgmt we found (if we did), we try to export |locpctx->pkey| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + + * export it if |tmp_keymgmt| is different from |locpctx->pkey|'s keymgmt) */ + tmp_keymgmt_tofree = tmp_keymgmt = + evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + EVP_KEYMGMT_get0_name(locpctx->keymgmt), + locpctx->propquery); + if (tmp_keymgmt != NULL) + provkey = evp_pkey_export_to_provider(locpctx->pkey, locpctx->libctx, + &tmp_keymgmt, locpctx->propquery); + if (tmp_keymgmt == NULL) + EVP_KEYMGMT_free(tmp_keymgmt_tofree); + } + + if (provkey == NULL) { EVP_SIGNATURE_free(signature); - goto legacy; + ERR_clear_last_mark(); + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + goto err; } - /* - * If we don't have the full support we need with provided methods, - * let's go see if legacy does. - */ ERR_pop_to_mark(); /* No more legacy from here down to legacy: */ - if (pctx != NULL) - *pctx = locpctx; - locpctx->op.sig.signature = signature; locpctx->operation = ver ? EVP_PKEY_OP_VERIFYCTX : EVP_PKEY_OP_SIGNCTX; @@ -148,12 +208,17 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } + + reinitialize: + if (pctx != NULL) + *pctx = locpctx; + if (type != NULL) { ctx->reqdigest = type; if (mdname == NULL) mdname = canon_mdname(EVP_MD_get0_name(type)); } else { - if (mdname == NULL) { + if (mdname == NULL && !reinit) { if (evp_keymgmt_util_get_deflt_digest_name(tmp_keymgmt, provkey, locmdname, sizeof(locmdname)) > 0) { @@ -221,6 +286,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, err: evp_pkey_ctx_free_old_ops(locpctx); locpctx->operation = EVP_PKEY_OP_UNDEFINED; + EVP_KEYMGMT_free(tmp_keymgmt); return 0; legacy: 
@@ -229,6 +295,8 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, * let's go see if legacy does. */ ERR_pop_to_mark(); + EVP_KEYMGMT_free(tmp_keymgmt); + tmp_keymgmt = NULL; if (type == NULL && mdname != NULL) type = evp_get_digestbyname_ex(locpctx->libctx, mdname); @@ -299,6 +367,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ret = evp_pkey_ctx_use_cached_data(locpctx); #endif + EVP_KEYMGMT_free(tmp_keymgmt); return ret > 0 ? 1 : 0; } @@ -411,14 +480,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen, - SIZE_MAX); + (siglen == NULL) ? 0 : *siglen); dctx = EVP_PKEY_CTX_dup(pctx); if (dctx == NULL) return 0; r = dctx->op.sig.signature->digest_sign_final(dctx->op.sig.algctx, sigret, siglen, - SIZE_MAX); + (siglen == NULL) ? 0 : *siglen); EVP_PKEY_CTX_free(dctx); return r; @@ -506,7 +575,8 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, && pctx->op.sig.signature != NULL) { if (pctx->op.sig.signature->digest_sign != NULL) return pctx->op.sig.signature->digest_sign(pctx->op.sig.algctx, - sigret, siglen, SIZE_MAX, + sigret, siglen, + sigret == NULL ? 0 : *siglen, tbs, tbslen); } else { /* legacy */ diff --git a/deps/openssl/openssl/crypto/evp/mac_lib.c b/deps/openssl/openssl/crypto/evp/mac_lib.c index 1a68c58919e974..24fdb35c8efc53 100644 --- a/deps/openssl/openssl/crypto/evp/mac_lib.c +++ b/deps/openssl/openssl/crypto/evp/mac_lib.c @@ -132,6 +132,7 @@ static int evp_mac_final(EVP_MAC_CTX *ctx, int xof, size_t l; int res; OSSL_PARAM params[2]; + size_t macsize; if (ctx == NULL || ctx->meth == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_NULL_ALGORITHM); 
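Review bot: EVP_DigestSignFinal now passes `(siglen == NULL) ? 0 : *siglen` as the buffer size in both calls, including the branch taken when `sigret == NULL`, so a plain size query reads `*siglen` before the caller has any reason to have set it. EVP_DigestSign in the same file tests the buffer pointer instead (`sigret == NULL ? 0 : *siglen`); using that form here keeps the size query from consuming an indeterminate value and makes the two entry points agree. In EVP_DigestSign the expression still dereferences `siglen` whenever `sigret` is non-NULL, so a NULL `siglen` with a real buffer needs an explicit rejection if it is not checked earlier in the function, which the hunk does not show.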
@@ -142,14 +143,19 @@ static int evp_mac_final(EVP_MAC_CTX *ctx, int xof, return 0; } + macsize = EVP_MAC_CTX_get_mac_size(ctx); if (out == NULL) { if (outl == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); return 0; } - *outl = EVP_MAC_CTX_get_mac_size(ctx); + *outl = macsize; return 1; } + if (outsize < macsize) { + ERR_raise(ERR_LIB_EVP, EVP_R_BUFFER_TOO_SMALL); + return 0; + } if (xof) { params[0] = OSSL_PARAM_construct_int(OSSL_MAC_PARAM_XOF, &xof); params[1] = OSSL_PARAM_construct_end(); diff --git a/deps/openssl/openssl/crypto/evp/p_lib.c b/deps/openssl/openssl/crypto/evp/p_lib.c index 2bc1237488d35f..27138af564219a 100644 --- a/deps/openssl/openssl/crypto/evp/p_lib.c +++ b/deps/openssl/openssl/crypto/evp/p_lib.c @@ -343,7 +343,7 @@ int EVP_PKEY_eq(const EVP_PKEY *a, const EVP_PKEY *b) if (a->keymgmt != NULL || b->keymgmt != NULL) return evp_pkey_cmp_any(a, b, (SELECT_PARAMETERS - | OSSL_KEYMGMT_SELECT_PUBLIC_KEY)); + | OSSL_KEYMGMT_SELECT_KEYPAIR)); /* All legacy keys */ if (a->type != b->type) @@ -529,12 +529,14 @@ static int get_raw_key_details(const OSSL_PARAM params[], void *arg) if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY)) != NULL) return OSSL_PARAM_get_octet_string(p, (void **)raw_key->key, - SIZE_MAX, raw_key->len); + raw_key->key == NULL ? 0 : *raw_key->len, + raw_key->len); } else if (raw_key->selection == OSSL_KEYMGMT_SELECT_PUBLIC_KEY) { if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY)) != NULL) return OSSL_PARAM_get_octet_string(p, (void **)raw_key->key, - SIZE_MAX, raw_key->len); + raw_key->key == NULL ? 0 : *raw_key->len, + raw_key->len); } return 0; @@ -630,7 +632,7 @@ static EVP_PKEY *new_cmac_key_int(const unsigned char *priv, size_t len, if (ctx == NULL) goto err; - if (!EVP_PKEY_fromdata_init(ctx)) { + if (EVP_PKEY_fromdata_init(ctx) <= 0) { ERR_raise(ERR_LIB_EVP, EVP_R_KEY_SETUP_FAILED); goto err; } 
@@ -649,7 +651,7 @@ static EVP_PKEY *new_cmac_key_int(const unsigned char *priv, size_t len, # endif *p = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params)) { + if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { ERR_raise(ERR_LIB_EVP, EVP_R_KEY_SETUP_FAILED); goto err; } @@ -1554,7 +1556,6 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, */ if (keymgmt == NULL) pkey->ameth = ameth; - pkey->engine = e; /* * The EVP_PKEY_ASN1_METHOD |pkey_id| retains its legacy key purpose @@ -1570,6 +1571,13 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, } else { pkey->type = EVP_PKEY_KEYMGMT; } +# ifndef OPENSSL_NO_ENGINE + if (eptr == NULL && e != NULL && !ENGINE_init(e)) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } +# endif + pkey->engine = e; #endif } return 1; @@ -1842,6 +1850,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, if (tmp_keymgmt == NULL) { EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pk, propquery); + if (ctx == NULL) + goto end; tmp_keymgmt = ctx->keymgmt; ctx->keymgmt = NULL; EVP_PKEY_CTX_free(ctx); diff --git a/deps/openssl/openssl/crypto/evp/pmeth_lib.c b/deps/openssl/openssl/crypto/evp/pmeth_lib.c index 1af16288236e0f..2b9c6c2351da2d 100644 --- a/deps/openssl/openssl/crypto/evp/pmeth_lib.c +++ b/deps/openssl/openssl/crypto/evp/pmeth_lib.c 
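Review bot: The new ENGINE_init() failure path in pkey_set_type returns 0 after `pkey->ameth` (previous hunk) and `pkey->type` have already been assigned, so a failed call leaves |pkey| partly typed with no engine attached. Either run the ENGINE_init() check before those assignments or say so at the return, e.g. `/* |pkey| is only partially set up here; callers must not reuse it */`. It is also worth a comment that the reference taken by ENGINE_init() has to be dropped with ENGINE_finish() when the key is freed; that release is not visible in this diff. The function body starts and ends outside both hunks.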
@@ -265,7 +265,20 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, * fetching a provider implementation. */ if (e == NULL && app_pmeth == NULL && keytype != NULL) { - keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery); + /* + * If |pkey| is given and is provided, we take a reference to its + * keymgmt. Otherwise, we fetch one for the keytype we got. This + * is to ensure that operation init functions can access what they + * need through this single pointer. + */ + if (pkey != NULL && pkey->keymgmt != NULL) { + if (!EVP_KEYMGMT_up_ref(pkey->keymgmt)) + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + else + keymgmt = pkey->keymgmt; + } else { + keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery); + } if (keymgmt == NULL) return NULL; /* EVP_KEYMGMT_fetch() recorded an error */ diff --git a/deps/openssl/openssl/crypto/evp/signature.c b/deps/openssl/openssl/crypto/evp/signature.c index e3bfdd56a2466c..49f40c8cec241a 100644 --- a/deps/openssl/openssl/crypto/evp/signature.c +++ b/deps/openssl/openssl/crypto/evp/signature.c @@ -314,6 +314,17 @@ EVP_SIGNATURE *EVP_SIGNATURE_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, (void (*)(void *))EVP_SIGNATURE_free); } +EVP_SIGNATURE *evp_signature_fetch_from_prov(OSSL_PROVIDER *prov, + const char *algorithm, + const char *properties) +{ + return evp_generic_fetch_from_prov(prov, OSSL_OP_SIGNATURE, + algorithm, properties, + evp_signature_from_algorithm, + (int (*)(void *))EVP_SIGNATURE_up_ref, + (void (*)(void *))EVP_SIGNATURE_free); +} + int EVP_SIGNATURE_is_a(const EVP_SIGNATURE *signature, const char *name) { return evp_is_a(signature->prov, signature->name_id, NULL, name); 
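Review bot: The context comment on `return NULL; /* EVP_KEYMGMT_fetch() recorded an error */` is no longer accurate in int_ctx_new, because |keymgmt| can now also be NULL when EVP_KEYMGMT_up_ref() fails in the new branch. I would change it to `/* EVP_KEYMGMT_up_ref() or EVP_KEYMGMT_fetch() failed and recorded an error */`. The new `if`/`else` under `pkey->keymgmt != NULL` would also read more safely with braces, since the error branch comes first and the assignment sits in the `else`. int_ctx_new continues outside the hunk.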
@@ -386,7 +397,9 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation, void *provkey = NULL; EVP_SIGNATURE *signature = NULL; EVP_KEYMGMT *tmp_keymgmt = NULL; + const OSSL_PROVIDER *tmp_prov = NULL; const char *supported_sig = NULL; + int iter; if (ctx == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); 
@@ -401,55 +414,102 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation, if (evp_pkey_ctx_is_legacy(ctx)) goto legacy; + if (ctx->pkey == NULL) { + ERR_clear_last_mark(); + ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEY_SET); + goto err; + } + /* - * Ensure that the key is provided, either natively, or as a cached export. - * If not, go legacy + * Try to derive the supported signature from |ctx->keymgmt|. */ - tmp_keymgmt = ctx->keymgmt; - provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, - &tmp_keymgmt, ctx->propquery); - if (tmp_keymgmt == NULL) - goto legacy; - if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) { + if (!ossl_assert(ctx->pkey->keymgmt == NULL + || ctx->pkey->keymgmt == ctx->keymgmt)) { + ERR_clear_last_mark(); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); + goto err; + } + supported_sig = evp_keymgmt_util_query_operation_name(ctx->keymgmt, + OSSL_OP_SIGNATURE); + if (supported_sig == NULL) { ERR_clear_last_mark(); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } - EVP_KEYMGMT_free(ctx->keymgmt); - ctx->keymgmt = tmp_keymgmt; - - if (ctx->keymgmt->query_operation_name != NULL) - supported_sig = ctx->keymgmt->query_operation_name(OSSL_OP_SIGNATURE); /* - * If we didn't get a supported sig, assume there is one with the - * same name as the key type. + * We perform two iterations: + * + * 1. Do the normal signature fetch, using the fetching data given by + * the EVP_PKEY_CTX. + * 2. Do the provider specific signature fetch, from the same provider + * as |ctx->keymgmt| + * + * We then try to fetch the keymgmt from the same provider as the + * signature, and try to export |ctx->pkey| to that keymgmt (when + * this keymgmt happens to be the same as |ctx->keymgmt|, the export + * is a no-op, but we call it anyway to not complicate the code even + * more). + * If the export call succeeds (returns a non-NULL provider key pointer), + * we're done and can perform the operation itself. 
If not, we perform + * the second iteration, or jump to legacy. */ - if (supported_sig == NULL) - supported_sig = ctx->keytype; + for (iter = 1; iter < 3 && provkey == NULL; iter++) { + EVP_KEYMGMT *tmp_keymgmt_tofree = NULL; - /* - * Because we cleared out old ops, we shouldn't need to worry about - * checking if signature is already there. - */ - signature = - EVP_SIGNATURE_fetch(ctx->libctx, supported_sig, ctx->propquery); + /* + * If we're on the second iteration, free the results from the first. + * They are NULL on the first iteration, so no need to check what + * iteration we're on. + */ + EVP_SIGNATURE_free(signature); + EVP_KEYMGMT_free(tmp_keymgmt); + + switch (iter) { + case 1: + signature = + EVP_SIGNATURE_fetch(ctx->libctx, supported_sig, ctx->propquery); + if (signature != NULL) + tmp_prov = EVP_SIGNATURE_get0_provider(signature); + break; + case 2: + tmp_prov = EVP_KEYMGMT_get0_provider(ctx->keymgmt); + signature = + evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_sig, ctx->propquery); + if (signature == NULL) + goto legacy; + break; + } + if (signature == NULL) + continue; - if (signature == NULL - || (EVP_KEYMGMT_get0_provider(ctx->keymgmt) - != EVP_SIGNATURE_get0_provider(signature))) { /* - * We don't need to free ctx->keymgmt here, as it's not necessarily - * tied to this operation. It will be freed by EVP_PKEY_CTX_free(). + * Ensure that the key is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |ctx->pkey|, but from the provider of the signature method, using + * the same property query as when fetching the signature method. 
+ * With the keymgmt we found (if we did), we try to export |ctx->pkey| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + + * export it if |tmp_keymgmt| is different from |ctx->pkey|'s keymgmt) */ + tmp_keymgmt_tofree = tmp_keymgmt = + evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + EVP_KEYMGMT_get0_name(ctx->keymgmt), + ctx->propquery); + if (tmp_keymgmt != NULL) + provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, + &tmp_keymgmt, ctx->propquery); + if (tmp_keymgmt == NULL) + EVP_KEYMGMT_free(tmp_keymgmt_tofree); + } + + if (provkey == NULL) { EVP_SIGNATURE_free(signature); goto legacy; } - /* - * If we don't have the full support we need with provided methods, - * let's go see if legacy does. - */ ERR_pop_to_mark(); /* No more legacy from here down to legacy: */ @@ -507,6 +567,8 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation, * let's go see if legacy does. */ ERR_pop_to_mark(); + EVP_KEYMGMT_free(tmp_keymgmt); + tmp_keymgmt = NULL; if (ctx->pmeth == NULL || (operation == EVP_PKEY_OP_SIGN && ctx->pmeth->sign == NULL) @@ -545,10 +607,12 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation, ret = evp_pkey_ctx_use_cached_data(ctx); #endif + EVP_KEYMGMT_free(tmp_keymgmt); return ret; err: evp_pkey_ctx_free_old_ops(ctx); ctx->operation = EVP_PKEY_OP_UNDEFINED; + EVP_KEYMGMT_free(tmp_keymgmt); return ret; } @@ -582,7 +646,7 @@ int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, goto legacy; ret = ctx->op.sig.signature->sign(ctx->op.sig.algctx, sig, siglen, - SIZE_MAX, tbs, tbslen); + (sig == NULL) ? 0 : *siglen, tbs, tbslen); return ret; legacy: diff --git a/deps/openssl/openssl/crypto/http/http_client.c b/deps/openssl/openssl/crypto/http/http_client.c index bb80836cd1b65d..7f8d8fc8d7d5a5 100644 --- a/deps/openssl/openssl/crypto/http/http_client.c +++ b/deps/openssl/openssl/crypto/http/http_client.c 
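Review bot: At the top of the new loop in evp_pkey_signature_init, `EVP_SIGNATURE_free(signature)` and `EVP_KEYMGMT_free(tmp_keymgmt)` leave both pointers dangling, and case 2 can then `goto legacy`, where the later hunk calls `EVP_KEYMGMT_free(tmp_keymgmt)` again. This is safe only while evp_pkey_export_to_provider() resets |tmp_keymgmt| to NULL whenever it returns NULL, which the `if (tmp_keymgmt == NULL) EVP_KEYMGMT_free(tmp_keymgmt_tofree);` line already assumes but which is not visible here. Adding `signature = NULL;` and `tmp_keymgmt = NULL;` right after the two frees removes that dependency at no cost. do_sigver_init, patched earlier in this chunk, has the matching frees on its legacy and exit paths; its loop is outside this view, so it should be checked for the same pattern.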
@@ -369,12 +369,13 @@ static OSSL_HTTP_REQ_CTX *http_req_ctx_new(int free_wbio, BIO *wbio, BIO *rbio, /* * Parse first HTTP response line. This should be like this: "HTTP/1.0 200 OK". - * We need to obtain the numeric code and (optional) informational message. + * We need to obtain the status code and (optional) informational message. + * Return any received HTTP response status code, or 0 on fatal error. */ static int parse_http_line1(char *line, int *found_keep_alive) { - int i, retcode; + int i, retcode, err; char *code, *reason, *end; if (!HAS_PREFIX(line, HTTP_PREFIX_VERSION)) @@ -430,22 +431,21 @@ static int parse_http_line1(char *line, int *found_keep_alive) case HTTP_STATUS_CODE_FOUND: return retcode; default: + err = HTTP_R_RECEIVED_ERROR; if (retcode < 400) - retcode = HTTP_R_STATUS_CODE_UNSUPPORTED; - else - retcode = HTTP_R_RECEIVED_ERROR; + err = HTTP_R_STATUS_CODE_UNSUPPORTED; if (*reason == '\0') - ERR_raise_data(ERR_LIB_HTTP, retcode, "code=%s", code); + ERR_raise_data(ERR_LIB_HTTP, err, "code=%s", code); else - ERR_raise_data(ERR_LIB_HTTP, retcode, - "code=%s, reason=%s", code, reason); - return 0; + ERR_raise_data(ERR_LIB_HTTP, err, "code=%s, reason=%s", code, + reason); + return retcode; } err: - i = 0; - while (i < 60 && ossl_isprint(line[i])) - i++; + for (i = 0; i < 60 && line[i] != '\0'; i++) + if (!ossl_isprint(line[i])) + line[i] = ' '; line[i] = '\0'; ERR_raise_data(ERR_LIB_HTTP, HTTP_R_HEADER_PARSE_ERROR, "content=%s", line); return 0; 
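Review bot: In the `default:` branch of parse_http_line1 the server-supplied `reason` text goes into ERR_raise_data() as received, while the `err:` path in the same hunk now replaces non-printable bytes before recording `line`. Unless `reason` is filtered in the part of the function outside this hunk, control characters sent by a remote server can reach whatever log or terminal prints the error queue. Applying the same filter first keeps the two paths consistent: `for (i = 0; reason[i] != '\0'; i++) if (!ossl_isprint(reason[i])) reason[i] = ' ';`.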
@@ -464,6 +464,21 @@ static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx, size_t len) return 1; } +static int may_still_retry(time_t max_time, int *ptimeout) +{ + time_t time_diff, now = time(NULL); + + if (max_time != 0) { + if (max_time < now) { + ERR_raise(ERR_LIB_HTTP, HTTP_R_RETRY_TIMEOUT); + return 0; + } + time_diff = max_time - now; + *ptimeout = time_diff > INT_MAX ? INT_MAX : (int)time_diff; + } + return 1; +} + /* * Try exchanging request and response via HTTP on (non-)blocking BIO in rctx. * Returns 1 on success, 0 on error or redirection, -1 on BIO_should_retry. @@ -474,7 +489,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) long n; size_t resp_len; const unsigned char *p; - char *key, *value, *line_end = NULL; + char *buf, *key, *value, *line_end = NULL; if (rctx == NULL) { ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); @@ -487,11 +502,20 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) rctx->redirection_url = NULL; next_io: + buf = (char *)rctx->buf; if ((rctx->state & OHS_NOREAD) == 0) { - if (rctx->expect_asn1) + if (rctx->expect_asn1) { n = BIO_read(rctx->rbio, rctx->buf, rctx->buf_size); - else - n = BIO_gets(rctx->rbio, (char *)rctx->buf, rctx->buf_size); + } else { + (void)ERR_set_mark(); + n = BIO_gets(rctx->rbio, buf, rctx->buf_size); + if (n == -2) { /* unsupported method */ + (void)ERR_pop_to_mark(); + n = BIO_get_line(rctx->rbio, buf, rctx->buf_size); + } else { + (void)ERR_clear_last_mark(); + } + } if (n <= 0) { if (BIO_should_retry(rctx->rbio)) return -1; @@ -592,7 +616,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) } goto next_io; } - n = BIO_gets(rctx->mem, (char *)rctx->buf, rctx->buf_size); + n = BIO_gets(rctx->mem, buf, rctx->buf_size); if (n <= 0) { if (BIO_should_retry(rctx->mem)) 
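Review bot: may_still_retry() rejects only `max_time < now`, so when the deadline equals the current second it stores 0 in `*ptimeout` and still reports that a retry is allowed. The `timeout > 0 ? time(NULL) + timeout : 0` initialiser in OSSL_HTTP_get and the `max_time != 0` test here both treat 0 as "no limit", so that 0 is likely to be read as an unlimited timeout by the redirected request; I would write `if (max_time <= now)`. `time(NULL) + timeout` in OSSL_HTTP_get is also computed without an overflow guard, which deserves a short comment on the accepted range of `timeout`.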
@@ -610,7 +634,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) /* First line */ if (rctx->state == OHS_FIRSTLINE) { - switch (parse_http_line1((char *)rctx->buf, &found_keep_alive)) { + switch (parse_http_line1(buf, &found_keep_alive)) { case HTTP_STATUS_CODE_OK: rctx->state = OHS_HEADERS; goto next_line; @@ -625,10 +649,10 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) /* fall through */ default: rctx->state = OHS_ERROR; - return 0; + goto next_line; } } - key = (char *)rctx->buf; + key = buf; value = strchr(key, ':'); if (value != NULL) { *(value++) = '\0'; @@ -684,11 +708,6 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) if (*p != '\0') /* not end of headers */ goto next_line; - if (rctx->expected_ct != NULL && !found_expected_ct) { - ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MISSING_CONTENT_TYPE, - "expected=%s", rctx->expected_ct); - return 0; - } if (rctx->keep_alive != 0 /* do not let server initiate keep_alive */ && !found_keep_alive /* otherwise there is no change */) { if (rctx->keep_alive == 2) { @@ -699,6 +718,14 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) rctx->keep_alive = 0; } + if (rctx->state == OHS_ERROR) + return 0; + + if (rctx->expected_ct != NULL && !found_expected_ct) { + ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MISSING_CONTENT_TYPE, + "expected=%s", rctx->expected_ct); + return 0; + } if (rctx->state == OHS_REDIRECT) { /* http status code indicated redirect but there was no Location */ ERR_raise(ERR_LIB_HTTP, HTTP_R_MISSING_REDIRECT_LOCATION); @@ -959,7 +986,7 @@ int OSSL_HTTP_set1_request(OSSL_HTTP_REQ_CTX *rctx, const char *path, return 0; } use_http_proxy = rctx->proxy != NULL && !rctx->use_ssl; - if (use_http_proxy && (rctx->server == NULL || rctx->port == NULL)) { + if (use_http_proxy && rctx->server == NULL) { ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_INVALID_ARGUMENT); return 0; } 
@@ -1069,6 +1096,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, int use_ssl; OSSL_HTTP_REQ_CTX *rctx; BIO *resp = NULL; + time_t max_time = timeout > 0 ? time(NULL) + timeout : 0; if (url == NULL) { ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); @@ -1099,7 +1127,8 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, } OPENSSL_free(path); if (resp == NULL && redirection_url != NULL) { - if (redirection_ok(++n_redirs, current_url, redirection_url)) { + if (redirection_ok(++n_redirs, current_url, redirection_url) + && may_still_retry(max_time, &timeout)) { (void)BIO_reset(bio); OPENSSL_free(current_url); current_url = redirection_url; diff --git a/deps/openssl/openssl/crypto/http/http_err.c b/deps/openssl/openssl/crypto/http/http_err.c index b2f2cfb1879ebf..332ad926d3672a 100644 --- a/deps/openssl/openssl/crypto/http/http_err.c +++ b/deps/openssl/openssl/crypto/http/http_err.c @@ -55,6 +55,7 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = { "response line too long"}, {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_PARSE_ERROR), "response parse error"}, + {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RETRY_TIMEOUT), "retry timeout"}, {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_CANCELED_CONNECTION), "server canceled connection"}, {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SOCK_NOT_SUPPORTED), diff --git a/deps/openssl/openssl/crypto/initthread.c b/deps/openssl/openssl/crypto/initthread.c index d86e280fc134af..1bdaeda9fc8ed6 100644 --- a/deps/openssl/openssl/crypto/initthread.c +++ b/deps/openssl/openssl/crypto/initthread.c 
@@ -309,11 +309,23 @@ void ossl_ctx_thread_stop(OSSL_LIB_CTX *ctx) static void init_thread_stop(void *arg, THREAD_EVENT_HANDLER **hands) { THREAD_EVENT_HANDLER *curr, *prev = NULL, *tmp; +#ifndef FIPS_MODULE + GLOBAL_TEVENT_REGISTER *gtr; +#endif /* Can't do much about this */ if (hands == NULL) return; +#ifndef FIPS_MODULE + gtr = get_global_tevent_register(); + if (gtr == NULL) + return; + + if (!CRYPTO_THREAD_write_lock(gtr->lock)) + return; +#endif + curr = *hands; while (curr != NULL) { if (arg != NULL && curr->arg != arg) { @@ -332,6 +344,9 @@ static void init_thread_stop(void *arg, THREAD_EVENT_HANDLER **hands) OPENSSL_free(tmp); } +#ifndef FIPS_MODULE + CRYPTO_THREAD_unlock(gtr->lock); +#endif } int ossl_init_thread_start(const void *index, void *arg, diff --git a/deps/openssl/openssl/crypto/objects/o_names.c b/deps/openssl/openssl/crypto/objects/o_names.c index 05aa8c44aad4e7..92152eeb667462 100644 --- a/deps/openssl/openssl/crypto/objects/o_names.c +++ b/deps/openssl/openssl/crypto/objects/o_names.c @@ -66,8 +66,14 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME *b); static CRYPTO_ONCE init = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE_STATIC(o_names_init) { - names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp); + names_lh = NULL; obj_lock = CRYPTO_THREAD_lock_new(); + if (obj_lock != NULL) + names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp); + if (names_lh == NULL) { + CRYPTO_THREAD_lock_free(obj_lock); + obj_lock = NULL; + } return names_lh != NULL && obj_lock != NULL; } diff --git a/deps/openssl/openssl/crypto/ocsp/ocsp_http.c b/deps/openssl/openssl/crypto/ocsp/ocsp_http.c index 28166d3a175c7a..e8b6406d3c384c 100644 --- a/deps/openssl/openssl/crypto/ocsp/ocsp_http.c +++ b/deps/openssl/openssl/crypto/ocsp/ocsp_http.c 
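Review bot: The two new early returns in init_thread_stop skip the whole handler loop when get_global_tevent_register() returns NULL or the write lock cannot be taken, so registered handlers are neither processed nor freed and nothing is reported. The existing `/* Can't do much about this */` comment covers only the `hands == NULL` case. I would add a comment at the new returns, for example `/* Register or lock unavailable: handlers stay registered and are not run */`, so the skipped per-thread cleanup is a documented choice. The middle of the loop is outside this view; if it invokes the handler callbacks, confirm that none of them can take `gtr->lock`, since they would now run with it held.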
@@ -58,13 +58,11 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req) if (ctx == NULL) return NULL; mem = OSSL_HTTP_REQ_CTX_exchange(ctx); - resp = (OCSP_RESPONSE *) - ASN1_item_d2i_bio(ASN1_ITEM_rptr(OCSP_RESPONSE), mem, NULL); - BIO_free(mem); + /* ASN1_item_d2i_bio handles NULL bio gracefully */ + resp = (OCSP_RESPONSE *)ASN1_item_d2i_bio(ASN1_ITEM_rptr(OCSP_RESPONSE), + mem, NULL); - /* this indirectly calls ERR_clear_error(): */ OSSL_HTTP_REQ_CTX_free(ctx); - return resp; } #endif /* !defined(OPENSSL_NO_OCSP) */ diff --git a/deps/openssl/openssl/crypto/param_build.c b/deps/openssl/openssl/crypto/param_build.c index e64deaa88fbb3c..eaece0026dea21 100644 --- a/deps/openssl/openssl/crypto/param_build.c +++ b/deps/openssl/openssl/crypto/param_build.c @@ -204,6 +204,12 @@ int OSSL_PARAM_BLD_push_BN_pad(OSSL_PARAM_BLD *bld, const char *key, OSSL_PARAM_BLD_DEF *pd; if (bn != NULL) { + if (BN_is_negative(bn)) { + ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_UNSUPPORTED, + "Negative big numbers are unsupported for OSSL_PARAM"); + return 0; + } + n = BN_num_bytes(bn); if (n < 0) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_ZERO_LENGTH_NUMBER); diff --git a/deps/openssl/openssl/crypto/params_from_text.c b/deps/openssl/openssl/crypto/params_from_text.c index 50f48fdb7e3734..360f8933e13557 100644 --- a/deps/openssl/openssl/crypto/params_from_text.c +++ b/deps/openssl/openssl/crypto/params_from_text.c @@ -57,8 +57,14 @@ static int prepare_from_text(const OSSL_PARAM *paramdefs, const char *key, if (r == 0 || *tmpbn == NULL) return 0; + if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER + && BN_is_negative(*tmpbn)) { + ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_INVALID_NEGATIVE_VALUE); + return 0; + } + /* - * 2s complement negate, part 1 + * 2's complement negate, part 1 * * BN_bn2nativepad puts the absolute value of the number in the * buffer, i.e. if it's negative, we need to deal with it. We do 
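Review bot: `BIO_free(mem)` is dropped from OCSP_sendreq_bio without a comment saying who owns the BIO returned by OSSL_HTTP_REQ_CTX_exchange(). Presumably it belongs to |ctx| and is released by OSSL_HTTP_REQ_CTX_free(), which would have made the old call a double free; stating that next to the call, e.g. `/* |mem| is owned by ctx and freed with it; do not BIO_free() it here */`, keeps the free from being added back later. The ownership rule itself is defined outside this diff and should be confirmed against the function's documentation.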
@@ -73,6 +79,20 @@ static int prepare_from_text(const OSSL_PARAM *paramdefs, const char *key, } buf_bits = (size_t)BN_num_bits(*tmpbn); + + /* + * Compensate for cases where the most significant bit in + * the resulting OSSL_PARAM buffer will be set after the + * BN_bn2nativepad() call, as the implied sign may not be + * correct after the second part of the 2's complement + * negation has been performed. + * We fix these cases by extending the buffer by one byte + * (8 bits), which will give some padding. The second part + * of the 2's complement negation will do the rest. + */ + if (p->data_type == OSSL_PARAM_INTEGER && buf_bits % 8 == 0) + buf_bits += 8; + *buf_n = (buf_bits + 7) / 8; /* @@ -80,9 +100,7 @@ static int prepare_from_text(const OSSL_PARAM *paramdefs, const char *key, * range checking if a size is specified. */ if (p->data_size > 0) { - if (buf_bits > p->data_size * 8 - || (p->data_type == OSSL_PARAM_INTEGER - && buf_bits == p->data_size * 8)) { + if (buf_bits > p->data_size * 8) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER); /* Since this is a different error, we don't break */ return 0; @@ -132,7 +150,7 @@ static int construct_from_text(OSSL_PARAM *to, const OSSL_PARAM *paramdef, BN_bn2nativepad(tmpbn, buf, buf_n); /* - * 2s complement negate, part two. + * 2's complement negation, part two. * * Because we did the first part on the BIGNUM itself, we can just * invert all the bytes here and be done with it. diff --git a/deps/openssl/openssl/crypto/passphrase.c b/deps/openssl/openssl/crypto/passphrase.c index fb8ea1deb13eeb..d61e2494405ac4 100644 --- a/deps/openssl/openssl/crypto/passphrase.c +++ b/deps/openssl/openssl/crypto/passphrase.c 
@@ -296,7 +296,8 @@ int ossl_pw_get_passphrase(char *pass, size_t pass_size, size_t *pass_len, return ret; } -int ossl_pw_pem_password(char *buf, int size, int rwflag, void *userdata) +static int ossl_pw_get_password(char *buf, int size, int rwflag, + void *userdata, const char *info) { size_t password_len = 0; OSSL_PARAM params[] = { @@ -304,13 +305,23 @@ int ossl_pw_pem_password(char *buf, int size, int rwflag, void *userdata) OSSL_PARAM_END }; - params[0].data = "PEM"; + params[0].data = (void *)info; if (ossl_pw_get_passphrase(buf, (size_t)size, &password_len, params, rwflag, userdata)) return (int)password_len; return -1; } +int ossl_pw_pem_password(char *buf, int size, int rwflag, void *userdata) +{ + return ossl_pw_get_password(buf, size, rwflag, userdata, "PEM"); +} + +int ossl_pw_pvk_password(char *buf, int size, int rwflag, void *userdata) +{ + return ossl_pw_get_password(buf, size, rwflag, userdata, "PVK"); +} + int ossl_pw_passphrase_callback_enc(char *pass, size_t pass_size, size_t *pass_len, const OSSL_PARAM params[], void *arg) diff --git a/deps/openssl/openssl/crypto/pem/pvkfmt.c b/deps/openssl/openssl/crypto/pem/pvkfmt.c index 11ac0a7c405115..21b16f5928c1e0 100644 --- a/deps/openssl/openssl/crypto/pem/pvkfmt.c +++ b/deps/openssl/openssl/crypto/pem/pvkfmt.c @@ -832,6 +832,11 @@ static void *do_PVK_body_key(const unsigned char **in, #endif EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new(); + if (cctx == NULL) { + ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); + goto err; + } + if (saltlen) { #ifndef OPENSSL_NO_RC4 unsigned int magic; diff --git a/deps/openssl/openssl/crypto/perlasm/ppc-xlate.pl b/deps/openssl/openssl/crypto/perlasm/ppc-xlate.pl index 47ca9b8afa9b1f..2ee444045ff963 100755 --- a/deps/openssl/openssl/crypto/perlasm/ppc-xlate.pl +++ b/deps/openssl/openssl/crypto/perlasm/ppc-xlate.pl 
@@ -153,13 +153,14 @@ # vs -> v if N > 32 sub vsr2vr1 { my $in = shift; + my ($prefix, $reg) = ($in =~ m/(\D*)(\d+)/); - my $n = int($in); + my $n = int($reg); if ($n >= 32) { $n -= 32; } - return "$n"; + return "${prefix}${n}"; } # As above for first $num register args, returns list sub _vsr2vr { diff --git a/deps/openssl/openssl/crypto/property/property.c b/deps/openssl/openssl/crypto/property/property.c index a4cd612b9daa26..c087e741edc7f3 100644 --- a/deps/openssl/openssl/crypto/property/property.c +++ b/deps/openssl/openssl/crypto/property/property.c @@ -45,6 +45,7 @@ typedef struct { DEFINE_STACK_OF(IMPLEMENTATION) typedef struct { + const OSSL_PROVIDER *provider; const char *query; METHOD method; char body[1]; @@ -117,7 +118,7 @@ OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx, globp = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, &ossl_ctx_global_properties_method); - return &globp->list; + return globp != NULL ? &globp->list : NULL; } #ifndef FIPS_MODULE @@ -127,7 +128,7 @@ int ossl_global_properties_no_mirrored(OSSL_LIB_CTX *libctx) = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, &ossl_ctx_global_properties_method); - return globp->no_mirrored ? 1 : 0; + return globp != NULL && globp->no_mirrored ? 1 : 0; } void ossl_global_properties_stop_mirroring(OSSL_LIB_CTX *libctx) @@ -136,7 +137,8 @@ void ossl_global_properties_stop_mirroring(OSSL_LIB_CTX *libctx) = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, &ossl_ctx_global_properties_method); - globp->no_mirrored = 1; + if (globp != NULL) + globp->no_mirrored = 1; } #endif 
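Review bot: vsr2vr1 does not check that the new match succeeded. If `$in` contains no digits, `$prefix` and `$reg` are undef, `int($reg)` evaluates to 0 and the sub returns "0", so a malformed operand becomes register 0 in the generated assembly instead of stopping the build. I would fail loudly: `my ($prefix, $reg) = ($in =~ m/(\D*)(\d+)/) or die "vsr2vr1: no register number in '$in'";`. The pattern is also unanchored, so anything after the digits is dropped silently; whether callers ever pass such operands is not visible here.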
@@ -172,7 +174,13 @@ static unsigned long query_hash(const QUERY *a) static int query_cmp(const QUERY *a, const QUERY *b) { - return strcmp(a->query, b->query); + int res = strcmp(a->query, b->query); + + if (res == 0 && a->provider != NULL && b->provider != NULL) + res = b->provider > a->provider ? 1 + : b->provider < a->provider ? -1 + : 0; + return res; } static void impl_free(IMPLEMENTATION *impl) @@ -260,6 +268,9 @@ int ossl_method_store_add(OSSL_METHOD_STORE *store, const OSSL_PROVIDER *prov, if (properties == NULL) properties = ""; + if (!ossl_assert(prov != NULL)) + return 0; + /* Create new entry */ impl = OPENSSL_malloc(sizeof(*impl)); if (impl == NULL) @@ -393,15 +404,15 @@ void ossl_method_store_do_all(OSSL_METHOD_STORE *store, ossl_sa_ALGORITHM_doall_arg(store->algs, alg_do_each, &data); } -int ossl_method_store_fetch(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, - void **method) +int ossl_method_store_fetch(OSSL_METHOD_STORE *store, + int nid, const char *prop_query, + const OSSL_PROVIDER **prov_rw, void **method) { OSSL_PROPERTY_LIST **plp; ALGORITHM *alg; - IMPLEMENTATION *impl; + IMPLEMENTATION *impl, *best_impl = NULL; OSSL_PROPERTY_LIST *pq = NULL, *p2 = NULL; - METHOD *best_method = NULL; + const OSSL_PROVIDER *prov = prov_rw != NULL ? *prov_rw : NULL; int ret = 0; int j, best = -1, score, optional; 
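Review bot: query_cmp now treats a NULL `provider` on either side as matching any provider, which is undocumented and makes the comparison non-transitive for the cache it serves. It looks intentional, since ossl_method_store_cache_set asserts `prov != NULL` while ossl_method_store_cache_get copies whatever `prov` it was given into `elem.provider`, but a lookup with NULL then returns whichever provider's entry is found first. I would state that above the function, e.g. `/* A NULL provider is a wildcard and is only valid in lookup keys, never in stored entries */`. The relational comparison of unrelated `OSSL_PROVIDER` pointers is also not strictly defined by the C standard; if the hash table only needs equal or not equal, as appears to be the case, `res = a->provider != b->provider;` would do.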
@@ -438,29 +449,38 @@ int ossl_method_store_fetch(OSSL_METHOD_STORE *store, int nid, } if (pq == NULL) { - if ((impl = sk_IMPLEMENTATION_value(alg->impls, 0)) != NULL) { - best_method = &impl->method; - ret = 1; + for (j = 0; j < sk_IMPLEMENTATION_num(alg->impls); j++) { + if ((impl = sk_IMPLEMENTATION_value(alg->impls, j)) != NULL + && (prov == NULL || impl->provider == prov)) { + best_impl = impl; + ret = 1; + break; + } } goto fin; } optional = ossl_property_has_optional(pq); for (j = 0; j < sk_IMPLEMENTATION_num(alg->impls); j++) { - impl = sk_IMPLEMENTATION_value(alg->impls, j); - score = ossl_property_match_count(pq, impl->properties); - if (score > best) { - best_method = &impl->method; - best = score; - ret = 1; - if (!optional) - goto fin; + if ((impl = sk_IMPLEMENTATION_value(alg->impls, j)) != NULL + && (prov == NULL || impl->provider == prov)) { + score = ossl_property_match_count(pq, impl->properties); + if (score > best) { + best_impl = impl; + best = score; + ret = 1; + if (!optional) + goto fin; + } } } fin: - if (ret && ossl_method_up_ref(best_method)) - *method = best_method->method; - else + if (ret && ossl_method_up_ref(&best_impl->method)) { + *method = best_impl->method.method; + if (prov_rw != NULL) + *prov_rw = best_impl->provider; + } else { ret = 0; + } ossl_property_unlock(store); ossl_property_free(p2); return ret; @@ -569,8 +589,8 @@ static void ossl_method_cache_flush_some(OSSL_METHOD_STORE *store) store->nelem = state.nelem; } -int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, void **method) +int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, + int nid, const char *prop_query, void **method) { ALGORITHM *alg; QUERY elem, *r; @@ -586,6 +606,7 @@ int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, int nid, goto err; elem.query = prop_query != NULL ? prop_query : ""; + elem.provider = prov; r = lh_QUERY_retrieve(alg->cache, &elem); if (r == NULL) goto err; 
@@ -598,8 +619,8 @@ int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, int nid, return res; } -int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, void *method, +int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, + int nid, const char *prop_query, void *method, int (*method_up_ref)(void *), void (*method_destruct)(void *)) { @@ -613,6 +634,9 @@ int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, int nid, if (prop_query == NULL) return 1; + if (!ossl_assert(prov != NULL)) + return 0; + if (!ossl_property_write_lock(store)) return 0; if (store->need_flush) @@ -623,6 +647,7 @@ int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, int nid, if (method == NULL) { elem.query = prop_query; + elem.provider = prov; if ((old = lh_QUERY_delete(alg->cache, &elem)) != NULL) { impl_cache_free(old); store->nelem--; @@ -632,6 +657,7 @@ int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, int nid, p = OPENSSL_malloc(sizeof(*p) + (len = strlen(prop_query))); if (p != NULL) { p->query = p->body; + p->provider = prov; p->method.method = method; p->method.up_ref = method_up_ref; p->method.free = method_destruct; diff --git a/deps/openssl/openssl/crypto/property/property_local.h b/deps/openssl/openssl/crypto/property/property_local.h index 46c5dbe3cc3962..6b85ce1586e809 100644 --- a/deps/openssl/openssl/crypto/property/property_local.h +++ b/deps/openssl/openssl/crypto/property/property_local.h @@ -34,7 +34,8 @@ struct ossl_property_list_st { OSSL_PROPERTY_DEFINITION properties[1]; }; -extern OSSL_PROPERTY_IDX ossl_property_true, ossl_property_false; +#define OSSL_PROPERTY_TRUE 1 +#define OSSL_PROPERTY_FALSE 2 /* Property string functions */ OSSL_PROPERTY_IDX ossl_property_name(OSSL_LIB_CTX *ctx, const char *s, diff --git a/deps/openssl/openssl/crypto/property/property_parse.c b/deps/openssl/openssl/crypto/property/property_parse.c index 21228b4a398944..8954ec724617fb 100644 
--- a/deps/openssl/openssl/crypto/property/property_parse.c +++ b/deps/openssl/openssl/crypto/property/property_parse.c @@ -19,8 +19,6 @@ #include "property_local.h" #include "e_os.h" -OSSL_PROPERTY_IDX ossl_property_true, ossl_property_false; - DEFINE_STACK_OF(OSSL_PROPERTY_DEFINITION) static const char *skip_space(const char *s) @@ -277,12 +275,16 @@ static void pd_free(OSSL_PROPERTY_DEFINITION *pd) /* * Convert a stack of property definitions and queries into a fixed array. * The items are sorted for efficient query. The stack is not freed. + * This function also checks for duplicated names and returns an error if + * any exist. */ static OSSL_PROPERTY_LIST * -stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) +stack_to_property_list(OSSL_LIB_CTX *ctx, + STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) { const int n = sk_OSSL_PROPERTY_DEFINITION_num(sk); OSSL_PROPERTY_LIST *r; + OSSL_PROPERTY_IDX prev_name_idx = 0; int i; r = OPENSSL_malloc(sizeof(*r) @@ -294,6 +296,16 @@ stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) for (i = 0; i < n; i++) { r->properties[i] = *sk_OSSL_PROPERTY_DEFINITION_value(sk, i); r->has_optional |= r->properties[i].optional; + + /* Check for duplicated names */ + if (i > 0 && r->properties[i].name_idx == prev_name_idx) { + OPENSSL_free(r); + ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED, + "Duplicated name `%s'", + ossl_property_name_str(ctx, prev_name_idx)); + return NULL; + } + prev_name_idx = r->properties[i].name_idx; } r->num_properties = n; } @@ -338,7 +350,7 @@ OSSL_PROPERTY_LIST *ossl_parse_property(OSSL_LIB_CTX *ctx, const char *defn) } else { /* A name alone means a true Boolean */ prop->type = OSSL_PROPERTY_TYPE_STRING; - prop->v.str_val = ossl_property_true; + prop->v.str_val = OSSL_PROPERTY_TRUE; } if (!sk_OSSL_PROPERTY_DEFINITION_push(sk, prop)) 
@@ -351,7 +363,7 @@ OSSL_PROPERTY_LIST *ossl_parse_property(OSSL_LIB_CTX *ctx, const char *defn) "HERE-->%s", s); goto err; } - res = stack_to_property_list(sk); + res = stack_to_property_list(ctx, sk); err: OPENSSL_free(prop); @@ -397,7 +409,7 @@ OSSL_PROPERTY_LIST *ossl_parse_query(OSSL_LIB_CTX *ctx, const char *s, /* A name alone is a Boolean comparison for true */ prop->oper = OSSL_PROPERTY_OPER_EQ; prop->type = OSSL_PROPERTY_TYPE_STRING; - prop->v.str_val = ossl_property_true; + prop->v.str_val = OSSL_PROPERTY_TRUE; goto skip_value; } if (!parse_value(ctx, &s, prop, create_values)) @@ -414,7 +426,7 @@ OSSL_PROPERTY_LIST *ossl_parse_query(OSSL_LIB_CTX *ctx, const char *s, "HERE-->%s", s); goto err; } - res = stack_to_property_list(sk); + res = stack_to_property_list(ctx, sk); err: OPENSSL_free(prop); @@ -471,9 +483,9 @@ int ossl_property_match_count(const OSSL_PROPERTY_LIST *query, return -1; } else if (q[i].type != OSSL_PROPERTY_TYPE_STRING || (oper == OSSL_PROPERTY_OPER_EQ - && q[i].v.str_val != ossl_property_false) + && q[i].v.str_val != OSSL_PROPERTY_FALSE) || (oper == OSSL_PROPERTY_OPER_NE - && q[i].v.str_val == ossl_property_false)) { + && q[i].v.str_val == OSSL_PROPERTY_FALSE)) { if (!q[i].optional) return -1; } else { @@ -546,9 +558,13 @@ int ossl_property_parse_init(OSSL_LIB_CTX *ctx) if (ossl_property_name(ctx, predefined_names[i], 1) == 0) goto err; - /* Pre-populate the two Boolean values */ - if ((ossl_property_true = ossl_property_value(ctx, "yes", 1)) == 0 - || (ossl_property_false = ossl_property_value(ctx, "no", 1)) == 0) + /* + * Pre-populate the two Boolean values. We must do them before any other + * values and in this order so that we get the same index as the global + * OSSL_PROPERTY_TRUE and OSSL_PROPERTY_FALSE values + */ + if ((ossl_property_value(ctx, "yes", 1) != OSSL_PROPERTY_TRUE) + || (ossl_property_value(ctx, "no", 1) != OSSL_PROPERTY_FALSE)) goto err; return 1; 
diff --git a/deps/openssl/openssl/crypto/property/property_query.c b/deps/openssl/openssl/crypto/property/property_query.c index 1352bc009eee8b..28cc704840a49c 100644 --- a/deps/openssl/openssl/crypto/property/property_query.c +++ b/deps/openssl/openssl/crypto/property/property_query.c @@ -75,8 +75,8 @@ int ossl_property_is_enabled(OSSL_LIB_CTX *ctx, const char *property_name, return 0; return (prop->type == OSSL_PROPERTY_TYPE_STRING && ((prop->oper == OSSL_PROPERTY_OPER_EQ - && prop->v.str_val == ossl_property_true) + && prop->v.str_val == OSSL_PROPERTY_TRUE) || (prop->oper == OSSL_PROPERTY_OPER_NE - && prop->v.str_val != ossl_property_true))); + && prop->v.str_val != OSSL_PROPERTY_TRUE))); } diff --git a/deps/openssl/openssl/crypto/provider.c b/deps/openssl/openssl/crypto/provider.c index 82d980a8aee335..114b42692940a2 100644 --- a/deps/openssl/openssl/crypto/provider.c +++ b/deps/openssl/openssl/crypto/provider.c @@ -35,10 +35,16 @@ OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name, actual = prov; if (isnew && !ossl_provider_add_to_store(prov, &actual, retain_fallbacks)) { - ossl_provider_deactivate(prov); + ossl_provider_deactivate(prov, 1); ossl_provider_free(prov); return NULL; } + if (actual != prov) { + if (!ossl_provider_activate(actual, 1, 0)) { + ossl_provider_free(actual); + return NULL; + } + } return actual; } @@ -53,7 +59,7 @@ OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name) int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov) { - if (!ossl_provider_deactivate(prov)) + if (!ossl_provider_deactivate(prov, 1)) return 0; ossl_provider_free(prov); return 1; diff --git a/deps/openssl/openssl/crypto/provider_child.c b/deps/openssl/openssl/crypto/provider_child.c index 272d67a52d80ac..977ea4db3bf215 100644 --- a/deps/openssl/openssl/crypto/provider_child.c +++ b/deps/openssl/openssl/crypto/provider_child.c 
@@ -22,7 +22,6 @@ DEFINE_STACK_OF(OSSL_PROVIDER) struct child_prov_globals { const OSSL_CORE_HANDLE *handle; const OSSL_CORE_HANDLE *curr_prov; - unsigned int isinited:1; CRYPTO_RWLOCK *lock; OSSL_FUNC_core_get_libctx_fn *c_get_libctx; OSSL_FUNC_provider_register_child_cb_fn *c_provider_register_child_cb; @@ -43,7 +42,6 @@ static void child_prov_ossl_ctx_free(void *vgbl) { struct child_prov_globals *gbl = vgbl; - gbl->c_provider_deregister_child_cb(gbl->handle); CRYPTO_THREAD_lock_free(gbl->lock); OPENSSL_free(gbl); } @@ -110,11 +108,7 @@ static int provider_create_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) if (gbl == NULL) return 0; - /* - * If !gbl->isinited, then we are still initing and we already hold the - * lock - so don't take it again. - */ - if (gbl->isinited && !CRYPTO_THREAD_write_lock(gbl->lock)) + if (!CRYPTO_THREAD_write_lock(gbl->lock)) return 0; provname = gbl->c_prov_name(prov); @@ -153,7 +147,7 @@ static int provider_create_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) if (!ossl_provider_set_child(cprov, prov) || !ossl_provider_add_to_store(cprov, NULL, 0)) { - ossl_provider_deactivate(cprov); + ossl_provider_deactivate(cprov, 0); ossl_provider_free(cprov); goto err; } @@ -161,8 +155,7 @@ static int provider_create_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) ret = 1; err: - if (gbl->isinited) - CRYPTO_THREAD_unlock(gbl->lock); + CRYPTO_THREAD_unlock(gbl->lock); return ret; } @@ -188,7 +181,7 @@ static int provider_remove_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) */ ossl_provider_free(cprov); if (ossl_provider_is_child(cprov) - && !ossl_provider_deactivate(cprov)) + && !ossl_provider_deactivate(cprov, 1)) return 0; return 1; 
@@ -272,11 +265,20 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, ctx)) return 0; - gbl->isinited = 1; - return 1; } +void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx) +{ + struct child_prov_globals *gbl + = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, + &child_prov_ossl_ctx_method); + if (gbl == NULL) + return; + + gbl->c_provider_deregister_child_cb(gbl->handle); +} + int ossl_provider_up_ref_parent(OSSL_PROVIDER *prov, int activate) { struct child_prov_globals *gbl; diff --git a/deps/openssl/openssl/crypto/provider_conf.c b/deps/openssl/openssl/crypto/provider_conf.c index da3796d914af51..c13c887c3d4aaf 100644 --- a/deps/openssl/openssl/crypto/provider_conf.c +++ b/deps/openssl/openssl/crypto/provider_conf.c @@ -146,9 +146,6 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, const char *path = NULL; long activate = 0; int ok = 0; - PROVIDER_CONF_GLOBAL *pcgbl - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, - &provider_conf_ossl_ctx_method); name = skip_dot(name); OSSL_TRACE1(CONF, "Configuring provider %s\n", name); @@ -185,7 +182,11 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, } if (activate) { - if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) { + PROVIDER_CONF_GLOBAL *pcgbl + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, + &provider_conf_ossl_ctx_method); + + if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); return 0; } 
@@ -221,13 +222,24 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, if (!ossl_provider_activate(prov, 1, 0)) { ok = 0; } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { - ossl_provider_deactivate(prov); + ossl_provider_deactivate(prov, 1); + ok = 0; + } else if (actual != prov + && !ossl_provider_activate(actual, 1, 0)) { + ossl_provider_free(actual); ok = 0; } else { if (pcgbl->activated_providers == NULL) pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); - sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual); - ok = 1; + if (pcgbl->activated_providers == NULL + || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers, + actual)) { + ossl_provider_deactivate(actual, 1); + ossl_provider_free(actual); + ok = 0; + } else { + ok = 1; + } } } if (!ok) diff --git a/deps/openssl/openssl/crypto/provider_core.c b/deps/openssl/openssl/crypto/provider_core.c index e4069eb4f7179a..cb4c07c781ac4e 100644 --- a/deps/openssl/openssl/crypto/provider_core.c +++ b/deps/openssl/openssl/crypto/provider_core.c @@ -107,8 +107,8 @@ * some other function while holding a lock make sure you know whether it * will make any upcalls or not. For example ossl_provider_up_ref() can call * ossl_provider_up_ref_parent() which can call the c_prov_up_ref() upcall. - * - It is permissible to hold the store lock when calling child provider - * callbacks. No other locks may be held during such callbacks. + * - It is permissible to hold the store and flag locks when calling child + * provider callbacks. No other locks may be held during such callbacks. */ static OSSL_PROVIDER *provider_new(const char *name, @@ -230,7 +230,7 @@ struct provider_store_st { static void provider_deactivate_free(OSSL_PROVIDER *prov) { if (prov->flag_activated) - ossl_provider_deactivate(prov); + ossl_provider_deactivate(prov, 1); ossl_provider_free(prov); } 
@@ -424,7 +424,11 @@ OSSL_PROVIDER *ossl_provider_find(OSSL_LIB_CTX *libctx, const char *name, #endif tmpl.name = (char *)name; - if (!CRYPTO_THREAD_read_lock(store->lock)) + /* + * A "find" operation can sort the stack, and therefore a write lock is + * required. + */ + if (!CRYPTO_THREAD_write_lock(store->lock)) return NULL; if ((i = sk_OSSL_PROVIDER_find(store->providers, &tmpl)) != -1) prov = sk_OSSL_PROVIDER_value(store->providers, i); @@ -499,13 +503,18 @@ static int provider_up_ref_intern(OSSL_PROVIDER *prov, int activate) static int provider_free_intern(OSSL_PROVIDER *prov, int deactivate) { if (deactivate) - return ossl_provider_deactivate(prov); + return ossl_provider_deactivate(prov, 1); ossl_provider_free(prov); return 1; } #endif +/* + * We assume that the requested provider does not already exist in the store. + * The caller should check. If it does exist then adding it to the store later + * will fail. + */ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, OSSL_provider_init_fn *init_function, int noconfig) @@ -517,14 +526,6 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, if ((store = get_provider_store(libctx)) == NULL) return NULL; - if ((prov = ossl_provider_find(libctx, name, - noconfig)) != NULL) { /* refcount +1 */ - ossl_provider_free(prov); /* refcount -1 */ - ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_ALREADY_EXISTS, - "name=%s", name); - return NULL; - } - memset(&template, 0, sizeof(template)); if (init_function == NULL) { const OSSL_PROVIDER_INFO *p; 
@@ -645,8 +646,11 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov, * name and raced to put them in the store. This thread lost. We * deactivate the one we just created and use the one that already * exists instead. + * If we get here then we know we did not create provider children + * above, so we inform ossl_provider_deactivate not to attempt to remove + * any. */ - ossl_provider_deactivate(prov); + ossl_provider_deactivate(prov, 0); ossl_provider_free(prov); } @@ -1003,27 +1007,35 @@ static int provider_init(OSSL_PROVIDER *prov) } /* - * Deactivate a provider. + * Deactivate a provider. If upcalls is 0 then we suppress any upcalls to a + * parent provider. If removechildren is 0 then we suppress any calls to remove + * child providers. * Return -1 on failure and the activation count on success */ -static int provider_deactivate(OSSL_PROVIDER *prov, int upcalls) +static int provider_deactivate(OSSL_PROVIDER *prov, int upcalls, + int removechildren) { int count; struct provider_store_st *store; #ifndef FIPS_MODULE - int freeparent = 0, removechildren = 0; + int freeparent = 0; #endif + int lock = 1; if (!ossl_assert(prov != NULL)) return -1; + /* + * No need to lock if we've got no store because we've not been shared with + * other threads. + */ store = get_provider_store(prov->libctx); if (store == NULL) - return -1; + lock = 0; - if (!CRYPTO_THREAD_read_lock(store->lock)) + if (lock && !CRYPTO_THREAD_read_lock(store->lock)) return -1; - if (!CRYPTO_THREAD_write_lock(prov->flag_lock)) { + if (lock && !CRYPTO_THREAD_write_lock(prov->flag_lock)) { CRYPTO_THREAD_unlock(store->lock); return -1; } 
@@ -1040,17 +1052,15 @@ static int provider_deactivate(OSSL_PROVIDER *prov, int upcalls) } #endif - if ((count = --prov->activatecnt) < 1) { + if ((count = --prov->activatecnt) < 1) prov->flag_activated = 0; #ifndef FIPS_MODULE - removechildren = 1; + else + removechildren = 0; #endif - } - - CRYPTO_THREAD_unlock(prov->flag_lock); #ifndef FIPS_MODULE - if (removechildren) { + if (removechildren && store != NULL) { int i, max = sk_OSSL_PROVIDER_CHILD_CB_num(store->child_cbs); OSSL_PROVIDER_CHILD_CB *child_cb; @@ -1060,7 +1070,10 @@ static int provider_deactivate(OSSL_PROVIDER *prov, int upcalls) } } #endif - CRYPTO_THREAD_unlock(store->lock); + if (lock) { + CRYPTO_THREAD_unlock(prov->flag_lock); + CRYPTO_THREAD_unlock(store->lock); + } #ifndef FIPS_MODULE if (freeparent) ossl_provider_free_parent(prov, 1); @@ -1078,7 +1091,7 @@ static int provider_activate(OSSL_PROVIDER *prov, int lock, int upcalls) { int count = -1; struct provider_store_st *store; - int ret = 1, createchildren = 0; + int ret = 1; store = prov->store; /* @@ -1116,15 +1129,13 @@ static int provider_activate(OSSL_PROVIDER *prov, int lock, int upcalls) count = ++prov->activatecnt; prov->flag_activated = 1; - if (prov->activatecnt == 1 && store != NULL) - createchildren = 1; - - if (lock) - CRYPTO_THREAD_unlock(prov->flag_lock); - if (createchildren) + if (prov->activatecnt == 1 && store != NULL) { ret = create_provider_children(prov); - if (lock) + } + if (lock) { + CRYPTO_THREAD_unlock(prov->flag_lock); CRYPTO_THREAD_unlock(store->lock); + } if (!ret) return -1; 
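Review bot: In the `@@ -1040,17 +1052,15 @@` hunk of provider_deactivate(), the added `else removechildren = 0;` lives inside `#ifndef FIPS_MODULE` but hangs off an unbraced `if` that sits outside the conditional, so the shape of the statement depends on the build configuration. A later edit between the `if` and the `#ifndef` would silently rebind the `else`, and in the visible lines the `removechildren` parameter is only read under `#ifndef FIPS_MODULE`, so it looks unused in a FIPS_MODULE build. Bracing the `if` and making the reset a self-contained statement inside the conditional, `if (count >= 1) removechildren = 0;`, keeps the same behaviour without the split. The function starts before this hunk and continues after it.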
@@ -1170,11 +1181,12 @@ int ossl_provider_activate(OSSL_PROVIDER *prov, int upcalls, int aschild) return 0; } -int ossl_provider_deactivate(OSSL_PROVIDER *prov) +int ossl_provider_deactivate(OSSL_PROVIDER *prov, int removechildren) { int count; - if (prov == NULL || (count = provider_deactivate(prov, 1)) < 0) + if (prov == NULL + || (count = provider_deactivate(prov, 1, removechildren)) < 0) return 0; return count == 0 ? provider_flush_store_cache(prov) : 1; } @@ -1356,7 +1368,7 @@ int ossl_provider_doall_activated(OSSL_LIB_CTX *ctx, for (curr++; curr < max; curr++) { OSSL_PROVIDER *prov = sk_OSSL_PROVIDER_value(provs, curr); - provider_deactivate(prov, 0); + provider_deactivate(prov, 0, 1); /* * As above where we did the up-ref, we don't call ossl_provider_free * to avoid making upcalls. There should always be at least one ref diff --git a/deps/openssl/openssl/crypto/rsa/rsa_backend.c b/deps/openssl/openssl/crypto/rsa/rsa_backend.c index 85ad54e4cfdbc8..46283265d2746c 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_backend.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_backend.c @@ -392,6 +392,8 @@ RSA *ossl_rsa_dup(const RSA *rsa, int selection) if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 && (pnum = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) > 0) { dupkey->prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); + if (dupkey->prime_infos == NULL) + goto err; for (i = 0; i < pnum; i++) { const RSA_PRIME_INFO *pinfo = NULL; RSA_PRIME_INFO *duppinfo = NULL; diff --git a/deps/openssl/openssl/crypto/rsa/rsa_lib.c b/deps/openssl/openssl/crypto/rsa/rsa_lib.c index 6433282597091f..a8a6d6c758e92a 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_lib.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_lib.c 
@@ -1244,8 +1244,11 @@ int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp) * When we're dealing with a provider, there's no need to duplicate * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway. */ - if (evp_pkey_ctx_is_legacy(ctx)) + if (evp_pkey_ctx_is_legacy(ctx)) { pubexp = BN_dup(pubexp); + if (pubexp == NULL) + return 0; + } ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp); if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0) diff --git a/deps/openssl/openssl/crypto/sm2/sm2_sign.c b/deps/openssl/openssl/crypto/sm2/sm2_sign.c index 72be1c00b458b3..5861f420fb6607 100644 --- a/deps/openssl/openssl/crypto/sm2/sm2_sign.c +++ b/deps/openssl/openssl/crypto/sm2/sm2_sign.c @@ -239,6 +239,15 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e) goto done; } + /* + * A3: Generate a random number k in [1,n-1] using random number generators; + * A4: Compute (x1,y1)=[k]G, and convert the type of data x1 to be integer + * as specified in clause 4.2.8 of GM/T 0003.1-2012; + * A5: Compute r=(e+x1) mod n. If r=0 or r+k=n, then go to A3; + * A6: Compute s=(1/(1+dA)*(k-r*dA)) mod n. If s=0, then go to A3; + * A7: Convert the type of data (r,s) to be bit strings according to the details + * in clause 4.2.2 of GM/T 0003.1-2012. Then the signature of message M is (r,s). + */ for (;;) { if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); @@ -274,6 +283,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e) goto done; } + /* try again if s == 0 */ + if (BN_is_zero(s)) + continue; + sig = ECDSA_SIG_new(); if (sig == NULL) { ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); diff --git a/deps/openssl/openssl/crypto/store/store_meth.c b/deps/openssl/openssl/crypto/store/store_meth.c index 61230a6c241d87..e79ec871fd79c9 100644 --- a/deps/openssl/openssl/crypto/store/store_meth.c +++ b/deps/openssl/openssl/crypto/store/store_meth.c 
@@ -128,7 +128,8 @@ static OSSL_METHOD_STORE *get_loader_store(OSSL_LIB_CTX *libctx) } /* Get loader methods from a store, or put one in */ -static void *get_loader_from_store(void *store, void *data) +static void *get_loader_from_store(void *store, const OSSL_PROVIDER **prov, + void *data) { struct loader_data_st *methdata = data; void *method = NULL; @@ -144,7 +145,7 @@ static void *get_loader_from_store(void *store, void *data) && (store = get_loader_store(methdata->libctx)) == NULL) return NULL; - if (!ossl_method_store_fetch(store, id, methdata->propquery, &method)) + if (!ossl_method_store_fetch(store, id, methdata->propquery, prov, &method)) return NULL; return method; } @@ -308,7 +309,7 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, unsupported = 1; if (id == 0 - || !ossl_method_store_cache_get(store, id, properties, &method)) { + || !ossl_method_store_cache_get(store, NULL, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_loader_store, get_loader_from_store, @@ -322,7 +323,7 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_STORE, - 0 /* !force_cache */, + NULL, 0 /* !force_cache */, &mcm, methdata)) != NULL) { /* * If construction did create a method for us, we know that there @@ -331,7 +332,7 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, */ if (id == 0) id = ossl_namemap_name2num(namemap, scheme); - ossl_method_store_cache_set(store, id, properties, method, + ossl_method_store_cache_set(store, NULL, id, properties, method, up_ref_loader, free_loader); } diff --git a/deps/openssl/openssl/crypto/threads_win.c b/deps/openssl/openssl/crypto/threads_win.c index fdc32a2a5432b6..d65b3826d93a27 100644 --- a/deps/openssl/openssl/crypto/threads_win.c +++ b/deps/openssl/openssl/crypto/threads_win.c 
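Review bot: The updated call `ossl_method_store_cache_set(store, NULL, id, properties, method, ...)` in inner_loader_fetch() passes NULL for the new provider argument, but the property.c part of this patch adds `if (!ossl_assert(prov != NULL)) return 0;` to that function right after its `prop_query == NULL` early return. With any non-NULL `properties` the call can therefore no longer store the loader, the ignored return value hides that, and depending on how ossl_assert is built the process may stop instead. If the new second argument of ossl_method_construct() is an in/out provider pointer (its prototype is not in this hunk), declare `OSSL_PROVIDER *prov = NULL;`, pass `&prov` there and `prov` to the cache-set call. inner_loader_fetch() starts and ends outside the hunk.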
@@ -10,7 +10,6 @@ #if defined(_WIN32) # include # if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 -# include # define USE_RWLOCK # endif #endif diff --git a/deps/openssl/openssl/crypto/x509/v3_akid.c b/deps/openssl/openssl/crypto/x509/v3_akid.c index 5abd35d644c217..43b515f50c49cc 100644 --- a/deps/openssl/openssl/crypto/x509/v3_akid.c +++ b/deps/openssl/openssl/crypto/x509/v3_akid.c @@ -107,6 +107,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, ASN1_INTEGER *serial = NULL; X509_EXTENSION *ext; X509 *issuer_cert; + int same_issuer, ss; AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new(); if (akeyid == NULL) @@ -144,14 +145,26 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE); goto err; } - - if (keyid != 0) { - /* prefer any pre-existing subject key identifier of the issuer cert */ + same_issuer = ctx->subject_cert == ctx->issuer_cert; + ERR_set_mark(); + if (ctx->issuer_pkey != NULL) + ss = X509_check_private_key(ctx->subject_cert, ctx->issuer_pkey); + else + ss = same_issuer; + ERR_pop_to_mark(); + + /* unless forced with "always", AKID is suppressed for self-signed certs */ + if (keyid == 2 || (keyid == 1 && !ss)) { + /* + * prefer any pre-existing subject key identifier of the issuer cert + * except issuer cert is same as subject cert and is not self-signed + */ i = X509_get_ext_by_NID(issuer_cert, NID_subject_key_identifier, -1); - if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL) + if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL + && !(same_issuer && !ss)) ikeyid = X509V3_EXT_d2i(ext); - if (ikeyid == NULL && ctx->issuer_pkey != NULL) { /* fallback */ - /* generate AKID from scratch, emulating s2i_skey_id(..., "hash") */ + if (ikeyid == NULL && same_issuer && ctx->issuer_pkey != NULL) { + /* generate fallback AKID, emulating s2i_skey_id(..., "hash") */ X509_PUBKEY *pubkey = NULL; if (X509_PUBKEY_set(&pubkey, ctx->issuer_pkey)) 
diff --git a/deps/openssl/openssl/crypto/x509/v3_ncons.c b/deps/openssl/openssl/crypto/x509/v3_ncons.c index dc56fe2c0ca8a5..70a7e8304edb3d 100644 --- a/deps/openssl/openssl/crypto/x509/v3_ncons.c +++ b/deps/openssl/openssl/crypto/x509/v3_ncons.c @@ -714,6 +714,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) if (baseat != baseptr) { if ((baseat - baseptr) != (emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; + if (memchr(baseptr, 0, baseat - baseptr) || + memchr(emlptr, 0, emlat - emlptr)) + return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; /* Case sensitive match of local part */ if (strncmp(baseptr, emlptr, emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; diff --git a/deps/openssl/openssl/crypto/x509/v3_san.c b/deps/openssl/openssl/crypto/x509/v3_san.c index 26708aefae06db..c081f02e19e418 100644 --- a/deps/openssl/openssl/crypto/x509/v3_san.c +++ b/deps/openssl/openssl/crypto/x509/v3_san.c @@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, for (i = 0; i < num; i++) { cnf = sk_CONF_VALUE_value(nval, i); - if (!ossl_v3_name_cmp(cnf->name, "email") + if (ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value && strcmp(cnf->value, "copy") == 0) { if (!copy_email(ctx, gens, 0)) goto err; - } else if (!ossl_v3_name_cmp(cnf->name, "email") + } else if (ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value && strcmp(cnf->value, "move") == 0) { if (!copy_email(ctx, gens, 1)) goto err; @@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) return 0; } /* Find the subject name */ - if (ctx->subject_cert) - nm = X509_get_subject_name(ctx->subject_cert); - else - nm = X509_REQ_get_subject_name(ctx->subject_req); + nm = ctx->subject_cert != NULL ? + X509_get_subject_name(ctx->subject_cert) : + X509_REQ_get_subject_name(ctx->subject_req); /* Now add any email address(es) to STACK */ while ((i = X509_NAME_get_index_by_NID(nm, 
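Review bot: The embedded-NUL rejection added to nc_email() has no comment, and its reason is not obvious from the lines themselves: the `strncmp` that follows stops at the first NUL, so two local parts of equal length that agree up to an embedded NUL would compare equal even when the bytes after it differ. A short comment such as `/* strncmp() stops at NUL: reject local parts with embedded NULs */` would keep the check from being removed later as redundant. The condition also ends its first line with `||` and uses the `memchr` results as booleans, while other hunks in this patch start continuation lines with the operator and compare against NULL. Only the local part is covered here; whether the domain comparison after this hunk is length-bounded cannot be seen from these lines.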
diff --git a/deps/openssl/openssl/crypto/x509/v3_skid.c b/deps/openssl/openssl/crypto/x509/v3_skid.c index bab88898e687a2..18223f2ef496bb 100644 --- a/deps/openssl/openssl/crypto/x509/v3_skid.c +++ b/deps/openssl/openssl/crypto/x509/v3_skid.c @@ -105,7 +105,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, return NULL; } - return ossl_x509_pubkey_hash(ctx->subject_req != NULL ? - ctx->subject_req->req_info.pubkey : - ctx->subject_cert->cert_info.key); + return ossl_x509_pubkey_hash(ctx->subject_cert != NULL ? + ctx->subject_cert->cert_info.key : + ctx->subject_req->req_info.pubkey); } diff --git a/deps/openssl/openssl/crypto/x509/x509_cmp.c b/deps/openssl/openssl/crypto/x509/x509_cmp.c index 8b4e46a5895618..f3d58cdfa61331 100644 --- a/deps/openssl/openssl/crypto/x509/x509_cmp.c +++ b/deps/openssl/openssl/crypto/x509/x509_cmp.c @@ -208,8 +208,12 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags) return 1; } } - if ((flags & X509_ADD_FLAG_NO_SS) != 0 && X509_self_signed(cert, 0)) - return 1; + if ((flags & X509_ADD_FLAG_NO_SS) != 0) { + int ret = X509_self_signed(cert, 0); + + if (ret != 0) + return ret > 0 ? 1 : 0; + } if (!sk_X509_insert(sk, cert, (flags & X509_ADD_FLAG_PREPEND) != 0 ? 0 : -1)) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.c b/deps/openssl/openssl/crypto/x509/x509_vfy.c index 18c6172c9800e4..ff3ca83de6d5cf 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.c +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.c @@ -630,7 +630,7 @@ static int has_san_id(X509 *x, int gtype) GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); if (gs == NULL) - return -1; + return 0; for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) { GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i); 
@@ -3023,22 +3023,26 @@ static int build_chain(X509_STORE_CTX *ctx) may_trusted = 1; } - /* - * Shallow-copy the stack of untrusted certificates (with TLS, this is - * typically the content of the peer's certificate message) so can make - * multiple passes over it, while free to remove elements as we go. - */ - if ((sk_untrusted = sk_X509_dup(ctx->untrusted)) == NULL) + /* Initialize empty untrusted stack. */ + if ((sk_untrusted = sk_X509_new_null()) == NULL) goto memerr; /* - * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add - * them to our working copy of the untrusted certificate stack. + * If we got any "Cert(0) Full(0)" trust anchors from DNS, *prepend* them + * to our working copy of the untrusted certificate stack. */ if (DANETLS_ENABLED(dane) && dane->certs != NULL && !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) goto memerr; + /* + * Shallow-copy the stack of untrusted certificates (with TLS, this is + * typically the content of the peer's certificate message) so we can make + * multiple passes over it, while free to remove elements as we go. + */ + if (!X509_add_certs(sk_untrusted, ctx->untrusted, X509_ADD_FLAG_DEFAULT)) + goto memerr; + /* * Still absurdly large, but arithmetically safe, a lower hard upper bound * might be reasonable. @@ -3227,7 +3231,7 @@ static int build_chain(X509_STORE_CTX *ctx) if (!ossl_assert(num == ctx->num_untrusted)) goto int_err; curr = sk_X509_value(ctx->chain, num - 1); - issuer = (X509_self_signed(curr, 0) || num > max_depth) ? + issuer = (X509_self_signed(curr, 0) > 0 || num > max_depth) ? NULL : find_issuer(ctx, sk_untrusted, curr); if (issuer == NULL) { /* 
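Review bot: Changing the test to `X509_self_signed(curr, 0) > 0` in the `@@ -3227,7 +3231,7 @@` hunk makes build_chain() treat a negative (error) return the same as "not self-signed" and carry on to find_issuer(), whereas the X509_add_cert() hunk in this patch turns a negative return into a failure. If an error should stop chain building, keep the result in a local and branch on it before computing `issuer`, e.g. `ss = X509_self_signed(curr, 0); if (ss < 0) goto int_err;`. The same `> 0` pattern is in the `@@ -3298,7 +3302,7 @@` hunk, where an error result skips the self-signed diagnostics. build_chain() starts and ends outside these hunks.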
@@ -3298,7 +3302,7 @@ static int build_chain(X509_STORE_CTX *ctx) CB_FAIL_IF(DANETLS_ENABLED(dane) && (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0), ctx, NULL, num - 1, X509_V_ERR_DANE_NO_MATCH); - if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0)) + if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0) > 0) return verify_cb_cert(ctx, NULL, num - 1, num == 1 ? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT diff --git a/deps/openssl/openssl/crypto/x509/x_name.c b/deps/openssl/openssl/crypto/x509/x_name.c index d5ef8e340874e4..bed2d049b43e6b 100644 --- a/deps/openssl/openssl/crypto/x509/x_name.c +++ b/deps/openssl/openssl/crypto/x509/x_name.c @@ -219,8 +219,8 @@ static int x509_name_ex_i2d(const ASN1_VALUE **val, unsigned char **out, if (ret < 0) return ret; ret = x509_name_canon(a); - if (ret < 0) - return ret; + if (!ret) + return -1; } ret = a->bytes->length; if (out != NULL) { diff --git a/deps/openssl/openssl/crypto/x509/x_pubkey.c b/deps/openssl/openssl/crypto/x509/x_pubkey.c index 0c07c39a1f284d..bc90ddd89b4952 100644 --- a/deps/openssl/openssl/crypto/x509/x_pubkey.c +++ b/deps/openssl/openssl/crypto/x509/x_pubkey.c 
@@ -289,14 +289,28 @@ X509_PUBKEY *X509_PUBKEY_dup(const X509_PUBKEY *a) || (pubkey->algor = X509_ALGOR_dup(a->algor)) == NULL || (pubkey->public_key = ASN1_BIT_STRING_new()) == NULL || !ASN1_BIT_STRING_set(pubkey->public_key, - a->public_key->data, a->public_key->length) - || (a->pkey != NULL && !EVP_PKEY_up_ref(a->pkey))) { + a->public_key->data, + a->public_key->length)) { x509_pubkey_ex_free((ASN1_VALUE **)&pubkey, ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL)); ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); return NULL; } - pubkey->pkey = a->pkey; + + if (a->pkey != NULL) { + ERR_set_mark(); + pubkey->pkey = EVP_PKEY_dup(a->pkey); + if (pubkey->pkey == NULL) { + pubkey->flag_force_legacy = 1; + if (x509_pubkey_decode(&pubkey->pkey, pubkey) <= 0) { + x509_pubkey_ex_free((ASN1_VALUE **)&pubkey, + ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL)); + ERR_clear_last_mark(); + return NULL; + } + } + ERR_pop_to_mark(); + } return pubkey; } diff --git a/deps/openssl/openssl/crypto/x509/x_x509.c b/deps/openssl/openssl/crypto/x509/x_x509.c index d14de0e77e8978..010578b19a3110 100644 --- a/deps/openssl/openssl/crypto/x509/x_x509.c +++ b/deps/openssl/openssl/crypto/x509/x_x509.c @@ -104,23 +104,6 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, if (!ossl_x509_set0_libctx(ret, old->libctx, old->propq)) return 0; - if (old->cert_info.key != NULL) { - EVP_PKEY *pkey = X509_PUBKEY_get0(old->cert_info.key); - - if (pkey != NULL) { - pkey = EVP_PKEY_dup(pkey); - if (pkey == NULL) { - ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); - return 0; - } - if (!X509_PUBKEY_set(&ret->cert_info.key, pkey)) { - EVP_PKEY_free(pkey); - ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); - return 0; - } - EVP_PKEY_free(pkey); - } - } } break; case ASN1_OP_GET0_LIBCTX: @@ -130,6 +113,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, *libctx = ret->libctx; } break; + case ASN1_OP_GET0_PROPQ: { const char **propq = exarg; 
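Review bot: The block added to X509_PUBKEY_dup() retries with `x509_pubkey_decode()` and `flag_force_legacy = 1` whenever `EVP_PKEY_dup()` returns NULL, with no comment saying why a failed duplication is retried as a decode or that the flag stays set on the returned copy. Something like `/* dup failed: re-decode the encoded key, forcing a legacy key */` plus a sentence on which failures are expected would help, since EVP_PKEY_dup() presumably also returns NULL on allocation failure and the fallback then runs in that case too. This exit also keeps the queued errors through `ERR_clear_last_mark()`, while the earlier exit in the same function raises ERR_R_MALLOC_FAILURE, so callers see differently shaped error queues for the two paths.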
@@ -137,6 +121,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, *propq = ret->propq; } break; + default: break; } diff --git a/deps/openssl/openssl/demos/signature/EVP_Signature_demo.c b/deps/openssl/openssl/demos/signature/EVP_Signature_demo.c index d7f26f164ba6d5..123c95c26ad8a1 100644 --- a/deps/openssl/openssl/demos/signature/EVP_Signature_demo.c +++ b/deps/openssl/openssl/demos/signature/EVP_Signature_demo.c @@ -188,7 +188,7 @@ static int demo_verify(OSSL_LIB_CTX *libctx, const char *sig_name, fprintf(stderr, "EVP_DigestVerifyUpdate(hamlet_2) failed.\n"); goto cleanup; } - if (!EVP_DigestVerifyFinal(verify_context, sig_value, sig_len)) { + if (EVP_DigestVerifyFinal(verify_context, sig_value, sig_len) <= 0) { fprintf(stderr, "EVP_DigestVerifyFinal failed.\n"); goto cleanup; } diff --git a/deps/openssl/openssl/doc/build.info b/deps/openssl/openssl/doc/build.info index aa5a1a761b9383..fbf00207592fbb 100644 --- a/deps/openssl/openssl/doc/build.info +++ b/deps/openssl/openssl/doc/build.info @@ -1307,10 +1307,10 @@ DEPEND[html/man3/EVP_RAND.html]=man3/EVP_RAND.pod GENERATE[html/man3/EVP_RAND.html]=man3/EVP_RAND.pod DEPEND[man/man3/EVP_RAND.3]=man3/EVP_RAND.pod GENERATE[man/man3/EVP_RAND.3]=man3/EVP_RAND.pod -DEPEND[html/man3/EVP_SIGNATURE_free.html]=man3/EVP_SIGNATURE_free.pod -GENERATE[html/man3/EVP_SIGNATURE_free.html]=man3/EVP_SIGNATURE_free.pod -DEPEND[man/man3/EVP_SIGNATURE_free.3]=man3/EVP_SIGNATURE_free.pod -GENERATE[man/man3/EVP_SIGNATURE_free.3]=man3/EVP_SIGNATURE_free.pod +DEPEND[html/man3/EVP_SIGNATURE.html]=man3/EVP_SIGNATURE.pod +GENERATE[html/man3/EVP_SIGNATURE.html]=man3/EVP_SIGNATURE.pod +DEPEND[man/man3/EVP_SIGNATURE.3]=man3/EVP_SIGNATURE.pod +GENERATE[man/man3/EVP_SIGNATURE.3]=man3/EVP_SIGNATURE.pod DEPEND[html/man3/EVP_SealInit.html]=man3/EVP_SealInit.pod GENERATE[html/man3/EVP_SealInit.html]=man3/EVP_SealInit.pod DEPEND[man/man3/EVP_SealInit.3]=man3/EVP_SealInit.pod 
@@ -3050,7 +3050,7 @@ html/man3/EVP_PKEY_todata.html \ html/man3/EVP_PKEY_verify.html \ html/man3/EVP_PKEY_verify_recover.html \ html/man3/EVP_RAND.html \ -html/man3/EVP_SIGNATURE_free.html \ +html/man3/EVP_SIGNATURE.html \ html/man3/EVP_SealInit.html \ html/man3/EVP_SignInit.html \ html/man3/EVP_VerifyInit.html \ @@ -3643,7 +3643,7 @@ man/man3/EVP_PKEY_todata.3 \ man/man3/EVP_PKEY_verify.3 \ man/man3/EVP_PKEY_verify_recover.3 \ man/man3/EVP_RAND.3 \ -man/man3/EVP_SIGNATURE_free.3 \ +man/man3/EVP_SIGNATURE.3 \ man/man3/EVP_SealInit.3 \ man/man3/EVP_SignInit.3 \ man/man3/EVP_VerifyInit.3 \ diff --git a/deps/openssl/openssl/doc/build.info.in b/deps/openssl/openssl/doc/build.info.in index fa1962f382580f..e8dae7058a6eff 100644 --- a/deps/openssl/openssl/doc/build.info.in +++ b/deps/openssl/openssl/doc/build.info.in @@ -14,7 +14,7 @@ SUBDIRS = man1 map { $_ => 1 } glob catfile($sourcedir, "man$section", "img", "*.png"); my %podfiles = map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod"); - my %podinfiles = + my %podinfiles = map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod.in"); foreach (keys %podinfiles) { diff --git a/deps/openssl/openssl/doc/internal/man3/OPTIONS.pod b/deps/openssl/openssl/doc/internal/man3/OPTIONS.pod index 1971c76241bc26..90593ca46f6fd3 100644 --- a/deps/openssl/openssl/doc/internal/man3/OPTIONS.pod +++ b/deps/openssl/openssl/doc/internal/man3/OPTIONS.pod @@ -189,7 +189,7 @@ B macro: OPT_PARAMETERS() {OPT_PARAM_STR, 1, '-', "Parameters:\n"} -Every "option" after after this should contain the parameter and +Every "option" after after this should contain the parameter and the help string: {"text", 0, 0, "Words to display (optional)"}, diff --git a/deps/openssl/openssl/doc/internal/man3/OSSL_METHOD_STORE.pod b/deps/openssl/openssl/doc/internal/man3/OSSL_METHOD_STORE.pod index 7d9b80778dbf51..5d9219fd0e98c1 100644 --- a/deps/openssl/openssl/doc/internal/man3/OSSL_METHOD_STORE.pod 
+++ b/deps/openssl/openssl/doc/internal/man3/OSSL_METHOD_STORE.pod @@ -27,14 +27,14 @@ ossl_method_store_flush_cache int nid, const void *method); int ossl_method_store_fetch(OSSL_METHOD_STORE *store, int nid, const char *properties, - void **method); - int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, void **method); - int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, void *method, + void **method, const OSSL_PROVIDER **prov_rw); + int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, + int nid, const char *prop_query, void **method); + int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, + int nid, const char *prop_query, void *method, int (*method_up_ref)(void *), void (*method_destruct)(void *)); - void ossl_method_store_flush_cache(OSSL_METHOD_STORE *store); + void ossl_method_store_flush_cache(OSSL_METHOD_STORE *store, int all); =head1 DESCRIPTION @@ -79,7 +79,9 @@ I. ossl_method_store_fetch() queries I for a method identified by I that matches the property query I. -The result, if any, is returned in I. +I<*prop> may be a pointer to a provider, which will narrow the search +to methods from that provider. +The result, if any, is returned in I<*method>, and its provider in I<*prov>. ossl_method_store_flush_cache() flushes all cached entries associated with I. 
@@ -89,10 +91,12 @@ I. ossl_method_store_cache_get() queries the cache associated with the I for a method identified by I that matches the property query I. +Additionally, if I isn't NULL, it will be used to narrow the search +to only include methods from that provider. The result, if any, is returned in I. -ossl_method_store_cache_set() sets a cache entry identified by I with the -property query I in the I. +ossl_method_store_cache_set() sets a cache entry identified by I from the +provider I, with the property query I in the I. Future calls to ossl_method_store_cache_get() will return the specified I. The I function is called to increment the reference count of the method and the I function is called diff --git a/deps/openssl/openssl/doc/internal/man3/cms_add1_signing_cert.pod b/deps/openssl/openssl/doc/internal/man3/cms_add1_signing_cert.pod index 97c5a5111d9f67..cc2747dcde6e70 100644 --- a/deps/openssl/openssl/doc/internal/man3/cms_add1_signing_cert.pod +++ b/deps/openssl/openssl/doc/internal/man3/cms_add1_signing_cert.pod @@ -31,12 +31,12 @@ For a fuller description see L). =head1 RETURN VALUES -cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute +cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute is added or 0 if an error occurred. =head1 COPYRIGHT -Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/internal/man3/evp_generic_fetch.pod b/deps/openssl/openssl/doc/internal/man3/evp_generic_fetch.pod index 243f6c952fb61e..b23d2ec0eaa244 100644 --- a/deps/openssl/openssl/doc/internal/man3/evp_generic_fetch.pod +++ b/deps/openssl/openssl/doc/internal/man3/evp_generic_fetch.pod 
@@ -2,7 +2,7 @@ =head1 NAME -evp_generic_fetch, evp_generic_fetch_by_number +evp_generic_fetch, evp_generic_fetch_by_number, evp_generic_fetch_from_prov - generic algorithm fetchers and method creators for EVP =head1 SYNOPSIS @@ -29,6 +29,15 @@ evp_generic_fetch, evp_generic_fetch_by_number void *method_data, int (*up_ref_method)(void *), void (*free_method)(void *)); + void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, + int name_id, const char *properties, + void *(*new_method)(int name_id, + const OSSL_DISPATCH *fns, + OSSL_PROVIDER *prov, + void *method_data), + void *method_data, + int (*up_ref_method)(void *), + void (*free_method)(void *)); =head1 DESCRIPTION @@ -37,14 +46,19 @@ I, I, I, and I and uses it to create an EVP method with the help of the functions I, I, and I. -evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), +evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), but takes a numeric I instead of a name. I must always be nonzero; as a matter of fact, it being zero is considered a programming error. This is meant to be used when one method needs to fetch an associated -other method, and is typically called from inside the given function +method, and is typically called from inside the given function I. +evp_generic_fetch_from_prov() does the same thing as evp_generic_fetch(), +but limits the search of methods to the provider given with I. +This is meant to be used when one method needs to fetch an associated +method in the same provider. + The three functions I, I, and I are supposed to: diff --git a/deps/openssl/openssl/doc/internal/man3/evp_md_get_number.pod b/deps/openssl/openssl/doc/internal/man3/evp_md_get_number.pod index 3c85f58b99be24..1f913551aad61e 100644 --- a/deps/openssl/openssl/doc/internal/man3/evp_md_get_number.pod +++ b/deps/openssl/openssl/doc/internal/man3/evp_md_get_number.pod 
@@ -10,7 +10,7 @@ ossl_store_loader_get_number - EVP get internal identification numbers =head1 SYNOPSIS - #include + #include "crypto/evp.h" int evp_asym_cipher_get_number(const EVP_ASYM_CIPHER *cipher); int evp_cipher_get_number(const EVP_CIPHER *e); diff --git a/deps/openssl/openssl/doc/internal/man3/ossl_lib_ctx_get_data.pod b/deps/openssl/openssl/doc/internal/man3/ossl_lib_ctx_get_data.pod index 2050a2506b812f..faedf7275f08d6 100644 --- a/deps/openssl/openssl/doc/internal/man3/ossl_lib_ctx_get_data.pod +++ b/deps/openssl/openssl/doc/internal/man3/ossl_lib_ctx_get_data.pod @@ -91,7 +91,7 @@ and a destructor to an index. } /* - * Include a reference to this in the methods table in context.c + * Include a reference to this in the methods table in context.c * OSSL_LIB_CTX_FOO_INDEX should be added to internal/cryptlib.h * Priorities can be OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, * OSSL_LIB_CTX_METHOD_PRIORITY_1, OSSL_LIB_CTX_METHOD_PRIORITY_2, etc. diff --git a/deps/openssl/openssl/doc/internal/man3/ossl_method_construct.pod b/deps/openssl/openssl/doc/internal/man3/ossl_method_construct.pod index 46a17ba7b6d2c2..3683798b06b49b 100644 --- a/deps/openssl/openssl/doc/internal/man3/ossl_method_construct.pod +++ b/deps/openssl/openssl/doc/internal/man3/ossl_method_construct.pod 
@@ -13,21 +13,20 @@ OSSL_METHOD_CONSTRUCT_METHOD, ossl_method_construct /* Get a temporary store */ void *(*get_tmp_store)(void *data); /* Get an already existing method from a store */ - void *(*get)(void *store, void *data); + void *(*get)(void *store, const OSSL_PROVIDER *prov, void *data); /* Store a method in a store */ - int (*put)(void *store, void *method, - const OSSL_PROVIDER *prov, const char *name, - const char *propdef, void *data); + int (*put)(void *store, void *method, const OSSL_PROVIDER *prov, + const char *name, const char *propdef, void *data); /* Construct a new method */ - void *(*construct)(const char *name, const OSSL_DISPATCH *fns, - OSSL_PROVIDER *prov, void *data); + void *(*construct)(const OSSL_ALGORITHM *algodef, OSSL_PROVIDER *prov, + void *data); /* Destruct a method */ - void (*destruct)(void *method); + void (*destruct)(void *method, void *data); }; typedef struct ossl_method_construct_method OSSL_METHOD_CONSTRUCT_METHOD; void *ossl_method_construct(OSSL_LIB_CTX *ctx, int operation_id, - int force_cache, + OSSL_PROVIDER *prov, int force_cache, OSSL_METHOD_CONSTRUCT_METHOD *mcm, void *mcm_data); @@ -57,6 +56,9 @@ providers for a dispatch table given an I, and then calling the appropriate functions given by the subsystem specific method creator through I and the data in I (which is passed by ossl_method_construct()). +If I is not NULL, only that provider is considered, which is +useful in the case a method must be found in that particular +provider. This function assumes that the subsystem method creator implements reference counting and acts accordingly (i.e. it will call the 
@@ -72,17 +74,13 @@ function pointers: =over 4 -=item alloc_tmp_store() +=item get_tmp_store() Create a temporary method store in the scope of the library context I. This store is used to temporarily store methods for easier lookup, for when the provider doesn't want its dispatch table stored in a longer term cache. -=item dealloc_tmp_store() - -Remove a temporary store. - =item get() Look up an already existing method from a store by name. @@ -97,7 +95,10 @@ The method to be looked up should be identified with data found in I In other words, the ossl_method_construct() caller is entirely responsible for ensuring the necesssary data is made available. -This function is expected to increment the method's reference count. +Optionally, I may be given as a search criterion, to narrow down the +search of a method belonging to just one provider. + +This function is expected to increment the resulting method's reference count. =item put() @@ -109,7 +110,7 @@ NULL is a valid value and means that a subsystem default store must be used. This default store should be stored in the library context I. -The method should be associated with the given I, +The method should be associated with the given provider I, I and property definition I as well as any identification data given through I (which is the I that was passed to ossl_construct_method()). diff --git a/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod b/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod index 09b2e041172f96..0cf51a163f6186 100644 --- a/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod +++ b/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod 
@@ -8,7 +8,7 @@ ossl_provider_set_fallback, ossl_provider_set_module_path, ossl_provider_add_parameter, ossl_provider_set_child, ossl_provider_get_parent, ossl_provider_up_ref_parent, ossl_provider_free_parent, ossl_provider_default_props_update, ossl_provider_get0_dispatch, -ossl_provider_init_as_child, +ossl_provider_init_as_child, ossl_provider_deinit_child, ossl_provider_activate, ossl_provider_deactivate, ossl_provider_add_to_store, ossl_provider_ctx, ossl_provider_doall_activated, @@ -54,7 +54,7 @@ ossl_provider_get_capabilities * If the Provider is a module, the module will be loaded */ int ossl_provider_activate(OSSL_PROVIDER *prov, int upcalls, int aschild); - int ossl_provider_deactivate(OSSL_PROVIDER *prov); + int ossl_provider_deactivate(OSSL_PROVIDER *prov, int removechildren); int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov, int retain_fallbacks); @@ -99,7 +99,7 @@ ossl_provider_get_capabilities int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in); - + void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); =head1 DESCRIPTION @@ -226,7 +226,9 @@ no action is taken and ossl_provider_activate() returns success. ossl_provider_deactivate() "deactivates" the provider for the given provider object I by decrementing its activation count. When -that count reaches zero, the activation flag is cleared. +that count reaches zero, the activation flag is cleared. If the +I parameter is 0 then no attempt is made to remove any +associated child providers. ossl_provider_add_to_store() adds the provider I to the provider store and makes it available to other threads. This will prevent future automatic loading 
@@ -296,7 +298,7 @@ in a bitstring that's internal to I. ossl_provider_test_operation_bit() checks if the bit operation I is set (1) or not (0) in the internal I bitstring, and sets -I<*result> to 1 or 0 accorddingly. +I<*result> to 1 or 0 accorddingly. ossl_provider_clear_all_operation_bits() clears all of the operation bits to (0) for all providers in the library context I. @@ -306,6 +308,10 @@ the necessary upcalls for managing child providers. The I and I parameters are the B and B pointers that were passed to the provider's B function. +ossl_provider_deinit_child() deregisters callbacks from the parent library +context about provider creation or removal events for the child library context +I. Must only be called if I is a child library context. + =head1 NOTES Locating a provider module happens as follows: diff --git a/deps/openssl/openssl/doc/internal/man3/ossl_punycode_decode.pod b/deps/openssl/openssl/doc/internal/man3/ossl_punycode_decode.pod index 1926a4b4bc6110..652626159e3ac8 100644 --- a/deps/openssl/openssl/doc/internal/man3/ossl_punycode_decode.pod +++ b/deps/openssl/openssl/doc/internal/man3/ossl_punycode_decode.pod @@ -22,10 +22,10 @@ PUNYCODE encoding introduced in RFCs 3490-3492 is widely used for representation of host names in ASCII-only format. Some specifications, such as RFC 8398, require comparison of host names encoded in UTF-8 charset. -ossl_a2ulabel() decodes NULL-terminated hostname from PUNYCODE to UTF-8, +ossl_a2ulabel() decodes NUL-terminated hostname from PUNYCODE to UTF-8, using a provided buffer for output. -ossl_a2ucompare() accepts two NULL-terminated hostnames, decodes the 1st +ossl_a2ucompare() accepts two NUL-terminated hostnames, decodes the 1st from PUNYCODE to UTF-8 and compares it with the 2nd one as is. ossl_punycode_decode() decodes one label (one dot-separated part) from 
@@ -49,7 +49,7 @@ The functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/internal/man7/DERlib.pod b/deps/openssl/openssl/doc/internal/man7/DERlib.pod index 7085a2cb6dd0da..8dd5d6cec79138 100644 --- a/deps/openssl/openssl/doc/internal/man7/DERlib.pod +++ b/deps/openssl/openssl/doc/internal/man7/DERlib.pod @@ -81,7 +81,7 @@ As a reminder, the AlgorithmIdentifier is specified like this: -- From RFC 3280, section 4.1.1.2 AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } + parameters ANY DEFINED BY algorithm OPTIONAL } And the RSASSA-PSS OID and parameters are specified like this: @@ -139,7 +139,7 @@ L =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/internal/man7/build.info.pod b/deps/openssl/openssl/doc/internal/man7/build.info.pod index 8c651b37e67cde..080c9e444eea4b 100644 --- a/deps/openssl/openssl/doc/internal/man7/build.info.pod +++ b/deps/openssl/openssl/doc/internal/man7/build.info.pod 
@@ -574,7 +574,7 @@ appear in a linking command line (because of recursive dependencies through other libraries), they will be ordered in such a way that this dependency is maintained: - DEPEND[libfoo.a]{weak}=libfoo.a libcookie.a + DEPEND[libfoo.a]{weak}=libfoo.a libcookie.a This is useful in complex dependency trees where two libraries can be used as alternatives for each other. In this example, C and diff --git a/deps/openssl/openssl/doc/life-cycles/digest.dot b/deps/openssl/openssl/doc/life-cycles/digest.dot index 4ad7f79e456b94..8d4d72480c9acc 100644 --- a/deps/openssl/openssl/doc/life-cycles/digest.dot +++ b/deps/openssl/openssl/doc/life-cycles/digest.dot @@ -30,4 +30,4 @@ digraph digest { finaled -> initialised [label="EVP_DigestInit", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/deps/openssl/openssl/doc/life-cycles/kdf.dot b/deps/openssl/openssl/doc/life-cycles/kdf.dot index b0e925685d4669..2dce34377db661 100644 --- a/deps/openssl/openssl/doc/life-cycles/kdf.dot +++ b/deps/openssl/openssl/doc/life-cycles/kdf.dot @@ -13,4 +13,4 @@ strict digraph kdf { deriving -> newed [label="EVP_KDF_CTX_reset", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/deps/openssl/openssl/doc/life-cycles/mac.dot b/deps/openssl/openssl/doc/life-cycles/mac.dot index c841c5f21830a6..fe277f8328e613 100644 --- a/deps/openssl/openssl/doc/life-cycles/mac.dot +++ b/deps/openssl/openssl/doc/life-cycles/mac.dot @@ -25,4 +25,4 @@ digraph mac { finaled -> initialised [label="EVP_MAC_init", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/deps/openssl/openssl/doc/life-cycles/rand.dot b/deps/openssl/openssl/doc/life-cycles/rand.dot index df740b7a9bcd92..a57cf710c75d52 100644 --- a/deps/openssl/openssl/doc/life-cycles/rand.dot +++ b/deps/openssl/openssl/doc/life-cycles/rand.dot 
@@ -14,4 +14,4 @@ strict digraph rand { uninstantiated -> end [label="EVP_RAND_CTX_free"]; uninstantiated -> instantiated [label="EVP_RAND_instantiate", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in b/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in index 0e482677a022e7..420c194a6c70fe 100644 --- a/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in @@ -48,10 +48,10 @@ Certificate enrollment and revocation options: Message transfer options: [B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] -[B<-path> I] [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] [B<-no_proxy> I] [B<-recipient> I] +[B<-path> I] [B<-keep_alive> I] [B<-msg_timeout> I] [B<-total_timeout> I] @@ -448,11 +448,6 @@ The optional userinfo and fragment components are ignored. Any given query component is handled as part of the path component. If a path is included it provides the default value for the B<-path> option. -=item B<-path> I - -HTTP path at the CMP server (aka CMP alias) to use for POST requests. -Defaults to any path given with B<-server>, else C<"/">. - =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy> @@ -487,6 +482,11 @@ as far as any of those is present, else the NULL-DN as last resort. The argument must be formatted as I. For details see the description of the B<-subject> option. +=item B<-path> I + +HTTP path at the CMP server (aka CMP alias) to use for POST requests. +Defaults to any path given with B<-server>, else C<"/">. + =item B<-keep_alive> I If the given value is 0 then HTTP connections are not kept open 
@@ -835,7 +835,7 @@ have no effect on the certificate verification enabled via this option. =item B<-tls_host> I -Address to be checked during hostname validation. +Address to be checked during hostname validation. This may be a DNS name or an IP address. If not given it defaults to the B<-server> address. diff --git a/deps/openssl/openssl/doc/man1/openssl-fipsinstall.pod.in b/deps/openssl/openssl/doc/man1/openssl-fipsinstall.pod.in index d79e237dba2787..97e2ae910c170b 100644 --- a/deps/openssl/openssl/doc/man1/openssl-fipsinstall.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-fipsinstall.pod.in @@ -197,6 +197,18 @@ All other options are ignored if '-config' is used. =back +=head1 NOTES + +Self tests results are logged by default if the options B<-quiet> and B<-noout> +are not specified, or if either of the options B<-corrupt_desc> or +B<-corrupt_type> are used. +If the base configuration file is set up to autoload the fips module, then the +fips module will be loaded and self tested BEFORE the fipsinstall application +has a chance to set up its own self test callback. As a result of this the self +test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +For normal usage the base configuration file should use the default provider +when generating the fips configuration file. + =head1 EXAMPLES Calculate the mac of a FIPS module F and run a FIPS self test diff --git a/deps/openssl/openssl/doc/man1/openssl-mac.pod.in b/deps/openssl/openssl/doc/man1/openssl-mac.pod.in index b368b79bc774bc..e76e185e08af85 100644 --- a/deps/openssl/openssl/doc/man1/openssl-mac.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-mac.pod.in @@ -116,7 +116,7 @@ This option is identical to the B<-cipher> option. =item I Specifies the name of a supported MAC algorithm which will be used. -To see the list of supported MAC's use the command C. =back 
diff --git a/deps/openssl/openssl/doc/man1/openssl-passwd.pod.in b/deps/openssl/openssl/doc/man1/openssl-passwd.pod.in index ed68bab4956ae2..314fe4fe7248a8 100644 --- a/deps/openssl/openssl/doc/man1/openssl-passwd.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-passwd.pod.in @@ -31,8 +31,6 @@ This command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for option B<-in>, from stdin for option B<-stdin>, or from the command line, or from the terminal otherwise. -The MD5-based BSD password algorithm B<-1>, its Apache variant B<-apr1>, -and its AIX variant are available. =head1 OPTIONS diff --git a/deps/openssl/openssl/doc/man1/openssl-req.pod.in b/deps/openssl/openssl/doc/man1/openssl-req.pod.in index e78b04c65ba7a6..a21c30ba47fe4f 100644 --- a/deps/openssl/openssl/doc/man1/openssl-req.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-req.pod.in @@ -79,9 +79,10 @@ The data is a PKCS#10 object. =item B<-in> I -This specifies the input filename to read a request from or standard input -if this option is not specified. A request is only read if the creation -options (B<-new> or B<-newkey>) are not specified. +This specifies the input filename to read a request from. +This defaults to standard input unless B<-x509> or B<-CA> is specified. +A request is only read if the creation options +(B<-new> or B<-newkey> or B<-precert>) are not specified. =item B<-sigopt> I:I 
@@ -156,8 +157,13 @@ else by default an RSA key with 2048 bits length. =item B<-newkey> I -This option creates a new certificate request and a new private -key. The argument takes one of several forms. +This option is used to generate a new private key unless B<-key> is given. +It is subsequently used as if it was given using the B<-key> option. + +This option implies the B<-new> flag to create a new certificate request +or a new certificate in case B<-x509> is given. + +The argument takes one of several forms. [B]I generates an RSA key I in size. If I is omitted, i.e., B<-newkey> B is specified, @@ -193,9 +199,14 @@ See L for more details. =item B<-key> I|I -This specifies the key to include and to use for request self-signature -and for self-signing certificates produced with the B<-x509> option. -It also accepts PKCS#8 format private keys for PEM format files. +This option provides the private key for signing a new certificate or +certificate request. +Unless B<-in> is given, the corresponding public key is placed in +the new certificate or certificate request, resulting in a self-signature. + +For certificate signing this option is overridden by the B<-CA> option. + +This option also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B|B|B|B @@ -268,6 +279,8 @@ This option outputs a certificate instead of a certificate request. This is typically used to generate test certificates. It is implied by the B<-CA> option. +This option implies the B<-new> flag if B<-in> is not given. + If an existing request is specified with the B<-in> option, it is converted to the a certificate; otherwise a request is created from scratch. diff --git a/deps/openssl/openssl/doc/man1/openssl-x509.pod.in b/deps/openssl/openssl/doc/man1/openssl-x509.pod.in index 9c77a216c22827..b86f409ce81e5e 100644 --- a/deps/openssl/openssl/doc/man1/openssl-x509.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-x509.pod.in 
@@ -102,9 +102,11 @@ Print out a usage message. =item B<-in> I|I -If the B<-req> option is not used this specifies the input -to read a certificate from or standard input if this option is not specified. -With the B<-req> option this specifies a certificate request file. +This specifies the input to read a certificate from +or the input file for reading a certificate request if the B<-req> flag is used. +In both cases this defaults to standard input. + +This option cannot be combined with the B<-new> flag. =item B<-passin> I @@ -118,14 +120,14 @@ Generate a certificate from scratch, not using an input certificate or certificate request. So the B<-in> option must not be used in this case. Instead, the B<-subj> option needs to be given. The public key to include can be given with the B<-force_pubkey> option -and defaults to the key given with the B<-key> option, +and defaults to the key given with the B<-key> (or B<-signkey>) option, which implies self-signature. =item B<-x509toreq> Output a PKCS#10 certificate request (rather than a certificate). -The B<-key> option must be used to provide the private key for self-signing; -the corresponding public key is placed in the subjectPKInfo field. +The B<-key> (or B<-signkey>) option must be used to provide the private key for +self-signing; the corresponding public key is placed in the subjectPKInfo field. X.509 extensions included in a certificate input are not copied by default. X.509 extensions to be added can be specified using the B<-extfile> option. 
@@ -163,9 +165,12 @@ Names and values of these options are algorithm-specific. =item B<-key> I|I -This option causes the new certificate or certificate request -to be self-signed using the supplied private key. -This cannot be used in conjunction with the B<-CA> option. +This option provides the private key for signing a new certificate or +certificate request. +Unless B<-force_pubkey> is given, the corresponding public key is placed in +the new certificate or certificate request, resulting in a self-signature. + +This option cannot be used in conjunction with the B<-CA> option. It sets the issuer name to the subject name (i.e., makes it self-issued) and changes the public key to the supplied value (unless overridden @@ -355,8 +360,9 @@ Check that the certificate matches the specified IP address. =item B<-set_serial> I -Specifies the serial number to use. This option can be used with either -the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option +Specifies the serial number to use. +This option can be used with the B<-key>, B<-signkey>, or B<-CA> options. +If used in conjunction with the B<-CA> option the serial number file (as specified by the B<-CAserial> option) is not used. The serial number can be decimal or hex (if preceded by C<0x>). @@ -400,7 +406,8 @@ or certificate request. =item B<-force_pubkey> I When a certificate is created set its public key to the key in I -instead of the key contained in the input or given with the B<-key> option. +instead of the key contained in the input +or given with the B<-key> (or B<-signkey>) option. This option is useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH. 
@@ -446,7 +453,7 @@ for testing. The digest to use. This affects any signing or printing option that uses a message -digest, such as the B<-fingerprint>, B<-key> and B<-CA> options. +digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options. Any digest supported by the L command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. @@ -464,9 +471,9 @@ When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as detailed below. -This option cannot be used in conjunction with the B<-key> option. +This option cannot be used in conjunction with B<-key> (or B<-signkey>). This option is normally combined with the B<-req> option referencing a CSR. -Without the B<-req> option the input must be a self-signed certificate +Without the B<-req> option the input must be an existing certificate unless the B<-new> option is given, which generates a certificate from scratch. =item B<-CAform> B|B|B, diff --git a/deps/openssl/openssl/doc/man3/ASN1_INTEGER_get_int64.pod b/deps/openssl/openssl/doc/man3/ASN1_INTEGER_get_int64.pod index 1d9ff25f8463f1..3bde0b20e686d6 100644 --- a/deps/openssl/openssl/doc/man3/ASN1_INTEGER_get_int64.pod +++ b/deps/openssl/openssl/doc/man3/ASN1_INTEGER_get_int64.pod @@ -14,7 +14,7 @@ ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_s long ASN1_INTEGER_get(const ASN1_INTEGER *a); int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r); - int ASN1_INTEGER_set(const ASN1_INTEGER *a, long v); + int ASN1_INTEGER_set(ASN1_INTEGER *a, long v); int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a); int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r); 
@@ -28,8 +28,8 @@ ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_s int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t r); int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
- ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai);
- BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn);
+ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai);
+ BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn);
 =head1 DESCRIPTION
@@ -123,7 +123,7 @@ were added in OpenSSL 1.1.0. =head1 COPYRIGHT
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/ASN1_TYPE_get.pod b/deps/openssl/openssl/doc/man3/ASN1_TYPE_get.pod
index c34572345ffb1f..9bfb5a76d4792f 100644
--- a/deps/openssl/openssl/doc/man3/ASN1_TYPE_get.pod
+++ b/deps/openssl/openssl/doc/man3/ASN1_TYPE_get.pod
@@ -24,7 +24,7 @@ These functions allow an B structure to be manipulated. The B structure can contain any ASN.1 type or constructed type such as a SEQUENCE: it is effectively equivalent to the ASN.1 ANY type.
-ASN1_TYPE_get() returns the type of I.
+ASN1_TYPE_get() returns the type of I or 0 if it fails.
 ASN1_TYPE_set() sets the value of I to I and I. This function uses the pointer I internally so it must B be freed
@@ -91,7 +91,7 @@ NULL on failure. =head1 COPYRIGHT
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/ASN1_item_d2i_bio.pod b/deps/openssl/openssl/doc/man3/ASN1_item_d2i_bio.pod
index 9083f85f69feed..bdf5c48096abc7 100644
--- a/deps/openssl/openssl/doc/man3/ASN1_item_d2i_bio.pod
+++ b/deps/openssl/openssl/doc/man3/ASN1_item_d2i_bio.pod
@@ -10,15 +10,15 @@ ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio #include
- ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **val, const unsigned char **in,
+ ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **pval, const unsigned char **in,
 long len, const ASN1_ITEM *it, OSSL_LIB_CTX *libctx, const char *propq);
- ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in,
+ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in,
 long len, const ASN1_ITEM *it);
- void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *pval,
+ void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x,
 OSSL_LIB_CTX *libctx, const char *propq);
- void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *pval);
+ void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
 void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x, OSSL_LIB_CTX *libctx, const char *propq);
diff --git a/deps/openssl/openssl/doc/man3/BF_encrypt.pod b/deps/openssl/openssl/doc/man3/BF_encrypt.pod
index b4a335076df6c6..509dd22c63fb99 100644
--- a/deps/openssl/openssl/doc/man3/BF_encrypt.pod
+++ b/deps/openssl/openssl/doc/man3/BF_encrypt.pod
@@ -9,9 +9,9 @@ BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options - Blowfish encryption #include
-Deprecated since OpenSSL 3.0, can be hidden entirely by defining
-B with a suitable version value, see
-L:
+The following functions have been deprecated since OpenSSL 3.0, and can be
+hidden entirely by defining B with a suitable version value,
+see L:
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
@@ -121,7 +121,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BIO_ctrl.pod b/deps/openssl/openssl/doc/man3/BIO_ctrl.pod
index fdffda7b41719f..bcdeac6f7bddce 100644
--- a/deps/openssl/openssl/doc/man3/BIO_ctrl.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_ctrl.pod
@@ -77,26 +77,27 @@ return a size_t type and are functions, BIO_pending() and BIO_wpending() are macros which call BIO_ctrl(). BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for
-sending. Otherwise, it returns zero.
+sending. Otherwise, it returns zero. It also returns negative values for failure.
 BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for
-receiving. Otherwise, it returns zero.
+receiving. Otherwise, it returns zero. It also returns negative values for failure.
 =head1 RETURN VALUES
-BIO_reset() normally returns 1 for success and 0 or -1 for failure. File
+BIO_reset() normally returns 1 for success and <=0 for failure. File
 BIOs are an exception, they return 0 for success and -1 for failure. BIO_seek() and BIO_tell() both return the current file position on success and -1 for failure, except file BIOs which for BIO_seek() always return 0 for success and -1 for failure.
-BIO_flush() returns 1 for success and 0 or -1 for failure.
+BIO_flush() returns 1 for success and <=0 for failure.
-BIO_eof() returns 1 if EOF has been reached, 0 if not, or -1 for failure.
+BIO_eof() returns 1 if EOF has been reached, 0 if not, or negative values for failure.
-BIO_set_close() always returns 1.
+BIO_set_close() returns 1 on success or <=0 for failure.
-BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE.
+BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. It also
+returns other negative values if an error occurs.
 BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending() return the amount of pending data.
diff --git a/deps/openssl/openssl/doc/man3/BIO_f_buffer.pod b/deps/openssl/openssl/doc/man3/BIO_f_buffer.pod
index ed32e11d92f737..9a1d5b4b33fa17 100644
--- a/deps/openssl/openssl/doc/man3/BIO_f_buffer.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_f_buffer.pod
@@ -74,12 +74,13 @@ source/sink BIO is non blocking. BIO_f_buffer() returns the buffering BIO method.
-BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0).
+BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0) or
+a negative value in case of errors.
 BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
-return 1 if the buffer was successfully resized or 0 for failure.
+return 1 if the buffer was successfully resized or <=0 for failure.
-BIO_set_buffer_read_data() returns 1 if the data was set correctly or 0 if
+BIO_set_buffer_read_data() returns 1 if the data was set correctly or <=0 if
 there was an error. =head1 SEE ALSO
@@ -92,7 +93,7 @@ L. =head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BIO_f_cipher.pod b/deps/openssl/openssl/doc/man3/BIO_f_cipher.pod
index 48f55360394181..3a11cabd3c4c07 100644
--- a/deps/openssl/openssl/doc/man3/BIO_f_cipher.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_f_cipher.pod
@@ -12,8 +12,8 @@ BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx - cipher #include const BIO_METHOD *BIO_f_cipher(void);
- void BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher,
- unsigned char *key, unsigned char *iv, int enc);
+ int BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher,
+ const unsigned char *key, const unsigned char *iv, int enc);
 int BIO_get_cipher_status(BIO *b); int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx);
@@ -62,16 +62,16 @@ be achieved by preceding the cipher BIO with a buffering BIO. BIO_f_cipher() returns the cipher BIO method.
-BIO_set_cipher() does not return a value.
+BIO_set_cipher() returns 1 for success and 0 for failure.
-BIO_get_cipher_status() returns 1 for a successful decrypt and 0
+BIO_get_cipher_status() returns 1 for a successful decrypt and <=0
 for failure.
-BIO_get_cipher_ctx() currently always returns 1.
+BIO_get_cipher_ctx() returns 1 for success and <=0 for failure.
 =head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BIO_f_md.pod b/deps/openssl/openssl/doc/man3/BIO_f_md.pod
index e146427d89ec0e..c2b825e35272b9 100644
--- a/deps/openssl/openssl/doc/man3/BIO_f_md.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_f_md.pod
@@ -69,7 +69,7 @@ if the standard calls such as BIO_set_md() are not sufficiently flexible. BIO_f_md() returns the digest BIO method. BIO_set_md(), BIO_get_md() and BIO_md_ctx() return 1 for success and
-0 for failure.
+<=0 for failure.
 =head1 EXAMPLES
diff --git a/deps/openssl/openssl/doc/man3/BIO_f_prefix.pod b/deps/openssl/openssl/doc/man3/BIO_f_prefix.pod
index b4d0298b2a4a3b..3c98ef311bb5c4 100644
--- a/deps/openssl/openssl/doc/man3/BIO_f_prefix.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_f_prefix.pod
@@ -46,13 +46,13 @@ implemented as macros. BIO_f_prefix() returns the prefix BIO method.
-BIO_set_prefix() returns 1 if the prefix was correctly set, or 0 on
+BIO_set_prefix() returns 1 if the prefix was correctly set, or <=0 on
 failure.
-BIO_set_indent() returns 1 if the prefix was correctly set, or 0 on
+BIO_set_indent() returns 1 if the prefix was correctly set, or <=0 on
 failure.
-BIO_get_indent() returns the current indentation.
+BIO_get_indent() returns the current indentation, or a negative value for failure.
 =head1 SEE ALSO
@@ -60,7 +60,7 @@ L =head1 COPYRIGHT
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod b/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod
index 36ddf705d20432..c6dc53c1056cfd 100644
--- a/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod
@@ -54,26 +54,26 @@ The SSL BIO is then reset to the initial accept or connect state. If the close flag is set when an SSL BIO is freed then the internal SSL structure is also freed using SSL_free().
-BIO_set_ssl() sets the internal SSL pointer of BIO B to B using
+BIO_set_ssl() sets the internal SSL pointer of SSL BIO B to B using
 the close flag B.
-BIO_get_ssl() retrieves the SSL pointer of BIO B, it can then be
+BIO_get_ssl() retrieves the SSL pointer of SSL BIO B, it can then be
 manipulated using the standard SSL library functions. BIO_set_ssl_mode() sets the SSL BIO mode to B. If B is 1 client mode is set. If B is 0 server mode is set.
-BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count
+BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count of SSL BIO B
 to B. When set after every B bytes of I/O (read and write) the SSL session is automatically renegotiated. B must be at least 512 bytes.
-BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout to
-B. When the renegotiate timeout elapses the session is
-automatically renegotiated.
+BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout of SSL BIO B
+to B.
+When the renegotiate timeout elapses the session is automatically renegotiated.
 BIO_get_num_renegotiates() returns the total number of session
-renegotiations due to I/O or timeout.
+renegotiations due to I/O or timeout of SSL BIO B.
 BIO_new_ssl() allocates an SSL BIO using SSL_CTX B and using client mode if B is non zero.
@@ -82,8 +82,7 @@ BIO_new_ssl_connect() creates a new BIO chain consisting of an SSL BIO (using B) followed by a connect BIO. BIO_new_buffer_ssl_connect() creates a new BIO chain consisting
-of a buffering BIO, an SSL BIO (using B) and a connect
-BIO.
+of a buffering BIO, an SSL BIO (using B), and a connect BIO.
 BIO_ssl_copy_session_id() copies an SSL session id between BIO chains B and B. It does this by locating the
@@ -96,7 +95,7 @@ chain and calling SSL_shutdown() on its internal SSL pointer. BIO_do_handshake() attempts to complete an SSL handshake on the
--supplied BIO and establish the SSL connection.
+supplied BIO and establish the SSL connection.
 For non-SSL BIOs the connection is done typically at TCP level. If domain name resolution yields multiple IP addresses all of them are tried after connect() failures.
diff --git a/deps/openssl/openssl/doc/man3/BIO_get_ex_new_index.pod b/deps/openssl/openssl/doc/man3/BIO_get_ex_new_index.pod
index 7dce548f90d5d5..f26b573350d95b 100644
--- a/deps/openssl/openssl/doc/man3/BIO_get_ex_new_index.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_get_ex_new_index.pod
@@ -43,9 +43,9 @@ X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data #define TYPE_set_app_data(TYPE *d, void *arg) #define TYPE_get_app_data(TYPE *d)
-Deprecated since OpenSSL 3.0, can be hidden entirely by defining
-B with a suitable version value, see
-L:
+The following functions have been deprecated since OpenSSL 3.0, and can be
+hidden entirely by defining B with a suitable version value,
+see L:
 int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
diff --git a/deps/openssl/openssl/doc/man3/BIO_push.pod b/deps/openssl/openssl/doc/man3/BIO_push.pod
index a9a1f84b5d49b4..84ce3f042d1ea6 100644
--- a/deps/openssl/openssl/doc/man3/BIO_push.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_push.pod
@@ -8,22 +8,27 @@ BIO_push, BIO_pop, BIO_set_next - add and remove BIOs from a chain #include
- BIO *BIO_push(BIO *b, BIO *append);
+ BIO *BIO_push(BIO *b, BIO *next);
 BIO *BIO_pop(BIO *b); void BIO_set_next(BIO *b, BIO *next); =head1 DESCRIPTION
-The BIO_push() function appends the BIO B to B, it returns
-B.
+BIO_push() pushes I on I.
+If I is NULL the function does nothing and returns I.
+Otherwise it prepends I, which may be a single BIO or a chain of BIOs,
+to I (unless I is NULL).
+It then makes a control call on I and returns I.
-BIO_pop() removes the BIO B from a chain and returns the next BIO
-in the chain, or NULL if there is no next BIO. The removed BIO then
-becomes a single BIO with no association with the original chain,
-it can thus be freed or attached to a different chain.
+BIO_pop() removes the BIO I from any chain is is part of.
+If I is NULL the function does nothing and returns NULL.
+Otherwise it makes a control call on I and
+returns the next BIO in the chain, or NULL if there is no next BIO.
+The removed BIO becomes a single BIO with no association with
+the original chain, it can thus be freed or be made part of a different chain.
 BIO_set_next() replaces the existing next BIO in a chain with the BIO pointed to
-by B. The new chain may include some of the same BIOs from the old chain
+by I. The new chain may include some of the same BIOs from the old chain
 or it may be completely different. =head1 NOTES
@@ -33,41 +38,45 @@ joins two BIO chains whereas BIO_pop() deletes a single BIO from a chain, the deleted BIO does not need to be at the end of a chain. The process of calling BIO_push() and BIO_pop() on a BIO may have additional
-consequences (a control call is made to the affected BIOs) any effects will
-be noted in the descriptions of individual BIOs.
+consequences (a control call is made to the affected BIOs).
+Any effects will be noted in the descriptions of individual BIOs.
 =head1 RETURN VALUES
-BIO_push() returns the end of the chain, B.
+BIO_push() returns the head of the chain,
+which usually is I, or I if I is NULL.
-BIO_pop() returns the next BIO in the chain, or NULL if there is no next
-BIO.
+BIO_pop() returns the next BIO in the chain,
+or NULL if there is no next BIO.
 =head1 EXAMPLES
-For these examples suppose B and B are digest BIOs, B is
-a base64 BIO and B is a file BIO.
+For these examples suppose I and I are digest BIOs,
+I is a base64 BIO and I is a file BIO.
 If the call: BIO_push(b64, f);
-is made then the new chain will be B. After making the calls
+is made then the new chain will be I. After making the calls
 BIO_push(md2, b64); BIO_push(md1, md2);
-the new chain is B. Data written to B will be digested
-by B and B, B encoded and written to B.
+the new chain is I. Data written to I will be digested
+by I and I, base64 encoded, and finally written to I.
 It should be noted that reading causes data to pass in the reverse
-direction, that is data is read from B, B decoded and digested
-by B and B. If the call:
+direction, that is data is read from I, base64 decoded,
+and digested by I and then I.
+
+The call:
 BIO_pop(md2);
-The call will return B and the new chain will be B data can
-be written to B as before.
+will return I and the new chain will be I.
+Data can be written to and read from I as before,
+except that I will no more be applied.
 =head1 SEE ALSO
diff --git a/deps/openssl/openssl/doc/man3/BIO_s_accept.pod b/deps/openssl/openssl/doc/man3/BIO_s_accept.pod
index e6f9291364e447..c3826a609f96a5 100644
--- a/deps/openssl/openssl/doc/man3/BIO_s_accept.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_s_accept.pod
@@ -169,16 +169,16 @@ BIO_set_bind_mode(), BIO_get_bind_mode() and BIO_do_accept() are macros. BIO_do_accept(), BIO_set_accept_name(), BIO_set_accept_port(), BIO_set_nbio_accept(), BIO_set_accept_bios(), BIO_set_accept_ip_family(), and BIO_set_bind_mode()
-return 1 for success and 0 or -1 for failure.
+return 1 for success and <=0 for failure.
 BIO_get_accept_name() returns the accept name or NULL on error. BIO_get_peer_name() returns the peer name or NULL on error. BIO_get_accept_port() returns the accept port as a string or NULL on error. BIO_get_peer_port() returns the peer port as a string or NULL on error.
-BIO_get_accept_ip_family() returns the IP family or -1 on error.
+BIO_get_accept_ip_family() returns the IP family or <=0 on error.
-BIO_get_bind_mode() returns the set of B flags, or -1 on failure.
+BIO_get_bind_mode() returns the set of B flags, or <=0 on failure.
 BIO_new_accept() returns a BIO or NULL on error.
diff --git a/deps/openssl/openssl/doc/man3/BIO_s_connect.pod b/deps/openssl/openssl/doc/man3/BIO_s_connect.pod
index f31da27fe7bb39..88450dffce527e 100644
--- a/deps/openssl/openssl/doc/man3/BIO_s_connect.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_s_connect.pod
@@ -15,7 +15,7 @@ BIO_set_nbio, BIO_do_connect - connect BIO const BIO_METHOD *BIO_s_connect(void);
- BIO *BIO_new_connect(char *name);
+ BIO *BIO_new_connect(const char *name);
 long BIO_set_conn_hostname(BIO *b, char *name); long BIO_set_conn_port(BIO *b, char *port);
@@ -141,9 +141,9 @@ BIO_set_nbio(), and BIO_do_connect() are macros. BIO_s_connect() returns the connect BIO method. BIO_set_conn_address(), BIO_set_conn_port(), and BIO_set_conn_ip_family()
-always return 1.
+return 1 or <=0 if an error occurs.
-BIO_set_conn_hostname() returns 1 on success and 0 on failure.
+BIO_set_conn_hostname() returns 1 on success and <=0 on failure.
 BIO_get_conn_address() returns the address information or NULL if none was set.
@@ -156,10 +156,10 @@ BIO_get_conn_ip_family() returns the address family or -1 if none was set. BIO_get_conn_port() returns a string representing the connected port or NULL if not set.
-BIO_set_nbio() always returns 1.
+BIO_set_nbio() returns 1 or <=0 if an error occurs.
 BIO_do_connect() returns 1 if the connection was successfully
-established and 0 or -1 if the connection failed.
+established and <=0 if the connection failed.
 =head1 EXAMPLES
diff --git a/deps/openssl/openssl/doc/man3/BIO_s_fd.pod b/deps/openssl/openssl/doc/man3/BIO_s_fd.pod
index 1f7bb0cd30ce67..10aea50d4640c6 100644
--- a/deps/openssl/openssl/doc/man3/BIO_s_fd.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_s_fd.pod
@@ -60,10 +60,10 @@ BIO_set_fd() and BIO_get_fd() are implemented as macros. BIO_s_fd() returns the file descriptor BIO method.
-BIO_set_fd() always returns 1.
+BIO_set_fd() returns 1 on success or <=0 for failure.
 BIO_get_fd() returns the file descriptor or -1 if the BIO has not
-been initialized.
+been initialized. It also returns zero and negative values if other error occurs.
 BIO_new_fd() returns the newly allocated BIO or NULL is an error occurred.
diff --git a/deps/openssl/openssl/doc/man3/BIO_s_file.pod b/deps/openssl/openssl/doc/man3/BIO_s_file.pod
index c2beb7f924d4f8..60e68dba1c3d0a 100644
--- a/deps/openssl/openssl/doc/man3/BIO_s_file.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_s_file.pod
@@ -87,16 +87,15 @@ BIO_s_file() returns the file BIO method. BIO_new_file() and BIO_new_fp() return a file BIO or NULL if an error occurred.
-BIO_set_fp() and BIO_get_fp() return 1 for success or 0 for failure
+BIO_set_fp() and BIO_get_fp() return 1 for success or <=0 for failure
 (although the current implementation never return 0).
-BIO_seek() returns the same value as the underlying fseek() function:
-0 for success or -1 for failure.
+BIO_seek() returns 0 for success or negative values for failure.
-BIO_tell() returns the current file position.
+BIO_tell() returns the current file position or negative values for failure.
 BIO_read_filename(), BIO_write_filename(), BIO_append_filename() and
-BIO_rw_filename() return 1 for success or 0 for failure.
+BIO_rw_filename() return 1 for success or <=0 for failure.
 =head1 EXAMPLES
@@ -114,7 +113,7 @@ Alternative technique: bio_out = BIO_new(BIO_s_file()); if (bio_out == NULL) /* Error */
- if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE))
+ if (BIO_set_fp(bio_out, stdout, BIO_NOCLOSE) <= 0)
 /* Error */ BIO_printf(bio_out, "Hello World\n");
@@ -135,7 +134,7 @@ Alternative technique: out = BIO_new(BIO_s_file()); if (out == NULL) /* Error */
- if (!BIO_write_filename(out, "filename.txt"))
+ if (BIO_write_filename(out, "filename.txt") <= 0)
 /* Error */ BIO_printf(out, "Hello World\n"); BIO_free(out);
@@ -158,7 +157,7 @@ L, L =head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BIO_set_callback.pod b/deps/openssl/openssl/doc/man3/BIO_set_callback.pod
index dac94bfea3863f..b98c0929cb1660 100644
--- a/deps/openssl/openssl/doc/man3/BIO_set_callback.pod
+++ b/deps/openssl/openssl/doc/man3/BIO_set_callback.pod
@@ -24,14 +24,14 @@ BIO_debug_callback_ex, BIO_callback_fn_ex, BIO_callback_fn long BIO_debug_callback_ex(BIO *bio, int oper, const char *argp, size_t len, int argi, long argl, int ret, size_t *processed);
- Deprecated since OpenSSL 3.0, can be hidden entirely by defining
- OPENSSL_API_COMPAT with a suitable version value, see
- openssl_user_macros(7):
+The following functions have been deprecated since OpenSSL 3.0, and can be
+hidden entirely by defining B with a suitable version value,
+see L:
 typedef long (*BIO_callback_fn)(BIO *b, int oper, const char *argp, int argi, long argl, long ret); void BIO_set_callback(BIO *b, BIO_callback_fn cb);
- BIO_callback_fn BIO_get_callback(BIO *b);
+ BIO_callback_fn BIO_get_callback(const BIO *b);
 long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret);
diff --git a/deps/openssl/openssl/doc/man3/BN_BLINDING_new.pod b/deps/openssl/openssl/doc/man3/BN_BLINDING_new.pod
index 25d3c642a0e219..210fad709c0b92 100644
--- a/deps/openssl/openssl/doc/man3/BN_BLINDING_new.pod
+++ b/deps/openssl/openssl/doc/man3/BN_BLINDING_new.pod
@@ -26,8 +26,8 @@ BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM functi void BN_BLINDING_set_current_thread(BN_BLINDING *b); int BN_BLINDING_lock(BN_BLINDING *b); int BN_BLINDING_unlock(BN_BLINDING *b);
- unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
- void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+ unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b);
+ void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags);
 BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, int (*bn_mod_exp)(BIGNUM *r,
@@ -116,7 +116,7 @@ deprecates BN_BLINDING_set_thread_id() and BN_BLINDING_get_thread_id(). =head1 COPYRIGHT
-Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BN_bn2bin.pod b/deps/openssl/openssl/doc/man3/BN_bn2bin.pod
index d50107409bc3b1..92cb7d74f1015d 100644
--- a/deps/openssl/openssl/doc/man3/BN_bn2bin.pod
+++ b/deps/openssl/openssl/doc/man3/BN_bn2bin.pod
@@ -91,10 +91,10 @@ if B is NULL. BN_bn2bin() returns the length of the big-endian number placed at B. BN_bin2bn() returns the B, NULL on error.
-BN_bn2binpad() returns the number of bytes written or -1 if the supplied
+BN_bn2binpad(), BN_bn2lebinpad(), and BN_bn2nativepad() return the number of bytes written or -1 if the supplied
 buffer is too small.
-BN_bn2hex() and BN_bn2dec() return a null-terminated string, or NULL
+BN_bn2hex() and BN_bn2dec() return a NUL-terminated string, or NULL
 on error. BN_hex2bn() and BN_dec2bn() return the number of characters used in parsing, or 0 on error, in which case no new B will be created.
@@ -114,7 +114,7 @@ L =head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BN_generate_prime.pod b/deps/openssl/openssl/doc/man3/BN_generate_prime.pod
index ef797e5971a889..b536bcb3b781ca 100644
--- a/deps/openssl/openssl/doc/man3/BN_generate_prime.pod
+++ b/deps/openssl/openssl/doc/man3/BN_generate_prime.pod
@@ -34,9 +34,9 @@ BN_is_prime, BN_is_prime_fasttest - generate primes and test for primality void *BN_GENCB_get_arg(BN_GENCB *cb);
-Deprecated since OpenSSL 0.9.8, can be hidden entirely by defining
-B with a suitable version value, see
-L:
+The following functions have been deprecated since OpenSSL 0.9.8, and can be
+hidden entirely by defining B with a suitable version value,
+see L:
 BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *),
@@ -49,7 +49,9 @@ L: void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg, int do_trial_division);
-Deprecated since OpenSSL 3.0:
+The following functions have been deprecated since OpenSSL 3.0, and can be
+hidden entirely by defining B with a suitable version value,
+see L:
 int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
diff --git a/deps/openssl/openssl/doc/man3/BN_mod_mul_reciprocal.pod b/deps/openssl/openssl/doc/man3/BN_mod_mul_reciprocal.pod
index dd3b0ee8080417..28d5f1131d730e 100644
--- a/deps/openssl/openssl/doc/man3/BN_mod_mul_reciprocal.pod
+++ b/deps/openssl/openssl/doc/man3/BN_mod_mul_reciprocal.pod
@@ -15,10 +15,10 @@ reciprocal int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
- int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *a, BN_RECP_CTX *recp,
+ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, BN_RECP_CTX *recp,
 BN_CTX *ctx);
- int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+ int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
 BN_RECP_CTX *recp, BN_CTX *ctx); =head1 DESCRIPTION
@@ -66,7 +66,7 @@ BN_RECP_CTX_init() was removed in OpenSSL 1.1.0 =head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/BN_rand.pod b/deps/openssl/openssl/doc/man3/BN_rand.pod
index 06ee99d28ed6e4..aebad1e72eb2c2 100644
--- a/deps/openssl/openssl/doc/man3/BN_rand.pod
+++ b/deps/openssl/openssl/doc/man3/BN_rand.pod
@@ -19,20 +19,20 @@ BN_pseudo_rand_range unsigned int strength, BN_CTX *ctx); int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom);
- int BN_rand_range_ex(BIGNUM *rnd, BIGNUM *range, unsigned int strength,
+ int BN_rand_range_ex(BIGNUM *rnd, const BIGNUM *range, unsigned int strength,
 BN_CTX *ctx);
- int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
+ int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
- int BN_priv_rand_range_ex(BIGNUM *rnd, BIGNUM *range, unsigned int strength,
+ int BN_priv_rand_range_ex(BIGNUM *rnd, const BIGNUM *range, unsigned int strength,
 BN_CTX *ctx);
- int BN_priv_rand_range(BIGNUM *rnd, BIGNUM *range);
+ int BN_priv_rand_range(BIGNUM *rnd, const BIGNUM *range);
-Deprecated since OpenSSL 3.0, can be hidden entirely by defining
-OPENSSL_API_COMPAT with a suitable version value, see
-openssl_user_macros(7):
+The following functions have been deprecated since OpenSSL 3.0, and can be
+hidden entirely by defining B with a suitable version value,
+see L:
 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
- int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
+ int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
 =head1 DESCRIPTION
@@ -53,7 +53,7 @@ the number will be set to 1, so that the product of two such random numbers will always have 2*I length. If I is B, the number will be odd; if it is B it can be odd or even.
-If I is 1 then I cannot also be B.
+If I is 1 then I cannot also be B.
 BN_rand() is the same as BN_rand_ex() except that the default library context is always used.
diff --git a/deps/openssl/openssl/doc/man3/CMS_add1_recipient_cert.pod b/deps/openssl/openssl/doc/man3/CMS_add1_recipient_cert.pod
index 34d1e0ee3651dd..e1fc34303be025 100644
--- a/deps/openssl/openssl/doc/man3/CMS_add1_recipient_cert.pod
+++ b/deps/openssl/openssl/doc/man3/CMS_add1_recipient_cert.pod
@@ -9,7 +9,7 @@ CMS_add1_recipient, CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipi #include CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
- EVP_PKEY *originatorPrivKey,
+ EVP_PKEY *originatorPrivKey,
 X509 *originator, unsigned int flags); CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
@@ -76,7 +76,7 @@ OpenSSL 3.0. =head1 COPYRIGHT
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/CMS_get0_RecipientInfos.pod b/deps/openssl/openssl/doc/man3/CMS_get0_RecipientInfos.pod
index c6354381fc2305..8f4593538d1904 100644
--- a/deps/openssl/openssl/doc/man3/CMS_get0_RecipientInfos.pod
+++ b/deps/openssl/openssl/doc/man3/CMS_get0_RecipientInfos.pod
@@ -140,12 +140,12 @@ L, L =head1 HISTORY
-B and B
+B and B
 were added in OpenSSL 3.0. =head1 COPYRIGHT
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/deps/openssl/openssl/doc/man3/CMS_verify.pod b/deps/openssl/openssl/doc/man3/CMS_verify.pod
index 33130bc9f27104..6c9595e51ee158 100644
--- a/deps/openssl/openssl/doc/man3/CMS_verify.pod
+++ b/deps/openssl/openssl/doc/man3/CMS_verify.pod
@@ -71,7 +71,7 @@ verified, unless CMS_CADES flag is also set. If B is set the signed attributes signature is not verified, unless CMS_CADES flag is also set. -If B is set, each signer certificate is checked against the +If B is set, each signer certificate is checked against the ESS signingCertificate or ESS signingCertificateV2 extension that is required in the signed attributes of the signature. diff --git a/deps/openssl/openssl/doc/man3/CONF_modules_free.pod b/deps/openssl/openssl/doc/man3/CONF_modules_free.pod index f47637f62b0a1e..81b10ebc3bbea2 100644 --- a/deps/openssl/openssl/doc/man3/CONF_modules_free.pod +++ b/deps/openssl/openssl/doc/man3/CONF_modules_free.pod @@ -12,9 +12,9 @@ OpenSSL configuration cleanup functions void CONF_modules_finish(void); void CONF_modules_unload(int all); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void CONF_modules_free(void); @@ -48,7 +48,7 @@ For more information see L. =head1 COPYRIGHT -Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/CRYPTO_get_ex_new_index.pod b/deps/openssl/openssl/doc/man3/CRYPTO_get_ex_new_index.pod index 7a8ebdf1d99df8..d2b44fd694319e 100644 --- a/deps/openssl/openssl/doc/man3/CRYPTO_get_ex_new_index.pod +++ b/deps/openssl/openssl/doc/man3/CRYPTO_get_ex_new_index.pod 
@@ -32,7 +32,7 @@ CRYPTO_free_ex_data, CRYPTO_new_ex_data int CRYPTO_set_ex_data(CRYPTO_EX_DATA *r, int idx, void *arg); - void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *r, int idx); + void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *r, int idx); void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *r); @@ -152,7 +152,7 @@ will fail. CRYPTO_get_ex_new_index() returns a new index or -1 on failure. CRYPTO_free_ex_index(), CRYPTO_alloc_ex_data() and CRYPTO_set_ex_data() -return 1 on success or 0 on failure. +return 1 on success or 0 on failure. CRYPTO_get_ex_data() returns the application data or NULL on failure; note that NULL may be a valid value. diff --git a/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod b/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod index d7152466f4d3b4..ec9eda81c6f83c 100644 --- a/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod +++ b/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod @@ -178,7 +178,10 @@ where a comparison function has been specified, I is sorted and B_find>() returns the index of a matching element or B<-1> if there is no match. Note that, in this case the comparison function will usually compare the values pointed to rather than the pointers themselves and -the order of elements in I can change. +the order of elements in I can change. Note that because the stack may be +sorted as the result of a B_find>() call, if a lock is being used to +synchronise access to the stack across multiple threads, then that lock must be +a "write" lock. B_find_ex>() operates like B_find>() except when a comparison function has been specified and no matching element is found. diff --git a/deps/openssl/openssl/doc/man3/DES_random_key.pod b/deps/openssl/openssl/doc/man3/DES_random_key.pod index 775611a8edb7d6..0887453f27a291 100644 --- a/deps/openssl/openssl/doc/man3/DES_random_key.pod +++ b/deps/openssl/openssl/doc/man3/DES_random_key.pod 
@@ -16,9 +16,9 @@ DES_fcrypt, DES_crypt - DES encryption #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void DES_random_key(DES_cblock *ret); @@ -320,7 +320,7 @@ on some platforms. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DH_generate_key.pod b/deps/openssl/openssl/doc/man3/DH_generate_key.pod index 722dea65bd0c2c..2b14f2ad276226 100644 --- a/deps/openssl/openssl/doc/man3/DH_generate_key.pod +++ b/deps/openssl/openssl/doc/man3/DH_generate_key.pod @@ -9,9 +9,9 @@ Diffie-Hellman key exchange #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DH_generate_key(DH *dh); diff --git a/deps/openssl/openssl/doc/man3/DH_generate_parameters.pod b/deps/openssl/openssl/doc/man3/DH_generate_parameters.pod index ff548ee0f0e685..1098a161ea63f2 100644 --- a/deps/openssl/openssl/doc/man3/DH_generate_parameters.pod +++ b/deps/openssl/openssl/doc/man3/DH_generate_parameters.pod @@ -12,9 +12,9 @@ parameters #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb); 
@@ -25,9 +25,9 @@ L: int DH_check_params_ex(const DH *dh); int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key); -Deprecated since OpenSSL 0.9.8, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 0.9.8, and can be +hidden entirely by defining B with a suitable version value, +see L: DH *DH_generate_parameters(int prime_len, int generator, void (*callback)(int, int, void *), void *cb_arg); @@ -160,7 +160,7 @@ DH_generate_parameters_ex() instead. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DH_get0_pqg.pod b/deps/openssl/openssl/doc/man3/DH_get0_pqg.pod index 5de7bae219f5c7..2afc35c77f865d 100644 --- a/deps/openssl/openssl/doc/man3/DH_get0_pqg.pod +++ b/deps/openssl/openssl/doc/man3/DH_get0_pqg.pod @@ -12,9 +12,9 @@ DH_get_length, DH_set_length - Routines for getting and setting data in a DH obj #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); diff --git a/deps/openssl/openssl/doc/man3/DH_get_1024_160.pod b/deps/openssl/openssl/doc/man3/DH_get_1024_160.pod index f4465930d1f899..af2fc8c205c652 100644 --- a/deps/openssl/openssl/doc/man3/DH_get_1024_160.pod +++ b/deps/openssl/openssl/doc/man3/DH_get_1024_160.pod 
@@ -39,9 +39,9 @@ BN_get_rfc3526_prime_8192 BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn); BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: #include diff --git a/deps/openssl/openssl/doc/man3/DH_meth_new.pod b/deps/openssl/openssl/doc/man3/DH_meth_new.pod index 48396e3bce1e7b..43827f55ef8c37 100644 --- a/deps/openssl/openssl/doc/man3/DH_meth_new.pod +++ b/deps/openssl/openssl/doc/man3/DH_meth_new.pod @@ -14,9 +14,9 @@ DH_meth_set_generate_params - Routines to build up DH methods #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: DH_METHOD *DH_meth_new(const char *name, int flags); @@ -166,7 +166,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DH_new_by_nid.pod b/deps/openssl/openssl/doc/man3/DH_new_by_nid.pod index 163be09fedcb6e..d5ad0ff6ce9322 100644 --- a/deps/openssl/openssl/doc/man3/DH_new_by_nid.pod +++ b/deps/openssl/openssl/doc/man3/DH_new_by_nid.pod 
@@ -9,9 +9,9 @@ DH_new_by_nid, DH_get_nid - create or get DH named parameters #include DH *DH_new_by_nid(int nid); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DH_get_nid(const DH *dh); @@ -41,7 +41,7 @@ The DH_get_nid() function was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DH_set_method.pod b/deps/openssl/openssl/doc/man3/DH_set_method.pod index 4782a766d45d0d..88dffab26c0c31 100644 --- a/deps/openssl/openssl/doc/man3/DH_set_method.pod +++ b/deps/openssl/openssl/doc/man3/DH_set_method.pod @@ -9,9 +9,9 @@ DH_set_method, DH_new_method, DH_OpenSSL - select DH method #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void DH_set_default_method(const DH_METHOD *meth); @@ -89,7 +89,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DH_size.pod b/deps/openssl/openssl/doc/man3/DH_size.pod index 75cdc9744c9163..81b73a8c66478f 100644 --- a/deps/openssl/openssl/doc/man3/DH_size.pod 
+++ b/deps/openssl/openssl/doc/man3/DH_size.pod @@ -9,9 +9,9 @@ security bits #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DH_bits(const DH *dh); diff --git a/deps/openssl/openssl/doc/man3/DSA_do_sign.pod b/deps/openssl/openssl/doc/man3/DSA_do_sign.pod index 24d2d60b8e047a..756843b5776116 100644 --- a/deps/openssl/openssl/doc/man3/DSA_do_sign.pod +++ b/deps/openssl/openssl/doc/man3/DSA_do_sign.pod @@ -8,9 +8,9 @@ DSA_do_sign, DSA_do_verify - raw DSA signature operations #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); diff --git a/deps/openssl/openssl/doc/man3/DSA_dup_DH.pod b/deps/openssl/openssl/doc/man3/DSA_dup_DH.pod index 8beab95a7b6f66..b2a1529ac867c4 100644 --- a/deps/openssl/openssl/doc/man3/DSA_dup_DH.pod +++ b/deps/openssl/openssl/doc/man3/DSA_dup_DH.pod @@ -8,9 +8,9 @@ DSA_dup_DH - create a DH structure out of DSA structure #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: DH *DSA_dup_DH(const DSA *r); 
@@ -43,7 +43,7 @@ This function was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DSA_generate_key.pod b/deps/openssl/openssl/doc/man3/DSA_generate_key.pod index 65cc29dddaf7fd..c8f123be009c8d 100644 --- a/deps/openssl/openssl/doc/man3/DSA_generate_key.pod +++ b/deps/openssl/openssl/doc/man3/DSA_generate_key.pod @@ -8,9 +8,9 @@ DSA_generate_key - generate DSA key pair #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DSA_generate_key(DSA *a); diff --git a/deps/openssl/openssl/doc/man3/DSA_generate_parameters.pod b/deps/openssl/openssl/doc/man3/DSA_generate_parameters.pod index f0b94542ae019b..415c4c8b82ce74 100644 --- a/deps/openssl/openssl/doc/man3/DSA_generate_parameters.pod +++ b/deps/openssl/openssl/doc/man3/DSA_generate_parameters.pod 
@@ -8,18 +8,18 @@ DSA_generate_parameters_ex, DSA_generate_parameters - generate DSA parameters #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed, int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -Deprecated since OpenSSL 0.9.8, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 0.9.8, and can be +hidden entirely by defining B with a suitable version value, +see L: DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, int *counter_ret, unsigned long *h_ret, diff --git a/deps/openssl/openssl/doc/man3/DSA_get0_pqg.pod b/deps/openssl/openssl/doc/man3/DSA_get0_pqg.pod index 3542a771e9e8fa..7b2f132a99b2c1 100644 --- a/deps/openssl/openssl/doc/man3/DSA_get0_pqg.pod +++ b/deps/openssl/openssl/doc/man3/DSA_get0_pqg.pod @@ -13,9 +13,9 @@ setting data in a DSA object #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); @@ -113,7 +113,7 @@ OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/deps/openssl/openssl/doc/man3/DSA_meth_new.pod b/deps/openssl/openssl/doc/man3/DSA_meth_new.pod index 1e23c0e6942bdf..c00747cfc44865 100644 --- a/deps/openssl/openssl/doc/man3/DSA_meth_new.pod +++ b/deps/openssl/openssl/doc/man3/DSA_meth_new.pod @@ -16,9 +16,9 @@ DSA_meth_set_keygen - Routines to build up DSA methods #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: DSA_METHOD *DSA_meth_new(const char *name, int flags); @@ -214,7 +214,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DSA_new.pod b/deps/openssl/openssl/doc/man3/DSA_new.pod index 0993071d189e48..60b3d50dfa013f 100644 --- a/deps/openssl/openssl/doc/man3/DSA_new.pod +++ b/deps/openssl/openssl/doc/man3/DSA_new.pod @@ -8,9 +8,9 @@ DSA_new, DSA_free - allocate and free DSA objects #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: DSA* DSA_new(void); @@ -50,7 +50,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/deps/openssl/openssl/doc/man3/DSA_set_method.pod b/deps/openssl/openssl/doc/man3/DSA_set_method.pod index 0d5a0ff1c5bf7e..6275859b2c54ce 100644 --- a/deps/openssl/openssl/doc/man3/DSA_set_method.pod +++ b/deps/openssl/openssl/doc/man3/DSA_set_method.pod @@ -9,9 +9,9 @@ DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void DSA_set_default_method(const DSA_METHOD *meth); @@ -21,7 +21,7 @@ L: DSA *DSA_new_method(ENGINE *engine); - DSA_METHOD *DSA_OpenSSL(void); + const DSA_METHOD *DSA_OpenSSL(void); =head1 DESCRIPTION diff --git a/deps/openssl/openssl/doc/man3/DSA_sign.pod b/deps/openssl/openssl/doc/man3/DSA_sign.pod index 2687f99650d772..ad5f108c90960b 100644 --- a/deps/openssl/openssl/doc/man3/DSA_sign.pod +++ b/deps/openssl/openssl/doc/man3/DSA_sign.pod @@ -8,9 +8,9 @@ DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DSA_sign(int type, const unsigned char *dgst, int len, unsigned char *sigret, unsigned int *siglen, DSA *dsa); diff --git a/deps/openssl/openssl/doc/man3/DSA_size.pod b/deps/openssl/openssl/doc/man3/DSA_size.pod index 60837bad74337c..57fc4a63eee933 100644 --- a/deps/openssl/openssl/doc/man3/DSA_size.pod +++ b/deps/openssl/openssl/doc/man3/DSA_size.pod 
@@ -8,9 +8,9 @@ DSA_size, DSA_bits, DSA_security_bits - get DSA signature size, key bits or secu #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DSA_bits(const DSA *dsa); diff --git a/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod b/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod index 584f11b32edf05..12f0d4af8db0cf 100644 --- a/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod +++ b/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod @@ -19,9 +19,9 @@ functions const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig); int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int ECDSA_size(const EC_KEY *eckey); diff --git a/deps/openssl/openssl/doc/man3/ECPKParameters_print.pod b/deps/openssl/openssl/doc/man3/ECPKParameters_print.pod index 5b2c31917f546e..70e435b090967b 100644 --- a/deps/openssl/openssl/doc/man3/ECPKParameters_print.pod +++ b/deps/openssl/openssl/doc/man3/ECPKParameters_print.pod @@ -9,9 +9,9 @@ encoding ASN1 representations of elliptic curve entities #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); 
diff --git a/deps/openssl/openssl/doc/man3/EC_GFp_simple_method.pod b/deps/openssl/openssl/doc/man3/EC_GFp_simple_method.pod index eec721edb55b45..8c4acd28e0b0ee 100644 --- a/deps/openssl/openssl/doc/man3/EC_GFp_simple_method.pod +++ b/deps/openssl/openssl/doc/man3/EC_GFp_simple_method.pod @@ -8,7 +8,9 @@ EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_me #include -Deprecated since OpenSSL 3.0: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: const EC_METHOD *EC_GFp_simple_method(void); const EC_METHOD *EC_GFp_mont_method(void); @@ -71,7 +73,7 @@ were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod b/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod index c74e70edf59e2f..3702f7368cef3d 100644 --- a/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod +++ b/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod @@ -64,7 +64,9 @@ EC_GROUP_get_field_type int EC_GROUP_get_field_type(const EC_GROUP *group); -Deprecated since OpenSSL 3.0: +The following function has been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group); diff --git a/deps/openssl/openssl/doc/man3/EC_GROUP_new.pod b/deps/openssl/openssl/doc/man3/EC_GROUP_new.pod index f45c5ac8d2b597..b6d67b61764222 100644 --- a/deps/openssl/openssl/doc/man3/EC_GROUP_new.pod +++ b/deps/openssl/openssl/doc/man3/EC_GROUP_new.pod 
@@ -55,9 +55,9 @@ Functions for creating and destroying EC_GROUP objects size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems); const char *OSSL_EC_curve_nid2name(int nid); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: EC_GROUP *EC_GROUP_new(const EC_METHOD *meth); void EC_GROUP_clear_free(EC_GROUP *group); diff --git a/deps/openssl/openssl/doc/man3/EC_KEY_new.pod b/deps/openssl/openssl/doc/man3/EC_KEY_new.pod index a816a0745da242..ce5f5e491f73cb 100644 --- a/deps/openssl/openssl/doc/man3/EC_KEY_new.pod +++ b/deps/openssl/openssl/doc/man3/EC_KEY_new.pod @@ -23,9 +23,9 @@ EC_KEY objects EVP_PKEY *EVP_EC_gen(const char *curve); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq); EC_KEY *EC_KEY_new(void); diff --git a/deps/openssl/openssl/doc/man3/EC_POINT_add.pod b/deps/openssl/openssl/doc/man3/EC_POINT_add.pod index b276be46ed9434..97bd34c3932e39 100644 --- a/deps/openssl/openssl/doc/man3/EC_POINT_add.pod +++ b/deps/openssl/openssl/doc/man3/EC_POINT_add.pod @@ -18,7 +18,9 @@ EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_i int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx); -Deprecated since OpenSSL 3.0: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx); int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, 
@@ -88,7 +90,7 @@ were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EC_POINT_new.pod b/deps/openssl/openssl/doc/man3/EC_POINT_new.pod index fb247507e5cbef..f92cc2c8e22929 100644 --- a/deps/openssl/openssl/doc/man3/EC_POINT_new.pod +++ b/deps/openssl/openssl/doc/man3/EC_POINT_new.pod @@ -60,7 +60,9 @@ EC_POINT_hex2point EC_POINT *EC_POINT_hex2point(const EC_GROUP *group, const char *hex, EC_POINT *p, BN_CTX *ctx); -Deprecated since OpenSSL 3.0: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: const EC_METHOD *EC_POINT_method_of(const EC_POINT *point); int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, @@ -267,7 +269,7 @@ added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ENGINE_add.pod b/deps/openssl/openssl/doc/man3/ENGINE_add.pod index c9279e871fc247..55e5d76fcdb8c0 100644 --- a/deps/openssl/openssl/doc/man3/ENGINE_add.pod +++ b/deps/openssl/openssl/doc/man3/ENGINE_add.pod 
@@ -46,9 +46,9 @@ ENGINE_unregister_digests #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: ENGINE *ENGINE_get_first(void); ENGINE *ENGINE_get_last(void); @@ -158,9 +158,9 @@ L: EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void ENGINE_cleanup(void); @@ -604,8 +604,7 @@ B implementations. All ENGINE_register_TYPE() functions return 1 on success or 0 on error. -ENGINE_register_complete() and ENGINE_register_all_complete() return 1 on success -or 0 on error. +ENGINE_register_complete() and ENGINE_register_all_complete() always return 1. ENGINE_ctrl() returns a positive value on success or others on error. @@ -616,7 +615,7 @@ ENGINE_ctrl_cmd() and ENGINE_ctrl_cmd_string() return 1 on success or 0 on error ENGINE_new() returns a valid B structure on success or NULL if an error occurred. -ENGINE_free() returns 1 on success or 0 on error. +ENGINE_free() always returns 1. ENGINE_up_ref() returns 1 on success or 0 on error. diff --git a/deps/openssl/openssl/doc/man3/ERR_get_error.pod b/deps/openssl/openssl/doc/man3/ERR_get_error.pod index 4e33378cf37ec2..6518458907d9a0 100644 --- a/deps/openssl/openssl/doc/man3/ERR_get_error.pod +++ b/deps/openssl/openssl/doc/man3/ERR_get_error.pod 
@@ -37,7 +37,9 @@ ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data const char *func, const char **data, int *flags); -Deprecated since OpenSSL 3.0: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: unsigned long ERR_get_error_line(const char **file, int *line); unsigned long ERR_get_error_line_data(const char **file, int *line, @@ -78,14 +80,14 @@ is valid until the respective entry is overwritten in the error queue. ERR_peek_error_line() and ERR_peek_last_error_line() are the same as ERR_peek_error() and ERR_peek_last_error(), but on success they additionally store the filename and line number where the error occurred in *I and -*I, as far as they are not NULL. +*I, as far as they are not NULL. An unset filename is indicated as "", i.e., an empty string. An unset line number is indicated as 0. ERR_peek_error_func() and ERR_peek_last_error_func() are the same as ERR_peek_error() and ERR_peek_last_error(), but on success they additionally store the name of the function where the error occurred in *I, unless -it is NULL. +it is NULL. An unset function name is indicated as "". ERR_peek_error_data() and ERR_peek_last_error_data() are the same as @@ -130,7 +132,7 @@ and ERR_peek_last_error_line_data() became deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ERR_load_crypto_strings.pod b/deps/openssl/openssl/doc/man3/ERR_load_crypto_strings.pod index ef29aa0b754f0c..ef871896494c2e 100644 --- a/deps/openssl/openssl/doc/man3/ERR_load_crypto_strings.pod +++ b/deps/openssl/openssl/doc/man3/ERR_load_crypto_strings.pod 
@@ -7,9 +7,9 @@ load and free error strings =head1 SYNOPSIS -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: #include @@ -46,7 +46,7 @@ OPENSSL_init_crypto() and OPENSSL_init_ssl() and should not be used. =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ERR_load_strings.pod b/deps/openssl/openssl/doc/man3/ERR_load_strings.pod index 56d31e6611fd6a..f291644bb36196 100644 --- a/deps/openssl/openssl/doc/man3/ERR_load_strings.pod +++ b/deps/openssl/openssl/doc/man3/ERR_load_strings.pod @@ -9,7 +9,7 @@ arbitrary error strings #include - void ERR_load_strings(int lib, ERR_STRING_DATA str[]); + int ERR_load_strings(int lib, ERR_STRING_DATA *str); int ERR_get_next_error_library(void); @@ -38,7 +38,7 @@ to user libraries at run time. =head1 RETURN VALUES -ERR_load_strings() returns no value. ERR_PACK() return the error code. +ERR_load_strings() returns 1 for success and 0 for failure. ERR_PACK() returns the error code. ERR_get_next_error_library() returns zero on failure, otherwise a new library number. @@ -48,7 +48,7 @@ L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ERR_put_error.pod b/deps/openssl/openssl/doc/man3/ERR_put_error.pod index a4e0cd6bec5c5d..1078c31b636a2a 100644 
--- a/deps/openssl/openssl/doc/man3/ERR_put_error.pod +++ b/deps/openssl/openssl/doc/man3/ERR_put_error.pod @@ -21,7 +21,9 @@ ERR_add_error_txt, ERR_add_error_mem_bio void ERR_add_error_txt(const char *sep, const char *txt); void ERR_add_error_mem_bio(const char *sep, BIO *bio); -Deprecated since OpenSSL 3.0: +The following function has been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void ERR_put_error(int lib, int func, int reason, const char *file, int line); @@ -35,7 +37,7 @@ record. ERR_raise_data() does the same thing as ERR_raise(), but also lets the caller specify additional information as a format string B and an -arbitrary number of values, which are processed with L. +arbitrary number of values, which are processed with L. ERR_put_error() adds an error code to the thread's error queue. It signals that the error of reason code B occurred in function @@ -177,7 +179,7 @@ were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ERR_remove_state.pod b/deps/openssl/openssl/doc/man3/ERR_remove_state.pod index a4e36de3770cc3..f5f6ffbb49bb58 100644 --- a/deps/openssl/openssl/doc/man3/ERR_remove_state.pod +++ b/deps/openssl/openssl/doc/man3/ERR_remove_state.pod 
@@ -6,15 +6,15 @@ ERR_remove_thread_state, ERR_remove_state - DEPRECATED =head1 SYNOPSIS -Deprecated since OpenSSL 1.0.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.0.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void ERR_remove_state(unsigned long tid); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void ERR_remove_thread_state(void *tid); @@ -41,7 +41,7 @@ and should not be used. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod b/deps/openssl/openssl/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod index f5021b87286b4e..393930cf388e93 100644 --- a/deps/openssl/openssl/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod +++ b/deps/openssl/openssl/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod 
@@ -13,9 +13,9 @@ EVP_CIPHER_CTX_iv_noconst - Routines to inspect EVP_CIPHER_CTX IV data int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx); diff --git a/deps/openssl/openssl/doc/man3/EVP_CIPHER_meth_new.pod b/deps/openssl/openssl/doc/man3/EVP_CIPHER_meth_new.pod index dd73ee693ce694..8b862d9d99c815 100644 --- a/deps/openssl/openssl/doc/man3/EVP_CIPHER_meth_new.pod +++ b/deps/openssl/openssl/doc/man3/EVP_CIPHER_meth_new.pod @@ -17,9 +17,9 @@ EVP_CIPHER_meth_get_ctrl #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len); EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher); @@ -249,7 +249,7 @@ counted in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod index 75d8e63e24bbfe..5b9d75b7040470 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod 
@@ -117,9 +117,9 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data #define EVP_MD_CTX_pkey_ctx EVP_MD_CTX_get_pkey_ctx #define EVP_MD_CTX_md_data EVP_MD_CTX_get0_md_data -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); @@ -420,6 +420,24 @@ EVP_get_digestbyobj() Returns an B structure when passed a digest name, a digest B or an B structure respectively. +The EVP_get_digestbyname() function is present for backwards compatibility with +OpenSSL prior to version 3 and is different to the EVP_MD_fetch() function +since it does not attempt to "fetch" an implementation of the cipher. +Additionally, it only knows about digests that are built-in to OpenSSL and have +an associated NID. Similarly EVP_get_digestbynid() and EVP_get_digestbyobj() +also return objects without an associated implementation. + +When the digest objects returned by these functions are used (such as in a call +to EVP_DigestInit_ex()) an implementation of the digest will be implicitly +fetched from the loaded providers. This fetch could fail if no suitable +implementation is available. Use EVP_MD_fetch() instead to explicitly fetch +the algorithm and an associated implementation from a provider. + +See L for more information about fetching. + +The digest objects returned from these functions do not need to be freed with +EVP_MD_free(). + =item EVP_MD_CTX_get_pkey_ctx() Returns the B assigned to I. The returned pointer should not diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod index 87480144654c53..228e9d1c5f806e 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod 
@@ -130,7 +130,11 @@ written to I. EVP_DigestSign() signs I bytes of data at I and places the signature in I and its length in I in a similar way to -EVP_DigestSignFinal(). +EVP_DigestSignFinal(). In the event of a failure EVP_DigestSign() cannot be +called again without reinitialising the EVP_MD_CTX. If I is NULL before the +call then I will be populated with the required size for the I +buffer. If I is non-NULL before the call then I should contain the +length of the I buffer. =head1 RETURN VALUES @@ -163,9 +167,10 @@ The call to EVP_DigestSignFinal() internally finalizes a copy of the digest context. This means that calls to EVP_DigestSignUpdate() and EVP_DigestSignFinal() can be called later to digest and sign additional data. -Since only a copy of the digest context is ever finalized, the context must -be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak -will occur. +EVP_DigestSignInit() and EVP_DigestSignInit_ex() functions can be called +multiple times on a context and the parameters set by previous calls should be +preserved if the I parameter is NULL. The call then just resets the state +of the I. The use of EVP_PKEY_get_size() with these functions is discouraged because some signature operations may have a signature length which depends on the diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod index 9a02f12e37546d..398146b5b8eda5 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod @@ -57,7 +57,7 @@ EVP_MD_CTX is freed). If the EVP_PKEY_CTX to be used is created by EVP_DigestVerifyInit_ex then it will use the B specified in I and the property query string specified in I. -No B will be created by EVP_DigestSignInit_ex() if the +No B will be created by EVP_DigestVerifyInit_ex() if the passed B has already been assigned one via L. See also L. 
@@ -156,9 +156,10 @@ The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can be called later to digest and verify additional data. -Since only a copy of the digest context is ever finalized, the context must -be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak -will occur. +EVP_DigestVerifyInit() and EVP_DigestVerifyInit_ex() functions can be called +multiple times on a context and the parameters set by previous calls should be +preserved if the I parameter is NULL. The call then just resets the state +of the I. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod b/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod index 62d9047dce781f..7f9c44b10765b9 100644 --- a/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod @@ -229,15 +229,15 @@ EVP_CIPHER_CTX_mode #define EVP_CIPHER_CTX_type EVP_CIPHER_CTX_get_type #define EVP_CIPHER_CTX_mode EVP_CIPHER_CTX_get_mode -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx); 
@@ -444,13 +444,30 @@ EVP_CipherFinal_ex() instead. =item EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() -Return an EVP_CIPHER structure when passed a cipher name, a NID or an -ASN1_OBJECT structure. +Returns an B structure when passed a cipher name, a cipher B or +an B structure respectively. EVP_get_cipherbyname() will return NULL for algorithms such as "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were previously only -accessible via low level interfaces. Use EVP_CIPHER_fetch() instead to retrieve -these algorithms from a provider. +accessible via low level interfaces. + +The EVP_get_cipherbyname() function is present for backwards compatibility with +OpenSSL prior to version 3 and is different to the EVP_CIPHER_fetch() function +since it does not attempt to "fetch" an implementation of the cipher. +Additionally, it only knows about ciphers that are built-in to OpenSSL and have +an associated NID. Similarly EVP_get_cipherbynid() and EVP_get_cipherbyobj() +also return objects without an associated implementation. + +When the cipher objects returned by these functions are used (such as in a call +to EVP_EncryptInit_ex()) an implementation of the cipher will be implicitly +fetched from the loaded providers. This fetch could fail if no suitable +implementation is available. Use EVP_CIPHER_fetch() instead to explicitly fetch +the algorithm and an associated implementation from a provider. + +See L for more information about fetching. + +The cipher objects returned from these functions do not need to be freed with +EVP_CIPHER_free(). =item EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid() 
@@ -1283,18 +1300,20 @@ B. =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag) -Sets the expected tag to C bytes from C. -The tag length can only be set before specifying an IV. +When decrypting, this call sets the expected tag to C bytes from C. C must be between 1 and 16 inclusive. +The tag must be set prior to any call to EVP_DecryptFinal() or +EVP_DecryptFinal_ex(). For GCM, this call is only valid when decrypting data. For OCB, this call is valid when decrypting data to set the expected tag, -and before encryption to set the desired tag length. +and when encrypting to set the desired tag length. -In OCB mode, calling this before encryption with C set to C sets the -tag length. If this is not called prior to encryption, a default tag length is -used. +In OCB mode, calling this when encrypting with C set to C sets the +tag length. The tag length can only be set before specifying an IV. If this is +not called prior to setting the IV during encryption, then a default tag length +is used. For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the maximum tag length for OCB. @@ -1330,7 +1349,7 @@ Sets the CCM B value. If not set a default is used (8 for AES). =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) -Sets the CCM nonce (IV) length. This call can only be made before specifying a +Sets the CCM nonce (IV) length. This call can only be made before specifying a nonce value. The nonce length is given by B<15 - L> so it is 7 by default for AES. diff --git a/deps/openssl/openssl/doc/man3/EVP_MD_meth_new.pod b/deps/openssl/openssl/doc/man3/EVP_MD_meth_new.pod index 70c353482417de..a553c378f3d7d8 100644 --- a/deps/openssl/openssl/doc/man3/EVP_MD_meth_new.pod +++ b/deps/openssl/openssl/doc/man3/EVP_MD_meth_new.pod 
@@ -18,9 +18,9 @@ EVP_MD_meth_get_ctrl #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: EVP_MD *EVP_MD_meth_new(int md_type, int pkey_type); void EVP_MD_meth_free(EVP_MD *md); diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_ctrl.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_ctrl.pod index 7c8db14cb6c401..3075eaafd677d9 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -116,7 +116,7 @@ EVP_PKEY_CTX_set_kem_op int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, size_t namelen); - int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char *label, + int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int len); int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); @@ -176,9 +176,9 @@ EVP_PKEY_CTX_set_kem_op int EVP_PKEY_CTX_get1_id(EVP_PKEY_CTX *ctx, void *id); int EVP_PKEY_CTX_get1_id_len(EVP_PKEY_CTX *ctx, size_t *id_len); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: #include 
@@ -356,8 +356,8 @@ EVP_MD object instead. Note that only known, built-in EVP_MD objects will be returned. The EVP_MD object may be NULL if the digest is not one of these (such as a digest only implemented in a third party provider). -EVP_PKEY_CTX_set0_rsa_oaep_label() sets the RSA OAEP label to -I and B for equality. -The function EVP_PKEY_eq() checks the public key components and parameters -(if present) of keys B and B for equality. +The function EVP_PKEY_eq() checks the keys B and B for equality, +including their parameters if they are available. =head1 NOTES 
@@ -47,14 +47,40 @@ EVP_PKEY_copy_parameters() is to handle public keys in certificates where the parameters are sometimes omitted from a public key if they are inherited from the CA that signed it. -Since OpenSSL private keys contain public key components too the function -EVP_PKEY_eq() can also be used to determine if a private key matches -a public key. - The deprecated functions EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters() differ in -their return values compared to other _cmp() functions. They are aliases for +their return values compared to other _cmp() functions. They are aliases for EVP_PKEY_eq() and EVP_PKEY_parameters_eq(). +The function EVP_PKEY_cmp() previously only checked the key parameters +(if there are any) and the public key, assuming that there always was +a public key and that private key equality could be derived from that. +Because it's no longer assumed that the private key in an L is +always accompanied by a public key, the comparison can not rely on public +key comparison alone. + +Instead, EVP_PKEY_eq() (and therefore also EVP_PKEY_cmp()) now compares: + +=over 4 + +=item 1. + +the key parameters (if there are any) + +=item 2. + +the public keys or the private keys of the two Bs, depending on +what they both contain. + +=back + +=begin comment + +Exactly what is compared is ultimately at the discretion of the provider +that holds the key, as they will compare what makes sense to them that fits +the selector bits they are passed. + +=end comment + =head1 RETURN VALUES The function EVP_PKEY_missing_parameters() returns 1 if the public key 
@@ -64,7 +90,7 @@ doesn't use parameters. These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for failure. -The functions EVP_PKEY_cmp_parameters(), EVP_PKEY_parameters_eq(), +The functions EVP_PKEY_cmp_parameters(), EVP_PKEY_parameters_eq(), EVP_PKEY_cmp() and EVP_PKEY_eq() return 1 if their inputs match, 0 if they don't match, -1 if the key types are different and -2 if the operation is not supported. diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_encapsulate.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_encapsulate.pod index 22b0aaed6fa865..9baf88d07beffc 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_encapsulate.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_encapsulate.pod @@ -75,7 +75,7 @@ Encapsulate an RSASVE key (for RSA keys). /* * The generated 'secret' can be used as key material. * The encapsulated 'out' can be sent to another party who can - * decapsulate it using their private key to retrieve the 'secret'. + * decapsulate it using their private key to retrieve the 'secret'. */ if (EVP_PKEY_encapsulate(ctx, out, &outlen, secret, &secretlen) <= 0) /* Error */ diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod index e574efa73a9530..9ff6ed6cae8643 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod @@ -2,7 +2,7 @@ =head1 NAME -EVP_PKEY_encrypt_init_ex, +EVP_PKEY_encrypt_init_ex, EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm =head1 SYNOPSIS diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod index 107ebf82a0f3ac..fdab94cd4f1bdc 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod 
@@ -80,7 +80,7 @@ public key and key parameters. These functions only work with key management methods coming from a provider. This is the mirror function to L. -=for comment We may choose to make this available for legacy methods too... +=for comment We may choose to make this available for legacy methods too... =head1 RETURN VALUES @@ -138,6 +138,7 @@ TODO Write a set of cookbook documents and link to them. #include #include + #include /* * Fixed data to represent the private and public key. @@ -160,12 +161,6 @@ TODO Write a set of cookbook documents and link to them. 0x8f, 0xb9, 0x33, 0x6e, 0xcf, 0x12, 0x16, 0x2f, 0x5c, 0xcd, 0x86, 0x71, 0xa8, 0xbf, 0x1a, 0x47 }; - const OSSL_PARAM params[] = { - OSSL_PARAM_utf8_string("group", "prime256v1", 10), - OSSL_PARAM_BN("priv", priv, sizeof(priv)), - OSSL_PARAM_BN("pub", pub, sizeof(pub)), - OSSL_PARAM_END - }; int main() { @@ -181,15 +176,15 @@ TODO Write a set of cookbook documents and link to them. param_bld = OSSL_PARAM_BLD_new(); if (priv != NULL && param_bld != NULL && OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", - "prime256v1", 0); - && OSSL_PARAM_BLD_push_BN(param_bld, "priv", priv); + "prime256v1", 0) + && OSSL_PARAM_BLD_push_BN(param_bld, "priv", priv) && OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", pub_data, sizeof(pub_data))) params = OSSL_PARAM_BLD_to_param(param_bld); ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); if (ctx == NULL - || params != NULL + || params == NULL || EVP_PKEY_fromdata_init(ctx) <= 0 || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { exitcode = 1; 
@@ -209,12 +204,13 @@ TODO Write a set of cookbook documents and link to them. =head2 Finding out params for an unknown key type #include + #include /* Program expects a key type as first argument */ int main(int argc, char *argv[]) { EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, argv[1], NULL); - const *OSSL_PARAM *settable_params = NULL; + const OSSL_PARAM *settable_params = NULL; if (ctx == NULL) exit(1); @@ -247,9 +243,9 @@ TODO Write a set of cookbook documents and link to them. } printf("%s : %s ", settable_params->key, datatype); if (settable_params->data_size == 0) - printf("(unlimited size)"); + printf("(unlimited size)\n"); else - printf("(maximum size %zu)", settable_params->data_size); + printf("(maximum size %zu)\n", settable_params->data_size); } } diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod index b28ed6993993ad..23ac4bd8b06793 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod @@ -52,11 +52,15 @@ buffer I of maximum size I associated with a name of I. The maximum size must be large enough to accomodate the string value including a terminating NUL byte, or this function will fail. If I is not NULL, I<*out_len> is set to the length of the string -not including the terminating NUL byte. +not including the terminating NUL byte. The required buffer size not including +the terminating NUL byte can be obtained from I<*out_len> by calling the +function with I set to NULL. EVP_PKEY_get_octet_string_param() get a key I's octet string value into a buffer I of maximum size I associated with a name of I. If I is not NULL, I<*out_len> is set to the length of the contents. +The required buffer size can be obtained from I<*out_len> by calling the +function with I set to NULL. =head1 NOTES 
diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod index f21314504e653f..87644cc5c37568 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod @@ -51,8 +51,8 @@ key generation function itself. The key algorithm context must be created using L or variants thereof, see that manual for details. -EVP_PKEY_keygen_init() initializes a public key algorithm context using key -I for a key generation operation. +EVP_PKEY_keygen_init() initializes a public key algorithm context I +for a key generation operation. EVP_PKEY_paramgen_init() is similar to EVP_PKEY_keygen_init() except key parameters are generated. diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_get_count.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_get_count.pod index 278600f4b240fb..2e2a3fc13e3131 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_get_count.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_get_count.pod @@ -8,9 +8,9 @@ EVP_PKEY_meth_get_count, EVP_PKEY_meth_get0, EVP_PKEY_meth_get0_info - enumerate #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: size_t EVP_PKEY_meth_get_count(void); const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); @@ -51,7 +51,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_new.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_new.pod index 06404079ab2482..db0b09f855fc4d 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_new.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_meth_new.pod @@ -29,9 +29,9 @@ EVP_PKEY_meth_remove #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: typedef struct evp_pkey_method_st EVP_PKEY_METHOD; diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_new.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_new.pod index ee55396de3b31d..0ea7062f0182aa 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_new.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_new.pod @@ -50,9 +50,9 @@ EVP_PKEY_get_raw_public_key int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub, size_t *len); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, const EVP_CIPHER *cipher); diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_RSA.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_RSA.pod index 59ea093d59831f..c0366d34fcee53 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_RSA.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_RSA.pod 
@@ -24,9 +24,9 @@ EVP_PKEY assignment functions #define EVP_PKEY_id EVP_PKEY_get_id #define EVP_PKEY_base_id EVP_PKEY_get_base_id -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key); int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key); diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod index be30ad2d11681f..20ae767dd6a17a 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod @@ -15,9 +15,9 @@ EVP_PKEY_set1_tls_encodedpoint, EVP_PKEY_get1_tls_encodedpoint size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const unsigned char *pt, size_t ptlen); @@ -131,7 +131,7 @@ deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_SIGNATURE_free.pod b/deps/openssl/openssl/doc/man3/EVP_SIGNATURE.pod similarity index 98% rename from deps/openssl/openssl/doc/man3/EVP_SIGNATURE_free.pod rename to deps/openssl/openssl/doc/man3/EVP_SIGNATURE.pod index 4642f40efc146a..9fb389e7aeb0ec 100644 
--- a/deps/openssl/openssl/doc/man3/EVP_SIGNATURE_free.pod +++ b/deps/openssl/openssl/doc/man3/EVP_SIGNATURE.pod @@ -2,6 +2,7 @@ =head1 NAME +EVP_SIGNATURE, EVP_SIGNATURE_fetch, EVP_SIGNATURE_free, EVP_SIGNATURE_up_ref, EVP_SIGNATURE_is_a, EVP_SIGNATURE_get0_provider, EVP_SIGNATURE_do_all_provided, EVP_SIGNATURE_names_do_all, @@ -13,6 +14,8 @@ EVP_SIGNATURE_gettable_ctx_params, EVP_SIGNATURE_settable_ctx_params #include + typedef struct evp_signature_st EVP_SIGNATURE; + EVP_SIGNATURE *EVP_SIGNATURE_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, const char *properties); void EVP_SIGNATURE_free(EVP_SIGNATURE *signature); diff --git a/deps/openssl/openssl/doc/man3/HMAC.pod b/deps/openssl/openssl/doc/man3/HMAC.pod index 3c543092e073ba..43aca065f0d285 100644 --- a/deps/openssl/openssl/doc/man3/HMAC.pod +++ b/deps/openssl/openssl/doc/man3/HMAC.pod @@ -24,9 +24,9 @@ HMAC_size const unsigned char *data, size_t data_len, unsigned char *md, unsigned int *md_len); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: HMAC_CTX *HMAC_CTX_new(void); int HMAC_CTX_reset(HMAC_CTX *ctx); @@ -44,9 +44,9 @@ L: size_t HMAC_size(const HMAC_CTX *e); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md); diff --git a/deps/openssl/openssl/doc/man3/MD5.pod b/deps/openssl/openssl/doc/man3/MD5.pod index 68ffc65b5a2030..5d1a8eb7da92cb 100644 --- a/deps/openssl/openssl/doc/man3/MD5.pod +++ b/deps/openssl/openssl/doc/man3/MD5.pod 
@@ -9,9 +9,9 @@ MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md); @@ -22,9 +22,9 @@ L: #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md); @@ -35,9 +35,9 @@ L: #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md); @@ -105,7 +105,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/MDC2_Init.pod b/deps/openssl/openssl/doc/man3/MDC2_Init.pod index abcf14445ece11..f29c9b78dc25c2 100644 --- a/deps/openssl/openssl/doc/man3/MDC2_Init.pod +++ b/deps/openssl/openssl/doc/man3/MDC2_Init.pod 
@@ -8,9 +8,9 @@ MDC2, MDC2_Init, MDC2_Update, MDC2_Final - MDC2 hash function #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: unsigned char *MDC2(const unsigned char *d, unsigned long n, unsigned char *md); @@ -70,7 +70,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod b/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod index 58fc94f6dd97a9..482cc320c778d4 100644 --- a/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod +++ b/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod @@ -37,9 +37,9 @@ OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup, OBJ_add_sigid int OBJ_add_sigid(int signid, int dig_id, int pkey_id); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void OBJ_cleanup(void); 
@@ -71,12 +71,14 @@ as well as numerical forms. If I is 1 only the numerical form is acceptable. OBJ_obj2txt() converts the B I into a textual representation. -The representation is written as a null terminated string to I +Unless I is NULL, +the representation is written as a NUL-terminated string to I, where at most I bytes are written, truncating the result if necessary. -The total amount of space required is returned. If I is 0 then -if the object has a long or short name then that will be used, otherwise -the numerical form will be used. If I is 1 then the numerical -form will always be used. +In any case it returns the total string length, excluding the NUL character, +required for non-truncated representation, or -1 on error. +If I is 0 then if the object has a long or short name +then that will be used, otherwise the numerical form will be used. +If I is 1 then the numerical form will always be used. i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I set to zero. @@ -152,6 +154,11 @@ a NID or B on error. OBJ_add_sigid() returns 1 on success or 0 on error. +i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error. +On success, they return the length of the string written to I if I is +not NULL and I is big enough, otherwise the total string length. +Note that this does not count the trailing NUL character. + =head1 EXAMPLES Create an object for B: 
@@ -174,13 +181,6 @@ Create a new object directly: =head1 BUGS -OBJ_obj2txt() is awkward and messy to use: it doesn't follow the -convention of other OpenSSL functions where the buffer can be set -to B to determine the amount of data that should be written. -Instead I must point to a valid buffer and I should -be set to a positive value. A buffer length of 80 should be more -than enough to handle any OID encountered in practice. - Neither OBJ_create() nor OBJ_add_sigid() do any locking and are thus not thread safe. Moreover, none of the other functions should be called while concurrent calls to these two functions are possible. diff --git a/deps/openssl/openssl/doc/man3/OCSP_sendreq_new.pod b/deps/openssl/openssl/doc/man3/OCSP_sendreq_new.pod index 51469661deff90..6e4c8110f1f038 100644 --- a/deps/openssl/openssl/doc/man3/OCSP_sendreq_new.pod +++ b/deps/openssl/openssl/doc/man3/OCSP_sendreq_new.pod @@ -21,9 +21,9 @@ OCSP_REQ_CTX_set1_req const OCSP_REQUEST *req, int buf_size); OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx); diff --git a/deps/openssl/openssl/doc/man3/OPENSSL_config.pod b/deps/openssl/openssl/doc/man3/OPENSSL_config.pod index 44017b4215c47f..3fe6dd0e496b05 100644 --- a/deps/openssl/openssl/doc/man3/OPENSSL_config.pod +++ b/deps/openssl/openssl/doc/man3/OPENSSL_config.pod 
@@ -8,9 +8,9 @@ OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions #include -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void OPENSSL_config(const char *appname); void OPENSSL_no_config(void); @@ -77,7 +77,7 @@ deprecated in OpenSSL 1.1.0 by OPENSSL_init_crypto(). =head1 COPYRIGHT -Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod b/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod index b011c6a63d31f0..6f8277c110da5c 100644 --- a/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod +++ b/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod @@ -11,9 +11,9 @@ OPENSSL_fork_child #include -Deprecated since OpenSSL 3.0.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void OPENSSL_fork_prepare(void); void OPENSSL_fork_parent(void); @@ -60,7 +60,7 @@ These functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OPENSSL_instrument_bus.pod b/deps/openssl/openssl/doc/man3/OPENSSL_instrument_bus.pod index fe72bb882d2712..1af07b29c7edef 100644 
--- a/deps/openssl/openssl/doc/man3/OPENSSL_instrument_bus.pod +++ b/deps/openssl/openssl/doc/man3/OPENSSL_instrument_bus.pod @@ -7,8 +7,8 @@ OPENSSL_instrument_bus, OPENSSL_instrument_bus2 - instrument references to memor =head1 SYNOPSIS #ifdef OPENSSL_CPUID_OBJ - size_t OPENSSL_instrument_bus(int *vector, size_t num); - size_t OPENSSL_instrument_bus2(int *vector, size_t num, size_t max); + size_t OPENSSL_instrument_bus(unsigned int *vector, size_t num); + size_t OPENSSL_instrument_bus2(unsigned int *vector, size_t num, size_t max); #endif =head1 DESCRIPTION @@ -43,7 +43,7 @@ Otherwise number of recorded values is returned. =head1 COPYRIGHT -Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OPENSSL_malloc.pod b/deps/openssl/openssl/doc/man3/OPENSSL_malloc.pod index 81a437806037a5..99a76e000d8f9f 100644 --- a/deps/openssl/openssl/doc/man3/OPENSSL_malloc.pod +++ b/deps/openssl/openssl/doc/man3/OPENSSL_malloc.pod @@ -66,9 +66,9 @@ OPENSSL_MALLOC_FD env OPENSSL_MALLOC_FAILURES=... env OPENSSL_MALLOC_FD=... -Deprecated since OpenSSL 3.0.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int CRYPTO_mem_leaks(BIO *b); int CRYPTO_mem_leaks_fp(FILE *fp); diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod index 32cdf811870a0f..741349cd6e3f54 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod 
@@ -20,7 +20,7 @@ i2d_OSSL_CMP_MSG_bio int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); - OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file); + OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg); OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg); int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg); diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod index bad043cb921cfc..d7f1a2e4dba7ba 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod @@ -100,7 +100,7 @@ in the same way as L. The B must be set as I of I. OSSL_CMP_SRV_CTX_new() creates and initializes an B structure -associated with the library context I and property query string +associated with the library context I and property query string I, both of which may be NULL to select the defaults. OSSL_CMP_SRV_CTX_free() deletes the given I. diff --git a/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX.pod b/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX.pod index aa5dc90893fe89..3ffd794cf0fb38 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX.pod 
@@ -47,7 +47,9 @@ OSSL_DECODER_INSTANCE_get_input_structure int OSSL_DECODER_CTX_set_input_structure(OSSL_DECODER_CTX *ctx, const char *input_structure); int OSSL_DECODER_CTX_add_decoder(OSSL_DECODER_CTX *ctx, OSSL_DECODER *decoder); - int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx); + int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx, + OSSL_LIB_CTX *libctx, + const char *propq); int OSSL_DECODER_CTX_get_num_decoders(OSSL_DECODER_CTX *ctx); typedef struct ossl_decoder_instance_st OSSL_DECODER_INSTANCE; @@ -159,7 +161,7 @@ OSSL_DECODER_CTX_set_cleanup() respectively. OSSL_DECODER_export() is a fallback function for constructors that cannot use the data they get directly for diverse reasons. It takes the same -decode instance I that the constructor got and an object +decode instance I that the constructor got and an object I, unpacks the object which it refers to, and exports it by creating an L array that it then passes to I, along with I. @@ -247,7 +249,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OSSL_ENCODER_to_bio.pod b/deps/openssl/openssl/doc/man3/OSSL_ENCODER_to_bio.pod index 365c74ad058958..237e29b0b38b34 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_ENCODER_to_bio.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_ENCODER_to_bio.pod @@ -92,7 +92,7 @@ AES-256-CBC into a buffer: size_t datalen; ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, - OSSL_KEYMGMT_SELECT_KEYPAIR, + OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, format, structure, NULL); 
diff --git a/deps/openssl/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod b/deps/openssl/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod index 38f57f5cd62a8b..ad2d731153502c 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -70,8 +70,7 @@ The allocated context structure is also populated with an internal allocated memory B, which collects the HTTP request and additional headers as text. OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I. -The I and I are not free'd and it is up to the application -to do so. +The I is not free'd, I will be free'd if I is set. OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context. The HTTP method is determined by I, 
@@ -140,13 +139,15 @@ using the ASN.1 template I and places the result in I<*pval>. OSSL_HTTP_REQ_CTX_exchange() calls OSSL_HTTP_REQ_CTX_nbio() as often as needed in order to exchange a request and response or until a timeout is reached. -If successful and an ASN.1-encoded response was expected, the response contents -should be read via the BIO returned by OSSL_HTTP_REQ_CTX_get0_mem_bio(). -Else the I that was given when calling OSSL_HTTP_REQ_CTX_new() -represents the current state of reading the response. -If OSSL_HTTP_REQ_CTX_exchange() was successful, this BIO has been read past the -end of the response headers, such that the actual response contents can be read -via this BIO, which may support streaming. +On success it returns a pointer to the BIO that can be used to read the result. +If an ASN.1-encoded response was expected, this is the BIO +returned by OSSL_HTTP_REQ_CTX_get0_mem_bio() when called after the exchange. +This memory BIO does not support streaming. +Otherwise it may be the I given when calling OSSL_HTTP_REQ_CTX_new(), +and this BIO has been read past the end of the response headers, +such that the actual response body can be read via this BIO, +which may support streaming. +The returned BIO pointer must not be freed by the caller. OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B. Before sending the request, this could used to modify the HTTP request text. @@ -154,6 +155,7 @@ I After receiving a response via HTTP, the BIO represents the current state of reading the response headers. If the response was expected to be ASN.1 encoded, its contents can be read via this BIO, which does not support streaming. +The returned BIO pointer must not be freed by the caller. OSSL_HTTP_REQ_CTX_get_resp_len() returns the size of the response contents in I if provided by the server as header field, else 0. 
@@ -228,6 +230,7 @@ return 1 for success, 0 on error or redirection, -1 if retry is needed. OSSL_HTTP_REQ_CTX_exchange() and OSSL_HTTP_REQ_CTX_get0_mem_bio() return a pointer to a B on success and NULL on failure. +The returned BIO must not be freed by the caller. OSSL_HTTP_REQ_CTX_get_resp_len() returns the size of the response contents or 0 if not available or an error occurred. diff --git a/deps/openssl/openssl/doc/man3/OSSL_HTTP_parse_url.pod b/deps/openssl/openssl/doc/man3/OSSL_HTTP_parse_url.pod index 5c253414ac8c39..945e981a73fa14 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_HTTP_parse_url.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_HTTP_parse_url.pod @@ -23,9 +23,9 @@ OCSP_parse_url char **pport, int *pport_num, char **ppath, char **pquery, char **pfrag); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, int *pssl); diff --git a/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod b/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod index ab30f5385f16d8..7fcd71dbe03b56 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod 
@@ -56,9 +56,10 @@ OSSL_HTTP_open() initiates an HTTP session using the I argument if not NULL, else by connecting to a given I optionally via a I. Typically the OpenSSL build supports sockets and the I parameter is NULL. -In this case I must be NULL as well, and the -library creates a network BIO internally for connecting to the given I -at the specified I if any, defaulting to 80 for HTTP or 443 for HTTPS. +In this case I must be NULL as well and the I must be non-NULL. +The function creates a network BIO internally using L +for connecting to the given server and the optionally given I, +defaulting to 80 for HTTP or 443 for HTTPS. Then this internal BIO is used for setting up a connection and for exchanging one or more request and response. If I is given and I is NULL then this I is used instead. @@ -68,6 +69,8 @@ I is used for writing requests and I for reading responses. As soon as the client has flushed I the server must be ready to provide a response or indicate a waiting condition via I. +If I is given, it is an error to provide I or I arguments, +while I and I arguments may be given to support diagnostic output. If I is NULL the optional I parameter can be used to set an HTTP(S) proxy to use (unless overridden by "no_proxy" settings). If TLS is not used this defaults to the environment variable C 
@@ -95,16 +98,19 @@ I is a BIO connect/disconnect callback function with prototype BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail) -The callback may modify the HTTP BIO provided in the I argument, +The callback function may modify the BIO provided in the I argument, whereby it may make use of a custom defined argument I, -which may for instance refer to an I structure. -During connection establishment, just after calling BIO_do_connect_retry(), -the function is invoked with the I argument being 1 and the I +which may for instance point to an B structure. +During connection establishment, just after calling BIO_do_connect_retry(), the +callback function is invoked with the I argument being 1 and the I argument being 1 if HTTPS is requested, i.e., SSL/TLS should be enabled, else 0. On disconnect I is 0 and I is 1 if no error occurred, else 0. -For instance, on connect the function may prepend a TLS BIO to implement HTTPS; -after disconnect it may do some diagnostic output and/or specific cleanup. -The function should return NULL to indicate failure. +For instance, on connect the callback may push an SSL BIO to implement HTTPS; +after disconnect it may do some diagnostic output and pop and free the SSL BIO. + +The callback function must return either the potentially modified BIO I. +or NULL to indicate failure, in which case it should not modify the BIO. + Here is a simple example that supports TLS connections (but not via a proxy): BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail) 
@@ -147,6 +153,8 @@ NULL) to print additional diagnostic information in a user-oriented way. OSSL_HTTP_set1_request() sets up in I the request header and content data and expectations on the response using the following parameters. +If indicates using a proxy for HTTP (but not HTTPS), the server hostname +(and optionally port) needs to be placed in the header and thus must be present. If I is NULL it defaults to "/". If I is NULL the HTTP GET method will be used to send the request else HTTP POST with the contents of I and optional I, where @@ -185,10 +193,11 @@ If the response header contains one or more "Content-Length" header lines and/or an ASN.1-encoded response is expected, which should include a total length, the length indications received are checked for consistency and for not exceeding any given maximum response length. -On receiving a response, the function returns the contents as a memory BIO, -which does not support streaming, in case an ASN.1-encoded response is expected. -Else it returns directly the read BIO that holds the response contents, +If an ASN.1-encoded response is expected, the function returns on success +the contents as a memory BIO, which does not support streaming. +Otherwise it returns directly the read BIO that holds the response contents, which allows a response of indefinite length and may support streaming. +The caller is responsible for freeing the BIO pointer obtained. OSSL_HTTP_get() uses HTTP GET to obtain data from I if non-NULL, else from the server contained in the I, and returns it as a BIO. 
@@ -202,6 +211,7 @@ If the scheme component of the I is C a TLS connection is requested and the I, as described for OSSL_HTTP_open(), must be provided. Also the remaining parameters are interpreted as described for OSSL_HTTP_open() and OSSL_HTTP_set1_request(), respectively. +The caller is responsible for freeing the BIO pointer obtained. OSSL_HTTP_transfer() exchanges an HTTP request and response over a connection managed via I without supporting redirection. @@ -213,10 +223,12 @@ or required and this was granted by the server, else it closes the connection and assigns NULL to I<*prctx>. The remaining parameters are interpreted as described for OSSL_HTTP_open() and OSSL_HTTP_set1_request(), respectively. +The caller is responsible for freeing the BIO pointer obtained. OSSL_HTTP_close() closes the connection and releases I. The I parameter is passed to any BIO update function given during setup as described above for OSSL_HTTP_open(). +It must be 1 if no error occurred during the HTTP transfer and 0 otherwise. =head1 NOTES @@ -238,12 +250,13 @@ is expected, else a BIO that may support streaming. The BIO must be freed by the caller. On failure, they return NULL. Failure conditions include connection/transfer timeout, parse errors, etc. +The caller is responsible for freeing the BIO pointer obtained. OSSL_HTTP_close() returns 0 if anything went wrong while disconnecting, else 1. =head1 SEE ALSO -L, L +L, L, L, L, L diff --git a/deps/openssl/openssl/doc/man3/OSSL_PARAM_BLD.pod b/deps/openssl/openssl/doc/man3/OSSL_PARAM_BLD.pod index d07eff6f270554..114ce44489cdb5 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_PARAM_BLD.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_PARAM_BLD.pod 
@@ -124,6 +124,11 @@ on error. All of the OSSL_PARAM_BLD_push_TYPE functions return 1 on success and 0 on error. +=head1 NOTES + +OSSL_PARAM_BLD_push_BN() and OSSL_PARAM_BLD_push_BN_pad() currently only +support nonnegative Bs. They return an error on negative Bs. + =head1 EXAMPLES Both examples creating an OSSL_PARAM array that contains an RSA key. diff --git a/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod b/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod index 69b723d3482fcc..9ca725d120ec2d 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod @@ -331,6 +331,12 @@ representable by the target type or parameter. Apart from that, the functions must be used appropriately for the expected type of the parameter. +OSSL_PARAM_get_BN() and OSSL_PARAM_set_BN() currently only support +nonnegative Bs, and by consequence, only +B. OSSL_PARAM_construct_BN() currently +constructs an B structure with the data type +B. + For OSSL_PARAM_construct_utf8_ptr() and OSSL_PARAM_consstruct_octet_ptr(), I is not relevant if the purpose is to send the B array to a I, i.e. to get parameter data back. diff --git a/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod b/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod index fc1153eb211bb2..b1d838604badc8 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod @@ -52,9 +52,9 @@ unregister STORE loaders for different URI schemes void (*fn)(const char *name, void *data), void *data); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: OSSL_STORE_LOADER *OSSL_STORE_LOADER_new(ENGINE *e, const char *scheme); const ENGINE *OSSL_STORE_LOADER_get0_engine(const OSSL_STORE_LOADER 
diff --git a/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod b/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod index 2d127a30fed8e3..a3fe7e13eed124 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod @@ -33,9 +33,9 @@ OSSL_STORE_error, OSSL_STORE_close int OSSL_STORE_error(OSSL_STORE_CTX *ctx); int OSSL_STORE_close(OSSL_STORE_CTX *ctx); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ... /* args */); diff --git a/deps/openssl/openssl/doc/man3/OpenSSL_add_all_algorithms.pod b/deps/openssl/openssl/doc/man3/OpenSSL_add_all_algorithms.pod index 263d9b00fd10e8..07403a32d53448 100644 --- a/deps/openssl/openssl/doc/man3/OpenSSL_add_all_algorithms.pod +++ b/deps/openssl/openssl/doc/man3/OpenSSL_add_all_algorithms.pod @@ -9,9 +9,9 @@ add algorithms to internal table #include -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void OpenSSL_add_all_algorithms(void); void OpenSSL_add_all_ciphers(void); @@ -53,7 +53,7 @@ not be used. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/PEM_read_CMS.pod b/deps/openssl/openssl/doc/man3/PEM_read_CMS.pod index 4024b3219c5a82..2b96db9c31a330 100644 --- a/deps/openssl/openssl/doc/man3/PEM_read_CMS.pod 
+++ b/deps/openssl/openssl/doc/man3/PEM_read_CMS.pod @@ -55,9 +55,9 @@ PEM_write_bio_X509_PUBKEY int PEM_write_TYPE(FILE *fp, const TYPE *a); int PEM_write_bio_TYPE(BIO *bp, const TYPE *a); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: #include diff --git a/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod b/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod index 4ed1b8c70338e4..a71907b1701694 100644 --- a/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod +++ b/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod @@ -134,9 +134,9 @@ PEM_write_bio_PKCS7, PEM_write_PKCS7 - PEM routines int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x); int PEM_write_PKCS7(FILE *fp, PKCS7 *x); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, pem_password_cb *cb, void *u); 
@@ -209,7 +209,14 @@ refer to the B>(), B>(), B>(), and B>() functions. Some operations have additional variants that take a library context I -and a property query string I. +and a property query string I. The B, B and B +objects may have an associated library context or property query string but +there are no variants of these functions that take a library context or property +query string parameter. In this case it is possible to set the appropriate +library context or property query string by creating an empty B, +B or B object using L, L +or L respectively. Then pass the empty object as a parameter +to the relevant PEM function. See the L section below. The B functions read or write a private key in PEM format using an EVP_PKEY structure. The write routines use PKCS#8 private key format and are @@ -448,7 +455,8 @@ where I already contains a valid certificate, may not work, whereas: X509_free(x); x = PEM_read_bio_X509(bp, NULL, 0, NULL); -is guaranteed to work. +is guaranteed to work. It is always acceptable for I to contain a newly +allocated, empty B object (for example allocated via L). =head1 RETURN VALUES diff --git a/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_create_cert.pod b/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_create_cert.pod index 07ba1425e7add2..ef161f01badce8 100644 --- a/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_create_cert.pod +++ b/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_create_cert.pod @@ -3,7 +3,7 @@ =head1 NAME PKCS12_SAFEBAG_create_cert, PKCS12_SAFEBAG_create_crl, -PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf, +PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf, PKCS12_SAFEBAG_create0_pkcs8, PKCS12_SAFEBAG_create_pkcs8_encrypt, PKCS12_SAFEBAG_create_pkcs8_encrypt_ex - Create PKCS#12 safeBag objects 
@@ -52,7 +52,7 @@ containing the supplied PKCS8 structure. PKCS12_SAFEBAG_create0_pkcs8() creates a new B of type B containing the supplied PKCS8 structure. -PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B of type +PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B of type B by encrypting the supplied PKCS8 I. If I is 0, a default encryption algorithm is used. I is the passphrase and I is the iteration count. If I is zero then a default diff --git a/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod b/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod index c1544bc0e797b3..7073c0d5cec0ec 100644 --- a/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod +++ b/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod @@ -16,7 +16,7 @@ PKCS12_SAFEBAG_get0_attrs, PKCS12_get_attr_gen =head1 DESCRIPTION -PKCS12_SAFEBAG_get0_attrs() retrieves the stack of Bs from a +PKCS12_SAFEBAG_get0_attrs() retrieves the stack of Bs from a PKCS#12 safeBag. I is the B to retrieve the attributes from. PKCS12_get_attr_gen() retrieves an attribute by NID from a stack of @@ -24,10 +24,10 @@ Bs. I is the NID of the attribute to retrieve. =head1 RETURN VALUES -PKCS12_SAFEBAG_get0_attrs() returns the stack of Bs from a +PKCS12_SAFEBAG_get0_attrs() returns the stack of Bs from a PKCS#12 safeBag, which could be empty. -PKCS12_get_attr_gen() returns an B object containing the attribute, +PKCS12_get_attr_gen() returns an B object containing the attribute, or NULL if the attribute was either not present or an error occurred. PKCS12_get_attr_gen() does not allocate a new attribute. The returned attribute @@ -40,7 +40,7 @@ L =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get1_cert.pod b/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get1_cert.pod index b89b17eeafc4e4..ecd212c775ec34 100644 --- a/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get1_cert.pod +++ b/deps/openssl/openssl/doc/man3/PKCS12_SAFEBAG_get1_cert.pod @@ -48,7 +48,7 @@ PKCS12_SAFEBAG_get0_p8inf() and PKCS12_SAFEBAG_get0_pkcs8() return the PKCS8 obj from a PKCS8shroudedKeyBag or a keyBag. PKCS12_SAFEBAG_get0_safes() retrieves the set of B contained within a -safeContentsBag. +safeContentsBag. =head1 RETURN VALUES @@ -64,7 +64,7 @@ L =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/PKCS12_decrypt_skey.pod b/deps/openssl/openssl/doc/man3/PKCS12_decrypt_skey.pod index a376ddc50257fa..7a41b2b06c2f7e 100644 --- a/deps/openssl/openssl/doc/man3/PKCS12_decrypt_skey.pod +++ b/deps/openssl/openssl/doc/man3/PKCS12_decrypt_skey.pod @@ -21,7 +21,7 @@ decrypt functions PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I using the supplied password I of length I. -PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex +PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex I and property query I to be used to select algorithm implementations. =head1 RETURN VALUES diff --git a/deps/openssl/openssl/doc/man3/RAND_add.pod b/deps/openssl/openssl/doc/man3/RAND_add.pod index 990f6978d314ae..10a68114330a12 100644 --- a/deps/openssl/openssl/doc/man3/RAND_add.pod +++ b/deps/openssl/openssl/doc/man3/RAND_add.pod 
@@ -18,9 +18,9 @@ RAND_keep_random_devices_open void RAND_keep_random_devices_open(int keep); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam); void RAND_screen(void); @@ -101,7 +101,7 @@ not be used. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RAND_bytes.pod b/deps/openssl/openssl/doc/man3/RAND_bytes.pod index 106badd078ca5f..ee7ed4af860c81 100644 --- a/deps/openssl/openssl/doc/man3/RAND_bytes.pod +++ b/deps/openssl/openssl/doc/man3/RAND_bytes.pod @@ -17,9 +17,9 @@ RAND_pseudo_bytes - generate random data int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, unsigned int strength); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RAND_pseudo_bytes(unsigned char *buf, int num); diff --git a/deps/openssl/openssl/doc/man3/RAND_cleanup.pod b/deps/openssl/openssl/doc/man3/RAND_cleanup.pod index f407620ddda4b5..ce61a9f2b12e18 100644 --- a/deps/openssl/openssl/doc/man3/RAND_cleanup.pod +++ b/deps/openssl/openssl/doc/man3/RAND_cleanup.pod 
@@ -8,9 +8,9 @@ RAND_cleanup - erase the PRNG state #include -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void RAND_cleanup(void); @@ -36,7 +36,7 @@ See L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod b/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod index ccc6d83f28acf8..0cd5ac41cee4eb 100644 --- a/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod +++ b/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod @@ -8,9 +8,9 @@ RAND_set_rand_method, RAND_get_rand_method, RAND_OpenSSL - select RAND method #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: RAND_METHOD *RAND_OpenSSL(void); diff --git a/deps/openssl/openssl/doc/man3/RC4_set_key.pod b/deps/openssl/openssl/doc/man3/RC4_set_key.pod index b9876291b998d3..296f88eb6f2073 100644 --- a/deps/openssl/openssl/doc/man3/RC4_set_key.pod +++ b/deps/openssl/openssl/doc/man3/RC4_set_key.pod @@ -8,9 +8,9 @@ RC4_set_key, RC4 - RC4 encryption #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); 
@@ -68,7 +68,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RIPEMD160_Init.pod b/deps/openssl/openssl/doc/man3/RIPEMD160_Init.pod index 7b1b84eb9cf1e8..48937a647f5a9f 100644 --- a/deps/openssl/openssl/doc/man3/RIPEMD160_Init.pod +++ b/deps/openssl/openssl/doc/man3/RIPEMD160_Init.pod @@ -9,9 +9,9 @@ RIPEMD-160 hash function #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, unsigned char *md); @@ -73,7 +73,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod b/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod index 36124e41239979..c2d290b0dfdfaa 100644 --- a/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod +++ b/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod 
@@ -8,9 +8,9 @@ RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attack #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); diff --git a/deps/openssl/openssl/doc/man3/RSA_check_key.pod b/deps/openssl/openssl/doc/man3/RSA_check_key.pod index f33d6b0aba0f64..d9c0097772c4c3 100644 --- a/deps/openssl/openssl/doc/man3/RSA_check_key.pod +++ b/deps/openssl/openssl/doc/man3/RSA_check_key.pod @@ -8,13 +8,13 @@ RSA_check_key_ex, RSA_check_key - validate private RSA keys #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: - int RSA_check_key_ex(RSA *rsa, BN_GENCB *cb); + int RSA_check_key_ex(const RSA *rsa, BN_GENCB *cb); - int RSA_check_key(RSA *rsa); + int RSA_check_key(const RSA *rsa); =head1 DESCRIPTION @@ -84,7 +84,7 @@ RSA_check_key_ex() appeared after OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_generate_key.pod b/deps/openssl/openssl/doc/man3/RSA_generate_key.pod index 54ba4df9cba5a0..d00045e8a3cb42 100644 --- a/deps/openssl/openssl/doc/man3/RSA_generate_key.pod +++ b/deps/openssl/openssl/doc/man3/RSA_generate_key.pod 
@@ -12,14 +12,16 @@ RSA_generate_multi_prime_key - generate RSA key pair EVP_PKEY *EVP_RSA_gen(unsigned int bits); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, BIGNUM *e, BN_GENCB *cb); -Deprecated since OpenSSL 0.9.8: +The following function has been deprecated since OpenSSL 0.9.8, and can be +hidden entirely by defining B with a suitable version value, +see L: RSA *RSA_generate_key(int bits, unsigned long e, void (*callback)(int, int, void *), void *cb_arg); diff --git a/deps/openssl/openssl/doc/man3/RSA_get0_key.pod b/deps/openssl/openssl/doc/man3/RSA_get0_key.pod index bdc6f0d289dd0f..0a0f79125a3281 100644 --- a/deps/openssl/openssl/doc/man3/RSA_get0_key.pod +++ b/deps/openssl/openssl/doc/man3/RSA_get0_key.pod @@ -16,9 +16,9 @@ RSA_set0_multi_prime_params, RSA_get_version #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); diff --git a/deps/openssl/openssl/doc/man3/RSA_meth_new.pod b/deps/openssl/openssl/doc/man3/RSA_meth_new.pod index ceab3177916ca0..29ea4161b0b535 100644 --- a/deps/openssl/openssl/doc/man3/RSA_meth_new.pod +++ b/deps/openssl/openssl/doc/man3/RSA_meth_new.pod 
@@ -20,9 +20,9 @@ RSA_meth_get_multi_prime_keygen, RSA_meth_set_multi_prime_keygen #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: RSA_METHOD *RSA_meth_new(const char *name, int flags); void RSA_meth_free(RSA_METHOD *meth); @@ -260,7 +260,7 @@ Other functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_new.pod b/deps/openssl/openssl/doc/man3/RSA_new.pod index ebbb2e76c0fcc3..7373c2042d9ccd 100644 --- a/deps/openssl/openssl/doc/man3/RSA_new.pod +++ b/deps/openssl/openssl/doc/man3/RSA_new.pod @@ -8,7 +8,9 @@ RSA_new, RSA_free - allocate and free RSA objects #include -Deprecated since OpenSSL 3.0: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: RSA *RSA_new(void); diff --git a/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod index 873825a2c3cded..9f7025c49755d5 100644 --- a/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod +++ b/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod 
@@ -13,9 +13,9 @@ padding #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, const unsigned char *f, int fl); diff --git a/deps/openssl/openssl/doc/man3/RSA_print.pod b/deps/openssl/openssl/doc/man3/RSA_print.pod index ee1995aa7efd78..27495b2241af88 100644 --- a/deps/openssl/openssl/doc/man3/RSA_print.pod +++ b/deps/openssl/openssl/doc/man3/RSA_print.pod 
@@ -10,32 +10,32 @@ DHparams_print, DHparams_print_fp - print cryptographic parameters #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: - int RSA_print(BIO *bp, RSA *x, int offset); - int RSA_print_fp(FILE *fp, RSA *x, int offset); + int RSA_print(BIO *bp, const RSA *x, int offset); + int RSA_print_fp(FILE *fp, const RSA *x, int offset); #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: - int DSAparams_print(BIO *bp, DSA *x); - int DSAparams_print_fp(FILE *fp, DSA *x); - int DSA_print(BIO *bp, DSA *x, int offset); - int DSA_print_fp(FILE *fp, DSA *x, int offset); + int DSAparams_print(BIO *bp, const DSA *x); + int DSAparams_print_fp(FILE *fp, const DSA *x); + int DSA_print(BIO *bp, const DSA *x, int offset); + int DSA_print_fp(FILE *fp, const DSA *x, int offset); #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int DHparams_print(BIO *bp, DH *x); - int DHparams_print_fp(FILE *fp, DH *x); + int DHparams_print_fp(FILE *fp, const DH *x); =head1 DESCRIPTION @@ -50,7 +50,10 @@ The output lines are indented by B spaces. =head1 RETURN VALUES -These functions return 1 on success, 0 on error. +DSAparams_print(), DSAparams_print_fp(), DSA_print(), and DSA_print_fp() +return 1 for success and 0 or a negative value for failure. + +DHparams_print() and DHparams_print_fp() return 1 on success, 0 on error. =head1 SEE ALSO 
@@ -64,7 +67,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_private_encrypt.pod b/deps/openssl/openssl/doc/man3/RSA_private_encrypt.pod index 1c89b58b5fb509..a9bd23c1345c69 100644 --- a/deps/openssl/openssl/doc/man3/RSA_private_encrypt.pod +++ b/deps/openssl/openssl/doc/man3/RSA_private_encrypt.pod @@ -8,9 +8,9 @@ RSA_private_encrypt, RSA_public_decrypt - low-level signature operations #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); diff --git a/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod b/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod index 1624c16002e33d..1d38073aeada99 100644 --- a/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod +++ b/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod @@ -8,9 +8,9 @@ RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); 
diff --git a/deps/openssl/openssl/doc/man3/RSA_set_method.pod b/deps/openssl/openssl/doc/man3/RSA_set_method.pod index 884765ce973d63..6e45d6b60b9d24 100644 --- a/deps/openssl/openssl/doc/man3/RSA_set_method.pod +++ b/deps/openssl/openssl/doc/man3/RSA_set_method.pod @@ -10,19 +10,19 @@ RSA_new_method - select RSA method #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void RSA_set_default_method(const RSA_METHOD *meth); - RSA_METHOD *RSA_get_default_method(void); + const RSA_METHOD *RSA_get_default_method(void); int RSA_set_method(RSA *rsa, const RSA_METHOD *meth); - RSA_METHOD *RSA_get_method(const RSA *rsa); + const RSA_METHOD *RSA_get_method(const RSA *rsa); - RSA_METHOD *RSA_PKCS1_OpenSSL(void); + const RSA_METHOD *RSA_PKCS1_OpenSSL(void); int RSA_flags(const RSA *rsa); @@ -185,7 +185,7 @@ was replaced to always return NULL in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_sign.pod b/deps/openssl/openssl/doc/man3/RSA_sign.pod index 715dfe465bfeba..1917d977849282 100644 --- a/deps/openssl/openssl/doc/man3/RSA_sign.pod +++ b/deps/openssl/openssl/doc/man3/RSA_sign.pod 
@@ -8,9 +8,9 @@ RSA_sign, RSA_verify - RSA signatures #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_sign(int type, const unsigned char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, RSA *rsa); @@ -67,7 +67,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod b/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod index 846cb231bff738..6548bdb78a06bf 100644 --- a/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod +++ b/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod @@ -8,9 +8,9 @@ RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING - RSA signatures #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m, unsigned int m_len, unsigned char *sigret, @@ -68,7 +68,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/deps/openssl/openssl/doc/man3/RSA_size.pod b/deps/openssl/openssl/doc/man3/RSA_size.pod index c6f07367b8d0f3..18e968c966b2da 100644 --- a/deps/openssl/openssl/doc/man3/RSA_size.pod +++ b/deps/openssl/openssl/doc/man3/RSA_size.pod @@ -10,9 +10,9 @@ RSA_size, RSA_bits, RSA_security_bits - get RSA modulus size or security bits int RSA_bits(const RSA *rsa); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int RSA_size(const RSA *rsa); diff --git a/deps/openssl/openssl/doc/man3/SCT_print.pod b/deps/openssl/openssl/doc/man3/SCT_print.pod index c7ace453af3653..fbcbce2760c387 100644 --- a/deps/openssl/openssl/doc/man3/SCT_print.pod +++ b/deps/openssl/openssl/doc/man3/SCT_print.pod @@ -31,7 +31,7 @@ beforehand in order to set the validation status of an SCT first. =head1 RETURN VALUES -SCT_validation_status_string() returns a null-terminated string representing +SCT_validation_status_string() returns a NUL-terminated string representing the validation status of an B object. =head1 SEE ALSO @@ -47,7 +47,7 @@ These functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SHA256_Init.pod b/deps/openssl/openssl/doc/man3/SHA256_Init.pod index 924f44fd100407..3d647c381b4e55 100644 --- a/deps/openssl/openssl/doc/man3/SHA256_Init.pod +++ b/deps/openssl/openssl/doc/man3/SHA256_Init.pod 
@@ -11,15 +11,15 @@ SHA512_Final - Secure Hash Algorithm #include - unsigned char *SHA1(const void *data, size_t count, unsigned char *md_buf); - unsigned char *SHA224(const void *data, size_t count, unsigned char *md_buf); - unsigned char *SHA256(const void *data, size_t count, unsigned char *md_buf); - unsigned char *SHA384(const void *data, size_t count, unsigned char *md_buf); - unsigned char *SHA512(const void *data, size_t count, unsigned char *md_buf); - -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: + unsigned char *SHA1(const unsigned char *data, size_t count, unsigned char *md_buf); + unsigned char *SHA224(const unsigned char *data, size_t count, unsigned char *md_buf); + unsigned char *SHA256(const unsigned char *data, size_t count, unsigned char *md_buf); + unsigned char *SHA384(const unsigned char *data, size_t count, unsigned char *md_buf); + unsigned char *SHA512(const unsigned char *data, size_t count, unsigned char *md_buf); + +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int SHA1_Init(SHA_CTX *c); int SHA1_Update(SHA_CTX *c, const void *data, size_t len); diff --git a/deps/openssl/openssl/doc/man3/SRP_Calc_B.pod b/deps/openssl/openssl/doc/man3/SRP_Calc_B.pod index 8fa25b0b569876..ec6221aa7cc973 100644 --- a/deps/openssl/openssl/doc/man3/SRP_Calc_B.pod +++ b/deps/openssl/openssl/doc/man3/SRP_Calc_B.pod @@ -18,9 +18,9 @@ SRP_Calc_client_key #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: /* server side .... */ BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u, 
diff --git a/deps/openssl/openssl/doc/man3/SRP_VBASE_new.pod b/deps/openssl/openssl/doc/man3/SRP_VBASE_new.pod index 0333bec6eabcfa..a4838fb6c6179e 100644 --- a/deps/openssl/openssl/doc/man3/SRP_VBASE_new.pod +++ b/deps/openssl/openssl/doc/man3/SRP_VBASE_new.pod @@ -14,9 +14,9 @@ SRP_VBASE_get_by_user #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: SRP_VBASE *SRP_VBASE_new(char *seed_key); void SRP_VBASE_free(SRP_VBASE *vb); diff --git a/deps/openssl/openssl/doc/man3/SRP_create_verifier.pod b/deps/openssl/openssl/doc/man3/SRP_create_verifier.pod index 37022b7ddacb21..a4de39a573ba59 100644 --- a/deps/openssl/openssl/doc/man3/SRP_create_verifier.pod +++ b/deps/openssl/openssl/doc/man3/SRP_create_verifier.pod @@ -14,9 +14,9 @@ SRP_get_default_gN #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, BIGNUM **verifier, const BIGNUM *N, diff --git a/deps/openssl/openssl/doc/man3/SRP_user_pwd_new.pod b/deps/openssl/openssl/doc/man3/SRP_user_pwd_new.pod index 3c7507f54d3d4c..405ece0d7ab95c 100644 --- a/deps/openssl/openssl/doc/man3/SRP_user_pwd_new.pod +++ b/deps/openssl/openssl/doc/man3/SRP_user_pwd_new.pod 
@@ -13,9 +13,9 @@ SRP_user_pwd_set0_sv #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: SRP_user_pwd *SRP_user_pwd_new(void); void SRP_user_pwd_free(SRP_user_pwd *user_pwd); diff --git a/deps/openssl/openssl/doc/man3/SSL_CIPHER_get_name.pod b/deps/openssl/openssl/doc/man3/SSL_CIPHER_get_name.pod index 1f4b59f4c74bcc..7f00f09d67f8ff 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CIPHER_get_name.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CIPHER_get_name.pod @@ -28,7 +28,7 @@ SSL_CIPHER_get_protocol_id const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher); const char *OPENSSL_cipher_name(const char *stdname); int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits); - char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); + const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); @@ -168,7 +168,7 @@ Some examples for the output of SSL_CIPHER_description(): SSL_CIPHER_get_name(), SSL_CIPHER_standard_name(), OPENSSL_cipher_name(), SSL_CIPHER_get_version() and SSL_CIPHER_description() return the corresponding -value in a null-terminated string for a specific cipher or "(NONE)" +value in a NUL-terminated string for a specific cipher or "(NONE)" if the cipher is not found. SSL_CIPHER_get_bits() returns a positive integer representing the number of 
@@ -216,7 +216,7 @@ The SSL_CIPHER_get_prf_nid() function was added in OpenSSL 3.0.0. =head1 COPYRIGHT -Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_COMP_add_compression_method.pod b/deps/openssl/openssl/doc/man3/SSL_COMP_add_compression_method.pod index 87718df4080d69..924553805eea5b 100644 --- a/deps/openssl/openssl/doc/man3/SSL_COMP_add_compression_method.pod +++ b/deps/openssl/openssl/doc/man3/SSL_COMP_add_compression_method.pod @@ -15,9 +15,9 @@ SSL_COMP_get0_name, SSL_COMP_get_id, SSL_COMP_free_compression_methods const char *SSL_COMP_get0_name(const SSL_COMP *comp); int SSL_COMP_get_id(const SSL_COMP *comp); -Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 1.1.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void SSL_COMP_free_compression_methods(void); @@ -96,7 +96,7 @@ The SSL_COMP_get0_name() and SSL_comp_get_id() functions were added in OpenSSL 1 =head1 COPYRIGHT -Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_client_hello_cb.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_client_hello_cb.pod index f70b147fc5ecfb..d592102028ce75 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_client_hello_cb.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_client_hello_cb.pod 
@@ -18,7 +18,7 @@ SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_ const unsigned char **out); int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen); - int SSL_client_hello_get0_ext(SSL *s, int type, const unsigned char **out, + int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out, size_t *outlen); =head1 DESCRIPTION @@ -122,7 +122,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_keylog_callback.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_keylog_callback.pod index 1f170ae81ad43d..27dfb3419e3a07 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_keylog_callback.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_keylog_callback.pod @@ -29,7 +29,7 @@ The key logging callback is called with two items: the B object associated with the connection, and B, a string containing the key material in the format used by NSS for its B debugging output. To recreate that file, the key logging callback should log B, followed by a newline. -B will always be a NULL-terminated string. +B will always be a NUL-terminated string. =head1 RETURN VALUES @@ -42,7 +42,7 @@ L =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_num_tickets.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_num_tickets.pod index c06583304f0739..0c7331bc6da94b 100644 
--- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_num_tickets.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_num_tickets.pod @@ -14,9 +14,9 @@ SSL_new_session_ticket #include int SSL_set_num_tickets(SSL *s, size_t num_tickets); - size_t SSL_get_num_tickets(SSL *s); + size_t SSL_get_num_tickets(const SSL *s); int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets); - size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx); + size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx); int SSL_new_session_ticket(SSL *s); =head1 DESCRIPTION @@ -27,10 +27,10 @@ the client after a full handshake. Set the desired value (which could be 0) in the B argument. Typically these functions should be called before the start of the handshake. -The default number of tickets is 2; the default number of tickets sent following -a resumption handshake is 1 but this cannot be changed using these functions. -The number of tickets following a resumption handshake can be reduced to 0 using -custom session ticket callbacks (see L). +The default number of tickets is 2. Following a resumption the number of tickets +issued will never be more than 1 regardless of the value set via +SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to +0 then no tickets will be issued for either a normal connection or a resumption. Tickets are also issued on receipt of a post-handshake certificate from the client following a request by the server using diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_options.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_options.pod index dfd0c83afc1d09..08522522cd0bb8 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_options.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_options.pod 
@@ -16,8 +16,8 @@ SSL_get_secure_renegotiation_support - manipulate SSL options uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options); uint64_t SSL_clear_options(SSL *ssl, uint64_t options); - uint64_t SSL_CTX_get_options(SSL_CTX *ctx); - uint64_t SSL_get_options(SSL *ssl); + uint64_t SSL_CTX_get_options(const SSL_CTX *ctx); + uint64_t SSL_get_options(const SSL *ssl); long SSL_get_secure_renegotiation_support(SSL *ssl); diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_psk_client_callback.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_psk_client_callback.pod index 23bab173177212..7ccea7273f837c 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_psk_client_callback.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_psk_client_callback.pod @@ -107,11 +107,11 @@ the pre-shared key to use during the connection setup phase. The callback is set using functions SSL_CTX_set_psk_client_callback() or SSL_set_psk_client_callback(). The callback function is given the -connection in parameter B, a B-terminated PSK identity hint +connection in parameter B, a B-terminated PSK identity hint sent by the server in parameter B, a buffer B of -length B bytes where the resulting -B-terminated identity is to be stored, and a buffer B of -length B bytes where the resulting pre-shared key is to +length B bytes (including the B-terminator) where the +resulting B-terminated identity is to be stored, and a buffer B +of length B bytes where the resulting pre-shared key is to be stored. The callback for use in TLSv1.2 will also work in TLSv1.3 although it is @@ -169,7 +169,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_security_level.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_security_level.pod index 292d6a2333b799..a4595490013b42 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_security_level.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_security_level.pod @@ -77,7 +77,9 @@ parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite -using MD5 for the MAC is also prohibited. +using MD5 for the MAC is also prohibited. Note that signatures using SHA1 +and MD5 are also forbidden at this level as they have less than 80 security +bits. =item B @@ -147,10 +149,11 @@ key size or the DH parameter size will abort the handshake with a fatal alert. Attempts to set certificates or parameters with insufficient security are -also blocked. For example trying to set a certificate using a 512 bit RSA -key using SSL_CTX_use_certificate() at level 1. Applications which do not -check the return values for errors will misbehave: for example it might -appear that a certificate is not set at all because it had been rejected. +also blocked. For example trying to set a certificate using a 512 bit RSA key +or a certificate with a signature with SHA1 digest at level 1 using +SSL_CTX_use_certificate(). Applications which do not check the return values +for errors will misbehave: for example it might appear that a certificate is +not set at all because it had been rejected. =head1 RETURN VALUES 
@@ -178,7 +181,7 @@ These functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_split_send_fragment.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_split_send_fragment.pod index ece474b2eb2a61..5097404398b2a9 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_split_send_fragment.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_split_send_fragment.pod @@ -28,7 +28,7 @@ SSL_SESSION_get_max_fragment_length - Control fragment size settings and pipelin int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode); int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode); - uint8_t SSL_SESSION_get_max_fragment_length(SSL_SESSION *session); + uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session); =head1 DESCRIPTION @@ -179,7 +179,7 @@ and SSL_SESSION_get_max_fragment_length() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_srp_password.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_srp_password.pod index 720198a40158ae..7e7e98c8dcd9f6 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_srp_password.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_srp_password.pod 
@@ -21,9 +21,9 @@ SSL_get_srp_userinfo #include -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name); int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password); diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod index f4730066facefb..5d178bb8e4de8b 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -15,9 +15,9 @@ SSL_CTX_set_tlsext_ticket_key_cb unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following function has been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: int SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx, int (*cb)(SSL *s, unsigned char key_name[16], @@ -145,7 +145,7 @@ enable an attacker to obtain the session keys. =head1 RETURN VALUES -returns 0 to indicate the callback function was set. +Returns 1 to indicate the callback function was set and 0 otherwise. =head1 EXAMPLES diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index ac8dd391b2b587..aacf82a80fba79 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod 
@@ -16,9 +16,9 @@ SSL_set_tmp_dh_callback, SSL_set_tmp_dh int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*tmp_dh_callback)(SSL *ssl, int is_export, @@ -112,7 +112,7 @@ L, L =head1 COPYRIGHT -Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod index 72608c84daf050..f08656bb85b378 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod 
@@ -20,27 +20,27 @@ SSL_CTX_use_cert_and_key, SSL_use_cert_and_key #include int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); - int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d); + int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d); int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); int SSL_use_certificate(SSL *ssl, X509 *x); - int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); + int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); int SSL_use_certificate_file(SSL *ssl, const char *file, int type); int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); int SSL_use_certificate_chain_file(SSL *ssl, const char *file); int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); - int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, + int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); - int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); + int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len); int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); - int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, unsigned char *d, long len); + int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len); int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); - int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); + int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len); int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); int SSL_CTX_check_private_key(const SSL_CTX *ctx); 
@@ -194,7 +194,7 @@ L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_get_session.pod b/deps/openssl/openssl/doc/man3/SSL_get_session.pod index 967ccea564a30d..8d5d1f6b4792f4 100644 --- a/deps/openssl/openssl/doc/man3/SSL_get_session.pod +++ b/deps/openssl/openssl/doc/man3/SSL_get_session.pod @@ -37,8 +37,11 @@ L for information on how to determine whether an SSL_SESSION object can be used for resumption or not. Additionally, in TLSv1.3, a server can send multiple messages that establish a -session for a single connection. In that case the above functions will only -return information on the last session that was received. +session for a single connection. In that case, on the client side, the above +functions will only return information on the last session that was received. On +the server side they will only return information on the last session that was +sent, or if no session tickets were sent then the session for the current +connection. The preferred way for applications to obtain a resumable SSL_SESSION object is to use a new session callback as described in L. @@ -100,7 +103,7 @@ L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_group_to_name.pod b/deps/openssl/openssl/doc/man3/SSL_group_to_name.pod index 9c0e75c188684c..4551a1264c2936 100644 --- a/deps/openssl/openssl/doc/man3/SSL_group_to_name.pod +++ b/deps/openssl/openssl/doc/man3/SSL_group_to_name.pod 
@@ -20,7 +20,7 @@ or SSL_get_shared_group(). =head1 RETURN VALUES If non-NULL, SSL_group_to_name() returns the TLS group name -corresponding to the given I as a NULL-terminated string. +corresponding to the given I as a NUL-terminated string. If SSL_group_to_name() returns NULL, an error occurred; possibly no corresponding tlsname was registered during provider initialisation. diff --git a/deps/openssl/openssl/doc/man3/SSL_set_async_callback.pod b/deps/openssl/openssl/doc/man3/SSL_set_async_callback.pod index 9de735f8fc092a..e0a665dc451b1f 100644 --- a/deps/openssl/openssl/doc/man3/SSL_set_async_callback.pod +++ b/deps/openssl/openssl/doc/man3/SSL_set_async_callback.pod @@ -55,7 +55,7 @@ An example of the above functions would be the following: =item 1. -Application sets the async callback and callback data on an SSL connection +Application sets the async callback and callback data on an SSL connection by calling SSL_set_async_callback(). =item 2. @@ -121,7 +121,7 @@ SSL_get_async_status() were first added to OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_set_bio.pod b/deps/openssl/openssl/doc/man3/SSL_set_bio.pod index d88e6836b83af1..c666dc466ecd2d 100644 --- a/deps/openssl/openssl/doc/man3/SSL_set_bio.pod +++ b/deps/openssl/openssl/doc/man3/SSL_set_bio.pod @@ -78,7 +78,7 @@ and no references are consumed for the B. If the B and B parameters are different and the B is the same as the previously set value and the old B and B values were different -to each other, then one reference is consumed for the B and one +to each other, then one reference is consumed for the B and one reference is consumed for the B. =back 
@@ -102,7 +102,7 @@ SSL_set0_rbio() and SSL_set0_wbio() were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_set_fd.pod b/deps/openssl/openssl/doc/man3/SSL_set_fd.pod index 0b474eb99b9d81..691b068d73fc70 100644 --- a/deps/openssl/openssl/doc/man3/SSL_set_fd.pod +++ b/deps/openssl/openssl/doc/man3/SSL_set_fd.pod @@ -45,6 +45,17 @@ The operation succeeded. =back +=head1 NOTES + +On Windows, a socket handle is a 64-bit data type (UINT_PTR), which leads to a +compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) when +passing the socket handle to SSL_set_*fd(). For the time being, this warning can +safely be ignored, because although the Microsoft documentation claims that the +upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the current socket() +implementation returns an index into the kernel handle table, the size of which +is limited to 2^24. + + =head1 SEE ALSO L, L, @@ -53,7 +64,7 @@ L, L , L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509V3_set_ctx.pod b/deps/openssl/openssl/doc/man3/X509V3_set_ctx.pod index 1fc5111de43f54..8287802e41b2f7 100644 --- a/deps/openssl/openssl/doc/man3/X509V3_set_ctx.pod +++ b/deps/openssl/openssl/doc/man3/X509V3_set_ctx.pod 
@@ -18,12 +18,16 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation utilities X509V3_set_ctx() fills in the basic fields of I of type B, providing details potentially needed by functions producing X509 v3 extensions, e.g., to look up values for filling in authority key identifiers. -Any of I, I, or I may be provided, pointing to a certificate, +Any of I, I, or I may be provided, pointing to a certificate, certification request, or certificate revocation list, respectively. -If I or I is provided, I should point to its issuer, +When constructing the subject key identifier of a certificate by computing a +hash value of its public key, the public key is taken from I or I. +Similarly, when constructing subject alternative names from any email addresses +contained in a subject DN, the subject DN is taken from I or I. +If I or I is provided, I should point to its issuer, for instance to help generating an authority key identifier extension. -Note that if I is provided, I may be the same as I, -which means that I is self-issued (or even self-signed). +Note that if I is provided, I may be the same as I, +which means that I is self-issued (or even self-signed). I may be 0 or contain B, which means that just the syntax of extension definitions is to be checked without actually producing an extension, diff --git a/deps/openssl/openssl/doc/man3/X509_dup.pod b/deps/openssl/openssl/doc/man3/X509_dup.pod index b68d42e934b09d..9fc355c7ce3478 100644 --- a/deps/openssl/openssl/doc/man3/X509_dup.pod +++ b/deps/openssl/openssl/doc/man3/X509_dup.pod 
@@ -320,9 +320,9 @@ X509_dup, void TYPE_free(TYPE *a); int TYPE_print_ctx(BIO *out, TYPE *a, int indent, const ASN1_PCTX *pctx); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: DSA *DSAparams_dup(const DSA *dsa); RSA *RSAPrivateKey_dup(const RSA *rsa); diff --git a/deps/openssl/openssl/doc/man3/X509_get0_signature.pod b/deps/openssl/openssl/doc/man3/X509_get0_signature.pod index 0d251a0012ed3c..e37a04fe8b2722 100644 --- a/deps/openssl/openssl/doc/man3/X509_get0_signature.pod +++ b/deps/openssl/openssl/doc/man3/X509_get0_signature.pod @@ -3,8 +3,8 @@ =head1 NAME X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo, -X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, -X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, +X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, +X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set - signature information =head1 SYNOPSIS @@ -132,7 +132,7 @@ were added in OpenSSL 1.1.1e. =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_get_pubkey.pod b/deps/openssl/openssl/doc/man3/X509_get_pubkey.pod index e9626672e16c8a..fea0064b9bb2ed 100644 --- a/deps/openssl/openssl/doc/man3/X509_get_pubkey.pod +++ b/deps/openssl/openssl/doc/man3/X509_get_pubkey.pod 
@@ -14,7 +14,7 @@ public key EVP_PKEY *X509_get_pubkey(X509 *x); EVP_PKEY *X509_get0_pubkey(const X509 *x); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); - X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x); + X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x); EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req); @@ -77,7 +77,7 @@ L =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_get_subject_name.pod b/deps/openssl/openssl/doc/man3/X509_get_subject_name.pod index 5a4ff4755468f2..64659de6ab6a72 100644 --- a/deps/openssl/openssl/doc/man3/X509_get_subject_name.pod +++ b/deps/openssl/openssl/doc/man3/X509_get_subject_name.pod @@ -15,8 +15,6 @@ get X509_NAME hashes or get and set issuer or subject names unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, const char *propq, int *ok); -Deprecated since OpenSSL 3.0: - #define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) X509_NAME *X509_get_subject_name(const X509 *x); int X509_set_subject_name(X509 *x, const X509_NAME *name); @@ -32,6 +30,12 @@ Deprecated since OpenSSL 3.0: X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); int X509_CRL_set_issuer_name(X509_CRL *x, const X509_NAME *name); +The following macro has been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: + + #define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) + =head1 DESCRIPTION X509_NAME_hash_ex() returns a hash value of name I or 0 on failure, diff --git a/deps/openssl/openssl/doc/man3/X509_load_http.pod b/deps/openssl/openssl/doc/man3/X509_load_http.pod index 93a63c68cfbd2f..a147c43caa3fde 100644 
--- a/deps/openssl/openssl/doc/man3/X509_load_http.pod +++ b/deps/openssl/openssl/doc/man3/X509_load_http.pod @@ -15,9 +15,9 @@ X509_CRL_http_nbio X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following macros have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: #define X509_http_nbio(rctx, pcert) #define X509_CRL_http_nbio(rctx, pcrl) diff --git a/deps/openssl/openssl/doc/man3/d2i_RSAPrivateKey.pod b/deps/openssl/openssl/doc/man3/d2i_RSAPrivateKey.pod index 20cdfb1fcb4c86..b4f5b466090004 100644 --- a/deps/openssl/openssl/doc/man3/d2i_RSAPrivateKey.pod +++ b/deps/openssl/openssl/doc/man3/d2i_RSAPrivateKey.pod @@ -70,9 +70,9 @@ i2d_EC_PUBKEY_fp =for openssl generic -Deprecated since OpenSSL 3.0, can be hidden entirely by defining -B with a suitable version value, see -L: +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: TYPE *d2i_TYPEPrivateKey(TYPE **a, const unsigned char **ppin, long length); TYPE *d2i_TYPEPrivateKey_bio(BIO *bp, TYPE **a); @@ -172,13 +172,13 @@ There are two migration paths: =item * Replace -bPrivateKey()> with L, -bPublicKey()> with L, -bparams()> with L, -b_PUBKEY()> with L, -bPrivateKey()> with L, -bPublicKey()> with L, -bparams()> with L, +bPrivateKey()> with L, +bPublicKey()> with L, +bparams()> with L, +b_PUBKEY()> with L, +bPrivateKey()> with L, +bPublicKey()> with L, +bparams()> with L, b_PUBKEY()> with L. A caveat is that L may output a DER encoded PKCS#8 outermost structure instead of the type specific structure, and that 
diff --git a/deps/openssl/openssl/doc/man3/d2i_X509.pod b/deps/openssl/openssl/doc/man3/d2i_X509.pod index 5de84a9244a39b..2bb1522f05dd4b 100644 --- a/deps/openssl/openssl/doc/man3/d2i_X509.pod +++ b/deps/openssl/openssl/doc/man3/d2i_X509.pod @@ -154,6 +154,8 @@ d2i_TS_TST_INFO_bio, d2i_TS_TST_INFO_fp, d2i_USERNOTICE, d2i_X509, +d2i_X509_bio, +d2i_X509_fp, d2i_X509_ALGOR, d2i_X509_ALGORS, d2i_X509_ATTRIBUTE, @@ -325,6 +327,8 @@ i2d_TS_TST_INFO_bio, i2d_TS_TST_INFO_fp, i2d_USERNOTICE, i2d_X509, +i2d_X509_bio, +i2d_X509_fp, i2d_X509_ALGOR, i2d_X509_ALGORS, i2d_X509_ATTRIBUTE, diff --git a/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod b/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod index 4a9cbe5b38214f..97208a92224358 100644 --- a/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod +++ b/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod @@ -11,7 +11,7 @@ i2d_re_X509_tbs, i2d_re_X509_CRL_tbs, i2d_re_X509_REQ_tbs #include X509 *d2i_X509_AUX(X509 **px, const unsigned char **in, long len); - int i2d_X509_AUX(X509 *x, unsigned char **out); + int i2d_X509_AUX(const X509 *x, unsigned char **out); int i2d_re_X509_tbs(X509 *x, unsigned char **out); int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp); int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp); @@ -78,7 +78,7 @@ L =head1 COPYRIGHT -Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man5/x509v3_config.pod b/deps/openssl/openssl/doc/man5/x509v3_config.pod index fb7c3aaff7cf19..1830092394bc90 100644 --- a/deps/openssl/openssl/doc/man5/x509v3_config.pod +++ b/deps/openssl/openssl/doc/man5/x509v3_config.pod 
@@ -194,13 +194,16 @@ Otherwise it may have the value B or B or both of them, separated by C<,>. Either or both can have the option B, indicated by putting a colon C<:> between the value and this option. +For self-signed certificates the AKID is suppressed unless B is present. By default the B, B, and B apps behave as if "none" was given for self-signed certificates and "keyid, issuer" otherwise. -If B is present, an attempt is made to compute the hash of the public key -corresponding to the signing key in case the certificate is self-signed, -or else to copy the subject key identifier (SKID) from the issuer certificate. -If this fails and the option B is present, an error is returned. +If B is present, an attempt is made to +copy the subject key identifier (SKID) from the issuer certificate except if +the issuer certificate is the same as the current one and it is not self-signed. +The hash of the public key related to the signing key is taken as fallback +if the issuer certificate is the same as the current certificate. +If B is present but no value can be obtained, an error is returned. If B is present, and in addition it has the option B specified or B is not present, @@ -225,9 +228,11 @@ B (a distinguished name), and B. The syntax of each is described in the following paragraphs. -The B option has a special C value, which will automatically -include any email addresses contained in the certificate subject name in -the extension. +The B option has two special values. +C will automatically include any email addresses +contained in the certificate subject name in the extension. +C will automatically move any email addresses +from the certificate subject name to the extension. The IP address used in the B option can be in either IPv4 or IPv6 format. 
@@ -289,8 +294,8 @@ B, where B is an object identifier syntax as subject alternative name (except that B is not supported). Possible values for access_id include B (OCSP responder), -B (CA Issuers), -B (AD Time Stamping), +B (CA Issuers), +B (AD Time Stamping), B (ad dvcs), B (CA Repository). diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod index 74d1b71aca0113..08369abff15907 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod @@ -121,7 +121,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate key, (size_t)1024); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, xcghash, (size_t)32); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, session_id, (size_t)32); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, &type, sizeof(type)); diff --git a/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod b/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod index 95076b1ebd039b..a710625f223133 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod @@ -74,7 +74,7 @@ Keys for the host and peer must be generated as shown in L using the same curve name. The code to generate a shared secret for the normal case is identical to -L. +L. To derive a shared secret on the host using the host's key and the peer's public key but also using X963KDF with a user key material: diff --git a/deps/openssl/openssl/doc/man7/EVP_PKEY-DH.pod b/deps/openssl/openssl/doc/man7/EVP_PKEY-DH.pod index 9da5d9c6efec6a..cd34d323ee11db 100644 --- a/deps/openssl/openssl/doc/man7/EVP_PKEY-DH.pod +++ b/deps/openssl/openssl/doc/man7/EVP_PKEY-DH.pod 
@@ -74,7 +74,7 @@ See EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key(). Used for DH generation of safe primes using the old safe prime generator code. The default value is 2. It is recommended to use a named safe prime group instead, if domain parameter -validation is required. +validation is required. Randomly generated safe primes are not allowed by FIPS, so setting this value for the OpenSSL FIPS provider will instead choose a named safe prime group @@ -156,7 +156,7 @@ A B key can be generated with a named safe prime group by calling: EVP_PKEY_CTX_set_params(pctx, params); EVP_PKEY_generate(pctx, &pkey); ... - EVP_PKEY_free(key); + EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(pctx); B domain parameters can be generated according to B by calling: diff --git a/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod b/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod index 31d92bf8a19482..a3c3ccb705615a 100644 --- a/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod +++ b/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod @@ -71,7 +71,7 @@ I multiplied by the I gives the number of points on the curve. =item "decoded-from-explicit" (B) Gets a flag indicating wether the key or parameters were decoded from explicit -curve parameters. Set to 1 if so or 0 if a named curve was used. +curve parameters. Set to 1 if so or 0 if a named curve was used. =item "use-cofactor-flag" (B) diff --git a/deps/openssl/openssl/doc/man7/EVP_PKEY-FFC.pod b/deps/openssl/openssl/doc/man7/EVP_PKEY-FFC.pod index 3ab243f45a49f3..dab7380fc2dfd8 100644 --- a/deps/openssl/openssl/doc/man7/EVP_PKEY-FFC.pod +++ b/deps/openssl/openssl/doc/man7/EVP_PKEY-FFC.pod @@ -92,7 +92,7 @@ of I

. This value must be saved if domain parameter validation is required. =item "hindex" (B) -For unverifiable generation of the generator I this value is output during +For unverifiable generation of the generator I this value is output during generation of I. Its value is the first integer larger than one that satisfies g = h^j mod p (where g != 1 and "j" is the cofactor). diff --git a/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod b/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod index 56e9d755e3ddb5..a70015345b7edd 100644 --- a/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod +++ b/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod @@ -52,9 +52,8 @@ they can all be set as well as read. =item "test_entropy" (B) Sets the bytes returned when the test generator is sent an entropy request. -When entropy is requested, these bytes are treated as a cyclic buffer and they -are repeated as required. The current position is remembered across generate -calls. +The current position is remembered across generate calls. +If there are insufficient data present to satisfy a call, an error is returned. =item "test_nonce" (B) diff --git a/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-DSA.pod b/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-DSA.pod index 11fe500cb33db0..5a42d6b1cd224f 100644 --- a/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-DSA.pod +++ b/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-DSA.pod @@ -14,7 +14,7 @@ See L for information related to DSA keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 
@@ -48,7 +48,7 @@ L, =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-ECDSA.pod b/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-ECDSA.pod index 04b80a111831b7..0f6aa13c4a2f28 100644 --- a/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-ECDSA.pod +++ b/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-ECDSA.pod @@ -13,7 +13,7 @@ See L for information related to EC keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 @@ -47,7 +47,7 @@ L, =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-RSA.pod b/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-RSA.pod index 1be30b3158f94b..06ca036f0c4618 100644 --- a/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-RSA.pod +++ b/deps/openssl/openssl/doc/man7/EVP_SIGNATURE-RSA.pod @@ -14,7 +14,7 @@ See L for information related to RSA keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 
@@ -32,11 +32,11 @@ The type of padding to be used. Its value can be one of the following: =item "none" (B) -=item "pkcs1" (B) +=item "pkcs1" (B) =item "x931" (B) -=item "pss" (B) +=item "pss" (B) =back diff --git a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod index 0eac85b324bb4b..00ab7977f487e8 100644 --- a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -6,7 +6,7 @@ OSSL_PROVIDER-FIPS - OpenSSL FIPS provider =head1 DESCRIPTION -The OpenSSL FIPS provider is a special provider that conforms to the Federal +The OpenSSL FIPS provider is a special provider that conforms to the Federal Information Processing Standards (FIPS) specified in FIPS 140-2. This 'module' contains an approved set of cryptographic algorithms that is validated by an accredited testing laboratory. @@ -214,7 +214,7 @@ Known answer test for a digest. Known answer test for a signature. -=item "PCT_Signature" (B) +=item "PCT_Signature" (B) Pairwise Consistency check for a signature. diff --git a/deps/openssl/openssl/doc/man7/RAND.pod b/deps/openssl/openssl/doc/man7/RAND.pod index 39a7bcc81e221c..c4a630856c58bd 100644 --- a/deps/openssl/openssl/doc/man7/RAND.pod +++ b/deps/openssl/openssl/doc/man7/RAND.pod @@ -54,7 +54,7 @@ only in exceptional cases and is not recommended, unless you have a profound knowledge of cryptographic principles and understand the implications of your changes. -=head1 DEAFULT SETUP +=head1 DEFAULT SETUP The default OpenSSL RAND method is based on the EVP_RAND deterministic random bit generator (DRBG) classes. diff --git a/deps/openssl/openssl/doc/man7/bio.pod b/deps/openssl/openssl/doc/man7/bio.pod index e2c11665b9d8fd..9b86e9493d1c1f 100644 --- a/deps/openssl/openssl/doc/man7/bio.pod +++ b/deps/openssl/openssl/doc/man7/bio.pod 
@@ -49,7 +49,7 @@ BIO_free() on it other than the discarded return value. Normally the I argument is supplied by a function which returns a pointer to a BIO_METHOD. There is a naming convention for such functions: -a source/sink BIO typically starts with I and +a source/sink BIO typically starts with I and a filter BIO with I. =head1 EXAMPLES diff --git a/deps/openssl/openssl/doc/man7/crypto.pod b/deps/openssl/openssl/doc/man7/crypto.pod index 78fb8f8f3784fc..2b09ad8903a21e 100644 --- a/deps/openssl/openssl/doc/man7/crypto.pod +++ b/deps/openssl/openssl/doc/man7/crypto.pod @@ -167,8 +167,8 @@ call to L. =head2 Implicit fetch OpenSSL has a number of functions that return an algorithm object with no -associated implementation, such as L, -L or L. These are present for +associated implementation, such as L, L, +L or L. These are present for compatibility with OpenSSL before version 3.0 where explicit fetching was not available. 
@@ -181,6 +181,35 @@ is supplied. In this case an algorithm implementation is implicitly fetched using default search criteria and an algorithm name that is consistent with the context in which it is being used. +Functions that revolve around B and L, such as +L and friends, all fetch the implementations +implicitly. Because these functions involve both an operation type (such as +L) and an L for the L, they try +the following: + +=over 4 + +=item 1. + +Fetch the operation type implementation from any provider given a library +context and property string stored in the B. + +If the provider of the operation type implementation is different from the +provider of the L's L implementation, try to +fetch a L implementation in the same provider as the operation +type implementation and export the L to it (effectively making a +temporary copy of the original key). + +If anything in this step fails, the next step is used as a fallback. + +=item 2. + +As a fallback, try to fetch the operation type implementation from the same +provider as the original L's L, still using the +propery string from the B. + +=back + =head1 FETCHING EXAMPLES The following section provides a series of examples of fetching algorithm @@ -259,7 +288,7 @@ algorithm identifier to the appropriate fetching function. Also see the provider specific manual pages linked below for further details about using the algorithms available in each of the providers. -As well as the OpenSSL providers third parties can also implemment providers. +As well as the OpenSSL providers third parties can also implement providers. For information on writing a provider see L. =head2 Default provider diff --git a/deps/openssl/openssl/doc/man7/life_cycle-cipher.pod b/deps/openssl/openssl/doc/man7/life_cycle-cipher.pod index 227cc18b8d7990..1fe05688ed3e34 100644 --- a/deps/openssl/openssl/doc/man7/life_cycle-cipher.pod +++ b/deps/openssl/openssl/doc/man7/life_cycle-cipher.pod 
@@ -126,12 +126,12 @@ This is the canonical list. Function Call ---------------------------------------------- Current State ----------------------------------------------- start newed initialised updated finaled initialised updated initialised updated freed decryption decryption encryption encryption - EVP_CIPHER_CTX_new newed + EVP_CIPHER_CTX_new newed EVP_CipherInit initialised initialised initialised initialised initialised initialised initialised initialised EVP_DecryptInit initialised initialised initialised initialised initialised initialised initialised initialised - decryption decryption decryption decryption decryption decryption decryption decryption + decryption decryption decryption decryption decryption decryption decryption decryption EVP_EncryptInit initialised initialised initialised initialised initialised initialised initialised initialised - encryption encryption encryption encryption encryption encryption encryption encryption + encryption encryption encryption encryption encryption encryption encryption encryption EVP_CipherUpdate updated updated EVP_DecryptUpdate updated updated decryption decryption diff --git a/deps/openssl/openssl/doc/man7/life_cycle-digest.pod b/deps/openssl/openssl/doc/man7/life_cycle-digest.pod index 5425f57dd56f73..709fd0d04ce7eb 100644 --- a/deps/openssl/openssl/doc/man7/life_cycle-digest.pod +++ b/deps/openssl/openssl/doc/man7/life_cycle-digest.pod @@ -93,7 +93,7 @@ This is the canonical list. Function Call --------------------- Current State ---------------------- start newed initialised updated finaled freed - EVP_MD_CTX_new newed + EVP_MD_CTX_new newed EVP_DigestInit initialised initialised initialised initialised EVP_DigestUpdate updated updated EVP_DigestFinal finaled diff --git a/deps/openssl/openssl/doc/man7/life_cycle-kdf.pod b/deps/openssl/openssl/doc/man7/life_cycle-kdf.pod index 6a50cc9aa6f2a9..9fe042a2c24d3c 100644 --- a/deps/openssl/openssl/doc/man7/life_cycle-kdf.pod 
+++ b/deps/openssl/openssl/doc/man7/life_cycle-kdf.pod @@ -75,7 +75,7 @@ This is the canonical list. Function Call ------------- Current State ------------- start newed deriving freed - EVP_KDF_CTX_new newed + EVP_KDF_CTX_new newed EVP_KDF_derive deriving deriving EVP_KDF_CTX_free freed freed freed EVP_KDF_CTX_reset newed newed @@ -103,19 +103,19 @@ This is the canonical list. EVP_KDF_derive - newed deriving - -EVP_KDF_CTX_free - - newed deriving -EVP_KDF_CTX_reset +EVP_KDF_CTX_free freed freed freed +EVP_KDF_CTX_reset + + newed + newed + EVP_KDF_CTX_get_params newed diff --git a/deps/openssl/openssl/doc/man7/life_cycle-mac.pod b/deps/openssl/openssl/doc/man7/life_cycle-mac.pod index 1a9a008818225e..60b8b55d4bf076 100644 --- a/deps/openssl/openssl/doc/man7/life_cycle-mac.pod +++ b/deps/openssl/openssl/doc/man7/life_cycle-mac.pod @@ -94,7 +94,7 @@ This is the canonical list. Function Call --------------------- Current State ---------------------- start newed initialised updated finaled freed - EVP_MAC_CTX_new newed + EVP_MAC_CTX_new newed EVP_MAC_init initialised initialised initialised initialised EVP_MAC_update updated updated EVP_MAC_final finaled diff --git a/deps/openssl/openssl/doc/man7/life_cycle-rand.pod b/deps/openssl/openssl/doc/man7/life_cycle-rand.pod index de2dfcb97ec137..8afb229b58ba4c 100644 --- a/deps/openssl/openssl/doc/man7/life_cycle-rand.pod +++ b/deps/openssl/openssl/doc/man7/life_cycle-rand.pod @@ -87,7 +87,7 @@ This is the canonical list. Function Call ------------------ Current State ------------------ start newed instantiated uninstantiated freed - EVP_RAND_CTX_new newed + EVP_RAND_CTX_new newed EVP_RAND_instantiate instantiated EVP_RAND_generate instantiated EVP_RAND_uninstantiate uninstantiated diff --git a/deps/openssl/openssl/doc/man7/migration_guide.pod b/deps/openssl/openssl/doc/man7/migration_guide.pod index 02d2327ee2f7f7..67e102fa4c181c 100644 --- a/deps/openssl/openssl/doc/man7/migration_guide.pod 
+++ b/deps/openssl/openssl/doc/man7/migration_guide.pod @@ -119,7 +119,22 @@ bypass provider selection and configuration, with unintended consequences. This is particularly relevant for applications written to use the OpenSSL 3.0 FIPS module, as detailed below. Authors and maintainers of external engines are strongly encouraged to refactor their code transforming engines into providers -using the new Provider API and avoiding deprecated methods. +using the new Provider API and avoiding deprecated methods. + +=head3 Support of legacy engines + +If openssl is not built without engine support or deprecated API support, engines +will still work. However, their applicability will be limited. + +New algorithms provided via engines will still work. + +Engine-backed keys can be loaded via custom B implementation. +In this case the B objects created via L +will be concidered legacy and will continue to work. + +To ensure the future compatibility, the engines should be turned to providers. +To prefer the provider-based hardware offload, you can specify the default +properties to prefer your provider. =head3 Versioning Scheme @@ -133,7 +148,7 @@ at the end of the release version number. This will no longer be used and instead the patch level is indicated by the final number in the version. A change in the second (MINOR) number indicates that new features may have been added. OpenSSL versions with the same major number are API and ABI compatible. -If the major number changes then API and ABI compatibility is not guaranteed. +If the major number changes then API and ABI compatibility is not guaranteed. For more information, see L. 
@@ -409,7 +424,7 @@ enable them to be "freed". However they should also be treated as read-only. This may mean result in an error in L rather than during L. -To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). +To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). =head4 The print format has cosmetic changes for some functions @@ -451,6 +466,11 @@ For example when setting an unsupported curve with EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not fail but later keygen operations with the EVP_PKEY_CTX will fail. +=head4 Removal of function code from the error codes + +The function code part of the error code is now always set to 0. For that +reason the ERR_GET_FUNC() macro was removed. Applications must resolve +the error codes only using the library number and the reason code. =head2 Installation and Compilation @@ -541,14 +561,14 @@ The code needs to be amended to look like this: Support for TLSv1.3 has been added. -This has a number of implications for SSL/TLS applications. See the +This has a number of implications for SSL/TLS applications. See the L for further details. =back More details about the breaking changes between OpenSSL versions 1.0.2 and 1.1.0 can be found on the -L. +L. =head3 Upgrading from the OpenSSL 2.0 FIPS Object Module @@ -985,7 +1005,7 @@ APIs, or alternatively use L or L. Functions that access low-level objects directly such as L are now deprecated. Applications should use one of L, L, l, -L, L or +L, L or L to access fields from an EVP_PKEY. Gettable parameters are listed in L, L, L, 
@@ -1115,7 +1135,7 @@ Bi-directional IGE mode. These modes were never formally standardised and usage of these functions is believed to be very small. In particular AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but -this issue was never fixed for backwards compatibility reasons. +this issue was never fixed for backwards compatibility reasons. =item * @@ -1265,7 +1285,7 @@ DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(), DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(), DES_ecb_encrypt(), DES_ecb3_encrypt(), DES_ofb64_encrypt(), DES_ofb_encrypt(), DES_cfb64_encrypt DES_cfb_encrypt(), DES_cbc_encrypt(), DES_ncbc_encrypt(), -DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(), DES_quad_cksum(), +DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(), DES_quad_cksum(), DES_check_key_parity(), DES_is_weak_key(), DES_key_sched(), DES_options(), DES_random_key(), DES_set_key(), DES_set_key_checked(), DES_set_key_unchecked(), DES_set_odd_parity(), DES_string_to_2keys(), DES_string_to_key() @@ -1513,7 +1533,7 @@ EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags() See L which handles flags as seperate parameters for B, B, B, -B and +B and B. See also L @@ -1715,7 +1735,7 @@ See L for further details. =item * -EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(), +EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(), Applications should use L and L or L and L instead. @@ -1795,7 +1815,7 @@ See L. i2d_DHparams(), i2d_DHxparams() See L -and L +and L =item * @@ -1804,7 +1824,7 @@ i2d_DSAPrivateKey_fp(), i2d_DSA_PUBKEY(), i2d_DSA_PUBKEY_bio(), i2d_DSA_PUBKEY_fp(), i2d_DSAPublicKey() See L -and L +and L =item * @@ -1813,7 +1833,7 @@ i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(), i2d_EC_PUBKEY_fp(), i2o_ECPublicKey() See L -and L +and L =item * 
@@ -1822,7 +1842,7 @@ i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(), i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp() See L -and L +and L =item * @@ -2201,7 +2221,7 @@ B<-provider_path> and B<-provider> are available to all apps and can be used multiple times to load any providers, such as the 'legacy' provider or third party providers. If used then the 'default' provider would also need to be specified if required. The B<-provider_path> must be specified before the -B<-provider> option. +B<-provider> option. The B app has many new options. See L for more information. diff --git a/deps/openssl/openssl/doc/man7/openssl-core.h.pod b/deps/openssl/openssl/doc/man7/openssl-core.h.pod index 03980a4b569b84..3d1eca3e649ab9 100644 --- a/deps/openssl/openssl/doc/man7/openssl-core.h.pod +++ b/deps/openssl/openssl/doc/man7/openssl-core.h.pod @@ -67,7 +67,7 @@ or canonical name, on a per algorithm implementation basis. This type is a structure that allows passing arbitrary object data between two parties that have no or very little shared knowledge about -their respective internal structures for that object. +their respective internal structures for that object. It's normally passed in arrays, where the array is terminated with an element where all fields are zero (for non-pointers) or NULL (for pointers). diff --git a/deps/openssl/openssl/doc/man7/openssl-env.pod b/deps/openssl/openssl/doc/man7/openssl-env.pod index f691191b6f43a2..a2443d54d82291 100644 --- a/deps/openssl/openssl/doc/man7/openssl-env.pod +++ b/deps/openssl/openssl/doc/man7/openssl-env.pod 
@@ -74,6 +74,19 @@ See L. Additional arguments for the L command. +=item B, B, B, B, B + +OpenSSL supports a number of different algorithm implementations for +various machines and, by default, it determines which to use based on the +processor capabilities and run time feature enquiry. These environment +variables can be used to exert more control over this selection process. +See L, L. + +=item B, B, B + +Specify a proxy hostname. +See L. + =back =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/openssl-glossary.pod b/deps/openssl/openssl/doc/man7/openssl-glossary.pod index 16ff2f317619b3..b112b375ac2019 100644 --- a/deps/openssl/openssl/doc/man7/openssl-glossary.pod +++ b/deps/openssl/openssl/doc/man7/openssl-glossary.pod @@ -132,7 +132,7 @@ L =item Operation -An operation is a group of OpenSSL functions with a common purpose such as +An operation is a group of OpenSSL functions with a common purpose such as encryption, or digesting. L diff --git a/deps/openssl/openssl/doc/man7/ossl_store.pod b/deps/openssl/openssl/doc/man7/ossl_store.pod index 68503cd0929df1..3152cff104240a 100644 --- a/deps/openssl/openssl/doc/man7/ossl_store.pod +++ b/deps/openssl/openssl/doc/man7/ossl_store.pod @@ -58,7 +58,7 @@ other encoding is undefined. * here just one example */ switch (OSSL_STORE_INFO_get_type(info)) { - case OSSL_STORE_INFO_X509: + case OSSL_STORE_INFO_CERT: /* Print the X.509 certificate text */ X509_print_fp(stdout, OSSL_STORE_INFO_get0_CERT(info)); /* Print the X.509 certificate PEM output */ @@ -77,7 +77,7 @@ L =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/property.pod b/deps/openssl/openssl/doc/man7/property.pod index 90368b1f8d0254..7b89d1823b0382 100644 
--- a/deps/openssl/openssl/doc/man7/property.pod +++ b/deps/openssl/openssl/doc/man7/property.pod @@ -41,7 +41,8 @@ property names like A I is a I pair. A I is a sequence of comma separated properties. -There can be any number of properties in a definition. +There can be any number of properties in a definition, however each name must +be unique. For example: "" defines an empty property definition (i.e., no restriction); "my.foo=bar" defines a property named I which has a string value I and "iteration.count=3" defines a property named I which @@ -68,6 +69,7 @@ Matching such clauses is not a requirement, but any additional optional match counts in favor of the algorithm. More details about that in the B section. A I is a sequence of comma separated property query clauses. +It is an error if a property name appears in more than one query clause. The full syntax for property queries appears below, but the available syntactic features are: @@ -144,7 +146,7 @@ setting. The lexical syntax in EBNF is given by: - Definition ::= PropertyName ( '=' Value )? + Definition ::= PropertyName ( '=' Value )? ( ',' PropertyName ( '=' Value )? )* Query ::= PropertyQuery ( ',' PropertyQuery )* PropertyQuery ::= '-' PropertyName @@ -162,7 +164,7 @@ Properties were added in OpenSSL 3.0 =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/provider-base.pod b/deps/openssl/openssl/doc/man7/provider-base.pod index ac197accca38d9..f928934ab71e64 100644 --- a/deps/openssl/openssl/doc/man7/provider-base.pod +++ b/deps/openssl/openssl/doc/man7/provider-base.pod 
@@ -42,11 +42,6 @@ provider-base */ void *CRYPTO_malloc(size_t num, const char *file, int line); void *CRYPTO_zalloc(size_t num, const char *file, int line); - void *CRYPTO_memdup(const void *str, size_t siz, - const char *file, int line); - char *CRYPTO_strdup(const char *str, const char *file, int line); - char *CRYPTO_strndup(const char *str, size_t s, - const char *file, int line); void CRYPTO_free(void *ptr, const char *file, int line); void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line); @@ -153,9 +148,6 @@ provider): core_obj_create OSSL_FUNC_CORE_OBJ_CREATE CRYPTO_malloc OSSL_FUNC_CRYPTO_MALLOC CRYPTO_zalloc OSSL_FUNC_CRYPTO_ZALLOC - CRYPTO_memdup OSSL_FUNC_CRYPTO_MEMDUP - CRYPTO_strdup OSSL_FUNC_CRYPTO_STRDUP - CRYPTO_strndup OSSL_FUNC_CRYPTO_STRNDUP CRYPTO_free OSSL_FUNC_CRYPTO_FREE CRYPTO_clear_free OSSL_FUNC_CRYPTO_CLEAR_FREE CRYPTO_realloc OSSL_FUNC_CRYPTO_REALLOC @@ -220,10 +212,14 @@ the thread that is stopping and gets passed the provider context as an argument. This may be useful to perform thread specific clean up such as freeing thread local variables. -core_get_libctx() retrieves the library context in which the library +core_get_libctx() retrieves the core context in which the library object for the current provider is stored, accessible through the I. -This may sometimes be useful if the provider wishes to store a -reference to its context in the same library context. +This function is useful only for built-in providers such as the default +provider. Never cast this to OSSL_LIB_CTX in a provider that is not +built-in as the OSSL_LIB_CTX of the library loading the provider might be +a completely different structure than the OSSL_LIB_CTX of the library the +provider is linked to. Use L instead to obtain +a proper library context that is linked to the application library context. core_new_error(), core_set_error_debug() and core_vset_error() are building blocks for reporting an error back to the core, with 
@@ -285,8 +281,7 @@ underlying signature or digest algorithm). It returns 1 on success or 0 on failure. This function is not thread safe. -CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_memdup(), CRYPTO_strdup(), -CRYPTO_strndup(), CRYPTO_free(), CRYPTO_clear_free(), +CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_free(), CRYPTO_clear_free(), CRYPTO_realloc(), CRYPTO_clear_realloc(), CRYPTO_secure_malloc(), CRYPTO_secure_zalloc(), CRYPTO_secure_free(), CRYPTO_secure_clear_free(), CRYPTO_secure_allocated(), @@ -443,7 +438,7 @@ different for any third party provider. This returns 0 if the provider has entered an error state, otherwise it returns 1. -=back +=back provider_gettable_params() should return the above parameters. diff --git a/deps/openssl/openssl/doc/man7/provider-keyexch.pod b/deps/openssl/openssl/doc/man7/provider-keyexch.pod index ebfcd8515308f9..f85f3cac508173 100644 --- a/deps/openssl/openssl/doc/man7/provider-keyexch.pod +++ b/deps/openssl/openssl/doc/man7/provider-keyexch.pod @@ -43,7 +43,7 @@ This documentation is primarily aimed at provider authors. See L for further information. The key exchange (OSSL_OP_KEYEXCH) operation enables providers to implement key -exchange algorithms and make them available to applications via +exchange algorithms and make them available to applications via L and other related functions). diff --git a/deps/openssl/openssl/doc/man7/provider-keymgmt.pod b/deps/openssl/openssl/doc/man7/provider-keymgmt.pod index 000c8cab3fe18c..fc8d995f4440cb 100644 --- a/deps/openssl/openssl/doc/man7/provider-keymgmt.pod +++ b/deps/openssl/openssl/doc/man7/provider-keymgmt.pod 
@@ -200,12 +200,11 @@ Indicating that everything in a key object should be considered. The exact interpretation of those bits or how they combine is left to each function where you can specify a selector. -=for comment One might think that a combination of bits means that all -the selected data subsets must be considered, but then you have to -consider that when comparing key objects (future function), an -implementation might opt to not compare the private key if it has -compared the public key, since a match of one half implies a match of -the other half. +It's left to the provider implementation to decide what is reasonable +to do with regards to received selector bits and how to do it. +Among others, an implementation of OSSL_FUNC_keymgmt_match() might opt +to not compare the private half if it has compared the public half, +since a match of one half implies a match of the other half. =head2 Constructing and Destructing Functions @@ -237,7 +236,7 @@ OSSL_FUNC_keymgmt_gen_set_params() should set additional parameters from I in the key object generation context I. OSSL_FUNC_keymgmt_gen_settable_params() should return a constant array of -descriptor B, for parameters that OSSL_FUNC_keymgmt_gen_set_params() +descriptor B, for parameters that OSSL_FUNC_keymgmt_gen_set_params() can handle. OSSL_FUNC_keymgmt_gen() should perform the key object generation itself, and 
@@ -254,9 +253,10 @@ provider knows how to interpret, but that may come from other operations. Outside the provider, this reference is simply an array of bytes. At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and -OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free(). -Additionally, if OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init() -and OSSL_FUNC_keymgmt_gen_cleanup() must be present as well. +OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free() and +OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, +OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be +present as well. =head2 Key Object Information Functions diff --git a/deps/openssl/openssl/doc/man7/provider-signature.pod b/deps/openssl/openssl/doc/man7/provider-signature.pod index 9cb3a620c339c0..9d4df86fd65d6c 100644 --- a/deps/openssl/openssl/doc/man7/provider-signature.pod +++ b/deps/openssl/openssl/doc/man7/provider-signature.pod @@ -18,7 +18,7 @@ provider-signature - The signature library E-E provider functions */ /* Context management */ - void *OSSL_FUNC_signature_newctx(void *provctx); + void *OSSL_FUNC_signature_newctx(void *provctx, const char *propq); void OSSL_FUNC_signature_freectx(void *ctx); void *OSSL_FUNC_signature_dupctx(void *ctx); @@ -104,7 +104,7 @@ function pointer from an B element named B. For example, the "function" OSSL_FUNC_signature_newctx() has these: - typedef void *(OSSL_FUNC_signature_newctx_fn)(void *provctx); + typedef void *(OSSL_FUNC_signature_newctx_fn)(void *provctx, const char *propq); static ossl_inline OSSL_FUNC_signature_newctx_fn OSSL_FUNC_signature_newctx(const OSSL_DISPATCH *opf); 
@@ -183,7 +183,9 @@ structure for holding context information during a signature operation. A pointer to this context will be passed back in a number of the other signature operation function calls. The parameter I is the provider context generated during provider -initialisation (see L). +initialisation (see L). The I parameter is a property query +string that may be (optionally) used by the provider during any "fetches" that +it may perform (if it performs any). OSSL_FUNC_signature_freectx() is passed a pointer to the provider side signature context in the I parameter. @@ -371,7 +373,7 @@ Sets a flag to modify the sign operation to return an error if the initial calculated signature is invalid. In the normal mode of operation - new random values are chosen until the signature operation succeeds. -By default it retries until a signature is calculated. +By default it retries until a signature is calculated. Setting the value to 0 causes the sign operation to retry, otherwise the sign operation is only tried once and returns whether or not it was successful. diff --git a/deps/openssl/openssl/doc/man7/proxy-certificates.pod b/deps/openssl/openssl/doc/man7/proxy-certificates.pod index 395fab86e5de0e..0a637f25df16eb 100644 --- a/deps/openssl/openssl/doc/man7/proxy-certificates.pod +++ b/deps/openssl/openssl/doc/man7/proxy-certificates.pod @@ -215,7 +215,7 @@ The following skeleton code can be used as a starting point: * bottom. You get the CA root first, followed by the * possible chain of intermediate CAs, followed by the EE * certificate, followed by the possible proxy - * certificates. + * certificates. */ X509 *xs = X509_STORE_CTX_get_current_cert(ctx); 
@@ -234,7 +234,7 @@ The following skeleton code can be used as a starting point: * by pulling them from some database. If there * are none to be found, clear all rights (making * this and any subsequent proxy certificate void - * of any rights). + * of any rights). */ memset(rights->rights, 0, sizeof(rights->rights)); break; @@ -351,7 +351,7 @@ L =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/engines/e_afalg.c b/deps/openssl/openssl/engines/e_afalg.c index d8d3ef610ca022..2c08cbb28dde39 100644 --- a/deps/openssl/openssl/engines/e_afalg.c +++ b/deps/openssl/openssl/engines/e_afalg.c @@ -683,11 +683,8 @@ static int afalg_cipher_cleanup(EVP_CIPHER_CTX *ctx) } actx = (afalg_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx); - if (actx == NULL || actx->init_done != MAGIC_INIT_NUM) { - ALG_WARN("%s afalg ctx passed\n", - ctx == NULL ? "NULL" : "Uninitialised"); - return 0; - } + if (actx == NULL || actx->init_done != MAGIC_INIT_NUM) + return 1; close(actx->sfd); close(actx->bfd); diff --git a/deps/openssl/openssl/engines/e_dasync.c b/deps/openssl/openssl/engines/e_dasync.c index e2e587d839361e..5a303a9f852820 100644 --- a/deps/openssl/openssl/engines/e_dasync.c +++ b/deps/openssl/openssl/engines/e_dasync.c @@ -211,7 +211,8 @@ static int bind_dasync(ENGINE *e) /* Setup RSA */ ; if ((dasync_rsa_orig = EVP_PKEY_meth_find(EVP_PKEY_RSA)) == NULL - || (dasync_rsa = EVP_PKEY_meth_new(EVP_PKEY_RSA, 0)) == NULL) + || (dasync_rsa = EVP_PKEY_meth_new(EVP_PKEY_RSA, + EVP_PKEY_FLAG_AUTOARGLEN)) == NULL) return 0; EVP_PKEY_meth_set_init(dasync_rsa, dasync_rsa_init); EVP_PKEY_meth_set_cleanup(dasync_rsa, dasync_rsa_cleanup); 
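Review bot: In `afalg_cipher_cleanup` the new early `return 1` treats a NULL or never-initialised `actx` as a successful cleanup without saying why, and the diagnostic that used to be logged is gone. A short comment above the `return 1;`, such as `/* Nothing was opened for this context, so there is nothing to close */`, would keep the intent visible. The two `close()` calls that follow are context lines and the function starts outside the hunk, so whether the descriptors are reset after closing cannot be judged from here.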
@@ -267,7 +268,8 @@ static int bind_dasync(ENGINE *e) || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc, EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE - | EVP_CIPH_FLAG_PIPELINE) + | EVP_CIPH_FLAG_PIPELINE + | EVP_CIPH_CUSTOM_COPY) || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc, dasync_aes128_init_key) || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc, @@ -292,7 +294,8 @@ static int bind_dasync(ENGINE *e) EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER - | EVP_CIPH_FLAG_PIPELINE) + | EVP_CIPH_FLAG_PIPELINE + | EVP_CIPH_CUSTOM_COPY) || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1, dasync_aes128_cbc_hmac_sha1_init_key) || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1, @@ -312,7 +315,10 @@ static int bind_dasync(ENGINE *e) static void destroy_pkey(void) { - EVP_PKEY_meth_free(dasync_rsa); + /* + * We don't actually need to free the dasync_rsa method since this is + * automatically freed for us by libcrypto. + */ dasync_rsa_orig = NULL; dasync_rsa = NULL; } @@ -576,7 +582,8 @@ static int dasync_sha1_final(EVP_MD_CTX *ctx, unsigned char *md) /* Cipher helper functions */ static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, int type, int arg, - void *ptr, int aeadcapable) + void *ptr, int aeadcapable, + const EVP_CIPHER *ciph) { int ret; struct dasync_pipeline_ctx *pipe_ctx = @@ -586,6 +593,18 @@ static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, int type, int arg, return 0; switch (type) { + case EVP_CTRL_COPY: + { + size_t sz = EVP_CIPHER_impl_ctx_size(ciph); + void *inner_cipher_data = OPENSSL_malloc(sz); + + if (inner_cipher_data == NULL) + return -1; + memcpy(inner_cipher_data, pipe_ctx->inner_cipher_data, sz); + pipe_ctx->inner_cipher_data = inner_cipher_data; + } + break; + case EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS: pipe_ctx->numpipes = arg; pipe_ctx->outbufs = (unsigned char **)ptr; 
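Review bot: The new `EVP_CTRL_COPY` case in `dasync_cipher_ctrl_helper` copies `sz` bytes out of `pipe_ctx->inner_cipher_data` without checking that pointer; only `pipe_ctx` itself is tested before the switch. If a context can be copied before its inner cipher data has been allocated (not visible in this hunk), the `memcpy` reads through NULL, so a guard such as `if (pipe_ctx->inner_cipher_data == NULL) break;` ahead of the allocation would be safer. The case also never uses `ptr`, so a comment saying which context ends up owning the new buffer and where it is freed would help. That buffer holds the inner cipher's state, presumably including key material, so the release path should cleanse it. The function body continues outside the hunk.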
@@ -740,7 +759,7 @@ static int dasync_cipher_cleanup_helper(EVP_CIPHER_CTX *ctx, static int dasync_aes128_cbc_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { - return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0); + return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_128_cbc()); } static int dasync_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, @@ -768,7 +787,7 @@ static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { - return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 1); + return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 1, EVP_aes_128_cbc_hmac_sha1()); } static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, @@ -829,7 +848,7 @@ static int dasync_rsa_paramgen_init(EVP_PKEY_CTX *ctx) if (pparamgen_init == NULL) EVP_PKEY_meth_get_paramgen(dasync_rsa_orig, &pparamgen_init, NULL); - return pparamgen_init(ctx); + return pparamgen_init != NULL ? pparamgen_init(ctx) : 1; } static int dasync_rsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) @@ -838,7 +857,7 @@ static int dasync_rsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) if (pparamgen == NULL) EVP_PKEY_meth_get_paramgen(dasync_rsa_orig, NULL, &pparamgen); - return pparamgen(ctx, pkey); + return pparamgen != NULL ? pparamgen(ctx, pkey) : 1; } static int dasync_rsa_keygen_init(EVP_PKEY_CTX *ctx) @@ -847,7 +866,7 @@ static int dasync_rsa_keygen_init(EVP_PKEY_CTX *ctx) if (pkeygen_init == NULL) EVP_PKEY_meth_get_keygen(dasync_rsa_orig, &pkeygen_init, NULL); - return pkeygen_init(ctx); + return pkeygen_init != NULL ? pkeygen_init(ctx) : 1; } static int dasync_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 
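Review bot: `dasync_rsa_paramgen` now returns 1 when `pparamgen` is still NULL after the lookup, which tells the caller that parameters were generated although nothing was written to `pkey`. The same fallback is added to `dasync_rsa_paramgen_init` and `dasync_rsa_keygen_init` in the neighbouring hunks, and to `dasync_rsa_encrypt_init` and `dasync_rsa_decrypt_init` in the next two. For the `_init` callbacks a missing hook can reasonably mean nothing to do, but that deserves a comment, e.g. `/* The original method has no init hook: nothing to set up */`. For the non-init `dasync_rsa_paramgen`, consider `return pparamgen != NULL ? pparamgen(ctx, pkey) : 0;` unless success without output is intended. Each function starts outside its hunk.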
@@ -865,7 +884,7 @@ static int dasync_rsa_encrypt_init(EVP_PKEY_CTX *ctx) if (pencrypt_init == NULL) EVP_PKEY_meth_get_encrypt(dasync_rsa_orig, &pencrypt_init, NULL); - return pencrypt_init(ctx); + return pencrypt_init != NULL ? pencrypt_init(ctx) : 1; } static int dasync_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, @@ -887,7 +906,7 @@ static int dasync_rsa_decrypt_init(EVP_PKEY_CTX *ctx) if (pdecrypt_init == NULL) EVP_PKEY_meth_get_decrypt(dasync_rsa_orig, &pdecrypt_init, NULL); - return pdecrypt_init(ctx); + return pdecrypt_init != NULL ? pdecrypt_init(ctx) : 1; } static int dasync_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, diff --git a/deps/openssl/openssl/engines/e_loader_attic.c b/deps/openssl/openssl/engines/e_loader_attic.c index 74f297400b4203..391ed33d5e3a85 100644 --- a/deps/openssl/openssl/engines/e_loader_attic.c +++ b/deps/openssl/openssl/engines/e_loader_attic.c @@ -1354,8 +1354,8 @@ static OSSL_STORE_INFO *file_try_read_msblob(BIO *bp, int *matchcount) if (BIO_buffer_peek(bp, peekbuf, sizeof(peekbuf)) <= 0) return 0; - if (!ossl_do_blob_header(&p, sizeof(peekbuf), &magic, &bitlen, - &isdss, &ispub)) + if (ossl_do_blob_header(&p, sizeof(peekbuf), &magic, &bitlen, + &isdss, &ispub) <= 0) return 0; } diff --git a/deps/openssl/openssl/engines/e_ossltest.c b/deps/openssl/openssl/engines/e_ossltest.c index 8479414f0198b4..0506faa6285bab 100644 --- a/deps/openssl/openssl/engines/e_ossltest.c +++ b/deps/openssl/openssl/engines/e_ossltest.c @@ -38,6 +38,7 @@ #include #include #include +#include #include "e_ossltest_err.c" 
@@ -247,21 +248,39 @@ static int ossltest_ciphers(ENGINE *, const EVP_CIPHER **, const int **, int); static int ossltest_cipher_nids[] = { - NID_aes_128_cbc, NID_aes_128_gcm, 0 + NID_aes_128_cbc, NID_aes_128_gcm, + NID_aes_128_cbc_hmac_sha1, 0 }; /* AES128 */ -int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); -int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl); -int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); -int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl); +static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc); +static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl); +static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc); +static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl); static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); +static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, + int enc); +static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, + unsigned char *out, + const unsigned char *in, + size_t inl); +static int ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + int arg, void *ptr); + +typedef struct { + size_t payload_length; /* AAD length in decrypt case */ + unsigned int tls_ver; +} EVP_AES_HMAC_SHA1; static EVP_CIPHER *_hidden_aes_128_cbc = NULL; static const EVP_CIPHER *ossltest_aes_128_cbc(void) 
@@ -285,6 +304,7 @@ static const EVP_CIPHER *ossltest_aes_128_cbc(void) } return _hidden_aes_128_cbc; } + static EVP_CIPHER *_hidden_aes_128_gcm = NULL; #define AES_GCM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ @@ -315,11 +335,45 @@ static const EVP_CIPHER *ossltest_aes_128_gcm(void) return _hidden_aes_128_gcm; } +static EVP_CIPHER *_hidden_aes_128_cbc_hmac_sha1 = NULL; + +static const EVP_CIPHER *ossltest_aes_128_cbc_hmac_sha1(void) +{ + if (_hidden_aes_128_cbc_hmac_sha1 == NULL + && ((_hidden_aes_128_cbc_hmac_sha1 + = EVP_CIPHER_meth_new(NID_aes_128_cbc_hmac_sha1, + 16 /* block size */, + 16 /* key len */)) == NULL + || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16) + || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1, + EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | + EVP_CIPH_FLAG_AEAD_CIPHER) + || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1, + ossltest_aes128_cbc_hmac_sha1_init_key) + || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1, + ossltest_aes128_cbc_hmac_sha1_cipher) + || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc_hmac_sha1, + ossltest_aes128_cbc_hmac_sha1_ctrl) + || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_128_cbc_hmac_sha1, + EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv) + || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_128_cbc_hmac_sha1, + EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv) + || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc_hmac_sha1, + sizeof(EVP_AES_HMAC_SHA1)))) { + EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); + _hidden_aes_128_cbc_hmac_sha1 = NULL; + } + return _hidden_aes_128_cbc_hmac_sha1; +} + static void destroy_ciphers(void) { EVP_CIPHER_meth_free(_hidden_aes_128_cbc); EVP_CIPHER_meth_free(_hidden_aes_128_gcm); + EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); _hidden_aes_128_cbc = NULL; + _hidden_aes_128_gcm = NULL; + _hidden_aes_128_cbc_hmac_sha1 = NULL; } /* Key loading */ 
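Review bot: In `ossltest_aes_128_cbc_hmac_sha1` the arguments `EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv` and `EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv` test a flag constant rather than anything computed, so as far as I can tell they always select NULL. Passing `NULL` directly reads more honestly, e.g. `|| !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_128_cbc_hmac_sha1, NULL)`, with the matching change for the getter. In the same function `_hidden_aes_128_cbc_hmac_sha1,16` is missing the space after the comma.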
@@ -490,6 +544,9 @@ static int ossltest_ciphers(ENGINE *e, const EVP_CIPHER **cipher, case NID_aes_128_gcm: *cipher = ossltest_aes_128_gcm(); break; + case NID_aes_128_cbc_hmac_sha1: + *cipher = ossltest_aes_128_cbc_hmac_sha1(); + break; default: ok = 0; *cipher = NULL; @@ -634,14 +691,15 @@ static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md) * AES128 Implementation */ -int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) +static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc) { return EVP_CIPHER_meth_get_init(EVP_aes_128_cbc()) (ctx, key, iv, enc); } -int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) +static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) { unsigned char *tmpbuf; int ret; @@ -667,15 +725,15 @@ int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return ret; } -int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) +static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc) { return EVP_CIPHER_meth_get_init(EVP_aes_128_gcm()) (ctx, key, iv, enc); } - -int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) +static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) { unsigned char *tmpbuf = OPENSSL_malloc(inl); 
@@ -720,6 +778,128 @@ static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return 1; } +#define NO_PAYLOAD_LENGTH ((size_t)-1) +# define data(ctx) ((EVP_AES_HMAC_SHA1 *)EVP_CIPHER_CTX_get_cipher_data(ctx)) + +static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *inkey, + const unsigned char *iv, + int enc) +{ + EVP_AES_HMAC_SHA1 *key = data(ctx); + key->payload_length = NO_PAYLOAD_LENGTH; + return 1; +} + +static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, + unsigned char *out, + const unsigned char *in, + size_t len) +{ + EVP_AES_HMAC_SHA1 *key = data(ctx); + unsigned int l; + size_t plen = key->payload_length; + + key->payload_length = NO_PAYLOAD_LENGTH; + + if (len % AES_BLOCK_SIZE) + return 0; + + if (EVP_CIPHER_CTX_is_encrypting(ctx)) { + if (plen == NO_PAYLOAD_LENGTH) + plen = len; + else if (len != + ((plen + SHA_DIGEST_LENGTH + + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)) + return 0; + + memmove(out, in, plen); + + if (plen != len) { /* "TLS" mode of operation */ + /* calculate HMAC and append it to payload */ + fill_known_data(out + plen, SHA_DIGEST_LENGTH); + + /* pad the payload|hmac */ + plen += SHA_DIGEST_LENGTH; + for (l = len - plen - 1; plen < len; plen++) + out[plen] = l; + } + } else { + /* decrypt HMAC|padding at once */ + memmove(out, in, len); + + if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */ + unsigned int maxpad, pad; + + if (key->tls_ver >= TLS1_1_VERSION) { + if (len < (AES_BLOCK_SIZE + SHA_DIGEST_LENGTH + 1)) + return 0; + + /* omit explicit iv */ + in += AES_BLOCK_SIZE; + out += AES_BLOCK_SIZE; + len -= AES_BLOCK_SIZE; + } else if (len < (SHA_DIGEST_LENGTH + 1)) + return 0; + + /* figure out payload length */ + pad = out[len - 1]; + maxpad = len - (SHA_DIGEST_LENGTH + 1); + if (pad > maxpad) + return 0; + for (plen = len - pad - 1; plen < len; plen++) + if (out[plen] != pad) + return 0; + } + } + + return 1; +} + +static int 
ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + int arg, void *ptr) +{ + EVP_AES_HMAC_SHA1 *key = data(ctx); + + switch (type) { + case EVP_CTRL_AEAD_SET_MAC_KEY: + return 1; + + case EVP_CTRL_AEAD_TLS1_AAD: + { + unsigned char *p = ptr; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; + key->tls_ver = p[arg - 4] << 8 | p[arg - 3]; + + if (EVP_CIPHER_CTX_is_encrypting(ctx)) { + key->payload_length = len; + if (key->tls_ver >= TLS1_1_VERSION) { + if (len < AES_BLOCK_SIZE) + return 0; + len -= AES_BLOCK_SIZE; + p[arg - 2] = len >> 8; + p[arg - 1] = len; + } + + return (int)(((len + SHA_DIGEST_LENGTH + + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) + - len); + } else { + key->payload_length = arg; + + return SHA_DIGEST_LENGTH; + } + } + default: + return -1; + } +} + static int ossltest_rand_bytes(unsigned char *buf, int num) { unsigned char val = 1; diff --git a/deps/openssl/openssl/include/crypto/aes_platform.h b/deps/openssl/openssl/include/crypto/aes_platform.h index 015c3bd4ab9176..e95ad5aa5de6f8 100644 --- a/deps/openssl/openssl/include/crypto/aes_platform.h +++ b/deps/openssl/openssl/include/crypto/aes_platform.h @@ -100,7 +100,7 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len, # define AES_PMULL_CAPABLE ((OPENSSL_armcap_P & ARMV8_PMULL) && (OPENSSL_armcap_P & ARMV8_AES)) # define AES_GCM_ENC_BYTES 512 # define AES_GCM_DEC_BYTES 512 -# if __ARM_MAX_ARCH__>=8 +# if __ARM_MAX_ARCH__>=8 && defined(__aarch64__) # define AES_gcm_encrypt armv8_aes_gcm_encrypt # define AES_gcm_decrypt armv8_aes_gcm_decrypt # define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_v8_ctr32_encrypt_blocks && \ diff --git a/deps/openssl/openssl/include/crypto/bn_conf.h b/deps/openssl/openssl/include/crypto/bn_conf.h deleted file mode 100644 index 79400c6472a49c..00000000000000 --- a/deps/openssl/openssl/include/crypto/bn_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bn_conf.h" 
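Review bot: The decrypt branch of `ossltest_aes128_cbc_hmac_sha1_cipher` checks the padding with an early return on the first mismatching byte and never verifies a MAC, while the encrypt branch appends `fill_known_data()` output in place of an HMAC and only `memmove`s the payload, yet none of the three new functions says this is deliberate. A block comment above `ossltest_aes128_cbc_hmac_sha1_init_key` should state that this cipher is a test stub that neither encrypts nor authenticates, and that its padding check is not constant-time and must not be reused in a real CBC-HMAC implementation. Separately, the helper macro is named `data`, which is easy to collide with; a prefixed name such as `ossltest_hmac_sha1_data(ctx)` would be safer.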
diff --git a/deps/openssl/openssl/include/crypto/dso_conf.h b/deps/openssl/openssl/include/crypto/dso_conf.h deleted file mode 100644 index e7f2afa9872320..00000000000000 --- a/deps/openssl/openssl/include/crypto/dso_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/dso_conf.h" diff --git a/deps/openssl/openssl/include/crypto/evp.h b/deps/openssl/openssl/include/crypto/evp.h index 41ac80ed9dbeb4..c5d3a930f74977 100644 --- a/deps/openssl/openssl/include/crypto/evp.h +++ b/deps/openssl/openssl/include/crypto/evp.h @@ -38,6 +38,7 @@ struct evp_pkey_ctx_st { OSSL_LIB_CTX *libctx; char *propquery; const char *keytype; + /* If |pkey| below is set, this field is always a reference to its keymgmt */ EVP_KEYMGMT *keymgmt; union { @@ -794,6 +795,8 @@ void *evp_keymgmt_util_gen(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, int evp_keymgmt_util_get_deflt_digest_name(EVP_KEYMGMT *keymgmt, void *keydata, char *mdname, size_t mdname_sz); +const char *evp_keymgmt_util_query_operation_name(EVP_KEYMGMT *keymgmt, + int op_id); /* * KEYMGMT provider interface functions diff --git a/deps/openssl/openssl/include/crypto/rand.h b/deps/openssl/openssl/include/crypto/rand.h index ac41a9f62bfe3f..fa3b5b2b939494 100644 --- a/deps/openssl/openssl/include/crypto/rand.h +++ b/deps/openssl/openssl/include/crypto/rand.h @@ -24,7 +24,7 @@ # if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM) # include -# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \ +# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000) # define OPENSSL_APPLE_CRYPTO_RANDOM 1 # include diff --git a/deps/openssl/openssl/include/internal/core.h b/deps/openssl/openssl/include/internal/core.h index 035b7268942dbb..d9dc424164c935 100644 --- a/deps/openssl/openssl/include/internal/core.h +++ b/deps/openssl/openssl/include/internal/core.h 
@@ -31,7 +31,7 @@ typedef struct ossl_method_construct_method_st { /* Get a temporary store */ void *(*get_tmp_store)(void *data); /* Get an already existing method from a store */ - void *(*get)(void *store, void *data); + void *(*get)(void *store, const OSSL_PROVIDER **prov, void *data); /* Store a method in a store */ int (*put)(void *store, void *method, const OSSL_PROVIDER *prov, const char *name, const char *propdef, void *data); @@ -43,7 +43,7 @@ typedef struct ossl_method_construct_method_st { } OSSL_METHOD_CONSTRUCT_METHOD; void *ossl_method_construct(OSSL_LIB_CTX *ctx, int operation_id, - int force_cache, + OSSL_PROVIDER **provider_rw, int force_cache, OSSL_METHOD_CONSTRUCT_METHOD *mcm, void *mcm_data); void ossl_algorithm_do_all(OSSL_LIB_CTX *libctx, int operation_id, diff --git a/deps/openssl/openssl/include/internal/passphrase.h b/deps/openssl/openssl/include/internal/passphrase.h index ee0be9b128b0aa..54d997b0d90b25 100644 --- a/deps/openssl/openssl/include/internal/passphrase.h +++ b/deps/openssl/openssl/include/internal/passphrase.h @@ -114,6 +114,7 @@ int ossl_pw_get_passphrase(char *pass, size_t pass_size, size_t *pass_len, */ pem_password_cb ossl_pw_pem_password; +pem_password_cb ossl_pw_pvk_password; /* One callback for encoding (verification prompt) and one for decoding */ OSSL_PASSPHRASE_CALLBACK ossl_pw_passphrase_callback_enc; OSSL_PASSPHRASE_CALLBACK ossl_pw_passphrase_callback_dec; diff --git a/deps/openssl/openssl/include/internal/property.h b/deps/openssl/openssl/include/internal/property.h index dd9a2dc2d8f3da..8211974595de6d 100644 --- a/deps/openssl/openssl/include/internal/property.h +++ b/deps/openssl/openssl/include/internal/property.h 
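Review bot: The `get` callback gains `const OSSL_PROVIDER **prov` and `ossl_method_construct()` gains `OSSL_PROVIDER **provider_rw`, but the comment above `get` is unchanged and nothing says whether these are inputs, outputs or both, or whether NULL is allowed. The `_rw` suffix suggests in/out; a comment such as `/* |provider_rw|: in, provider to restrict the lookup to (may point to NULL); out, provider of the returned method */` would settle it if that matches the implementation, which is not visible here. The two parameters also differ in constness for what looks like the same value.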
@@ -61,18 +61,19 @@ int ossl_method_store_remove(OSSL_METHOD_STORE *store, int nid, void ossl_method_store_do_all(OSSL_METHOD_STORE *store, void (*fn)(int id, void *method, void *fnarg), void *fnarg); -int ossl_method_store_fetch(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, void **method); +int ossl_method_store_fetch(OSSL_METHOD_STORE *store, + int nid, const char *prop_query, + const OSSL_PROVIDER **prov, void **method); /* Get the global properties associate with the specified library context */ OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *ctx, int loadconfig); /* property query cache functions */ -int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, void **result); -int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, int nid, - const char *prop_query, void *result, +int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, + int nid, const char *prop_query, void **result); +int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, + int nid, const char *prop_query, void *result, int (*method_up_ref)(void *), void (*method_destruct)(void *)); diff --git a/deps/openssl/openssl/include/internal/provider.h b/deps/openssl/openssl/include/internal/provider.h index 237c852e8dcd91..d09829d05e177f 100644 --- a/deps/openssl/openssl/include/internal/provider.h +++ b/deps/openssl/openssl/include/internal/provider.h @@ -57,7 +57,7 @@ int ossl_provider_disable_fallback_loading(OSSL_LIB_CTX *libctx); * If the Provider is a module, the module will be loaded */ int ossl_provider_activate(OSSL_PROVIDER *prov, int upcalls, int aschild); -int ossl_provider_deactivate(OSSL_PROVIDER *prov); +int ossl_provider_deactivate(OSSL_PROVIDER *prov, int removechildren); int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov, int retain_fallbacks); 
@@ -108,6 +108,7 @@ void ossl_provider_add_conf_module(void); int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in); +void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); # ifdef __cplusplus } diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h deleted file mode 100644 index cd9fc7cc706c37..00000000000000 --- a/deps/openssl/openssl/include/openssl/asn1.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1.h" diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h deleted file mode 100644 index 6ff4f574949bbd..00000000000000 --- a/deps/openssl/openssl/include/openssl/asn1t.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1t.h" diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h deleted file mode 100644 index dcece3cb4d6ebf..00000000000000 --- a/deps/openssl/openssl/include/openssl/bio.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bio.h" diff --git a/deps/openssl/openssl/include/openssl/cmp.h b/deps/openssl/openssl/include/openssl/cmp.h deleted file mode 100644 index 7c8a6dc96fc360..00000000000000 --- a/deps/openssl/openssl/include/openssl/cmp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cmp.h" diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h deleted file mode 100644 index 33a00775c9fa76..00000000000000 --- a/deps/openssl/openssl/include/openssl/cms.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cms.h" diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h deleted file mode 100644 index 2712886cafcd78..00000000000000 --- a/deps/openssl/openssl/include/openssl/conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/conf.h" 
diff --git a/deps/openssl/openssl/include/openssl/configuration.h b/deps/openssl/openssl/include/openssl/configuration.h deleted file mode 100644 index 8ffad996047c5e..00000000000000 --- a/deps/openssl/openssl/include/openssl/configuration.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/configuration.h" diff --git a/deps/openssl/openssl/include/openssl/core.h b/deps/openssl/openssl/include/openssl/core.h index 3356ef20884335..9683ac70a55cff 100644 --- a/deps/openssl/openssl/include/openssl/core.h +++ b/deps/openssl/openssl/include/openssl/core.h @@ -195,7 +195,7 @@ typedef int (OSSL_provider_init_fn)(const OSSL_CORE_HANDLE *handle, # pragma names save # pragma names uppercase,truncated # endif -extern OSSL_provider_init_fn OSSL_provider_init; +OPENSSL_EXPORT OSSL_provider_init_fn OSSL_provider_init; # ifdef __VMS # pragma names restore # endif diff --git a/deps/openssl/openssl/include/openssl/crmf.h b/deps/openssl/openssl/include/openssl/crmf.h deleted file mode 100644 index 4103852ecb21c2..00000000000000 --- a/deps/openssl/openssl/include/openssl/crmf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/crmf.h" diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h deleted file mode 100644 index 6d0e701ebd3c19..00000000000000 --- a/deps/openssl/openssl/include/openssl/crypto.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/crypto.h" diff --git a/deps/openssl/openssl/include/openssl/cryptoerr.h b/deps/openssl/openssl/include/openssl/cryptoerr.h index 679966808963c7..c6a04d9b973a5e 100644 --- a/deps/openssl/openssl/include/openssl/cryptoerr.h +++ b/deps/openssl/openssl/include/openssl/cryptoerr.h 
@@ -28,6 +28,7 @@ # define CRYPTO_R_INSUFFICIENT_DATA_SPACE 106 # define CRYPTO_R_INSUFFICIENT_PARAM_SIZE 107 # define CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE 108 +# define CRYPTO_R_INVALID_NEGATIVE_VALUE 122 # define CRYPTO_R_INVALID_NULL_ARGUMENT 109 # define CRYPTO_R_INVALID_OSSL_PARAM_TYPE 110 # define CRYPTO_R_ODD_NUMBER_OF_DIGITS 103 diff --git a/deps/openssl/openssl/include/openssl/ct.h b/deps/openssl/openssl/include/openssl/ct.h deleted file mode 100644 index 7ebb84387135be..00000000000000 --- a/deps/openssl/openssl/include/openssl/ct.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ct.h" diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h deleted file mode 100644 index bf482070474781..00000000000000 --- a/deps/openssl/openssl/include/openssl/err.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/err.h" diff --git a/deps/openssl/openssl/include/openssl/ess.h b/deps/openssl/openssl/include/openssl/ess.h deleted file mode 100644 index 64cc016225119f..00000000000000 --- a/deps/openssl/openssl/include/openssl/ess.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ess.h" diff --git a/deps/openssl/openssl/include/openssl/fipskey.h b/deps/openssl/openssl/include/openssl/fipskey.h deleted file mode 100644 index c012013d98d4e8..00000000000000 --- a/deps/openssl/openssl/include/openssl/fipskey.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/fipskey.h" diff --git a/deps/openssl/openssl/include/openssl/httperr.h b/deps/openssl/openssl/include/openssl/httperr.h index b639ef0051fbb5..ee089592034cc6 100644 --- a/deps/openssl/openssl/include/openssl/httperr.h +++ b/deps/openssl/openssl/include/openssl/httperr.h 
@@ -44,6 +44,7 @@ # define HTTP_R_REDIRECTION_NOT_ENABLED 116 # define HTTP_R_RESPONSE_LINE_TOO_LONG 113 # define HTTP_R_RESPONSE_PARSE_ERROR 104 +# define HTTP_R_RETRY_TIMEOUT 129 # define HTTP_R_SERVER_CANCELED_CONNECTION 127 # define HTTP_R_SOCK_NOT_SUPPORTED 122 # define HTTP_R_STATUS_CODE_UNSUPPORTED 114 diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h deleted file mode 100644 index 8d824f5cfe6274..00000000000000 --- a/deps/openssl/openssl/include/openssl/lhash.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/lhash.h" diff --git a/deps/openssl/openssl/include/openssl/macros.h b/deps/openssl/openssl/include/openssl/macros.h index 7d377985608265..a6bc3f1feb0404 100644 --- a/deps/openssl/openssl/include/openssl/macros.h +++ b/deps/openssl/openssl/include/openssl/macros.h @@ -20,7 +20,7 @@ # define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) /* - * Sometimes OPENSSSL_NO_xxx ends up with an empty file and some compilers + * Sometimes OPENSSL_NO_xxx ends up with an empty file and some compilers * don't like that. This will hopefully silence them. */ # define NON_EMPTY_TRANSLATION_UNIT static void *dummy = &dummy; diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h deleted file mode 100644 index 5b13afedf36bb6..00000000000000 --- a/deps/openssl/openssl/include/openssl/ocsp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ocsp.h" diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h deleted file mode 100644 index 078cfba40fbe73..00000000000000 --- a/deps/openssl/openssl/include/openssl/opensslv.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/opensslv.h" diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h deleted file mode 100644 index 2d7e2c08e99175..00000000000000 --- a/deps/openssl/openssl/include/openssl/pkcs12.h +++ /dev/null 
@@ -1 +0,0 @@
-#include "../../../config/pkcs12.h"
diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h
deleted file mode 100644
index b553f9d0f053b0..00000000000000
--- a/deps/openssl/openssl/include/openssl/pkcs7.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/pkcs7.h"
diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h
deleted file mode 100644
index 989eafb33023b9..00000000000000
--- a/deps/openssl/openssl/include/openssl/safestack.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/safestack.h"
diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h
deleted file mode 100644
index 9df42dad4c3127..00000000000000
--- a/deps/openssl/openssl/include/openssl/srp.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/srp.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h
deleted file mode 100644
index eb74ca98a9759a..00000000000000
--- a/deps/openssl/openssl/include/openssl/ssl.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/ssl.h"
diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h
deleted file mode 100644
index f5edb766b4fc6c..00000000000000
--- a/deps/openssl/openssl/include/openssl/ui.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/ui.h"
diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h
deleted file mode 100644
index ed28bd68cb2474..00000000000000
--- a/deps/openssl/openssl/include/openssl/x509.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/x509.h"
diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h
deleted file mode 100644
index 9270a3ee09750a..00000000000000
--- a/deps/openssl/openssl/include/openssl/x509_vfy.h
+++ /dev/null
@@ -1 +0,0 @@ -#include "../../../config/x509_vfy.h" diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h deleted file mode 100644 index 5629ae9a3a90af..00000000000000 --- a/deps/openssl/openssl/include/openssl/x509v3.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509v3.h" diff --git a/deps/openssl/openssl/providers/common/provider_util.c b/deps/openssl/openssl/providers/common/provider_util.c index 662175c2f3be4a..58d4db33793f5c 100644 --- a/deps/openssl/openssl/providers/common/provider_util.c +++ b/deps/openssl/openssl/providers/common/provider_util.c @@ -16,6 +16,7 @@ #include #ifndef FIPS_MODULE # include +# include "crypto/evp.h" #endif #include "prov/provider_util.h" #include "internal/nelem.h" @@ -25,6 +26,9 @@ void ossl_prov_cipher_reset(PROV_CIPHER *pc) EVP_CIPHER_free(pc->alloc_cipher); pc->alloc_cipher = NULL; pc->cipher = NULL; +#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE) + ENGINE_finish(pc->engine); +#endif pc->engine = NULL; } @@ -32,6 +36,12 @@ int ossl_prov_cipher_copy(PROV_CIPHER *dst, const PROV_CIPHER *src) { if (src->alloc_cipher != NULL && !EVP_CIPHER_up_ref(src->alloc_cipher)) return 0; +#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE) + if (src->engine != NULL && !ENGINE_init(src->engine)) { + EVP_CIPHER_free(src->alloc_cipher); + return 0; + } +#endif dst->engine = src->engine; dst->cipher = src->cipher; dst->alloc_cipher = src->alloc_cipher; @@ -51,6 +61,9 @@ static int load_common(const OSSL_PARAM params[], const char **propquery, *propquery = p->data; } +#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE) + ENGINE_finish(*engine); +#endif *engine = NULL; /* Inside the FIPS module, we don't support legacy ciphers */ #if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE) 
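Review bot: In `ossl_prov_cipher_copy` the new failure path calls `EVP_CIPHER_free(src->alloc_cipher)` on the `const` source, which reads like releasing the source's own cipher; it actually undoes the `EVP_CIPHER_up_ref()` taken two lines earlier. A comment on that line, e.g. `/* drop the reference taken above for dst */`, would make that clear. The same pattern with `EVP_MD_free(src->alloc_md)` is added to `ossl_prov_digest_copy` in a later hunk. Neither function releases whatever `dst->engine` held before it is overwritten, so the function comment should say that `dst` must not already own separate references (callers are not visible here).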
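Review bot: `load_common` now calls `ENGINE_finish(*engine)` unconditionally, before it is known whether an engine parameter was passed, so every caller must hand in a slot that is either NULL or a live functional reference. Before this change the call was only reached when the engine parameter was present (the removed line is in the next hunk). A precondition comment on the function, e.g. `/* |*engine| must be NULL or hold a functional reference; it is released here */`, would document that. The callers and the start of the function are outside the hunk.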
@@ -58,10 +71,18 @@ static int load_common(const OSSL_PARAM params[], const char **propquery, if (p != NULL) { if (p->data_type != OSSL_PARAM_UTF8_STRING) return 0; - ENGINE_finish(*engine); + /* Get a structural reference */ *engine = ENGINE_by_id(p->data); if (*engine == NULL) return 0; + /* Get a functional reference */ + if (!ENGINE_init(*engine)) { + ENGINE_free(*engine); + *engine = NULL; + return 0; + } + /* Free the structural reference */ + ENGINE_free(*engine); } #endif return 1; @@ -90,8 +111,14 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc, ERR_set_mark(); pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery); #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */ - if (pc->cipher == NULL) - pc->cipher = EVP_get_cipherbyname(p->data); + if (pc->cipher == NULL) { + const EVP_CIPHER *cipher; + + cipher = EVP_get_cipherbyname(p->data); + /* Do not use global EVP_CIPHERs */ + if (cipher != NULL && cipher->origin != EVP_ORIG_GLOBAL) + pc->cipher = cipher; + } #endif if (pc->cipher != NULL) ERR_pop_to_mark(); @@ -115,6 +142,9 @@ void ossl_prov_digest_reset(PROV_DIGEST *pd) EVP_MD_free(pd->alloc_md); pd->alloc_md = NULL; pd->md = NULL; +#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE) + ENGINE_finish(pd->engine); +#endif pd->engine = NULL; } @@ -122,6 +152,12 @@ int ossl_prov_digest_copy(PROV_DIGEST *dst, const PROV_DIGEST *src) { if (src->alloc_md != NULL && !EVP_MD_up_ref(src->alloc_md)) return 0; +#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE) + if (src->engine != NULL && !ENGINE_init(src->engine)) { + EVP_MD_free(src->alloc_md); + return 0; + } +#endif dst->engine = src->engine; dst->md = src->md; dst->alloc_md = src->alloc_md; 
@@ -159,8 +195,14 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd, ERR_set_mark(); ossl_prov_digest_fetch(pd, ctx, p->data, propquery); #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */ - if (pd->md == NULL) - pd->md = EVP_get_digestbyname(p->data); + if (pd->md == NULL) { + const EVP_MD *md; + + md = EVP_get_digestbyname(p->data); + /* Do not use global EVP_MDs */ + if (md != NULL && md->origin != EVP_ORIG_GLOBAL) + pd->md = md; + } #endif if (pd->md != NULL) ERR_pop_to_mark(); diff --git a/deps/openssl/openssl/providers/defltprov.c b/deps/openssl/openssl/providers/defltprov.c index 62258da7235a5e..6e669fbdfbac27 100644 --- a/deps/openssl/openssl/providers/defltprov.c +++ b/deps/openssl/openssl/providers/defltprov.c @@ -148,6 +148,7 @@ static const OSSL_ALGORITHM deflt_digests[] = { { PROV_NAMES_MD5_SHA1, "provider=default", ossl_md5_sha1_functions }, #endif /* OPENSSL_NO_MD5 */ + { PROV_NAMES_NULL, "provider=default", ossl_nullmd_functions }, { NULL, NULL, NULL } }; diff --git a/deps/openssl/openssl/providers/fips-sources.checksums b/deps/openssl/openssl/providers/fips-sources.checksums index afa31bf80c5596..383e923f737e29 100644 --- a/deps/openssl/openssl/providers/fips-sources.checksums +++ b/deps/openssl/openssl/providers/fips-sources.checksums 
@@ -39,7 +39,7 @@ c86664fb974362ee52a454c83c2c4b23fd5b7d64b3c9e23ef1e0dfd130a46ee5 crypto/bn/asm/ 199b9b100f194a2a128c14f2a71be5a04d50d069666d90ca5b69baee1318ccb7 crypto/bn/asm/ia64-mont.pl a511aafbf76647a0c83705d4491c898a5584d300aa449fa6166c8803372946eb crypto/bn/asm/ia64.S 687c5d6606fdfd0e242005972d15db74a9cbac2b8a9a54a56fcb1e99d3880ff3 crypto/bn/asm/mips-mont.pl -eb240c1f72063048abe026ab7fab340361a329d5cd355276a25950be446cc091 crypto/bn/asm/mips.pl +8aca83d2ec45a40af15e59cff1ac2dc33737a3d25f0a0b74d401fa778a5c5eb8 crypto/bn/asm/mips.pl b27ec5181e387e812925bb26823b830f49d7a6e4971b6d11ea583f5632a1504b crypto/bn/asm/parisc-mont.pl 9973523b361db963eea4938a7a8a3adc692e1a4e1aec4fa1f1e57dc93da37921 crypto/bn/asm/ppc-mont.pl 59cd27e1e10c4984b7fb684b27f491e7634473b1bcff197a07e0ca653124aa9a crypto/bn/asm/ppc.pl @@ -79,7 +79,7 @@ b32d83cee8c00d837a7e4fb8af3f5cf17cb8d2419302e8f5fbcf62119092e874 crypto/bn/bn_g 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c -7e8f6e8bfc0958fc73d163f8139194a71385d98868e6ed51f4d52198b0649acf crypto/bn/bn_lib.c +b33295765dc6d3843e3571007e2d6dbe75564645ebf181191a91464706d9fadb crypto/bn/bn_lib.c 64bce599181c45d999f0c5bda9ce36b2820f0e91ec6590cc8cba77e2760f8287 crypto/bn/bn_local.h 07247dc2ccc55f3be525baed92fd20031bbaa80fd0bc56155e80ee0da3fc943d crypto/bn/bn_mod.c 4f8763847752d570ef95dc0d06e51240829ab55c3529301214d3c2b613c6a18b crypto/bn/bn_mont.c 
@@ -88,22 +88,22 @@ b32d83cee8c00d837a7e4fb8af3f5cf17cb8d2419302e8f5fbcf62119092e874 crypto/bn/bn_g 40d04d1bc722bef0d6392e8a9061af8305552f955478fa782230a0b8bf2288b5 crypto/bn/bn_nist.c 0d85203a3bd9ba7ebf711885cfb621eefb27002f5cb4ef2adfe4f49c7dd7b4a6 crypto/bn/bn_prime.c c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h -3a0f76ec95802d15d0f7b299e36a3aed2c96414363c20a74a4ad2c410be600dc crypto/bn/bn_rand.c +18779263932eb2bf50728b9758fc83b1e721a1d22aa75d6443c80591ccd9bb79 crypto/bn/bn_rand.c 1f6e13da1d9965b341f81bc0842a987a7db9b7de0fa7f7040d49be01b92d282b crypto/bn/bn_recp.c -b180881a08942e99e9a6b7714b98e8ce3d7958e1e0be8524966ad859c6d2be39 crypto/bn/bn_rsa_fips186_4.c +9d8c10645db51c3baedf57d5f0f32b67fc7eba223c192bc1ae7d87af40307e59 crypto/bn/bn_rsa_fips186_4.c 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c 8e397a44eefa00ecb85fafc11fe8c883b3bb1572d6ac136373946d472fbe2490 crypto/bn/bn_sqrt.c 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 crypto/bn/bn_word.c 3a85d20f80c4d96b3704e58b173fc876ec81f19eac805ae2b125c138c91c86c4 crypto/bn/rsaz_exp.c affabb87861653b216e746d6c2fce5c2ac395b0ca570d439508e9f5e102ee340 crypto/bn/rsaz_exp.h -35d5b375e857743403762f759d43a48416652554636e6700d84372cd9ee1b731 crypto/bn/rsaz_exp_x2.c +e18b943bfc1623597d6233421c358f3453bb0f026f28ae11cfd3b3c484c0bc4b crypto/bn/rsaz_exp_x2.c 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c -490681100f1cbaf629a7cc89f1785689d7ecef8791af4b8aae1e26da86de1b98 crypto/cmac/cmac.c +23d46ae37a8d9452c0c88418d2cb8350153f8c2c6060234130a2e429da2370e0 crypto/cmac/cmac.c b352903e60908dc7287051983e2068508715b4d9f3f46575540295010908bfa0 crypto/context.c -018a6c130a15cbcd6ed40b4253eacfba42f02e958d06d6a3d77d3c2ee506f7d0 
crypto/core_algorithm.c -0b27e62cf5e635c2e8cfeb478d716640dd38fa38aca695861439b30e247dd2d6 crypto/core_fetch.c +83b8912fb01bacfe0b5269c7afa69db7e1718530cce1ed27870abef1407951d6 crypto/core_algorithm.c +60321d1af7bf9697d969438f6b319fbcb4fdc1a47a0b056d02b971973a8550ca crypto/core_fetch.c 4982395fa843f62c83b95f81e1f5622d799a2fe17108bde44cdab935b77e8ae1 crypto/core_namemap.c 469e2f53b5f76cd487a60d3d4c44c8fc3a6c4d08405597ba664661ba485508d3 crypto/cpuid.c 71f0fff881eb4c5505fb17662f0ea4bbff24c6858c045a013ad8f786b07da5c4 crypto/cryptlib.c @@ -114,7 +114,7 @@ fea3ba4225df97aee90690adf387625b746d8edfdc5af2357ee65151a3d236ac crypto/des/des eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb3_enc.c 04d4cc355200b57f1e7d265a2cebdf094df1eb6e96621b533adddc3d60d31fbe crypto/des/fcrypt_b.c 499513b3ad386fe694c4e04b3c8a9fd4c4e18fc44bb6c4f94d6bf2d9362a3a5a crypto/des/ncbc_enc.c -5771c2e517df1dfa35e0cc06ce1d9808e3a5ab21110020d4bdf77284fedb41e1 crypto/des/set_key.c +61926e30dd940616e80936d1c94c5f522daf0d475fb3a40a9e589e78f322901e crypto/des/set_key.c 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d crypto/des/spr.h 0209b1ff430e2c237bf96e2e283c24df4b6708014c5a7005b295c28733d2a8ce crypto/dh/dh_backend.c 832e5a1caf9cb0dacfd937fc59252aaac7c5c1bf0ae1a9ebf3c3af6e59dcf4c0 crypto/dh/dh_check.c 
@@ -131,7 +131,7 @@ b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b crypto/dsa/dsa 9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146 crypto/dsa/dsa_lib.c f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022 crypto/dsa/dsa_local.h f88db9fd73a78e66967e56df442b55230f405b4cd804f31f8696324f0b702f15 crypto/dsa/dsa_ossl.c -b57b648524bc7dd98f8e2737f4e87b5578c7921df59b1df4a03a34e23e977e8a crypto/dsa/dsa_sign.c +6222aa8f60d7451d974dd87c66995033919f36d7f858cbe609cf731ad1eee34e crypto/dsa/dsa_sign.c 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1 crypto/dsa/dsa_vrf.c 0a206e4c4de4702808cba7c9304bedb66abcbc33e513bc25574a795cd5fa3db0 crypto/ec/asm/ecp_nistp521-ppc64.pl 78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1 crypto/ec/asm/ecp_nistz256-armv4.pl @@ -160,7 +160,7 @@ f6447921a0031fa5beddedd298e82096fb3fdb189b712fab328b61f6beae0c23 crypto/ec/curv 3052a044afae2e91b677542fc8b34b3ec9d033e0c6562b0d43098cfb34ab3c9d crypto/ec/curve448/word.h ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_oct.c 6bbbf570ce31f5b579f7e03ec9f8a774663c7c1eb5e475bd31f8fee94a021ffc crypto/ec/ec2_smpl.c -69d64accd498583e65df2dc43730eee2922217a7bfefda2cd1a9da176e3d1dcd crypto/ec/ec_asn1.c +2a71bd8dbe4f427c117d990581709a4ddce07fa8e530794b5a9574fef7c48a0c crypto/ec/ec_asn1.c c07fa05c6885e59913e2ce345ff52ef9dfb0418842de3affa6163ad3e71f9c1b crypto/ec/ec_backend.c 86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a crypto/ec/ec_check.c 265f911b9d4aada326a2d52cd8a589b556935c8b641598dcd36c6f85d29ce655 crypto/ec/ec_curve.c 
@@ -181,33 +181,33 @@ f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35 crypto/ec/ecds c016eb9412aad8cd1213a2f5b1083df1a1a9cb734dc6cc19d99e706935c81ef2 crypto/ec/ecp_nistz256.c 51cb98e7e9c241e33261589f0d74103238baaa850e333c61ff1da360e127518a crypto/ec/ecp_oct.c b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_smpl.c -4d9e693c64709a9359ac724a767a85566849373231e314b8d8127b707dd5e83d crypto/ec/ecx_backend.c +2096e13aa2fbcb0d4b10faca3e3f5359cf66098b0397a6d74c6fca14f5dee659 crypto/ec/ecx_backend.c 5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3 crypto/ec/ecx_backend.h 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c -6618159105f23d5b2aa03d806d66f9c7a0b97298fe1e8ec7d503b066d627b31d crypto/evp/asymcipher.c +28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c -847e039a249a1f9af42dfc6427de2ad4925f1116f86619dd420cf8cec9d3bbfe crypto/evp/digest.c +e696c10cc2ed2fc5552e659b343af751b9edc3b4dbce1a2108d21e8b10424657 crypto/evp/digest.c 5e2c5d865029ae86855f15e162360d091f28ca0d4c67260700c90aa25faf308b crypto/evp/ec_support.c 37b5e0bdb30a24c925a26f818828fd3b4ab4c1725f84797260556c0f47f2b76d crypto/evp/evp_enc.c -363dda606a23f1cbb6eefc713903bb353b8fc8661dee0e853366c7798f050483 crypto/evp/evp_fetch.c -6e0a2b11440a3cfd80d5539aa6a4b133dbfefc6a646736980dbbd504b3f16ac8 crypto/evp/evp_lib.c -34574e474d3f5daf24981200cae9e24a427d165cd43d8fb738844fa9b0fc991f crypto/evp/evp_local.h +d8162b57e041e83da55efe6f073d156a00b8d7a3b2fb7782b05295f2c0ea3c14 crypto/evp/evp_fetch.c +029df8bb80a2fb45c22765234b9041ffce82735108e0b11580fd3fbd805362dd crypto/evp/evp_lib.c +9ac3d97d756ec008db16dd1952115b551f32b2d0590d9a85e1c87d1c78620257 crypto/evp/evp_local.h e822c16fc4dc30f2c86e8598c721a9ddfe46d318ce78f4e8e883cdcf8b936221 crypto/evp/evp_rand.c 
2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c -befe4e1ec273973748a9fff49d8510873737ea04d86eac70c2e11bbb0d874ca1 crypto/evp/exchange.c +5496cf34a1643923ff434e4ae16ee203a626b36685e98201dec30547857847d8 crypto/evp/exchange.c a3164e3247e2a38f4f9a20db463779b5260e4e6639ac8eec6e960b265fc8cce5 crypto/evp/kdf_lib.c 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c -f88b3d178f0d5e7bcd250fd2b3d2fabb19f05f3ecc0627c100c5418e9fdd0ade crypto/evp/kem.c -df82657d18fb15d4da3218e33e7326248db509443304889b1dbee5810cbcb78b crypto/evp/keymgmt_lib.c -7b850a8f7e7c5018546541254cd33da479834c47273b5018fdcb8a9ccf77f522 crypto/evp/keymgmt_meth.c +38715a14f202e7d24602e5cc19d2f78abbd9f5fa3dde8d7b2bfded907690e18f crypto/evp/kem.c +787105780e2aa625bfedfbfd7167be16f743883d02a897969695ad8e637298af crypto/evp/keymgmt_lib.c +3d0a2c5fea0d9bb01a09e1eabc041e3bc76ba4ee90bc0af54ef414e7ca3a531f crypto/evp/keymgmt_meth.c e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_sigver.c -f9988dfed6253c30b08a966496f188763671cb72a2fcb25455f65f8d270027cc crypto/evp/mac_lib.c +5b8b0bcd4b720b66ce6bc54090ec333891126bb7f6cce4502daf2333668c3db9 crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c -cd2902a111d200417d04f0422451b3760a67fc21cd1f9ca3b02200dc91b8b916 crypto/evp/p_lib.c +b976077a1f880768f2f0a1c996a53dfdd363605e4977c56fb37e9c1f84f35aa6 crypto/evp/p_lib.c 3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c bbce11755bcc5ba2ee8e9c1eb95905447136f614fdc2b0f74cf785fe81ead6a5 crypto/evp/pmeth_gn.c -fdaddf5c4b274d83292a5121d9b0541dce82fb83e59d64d48a93964840421f30 crypto/evp/pmeth_lib.c -c2158cf4f1d149889746665501035f38049dc1cdcea8c61cd377c0c3be6b8a43 crypto/evp/signature.c +76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c +f3a5cbbccb1078cf1fafd74c4caa9f30827081832fbe6dfa5579b17ef809776c 
crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c 00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8 crypto/ffc/ffc_backend.c ead786b4f5689ab69d6cca5d49e513e0f90cb558b67e6c5898255f2671f1393d crypto/ffc/ffc_dh.c 
@@ -245,18 +245,18 @@ e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/w 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c ca8f63ee71797f51c2bf5629190897306b3308882feb3d64c982239f18e8b738 crypto/o_str.c 7b8d9f5dfe00460df5fbcfd4a5f2f36128020ebd2ced85ff5071b91f98740b2e crypto/packet.c -e30c9e30e4356621236136caf001ee60d51aac492a5bf0fb7f1022b973aec425 crypto/param_build.c +cc4483ec9ba7a30908e3a433a6817e2f211d4c1f69c206e6bae24bbd39a68281 crypto/param_build.c c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_build_set.c 02dfeb286c85567bb1b6323a53c089ba66447db97695cc78eceb6677fbc76bf9 crypto/params.c 4f2a8c9acf5898fdc1e4bf98813049947221cd9a1db04faaa490250591f54cb4 crypto/params_dup.c -d0f6af3e89a693f0327e1bf073666cbec6786220ef3b3688ef0be9539d5ab6bf crypto/params_from_text.c +a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c 2140778d5f35e503e22b173736e18ff84406f6657463e8ff9e7b91a78aa686d3 crypto/property/defn_cache.c -ed7724ac6350afe2ac49498f894259b40176092ebdfeff9e9afa3e28681442fe crypto/property/property.c -726b1102bfffd0b1f18759e6373fc21d491dd001f21a0a4c3d26d6867f39623c crypto/property/property_local.h -5d780fd1a656db32a0292d2692690f69aa1b977646282f4884f17dca861fe681 crypto/property/property_parse.c -43259a466b118d938e4480f4e6f46aaa8eab452f971ff0788e2eb8369ff1b5ec crypto/property/property_query.c +b09bfc2cdde7ab703b54630a67cc8d01ca92af402be246e5a9f82d176abd9442 crypto/property/property.c +a2c69527b60692a8b07cfdfe7e75f654daa092411d5de5e02b446a4ef3752855 crypto/property/property_local.h +c3217b73871d93d81ab9f15e9f1fc37ea609bbe4bbc0c1b84ec62a99c91f6756 crypto/property/property_parse.c +a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c 
-a065691f37df209ce2ab5ce721e6fc45008e2f00edfbad0ceaa5ef2a0cfee23d crypto/provider_core.c +c56fb722699e1148dc392bad8069292e6521e7498c8aa9572661af118ff59e16 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c 5d16318d3a36b06145af74afa3523109768990a33457c81895c7ab8a830654f8 crypto/rand/rand_lib.c @@ -333,10 +333,10 @@ b39e5ba863af36e455cc5864fe8c5d0fc05a6aaef0d528a115951d1248e8fa8b crypto/stack/s 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c ebb210a22c280839853920bee245eb769c713ab99cb35a468ed2b1df0d112a7f crypto/threads_pthread.c -60bdd9213c67c4d9a287cb57517eca63913c134ef57fcb102b641eb56ddce19a crypto/threads_win.c +68e1cdeb948d3a106b5a27b76bcddbae6bb053b2bdc4a21a1fec9797a00cd904 crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl d13560a5f8a66d7b956d54cd6bf24eade529d686992d243bfb312376a57b475e e_os.h -4dab31beb4bbd9275a914839f590eaa328cc8ddec3561acd3e6fae0606758b32 include/crypto/aes_platform.h +6f353dc7c8c4d8f24f7ffbf920668ccb224ebb5810805a7c80d96770cd858005 include/crypto/aes_platform.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h 8ce1b35c6924555ef316c7c51d6c27656869e6da7f513f45b7a7051579e3e54d include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 
@@ -348,11 +348,11 @@ e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto 7ddd70f02371c7bd190414369d2bbe7c9c6d2de085dfe1e3eab0c4082f803ca1 include/crypto/dsa.h 2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574 include/crypto/ec.h edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858 include/crypto/ecx.h -1930dcf277bba1f458bcb1b74bba2db0fd28a8e047d8ceef5bf6973075167bdd include/crypto/evp.h +782ea27154525789cd49afd36a8056457dfab4ea662481b502363cc0a55ed34e include/crypto/evp.h bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 162812058c69f65a824906193057cd3edeabc22f51a4220aea7cb9064379a9b6 include/crypto/md32_common.h f12bfc145290444bcc7bf408874bded348e742443c145b8b5bc70ae558d96c31 include/crypto/modes.h -11734df47031edd5fd025313ab10d3cfd777920760c023f0bc7019d0653e73df include/crypto/rand.h +0e4472433ca4008aa4fc9234761be70f323a22a4519bb9d62728dc001d606f04 include/crypto/rand.h 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h bd5ce686c97a8a3a0e3d7ca1e4f16706fd51df5da9673169303a4428d62da233 include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h 
@@ -361,7 +361,7 @@ bd5ce686c97a8a3a0e3d7ca1e4f16706fd51df5da9673169303a4428d62da233 include/crypto 5bfeea62d21b7cb43d9a819c5cd2800f02ea019687a8331abf313d615889ad37 include/crypto/types.h a1778b610a244f49317a09e1e6c78b5fb68bc6d003ffdea0f6eefe5733ee5b5f include/internal/bio.h 92aacb3e49288f91b44f97e41933e88fe455706e1dd21a365683c2ab545db131 include/internal/constant_time.h -28195bbbe81d831792f07485287fd3ac400e03f1f1733a19e3f7115c0f1828f6 include/internal/core.h +71ddae419297069056065ab71f32fe88b09ddbe4db2200a759fedd8ad4349628 include/internal/core.h d7ddeab97434a21cb2cad1935a3cb130f6cd0b3c75322463d431c5eab3ab1ae1 include/internal/cryptlib.h 9571cfd3d5666749084b354a6d65adee443deeb5713a58c098c7b03bc69dbc63 include/internal/deprecated.h 8a2371f964cbb7fc3916583d2a4cee5c56f98595dfa30bd60c71637811a6d9da include/internal/der.h @@ -374,9 +374,9 @@ b02701592960eb4608bb83b297eed90184004828c7fc03ea81568062f347623d include/intern ae41a2fb41bf592bbb47e4855cf4efd9ef85fc11f910a7e195ceef78fb4321dc include/internal/numbers.h ea1bec4f1fff37aef8d4a62745bb451baa3e3ad20ba1bc68920a24f5cbb2f0a7 include/internal/packet.h dd7ddecf30bef3002313e6b776ce34d660931e783b2f6edacf64c7c6e729e688 include/internal/param_build_set.h -d10417cb2dc5b9f04d98decc641ffcfd2efd3a23fbf4d7fcf69941812d62487a include/internal/property.h +0cee1d5908e8e262b88554e71a0a52fa3a8c2a30a9bf782bdf2b89364840bde6 include/internal/property.h 727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635 include/internal/propertyerr.h -772a7a733103ead30439959f8d06e904af53d738021ff752b234fdded393521a include/internal/provider.h +94e90e25183c244b20c344885d2b8386a85475afaa3e7885a84bc64566558f26 include/internal/provider.h 5af9a40c44def13576fe2c0eb082fb73c3565c5e00f902d51b1ed1593d481ccb include/internal/refcount.h 11ee9893f7774c83fcfdee6e0ca593af3d28b779107883553facdbfdae3a68f5 include/internal/sha3.h 494ab5c802716bf38032986674fb094dde927a21752fe395d82e6044d81801d1 include/internal/sizes.h 
@@ -399,11 +399,11 @@ ea344bb0b690d4e47c99e83f6692b970c9b54a4520296bb2d3ddbcbdf0d51653 include/openss f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3 include/openssl/conferr.h 02a1baff7b71a298419c6c5dcb43eaa9cc13e9beeb88c03fb14854b4e84e8862 include/openssl/configuration.h.in 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h -792488b5d6bb87a5138322d7a6ae011faa279918321af62e76fa018e1a991c93 include/openssl/core.h +df5e60af861665675e4a00d40d15e36884f940e3379c7b45c9f717eaf1942697 include/openssl/core.h 00110e80b9b4f621c604ea99f05e7a75d3db4721fc2779224e6fa7e52f06e345 include/openssl/core_dispatch.h cbd9d7855ca3ba4240207fc025c22bbfef7411116446ff63511e336a0559bed0 include/openssl/core_names.h d165f5c61bfe17ba366a3ba94afb30d3c8ce6b21e9cff59a15f3622f2654ae49 include/openssl/crypto.h.in -06e9f521a6e98e104cdf37260ce967d928e25d424e0013f1feb3ff4da18eaec0 include/openssl/cryptoerr.h +1d1697bd3e35920ff9eaec23c29472d727a7fc4d108150957f41f6f5ecf80f1a include/openssl/cryptoerr.h bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openssl/des.h 3a57eceec58ab781d79cb0458c2251a233f45ba0ef8f414d148c55ac2dff1bc8 include/openssl/dh.h 
@@ -486,7 +486,7 @@ a4dc9bf2d77e34175737b7b8d28fbe90815ac0e2904e3ac2d9e2a271f345ef20 providers/fips fdbaf748044ce54f13e673b92db876e32436e4d5644f443cc43d063112a89676 providers/fips/self_test.c f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h 7a23cc81ca7542325634891d1982c70e68a27914b088a51ca60249d54031bfc2 providers/fips/self_test_data.inc -85c068c86363777941e226a37b3cba23c78f963eda2bd848f66af4a7eedc0e21 providers/fips/self_test_kats.c +2f4f23ebc2c7ed5ef71c98ca71f06b639112a1dea04784c46af58083482c150f providers/fips/self_test_kats.c f054b24ea53ad5db41dd7f37f20f42166ed68b832121a94858cb0173b1aaeb1d providers/implementations/asymciphers/rsa_enc.c 4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a providers/implementations/ciphers/cipher_aes.c f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h 
@@ -538,45 +538,45 @@ de342d04be6af69037922d5c97bdc40c0c27f6740636e72786a765d0d8ad9173 providers/impl 6dc876a1a785420e84210f085be6e4c7aca407ffb5433dbca4cd3f1c11bb7f06 providers/implementations/include/prov/ciphercommon_aead.h dd07797d61988fd4124cfb920616df672938da80649fac5977bfd061c981edc5 providers/implementations/include/prov/ciphercommon_ccm.h 0c1e99d70155402a790e4de65923228c8df8ad970741caccfe8b513837457d7f providers/implementations/include/prov/ciphercommon_gcm.h -79a5ed6e4a97431233c56eede9d9c9eec27598fff53590c627ea40bd5b871fd5 providers/implementations/include/prov/digestcommon.h -c47c960398bad27844f837e68d19df3912e2c9497362789b3d5c858ca4f9242b providers/implementations/include/prov/implementations.h +b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/implementations/include/prov/digestcommon.h +f7017afcde9e5477b0542ca0eff31edfbd8a3488b28bfdd66db56c78c72329c6 providers/implementations/include/prov/implementations.h 5f09fc71874b00419d71646714f21ebbdcceda277463b6f77d3d3ea6946914e8 providers/implementations/include/prov/kdfexchange.h c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h 29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1 providers/implementations/include/prov/names.h 2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h 432e2d5e467a50bd031a6b94b27072f5d66f4fadb6d62c9bfd9453d444c2aedf providers/implementations/kdfs/hkdf.c -b2e971a5a5d91da121db468cd8c8501c154643120dae31bb674e758c6403ad14 providers/implementations/kdfs/kbkdf.c -fb62e76d7d751bf3b4c39157d601aa0a16477bb9335121ec6649ba7176a43f8d providers/implementations/kdfs/pbkdf2.c +06c93b62806819ee51f69c899413fda5be2435d43a70ef467b77a7296cd9528a providers/implementations/kdfs/kbkdf.c +e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d providers/implementations/kdfs/pbkdf2.c 
c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/implementations/kdfs/pbkdf2_fips.c -09efa4d172009398bb9b7256822a32a191bf296297480d1ce3ee6a0fa6eae202 providers/implementations/kdfs/sshkdf.c -5b30c7a7d0b3e6c511aa876cbec3cf206d67899b5f5116b333857877b79555dc providers/implementations/kdfs/sskdf.c +66d30c754c1e16d97a8e989f7f2e89eab59ec40ca3731dea664ba56ec38c4002 providers/implementations/kdfs/sshkdf.c +7c692170729ab1d648564abdbf9bcbba5071f9a81a25fab9eae66899316bcd4a providers/implementations/kdfs/sskdf.c 3c46ec0e14be09a133d709c3a1c3d5ab05a4f1ed5385c3e7a1afb2f0ee47ef7a providers/implementations/kdfs/tls1_prf.c 27bb6ee5e2d00c545635c0c29402b10e74a1831adbc9800c159cbe04f2bfa2f7 providers/implementations/kdfs/x942kdf.c f419a9f6b17cfba1543a3690326188ac8335db66807c58de211a3d69e18f7d4d providers/implementations/kem/rsa_kem.c -b2055b38d436e918a06ccdb095ba888ae4d650f5d57c58cc1ce5f0a367f92852 providers/implementations/keymgmt/dh_kmgmt.c -a06a0c2ff67772da75f2498ec5390a84a9cb221b70974e687e6e48cdf719004d providers/implementations/keymgmt/dsa_kmgmt.c -a388e52f059331a8636c6b73fc7cc03c8d51a585f2a8ae1a5e21bd967db9f9f5 providers/implementations/keymgmt/ec_kmgmt.c +6878218c16d5c9c308a414af67790e11912ced638ba9e64668912ec98ca20d9d providers/implementations/keymgmt/dh_kmgmt.c +4f9e8263d529f619766be73a11223b8a3dfaf46b506c17b44d8a1cd9d2eaee54 providers/implementations/keymgmt/dsa_kmgmt.c +3e2798d299d6571c973fc75468e2ac025b7c893ae2f15f14e057430325622a69 providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -75b23aa264e2935794ce5e0420e3815f798c8d6aa82abb1447f0a2c10ce475b5 providers/implementations/keymgmt/ecx_kmgmt.c +085e1cf54941fa1c1e423b4a75b820945a1c05d1c347d4910d9a772b8c9d9f3a providers/implementations/keymgmt/ecx_kmgmt.c 
053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c -bcb51fe05014ade575494b44c55b1a0b3dc404e31ff7acee40bb2f63a8f6712f providers/implementations/keymgmt/mac_legacy_kmgmt.c -464d6f9236351e7dc3b991f5bba142c7aabcf2db3c236367332a9dd0308ddfac providers/implementations/keymgmt/rsa_kmgmt.c +260c560930c5aca61225a40ed49dfbb905f2b1fa50728d1388e946358f9d5e18 providers/implementations/keymgmt/mac_legacy_kmgmt.c +9c16e76419aeb422d189ff7c5bf9a07f37abb54043dd47e48d450d68329de933 providers/implementations/keymgmt/rsa_kmgmt.c 79da66d4b696388d7eab6b2126bccc88908915813d79c4305b8b4d545a500469 providers/implementations/macs/cmac_prov.c 41464d1e640434bb3ff9998f093829d5e2c1963d68033dca7d31e5ab75365fb1 providers/implementations/macs/gmac_prov.c 282c1065f18c87073529ed1bdc2c0b3a1967701728084de6632ddc72c671d209 providers/implementations/macs/hmac_prov.c aa7ba1d39ea4e3347294eb50b4dfcb895ef1a22bd6117d3b076a74e9ff11c242 providers/implementations/macs/kmac_prov.c bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c -f6c4b38dd1c22d562ef8b172218b688070336dc43550f40af01bb2e77eb3ea4d providers/implementations/rands/drbg.c +f8d24c882fda71c117a00bf4e6c7ffb6b88946c16a816249a5a7499dbdff712d providers/implementations/rands/drbg.c b1e7a0b2610aaab5800af7ede0df13a184f4a321a4084652cdb509357c55783b providers/implementations/rands/drbg_ctr.c a05adc3f6d9d6f948e5ead75f0522ed3164cb5b2d301169242f3cb97c4a7fac3 providers/implementations/rands/drbg_hash.c 0876dfae991028c569631938946e458e6829cacf4cfb673d2b144ae50a3160bb providers/implementations/rands/drbg_hmac.c fc43558964bdf12442d3f6ab6cc3e6849f7adb42f4d0123a1279819befcf71cb providers/implementations/rands/drbg_local.h -888a671934abef4225956f9931cff842f245f90660e11f23a55228edca962e16 providers/implementations/rands/test_rng.c -9b9111a1502badf60c5e93603bb8841e62c6541ff82e356fb8c1ca31bd374b0a providers/implementations/signature/dsa_sig.c 
-bcacc02b7c92a20acf32b3d26b1a8f2bf8d4cab4ef97b91cfaa3e2062a7b839f providers/implementations/signature/ecdsa_sig.c -2f2b974819c29112144c1086e61dd6fd7bd3ebd924376f8ebdcff9f477a821c7 providers/implementations/signature/eddsa_sig.c -762b49aa68fa7cd15c0496c35a23acb85df9588c8bb4ecb54438f86cc06ce13d providers/implementations/signature/mac_legacy_sig.c -c35f9ceff14f539526e568afc7e52282d732be9f0ff4bd9fbb9da9c4d3a663ef providers/implementations/signature/rsa_sig.c -737b9afe8f03f58797034ae906f982179677f5a9cf42965468f7126cf15e6694 ssl/record/tls_pad.c +04339b66c10017229ef368cb48077f58a252ebfda9ab12b9f919e4149b1036ed providers/implementations/rands/test_rng.c +cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2 providers/implementations/signature/dsa_sig.c +a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c +b057870cf8be1fd28834670fb092f0e6f202424c7ae19282fe9df4e52c9ce036 providers/implementations/signature/eddsa_sig.c +3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9 providers/implementations/signature/mac_legacy_sig.c +cee0e3304cc365ef76b422363ef12affc4d03670fd2ab2c8f3babc38f9d5db37 providers/implementations/signature/rsa_sig.c +c8df17850314b145ca83d4037207d6bf0994f9c34e6e55116860cf575df58e81 ssl/record/tls_pad.c 3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636 ssl/s3_cbc.c diff --git a/deps/openssl/openssl/providers/fips.checksum b/deps/openssl/openssl/providers/fips.checksum index e9e7ad2ea08ea5..d6a8665160ab50 100644 --- a/deps/openssl/openssl/providers/fips.checksum +++ b/deps/openssl/openssl/providers/fips.checksum @@ -1 +1 @@ -bbbd640470428086f7a658e7020fa73149e276e594412a83347ca1782c0e0486 providers/fips-sources.checksums +a59d74b7f6b55bd9d58d55876562fdd00d28dbb3c942ae80ccea859da4624f1d providers/fips-sources.checksums 
diff --git a/deps/openssl/openssl/providers/fips/self_test_kats.c b/deps/openssl/openssl/providers/fips/self_test_kats.c index 81f7226ba194f8..94a0cf842c0c03 100644 --- a/deps/openssl/openssl/providers/fips/self_test_kats.c +++ b/deps/openssl/openssl/providers/fips/self_test_kats.c @@ -446,7 +446,7 @@ static int self_test_sign(const ST_KAT_SIGN *t, EVP_PKEY *pkey = NULL; unsigned char sig[256]; BN_CTX *bnctx = NULL; - size_t siglen = 0; + size_t siglen = sizeof(sig); static const unsigned char dgst[] = { 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, diff --git a/deps/openssl/openssl/providers/implementations/digests/build.info b/deps/openssl/openssl/providers/implementations/digests/build.info index 2c2b0c3db045f9..c6508b6e85b267 100644 --- a/deps/openssl/openssl/providers/implementations/digests/build.info +++ b/deps/openssl/openssl/providers/implementations/digests/build.info @@ -9,6 +9,7 @@ $SHA3_GOAL=../../libdefault.a ../../libfips.a $BLAKE2_GOAL=../../libdefault.a $SM3_GOAL=../../libdefault.a $MD5_GOAL=../../libdefault.a +$NULL_GOAL=../../libdefault.a $MD2_GOAL=../../liblegacy.a $MD4_GOAL=../../liblegacy.a @@ -22,6 +23,8 @@ SOURCE[$COMMON_GOAL]=digestcommon.c SOURCE[$SHA2_GOAL]=sha2_prov.c SOURCE[$SHA3_GOAL]=sha3_prov.c +SOURCE[$NULL_GOAL]=null_prov.c + IF[{- !$disabled{blake2} -}] SOURCE[$BLAKE2_GOAL]=blake2_prov.c blake2b_prov.c blake2s_prov.c ENDIF diff --git a/deps/openssl/openssl/providers/implementations/digests/null_prov.c b/deps/openssl/openssl/providers/implementations/digests/null_prov.c new file mode 100644 index 00000000000000..b220a1966ff79d --- /dev/null +++ b/deps/openssl/openssl/providers/implementations/digests/null_prov.c 
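Review bot: In self_test_sign() the new initialiser `size_t siglen = sizeof(sig);` ties `siglen` to the 256-byte `sig` array, but nothing says that the value is the buffer capacity on input. The signing call is outside the hunk; presumably `siglen` is passed to it as an in/out length, in which case a trailing comment such as `/* in: capacity of sig[], out: signature length */` would keep a later edit from resetting it to 0. It also fixes the largest signature this KAT can hold at 256 bytes, which is worth stating next to `sig[256]`.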
@@ -0,0 +1,52 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +typedef struct { + unsigned char nothing; +} NULLMD_CTX; + +static int null_init(NULLMD_CTX *ctx) +{ + return 1; +} + +static int null_update(NULLMD_CTX *ctx, const void *data, size_t datalen) +{ + return 1; +} + +static int null_final(unsigned char *md, NULLMD_CTX *ctx) +{ + return 1; +} + +/* + * We must override the PROV_FUNC_DIGEST_FINAL as dgstsize == 0 + * and that would cause compilation warnings with the default implementation. + */ +#undef PROV_FUNC_DIGEST_FINAL +#define PROV_FUNC_DIGEST_FINAL(name, dgstsize, fin) \ +static OSSL_FUNC_digest_final_fn name##_internal_final; \ +static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl, \ + size_t outsz) \ +{ \ + if (ossl_prov_is_running() && fin(out, ctx)) { \ + *outl = dgstsize; \ + return 1; \ + } \ + return 0; \ +} + +IMPLEMENT_digest_functions(nullmd, NULLMD_CTX, + 0, 0, 0, + null_init, null_update, null_final) diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c index 30b42d2097b3ae..32206fe84d9446 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c 
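Review bot: The local override of `PROV_FUNC_DIGEST_FINAL` in null_prov.c drops the `outsz >= dgstsize` bounds check that the shared macro in prov/digestcommon.h performs, and the comment above it mentions only compiler warnings. That is safe solely because `IMPLEMENT_digest_functions(nullmd, ...)` passes a digest size of 0, and the comment should say so, e.g. `/* The output-size check is omitted on purpose: dgstsize is 0 here, so nothing is written to out. Do not reuse this override for a non-empty digest. */`. The three `null_*` callbacks also leave their parameters unused; whether the build's warning level reports that is not visible here.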
@@ -100,7 +100,7 @@ static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, if (!ossl_pw_set_ossl_passphrase_cb(&pwdata, pw_cb, pw_cbarg)) goto end; - key = ctx->desc->read_private_key(in, ossl_pw_pem_password, &pwdata, + key = ctx->desc->read_private_key(in, ossl_pw_pvk_password, &pwdata, PROV_LIBCTX_OF(ctx->provctx), NULL); /* diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_spki2typespki.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_spki2typespki.c index 3a4c83e8b5166a..a5dbbb31adf8d3 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_spki2typespki.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_spki2typespki.c @@ -87,7 +87,7 @@ static int spki2typespki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, strcpy(dataname, "SM2"); else #endif - if (!OBJ_obj2txt(dataname, sizeof(dataname), oid, 0)) + if (OBJ_obj2txt(dataname, sizeof(dataname), oid, 0) <= 0) goto end; ossl_X509_PUBKEY_INTERNAL_free(xpub); diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2any.c b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2any.c index f142f2b2424d93..c7b01cb2b3e5ef 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2any.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2any.c @@ -401,7 +401,7 @@ static int key_to_type_specific_pem_bio_cb(BIO *out, const void *key, { return PEM_ASN1_write_bio(k2d, pemname, out, key, ctx->cipher, - NULL, 0, ossl_pw_pem_password, &ctx->pwdata) > 0; + NULL, 0, cb, cbarg) > 0; } static int key_to_type_specific_pem_priv_bio(BIO *out, const void *key, 
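Review bot: In spki2typespki_decode the new test `OBJ_obj2txt(dataname, sizeof(dataname), oid, 0) <= 0` rejects failure but still accepts a truncated name. OBJ_obj2txt returns the length the full text needs, so a result of `sizeof(dataname)` or more means `dataname` holds only a prefix of the OID text, and that prefix would be carried forward as the data type. With an `int n` declared among the function's locals, the condition could become `if ((n = OBJ_obj2txt(dataname, sizeof(dataname), oid, 0)) <= 0 || (size_t)n >= sizeof(dataname))`. The declaration of `dataname` and the rest of the function are outside this hunk, so the buffer size could not be compared with the longest expected name.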
@@ -701,6 +701,10 @@ static int prepare_ec_params(const void *eckey, int nid, int save, static int ec_spki_pub_to_der(const void *eckey, unsigned char **pder) { + if (EC_KEY_get0_public_key(eckey) == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY); + return 0; + } return i2o_ECPublicKey(eckey, pder); } @@ -727,7 +731,7 @@ static int ec_pki_priv_to_der(const void *veckey, unsigned char **pder) # define ec_epki_priv_to_der ec_pki_priv_to_der # define ec_type_specific_params_to_der (i2d_of_void *)i2d_ECParameters -# define ec_type_specific_pub_to_der (i2d_of_void *)i2o_ECPublicKey +/* No ec_type_specific_pub_to_der, there simply is no such thing */ # define ec_type_specific_priv_to_der (i2d_of_void *)i2d_ECPrivateKey # define ec_check_key_type NULL @@ -1186,11 +1190,11 @@ static int key2any_encode(struct key2any_ctx_st *ctx, OSSL_CORE_BIO *cout, #define DO_DSA_selection_mask DO_type_specific_selection_mask #define DO_DSA(impl, type, output) DO_type_specific(impl, type, output) -#define DO_EC_selection_mask DO_type_specific_selection_mask -#define DO_EC(impl, type, output) DO_type_specific(impl, type, output) +#define DO_EC_selection_mask DO_type_specific_no_pub_selection_mask +#define DO_EC(impl, type, output) DO_type_specific_no_pub(impl, type, output) -#define DO_SM2_selection_mask DO_type_specific_selection_mask -#define DO_SM2(impl, type, output) DO_type_specific(impl, type, output) +#define DO_SM2_selection_mask DO_type_specific_no_pub_selection_mask +#define DO_SM2(impl, type, output) DO_type_specific_no_pub(impl, type, output) /* PKCS#1 defines a structure for RSA private and public keys */ #define DO_PKCS1_selection_mask DO_RSA_selection_mask diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c index 3933a0d4205309..81528fefb67463 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c 
+++ b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c @@ -47,8 +47,7 @@ static int write_msblob(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout, } static int write_pvk(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout, - EVP_PKEY *pkey, - OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) + EVP_PKEY *pkey) { BIO *out = NULL; int ret = 0; @@ -56,7 +55,7 @@ static int write_pvk(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout, out = ossl_bio_new_from_core_bio(ctx->provctx, cout); ret = i2b_PVK_bio_ex(out, pkey, ctx->pvk_encr_level, - ossl_pw_pem_password, &ctx->pwdata, libctx, NULL); + ossl_pw_pvk_password, &ctx->pwdata, libctx, NULL); BIO_free(out); return ret; @@ -81,6 +80,7 @@ static void key2ms_freectx(void *vctx) { struct key2ms_ctx_st *ctx = vctx; + ossl_pw_clear_passphrase_data(&ctx->pwdata); OPENSSL_free(ctx); } @@ -154,8 +154,10 @@ static int key2pvk_encode(void *vctx, const void *key, int selection, if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0) return 0; /* Error */ - if ((pkey = EVP_PKEY_new()) != NULL && set1_key(pkey, key)) - ok = write_pvk(ctx, cout, pkey, pw_cb, pw_cbarg); + if ((pkey = EVP_PKEY_new()) != NULL && set1_key(pkey, key) + && (pw_cb == NULL + || ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, pw_cb, pw_cbarg))) + ok = write_pvk(ctx, cout, pkey); EVP_PKEY_free(pkey); return ok; } diff --git a/deps/openssl/openssl/providers/implementations/include/prov/digestcommon.h b/deps/openssl/openssl/providers/implementations/include/prov/digestcommon.h index b0ed83648dfcd2..abdb8bb2ad55a8 100644 --- a/deps/openssl/openssl/providers/implementations/include/prov/digestcommon.h +++ b/deps/openssl/openssl/providers/implementations/include/prov/digestcommon.h 
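Review bot: In write_pvk the BIO returned by `ossl_bio_new_from_core_bio(ctx->provctx, cout)` is handed to `i2b_PVK_bio_ex` on the next line without a NULL check, and this commit edits that call without adding one. I would insert `if (out == NULL) return 0;` between the two statements, so a failed BIO allocation is reported by this function instead of depending on how the callee treats a NULL BIO. One line of write_pvk between the first two hunks is not shown, so this assumes no such check sits there.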
@@ -35,6 +35,18 @@ static int name##_get_params(OSSL_PARAM params[]) \ { OSSL_FUNC_DIGEST_GETTABLE_PARAMS, \ (void (*)(void))ossl_digest_default_gettable_params } +# define PROV_FUNC_DIGEST_FINAL(name, dgstsize, fin) \ +static OSSL_FUNC_digest_final_fn name##_internal_final; \ +static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl, \ + size_t outsz) \ +{ \ + if (ossl_prov_is_running() && outsz >= dgstsize && fin(out, ctx)) { \ + *outl = dgstsize; \ + return 1; \ + } \ + return 0; \ +} + # define PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_START( \ name, CTX, blksize, dgstsize, flags, upd, fin) \ static OSSL_FUNC_digest_newctx_fn name##_newctx; \ @@ -58,16 +70,7 @@ static void *name##_dupctx(void *ctx) \ *ret = *in; \ return ret; \ } \ -static OSSL_FUNC_digest_final_fn name##_internal_final; \ -static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl, \ - size_t outsz) \ -{ \ - if (ossl_prov_is_running() && outsz >= dgstsize && fin(out, ctx)) { \ - *outl = dgstsize; \ - return 1; \ - } \ - return 0; \ -} \ +PROV_FUNC_DIGEST_FINAL(name, dgstsize, fin) \ PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \ const OSSL_DISPATCH ossl_##name##_functions[] = { \ { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \ diff --git a/deps/openssl/openssl/providers/implementations/include/prov/implementations.h b/deps/openssl/openssl/providers/implementations/include/prov/implementations.h index 73e1823742261a..30e5e4cd775a90 100644 --- a/deps/openssl/openssl/providers/implementations/include/prov/implementations.h +++ b/deps/openssl/openssl/providers/implementations/include/prov/implementations.h @@ -36,6 +36,7 @@ extern const OSSL_DISPATCH ossl_md4_functions[]; extern const OSSL_DISPATCH ossl_mdc2_functions[]; extern const OSSL_DISPATCH ossl_wp_functions[]; extern const OSSL_DISPATCH ossl_ripemd160_functions[]; +extern const OSSL_DISPATCH ossl_nullmd_functions[]; /* Ciphers */ extern const OSSL_DISPATCH ossl_null_functions[]; 
diff --git a/deps/openssl/openssl/providers/implementations/kdfs/kbkdf.c b/deps/openssl/openssl/providers/implementations/kdfs/kbkdf.c index 01f7f0d4fd2ebd..5f30b037d94eb6 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/kbkdf.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/kbkdf.c @@ -46,7 +46,7 @@ #include "e_os.h" -#define MIN(a, b) ((a) < (b)) ? (a) : (b) +#define ossl_min(a, b) ((a) < (b)) ? (a) : (b) typedef enum { COUNTER = 0, @@ -195,7 +195,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, goto done; to_write = ko_len - written; - memcpy(ko + written, k_i, MIN(to_write, h)); + memcpy(ko + written, k_i, ossl_min(to_write, h)); written += h; k_i_len = h; diff --git a/deps/openssl/openssl/providers/implementations/kdfs/krb5kdf.c b/deps/openssl/openssl/providers/implementations/kdfs/krb5kdf.c index f8d4baa5684c40..2c887f0eb99394 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/krb5kdf.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/krb5kdf.c @@ -98,6 +98,7 @@ static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len, { OPENSSL_clear_free(*dst, *dst_len); *dst = NULL; + *dst_len = 0; return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); } diff --git a/deps/openssl/openssl/providers/implementations/kdfs/pbkdf1.c b/deps/openssl/openssl/providers/implementations/kdfs/pbkdf1.c index af715efc91ffa8..1a042bac9f52d0 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/pbkdf1.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/pbkdf1.c 
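Review bot: The renamed macro `ossl_min` in kbkdf.c keeps the unparenthesised expansion `((a) < (b)) ? (a) : (b)`, so any use inside a larger expression would bind the surrounding operators to the wrong operand. The one visible use, as the length argument of `memcpy` in derive, is unaffected, but the definition should be closed off: `#define ossl_min(a, b) (((a) < (b)) ? (a) : (b))`. Because that length bounds a copy into the derived-key buffer `ko`, a precedence slip in a later edit could become an over-long copy.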
@@ -134,13 +134,15 @@ static int kdf_pbkdf1_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); + *buffer = NULL; + *buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { - *buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/deps/openssl/openssl/providers/implementations/kdfs/pbkdf2.c b/deps/openssl/openssl/providers/implementations/kdfs/pbkdf2.c index fe247028ea968e..2a0ae63acc32b3 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/pbkdf2.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/pbkdf2.c @@ -126,13 +126,15 @@ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); + *buffer = NULL; + *buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { - *buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/deps/openssl/openssl/providers/implementations/kdfs/pkcs12kdf.c b/deps/openssl/openssl/providers/implementations/kdfs/pkcs12kdf.c index 2037b458c8bfb7..3218daa781e9e9 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/pkcs12kdf.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/pkcs12kdf.c @@ -182,13 +182,15 @@ static int pkcs12kdf_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); + *buffer = NULL; + *buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { - *buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } 
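Review bot: The `*buffer = NULL; *buflen = 0;` reset is applied by hand to kdf_pbkdf1_set_membuf here and to the identical pbkdf2_set_membuf, pkcs12kdf_set_membuf and scrypt_set_membuf in the following hunks, which shows that the helper is copied per KDF. A single shared helper would let a fix like this land once; krb5kdf_set_membuf and sshkdf_set_membuf needed the matching `*dst_len = 0;` as well. Each copy also lacks a comment on the invariant being restored, for example `/* after clear_free both pointer and length are reset, so a failed or skipped reload never leaves a stale length */`. The tail of each function is outside its hunk, so the result for `p->data_size != 0` with `p->data == NULL` could not be checked.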
diff --git a/deps/openssl/openssl/providers/implementations/kdfs/scrypt.c b/deps/openssl/openssl/providers/implementations/kdfs/scrypt.c index 2bbea0c7ccfc19..a7072f785f0877 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/scrypt.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/scrypt.c @@ -108,13 +108,15 @@ static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); + *buffer = NULL; + *buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { - *buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/deps/openssl/openssl/providers/implementations/kdfs/sshkdf.c b/deps/openssl/openssl/providers/implementations/kdfs/sshkdf.c index 93a7a64fb5d5ce..be23c2143d3c76 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/sshkdf.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/sshkdf.c @@ -91,6 +91,7 @@ static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len, { OPENSSL_clear_free(*dst, *dst_len); *dst = NULL; + *dst_len = 0; return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); } diff --git a/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c b/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c index 56ac1e63340273..297ddcdc2de1cd 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c @@ -239,7 +239,7 @@ static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init, goto end; out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */ - if (out_len <= 0) + if (out_len <= 0 || (mac == mac_buf && out_len > sizeof(mac_buf))) goto end; len = derived_key_len; 
@@ -263,7 +263,7 @@ static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init, if (len == 0) break; } else { - if (!EVP_MAC_final(ctx, mac, NULL, len)) + if (!EVP_MAC_final(ctx, mac, NULL, out_len)) goto end; memcpy(out, mac, len); break; diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c index c4cda447bf8527..98eb882e3fa0a0 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c @@ -154,10 +154,30 @@ static int dh_match(const void *keydata1, const void *keydata2, int selection) if (!ossl_prov_is_running()) return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && BN_cmp(DH_get0_pub_key(dh1), DH_get0_pub_key(dh2)) == 0; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) - ok = ok && BN_cmp(DH_get0_priv_key(dh1), DH_get0_priv_key(dh2)) == 0; + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int key_checked = 0; + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + const BIGNUM *pa = DH_get0_pub_key(dh1); + const BIGNUM *pb = DH_get0_pub_key(dh2); + + if (pa != NULL && pb != NULL) { + ok = ok && BN_cmp(pa, pb) == 0; + key_checked = 1; + } + } + if (!key_checked + && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + const BIGNUM *pa = DH_get0_priv_key(dh1); + const BIGNUM *pb = DH_get0_priv_key(dh2); + + if (pa != NULL && pb != NULL) { + ok = ok && BN_cmp(pa, pb) == 0; + key_checked = 1; + } + } + ok = ok && key_checked; + } if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { FFC_PARAMS *dhparams1 = ossl_dh_get0_params((DH *)dh1); FFC_PARAMS *dhparams2 = ossl_dh_get0_params((DH *)dh2); diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c index 4f05799bb38ebe..1e1b168f7d2005 100644 
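Review bot: In dh_match the new `OSSL_KEYMGMT_SELECT_KEYPAIR` block compares private keys only when no public-key comparison was made, and fails the match when neither comparison could run, but nothing in the code says this is the intended contract. I would add a comment above `int key_checked = 0;` such as `/* Compare public keys when both sides have one; private keys are a fallback only. A requested component missing on either side is a mismatch. */`. The same block is repeated in dsa_match, ec_match, ecx_match and rsa_match later in this patch and needs the same comment. The start of dh_match is outside the hunk, so the initial value of `ok` is assumed to be 1.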
--- a/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c @@ -154,12 +154,30 @@ static int dsa_match(const void *keydata1, const void *keydata2, int selection) if (!ossl_prov_is_running()) return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok - && BN_cmp(DSA_get0_pub_key(dsa1), DSA_get0_pub_key(dsa2)) == 0; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) - ok = ok - && BN_cmp(DSA_get0_priv_key(dsa1), DSA_get0_priv_key(dsa2)) == 0; + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int key_checked = 0; + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + const BIGNUM *pa = DSA_get0_pub_key(dsa1); + const BIGNUM *pb = DSA_get0_pub_key(dsa2); + + if (pa != NULL && pb != NULL) { + ok = ok && BN_cmp(pa, pb) == 0; + key_checked = 1; + } + } + if (!key_checked + && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + const BIGNUM *pa = DSA_get0_priv_key(dsa1); + const BIGNUM *pb = DSA_get0_priv_key(dsa2); + + if (pa != NULL && pb != NULL) { + ok = ok && BN_cmp(pa, pb) == 0; + key_checked = 1; + } + } + ok = ok && key_checked; + } if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { FFC_PARAMS *dsaparams1 = ossl_dsa_get0_params((DSA *)dsa1); FFC_PARAMS *dsaparams2 = ossl_dsa_get0_params((DSA *)dsa2); diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c index 24d4df543b8b7e..15b4532cd71c2b 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c 
@@ -337,17 +337,29 @@ static int ec_match(const void *keydata1, const void *keydata2, int selection) if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) ok = ok && group_a != NULL && group_b != NULL && EC_GROUP_cmp(group_a, group_b, ctx) == 0; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - const BIGNUM *pa = EC_KEY_get0_private_key(ec1); - const BIGNUM *pb = EC_KEY_get0_private_key(ec2); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int key_checked = 0; - ok = ok && BN_cmp(pa, pb) == 0; - } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { - const EC_POINT *pa = EC_KEY_get0_public_key(ec1); - const EC_POINT *pb = EC_KEY_get0_public_key(ec2); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + const EC_POINT *pa = EC_KEY_get0_public_key(ec1); + const EC_POINT *pb = EC_KEY_get0_public_key(ec2); - ok = ok && EC_POINT_cmp(group_b, pa, pb, ctx) == 0; + if (pa != NULL && pb != NULL) { + ok = ok && EC_POINT_cmp(group_b, pa, pb, ctx) == 0; + key_checked = 1; + } + } + if (!key_checked + && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + const BIGNUM *pa = EC_KEY_get0_private_key(ec1); + const BIGNUM *pb = EC_KEY_get0_private_key(ec2); + + if (pa != NULL && pb != NULL) { + ok = ok && BN_cmp(pa, pb) == 0; + key_checked = 1; + } + } + ok = ok && key_checked; } BN_CTX_free(ctx); return ok; diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c index b088c03b301c99..2be95086924baa 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c 
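Review bot: In ec_match the public-key branch calls `EC_POINT_cmp(group_b, pa, pb, ctx)` after checking only `pa` and `pb`; `group_a != NULL && group_b != NULL` is tested solely in the `OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS` branch. When the caller selects the public key without domain parameters, a NULL or differing group would reach the comparison unchecked, so I would extend the guard to `if (pa != NULL && pb != NULL && group_a != NULL && group_b != NULL)`. How `group_a` and `group_b` are obtained is above the hunk, so whether either can be NULL for a key that has a public point is not confirmed.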
@@ -153,24 +153,39 @@ static int ecx_match(const void *keydata1, const void *keydata2, int selection) if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) ok = ok && key1->type == key2->type; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - if ((key1->privkey == NULL && key2->privkey != NULL) - || (key1->privkey != NULL && key2->privkey == NULL) - || key1->type != key2->type) - ok = 0; - else - ok = ok && (key1->privkey == NULL /* implies key2->privkey == NULL */ - || CRYPTO_memcmp(key1->privkey, key2->privkey, - key1->keylen) == 0); - } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { - if (key1->haspubkey != key2->haspubkey - || key1->type != key2->type) - ok = 0; - else - ok = ok && (key1->haspubkey == 0 /* implies key2->haspubkey == 0 */ - || CRYPTO_memcmp(key1->pubkey, key2->pubkey, - key1->keylen) == 0); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int key_checked = 0; + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + const unsigned char *pa = key1->haspubkey ? key1->pubkey : NULL; + const unsigned char *pb = key2->haspubkey ? key2->pubkey : NULL; + size_t pal = key1->keylen; + size_t pbl = key2->keylen; + + if (pa != NULL && pb != NULL) { + ok = ok + && key1->type == key2->type + && pal == pbl + && CRYPTO_memcmp(pa, pb, pal) == 0; + key_checked = 1; + } + } + if (!key_checked + && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + const unsigned char *pa = key1->privkey; + const unsigned char *pb = key2->privkey; + size_t pal = key1->keylen; + size_t pbl = key2->keylen; + + if (pa != NULL && pb != NULL) { + ok = ok + && key1->type == key2->type + && pal == pbl + && CRYPTO_memcmp(pa, pb, pal) == 0; + key_checked = 1; + } + } + ok = ok && key_checked; } return ok; } diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/mac_legacy_kmgmt.c index 63553996bd993d..ec34a3ee71318a 100644 
--- a/deps/openssl/openssl/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -508,6 +508,7 @@ static void *mac_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg) * of this can be removed and we will only support the EVP_KDF APIs. */ if (!ossl_prov_cipher_copy(&key->cipher, &gctx->cipher)) { + ossl_mac_key_free(key); ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); return NULL; } diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c index 34871629ba6c80..b1c3011f1452d8 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c @@ -143,10 +143,30 @@ static int rsa_match(const void *keydata1, const void *keydata2, int selection) /* There is always an |e| */ ok = ok && BN_cmp(RSA_get0_e(rsa1), RSA_get0_e(rsa2)) == 0; - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && BN_cmp(RSA_get0_n(rsa1), RSA_get0_n(rsa2)) == 0; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) - ok = ok && BN_cmp(RSA_get0_d(rsa1), RSA_get0_d(rsa2)) == 0; + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int key_checked = 0; + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + const BIGNUM *pa = RSA_get0_n(rsa1); + const BIGNUM *pb = RSA_get0_n(rsa2); + + if (pa != NULL && pb != NULL) { + ok = ok && BN_cmp(pa, pb) == 0; + key_checked = 1; + } + } + if (!key_checked + && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + const BIGNUM *pa = RSA_get0_d(rsa1); + const BIGNUM *pb = RSA_get0_d(rsa2); + + if (pa != NULL && pb != NULL) { + ok = ok && BN_cmp(pa, pb) == 0; + key_checked = 1; + } + } + ok = ok && key_checked; + } return ok; } 
diff --git a/deps/openssl/openssl/providers/implementations/rands/drbg.c b/deps/openssl/openssl/providers/implementations/rands/drbg.c index 81343fbd525dc0..8b899b99b17dc0 100644 --- a/deps/openssl/openssl/providers/implementations/rands/drbg.c +++ b/deps/openssl/openssl/providers/implementations/rands/drbg.c @@ -459,9 +459,11 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen, pers, perslen)) { + cleanup_entropy(drbg, entropy, entropylen); ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG); goto end; } + cleanup_entropy(drbg, entropy, entropylen); drbg->state = EVP_RAND_STATE_READY; drbg->generate_counter = 1; @@ -469,8 +471,6 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter); end: - if (entropy != NULL) - cleanup_entropy(drbg, entropy, entropylen); if (nonce != NULL) ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen); if (drbg->state == EVP_RAND_STATE_READY) diff --git a/deps/openssl/openssl/providers/implementations/rands/seed_src.c b/deps/openssl/openssl/providers/implementations/rands/seed_src.c index 173c99ce173229..7a4b780bb46977 100644 --- a/deps/openssl/openssl/providers/implementations/rands/seed_src.c +++ b/deps/openssl/openssl/providers/implementations/rands/seed_src.c @@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout, ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } - *pout = p; if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, - adin, adin_len) != 0) + adin, adin_len) != 0) { + *pout = p; return bytes_needed; + } OPENSSL_secure_clear_free(p, bytes_needed); return 0; } diff --git a/deps/openssl/openssl/providers/implementations/rands/test_rng.c b/deps/openssl/openssl/providers/implementations/rands/test_rng.c index bdad7ac9ac2362..4e7fed0fc7b1f8 100644 
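Review bot: Moving `cleanup_entropy` out of the `end:` label in ossl_prov_drbg_instantiate means that any `goto end` taken after the entropy buffer has been obtained, but before the `drbg->instantiate` call, no longer releases it. Those earlier exits are above this hunk, so the path may not be reachable, but seed material is sensitive enough to keep a guarded release at the label. I would follow each of the two new calls with `entropy = NULL;` and restore `if (entropy != NULL) cleanup_entropy(drbg, entropy, entropylen);` under `end:`. A one-line comment on why the buffer is released immediately after instantiation would help the next reader.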
--- a/deps/openssl/openssl/providers/implementations/rands/test_rng.c +++ b/deps/openssl/openssl/providers/implementations/rands/test_rng.c @@ -52,9 +52,6 @@ static void *test_rng_new(void *provctx, void *parent, { PROV_TEST_RNG *t; - if (parent != NULL) - return NULL; - t = OPENSSL_zalloc(sizeof(*t)); if (t == NULL) return NULL; @@ -107,16 +104,11 @@ static int test_rng_generate(void *vtest, unsigned char *out, size_t outlen, const unsigned char *adin, size_t adin_len) { PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest; - size_t i; - if (strength > t->strength) + if (strength > t->strength || t->entropy_len - t->entropy_pos < outlen) return 0; - - for (i = 0; i < outlen; i++) { - out[i] = t->entropy[t->entropy_pos++]; - if (t->entropy_pos >= t->entropy_len) - break; - } + memcpy(out, t->entropy + t->entropy_pos, outlen); + t->entropy_pos += outlen; return 1; } diff --git a/deps/openssl/openssl/providers/implementations/signature/dsa_sig.c b/deps/openssl/openssl/providers/implementations/signature/dsa_sig.c index 2acab0b4811524..28fd7c498e9922 100644 --- a/deps/openssl/openssl/providers/implementations/signature/dsa_sig.c +++ b/deps/openssl/openssl/providers/implementations/signature/dsa_sig.c 
@@ -189,22 +189,31 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx; if (!ossl_prov_is_running() - || pdsactx == NULL - || vdsa == NULL - || !DSA_up_ref(vdsa)) + || pdsactx == NULL) return 0; - DSA_free(pdsactx->dsa); - pdsactx->dsa = vdsa; + + if (vdsa == NULL && pdsactx->dsa == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); + return 0; + } + + if (vdsa != NULL) { + if (!ossl_dsa_check_key(pdsactx->libctx, vdsa, + operation == EVP_PKEY_OP_SIGN)) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } + if (!DSA_up_ref(vdsa)) + return 0; + DSA_free(pdsactx->dsa); + pdsactx->dsa = vdsa; + } + pdsactx->operation = operation; if (!dsa_set_ctx_params(pdsactx, params)) return 0; - if (!ossl_dsa_check_key(pdsactx->libctx, vdsa, - operation == EVP_PKEY_OP_SIGN)) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); - return 0; - } return 1; } @@ -278,9 +287,12 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname, return 0; pdsactx->flag_allow_md = 0; - pdsactx->mdctx = EVP_MD_CTX_new(); - if (pdsactx->mdctx == NULL) - goto error; + + if (pdsactx->mdctx == NULL) { + pdsactx->mdctx = EVP_MD_CTX_new(); + if (pdsactx->mdctx == NULL) + goto error; + } if (!EVP_DigestInit_ex2(pdsactx->mdctx, pdsactx->md, params)) goto error; @@ -289,9 +301,7 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname, error: EVP_MD_CTX_free(pdsactx->mdctx); - EVP_MD_free(pdsactx->md); pdsactx->mdctx = NULL; - pdsactx->md = NULL; return 0; } diff --git a/deps/openssl/openssl/providers/implementations/signature/ecdsa_sig.c b/deps/openssl/openssl/providers/implementations/signature/ecdsa_sig.c index 64be0657c386c7..865d49d1004f00 100644 --- a/deps/openssl/openssl/providers/implementations/signature/ecdsa_sig.c +++ b/deps/openssl/openssl/providers/implementations/signature/ecdsa_sig.c 
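Review bot: In dsa_signverify_init a re-init with `vdsa == NULL` keeps the stored key but skips `ossl_dsa_check_key`, whose third argument depends on `operation`. A context first initialised for verification and later re-initialised for signing without a key would therefore never have the retained key checked as a signing key. The same shape appears in ecdsa_signverify_init (`ossl_ec_check_key`) and rsa_signverify_init (`ossl_rsa_check_key`) later in this patch. I would run the check on whichever key ends up in the context, as sketched below; whether callers can change the operation on an existing context is not visible from these hunks.

```c
    if (vdsa == NULL && pdsactx->dsa == NULL) {
        /* … unchanged: raise PROV_R_NO_KEY_SET and return 0 … */
    }

    /* Validate the key that will be used, supplied or retained, for this operation. */
    if (!ossl_dsa_check_key(pdsactx->libctx,
                            vdsa != NULL ? vdsa : pdsactx->dsa,
                            operation == EVP_PKEY_OP_SIGN)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
        return 0;
    }
    if (vdsa != NULL) {
        if (!DSA_up_ref(vdsa))
            return 0;
        DSA_free(pdsactx->dsa);
        pdsactx->dsa = vdsa;
    }
    /* … unchanged: set operation and apply params … */
```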
@@ -131,16 +131,29 @@ static int ecdsa_signverify_init(void *vctx, void *ec, PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; if (!ossl_prov_is_running() - || ctx == NULL - || ec == NULL - || !EC_KEY_up_ref(ec)) + || ctx == NULL) return 0; - EC_KEY_free(ctx->ec); - ctx->ec = ec; + + if (ec == NULL && ctx->ec == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); + return 0; + } + + if (ec != NULL) { + if (!ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN)) + return 0; + if (!EC_KEY_up_ref(ec)) + return 0; + EC_KEY_free(ctx->ec); + ctx->ec = ec; + } + ctx->operation = operation; + if (!ecdsa_set_ctx_params(ctx, params)) return 0; - return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN); + + return 1; } static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[]) @@ -279,18 +292,19 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname, return 0; ctx->flag_allow_md = 0; - ctx->mdctx = EVP_MD_CTX_new(); - if (ctx->mdctx == NULL) - goto error; + + if (ctx->mdctx == NULL) { + ctx->mdctx = EVP_MD_CTX_new(); + if (ctx->mdctx == NULL) + goto error; + } if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params)) goto error; return 1; error: EVP_MD_CTX_free(ctx->mdctx); - EVP_MD_free(ctx->md); ctx->mdctx = NULL; - ctx->md = NULL; return 0; } diff --git a/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c b/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c index 148c143cc01bd4..eb1a7691283827 100644 --- a/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c +++ b/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c 
@@ -100,6 +100,14 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, return 0; } + if (edkey == NULL) { + if (peddsactx->key != NULL) + /* there is nothing to do on reinit */ + return 1; + ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); + return 0; + } + if (!ossl_ecx_key_up_ref(edkey)) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); return 0; @@ -124,6 +132,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, default: /* Should never happen */ ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); + ossl_ecx_key_free(edkey); return 0; } if (ret && WPACKET_finish(&pkt)) { diff --git a/deps/openssl/openssl/providers/implementations/signature/mac_legacy_sig.c b/deps/openssl/openssl/providers/implementations/signature/mac_legacy_sig.c index 06f79505ff4c82..6be605c8c60f43 100644 --- a/deps/openssl/openssl/providers/implementations/signature/mac_legacy_sig.c +++ b/deps/openssl/openssl/providers/implementations/signature/mac_legacy_sig.c @@ -16,6 +16,7 @@ #include #include #include +#include #ifndef FIPS_MODULE # include #endif @@ -101,13 +102,20 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey, const char *ciphername = NULL, *engine = NULL; if (!ossl_prov_is_running() - || pmacctx == NULL - || vkey == NULL - || !ossl_mac_key_up_ref(vkey)) + || pmacctx == NULL) return 0; - ossl_mac_key_free(pmacctx->key); - pmacctx->key = vkey; + if (pmacctx->key == NULL && vkey == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); + return 0; + } + + if (vkey != NULL) { + if (!ossl_mac_key_up_ref(vkey)) + return 0; + ossl_mac_key_free(pmacctx->key); + pmacctx->key = vkey; + } if (pmacctx->key->cipher.cipher != NULL) ciphername = (char *)EVP_CIPHER_get0_name(pmacctx->key->cipher.cipher); diff --git a/deps/openssl/openssl/providers/implementations/signature/rsa_sig.c b/deps/openssl/openssl/providers/implementations/signature/rsa_sig.c index 298d789b74e687..325e855333e905 100644 
--- a/deps/openssl/openssl/providers/implementations/signature/rsa_sig.c +++ b/deps/openssl/openssl/providers/implementations/signature/rsa_sig.c @@ -190,6 +190,9 @@ static void *rsa_newctx(void *provctx, const char *propq) prsactx->libctx = PROV_LIBCTX_OF(provctx); prsactx->flag_allow_md = 1; prsactx->propq = propq_copy; + /* Maximum for sign, auto for verify */ + prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; + prsactx->min_saltlen = -1; return prsactx; } @@ -386,23 +389,25 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - if (!ossl_prov_is_running()) + if (!ossl_prov_is_running() || prsactx == NULL) return 0; - if (prsactx == NULL || vrsa == NULL) + if (vrsa == NULL && prsactx->rsa == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); return 0; + } - if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) - return 0; + if (vrsa != NULL) { + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) + return 0; - if (!RSA_up_ref(vrsa)) - return 0; - RSA_free(prsactx->rsa); - prsactx->rsa = vrsa; - prsactx->operation = operation; + if (!RSA_up_ref(vrsa)) + return 0; + RSA_free(prsactx->rsa); + prsactx->rsa = vrsa; + } - if (!rsa_set_ctx_params(prsactx, params)) - return 0; + prsactx->operation = operation; /* Maximum for sign, auto for verify */ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; @@ -457,9 +462,10 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, prsactx->saltlen = min_saltlen; /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */ - return rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) - && rsa_setup_md(prsactx, mdname, prsactx->propq) - && rsa_check_parameters(prsactx, min_saltlen); + if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) + || !rsa_setup_md(prsactx, mdname, prsactx->propq) + || !rsa_check_parameters(prsactx, min_saltlen)) + return 0; } } 
@@ -469,6 +475,9 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, return 0; } + if (!rsa_set_ctx_params(prsactx, params)) + return 0; + return 1; } @@ -842,6 +851,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, if (!rsa_signverify_init(vprsactx, vrsa, params, operation)) return 0; + if (mdname != NULL /* was rsa_setup_md already called in rsa_signverify_init()? */ && (mdname[0] == '\0' || strcasecmp(prsactx->mdname, mdname) != 0) @@ -849,10 +859,11 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, return 0; prsactx->flag_allow_md = 0; - prsactx->mdctx = EVP_MD_CTX_new(); + if (prsactx->mdctx == NULL) { - ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); - goto error; + prsactx->mdctx = EVP_MD_CTX_new(); + if (prsactx->mdctx == NULL) + goto error; } if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params)) @@ -862,9 +873,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, error: EVP_MD_CTX_free(prsactx->mdctx); - EVP_MD_free(prsactx->md); prsactx->mdctx = NULL; - prsactx->md = NULL; return 0; } diff --git a/deps/openssl/openssl/providers/implementations/signature/sm2_sig.c b/deps/openssl/openssl/providers/implementations/signature/sm2_sig.c index 719e7a2eb26e2e..3c700ac88710f3 100644 --- a/deps/openssl/openssl/providers/implementations/signature/sm2_sig.c +++ b/deps/openssl/openssl/providers/implementations/signature/sm2_sig.c @@ -27,6 +27,7 @@ #include "internal/cryptlib.h" #include "internal/sm3.h" #include "prov/implementations.h" +#include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "crypto/ec.h" #include "crypto/sm2.h" 
@@ -94,9 +95,16 @@ static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname) if (psm2ctx->md == NULL) /* We need an SM3 md to compare with */ psm2ctx->md = EVP_MD_fetch(psm2ctx->libctx, psm2ctx->mdname, psm2ctx->propq); - if (psm2ctx->md == NULL - || strlen(mdname) >= sizeof(psm2ctx->mdname) + if (psm2ctx->md == NULL) + return 0; + + if (mdname == NULL) + return 1; + + if (strlen(mdname) >= sizeof(psm2ctx->mdname) || !EVP_MD_is_a(psm2ctx->md, mdname)) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "digest=%s", + mdname); return 0; } @@ -127,10 +135,22 @@ static int sm2sig_signature_init(void *vpsm2ctx, void *ec, { PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx; - if (psm2ctx == NULL || ec == NULL || !EC_KEY_up_ref(ec)) + if (!ossl_prov_is_running() + || psm2ctx == NULL) + return 0; + + if (ec == NULL && psm2ctx->ec == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); return 0; - EC_KEY_free(psm2ctx->ec); - psm2ctx->ec = ec; + } + + if (ec != NULL) { + if (!EC_KEY_up_ref(ec)) + return 0; + EC_KEY_free(psm2ctx->ec); + psm2ctx->ec = ec; + } + return sm2sig_set_ctx_params(psm2ctx, params); } @@ -193,10 +213,11 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname, || !sm2sig_set_mdname(ctx, mdname)) return ret; - EVP_MD_CTX_free(ctx->mdctx); - ctx->mdctx = EVP_MD_CTX_new(); - if (ctx->mdctx == NULL) - goto error; + if (ctx->mdctx == NULL) { + ctx->mdctx = EVP_MD_CTX_new(); + if (ctx->mdctx == NULL) + goto error; + } md_nid = EVP_MD_get_type(ctx->md); @@ -224,8 +245,6 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname, ret = 1; error: - if (!ret) - free_md(ctx); return ret; } diff --git a/deps/openssl/openssl/ssl/bio_ssl.c b/deps/openssl/openssl/ssl/bio_ssl.c index 43747785f0757c..401178f0c2e48c 100644 --- a/deps/openssl/openssl/ssl/bio_ssl.c +++ b/deps/openssl/openssl/ssl/bio_ssl.c 
@@ -76,13 +76,12 @@ static int ssl_free(BIO *a) if (a == NULL) return 0; bs = BIO_get_data(a); - if (bs->ssl != NULL) - SSL_shutdown(bs->ssl); if (BIO_get_shutdown(a)) { + if (bs->ssl != NULL) + SSL_shutdown(bs->ssl); if (BIO_get_init(a)) SSL_free(bs->ssl); - /* Clear all flags */ - BIO_clear_flags(a, ~0); + BIO_clear_flags(a, ~0); /* Clear all flags */ BIO_set_init(a, 0); } OPENSSL_free(bs); diff --git a/deps/openssl/openssl/ssl/ktls.c b/deps/openssl/openssl/ssl/ktls.c index 02dbb937eacacc..79d980959e3ebb 100644 --- a/deps/openssl/openssl/ssl/ktls.c +++ b/deps/openssl/openssl/ssl/ktls.c @@ -129,28 +129,28 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 * or Chacha20-Poly1305 */ - switch (EVP_CIPHER_get_nid(c)) - { # ifdef OPENSSL_KTLS_AES_CCM_128 - case NID_aes_128_ccm: + if (EVP_CIPHER_is_a(c, "AES-128-CCM")) { if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */ || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) - return 0; + return 0; + return 1; + } else # endif + if (0 # ifdef OPENSSL_KTLS_AES_GCM_128 - /* Fall through */ - case NID_aes_128_gcm: + || EVP_CIPHER_is_a(c, "AES-128-GCM") # endif # ifdef OPENSSL_KTLS_AES_GCM_256 - case NID_aes_256_gcm: + || EVP_CIPHER_is_a(c, "AES-256-GCM") # endif # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 - case NID_chacha20_poly1305: + || EVP_CIPHER_is_a(c, "ChaCha20-Poly1305") # endif + ) { return 1; - default: - return 0; } + return 0; } /* Function to configure kernel TLS structure */ diff --git a/deps/openssl/openssl/ssl/record/rec_layer_s3.c b/deps/openssl/openssl/ssl/record/rec_layer_s3.c index ea7b0cbfde37db..d26437f026c3ee 100644 --- a/deps/openssl/openssl/ssl/record/rec_layer_s3.c +++ b/deps/openssl/openssl/ssl/record/rec_layer_s3.c 
@@ -1246,7 +1246,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, * * This function must handle any surprises the peer may have for us, such as * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec - * messages are treated as if they were handshake messages *if* the |recd_type| + * messages are treated as if they were handshake messages *if* the |recvd_type| * argument is non NULL. * Also if record payloads contain fragments too small to process, we store * them until there is enough for the respective protocol (the record protocol diff --git a/deps/openssl/openssl/ssl/record/ssl3_record.c b/deps/openssl/openssl/ssl/record/ssl3_record.c index b6ac61e0e8084f..c713f231cabc24 100644 --- a/deps/openssl/openssl/ssl/record/ssl3_record.c +++ b/deps/openssl/openssl/ssl/record/ssl3_record.c @@ -1218,23 +1218,17 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } if (!sending) { - /* Adjust the record to remove the explicit IV/MAC/Tag */ - if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { - for (ctr = 0; ctr < n_recs; ctr++) { + for (ctr = 0; ctr < n_recs; ctr++) { + /* Adjust the record to remove the explicit IV/MAC/Tag */ + if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; - } - } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { - for (ctr = 0; ctr < n_recs; ctr++) { + } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN; - } - } - - for (ctr = 0; ctr < n_recs; ctr++) { - if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) { + } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) { if (recs[ctr].length < bs) return 0; recs[ctr].data += bs; 
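Review bot: In the merged receive loop of `tls1_enc`, the GCM and CCM branches subtract the explicit-IV length from `recs[ctr].length` with no lower-bound test, while the CBC branch right after them keeps `if (recs[ctr].length < bs) return 0;`. If the cipher call earlier in the function already rejects records shorter than explicit IV plus tag (it is outside this hunk, so this is an assumption), say so in a comment such as `/* length >= explicit IV + tag is guaranteed by the cipher call above */`. Otherwise add the matching guard, e.g. `if (recs[ctr].length < EVP_GCM_TLS_EXPLICIT_IV_LEN) return 0;`, since an underflow of an unsigned length would hand a very large size to the MAC and padding code that follows.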
@@ -1254,17 +1248,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, (macs != NULL) ? &macs[ctr].alloced : NULL, bs, - macsize, + pad ? (size_t)pad : macsize, (EVP_CIPHER_get_flags(enc) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0, s->ctx->libctx)) return 0; } - if (pad) { - for (ctr = 0; ctr < n_recs; ctr++) { - recs[ctr].length -= pad; - } - } } } } diff --git a/deps/openssl/openssl/ssl/record/tls_pad.c b/deps/openssl/openssl/ssl/record/tls_pad.c index 46614e143b3812..e559350461a2a6 100644 --- a/deps/openssl/openssl/ssl/record/tls_pad.c +++ b/deps/openssl/openssl/ssl/record/tls_pad.c @@ -138,8 +138,6 @@ int tls1_cbc_remove_padding_and_mac(size_t *reclen, if (aead) { /* padding is already verified and we don't need to check the MAC */ *reclen -= padding_length + 1 + mac_size; - *mac = NULL; - *alloced = 0; return 1; } @@ -253,7 +251,7 @@ static int ssl3_cbc_copy_mac(size_t *reclen, } /* Create the random MAC we will emit if padding is bad */ - if (!RAND_bytes_ex(libctx, randmac, mac_size, 0)) + if (RAND_bytes_ex(libctx, randmac, mac_size, 0) <= 0) return 0; if (!ossl_assert(mac != NULL && alloced != NULL)) diff --git a/deps/openssl/openssl/ssl/s3_lib.c b/deps/openssl/openssl/ssl/s3_lib.c index 348d02d8bdaed2..0ce747bd4c8bf4 100644 --- a/deps/openssl/openssl/ssl/s3_lib.c +++ b/deps/openssl/openssl/ssl/s3_lib.c @@ -3448,7 +3448,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } - return SSL_set0_tmp_dh_pkey(s, pkdh); + if (!SSL_set0_tmp_dh_pkey(s, pkdh)) { + EVP_PKEY_free(pkdh); + return 0; + } + return 1; } break; case SSL_CTRL_SET_TMP_DH_CB: @@ -3771,7 +3775,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } - return SSL_CTX_set0_tmp_dh_pkey(ctx, pkdh); + if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkdh)) { + EVP_PKEY_free(pkdh); + return 0; + } + return 1; } case SSL_CTRL_SET_TMP_DH_CB: { 
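Review bot: Ownership of `pkdh` on failure moves from the callee to the caller in the two `s3_lib.c` hunks (`ssl3_ctrl` and `ssl3_ctx_ctrl`), matching the `EVP_PKEY_free(dhpkey)` lines removed from `SSL_set0_tmp_dh_pkey` and `SSL_CTX_set0_tmp_dh_pkey` in `ssl_lib.c`, but nothing in the new code states that contract. A caller written against the old behaviour now leaks the key on failure, and code that has to work against both behaviours cannot free it safely without risking a double free. A one-line comment above each setter would make the rule explicit: `/* On failure the caller keeps ownership of dhpkey and must free it */`.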
diff --git a/deps/openssl/openssl/ssl/ssl_cert.c b/deps/openssl/openssl/ssl/ssl_cert.c index 547e9b9ccdd805..21ce1684814cf8 100644 --- a/deps/openssl/openssl/ssl/ssl_cert.c +++ b/deps/openssl/openssl/ssl/ssl_cert.c @@ -362,6 +362,13 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg) c->cert_cb_arg = arg; } +/* + * Verify a certificate chain + * Return codes: + * 1: Verify success + * 0: Verify failure or error + * -1: Retry required + */ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) { X509 *x; @@ -423,10 +430,14 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) if (s->verify_callback) X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback); - if (s->ctx->app_verify_callback != NULL) + if (s->ctx->app_verify_callback != NULL) { i = s->ctx->app_verify_callback(ctx, s->ctx->app_verify_arg); - else + } else { i = X509_verify_cert(ctx); + /* We treat an error in the same way as a failure to verify */ + if (i < 0) + i = 0; + } s->verify_result = X509_STORE_CTX_get_error(ctx); sk_X509_pop_free(s->verified_chain, X509_free); @@ -625,7 +636,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file, ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); goto err; } - if (!BIO_read_filename(in, file)) + if (BIO_read_filename(in, file) <= 0) goto err; /* Internally lh_X509_NAME_retrieve() needs the libctx to retrieve SHA1 */ @@ -696,7 +707,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, goto err; } - if (!BIO_read_filename(in, file)) + if (BIO_read_filename(in, file) <= 0) goto err; for (;;) { diff --git a/deps/openssl/openssl/ssl/ssl_ciph.c b/deps/openssl/openssl/ssl/ssl_ciph.c index 2860870db33652..da5d3dcdc5fa8a 100644 --- a/deps/openssl/openssl/ssl/ssl_ciph.c +++ b/deps/openssl/openssl/ssl/ssl_ciph.c 
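Review bot: In `ssl_verify_cert_chain`, only the `X509_verify_cert()` result is clamped to 0; the value returned by `app_verify_callback` is passed through unchanged, and the new header comment defines only 1, 0 and -1. Combined with the `statem_clnt.c` hunk in this patch that narrows `i <= 0` to `i == 0`, a callback returning a negative value other than -1 is no longer rejected by that check; whether it is caught elsewhere depends on code outside these hunks. Consider normalising the callback result too, e.g. `if (i < -1) i = 0;`, or at least extend the comment to state that any other negative value from the callback is treated as a verification failure.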
@@ -1365,7 +1365,8 @@ static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id, return 1; } -static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list, +static int update_cipher_list(SSL_CTX *ctx, + STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list_by_id, STACK_OF(SSL_CIPHER) *tls13_ciphersuites) { @@ -1385,9 +1386,17 @@ static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list, (void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0); /* Insert the new TLSv1.3 ciphersuites */ - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) - sk_SSL_CIPHER_insert(tmp_cipher_list, - sk_SSL_CIPHER_value(tls13_ciphersuites, i), i); + for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) { + const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); + + /* Don't include any TLSv1.3 ciphersuites that are disabled */ + if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0 + && (ssl_cipher_table_mac[sslc->algorithm2 + & SSL_HANDSHAKE_MAC_MASK].mask + & ctx->disabled_mac_mask) == 0) { + sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc); + } + } if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) { sk_SSL_CIPHER_free(tmp_cipher_list); @@ -1405,7 +1414,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); if (ret && ctx->cipher_list != NULL) - return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id, + return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id, ctx->tls13_ciphersuites); return ret; @@ -1421,7 +1430,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str) s->cipher_list = sk_SSL_CIPHER_dup(cipher_list); } if (ret && s->cipher_list != NULL) - return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id, + return update_cipher_list(s->ctx, &s->cipher_list, &s->cipher_list_by_id, s->tls13_ciphersuites); return ret; 
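Review bot: The return value of `sk_SSL_CIPHER_unshift()` in the new loop of `update_cipher_list` is ignored, so an allocation failure silently drops a configured TLSv1.3 ciphersuite while the function can still report success. Since this list decides which suites are negotiated, fail instead: on a zero return call `sk_SSL_CIPHER_free(tmp_cipher_list);` and `return 0;`, as the `update_cipher_list_by_id` failure path just below already does. A short comment noting that the disabled masks are read from `ctx` would also help, because `SSL_set_ciphersuites` passes `s->ctx` and so filters by the parent context's settings.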
@@ -1638,6 +1647,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, } if (!sk_SSL_CIPHER_push(cipherstack, sslc)) { + OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); return NULL; } diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index db903a39563f18..718af4aa91bca7 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -566,7 +566,56 @@ static void clear_ciphers(SSL *s) ssl_clear_hash_ctx(&s->write_hash); } +#ifndef OPENSSL_NO_QUIC +int SSL_clear(SSL *s) +{ + if (!SSL_clear_not_quic(s)) + return 0; + return SSL_clear_quic(s); +} + +int SSL_clear_quic(SSL *s) +{ + OPENSSL_free(s->ext.peer_quic_transport_params_draft); + s->ext.peer_quic_transport_params_draft = NULL; + s->ext.peer_quic_transport_params_draft_len = 0; + OPENSSL_free(s->ext.peer_quic_transport_params); + s->ext.peer_quic_transport_params = NULL; + s->ext.peer_quic_transport_params_len = 0; + s->quic_read_level = ssl_encryption_initial; + s->quic_write_level = ssl_encryption_initial; + s->quic_latest_level_received = ssl_encryption_initial; + while (s->quic_input_data_head != NULL) { + QUIC_DATA *qd; + + qd = s->quic_input_data_head; + s->quic_input_data_head = qd->next; + OPENSSL_free(qd); + } + s->quic_input_data_tail = NULL; + BUF_MEM_free(s->quic_buf); + s->quic_buf = NULL; + s->quic_next_record_start = 0; + memset(s->client_hand_traffic_secret, 0, EVP_MAX_MD_SIZE); + memset(s->server_hand_traffic_secret, 0, EVP_MAX_MD_SIZE); + memset(s->client_early_traffic_secret, 0, EVP_MAX_MD_SIZE); + /* + * CONFIG - DON'T CLEAR + * s->ext.quic_transport_params + * s->ext.quic_transport_params_len + * s->quic_transport_version + * s->quic_method = NULL; + */ + return 1; +} +#endif + +/* Keep this conditional very local */ +#ifndef OPENSSL_NO_QUIC +int SSL_clear_not_quic(SSL *s) +#else int SSL_clear(SSL *s) +#endif { if (s->method == NULL) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED); 
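Review bot: `SSL_clear_quic` wipes the three traffic-secret buffers with `memset(..., 0, EVP_MAX_MD_SIZE)`; for key material `OPENSSL_cleanse()` is the usual choice, and the hard-coded length relies on each buffer being exactly `EVP_MAX_MD_SIZE` bytes, which this hunk does not show. If these fields are arrays, prefer `OPENSSL_cleanse(s->client_hand_traffic_secret, sizeof(s->client_hand_traffic_secret));` and the same for the other two. The trailing "CONFIG - DON'T CLEAR" comment lists `s->quic_method = NULL;` as if it were a statement; giving just the field name would be less ambiguous.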
@@ -1788,6 +1837,8 @@ static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, (s->waitctx, ssl_async_wait_ctx_cb, s)) return -1; } + + s->rwstate = SSL_NOTHING; switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args, sizeof(struct ssl_async_args))) { case ASYNC_ERR: @@ -6029,7 +6080,6 @@ int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey) if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) { ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); - EVP_PKEY_free(dhpkey); return 0; } EVP_PKEY_free(s->cert->dh_tmp); @@ -6042,7 +6092,6 @@ int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey) if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) { ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); - EVP_PKEY_free(dhpkey); return 0; } EVP_PKEY_free(ctx->cert->dh_tmp); diff --git a/deps/openssl/openssl/ssl/ssl_local.h b/deps/openssl/openssl/ssl/ssl_local.h index 151d4751f8e00c..93a825db326fb6 100644 --- a/deps/openssl/openssl/ssl/ssl_local.h +++ b/deps/openssl/openssl/ssl/ssl_local.h @@ -2858,6 +2858,11 @@ void custom_exts_free(custom_ext_methods *exts); void ssl_comp_free_compression_methods_int(void); +#ifndef OPENSSL_NO_QUIC +__owur int SSL_clear_not_quic(SSL *s); +__owur int SSL_clear_quic(SSL *s); +#endif + /* ssl_mcnf.c */ void ssl_ctx_system_config(SSL_CTX *ctx); diff --git a/deps/openssl/openssl/ssl/statem/README.md b/deps/openssl/openssl/ssl/statem/README.md index ef33f77c82a97a..ee49ed986371c5 100644 --- a/deps/openssl/openssl/ssl/statem/README.md +++ b/deps/openssl/openssl/ssl/statem/README.md @@ -56,7 +56,7 @@ Conceptually the state machine component is designed as follows: | | | | ____________V_______V________ ________V______V_______________ | | | | - | statem_both.c | | statem_dtls.c | + | statem_lib.c | | statem_dtls.c | | | | | | Non core functions common | | Non core functions common to | | to both servers and clients | | both DTLS servers and clients | 
diff --git a/deps/openssl/openssl/ssl/statem/extensions_clnt.c b/deps/openssl/openssl/ssl/statem/extensions_clnt.c index 640fe84fda4258..7b46074232798c 100644 --- a/deps/openssl/openssl/ssl/statem/extensions_clnt.c +++ b/deps/openssl/openssl/ssl/statem/extensions_clnt.c @@ -1718,7 +1718,11 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, /* Ignore if inappropriate ciphersuite */ if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD - && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4) + && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4 + && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT + && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12 + && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA + && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK) s->ext.use_etm = 1; return 1; @@ -1870,6 +1874,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, skey = EVP_PKEY_new(); if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); + EVP_PKEY_free(skey); return 0; } diff --git a/deps/openssl/openssl/ssl/statem/extensions_cust.c b/deps/openssl/openssl/ssl/statem/extensions_cust.c index a00194bf337004..401a4c5c76b104 100644 --- a/deps/openssl/openssl/ssl/statem/extensions_cust.c +++ b/deps/openssl/openssl/ssl/statem/extensions_cust.c 
@@ -145,11 +145,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, } /* - * Extensions received in the ClientHello are marked with the - * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent - * extensions in the ServerHello/EncryptedExtensions message + * Extensions received in the ClientHello or CertificateRequest are marked + * with the SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent + * extensions in the response messages */ - if ((context & SSL_EXT_CLIENT_HELLO) != 0) + if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)) + != 0) meth->ext_flags |= SSL_EXT_FLAG_RECEIVED; /* If no parse function set return success */ @@ -191,7 +192,7 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) { - /* Only send extensions present in ClientHello. */ + /* Only send extensions present in ClientHello/CertificateRequest */ if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED)) continue; } diff --git a/deps/openssl/openssl/ssl/statem/statem.c b/deps/openssl/openssl/ssl/statem/statem.c index cd4329992c90ce..0a11d2053d7fef 100644 --- a/deps/openssl/openssl/ssl/statem/statem.c +++ b/deps/openssl/openssl/ssl/statem/statem.c @@ -334,8 +334,13 @@ static int state_machine(SSL *s, int server) * If we are stateless then we already called SSL_clear() - don't do * it again and clear the STATELESS flag itself. */ +#ifndef OPENSSL_NO_QUIC + if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear_not_quic(s)) + return -1; +#else if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s)) return -1; +#endif } #ifndef OPENSSL_NO_SCTP if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { diff --git a/deps/openssl/openssl/ssl/statem/statem_clnt.c b/deps/openssl/openssl/ssl/statem/statem_clnt.c index 0d8a8d84fa0889..1cdf53390e80cb 100644 
--- a/deps/openssl/openssl/ssl/statem/statem_clnt.c +++ b/deps/openssl/openssl/ssl/statem/statem_clnt.c @@ -1886,7 +1886,7 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) * (less clean) historic behaviour of performing validation if any flag is * set. The *documented* interface remains the same. */ - if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { + if (s->verify_mode != SSL_VERIFY_NONE && i == 0) { SSLfatal(s, ssl_x509err2alert(s->verify_result), SSL_R_CERTIFICATE_VERIFY_FAILED); return WORK_ERROR; diff --git a/deps/openssl/openssl/ssl/statem/statem_lib.c b/deps/openssl/openssl/ssl/statem/statem_lib.c index 10754b4f6be181..b8bbe765847371 100644 --- a/deps/openssl/openssl/ssl/statem/statem_lib.c +++ b/deps/openssl/openssl/ssl/statem/statem_lib.c @@ -2415,6 +2415,8 @@ int tls13_save_handshake_digest_for_pha(SSL *s) if (!EVP_MD_CTX_copy_ex(s->pha_dgst, s->s3.handshake_dgst)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + EVP_MD_CTX_free(s->pha_dgst); + s->pha_dgst = NULL; return 0; } } diff --git a/deps/openssl/openssl/ssl/statem/statem_srvr.c b/deps/openssl/openssl/ssl/statem/statem_srvr.c index 61ef8a55fea0bd..90f3a99b1c32ab 100644 --- a/deps/openssl/openssl/ssl/statem/statem_srvr.c +++ b/deps/openssl/openssl/ssl/statem/statem_srvr.c @@ -1566,6 +1566,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto err; } } +#ifndef OPENSSL_NO_QUIC + if (SSL_IS_QUIC(s)) { + /* Any other QUIC checks on ClientHello here */ + if (clienthello->session_id_len > 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH); + goto err; + } + } +#endif } if (!PACKET_copy_all(&compression, clienthello->compressions, diff --git a/deps/openssl/openssl/ssl/t1_lib.c b/deps/openssl/openssl/ssl/t1_lib.c index 9345838f6ab1ac..fc32bb35567fdd 100644 --- a/deps/openssl/openssl/ssl/t1_lib.c +++ b/deps/openssl/openssl/ssl/t1_lib.c 
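Review bot: The new QUIC branch in `tls_process_client_hello` rejects a non-empty `session_id`, but its only comment is the placeholder "Any other QUIC checks on ClientHello here", and the reason code `SSL_R_LENGTH_MISMATCH` does not describe why the message was refused. A comment stating the rule would help whoever has to debug a failed handshake, e.g. `/* QUIC forbids TLS 1.3 middlebox compatibility mode: legacy_session_id must be empty (RFC 9001, section 8.4) */`. The enclosing function starts and ends outside the hunk.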
@@ -1267,6 +1267,8 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) for (i = 0; i < SSL_PKEY_NUM; i++) { const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); + if (clu == NULL) + continue; if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { idx = i; break; diff --git a/deps/openssl/openssl/ssl/tls_depr.c b/deps/openssl/openssl/ssl/tls_depr.c index 0b21ff766969c5..1761ba1d8ef1fd 100644 --- a/deps/openssl/openssl/ssl/tls_depr.c +++ b/deps/openssl/openssl/ssl/tls_depr.c @@ -27,6 +27,7 @@ void tls_engine_finish(ENGINE *e) const EVP_CIPHER *tls_get_cipher_from_engine(int nid) { + const EVP_CIPHER *ret = NULL; #ifndef OPENSSL_NO_ENGINE ENGINE *eng; @@ -36,15 +37,16 @@ const EVP_CIPHER *tls_get_cipher_from_engine(int nid) */ eng = ENGINE_get_cipher_engine(nid); if (eng != NULL) { + ret = ENGINE_get_cipher(eng, nid); ENGINE_finish(eng); - return EVP_get_cipherbynid(nid); } #endif - return NULL; + return ret; } const EVP_MD *tls_get_digest_from_engine(int nid) { + const EVP_MD *ret = NULL; #ifndef OPENSSL_NO_ENGINE ENGINE *eng; @@ -54,11 +56,11 @@ const EVP_MD *tls_get_digest_from_engine(int nid) */ eng = ENGINE_get_digest_engine(nid); if (eng != NULL) { + ret = ENGINE_get_digest(eng, nid); ENGINE_finish(eng); - return EVP_get_digestbynid(nid); } #endif - return NULL; + return ret; } #ifndef OPENSSL_NO_ENGINE diff --git a/deps/openssl/openssl/test/acvp_test.c b/deps/openssl/openssl/test/acvp_test.c index 0e2d54dab6b117..d8425f0d2071cb 100644 --- a/deps/openssl/openssl/test/acvp_test.c +++ b/deps/openssl/openssl/test/acvp_test.c @@ -71,7 +71,7 @@ static int pkey_get_bn_bytes(EVP_PKEY *pkey, const char *name, buf = OPENSSL_zalloc(sz); if (buf == NULL) goto err; - if (!BN_bn2binpad(bn, buf, sz)) + if (BN_bn2binpad(bn, buf, sz) <= 0) goto err; *out_len = sz; 
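Review bot: `tls_get_cipher_from_engine` and `tls_get_digest_from_engine` now return the pointer obtained from `ENGINE_get_cipher()` / `ENGINE_get_digest()` after `ENGINE_finish(eng)` has released the reference taken by the lookup. The returned method is therefore only valid while something else keeps the engine alive, and this hunk does not show what guarantees that. State the lifetime expectation in the function comment, for example `/* The returned method is owned by the engine; callers must not use it after the engine is unloaded */`.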
@@ -94,6 +94,7 @@ static int sig_gen(EVP_PKEY *pkey, OSSL_PARAM *params, const char *digest_name, size_t sig_len; size_t sz = EVP_PKEY_get_size(pkey); + sig_len = sz; if (!TEST_ptr(sig = OPENSSL_malloc(sz)) || !TEST_ptr(md_ctx = EVP_MD_CTX_new()) || !TEST_int_eq(EVP_DigestSignInit_ex(md_ctx, NULL, digest_name, libctx, @@ -164,7 +165,7 @@ static int ecdsa_create_pkey(EVP_PKEY **pkey, const char *curve_name, pub, pub_len) > 0) || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_PUBLIC_KEY, params), expected)) goto err; @@ -339,7 +340,7 @@ static EVP_PKEY *dsa_paramgen(int L, int N) EVP_PKEY *param_key = NULL; if (!TEST_ptr(paramgen_ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", NULL)) - || !TEST_true(EVP_PKEY_paramgen_init(paramgen_ctx)) + || !TEST_int_gt(EVP_PKEY_paramgen_init(paramgen_ctx), 0) || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_bits(paramgen_ctx, L)) || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_q_bits(paramgen_ctx, N)) || !TEST_true(EVP_PKEY_paramgen(paramgen_ctx, ¶m_key))) @@ -415,7 +416,7 @@ static int dsa_paramgen_test(int id) const struct dsa_paramgen_st *tst = &dsa_paramgen_data[id]; if (!TEST_ptr(paramgen_ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", NULL)) - || !TEST_true(EVP_PKEY_paramgen_init(paramgen_ctx)) + || !TEST_int_gt(EVP_PKEY_paramgen_init(paramgen_ctx), 0) || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_bits(paramgen_ctx, tst->L)) || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_q_bits(paramgen_ctx, tst->N)) || !TEST_true(EVP_PKEY_paramgen(paramgen_ctx, ¶m_key)) 
@@ -503,8 +504,9 @@ static int dsa_create_pkey(EVP_PKEY **pkey, } if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_PUBLIC_KEY, params))) + || !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_PUBLIC_KEY, + params), 1)) goto err; ret = 1; @@ -924,7 +926,7 @@ static int dh_create_pkey(EVP_PKEY **pkey, const char *group_name, if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_KEYPAIR, params), pass)) goto err; @@ -1033,8 +1035,9 @@ static int rsa_create_pkey(EVP_PKEY **pkey, } if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_KEYPAIR, params))) + || !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_KEYPAIR, params), + 1)) goto err; ret = 1; @@ -1258,7 +1261,7 @@ static int rsa_decryption_primitive_test(int id) test_output_memory("n", n, n_len); test_output_memory("e", e, e_len); - if (!EVP_PKEY_decrypt(ctx, pt, &pt_len, tst->ct, tst->ct_len)) + if (EVP_PKEY_decrypt(ctx, pt, &pt_len, tst->ct, tst->ct_len) <= 0) TEST_note("Decryption Failed"); else test_output_memory("pt", pt, pt_len); diff --git a/deps/openssl/openssl/test/afalgtest.c b/deps/openssl/openssl/test/afalgtest.c index f0bdb262710020..02947c1ed3655f 100644 --- a/deps/openssl/openssl/test/afalgtest.c +++ b/deps/openssl/openssl/test/afalgtest.c 
@@ -24,26 +24,7 @@ #ifndef OPENSSL_NO_ENGINE static ENGINE *e; -#endif - -#ifndef OPENSSL_NO_AFALGENG -# include -# define K_MAJ 4 -# define K_MIN1 1 -# define K_MIN2 0 -# if LINUX_VERSION_CODE < KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2) -/* - * If we get here then it looks like there is a mismatch between the linux - * headers and the actual kernel version, so we have tried to compile with - * afalg support, but then skipped it in e_afalg.c. As far as this test is - * concerned we behave as if we had been configured without support - */ -# define OPENSSL_NO_AFALGENG -# endif -#endif - -#ifndef OPENSSL_NO_AFALGENG static int test_afalg_aes_cbc(int keysize_idx) { EVP_CIPHER_CTX *ctx; @@ -127,9 +108,25 @@ static int test_afalg_aes_cbc(int keysize_idx) EVP_CIPHER_CTX_free(ctx); return ret; } -#endif -#ifndef OPENSSL_NO_ENGINE +static int test_pr16743(void) +{ + int ret = 0; + const EVP_CIPHER * cipher; + EVP_CIPHER_CTX *ctx; + + if (!TEST_true(ENGINE_init(e))) + return 0; + cipher = ENGINE_get_cipher(e, NID_aes_128_cbc); + ctx = EVP_CIPHER_CTX_new(); + if (cipher != NULL && ctx != NULL) + ret = EVP_EncryptInit_ex(ctx, cipher, e, NULL, NULL); + TEST_true(ret); + EVP_CIPHER_CTX_free(ctx); + ENGINE_finish(e); + return ret; +} + int global_init(void) { ENGINE_load_builtin_engines(); @@ -147,9 +144,8 @@ int setup_tests(void) /* Probably a platform env issue, not a test failure. */ TEST_info("Can't load AFALG engine"); } else { -# ifndef OPENSSL_NO_AFALGENG ADD_ALL_TESTS(test_afalg_aes_cbc, 3); -# endif + ADD_TEST(test_pr16743); } #endif diff --git a/deps/openssl/openssl/test/algorithmid_test.c b/deps/openssl/openssl/test/algorithmid_test.c index ce5fbffc2230a2..0104425c1d4af3 100644 --- a/deps/openssl/openssl/test/algorithmid_test.c +++ b/deps/openssl/openssl/test/algorithmid_test.c 
@@ -48,7 +48,7 @@ static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename) goto end; X509_ALGOR_get0(&oid, NULL, NULL, alg); - if (!TEST_true(OBJ_obj2txt(name, sizeof(name), oid, 0))) + if (!TEST_int_gt(OBJ_obj2txt(name, sizeof(name), oid, 0), 0)) goto end; /* diff --git a/deps/openssl/openssl/test/bio_enc_test.c b/deps/openssl/openssl/test/bio_enc_test.c index aeca062f3f0c39..b383cdce1c53ff 100644 --- a/deps/openssl/openssl/test/bio_enc_test.c +++ b/deps/openssl/openssl/test/bio_enc_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -51,6 +51,8 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, /* reference output for single-chunk operation */ b = BIO_new(BIO_f_cipher()); + if (!TEST_ptr(b)) + return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) return 0; BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); @@ -60,6 +62,8 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, /* perform split operations and compare to reference */ for (i = 1; i < lref; i++) { b = BIO_new(BIO_f_cipher()); + if (!TEST_ptr(b)) + return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Split encrypt failed @ operation %d", i); return 0; @@ -87,6 +91,8 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, int delta; b = BIO_new(BIO_f_cipher()); + if (!TEST_ptr(b)) + return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Small chunk encrypt failed @ operation %d", i); return 0; 
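Review bot: In do_bio_cipher the added `TEST_ptr(b)` guards cover `BIO_new(BIO_f_cipher())`, but in the first bio_enc_test.c hunk the `BIO_new_mem_buf(inp, DATA_SIZE)` result is still handed to `BIO_push()` unchecked. The `return 0` that follows a failed `BIO_set_cipher()` also leaves `b` allocated, which matters when the test runs under a leak checker. The set-cipher failure path could become `{ BIO_free_all(b); return 0; }`, and the memory BIO could be checked with `TEST_ptr` before the push. The same early-return pattern appears in the other five hunks of this function; its body starts and ends outside them.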
@@ -108,6 +114,8 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, /* reference output for single-chunk operation */ b = BIO_new(BIO_f_cipher()); + if (!TEST_ptr(b)) + return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) return 0; /* Use original reference output as input */ @@ -123,6 +131,8 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, /* perform split operations and compare to reference */ for (i = 1; i < lref; i++) { b = BIO_new(BIO_f_cipher()); + if (!TEST_ptr(b)) + return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) { TEST_info("Split decrypt failed @ operation %d", i); return 0; @@ -150,6 +160,8 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, int delta; b = BIO_new(BIO_f_cipher()); + if (!TEST_ptr(b)) + return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) { TEST_info("Small chunk decrypt failed @ operation %d", i); return 0; diff --git a/deps/openssl/openssl/test/bio_prefix_text.c b/deps/openssl/openssl/test/bio_prefix_text.c index 4fc468a97687f5..d31b71b4ce0848 100644 --- a/deps/openssl/openssl/test/bio_prefix_text.c +++ b/deps/openssl/openssl/test/bio_prefix_text.c @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -211,7 +211,7 @@ static int setup(void) progname, idx, amount - 1); return 0; } - if (!BIO_set_indent(chain[idx], (long)indent)) { + if (BIO_set_indent(chain[idx], (long)indent) <= 0) { BIO_printf(bio_err, "%s: failed setting indentation: %s", progname, arg); return 0; 
@@ -242,7 +242,7 @@ static int setup(void) progname, idx, amount - 1); return 0; } - if (!BIO_set_prefix(chain[idx], colon)) { + if (BIO_set_prefix(chain[idx], colon) <= 0) { BIO_printf(bio_err, "%s: failed setting prefix: %s", progname, arg); return 0; diff --git a/deps/openssl/openssl/test/bntest.c b/deps/openssl/openssl/test/bntest.c index 86fa163c6e1590..fa9fc07ceff924 100644 --- a/deps/openssl/openssl/test/bntest.c +++ b/deps/openssl/openssl/test/bntest.c @@ -30,7 +30,6 @@ /* * Things in boring, not in openssl. */ -#define HAVE_BN_PADDED 0 #define HAVE_BN_SQRT 0 typedef struct filetest_st { 
@@ -631,6 +630,51 @@ static int test_modexp_mont5(void) if (!TEST_BN_eq(c, d)) goto err; + /* + * Regression test for overflow bug in bn_sqr_comba4/8 for + * mips-linux-gnu and mipsel-linux-gnu 32bit targets. + */ + { + static const char *ehex[] = { + "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee", + "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5", + "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a", + "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985", + "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1", + "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680", + "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e", + "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465", + NULL}; + static const char *phex[] = { + "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241", + "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31", + "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053", + "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439", + "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5", + "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813", + "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4", + "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5", + NULL}; + static const char *mhex[] = { + "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f", + "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3", + "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900", + "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b", + "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc", + "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647", + "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c", + 
"b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b", + NULL}; + + if (!TEST_true(parse_bigBN(&e, ehex)) + || !TEST_true(parse_bigBN(&p, phex)) + || !TEST_true(parse_bigBN(&m, mhex)) + || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) + || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx)) + || !TEST_BN_eq(a, d)) + goto err; + } + /* Zero input */ if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0))) goto err; 
@@ -1734,52 +1778,52 @@ static int file_gcd(STANZA *s) static int test_bn2padded(void) { -#if HAVE_BN_PADDED uint8_t zeros[256], out[256], reference[128]; - BIGNUM *n = BN_new(); + size_t bytes; + BIGNUM *n; int st = 0; /* Test edge case at 0. */ - if (n == NULL) + if (!TEST_ptr((n = BN_new()))) goto err; - if (!TEST_true(BN_bn2bin_padded(NULL, 0, n))) + if (!TEST_int_eq(BN_bn2binpad(n, NULL, 0), 0)) goto err; memset(out, -1, sizeof(out)); - if (!TEST_true(BN_bn2bin_padded(out, sizeof(out)), n)) + if (!TEST_int_eq(BN_bn2binpad(n, out, sizeof(out)), sizeof(out))) goto err; memset(zeros, 0, sizeof(zeros)); if (!TEST_mem_eq(zeros, sizeof(zeros), out, sizeof(out))) goto err; /* Test a random numbers at various byte lengths. */ - for (size_t bytes = 128 - 7; bytes <= 128; bytes++) { + for (bytes = 128 - 7; bytes <= 128; bytes++) { # define TOP_BIT_ON 0 # define BOTTOM_BIT_NOTOUCH 0 if (!TEST_true(BN_rand(n, bytes * 8, TOP_BIT_ON, BOTTOM_BIT_NOTOUCH))) goto err; - if (!TEST_int_eq(BN_num_bytes(n),A) bytes - || TEST_int_eq(BN_bn2bin(n, reference), bytes)) + if (!TEST_int_eq(BN_num_bytes(n), bytes) + || !TEST_int_eq(BN_bn2bin(n, reference), bytes)) goto err; /* Empty buffer should fail. */ - if (!TEST_int_eq(BN_bn2bin_padded(NULL, 0, n)), 0) + if (!TEST_int_eq(BN_bn2binpad(n, NULL, 0), -1)) goto err; /* One byte short should fail. */ - if (BN_bn2bin_padded(out, bytes - 1, n)) + if (!TEST_int_eq(BN_bn2binpad(n, out, bytes - 1), -1)) goto err; /* Exactly right size should encode. */ - if (!TEST_true(BN_bn2bin_padded(out, bytes, n)) - || TEST_mem_eq(out, bytes, reference, bytes)) + if (!TEST_int_eq(BN_bn2binpad(n, out, bytes), bytes) + || !TEST_mem_eq(out, bytes, reference, bytes)) goto err; /* Pad up one byte extra. */ - if (!TEST_true(BN_bn2bin_padded(out, bytes + 1, n)) + if (!TEST_int_eq(BN_bn2binpad(n, out, bytes + 1), bytes + 1) || !TEST_mem_eq(out + 1, bytes, reference, bytes) || !TEST_mem_eq(out, 1, zeros, 1)) goto err; /* Pad up to 256. 
*/ - if (!TEST_true(BN_bn2bin_padded(out, sizeof(out)), n) + if (!TEST_int_eq(BN_bn2binpad(n, out, sizeof(out)), sizeof(out)) || !TEST_mem_eq(out + sizeof(out) - bytes, bytes, reference, bytes) - || !TEST_mem_eq(out, sizseof(out) - bytes, + || !TEST_mem_eq(out, sizeof(out) - bytes, zeros, sizeof(out) - bytes)) goto err; } @@ -1788,9 +1832,6 @@ static int test_bn2padded(void) err: BN_free(n); return st; -#else - return ctx != NULL; -#endif } static int test_dec2bn(void) diff --git a/deps/openssl/openssl/test/build.info b/deps/openssl/openssl/test/build.info index 2e209b45c7e338..0f379e11e222fb 100644 --- a/deps/openssl/openssl/test/build.info +++ b/deps/openssl/openssl/test/build.info @@ -62,7 +62,7 @@ IF[{- !$disabled{tests} -}] context_internal_test aesgcmtest params_test evp_pkey_dparams_test \ keymgmt_internal_test hexstr_test provider_status_test defltfips_test \ bio_readbuffer_test user_property_test pkcs7_test upcallstest \ - provfetchtest prov_config_test + provfetchtest prov_config_test rand_test IF[{- !$disabled{'deprecated-3.0'} -}] PROGRAMS{noinst}=enginetest @@ -84,6 +84,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[sanitytest]=../include ../apps/include DEPEND[sanitytest]=../libcrypto libtestutil.a + SOURCE[rand_test]=rand_test.c + INCLUDE[rand_test]=../include ../apps/include + DEPEND[rand_test]=../libcrypto libtestutil.a + SOURCE[rsa_complex]=rsa_complex.c INCLUDE[rsa_complex]=../include ../apps/include @@ -840,6 +844,11 @@ IF[{- !$disabled{tests} -}] INCLUDE[provider_fallback_test]=../include ../apps/include DEPEND[provider_fallback_test]=../libcrypto libtestutil.a + PROGRAMS{noinst}=provider_pkey_test + SOURCE[provider_pkey_test]=provider_pkey_test.c fake_rsaprov.c + INCLUDE[provider_pkey_test]=../include ../apps/include + DEPEND[provider_pkey_test]=../libcrypto libtestutil.a + PROGRAMS{noinst}=params_test SOURCE[params_test]=params_test.c INCLUDE[params_test]=.. ../include ../apps/include 
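Review bot: In test_bn2padded `bytes` is declared `size_t`, but every use feeds it to an `int` parameter: `BN_rand(n, bytes * 8, ...)`, `BN_bn2binpad(n, out, bytes - 1)`, and both operands of `TEST_int_eq`, which is also used to compare against `sizeof(out)`. The values stay at or below 256, so nothing is truncated, but the implicit conversions are noise under sign-conversion warnings. Declaring `int bytes;` and comparing with `(int)sizeof(out)` would keep the types consistent with the `int` that BN_bn2binpad returns. The local `TOP_BIT_ON`/`BOTTOM_BIT_NOTOUCH` macros in the loop could give way to the existing `BN_RAND_TOP_ONE` and `BN_RAND_BOTTOM_ANY` constants.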
diff --git a/deps/openssl/openssl/test/certs/cross-key.pem b/deps/openssl/openssl/test/certs/cross-key.pem new file mode 100644 index 00000000000000..93cd467ac7021f --- /dev/null +++ b/deps/openssl/openssl/test/certs/cross-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCSkfwkYXTJFL4I +ICRQFXji6eX9I1NI97GBu2Yk8ejwctMttcJTlBLYpYRFQnZgsLwVEhA25KKlSNPz +PPrEVipT5Ll5J6uhWEBGLHETh8Qx4sI508B2zUP+2tnDapYtk5MNSVdQZXVt6wJu +sXY8vd58nHPLo4zr61MTwrj3Ld0lU18YHtxnGSMMYPPTxecE0mjYU038ELxZMdlT ++VSC0KOBJddj64+kXRdiDtQGVWE58MtX5/18LgSY3J/hvNhmcWuY611pgXcmwDPr +Sn1fDeRqG87Qs8KniS1dtWHDCVW/5KZOQeLcK6VTaEdnwdPYQ7BiJp4+3ypKmErd +T9TYBs8XAgMBAAECggEABIxdeGpm8DjGRgSQLjLg88CNPWG89sBrQk0SbvQ1HJfq +dJXRDxgMFtBsFTfX6kla3xfyHpQ/dY4qJZvmQNBXIQ/oiqumw9Ah153qlGJJmXdG +PEQDEz7+2lExawwmjgk6Uvs58LMHmCNUibUdzHgsdZcwudq8R6FWZ8lvIIo6GOJg +1gOoPbeAQtNAx8LPr+eDvpXoWJrCKJKuZCSRLV2CDmEH/+KH123cD4Lg+MsPNBJd +DsOitnVczlqnKDf5gSUXy3cwQlKFtOBa/0pN9wZvZDEWa30RmJmXI2bLo/h6GxGB +JXK57mTJG3UboWFIgNBU9IudPOdzDfJE1ul/Jon/AQKBgQC7/mmZg31a/8zlPLji +oWoEEutyNu0O28BCbBrw9t1SqtPFLm53AzIzB4RFVjn9i5dnxljh618KQiY4FbKM +mz1Yuzf7zCV7n8c1NakGwmW9Ezl8ZoLE44Nu7Pccukorl6uEY7kZa2vGa7krmIcI +6kFbvVbl4scbXlDL88hGHezhoQKBgQDHl3O8kOvOhIwfVH6qIjIO+0oR57Tqtwaw +A3oq6Ppdp65GK9G4f+/5L0z/Ay69MyauBLRA6+9LlW6SmAACSK69juvPMK6gd5uS +yWQ8imh6l304BAryjOHiNXHtpnmiaPAGNgFZKPsPbWlOo4ZexTEBq23i4JM1TUph +xpCmGY1ltwKBgEuYyPo0iAo55zkfq/Fmm2079nYdZEKfV7beJg9UFjgR/crDGyS8 +okkm8qe3PuaYZbATcNaYgcVsSFYxU3V7T7YIw0B8HW6TF9Zr16aiMatQucMurdNi +8g1/OPfSadURzqUUPPDd458M3o+LbHHHUbUEdJdJFGwLB06cn6KikglBAoGAMz8M +xV7EXOsleynbt9090yDsPLqsdhN2UR0jcf8NwZw7H+NCXsfimq1tbJCpoISQqt+k +VIL/lv2QPW1vmyaET0FyBGmwfJ0ZQdAZv32eI9Pfn9FR6kMIAGfOj8FNu8iL0Fxv +bjAafjSOdFWCO7UPxyj39ufIhEgLEB3GqA8pgfMCgYEAn/1Ov1Lu4MWq+72LygqG +78rxk6rIGGET64grG1CSjkylQ9mo14jG6O1lM4fwTjlbGQrKGtzQtL785dW+t5uH +zC2lDRDp8of+ErC31e+N4YDMdUHWeRBgHDYgsx4EgI0jNb02/UlziL1eARBpnfz6 +tw1erVdMmlA3LRBR5Mj+xso= +-----END PRIVATE KEY----- 
diff --git a/deps/openssl/openssl/test/certs/cross-root.pem b/deps/openssl/openssl/test/certs/cross-root.pem new file mode 100644 index 00000000000000..dca5b10b91fa68 --- /dev/null +++ b/deps/openssl/openssl/test/certs/cross-root.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z +cyBSb290MCAXDTIxMDgzMDE4MzMyNloYDzIxMjEwODMxMTgzMzI2WjAVMRMwEQYD +VQQDDApDcm9zcyBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +kpH8JGF0yRS+CCAkUBV44unl/SNTSPexgbtmJPHo8HLTLbXCU5QS2KWERUJ2YLC8 +FRIQNuSipUjT8zz6xFYqU+S5eSeroVhARixxE4fEMeLCOdPAds1D/trZw2qWLZOT +DUlXUGV1besCbrF2PL3efJxzy6OM6+tTE8K49y3dJVNfGB7cZxkjDGDz08XnBNJo +2FNN/BC8WTHZU/lUgtCjgSXXY+uPpF0XYg7UBlVhOfDLV+f9fC4EmNyf4bzYZnFr +mOtdaYF3JsAz60p9Xw3kahvO0LPCp4ktXbVhwwlVv+SmTkHi3CulU2hHZ8HT2EOw +YiaePt8qSphK3U/U2AbPFwIDAQABo1MwUTAdBgNVHQ4EFgQUL16/ihJvr2w9I5k6 +3jjZ13SPW20wHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0T +AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUiqf8oQaPX3aW6I+dcRhsq5g +bpYF0X5jePk6UqWu86YcmpoRtGLH7e5aHGJYqrVrkOoo0q4eTL3Pm1/sB3omPRMb +ey/i7Z70wwd5yI8iz/WBmQDahYxq5wSDsUSdZDL0kSyoU2jCwXUPtuC6F1kMZBFI +uUeaFcF8oKVGuOHvZgj/FMBpT7tyjdPpDG4uo6AT04AKGhf5xO5UY2N+uqmEsXHK +HsKAEMrVhdeU5mbrfifvSkMYcYgJOX1KFP+t4U+ogqCHy1/Nfhq+WG1XN5GwhtuO +ze25NqI6ZvA2og4AoeIzvJ/+Nfl5PNtClm0IjbGvR77oOBMs71lO4GjUYj9eiw== +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/goodcn2-cert.pem b/deps/openssl/openssl/test/certs/goodcn2-cert.pem new file mode 100644 index 00000000000000..d22f899636e704 --- /dev/null +++ b/deps/openssl/openssl/test/certs/goodcn2-cert.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu +Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe +kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0 +UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B +0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR +Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9 +QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX +dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn +ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G +CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8 +S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM +D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2 +1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L +yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg +fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/goodcn2-chain.pem b/deps/openssl/openssl/test/certs/goodcn2-chain.pem new file mode 100644 index 00000000000000..01b7f47f7d65c2 --- /dev/null +++ b/deps/openssl/openssl/test/certs/goodcn2-chain.pem 
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu +Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe +kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0 +UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B +0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR +Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9 +QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX +dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn +ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G +CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8 +S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM +D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2 +1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L +yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg +fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTk0NFoYDzIxMjAxMjEzMjAxOTQ0WjAXMRUwEwYDVQQD +DAxUZXN0IE5DIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC +XjL5JEImsGFW5whlXCfDTeqjZAVb+rSXAhZQ25bP9YvhsbmPVYe8A61zwGStl2rF +mChzN9/+LA40/lh0mjCV82mfNp1XLRPhE9sPGXwfLgJGCy/d6pp/8yGuFmkWPus9 +bhxlOk7ADw4e3R3kVdwn9I3O3mIrI+I45ywZpzrbs/NGFiqhRxXbZTAKyI4INxgB +VZfkoxqesnjD1j36fq7qEVas6gVm27YA9b+31ofFLM7WN811LQELwTdWiF0/xXiO +XawU1QnkrNPxCSPWyeaM4tN50ZPRQA/ArV4I7szKhKskRzGwFgdaxorYn8c+2gTq +fedLPvNw1WPryAumidqTAgMBAAGjgb8wgbwwDwYDVR0TAQH/BAUwAwEB/zALBgNV +HQ8EBAMCAQYwHQYDVR0OBBYEFAjRm/nm1WRwoPFrGp7tUtrd9VBDMB8GA1UdIwQY +MBaAFI71Ja8em2uEPXyAmslTnE1y96NSMFwGA1UdHgRVMFOgUTAOggx3d3cuZ29v +ZC5vcmcwCoIIZ29vZC5jb20wD4ENZ29vZEBnb29kLm9yZzAKgQhnb29kLmNvbTAK 
+hwh/AAAB/////zAKhwjAqAAA//8AADANBgkqhkiG9w0BAQsFAAOCAQEAVyRsB6B8 +iCYZxBTOO10Bor+Q4xxgs0udVR90/tM57P8GHd10e8suaW2Dtg9stxZJ3cmsn3zd ++QNxNIQuwHTNtVU0OSqKv6puj6ZQETSya4jDAmRqY47R866MHkSwLUYDMFtuM1Wy +gnoD5m1/Uy1K/Wvbnp1Zq4jtTB6su8TmIdJgtpEmte7tIQu5kPXsuJrz/x5a1TfR +hu7h4LJYwKlQtd/LRINnHKd241YSE7PVdG8SPxyrX11hJSC+1Z5Epxc6BCVDVN1E +fyVDdLXvKf30Nlbg2hZfO/cGTmwOt7RImygzhV/s41v4wtMW0EPuVanGQusRgHFm +3JC//UMgfkkwAA== +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/goodcn2-key.pem b/deps/openssl/openssl/test/certs/goodcn2-key.pem new file mode 100644 index 00000000000000..09337552a7fa13 --- /dev/null +++ b/deps/openssl/openssl/test/certs/goodcn2-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDqx1t7HiPekRAW +diGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0UZ6R +ZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B0led +8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJRIg93 +qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9QDyJ +VuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmXdwSp +0LEmQb/DAgMBAAECggEAIdXrXDoCx1+2ptYNjuZIvqghBhNa38foP9YLYGOCZI82 +QUoIUWvJLY/74E3GI6GwjExhVbbo05ZzuNafv4fecMlx9YIerAytje5RSvw8FvPO +rP/RF/CSzFhB+KxCNbPt5fPYGOoUrfjHgc74jyqHEPsYsseDSe0O5UOLkZHaRHQX +bOhj/lXCN1KKsK+UXscRO55T5SRmHAe4RWaXX3Z4H6FGabKY+AVkT5GWq814PIFU +amoch4TwAKgAY8h7kpkfVgLNe3hLddLU0roakfM1cZdpf9n0EGGi21KluNvSa09a +tiDifv5WDkIQ/Ca2fUvE27atMb1gm4bUzp5OoTWhoQKBgQDrfuxqvouVvM3AyxUY +e6r7vegg5NiODjpBlT/QUqJjhqTSw6Tq4/f5VWnLy3bzipwvzxFQ8E2LjQMtl2Su +aQ8jSb9jwpmmWCoOecRExWgboYPzpczhnXpF4DIYhyomBKTBVbk9EI0wJ/tx9F1B +XCHhA3z8tJvkPTM+QAGGJxdcEQKBgQD/OHN4ujRZ5NgXZp4L9VDosMREvRUbwz+4 +7fgQ70JKdWIVbKFa5/TVIObspLZoRI0jaa4OaaE3v6rqF/yxdPsaPAXW7URR7K52 +HbI41skH0bcflISDdeTpqmlIRAzHG7MeAobV/ARmCnLpa7Lt4p8wT+zAzuY+ncv3 +DabNjePCkwKBgQDoVH/Jj9MGFw6mdbSKQvedBO5OBXfgLgkrSqN6UwwCRIO3q2y4 +j8/FHI8Tj9f6zXTpddAPmgPm+Wd5QzMBHoTgu5EmSoZrpe9X+Km5b0gWenJDnf9T +Vpma9mR17mOWvl4MnxXxOLMSH1/iPMMECHEkHNziMwzZT8eOUncucsKJAQKBgEnp +62c3ZhnysLJ2Qads8HWzW+QcbpSPw1CneoRNBoHR5QoXX9OYAcwHr1kxirI/yDBN +Vt9NsCcZF0Kcl8489svuPjK0nGithwkmKItViPr+vW4j8QyxhA44EC2hp6GyX/l8 ++dfXGN8Ef6siSbujOj8fpo1gXkYcJQnzpi85vJCJAoGAdheX12Afx94YbljuaCdT +T/E+t6xHHnDCpETHmsLh53H03Kv91JCrANMu+BZzKUXI+FW06GJB43S26hF5s+k5 +ZAjJKpgbVC1Jo4Zq5SjlCQhiOvwJ9rt2/6g7qzHZsQMjY/FZKd+8PMgPxWkvjeI7 +lAagooTJyC/VDf6LB05mitg= +-----END PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/certs/mkcert.sh b/deps/openssl/openssl/test/certs/mkcert.sh index 8ccf7bc6e376f2..c3f7ac14b5e329 100755 --- a/deps/openssl/openssl/test/certs/mkcert.sh +++ b/deps/openssl/openssl/test/certs/mkcert.sh 
@@ -195,6 +195,23 @@ genpc() { -set_serial 2 -days "${DAYS}" } +geneeconfig() { + local key=$1; shift + local cert=$1; shift + local cakey=$1; shift + local ca=$1; shift + local conf=$1; shift + + exts=$(printf "%s\n%s\n%s\n%s\n" \ + "subjectKeyIdentifier = hash" \ + "authorityKeyIdentifier = keyid" \ + "basicConstraints = CA:false"; \ + echo "$conf") + + cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ + -set_serial 2 -days "${DAYS}" +} + # Usage: $0 geneealt keyname certname cakeyname cacertname alt1 alt2 ... # # Note: takes csr on stdin, so must be used with $0 req like this: @@ -206,15 +223,11 @@ geneealt() { local cakey=$1; shift local ca=$1; shift - exts=$(printf "%s\n%s\n%s\n%s\n" \ - "subjectKeyIdentifier = hash" \ - "authorityKeyIdentifier = keyid" \ - "basicConstraints = CA:false" \ - "subjectAltName = @alts"; + conf=$(echo "subjectAltName = @alts" echo "[alts]"; - for x in "$@"; do echo $x; done) - cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ - -set_serial 2 -days "${DAYS}" + for x in "$@"; do echo "$x"; done) + + geneeconfig $key $cert $cakey $ca "$conf" } genee() { diff --git a/deps/openssl/openssl/test/certs/root-cross-cert.pem b/deps/openssl/openssl/test/certs/root-cross-cert.pem new file mode 100644 index 00000000000000..1339c328733e29 --- /dev/null +++ b/deps/openssl/openssl/test/certs/root-cross-cert.pem 
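Review bot: `geneeconfig` keeps the four-slot format `"%s\n%s\n%s\n%s\n"` but passes only three strings, so printf emits an empty fourth line ahead of `$conf`; `printf "%s\n%s\n%s\n"` matches the arguments. `exts` is assigned without `local`, unlike the five parameters declared above it. The function has no `# Usage:` comment like its neighbours, and the caller added in setup.sh passes only four arguments, which leaves `conf` empty and the last `shift` with nothing to shift. If that is intended, `local conf=${1:-}` plus a usage line marking the argument as optional would make it explicit.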
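Review bot: In geneealt the new call `geneeconfig $key $cert $cakey $ca "$conf"` expands the four names unquoted, so a name containing whitespace or glob characters would be split or expanded before it reaches geneeconfig. The same hunk already quotes `"$x"` and `"$conf"`, so this looks like an oversight; `geneeconfig "$key" "$cert" "$cakey" "$ca" "$conf"` is the consistent form. `conf` is also assigned without `local` here.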
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z +cyBSb290MCAXDTIxMDgzMDE4MzYzOFoYDzIxMjEwODMxMTgzNjM4WjASMRAwDgYD +VQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA +9Qa8oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25 +ZyjSfeMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3 +ngfNwCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6L +fi7gMUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7O +Jb3uaa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2F +f3fftWgiQ35mJCOvxQIDAQABo1MwUTAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOc +TXL3o1IwHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0TAQH/ +BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHi+qdZF/jJrR/F3L60JVLOOUhTpi +LxFFBksZPVaiVf+6R8pSMy0WtDEkzGT430ji6V4i8O/70HXIG9n9pCye8sLsOl6D +exXj/MkwwSd3J0Y58zd8ZwMrK9m/jyFrk9TlWokfIFL/eC8VFsu7qmSSRLIjMuxc +YPPisgR5+WPcus7Jf8auqcYw8eW0GPc1ugJobwucs5e/TinksMfwQrzEydmOPoWI +Pfur7MjPr5IQXROtQv+CihMigPIHvi73YzSe5zdPCw8JcuZ5vBi2pwquvzvGLtMM +Btln/SwonyQMks5WV4dOk6NOB73mCMywCir4ybp9ElJMaUGEF9nLO+h8Fg== +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/setup.sh b/deps/openssl/openssl/test/certs/setup.sh index c4a6f28fc9c2f8..21f9355b8ba33f 100755 --- a/deps/openssl/openssl/test/certs/setup.sh +++ b/deps/openssl/openssl/test/certs/setup.sh @@ -7,6 +7,9 @@ ./mkcert.sh genroot "Root CA" root-key2 root-cert2 ./mkcert.sh genroot "Root Cert 2" root-key root-name2 DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired +# cross root and root cross cert +./mkcert.sh genroot "Cross Root" cross-key cross-root +./mkcert.sh genca "Root CA" root-key root-cross-cert cross-key cross-root # trust variants: +serverAuth -serverAuth +clientAuth -clientAuth, openssl x509 -in root-cert.pem -trustout \ -addtrust serverAuth -out root+serverAuth.pem 
@@ -279,6 +282,12 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \ "IP = 127.0.0.1" "IP = 192.168.0.1" +# all DNS-like CNs allowed by CA1, no SANs + +./mkcert.sh req goodcn2-key "O = Good NC Test Certificate 1" \ + "CN=www.good.org" | \ + ./mkcert.sh geneeconfig goodcn2-key goodcn2-cert ncca1-key ncca1-cert + # Some DNS-like CNs not permitted by CA1, no DNS SANs. ./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \ diff --git a/deps/openssl/openssl/test/dane-cross.in b/deps/openssl/openssl/test/dane-cross.in new file mode 100644 index 00000000000000..81252a110e9669 --- /dev/null +++ b/deps/openssl/openssl/test/dane-cross.in 
@@ -0,0 +1,113 @@ +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# Blank and comment lines ignored. +# +# The first line in each block takes the form: +# +# +# +# It is followed by lines of the form: +# +# +# +# and finally, by certificates. + +# 1 +# Ensure TLSA with direct root works when peer chain provides a +# cross-cert. +1 4 0 0 2 +2 0 0 308202f1308201d9a003020102020101300d06092a864886f70d01010b050030123110300e06035504030c07526f6f742043413020170d3136303131353038313934395a180f32313136303131363038313934395a30123110300e06035504030c07526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e1e600f506bca04638790f3f1e7119136d02df2b9b766bfcacb021edd69108423ba56335ec525ba0a24ac5d6009403975a3db96728d27de3215ca4edc63c8d8e84d19d54c33dd974a296766771f9c61a5077b3fd78ee5be0e38c8923c29a22ec3ed4379e07cdc02b5511173a34421c690d3a18b0ed15945ec6fd9e87c61ce7941a92c05f05c17343e503de0991c924ced88e8b7e2ee03148d1862a6a55267ae80b364e97b1e0a4c9da5c694b0380085683a31fb22ab8c14cfec5b14dd4c001aaedbece25bdee69adf607cd6e2ba18954f568eb9809edc96066cb33624a03b068d60eab5fc135557efd46eebaebdcb6a2a3ed857f77dfb56822437e662423afc50203010001a350304e301d0603551d0e041604148ef525af1e9b6b843d7c809ac9539c4d72f7a352301f0603551d230418301680148ef525af1e9b6b843d7c809ac9539c4d72f7a352300c0603551d13040530030101ff300d06092a864886f70d01010b05000382010100c91449c76ed660ea203d76693df00cb7ca6d6a9affba02d618b9706f32b24a8c8ba68576fd8340bd300607dd2216aeb1fee8e3acae35fc44b4a77bf7f3f41fbb1a36e2071981cfe860b57652a47eb860b1ebca763962d872d06c011b5858e1203e11c56fd695c5c3902b2647b62bc35f4c0b197fa7a99a075fd21899cd2c6e944144ccf146c0a16f30f9adef6467936b8248c0e8327b8d88761a2b4e33aa085370ddf7ea64ddb084905520472f6a37f93e0327aa1f541c6f92
d4f8c4e6970f1b9b2ce630e05981d7a0b4ee07b2170130ed39e0a481dd649f04f0ce6c4859d2f9bf970eb74c68bcf3220cb65926714da0d112a979023de86e907aa1f2285de9f0 +subject=CN = server.example +issuer=CN = CA +notBefore=Jan 15 08:19:49 2016 GMT +notAfter=Jan 16 08:19:49 2116 GMT +-----BEGIN CERTIFICATE----- +MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0xNjAxMTUwODE5NDlaGA8yMTE2MDExNjA4MTk0OVowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MBMGA1UdJQQMMAoGCCsGAQUFBwMBMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl +MA0GCSqGSIb3DQEBCwUAA4IBAQBBtDxPYULl5b7VFC7/U0NgV8vTJk4zpPnUMMQ4 +QF2AWDFAek8oLKrz18KQ8M/DEhDxgkaoeXEMLT6BJUEVNYuFEYHEDGarl0nMDRXL +xOgAExfz3Tf/pjsLaha5aWH7NyCSKWC+lYkIOJ/Kb/m/6QsDJoXsEC8AhrPfqJhz +UzsCoxIlaDWqawH4+S8bdeX0tvs2VtJk/WOJHxMqXra6kgI4fAgyvr2kIZHinQ3y +cgX40uAC38bwpE95kJ7FhSfQlE1Rt7sOspUj098Dd0RNDn2uKyOTxEqIELHfw4AX +O3XAzt8qDyho8nEd/xiQ6qgsQnvXa+hSRJw42g3/czVskxRx +-----END CERTIFICATE----- +subject=CN = CA +issuer=CN = Root CA +notBefore=Jan 15 08:19:49 2016 GMT +notAfter=Jan 16 08:19:49 2116 GMT +-----BEGIN CERTIFICATE----- +MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l 
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk +IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 +AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi +8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 +uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR +5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4= +-----END CERTIFICATE----- +subject=CN = Root CA +issuer=CN = Cross Root +notBefore=Aug 30 18:36:38 2021 GMT +notAfter=Aug 31 18:36:38 2121 GMT +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z +cyBSb290MCAXDTIxMDgzMDE4MzYzOFoYDzIxMjEwODMxMTgzNjM4WjASMRAwDgYD +VQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA +9Qa8oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25 +ZyjSfeMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3 +ngfNwCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6L +fi7gMUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7O +Jb3uaa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2F +f3fftWgiQ35mJCOvxQIDAQABo1MwUTAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOc +TXL3o1IwHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0TAQH/ +BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHi+qdZF/jJrR/F3L60JVLOOUhTpi +LxFFBksZPVaiVf+6R8pSMy0WtDEkzGT430ji6V4i8O/70HXIG9n9pCye8sLsOl6D +exXj/MkwwSd3J0Y58zd8ZwMrK9m/jyFrk9TlWokfIFL/eC8VFsu7qmSSRLIjMuxc +YPPisgR5+WPcus7Jf8auqcYw8eW0GPc1ugJobwucs5e/TinksMfwQrzEydmOPoWI +Pfur7MjPr5IQXROtQv+CihMigPIHvi73YzSe5zdPCw8JcuZ5vBi2pwquvzvGLtMM +Btln/SwonyQMks5WV4dOk6NOB73mCMywCir4ybp9ElJMaUGEF9nLO+h8Fg== +-----END CERTIFICATE----- +subject=CN = Cross Root +issuer=CN = Cross Root +notBefore=Aug 30 18:33:26 2021 GMT +notAfter=Aug 31 
18:33:26 2121 GMT +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z +cyBSb290MCAXDTIxMDgzMDE4MzMyNloYDzIxMjEwODMxMTgzMzI2WjAVMRMwEQYD +VQQDDApDcm9zcyBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +kpH8JGF0yRS+CCAkUBV44unl/SNTSPexgbtmJPHo8HLTLbXCU5QS2KWERUJ2YLC8 +FRIQNuSipUjT8zz6xFYqU+S5eSeroVhARixxE4fEMeLCOdPAds1D/trZw2qWLZOT +DUlXUGV1besCbrF2PL3efJxzy6OM6+tTE8K49y3dJVNfGB7cZxkjDGDz08XnBNJo +2FNN/BC8WTHZU/lUgtCjgSXXY+uPpF0XYg7UBlVhOfDLV+f9fC4EmNyf4bzYZnFr +mOtdaYF3JsAz60p9Xw3kahvO0LPCp4ktXbVhwwlVv+SmTkHi3CulU2hHZ8HT2EOw +YiaePt8qSphK3U/U2AbPFwIDAQABo1MwUTAdBgNVHQ4EFgQUL16/ihJvr2w9I5k6 +3jjZ13SPW20wHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0T +AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUiqf8oQaPX3aW6I+dcRhsq5g +bpYF0X5jePk6UqWu86YcmpoRtGLH7e5aHGJYqrVrkOoo0q4eTL3Pm1/sB3omPRMb +ey/i7Z70wwd5yI8iz/WBmQDahYxq5wSDsUSdZDL0kSyoU2jCwXUPtuC6F1kMZBFI +uUeaFcF8oKVGuOHvZgj/FMBpT7tyjdPpDG4uo6AT04AKGhf5xO5UY2N+uqmEsXHK +HsKAEMrVhdeU5mbrfifvSkMYcYgJOX1KFP+t4U+ogqCHy1/Nfhq+WG1XN5GwhtuO +ze25NqI6ZvA2og4AoeIzvJ/+Nfl5PNtClm0IjbGvR77oOBMs71lO4GjUYj9eiw== +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/danetest.c b/deps/openssl/openssl/test/danetest.c index 6217e5470dc857..0ed460039d4819 100644 --- a/deps/openssl/openssl/test/danetest.c +++ b/deps/openssl/openssl/test/danetest.c @@ -149,10 +149,10 @@ static STACK_OF(X509) *load_chain(BIO *fp, int nelem) static char *read_to_eol(BIO *f) { - static char buf[1024]; + static char buf[4096]; int n; - if (!BIO_gets(f, buf, sizeof(buf))) + if (BIO_gets(f, buf, sizeof(buf)) <= 0) return NULL; n = strlen(buf); diff --git a/deps/openssl/openssl/test/destest.c b/deps/openssl/openssl/test/destest.c index ee5a70db27d795..e0c4b30f9087ab 100644 --- a/deps/openssl/openssl/test/destest.c +++ b/deps/openssl/openssl/test/destest.c 
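Review bot: In read_to_eol the buffer grows from 1024 to 4096 with no comment on what bounds the line length, so the next fixture with a longer record will hit the limit again without explanation. The change is presumably driven by the full-certificate TLSA record in the new dane-cross.in, which is well over 1024 characters. A comment such as `/* Must hold the longest line in the dane*.in fixtures, e.g. a hex-encoded full-certificate TLSA record */` would record that. The rest of the function lies outside this hunk.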
@@ -771,6 +771,73 @@ static int test_des_key_wrap(int idx) EVP_CIPHER_CTX_free(ctx); return res; } + +/*- + * Weak and semi weak keys as taken from + * %A D.W. Davies + * %A W.L. Price + * %T Security for Computer Networks + * %I John Wiley & Sons + * %D 1984 + */ +static struct { + const DES_cblock key; + int expect; +} weak_keys[] = { + /* weak keys */ + {{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, 1 }, + {{0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE}, 1 }, + {{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E}, 1 }, + {{0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1}, 1 }, + /* semi-weak keys */ + {{0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE}, 1 }, + {{0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01}, 1 }, + {{0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1}, 1 }, + {{0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E}, 1 }, + {{0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1}, 1 }, + {{0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01}, 1 }, + {{0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE}, 1 }, + {{0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E}, 1 }, + {{0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E}, 1 }, + {{0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01}, 1 }, + {{0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE}, 1 }, + {{0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1}, 1 }, + /* good key */ + {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 } +}; + +static int test_des_weak_keys(int n) +{ + const_DES_cblock *key = (unsigned char (*)[8])weak_keys[n].key; + + return TEST_int_eq(DES_is_weak_key(key), weak_keys[n].expect); +} + +static struct { + const DES_cblock key; + int expect; +} bad_parity_keys[] = { + {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 0 }, + {{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 0 }, + /* Perturb each byte in turn to create even parity */ + {{0x48, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 }, + {{0x49, 0xE8, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 }, + {{0x49, 0xE9, 0x5C, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 }, + 
{{0x49, 0xE9, 0x5D, 0x7D, 0x4C, 0xA2, 0x29, 0xBF}, 0 }, + {{0x49, 0xE9, 0x5D, 0x6D, 0x5C, 0xA2, 0x29, 0xBF}, 0 }, + {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA3, 0x29, 0xBF}, 0 }, + {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x39, 0xBF}, 0 }, + {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBE}, 0 }, + /* Odd parity version of above */ + {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 1 } +}; + +static int test_des_check_bad_parity(int n) +{ + const_DES_cblock *key = (unsigned char (*)[8])bad_parity_keys[n].key; + + return TEST_int_eq(DES_check_key_parity(key), bad_parity_keys[n].expect); +} #endif int setup_tests(void) @@ -797,6 +864,8 @@ int setup_tests(void) ADD_ALL_TESTS(test_input_align, 4); ADD_ALL_TESTS(test_output_align, 4); ADD_ALL_TESTS(test_des_key_wrap, OSSL_NELEM(test_des_key_wrap_sizes)); + ADD_ALL_TESTS(test_des_weak_keys, OSSL_NELEM(weak_keys)); + ADD_ALL_TESTS(test_des_check_bad_parity, OSSL_NELEM(bad_parity_keys)); #endif return 1; } diff --git a/deps/openssl/openssl/test/dhtest.c b/deps/openssl/openssl/test/dhtest.c index cb8d9a7de48d76..71c95b186f2c5e 100644 --- a/deps/openssl/openssl/test/dhtest.c +++ b/deps/openssl/openssl/test/dhtest.c @@ -730,6 +730,27 @@ static int dh_test_prime_groups(int index) return ok; } +static int dh_rfc5114_fix_nid_test(void) +{ + int ok = 0; + EVP_PKEY_CTX *paramgen_ctx; + + /* Run the test. Success is any time the test does not cause a SIGSEGV interrupt */ + paramgen_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DHX, 0); + if (!TEST_ptr(paramgen_ctx)) + goto err; + if (!TEST_int_eq(EVP_PKEY_paramgen_init(paramgen_ctx), 1)) + goto err; + /* Tested function is called here */ + if (!TEST_int_eq(EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 3), 1)) + goto err; + /* If we're still running then the test passed. */ + ok = 1; +err: + EVP_PKEY_CTX_free(paramgen_ctx); + return ok; +} + static int dh_get_nid(void) { int ok = 0; 
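Review bot: The `expect` field in the two new destest.c tables is undocumented and means opposite things in each. In `weak_keys`, 1 marks a key that must be rejected by `DES_is_weak_key()`. In `bad_parity_keys`, 1 marks the single key that `DES_check_key_parity()` must accept, and that table's name suggests every entry is bad. A field comment on each struct would remove the ambiguity, e.g. `int expect; /* expected DES_is_weak_key() result: 1 = weak or semi-weak */` and `int expect; /* expected DES_check_key_parity() result: 1 = odd parity on every byte */`. Both tables are only read, so they could also be declared `static const struct`.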
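Review bot: dh_rfc5114_fix_nid_test in dhtest.c checks only that `EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 3)` returns 1 without crashing, so despite its name it asserts nothing about the group or NID that call selects. If the regression is purely a NULL dereference, say so in a header comment such as `/* Regression test: setting an RFC 5114 group on a fresh DHX paramgen ctx must not crash */`, and explain the literal `3`. Otherwise a follow-up that generates the parameters and checks the resulting group would give the test a real oracle. `paramgen_ctx` is also declared without `= NULL`; that is safe today because it is assigned before the first `goto err`, but initialising it keeps the cleanup path robust against later edits.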
@@ -876,6 +897,7 @@ int setup_tests(void) ADD_ALL_TESTS(dh_test_prime_groups, OSSL_NELEM(prime_groups)); ADD_TEST(dh_get_nid); ADD_TEST(dh_load_pkcs3_namedgroup_privlen_test); + ADD_TEST(dh_rfc5114_fix_nid_test); #endif return 1; } diff --git a/deps/openssl/openssl/test/ecdsatest.c b/deps/openssl/openssl/test/ecdsatest.c index c94d7d8dabf5bb..282b9660d315ff 100644 --- a/deps/openssl/openssl/test/ecdsatest.c +++ b/deps/openssl/openssl/test/ecdsatest.c @@ -46,7 +46,7 @@ static int fbytes(unsigned char *buf, size_t num, ossl_unused const char *name, || !TEST_true(BN_hex2bn(&tmp, numbers[fbytes_counter])) /* tmp might need leading zeros so pad it out */ || !TEST_int_le(BN_num_bytes(tmp), num) - || !TEST_true(BN_bn2binpad(tmp, buf, num))) + || !TEST_int_gt(BN_bn2binpad(tmp, buf, num), 0)) goto err; fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); diff --git a/deps/openssl/openssl/test/ectest.c b/deps/openssl/openssl/test/ectest.c index c08b14be452777..38772ba16f4b83 100644 --- a/deps/openssl/openssl/test/ectest.c +++ b/deps/openssl/openssl/test/ectest.c @@ -2919,11 +2919,11 @@ static int custom_params_test(int id) /* create two new provider-native `EVP_PKEY`s */ EVP_PKEY_CTX_free(pctx2); if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(pctx2)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR, - params1)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY, - params2))) + || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx2), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR, + params1), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY, + params2), 1)) goto err; /* compute keyexchange once more using the provider keys */ 
@@ -2966,6 +2966,47 @@ static int custom_params_test(int id) return ret; } +static int ec_d2i_publickey_test(void) +{ + unsigned char buf[1000]; + unsigned char *pubkey_enc = buf; + const unsigned char *pk_enc = pubkey_enc; + EVP_PKEY *gen_key = NULL, *decoded_key = NULL; + EVP_PKEY_CTX *pctx = NULL; + int pklen, ret = 0; + OSSL_PARAM params[2]; + + if (!TEST_ptr(gen_key = EVP_EC_gen("P-256"))) + goto err; + + if (!TEST_int_gt(pklen = i2d_PublicKey(gen_key, &pubkey_enc), 0)) + goto err; + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, + "P-256", 0); + params[1] = OSSL_PARAM_construct_end(); + + if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) + || !TEST_true(EVP_PKEY_fromdata_init(pctx)) + || !TEST_true(EVP_PKEY_fromdata(pctx, &decoded_key, + OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, + params)) + || !TEST_ptr(decoded_key) + || !TEST_ptr(decoded_key = d2i_PublicKey(EVP_PKEY_EC, &decoded_key, + &pk_enc, pklen))) + goto err; + + if (!TEST_true(EVP_PKEY_eq(gen_key, decoded_key))) + goto err; + ret = 1; + + err: + EVP_PKEY_CTX_free(pctx); + EVP_PKEY_free(gen_key); + EVP_PKEY_free(decoded_key); + return ret; +} + int setup_tests(void) { crv_len = EC_get_builtin_curves(NULL, 0); @@ -2993,6 +3034,7 @@ int setup_tests(void) ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); ADD_ALL_TESTS(custom_generator_test, crv_len); ADD_ALL_TESTS(custom_params_test, crv_len); + ADD_TEST(ec_d2i_publickey_test); return 1; } diff --git a/deps/openssl/openssl/test/enginetest.c b/deps/openssl/openssl/test/enginetest.c index 4c4aeb9b8d4004..04e61743a1b05a 100644 --- a/deps/openssl/openssl/test/enginetest.c +++ b/deps/openssl/openssl/test/enginetest.c @@ -23,6 +23,7 @@ # include # include # include +# include static void display_engine_list(void) { 
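Review bot: The new ec_d2i_publickey_test wraps `EVP_PKEY_fromdata_init(pctx)` and `EVP_PKEY_fromdata(pctx, &decoded_key, ...)` in `TEST_true`, the very pattern the earlier ectest.c hunk in this commit replaces with `TEST_int_eq(..., 1)` in custom_params_test. These calls can return a negative value on error, which `TEST_true` accepts as success. The later `TEST_ptr(decoded_key)` catches most such cases, but the checks should match: `|| !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1)`, and likewise for the `EVP_PKEY_fromdata` call. Separately, `i2d_PublicKey(gen_key, &pubkey_enc)` writes into the fixed `buf[1000]` without first asking for the encoded length. That is ample for P-256, but a preceding `i2d_PublicKey(gen_key, NULL)` compared against `sizeof(buf)` would make the bound explicit.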
@@ -352,6 +353,80 @@ static int test_redirect(void) OPENSSL_free(tmp); return to_return; } + +static int test_x509_dup_w_engine(void) +{ + ENGINE *e = NULL; + X509 *cert = NULL, *dupcert = NULL; + X509_PUBKEY *pubkey, *duppubkey = NULL; + int ret = 0; + BIO *b = NULL; + RSA_METHOD *rsameth = NULL; + + if (!TEST_ptr(b = BIO_new_file(test_get_argument(0), "r")) + || !TEST_ptr(cert = PEM_read_bio_X509(b, NULL, NULL, NULL))) + goto err; + + /* Dup without an engine */ + if (!TEST_ptr(dupcert = X509_dup(cert))) + goto err; + X509_free(dupcert); + dupcert = NULL; + + if (!TEST_ptr(pubkey = X509_get_X509_PUBKEY(cert)) + || !TEST_ptr(duppubkey = X509_PUBKEY_dup(pubkey)) + || !TEST_ptr_ne(duppubkey, pubkey) + || !TEST_ptr_ne(X509_PUBKEY_get0(duppubkey), X509_PUBKEY_get0(pubkey))) + goto err; + + X509_PUBKEY_free(duppubkey); + duppubkey = NULL; + + X509_free(cert); + cert = NULL; + + /* Create a test ENGINE */ + if (!TEST_ptr(e = ENGINE_new()) + || !TEST_true(ENGINE_set_id(e, "Test dummy engine")) + || !TEST_true(ENGINE_set_name(e, "Test dummy engine"))) + goto err; + + if (!TEST_ptr(rsameth = RSA_meth_dup(RSA_get_default_method()))) + goto err; + + ENGINE_set_RSA(e, rsameth); + + if (!TEST_true(ENGINE_set_default_RSA(e))) + goto err; + + if (!TEST_int_ge(BIO_seek(b, 0), 0) + || !TEST_ptr(cert = PEM_read_bio_X509(b, NULL, NULL, NULL))) + goto err; + + /* Dup with an engine set on the key */ + if (!TEST_ptr(dupcert = X509_dup(cert))) + goto err; + + if (!TEST_ptr(pubkey = X509_get_X509_PUBKEY(cert)) + || !TEST_ptr(duppubkey = X509_PUBKEY_dup(pubkey)) + || !TEST_ptr_ne(duppubkey, pubkey) + || !TEST_ptr_ne(X509_PUBKEY_get0(duppubkey), X509_PUBKEY_get0(pubkey))) + goto err; + + ret = 1; + + err: + X509_free(cert); + X509_free(dupcert); + X509_PUBKEY_free(duppubkey); + if (e != NULL) { + ENGINE_unregister_RSA(e); + ENGINE_free(e); + } + RSA_meth_free(rsameth); + BIO_free(b); + return ret; +} #endif int global_init(void) 
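Review bot: In test_x509_dup_w_engine the result of `ENGINE_set_RSA(e, rsameth);` is discarded, while every neighbouring ENGINE call is wrapped in a TEST_ macro. If that call failed, the test would continue with an engine that has no RSA method and could still pass the "dup with an engine" half without exercising it. I would write `if (!TEST_true(ENGINE_set_RSA(e, rsameth))) goto err;`. Note also that the test changes the process-wide default RSA engine and relies on the `err:` block to undo it, which deserves a short comment because the tests registered before it share that state.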
@@ -363,13 +438,27 @@ int global_init(void) return OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL); } +OPT_TEST_DECLARE_USAGE("certfile\n") + int setup_tests(void) { #ifdef OPENSSL_NO_ENGINE TEST_note("No ENGINE support"); #else + int n; + + if (!test_skip_common_options()) { + TEST_error("Error parsing test options\n"); + return 0; + } + + n = test_get_argument_count(); + if (n == 0) + return 0; + ADD_TEST(test_engines); ADD_TEST(test_redirect); + ADD_TEST(test_x509_dup_w_engine); #endif return 1; } diff --git a/deps/openssl/openssl/test/evp_extra_test.c b/deps/openssl/openssl/test/evp_extra_test.c index 83f8902d2482d2..47ef35ca679991 100644 --- a/deps/openssl/openssl/test/evp_extra_test.c +++ b/deps/openssl/openssl/test/evp_extra_test.c @@ -30,6 +30,7 @@ #include #include #include +#include #include "testutil.h" #include "internal/nelem.h" #include "internal/sizes.h" @@ -599,6 +600,14 @@ static EVP_PKEY *load_example_dsa_key(void) } #endif +#ifndef OPENSSL_NO_EC +static EVP_PKEY *load_example_ec_key(void) +{ + return load_example_key("EC", kExampleECKeyDER, + sizeof(kExampleECKeyDER)); +} +#endif + #ifndef OPENSSL_NO_DEPRECATED_3_0 # ifndef OPENSSL_NO_DH static EVP_PKEY *load_example_dh_key(void) @@ -609,12 +618,6 @@ static EVP_PKEY *load_example_dh_key(void) # endif # ifndef OPENSSL_NO_EC -static EVP_PKEY *load_example_ec_key(void) -{ - return load_example_key("EC", kExampleECKeyDER, - sizeof(kExampleECKeyDER)); -} - static EVP_PKEY *load_example_ed25519_key(void) { return load_example_key("ED25519", kExampleED25519KeyDER, 
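Review bot: In enginetest.c's setup_tests, a missing certfile argument now aborts with a bare `return 0` when `test_get_argument_count()` is 0, and no diagnostic is printed. The branch just above it does report through `TEST_error`. Something like `if (!TEST_int_gt(n, 0)) return 0;`, or a `TEST_error` naming the missing certfile, would make the failure self-explanatory in CI logs. The option parsing and the usage declaration also apply only to the `#else` branch, so in an `OPENSSL_NO_ENGINE` build the declared usage is never consulted.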
@@ -676,26 +679,56 @@ static int test_EVP_set_default_properties(void) } #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) -static int test_fromdata(char *keytype, OSSL_PARAM *params) +static EVP_PKEY *make_key_fromdata(char *keytype, OSSL_PARAM *params) { EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *pkey = NULL; - int testresult = 0; + EVP_PKEY *tmp_pkey = NULL, *pkey = NULL; if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, testpropq))) goto err; if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR, + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &tmp_pkey, EVP_PKEY_KEYPAIR, params), 0)) goto err; - if (!TEST_ptr(pkey)) + if (!TEST_ptr(tmp_pkey)) goto err; - testresult = 1; + pkey = tmp_pkey; + tmp_pkey = NULL; err: - EVP_PKEY_free(pkey); + EVP_PKEY_free(tmp_pkey); EVP_PKEY_CTX_free(pctx); + return pkey; +} + +static int test_selection(EVP_PKEY *pkey, int selection) +{ + int testresult = 0; + int ret; + BIO *bio = BIO_new(BIO_s_mem()); + + ret = PEM_write_bio_PUBKEY(bio, pkey); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if (!TEST_true(ret)) + goto err; + } else { + if (!TEST_false(ret)) + goto err; + } + ret = PEM_write_bio_PrivateKey_ex(bio, pkey, NULL, NULL, 0, NULL, NULL, + testctx, NULL); + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + if (!TEST_true(ret)) + goto err; + } else { + if (!TEST_false(ret)) + goto err; + } + + testresult = 1; + err: + BIO_free(bio); return testresult; } @@ -710,6 +743,10 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) { OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL; + EVP_PKEY *just_params = NULL; + EVP_PKEY *params_and_priv = NULL; + EVP_PKEY *params_and_pub = NULL; + EVP_PKEY *params_and_keypair = NULL; BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL; int ret = 0; 
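Review bot: test_selection never checks `BIO *bio = BIO_new(BIO_s_mem());` for NULL before passing it to both PEM writers. When the selection excludes a key part the function asserts `TEST_false(ret)`, so a failed allocation would presumably make the write fail and let the negative branches pass for the wrong reason. Add `if (!TEST_ptr(bio)) return 0;` before the first `PEM_write_bio_PUBKEY` call. It would also help to document that the function returns 1 only when both the public and the private export outcomes match `selection`, since callers in later hunks rely on its returning 0.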
@@ -730,14 +767,18 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(just_params = make_key_fromdata(keytype, params))) goto err; - if (!test_fromdata(keytype, params)) - goto err; OSSL_PARAM_free(params); - params = NULL; OSSL_PARAM_BLD_free(bld); + params = NULL; + bld = NULL; + + if (!test_selection(just_params, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) + || test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR)) + goto err; /* Test priv and !pub */ if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) @@ -747,14 +788,18 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(params_and_priv = make_key_fromdata(keytype, params))) goto err; - if (!test_fromdata(keytype, params)) - goto err; OSSL_PARAM_free(params); - params = NULL; OSSL_PARAM_BLD_free(bld); + params = NULL; + bld = NULL; + + if (!test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PRIVATE_KEY) + || test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) + goto err; /* Test !priv and pub */ if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) 
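Review bot: The bare `|| test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR)` relies on test_selection returning 0, yet that helper signals a mismatch through `TEST_true`/`TEST_false`. As far as those macros log on mismatch, a passing run will print failure diagnostics, and an unexpected success here is reported with no message at all. At minimum wrap it as `|| !TEST_false(test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR))` and add a comment that the failure is expected. A cleaner fix is a variant of the helper that returns the two export results without asserting. The same pattern recurs in the priv-only and pub-only hunks of test_EVP_PKEY_ffc_priv_pub and in the corresponding test_EC_priv_pub hunks. Both functions begin and end outside these hunks.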
@@ -764,14 +809,18 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(params_and_pub = make_key_fromdata(keytype, params))) goto err; - if (!test_fromdata(keytype, params)) - goto err; OSSL_PARAM_free(params); - params = NULL; OSSL_PARAM_BLD_free(bld); + params = NULL; + bld = NULL; + + if (!test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PUBLIC_KEY) + || test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) + goto err; /* Test priv and pub */ if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) @@ -783,16 +832,21 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(params_and_keypair = make_key_fromdata(keytype, params))) goto err; - if (!test_fromdata(keytype, params)) + if (!test_selection(params_and_keypair, EVP_PKEY_KEYPAIR)) goto err; ret = 1; err: OSSL_PARAM_free(params); OSSL_PARAM_BLD_free(bld); + EVP_PKEY_free(just_params); + EVP_PKEY_free(params_and_priv); + EVP_PKEY_free(params_and_pub); + EVP_PKEY_free(params_and_keypair); BN_free(p); BN_free(q); BN_free(g); @@ -826,6 +880,10 @@ static int test_EC_priv_pub(void) { OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL; + EVP_PKEY *just_params = NULL; + EVP_PKEY *params_and_priv = NULL; + EVP_PKEY *params_and_pub = NULL; + EVP_PKEY *params_and_keypair = NULL; BIGNUM *priv = NULL; int ret = 0; 
@@ -842,14 +900,18 @@ static int test_EC_priv_pub(void) OSSL_PKEY_PARAM_GROUP_NAME, "P-256", 0))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(just_params = make_key_fromdata("EC", params))) goto err; - if (!test_fromdata("EC", params)) - goto err; OSSL_PARAM_free(params); - params = NULL; OSSL_PARAM_BLD_free(bld); + params = NULL; + bld = NULL; + + if (!test_selection(just_params, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) + || test_selection(just_params, OSSL_KEYMGMT_SELECT_KEYPAIR)) + goto err; /* Test priv and !pub */ if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) @@ -859,14 +921,24 @@ static int test_EC_priv_pub(void) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(params_and_priv = make_key_fromdata("EC", params))) goto err; - if (!test_fromdata("EC", params)) - goto err; OSSL_PARAM_free(params); - params = NULL; OSSL_PARAM_BLD_free(bld); + params = NULL; + bld = NULL; + + /* + * We indicate only parameters here, in spite of having built a key that + * has a private part, because the PEM_write_bio_PrivateKey_ex call is + * expected to fail because it does not support exporting a private EC + * key without a corresponding public key + */ + if (!test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) + || test_selection(params_and_priv, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) + goto err; /* Test !priv and pub */ if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) 
@@ -877,14 +949,18 @@ static int test_EC_priv_pub(void) OSSL_PKEY_PARAM_PUB_KEY, ec_pub, sizeof(ec_pub)))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(params_and_pub = make_key_fromdata("EC", params))) goto err; - if (!test_fromdata("EC", params)) - goto err; OSSL_PARAM_free(params); - params = NULL; OSSL_PARAM_BLD_free(bld); + params = NULL; + bld = NULL; + + if (!test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PUBLIC_KEY) + || test_selection(params_and_pub, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) + goto err; /* Test priv and pub */ if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) @@ -897,16 +973,35 @@ static int test_EC_priv_pub(void) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))) goto err; - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(params_and_keypair = make_key_fromdata("EC", params))) + goto err; + + if (!test_selection(params_and_keypair, EVP_PKEY_KEYPAIR)) goto err; - if (!test_fromdata("EC", params)) + /* Try key equality */ + if (!TEST_int_gt(EVP_PKEY_parameters_eq(just_params, just_params), 0) + || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_pub), + 0) + || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_priv), + 0) + || !TEST_int_gt(EVP_PKEY_parameters_eq(just_params, params_and_keypair), + 0) + || !TEST_int_gt(EVP_PKEY_eq(params_and_pub, params_and_pub), 0) + || !TEST_int_gt(EVP_PKEY_eq(params_and_priv, params_and_priv), 0) + || !TEST_int_gt(EVP_PKEY_eq(params_and_keypair, params_and_pub), 0) + || !TEST_int_gt(EVP_PKEY_eq(params_and_keypair, params_and_priv), 0)) goto err; ret = 1; err: OSSL_PARAM_free(params); OSSL_PARAM_BLD_free(bld); + EVP_PKEY_free(just_params); + EVP_PKEY_free(params_and_priv); + EVP_PKEY_free(params_and_pub); + EVP_PKEY_free(params_and_keypair); BN_free(priv); return ret; 
@@ -978,6 +1073,66 @@ static int test_EC_priv_only_legacy(void) # endif /* OPENSSL_NO_DEPRECATED_3_0 */ #endif /* OPENSSL_NO_EC */ +static int test_EVP_PKEY_sign(int tst) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + unsigned char *sig = NULL; + size_t sig_len = 0, shortsig_len = 1; + EVP_PKEY_CTX *ctx = NULL; + unsigned char tbs[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13 + }; + + if (tst == 0 ) { + if (!TEST_ptr(pkey = load_example_rsa_key())) + goto out; + } else if (tst == 1) { +#ifndef OPENSSL_NO_DSA + if (!TEST_ptr(pkey = load_example_dsa_key())) + goto out; +#else + ret = 1; + goto out; +#endif + } else { +#ifndef OPENSSL_NO_EC + if (!TEST_ptr(pkey = load_example_ec_key())) + goto out; +#else + ret = 1; + goto out; +#endif + } + + ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL); + if (!TEST_ptr(ctx) + || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0) + || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs, + sizeof(tbs)), 0)) + goto out; + sig = OPENSSL_malloc(sig_len); + if (!TEST_ptr(sig) + /* Test sending a signature buffer that is too short is rejected */ + || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs, + sizeof(tbs)), 0) + || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)), + 0) + /* Test the signature round-trips */ + || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0) + || !TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)), + 0)) + goto out; + + ret = 1; + out: + EVP_PKEY_CTX_free(ctx); + OPENSSL_free(sig); + EVP_PKEY_free(pkey); + return ret; +} + /* * n = 0 => test using legacy cipher * n = 1 => test using fetched cipher 
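Review bot: test_EVP_PKEY_sign reuses the same `ctx` for a full-size `EVP_PKEY_sign` and then for `EVP_PKEY_verify_init` after the deliberately failing call with `shortsig_len = 1`, without stating that this is intended. The EVP_DigestSign test later in this commit says the opposite for its API, that the ctx must be re-initialised after a failure. A comment such as `/* a too-short buffer must be rejected and must leave ctx usable for the calls below */` would record the contract being tested. The short-buffer check also looks only at the return value; asserting that `shortsig_len` or the first bytes of `sig` are unchanged would pin down that nothing was written. In no-DSA and no-EC builds, `ret = 1; goto out;` reports a pass instead of a skip.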
@@ -1046,24 +1201,37 @@ static int test_EVP_Enveloped(int n) * Test 6: Use an MD BIO to do the Update calls instead (RSA) * Test 7: Use an MD BIO to do the Update calls instead (DSA) * Test 8: Use an MD BIO to do the Update calls instead (HMAC) + * Test 9: Use EVP_DigestSign (Implicit fetch digest, RSA, short sig) + * Test 10: Use EVP_DigestSign (Implicit fetch digest, DSA, short sig) + * Test 11: Use EVP_DigestSign (Implicit fetch digest, HMAC, short sig) + * Test 12: Use EVP_DigestSign (Implicit fetch digest, RSA) + * Test 13: Use EVP_DigestSign (Implicit fetch digest, DSA) + * Test 14: Use EVP_DigestSign (Implicit fetch digest, HMAC) + * Test 15-29: Same as above with reinitialization */ static int test_EVP_DigestSignInit(int tst) { int ret = 0; EVP_PKEY *pkey = NULL; unsigned char *sig = NULL, *sig2 = NULL; - size_t sig_len = 0, sig2_len = 0; + size_t sig_len = 0, sig2_len = 0, shortsig_len = 1; EVP_MD_CTX *md_ctx = NULL, *md_ctx_verify = NULL; EVP_MD_CTX *a_md_ctx = NULL, *a_md_ctx_verify = NULL; BIO *mdbio = NULL, *membio = NULL; size_t written; const EVP_MD *md; EVP_MD *mdexp = NULL; + int reinit = 0; if (nullprov != NULL) return TEST_skip("Test does not support a non-default library context"); - if (tst >= 6) { + if (tst >= 15) { + reinit = 1; + tst -= 15; + } + + if (tst >= 6 && tst <= 8) { membio = BIO_new(BIO_s_mem()); mdbio = BIO_new(BIO_f_md()); if (!TEST_ptr(membio) || !TEST_ptr(mdbio)) @@ -1077,10 +1245,10 @@ static int test_EVP_DigestSignInit(int tst) goto out; } - if (tst == 0 || tst == 3 || tst == 6) { + if (tst % 3 == 0) { if (!TEST_ptr(pkey = load_example_rsa_key())) goto out; - } else if (tst == 1 || tst == 4 || tst == 7) { + } else if (tst % 3 == 1) { #ifndef OPENSSL_NO_DSA if (!TEST_ptr(pkey = load_example_dsa_key())) goto out; 
@@ -1101,26 +1269,57 @@ static int test_EVP_DigestSignInit(int tst) if (!TEST_true(EVP_DigestSignInit(md_ctx, NULL, md, NULL, pkey))) goto out; - if (tst >= 6) { + if (reinit && !TEST_true(EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, NULL))) + goto out; + + if (tst >= 6 && tst <= 8) { if (!BIO_write_ex(mdbio, kMsg, sizeof(kMsg), &written)) goto out; - } else { + } else if (tst < 6) { if (!TEST_true(EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg)))) goto out; } - /* Determine the size of the signature. */ - if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig_len)) - || !TEST_ptr(sig = OPENSSL_malloc(sig_len)) - || !TEST_true(EVP_DigestSignFinal(md_ctx, sig, &sig_len))) - goto out; + if (tst >= 9) { + /* Determine the size of the signature. */ + if (!TEST_true(EVP_DigestSign(md_ctx, NULL, &sig_len, kMsg, + sizeof(kMsg))) + || !TEST_ptr(sig = OPENSSL_malloc(sig_len))) + goto out; + if (tst <= 11) { + /* Test that supply a short sig buffer fails */ + if (!TEST_false(EVP_DigestSign(md_ctx, sig, &shortsig_len, kMsg, + sizeof(kMsg)))) + goto out; + /* + * We end here because once EVP_DigestSign() has failed you should + * not call it again without re-initing the ctx + */ + ret = 1; + goto out; + } + if (!TEST_true(EVP_DigestSign(md_ctx, sig, &sig_len, kMsg, + sizeof(kMsg)))) + goto out; + } else { + /* Determine the size of the signature. */ + if (!TEST_true(EVP_DigestSignFinal(md_ctx, NULL, &sig_len)) + || !TEST_ptr(sig = OPENSSL_malloc(sig_len)) + /* + * Trying to create a signature with a deliberately short + * buffer should fail. 
+ */ + || !TEST_false(EVP_DigestSignFinal(md_ctx, sig, &shortsig_len)) + || !TEST_true(EVP_DigestSignFinal(md_ctx, sig, &sig_len))) + goto out; + } /* * Ensure that the signature round-trips (Verification isn't supported for * HMAC via EVP_DigestVerify*) */ - if (tst != 2 && tst != 5 && tst != 8) { - if (tst >= 6) { + if (tst % 3 != 2) { + if (tst >= 6 && tst <= 8) { if (!TEST_int_gt(BIO_reset(mdbio), 0) || !TEST_int_gt(BIO_get_md_ctx(mdbio, &md_ctx_verify), 0)) goto out; @@ -1130,7 +1329,7 @@ static int test_EVP_DigestSignInit(int tst) NULL, pkey))) goto out; - if (tst >= 6) { + if (tst >= 6 && tst <= 8) { if (!TEST_true(BIO_write_ex(mdbio, kMsg, sizeof(kMsg), &written))) goto out; } else { @@ -1138,11 +1337,11 @@ static int test_EVP_DigestSignInit(int tst) sizeof(kMsg)))) goto out; } - if (!TEST_true(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len))) + if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0)) goto out; /* Multiple calls to EVP_DigestVerifyFinal should work */ - if (!TEST_true(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len))) + if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0)) goto out; } else { /* @@ -1188,8 +1387,15 @@ static int test_EVP_DigestVerifyInit(void) if (!TEST_true(EVP_DigestVerifyInit(md_ctx, NULL, EVP_sha256(), NULL, pkey)) || !TEST_true(EVP_DigestVerifyUpdate(md_ctx, kMsg, sizeof(kMsg))) - || !TEST_true(EVP_DigestVerifyFinal(md_ctx, kSignature, - sizeof(kSignature)))) + || !TEST_int_gt(EVP_DigestVerifyFinal(md_ctx, kSignature, + sizeof(kSignature)), 0)) + goto out; + + /* test with reinitialization */ + if (!TEST_true(EVP_DigestVerifyInit(md_ctx, NULL, NULL, NULL, NULL)) + || !TEST_true(EVP_DigestVerifyUpdate(md_ctx, kMsg, sizeof(kMsg))) + || !TEST_int_gt(EVP_DigestVerifyFinal(md_ctx, kSignature, + sizeof(kSignature)), 0)) goto out; ret = 1; 
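Review bot: The two branches of this test_EVP_DigestSignInit hunk treat a failed short-buffer call differently, and only one says why. The `EVP_DigestSign` branch stops with a comment that the ctx must be re-initialised after a failure, whereas the `else` branch calls `EVP_DigestSignFinal(md_ctx, sig, &sig_len)` immediately after the deliberately failing `EVP_DigestSignFinal(md_ctx, sig, &shortsig_len)` and asserts it succeeds. If that asymmetry is intended API behaviour, state it next to the retry, e.g. `/* unlike EVP_DigestSign(), a size failure in EVP_DigestSignFinal() must leave the ctx usable, so the retry is part of the test */`. Without it the next reader is likely to "fix" one branch to match the other. The function begins and ends outside this hunk.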
@@ -1199,6 +1405,57 @@ static int test_EVP_DigestVerifyInit(void) return ret; } +#ifndef OPENSSL_NO_SIPHASH +/* test SIPHASH MAC via EVP_PKEY with non-default parameters and reinit */ +static int test_siphash_digestsign(void) +{ + unsigned char key[16]; + unsigned char buf[8], digest[8]; + unsigned char expected[8] = { + 0x6d, 0x3e, 0x54, 0xc2, 0x2f, 0xf1, 0xfe, 0xe2 + }; + EVP_PKEY *pkey = NULL; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *ctx = NULL; + int ret = 0; + size_t len = 8; + + if (nullprov != NULL) + return TEST_skip("Test does not support a non-default library context"); + + memset(buf, 0, 8); + memset(key, 1, 16); + if (!TEST_ptr(pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_SIPHASH, NULL, + key, 16))) + goto out; + + if (!TEST_ptr(mdctx = EVP_MD_CTX_create())) + goto out; + + if (!TEST_true(EVP_DigestSignInit(mdctx, &ctx, NULL, NULL, pkey))) + goto out; + if (!TEST_int_eq(EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_SIGNCTX, + EVP_PKEY_CTRL_SET_DIGEST_SIZE, + 8, NULL), 1)) + goto out; + /* reinitialize */ + if (!TEST_true(EVP_DigestSignInit(mdctx, NULL, NULL, NULL, NULL))) + goto out; + if (!TEST_true(EVP_DigestSignUpdate(mdctx, buf, 8))) + goto out; + if (!TEST_true(EVP_DigestSignFinal(mdctx, digest, &len))) + goto out; + if (!TEST_mem_eq(digest, len, expected, sizeof(expected))) + goto out; + + ret = 1; + out: + EVP_PKEY_free(pkey); + EVP_MD_CTX_free(mdctx); + return ret; +} +#endif + /* * Test corner cases of EVP_DigestInit/Update/Final API call behavior. */ 
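Review bot: test_siphash_digestsign repeats the buffer sizes as bare literals: `memset(buf, 0, 8)`, `memset(key, 1, 16)`, the `16` passed to `EVP_PKEY_new_raw_private_key`, and `size_t len = 8`. Since `len` is the output-buffer size handed to `EVP_DigestSignFinal`, tying it to the array keeps the bound correct if `digest` is ever resized: `size_t len = sizeof(digest);`, `memset(key, 1, sizeof(key));`, `memset(buf, 0, sizeof(buf));`. The `expected` vector also has no stated origin; a comment giving the key, message and digest size it corresponds to would let someone re-derive it.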
@@ -1252,6 +1509,35 @@ static int test_EVP_Digest(void) return ret; } +static int test_EVP_md_null(void) +{ + int ret = 0; + EVP_MD_CTX *md_ctx = NULL; + const EVP_MD *md_null = EVP_md_null(); + unsigned char md_value[EVP_MAX_MD_SIZE]; + unsigned int md_len = sizeof(md_value); + + if (nullprov != NULL) + return TEST_skip("Test does not support a non-default library context"); + + if (!TEST_ptr(md_null) + || !TEST_ptr(md_ctx = EVP_MD_CTX_new())) + goto out; + + if (!TEST_true(EVP_DigestInit_ex(md_ctx, md_null, NULL)) + || !TEST_true(EVP_DigestUpdate(md_ctx, "test", 4)) + || !TEST_true(EVP_DigestFinal_ex(md_ctx, md_value, &md_len))) + goto out; + + if (!TEST_uint_eq(md_len, 0)) + goto out; + + ret = 1; + out: + EVP_MD_CTX_free(md_ctx); + return ret; +} + static int test_d2i_AutoPrivateKey(int i) { int ret = 0; @@ -1473,7 +1759,7 @@ static int test_EC_keygen_with_enc(int idx) /* Create key parameters */ if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "EC", NULL)) - || !TEST_true(EVP_PKEY_paramgen_init(pctx)) + || !TEST_int_gt(EVP_PKEY_paramgen_init(pctx), 0) || !TEST_true(EVP_PKEY_CTX_set_group_name(pctx, "P-256")) || !TEST_true(EVP_PKEY_CTX_set_ec_param_enc(pctx, enc)) || !TEST_true(EVP_PKEY_paramgen(pctx, ¶ms)) @@ -1482,7 +1768,7 @@ static int test_EC_keygen_with_enc(int idx) /* Create key */ if (!TEST_ptr(kctx = EVP_PKEY_CTX_new_from_pkey(testctx, params, NULL)) - || !TEST_true(EVP_PKEY_keygen_init(kctx)) + || !TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0) || !TEST_true(EVP_PKEY_keygen(kctx, &key)) || !TEST_ptr(key)) goto done; @@ -1564,7 +1850,7 @@ static int test_EVP_SM2_verify(void) if (!TEST_true(EVP_DigestVerifyUpdate(mctx, msg, strlen(msg)))) goto done; - if (!TEST_true(EVP_DigestVerifyFinal(mctx, signature, sizeof(signature)))) + if (!TEST_int_gt(EVP_DigestVerifyFinal(mctx, signature, sizeof(signature)), 0)) goto done; rc = 1; 
@@ -1622,7 +1908,7 @@ static int test_EVP_SM2(void) pkeyparams, testpropq))) goto done; - if (!TEST_true(EVP_PKEY_keygen_init(kctx))) + if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0)) goto done; if (!TEST_true(EVP_PKEY_keygen(kctx, &pkey))) @@ -1674,7 +1960,7 @@ static int test_EVP_SM2(void) if (!TEST_true(EVP_DigestVerifyUpdate(md_ctx_verify, kMsg, sizeof(kMsg)))) goto done; - if (!TEST_true(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len))) + if (!TEST_int_gt(EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len), 0)) goto done; /* now check encryption/decryption */ @@ -1718,8 +2004,8 @@ static int test_EVP_SM2(void) if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams))) goto done; - if (!TEST_true(EVP_PKEY_decrypt(cctx, plaintext, &ptext_len, ciphertext, - ctext_len))) + if (!TEST_int_gt(EVP_PKEY_decrypt(cctx, plaintext, &ptext_len, ciphertext, + ctext_len), 0)) goto done; if (!TEST_true(EVP_PKEY_CTX_get_params(cctx, gparams))) @@ -1805,7 +2091,7 @@ static int test_set_get_raw_keys_int(int tst, int pub, int uselibctx) int ret = 0; unsigned char buf[80]; unsigned char *in; - size_t inlen, len = 0; + size_t inlen, len = 0, shortlen = 1; EVP_PKEY *pkey; /* Check if this algorithm supports public keys */ 
@@ -1855,8 +2141,20 @@ static int test_set_get_raw_keys_int(int tst, int pub, int uselibctx) || !TEST_int_eq(EVP_PKEY_eq(pkey, pkey), 1) || (!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, NULL, &len))) || (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, NULL, &len))) - || !TEST_true(len == inlen) - || (!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, buf, &len))) + || !TEST_true(len == inlen)) + goto done; + if (tst != 1) { + /* + * Test that supplying a buffer that is too small fails. Doesn't apply + * to HMAC with a zero length key + */ + if ((!pub && !TEST_false(EVP_PKEY_get_raw_private_key(pkey, buf, + &shortlen))) + || (pub && !TEST_false(EVP_PKEY_get_raw_public_key(pkey, buf, + &shortlen)))) + goto done; + } + if ((!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, buf, &len))) || (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, buf, &len))) || !TEST_mem_eq(in, inlen, buf, len)) goto done; @@ -1961,7 +2259,7 @@ static int get_cmac_val(EVP_PKEY *pkey, unsigned char *mac) { EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); const char msg[] = "Hello World"; - size_t maclen; + size_t maclen = AES_BLOCK_SIZE; int ret = 1; if (!TEST_ptr(mdctx) @@ -2169,7 +2467,7 @@ static int test_X509_PUBKEY_dup(void) if (!TEST_ptr(X509_PUBKEY_get0(xq)) || !TEST_ptr(X509_PUBKEY_get0(xp)) - || !TEST_ptr_eq(X509_PUBKEY_get0(xq), X509_PUBKEY_get0(xp))) + || !TEST_ptr_ne(X509_PUBKEY_get0(xq), X509_PUBKEY_get0(xp))) goto done; X509_PUBKEY_free(xq); @@ -2984,7 +3282,7 @@ static int test_ecpub(int idx) ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); if (!TEST_ptr(ctx) - || !TEST_true(EVP_PKEY_keygen_init(ctx)) + || !TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0) || !TEST_true(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid)) || !TEST_true(EVP_PKEY_keygen(ctx, &pkey))) goto done; 
@@ -3038,7 +3336,7 @@ static int test_EVP_rsa_pss_with_keygen_bits(void) md = EVP_MD_fetch(testctx, "sha256", testpropq); ret = TEST_ptr(md) && TEST_ptr((ctx = EVP_PKEY_CTX_new_from_name(testctx, "RSA", testpropq))) - && TEST_true(EVP_PKEY_keygen_init(ctx)) + && TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0) && TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 512), 0) && TEST_true(EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md)) && TEST_true(EVP_PKEY_keygen(ctx, &pkey)); @@ -3049,6 +3347,32 @@ static int test_EVP_rsa_pss_with_keygen_bits(void) return ret; } +static int test_EVP_rsa_pss_set_saltlen(void) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *pkey_ctx = NULL; + EVP_MD *sha256 = NULL; + EVP_MD_CTX *sha256_ctx = NULL; + int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */ + const int test_value = 32; + + ret = TEST_ptr(pkey = load_example_rsa_key()) + && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL)) + && TEST_ptr(sha256_ctx = EVP_MD_CTX_new()) + && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey)) + && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)) + && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value)) + && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen)) + && TEST_int_eq(saltlen, test_value); + + EVP_MD_CTX_free(sha256_ctx); + EVP_PKEY_free(pkey); + EVP_MD_free(sha256); + + return ret; +} + static int success = 1; static void md_names(const char *name, void *vctx) { 
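Review bot: In the new `test_EVP_rsa_pss_set_saltlen`, the `TEST_true(...)` wrappers around `EVP_DigestSignInit`, `EVP_PKEY_CTX_set_rsa_padding`, `EVP_PKEY_CTX_set_rsa_pss_saltlen` and `EVP_PKEY_CTX_get_rsa_pss_saltlen` accept a negative return as success, which is the pattern this commit replaces elsewhere with `TEST_int_gt(..., 0)`. These calls can signal failure with a value below zero, so the chain would continue past a failed setter; only the final `TEST_int_eq(saltlen, test_value)` would still catch a failed getter, thanks to the 9999 sentinel. Suggest `TEST_int_gt(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value), 0)` and the same form for the other three. The `TEST_true(ret)` and `TEST_false(ret)` checks on `EVP_DigestSignInit` in `test_signatures_with_engine` (next hunk) have the same weakness; `TEST_int_gt(ret, 0)` and `TEST_int_le(ret, 0)` would match the return convention.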
@@ -3854,8 +4178,171 @@ static int test_evp_md_cipher_meth(void) return testresult; } + +# ifndef OPENSSL_NO_DYNAMIC_ENGINE +/* Test we can create a signature keys with an associated ENGINE */ +static int test_signatures_with_engine(int tst) +{ + ENGINE *e; + const char *engine_id = "dasync"; + EVP_PKEY *pkey = NULL; + const unsigned char badcmackey[] = { 0x00, 0x01 }; + const unsigned char cmackey[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f + }; + const unsigned char ed25519key[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f + }; + const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 }; + int testresult = 0; + EVP_MD_CTX *ctx = NULL; + unsigned char *mac = NULL; + size_t maclen = 0; + int ret; + +# ifdef OPENSSL_NO_CMAC + /* Skip CMAC tests in a no-cmac build */ + if (tst <= 1) + return 1; +# endif + + if (!TEST_ptr(e = ENGINE_by_id(engine_id))) + return 0; + + if (!TEST_true(ENGINE_init(e))) { + ENGINE_free(e); + return 0; + } + + switch (tst) { + case 0: + pkey = EVP_PKEY_new_CMAC_key(e, cmackey, sizeof(cmackey), + EVP_aes_128_cbc()); + break; + case 1: + pkey = EVP_PKEY_new_CMAC_key(e, badcmackey, sizeof(badcmackey), + EVP_aes_128_cbc()); + break; + case 2: + pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, e, ed25519key, + sizeof(ed25519key)); + break; + default: + TEST_error("Invalid test case"); + goto err; + } + if (!TEST_ptr(pkey)) + goto err; + + if (!TEST_ptr(ctx = EVP_MD_CTX_new())) + goto err; + + ret = EVP_DigestSignInit(ctx, NULL, tst == 2 ? 
NULL : EVP_sha256(), NULL, + pkey); + if (tst == 0) { + if (!TEST_true(ret)) + goto err; + + if (!TEST_true(EVP_DigestSignUpdate(ctx, msg, sizeof(msg))) + || !TEST_true(EVP_DigestSignFinal(ctx, NULL, &maclen))) + goto err; + + if (!TEST_ptr(mac = OPENSSL_malloc(maclen))) + goto err; + + if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen))) + goto err; + } else { + /* We used a bad key. We expect a failure here */ + if (!TEST_false(ret)) + goto err; + } + + testresult = 1; + err: + EVP_MD_CTX_free(ctx); + OPENSSL_free(mac); + EVP_PKEY_free(pkey); + ENGINE_finish(e); + ENGINE_free(e); + + return testresult; +} + +static int test_cipher_with_engine(void) +{ + ENGINE *e; + const char *engine_id = "dasync"; + const unsigned char keyiv[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f + }; + const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 }; + int testresult = 0; + EVP_CIPHER_CTX *ctx = NULL, *ctx2 = NULL; + unsigned char buf[AES_BLOCK_SIZE]; + int len = 0; + + if (!TEST_ptr(e = ENGINE_by_id(engine_id))) + return 0; + + if (!TEST_true(ENGINE_init(e))) { + ENGINE_free(e); + return 0; + } + + if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) + || !TEST_ptr(ctx2 = EVP_CIPHER_CTX_new())) + goto err; + + if (!TEST_true(EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), e, keyiv, keyiv))) + goto err; + + /* Copy the ctx, and complete the operation with the new ctx */ + if (!TEST_true(EVP_CIPHER_CTX_copy(ctx2, ctx))) + goto err; + + if (!TEST_true(EVP_EncryptUpdate(ctx2, buf, &len, msg, sizeof(msg))) + || !TEST_true(EVP_EncryptFinal_ex(ctx2, buf + len, &len))) + goto err; + + testresult = 1; + err: + EVP_CIPHER_CTX_free(ctx); + EVP_CIPHER_CTX_free(ctx2); + ENGINE_finish(e); + ENGINE_free(e); + + return testresult; +} +# endif /* OPENSSL_NO_DYNAMIC_ENGINE */ #endif /* OPENSSL_NO_DEPRECATED_3_0 */ +static int ecxnids[] = { + NID_X25519, + NID_X448, + NID_ED25519, + NID_ED448 +}; + +/* Test that creating ECX keys with a short private 
key fails as expected */ +static int test_ecx_short_keys(int tst) +{ + unsigned char ecxkeydata = 1; + EVP_PKEY *pkey; + + + pkey = EVP_PKEY_new_raw_private_key(ecxnids[tst], NULL, &ecxkeydata, 1); + if (!TEST_ptr_null(pkey)) { + EVP_PKEY_free(pkey); + return 0; + } + return 1; +} + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, @@ -3897,9 +4384,14 @@ int setup_tests(void) } ADD_TEST(test_EVP_set_default_properties); - ADD_ALL_TESTS(test_EVP_DigestSignInit, 9); + ADD_ALL_TESTS(test_EVP_DigestSignInit, 30); ADD_TEST(test_EVP_DigestVerifyInit); +#ifndef OPENSSL_NO_SIPHASH + ADD_TEST(test_siphash_digestsign); +#endif ADD_TEST(test_EVP_Digest); + ADD_TEST(test_EVP_md_null); + ADD_ALL_TESTS(test_EVP_PKEY_sign, 3); ADD_ALL_TESTS(test_EVP_Enveloped, 2); ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata)); ADD_TEST(test_privatekey_to_pkcs8); @@ -3966,6 +4458,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_evp_iv_des, 6); #endif ADD_TEST(test_EVP_rsa_pss_with_keygen_bits); + ADD_TEST(test_EVP_rsa_pss_set_saltlen); #ifndef OPENSSL_NO_EC ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids)); #endif @@ -3980,8 +4473,22 @@ int setup_tests(void) #ifndef OPENSSL_NO_DEPRECATED_3_0 ADD_ALL_TESTS(test_custom_pmeth, 12); ADD_TEST(test_evp_md_cipher_meth); + +# ifndef OPENSSL_NO_DYNAMIC_ENGINE + /* Tests only support the default libctx */ + if (testctx == NULL) { +# ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(test_signatures_with_engine, 3); +# else + ADD_ALL_TESTS(test_signatures_with_engine, 2); +# endif + ADD_TEST(test_cipher_with_engine); + } +# endif #endif + ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); + return 1; } diff --git a/deps/openssl/openssl/test/evp_extra_test2.c b/deps/openssl/openssl/test/evp_extra_test2.c index d932b73dd728bf..b70c168d9db14b 100644 --- a/deps/openssl/openssl/test/evp_extra_test2.c +++ b/deps/openssl/openssl/test/evp_extra_test2.c 
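Review bot: The `else` branch in `test_signatures_with_engine` is commented `/* We used a bad key. We expect a failure here */`, but it is also reached for `tst == 2`, where the key is the full 32-byte `ed25519key` and the digest argument is NULL, so "bad key" does not describe that case. A reader cannot tell from the test why `EVP_DigestSignInit` must fail for ED25519 with the `dasync` engine, or whether that expectation is a property of the engine or of the library. A comment naming both cases would help, for example `/* tst 1: CMAC key is too short; tst 2: PLACEHOLDER - reason ED25519 with this engine must fail */`. The function's header comment, "Test we can create a signature keys with an associated ENGINE", likewise fits only case 0, since two of the three cases assert failure.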
@@ -20,9 +20,7 @@ #include #include #include -#ifndef OPENSSL_NO_DEPRECATED_3_0 -# include -#endif +#include #include #include "testutil.h" #include "internal/nelem.h" @@ -818,6 +816,59 @@ static int test_pkey_export(void) return ret; } +static int test_rsa_pss_sign(void) +{ + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *pctx = NULL; + int ret = 0; + const unsigned char *pdata = keydata[0].kder; + const char *mdname = "SHA2-256"; + OSSL_PARAM sig_params[3]; + unsigned char mdbuf[256 / 8] = { 0 }; + int padding = RSA_PKCS1_PSS_PADDING; + unsigned char *sig = NULL; + size_t sig_len = 0; + + sig_params[0] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_PAD_MODE, + &padding); + sig_params[1] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, + (char *)mdname, 0); + sig_params[2] = OSSL_PARAM_construct_end(); + + ret = TEST_ptr(pkey = d2i_AutoPrivateKey_ex(NULL, &pdata, keydata[0].size, + mainctx, NULL)) + && TEST_ptr(pctx = EVP_PKEY_CTX_new_from_pkey(mainctx, pkey, NULL)) + && TEST_int_gt(EVP_PKEY_sign_init_ex(pctx, sig_params), 0) + && TEST_int_gt(EVP_PKEY_sign(pctx, NULL, &sig_len, mdbuf, + sizeof(mdbuf)), 0) + && TEST_int_gt(sig_len, 0) + && TEST_ptr(sig = OPENSSL_malloc(sig_len)) + && TEST_int_gt(EVP_PKEY_sign(pctx, sig, &sig_len, mdbuf, + sizeof(mdbuf)), 0); + + EVP_PKEY_CTX_free(pctx); + OPENSSL_free(sig); + EVP_PKEY_free(pkey); + + return ret; +} + +static int test_evp_md_ctx_copy(void) +{ + EVP_MD_CTX *mdctx = NULL; + EVP_MD_CTX *copyctx = NULL; + int ret; + + /* test copying freshly initialized context */ + ret = TEST_ptr(mdctx = EVP_MD_CTX_new()) + && TEST_ptr(copyctx = EVP_MD_CTX_new()) + && TEST_true(EVP_MD_CTX_copy_ex(copyctx, mdctx)); + + EVP_MD_CTX_free(mdctx); + EVP_MD_CTX_free(copyctx); + return ret; +} + int setup_tests(void) { if (!test_get_libctx(&mainctx, &nullprov, NULL, NULL, NULL)) { 
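Review bot: In the new `test_rsa_pss_sign`, `TEST_int_gt(sig_len, 0)` passes a `size_t` through the int comparison helper, so the value is narrowed before it is compared. The sizes here are small enough that it does not matter in practice, but the size_t helper states the intent and avoids the conversion: `TEST_size_t_gt(sig_len, 0)`. The test also stops once signing succeeds; if the aim is to show that the PSS parameters in `sig_params` took effect, verifying `sig` over `mdbuf` with the same parameters would make that explicit.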
@@ -843,6 +894,8 @@ int setup_tests(void) ADD_TEST(test_pkcs8key_nid_bio); #endif ADD_ALL_TESTS(test_PEM_read_bio_negative, OSSL_NELEM(keydata)); + ADD_TEST(test_rsa_pss_sign); + ADD_TEST(test_evp_md_ctx_copy); return 1; } diff --git a/deps/openssl/openssl/test/evp_fetch_prov_test.c b/deps/openssl/openssl/test/evp_fetch_prov_test.c index fc10bdad5729bd..d237082bdcc0a8 100644 --- a/deps/openssl/openssl/test/evp_fetch_prov_test.c +++ b/deps/openssl/openssl/test/evp_fetch_prov_test.c @@ -220,11 +220,11 @@ static int test_explicit_EVP_MD_fetch_by_X509_ALGOR(int idx) X509_ALGOR_get0(&obj, NULL, NULL, algor); switch (idx) { case 0: - if (!TEST_true(OBJ_obj2txt(id, sizeof(id), obj, 0))) + if (!TEST_int_gt(OBJ_obj2txt(id, sizeof(id), obj, 0), 0)) goto end; break; case 1: - if (!TEST_true(OBJ_obj2txt(id, sizeof(id), obj, 1))) + if (!TEST_int_gt(OBJ_obj2txt(id, sizeof(id), obj, 1), 0)) goto end; break; } @@ -336,11 +336,11 @@ static int test_explicit_EVP_CIPHER_fetch_by_X509_ALGOR(int idx) X509_ALGOR_get0(&obj, NULL, NULL, algor); switch (idx) { case 0: - if (!TEST_true(OBJ_obj2txt(id, sizeof(id), obj, 0))) + if (!TEST_int_gt(OBJ_obj2txt(id, sizeof(id), obj, 0), 0)) goto end; break; case 1: - if (!TEST_true(OBJ_obj2txt(id, sizeof(id), obj, 1))) + if (!TEST_int_gt(OBJ_obj2txt(id, sizeof(id), obj, 1), 0)) goto end; break; } diff --git a/deps/openssl/openssl/test/evp_kdf_test.c b/deps/openssl/openssl/test/evp_kdf_test.c index 4b3df38b5f42e5..145e64fbdb4f29 100644 --- a/deps/openssl/openssl/test/evp_kdf_test.c +++ b/deps/openssl/openssl/test/evp_kdf_test.c @@ -502,7 +502,8 @@ static int test_kdf_pbkdf1(void) unsigned int iterations = 4096; OSSL_LIB_CTX *libctx = NULL; OSSL_PARAM *params = NULL; - OSSL_PROVIDER *prov = NULL; + OSSL_PROVIDER *legacyprov = NULL; + OSSL_PROVIDER *defprov = NULL; const unsigned char expected[sizeof(out)] = { 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75, 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00, 
@@ -513,12 +514,15 @@ static int test_kdf_pbkdf1(void) goto err; /* PBKDF1 only available in the legacy provider */ - prov = OSSL_PROVIDER_load(libctx, "legacy"); - if (prov == NULL) { + legacyprov = OSSL_PROVIDER_load(libctx, "legacy"); + if (legacyprov == NULL) { OSSL_LIB_CTX_free(libctx); return TEST_skip("PBKDF1 only available in legacy provider"); } + if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default"))) + goto err; + params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256", "saltSALTsaltSALTsaltSALTsaltSALTsalt", &iterations); @@ -534,7 +538,8 @@ static int test_kdf_pbkdf1(void) err: EVP_KDF_CTX_free(kctx); OPENSSL_free(params); - OSSL_PROVIDER_unload(prov); + OSSL_PROVIDER_unload(defprov); + OSSL_PROVIDER_unload(legacyprov); OSSL_LIB_CTX_free(libctx); return ret; } diff --git a/deps/openssl/openssl/test/evp_libctx_test.c b/deps/openssl/openssl/test/evp_libctx_test.c index e3eac8a06818be..e2663dc029987d 100644 --- a/deps/openssl/openssl/test/evp_libctx_test.c +++ b/deps/openssl/openssl/test/evp_libctx_test.c @@ -669,7 +669,7 @@ static EVP_PKEY *gen_dh_key(void) params[1] = OSSL_PARAM_construct_end(); if (!TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL)) - || !TEST_true(EVP_PKEY_keygen_init(gctx)) + || !TEST_int_gt(EVP_PKEY_keygen_init(gctx), 0) || !TEST_true(EVP_PKEY_CTX_set_params(gctx, params)) || !TEST_true(EVP_PKEY_keygen(gctx, &pkey))) goto err; diff --git a/deps/openssl/openssl/test/evp_pkey_provided_test.c b/deps/openssl/openssl/test/evp_pkey_provided_test.c index 15c8ce77bb89a5..8b5c7b34577d51 100644 --- a/deps/openssl/openssl/test/evp_pkey_provided_test.c +++ b/deps/openssl/openssl/test/evp_pkey_provided_test.c 
@@ -141,7 +141,7 @@ static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk) (unsigned char *)"pass", 4, NULL, NULL)) /* Private key in text form */ - || !TEST_true(EVP_PKEY_print_private(membio, pk, 0, NULL)) + || !TEST_int_gt(EVP_PKEY_print_private(membio, pk, 0, NULL), 0) || !TEST_true(compare_with_file(alg, PRIV_TEXT, membio)) /* Public key in PEM form */ || !TEST_true(PEM_write_bio_PUBKEY(membio, pk)) @@ -340,9 +340,9 @@ static int test_fromdata_rsa(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL))) goto err; - if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, - fromdata_params))) + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1)) goto err; while (dup_pk == NULL) { @@ -431,9 +431,9 @@ static int test_evp_pkey_get_bn_param_large(void) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)) || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, - fromdata_params)) + || !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1) || !TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, "")) || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_RSA_N, &n_out)) || !TEST_BN_eq(n, n_out)) @@ -522,9 +522,9 @@ static int test_fromdata_dh_named_group(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL))) goto err; - if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, - fromdata_params))) + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1)) goto err; /* 
@@ -734,9 +734,9 @@ static int test_fromdata_dh_fips186_4(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL))) goto err; - if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, - fromdata_params))) + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1)) goto err; while (dup_pk == NULL) { @@ -1041,9 +1041,9 @@ static int test_fromdata_ecx(int tst) fromdata_params = params; } - if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, - fromdata_params))) + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1)) goto err; while (dup_pk == NULL) { @@ -1179,9 +1179,9 @@ static int test_fromdata_ec(void) if (!TEST_ptr(ctx)) goto err; - if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, - fromdata_params))) + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1)) goto err; while (dup_pk == NULL) { @@ -1484,9 +1484,9 @@ static int test_fromdata_dsa_fips186_4(void) if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL))) goto err; - if (!TEST_true(EVP_PKEY_fromdata_init(ctx)) - || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, - fromdata_params))) + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1)) goto err; while (dup_pk == NULL) { diff --git a/deps/openssl/openssl/test/fake_rsaprov.c b/deps/openssl/openssl/test/fake_rsaprov.c new file mode 100644 index 00000000000000..e4833a6a996828 --- /dev/null +++ b/deps/openssl/openssl/test/fake_rsaprov.c 
@@ -0,0 +1,234 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include +#include +#include +#include +#include "testutil.h" +#include "fake_rsaprov.h" + +static OSSL_FUNC_keymgmt_new_fn fake_rsa_keymgmt_new; +static OSSL_FUNC_keymgmt_free_fn fake_rsa_keymgmt_free; +static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has; +static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query; +static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import; +static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes; + +static int has_selection; +static int imptypes_selection; +static int query_id; + +static void *fake_rsa_keymgmt_new(void *provctx) +{ + unsigned char *keydata = OPENSSL_zalloc(1); + + TEST_ptr(keydata); + + /* clear test globals */ + has_selection = 0; + imptypes_selection = 0; + query_id = 0; + + return keydata; +} + +static void fake_rsa_keymgmt_free(void *keydata) +{ + OPENSSL_free(keydata); +} + +static int fake_rsa_keymgmt_has(const void *key, int selection) +{ + /* record global for checking */ + has_selection = selection; + + return 1; +} + + +static const char *fake_rsa_keymgmt_query(int id) +{ + /* record global for checking */ + query_id = id; + + return "RSA"; +} + +static int fake_rsa_keymgmt_import(void *keydata, int selection, + const OSSL_PARAM *p) +{ + unsigned char *fake_rsa_key = keydata; + + /* key was imported */ + *fake_rsa_key = 1; + + return 1; +} + +static const OSSL_PARAM fake_rsa_import_key_types[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, NULL, 0), + 
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, NULL, 0), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection) +{ + /* record global for checking */ + imptypes_selection = selection; + + return fake_rsa_import_key_types; +} + +static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = { + { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))fake_rsa_keymgmt_new }, + { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))fake_rsa_keymgmt_free} , + { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))fake_rsa_keymgmt_has }, + { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, + (void (*)(void))fake_rsa_keymgmt_query }, + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, + (void (*)(void))fake_rsa_keymgmt_imptypes }, + { 0, NULL } +}; + +static const OSSL_ALGORITHM fake_rsa_keymgmt_algs[] = { + { "RSA:rsaEncryption", "provider=fake-rsa", fake_rsa_keymgmt_funcs, "Fake RSA Key Management" }, + { NULL, NULL, NULL, NULL } +}; + +static OSSL_FUNC_signature_newctx_fn fake_rsa_sig_newctx; +static OSSL_FUNC_signature_freectx_fn fake_rsa_sig_freectx; +static OSSL_FUNC_signature_sign_init_fn fake_rsa_sig_sign_init; +static OSSL_FUNC_signature_sign_fn fake_rsa_sig_sign; + +static void *fake_rsa_sig_newctx(void *provctx, const char *propq) +{ + unsigned char *sigctx = OPENSSL_zalloc(1); + + TEST_ptr(sigctx); + + return sigctx; +} + +static void fake_rsa_sig_freectx(void *sigctx) +{ + OPENSSL_free(sigctx); +} + +static int fake_rsa_sig_sign_init(void *ctx, void *provkey, + const OSSL_PARAM params[]) +{ + unsigned char *sigctx = ctx; + unsigned char *keydata = provkey; + + /* we must have a ctx */ + if (!TEST_ptr(sigctx)) + return 0; + + /* we must have some initialized key */ + if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0)) + return 0; + + /* record that sign init 
was called */ + *sigctx = 1; + return 1; +} + +static int fake_rsa_sig_sign(void *ctx, unsigned char *sig, + size_t *siglen, size_t sigsize, + const unsigned char *tbs, size_t tbslen) +{ + unsigned char *sigctx = ctx; + + /* we must have a ctx and init was called upon it */ + if (!TEST_ptr(sigctx) || !TEST_int_eq(*sigctx, 1)) + return 0; + + *siglen = 256; + /* record that the real sign operation was called */ + if (sig != NULL) { + if (!TEST_int_ge(sigsize, *siglen)) + return 0; + *sigctx = 2; + /* produce a fake signature */ + memset(sig, 'a', *siglen); + } + + return 1; +} + +static const OSSL_DISPATCH fake_rsa_sig_funcs[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))fake_rsa_sig_newctx }, + { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))fake_rsa_sig_freectx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))fake_rsa_sig_sign_init }, + { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))fake_rsa_sig_sign }, + { 0, NULL } +}; + +static const OSSL_ALGORITHM fake_rsa_sig_algs[] = { + { "RSA:rsaEncryption", "provider=fake-rsa", fake_rsa_sig_funcs, "Fake RSA Signature" }, + { NULL, NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM *fake_rsa_query(void *provctx, + int operation_id, + int *no_cache) +{ + *no_cache = 0; + switch (operation_id) { + case OSSL_OP_SIGNATURE: + return fake_rsa_sig_algs; + + case OSSL_OP_KEYMGMT: + return fake_rsa_keymgmt_algs; + } + return NULL; +} + +/* Functions we provide to the core */ +static const OSSL_DISPATCH fake_rsa_method[] = { + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OSSL_LIB_CTX_free }, + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fake_rsa_query }, + { 0, NULL } +}; + +static int fake_rsa_provider_init(const OSSL_CORE_HANDLE *handle, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, void **provctx) +{ + if (!TEST_ptr(*provctx = OSSL_LIB_CTX_new())) + return 0; + *out = fake_rsa_method; + return 1; +} + +OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx) +{ + OSSL_PROVIDER *p; + + if 
(!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "fake-rsa", + fake_rsa_provider_init)) + || !TEST_ptr(p = OSSL_PROVIDER_try_load(libctx, "fake-rsa", 1))) + return NULL; + + return p; +} + +void fake_rsa_finish(OSSL_PROVIDER *p) +{ + OSSL_PROVIDER_unload(p); +} diff --git a/deps/openssl/openssl/test/fake_rsaprov.h b/deps/openssl/openssl/test/fake_rsaprov.h new file mode 100644 index 00000000000000..57de1ecf8dea53 --- /dev/null +++ b/deps/openssl/openssl/test/fake_rsaprov.h @@ -0,0 +1,14 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +/* Fake RSA provider implementation */ +OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); +void fake_rsa_finish(OSSL_PROVIDER *p); diff --git a/deps/openssl/openssl/test/helpers/predefined_dhparams.c b/deps/openssl/openssl/test/helpers/predefined_dhparams.c index a6dd8c08a58601..ebb9c8891d326c 100644 --- a/deps/openssl/openssl/test/helpers/predefined_dhparams.c +++ b/deps/openssl/openssl/test/helpers/predefined_dhparams.c @@ -23,7 +23,7 @@ static EVP_PKEY *get_dh_from_pg_bn(OSSL_LIB_CTX *libctx, const char *type, OSSL_PARAM *params = NULL; EVP_PKEY *dhpkey = NULL; - if (pctx == NULL || !EVP_PKEY_fromdata_init(pctx)) + if (pctx == NULL || EVP_PKEY_fromdata_init(pctx) <= 0) goto err; if ((tmpl = OSSL_PARAM_BLD_new()) == NULL @@ -35,7 +35,7 @@ static EVP_PKEY *get_dh_from_pg_bn(OSSL_LIB_CTX *libctx, const char *type, params = OSSL_PARAM_BLD_to_param(tmpl); if (params == NULL - || !EVP_PKEY_fromdata(pctx, &dhpkey, EVP_PKEY_KEY_PARAMETERS, params)) + || EVP_PKEY_fromdata(pctx, &dhpkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) goto err; err: 
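Review bot: In `fake_rsa_method` (test/fake_rsaprov.c) the teardown slot holds `OSSL_LIB_CTX_free` cast straight to `void (*)(void)`, so the core calls a function declared with an `OSSL_LIB_CTX *` parameter through the teardown signature, which takes `void *`. That is a call through an incompatible function-pointer type: it works on common ABIs, but it is undefined in C and is the kind of mismatch that indirect-call sanitizers and CFI schemes report. The keymgmt and signature callbacks in this file are forward-declared with their `OSSL_FUNC_..._fn` types so the compiler checks each signature; a small wrapper gives teardown the same check: `static OSSL_FUNC_provider_teardown_fn fake_rsa_teardown;` and `static void fake_rsa_teardown(void *provctx) { OSSL_LIB_CTX_free(provctx); }`, with the table entry pointing at `fake_rsa_teardown`.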
diff --git a/deps/openssl/openssl/test/helpers/ssltestlib.c b/deps/openssl/openssl/test/helpers/ssltestlib.c index 6e1c2d65a93ad3..2d992cde234c19 100644 --- a/deps/openssl/openssl/test/helpers/ssltestlib.c +++ b/deps/openssl/openssl/test/helpers/ssltestlib.c @@ -1030,11 +1030,6 @@ int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want) if (!create_bare_ssl_connection(serverssl, clientssl, want, 1)) return 0; -#ifndef OPENSSL_NO_QUIC - /* QUIC does not support SSL_read_ex */ - if (SSL_is_quic(clientssl)) - return 1; -#endif /* * We attempt to read some data on the client side which we expect to fail. * This will ensure we have received the NewSessionTicket in TLSv1.3 where diff --git a/deps/openssl/openssl/test/keymgmt_internal_test.c b/deps/openssl/openssl/test/keymgmt_internal_test.c index 40fc464bc22c1f..dd0de2f599277b 100644 --- a/deps/openssl/openssl/test/keymgmt_internal_test.c +++ b/deps/openssl/openssl/test/keymgmt_internal_test.c @@ -88,7 +88,7 @@ static int get_ulong_via_BN(const OSSL_PARAM *p, unsigned long *goal) int ret = 1; /* Ever so hopeful */ if (!TEST_true(OSSL_PARAM_get_BN(p, &n)) - || !TEST_true(BN_bn2nativepad(n, (unsigned char *)goal, sizeof(*goal)))) + || !TEST_int_ge(BN_bn2nativepad(n, (unsigned char *)goal, sizeof(*goal)), 0)) ret = 0; BN_free(n); return ret; diff --git a/deps/openssl/openssl/test/packettest.c b/deps/openssl/openssl/test/packettest.c index 2d6c2a6ef99f5c..b82b9fb5022532 100644 --- a/deps/openssl/openssl/test/packettest.c +++ b/deps/openssl/openssl/test/packettest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -302,7 +302,7 @@ static int test_PACKET_forward(void) static int test_PACKET_buf_init(void) { - unsigned char buf1[BUF_LEN]; + unsigned char buf1[BUF_LEN] = { 0 }; PACKET pkt; /* Also tests PACKET_remaining() */ diff --git a/deps/openssl/openssl/test/params_test.c b/deps/openssl/openssl/test/params_test.c index 13cfb9d19ecbf8..6a970feaa4591c 100644 --- a/deps/openssl/openssl/test/params_test.c +++ b/deps/openssl/openssl/test/params_test.c 
@@ -551,40 +551,64 @@ static int test_case(int i) */ static const OSSL_PARAM params_from_text[] = { + /* Fixed size buffer */ OSSL_PARAM_int32("int", NULL), OSSL_PARAM_DEFN("short", OSSL_PARAM_INTEGER, NULL, sizeof(int16_t)), OSSL_PARAM_DEFN("ushort", OSSL_PARAM_UNSIGNED_INTEGER, NULL, sizeof(uint16_t)), + /* Arbitrary size buffer. Make sure the result fits in a long */ + OSSL_PARAM_DEFN("num", OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_DEFN("unum", OSSL_PARAM_UNSIGNED_INTEGER, NULL, 0), OSSL_PARAM_END, }; struct int_from_text_test_st { const char *argname; const char *strval; - long int intval; - int res; + long int expected_intval; + int expected_res; + size_t expected_bufsize; }; static struct int_from_text_test_st int_from_text_test_cases[] = { - { "int", "", 0, 0 }, - { "int", "0", 0, 1 }, - { "int", "101", 101, 1 }, - { "int", "-102", -102, 1 }, - { "int", "12A", 12, 1 }, /* incomplete */ - { "int", "0x12B", 0x12B, 1 }, - { "hexint", "12C", 0x12C, 1 }, - { "hexint", "0x12D", 0, 1 }, /* zero */ + { "int", "", 0, 0, 0 }, + { "int", "0", 0, 1, 4 }, + { "int", "101", 101, 1, 4 }, + { "int", "-102", -102, 1, 4 }, + { "int", "12A", 12, 1, 4 }, /* incomplete */ + { "int", "0x12B", 0x12B, 1, 4 }, + { "hexint", "12C", 0x12C, 1, 4 }, + { "hexint", "0x12D", 0, 1, 4 }, /* zero */ /* test check of the target buffer size */ - { "int", "0x7fffffff", INT32_MAX, 1 }, - { "int", "2147483647", INT32_MAX, 1 }, - { "int", "2147483648", 0, 0 }, /* too small buffer */ - { "int", "-2147483648", INT32_MIN, 1 }, - { "int", "-2147483649", 0, 0 }, /* too small buffer */ - { "short", "0x7fff", INT16_MAX, 1 }, - { "short", "32767", INT16_MAX, 1 }, - { "short", "32768", 0, 0 }, /* too small buffer */ - { "ushort", "0xffff", UINT16_MAX, 1 }, - { "ushort", "65535", UINT16_MAX, 1 }, - { "ushort", "65536", 0, 0 }, /* too small buffer */ + { "int", "0x7fffffff", INT32_MAX, 1, 4 }, + { "int", "2147483647", INT32_MAX, 1, 4 }, + { "int", "2147483648", 0, 0, 0 }, /* too small buffer */ + { "int", 
"-2147483648", INT32_MIN, 1, 4 }, + { "int", "-2147483649", 0, 0, 4 }, /* too small buffer */ + { "short", "0x7fff", INT16_MAX, 1, 2 }, + { "short", "32767", INT16_MAX, 1, 2 }, + { "short", "32768", 0, 0, 0 }, /* too small buffer */ + { "ushort", "0xffff", UINT16_MAX, 1, 2 }, + { "ushort", "65535", UINT16_MAX, 1, 2 }, + { "ushort", "65536", 0, 0, 0 }, /* too small buffer */ + /* test check of sign extension in arbitrary size results */ + { "num", "0", 0, 1, 1 }, + { "num", "0", 0, 1, 1 }, + { "num", "0xff", 0xff, 1, 2 }, /* sign extension */ + { "num", "-0xff", -0xff, 1, 2 }, /* sign extension */ + { "num", "0x7f", 0x7f, 1, 1 }, /* no sign extension */ + { "num", "-0x7f", -0x7f, 1, 1 }, /* no sign extension */ + { "num", "0x80", 0x80, 1, 2 }, /* sign extension */ + { "num", "-0x80", -0x80, 1, 1 }, /* no sign extension */ + { "num", "0x81", 0x81, 1, 2 }, /* sign extension */ + { "num", "-0x81", -0x81, 1, 2 }, /* sign extension */ + { "unum", "0xff", 0xff, 1, 1 }, + { "unum", "-0xff", -0xff, 0, 0 }, /* invalid neg number */ + { "unum", "0x7f", 0x7f, 1, 1 }, + { "unum", "-0x7f", -0x7f, 0, 0 }, /* invalid neg number */ + { "unum", "0x80", 0x80, 1, 1 }, + { "unum", "-0x80", -0x80, 0, 0 }, /* invalid neg number */ + { "unum", "0x81", 0x81, 1, 1 }, + { "unum", "-0x81", -0x81, 0, 0 }, /* invalid neg number */ }; static int check_int_from_text(const struct int_from_text_test_st a) 
@@ -595,21 +619,40 @@ static int check_int_from_text(const struct int_from_text_test_st a) if (!OSSL_PARAM_allocate_from_text(¶m, params_from_text, a.argname, a.strval, 0, NULL)) { - if (a.res) - TEST_error("errant %s param \"%s\"", a.argname, a.strval); - return !a.res; + if (a.expected_res) + TEST_error("unexpected OSSL_PARAM_allocate_from_text() return for %s \"%s\"", + a.argname, a.strval); + return !a.expected_res; } + /* For data size zero, OSSL_PARAM_get_long() may crash */ + if (param.data_size == 0) { + OPENSSL_free(param.data); + TEST_error("unexpected zero size for %s \"%s\"", + a.argname, a.strval); + return 0; + } res = OSSL_PARAM_get_long(¶m, &val); OPENSSL_free(param.data); - if (res ^ a.res || val != a.intval) { - TEST_error("errant %s \"%s\" %li != %li", - a.argname, a.strval, a.intval, val); + if (res ^ a.expected_res) { + TEST_error("unexpected OSSL_PARAM_get_long() return for %s \"%s\": " + "%d != %d", a.argname, a.strval, a.expected_res, res); + return 0; + } + if (val != a.expected_intval) { + TEST_error("unexpected result for %s \"%s\": %li != %li", + a.argname, a.strval, a.expected_intval, val); + return 0; + } + if (param.data_size != a.expected_bufsize) { + TEST_error("unexpected size for %s \"%s\": %d != %d", + a.argname, a.strval, + (int)a.expected_bufsize, (int)param.data_size); return 0; } - return a.res; + return a.expected_res; } static int test_allocate_from_text(int i) diff --git a/deps/openssl/openssl/test/property_test.c b/deps/openssl/openssl/test/property_test.c index 6cc8eec138ab49..ad44cf15130845 100644 --- a/deps/openssl/openssl/test/property_test.c +++ b/deps/openssl/openssl/test/property_test.c 
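Review bot: In `check_int_from_text` the failure path `return !a.expected_res;` returns before `expected_bufsize` is compared, so the size column is never checked for rows that expect `OSSL_PARAM_allocate_from_text()` to fail. The table in the previous hunk shows the effect: `{ "int", "-2147483649", 0, 0, 4 }` carries a 4 while the sibling "too small buffer" rows carry 0, and nothing notices the difference. Either set that row to 0 or document the field in the struct, e.g. `size_t expected_bufsize; /* only checked when expected_res is 1 */`. The same table also lists `{ "num", "0", 0, 1, 1 }` twice, which looks unintended.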
@@ -15,6 +15,16 @@ #include "internal/property.h" #include "../crypto/property/property_local.h" +/* + * We make our OSSL_PROVIDER for testing purposes. All we really need is + * a pointer. We know that as long as we don't try to use the method + * cache flush functions, the provider pointer is merely a pointer being + * passed around, and used as a tag of sorts. + */ +struct ossl_provider_st { + int x; +}; + static int add_property_names(const char *n, ...) { va_list args; 
@@ -145,6 +155,52 @@ static int test_property_query_value_create(void) return r; } +static const struct { + int query; + const char *ps; +} parse_error_tests[] = { + { 0, "n=1, n=1" }, /* duplicate name */ + { 0, "n=1, a=hi, n=1" }, /* duplicate name */ + { 1, "n=1, a=bye, ?n=0" }, /* duplicate name */ + { 0, "a=abc,#@!, n=1" }, /* non-ASCII character located */ + { 1, "a='Hello" }, /* Unterminated string */ + { 0, "a=\"World" }, /* Unterminated string */ + { 1, "a=2, n=012345678" }, /* Bad octal digit */ + { 0, "n=0x28FG, a=3" }, /* Bad hex digit */ + { 0, "n=145d, a=2" }, /* Bad decimal digit */ + { 1, "@='hello'" }, /* Invalid name */ + { 1, "n0123456789012345678901234567890123456789" + "0123456789012345678901234567890123456789" + "0123456789012345678901234567890123456789" + "0123456789012345678901234567890123456789=yes" }, /* Name too long */ + { 0, ".n=3" }, /* Invalid name */ + { 1, "fnord.fnord.=3" } /* Invalid name */ +}; + +static int test_property_parse_error(int n) +{ + OSSL_METHOD_STORE *store; + OSSL_PROPERTY_LIST *p = NULL; + int r = 0; + const char *ps; + + if (!TEST_ptr(store = ossl_method_store_new(NULL)) + || !add_property_names("a", "n", NULL)) + goto err; + ps = parse_error_tests[n].ps; + if (parse_error_tests[n].query) { + if (!TEST_ptr_null(p = ossl_parse_query(NULL, ps, 1))) + goto err; + } else if (!TEST_ptr_null(p = ossl_parse_property(NULL, ps))) { + goto err; + } + r = 1; + err: + ossl_property_free(p); + ossl_method_store_free(store); + return r; +} + static const struct { const char *q_global; const char *q_local; 
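Review bot: The comment on the `"a=abc,#@!, n=1"` entry of parse_error_tests says "non-ASCII character located", but `#`, `@` and `!` are all ASCII. The entry appears to exercise a character that is not valid in a property name. I would reword the comment to `/* Invalid character in name */` so the table documents what the parser is actually expected to reject.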
@@ -267,13 +323,14 @@ static int test_register_deregister(void) size_t i; int ret = 0; OSSL_METHOD_STORE *store; + OSSL_PROVIDER prov = { 1 }; if (!TEST_ptr(store = ossl_method_store_new(NULL)) || !add_property_names("position", NULL)) goto err; for (i = 0; i < OSSL_NELEM(impls); i++) - if (!TEST_true(ossl_method_store_add(store, NULL, impls[i].nid, + if (!TEST_true(ossl_method_store_add(store, &prov, impls[i].nid, impls[i].prop, impls[i].impl, &up_ref, &down_ref))) { TEST_note("iteration %zd", i + 1); 
@@ -302,34 +359,40 @@ static int test_register_deregister(void) static int test_property(void) { + static OSSL_PROVIDER fake_provider1 = { 1 }; + static OSSL_PROVIDER fake_provider2 = { 2 }; + static const OSSL_PROVIDER *fake_prov1 = &fake_provider1; + static const OSSL_PROVIDER *fake_prov2 = &fake_provider2; static const struct { + const OSSL_PROVIDER **prov; int nid; const char *prop; char *impl; } impls[] = { - { 1, "fast=no, colour=green", "a" }, - { 1, "fast, colour=blue", "b" }, - { 1, "", "-" }, - { 9, "sky=blue, furry", "c" }, - { 3, NULL, "d" }, - { 6, "sky.colour=blue, sky=green, old.data", "e" }, + { &fake_prov1, 1, "fast=no, colour=green", "a" }, + { &fake_prov1, 1, "fast, colour=blue", "b" }, + { &fake_prov1, 1, "", "-" }, + { &fake_prov2, 9, "sky=blue, furry", "c" }, + { &fake_prov2, 3, NULL, "d" }, + { &fake_prov2, 6, "sky.colour=blue, sky=green, old.data", "e" }, }; static struct { + const OSSL_PROVIDER **prov; int nid; const char *prop; char *expected; } queries[] = { - { 1, "fast", "b" }, - { 1, "fast=yes", "b" }, - { 1, "fast=no, colour=green", "a" }, - { 1, "colour=blue, fast", "b" }, - { 1, "colour=blue", "b" }, - { 9, "furry", "c" }, - { 6, "sky.colour=blue", "e" }, - { 6, "old.data", "e" }, - { 9, "furry=yes, sky=blue", "c" }, - { 1, "", "a" }, - { 3, "", "d" }, + { &fake_prov1, 1, "fast", "b" }, + { &fake_prov1, 1, "fast=yes", "b" }, + { &fake_prov1, 1, "fast=no, colour=green", "a" }, + { &fake_prov1, 1, "colour=blue, fast", "b" }, + { &fake_prov1, 1, "colour=blue", "b" }, + { &fake_prov2, 9, "furry", "c" }, + { &fake_prov2, 6, "sky.colour=blue", "e" }, + { &fake_prov2, 6, "old.data", "e" }, + { &fake_prov2, 9, "furry=yes, sky=blue", "c" }, + { &fake_prov1, 1, "", "a" }, + { &fake_prov2, 3, "", "d" }, }; OSSL_METHOD_STORE *store; size_t i; 
@@ -341,17 +404,24 @@ static int test_property(void) goto err; for (i = 0; i < OSSL_NELEM(impls); i++) - if (!TEST_true(ossl_method_store_add(store, NULL, impls[i].nid, - impls[i].prop, impls[i].impl, + if (!TEST_true(ossl_method_store_add(store, *impls[i].prov, + impls[i].nid, impls[i].prop, + impls[i].impl, &up_ref, &down_ref))) { TEST_note("iteration %zd", i + 1); goto err; } + /* + * The first check of queries is with NULL given as provider. All + * queries are expected to succeed. + */ for (i = 0; i < OSSL_NELEM(queries); i++) { + const OSSL_PROVIDER *nullprov = NULL; OSSL_PROPERTY_LIST *pq = NULL; - if (!TEST_true(ossl_method_store_fetch(store, queries[i].nid, - queries[i].prop, &result)) + if (!TEST_true(ossl_method_store_fetch(store, + queries[i].nid, queries[i].prop, + &nullprov, &result)) || !TEST_str_eq((char *)result, queries[i].expected)) { TEST_note("iteration %zd", i + 1); ossl_property_free(pq); 
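Review bot: The first query loop in test_property passes `&nullprov` to ossl_method_store_fetch() but never inspects it afterwards, so whatever the store reports back through that pointer is untested in the NULL-provider case. The later loops of this test assert that the in/out pointer still equals the requested provider, which suggests the fetch may write to it. If it returns the owning provider on success, adding `|| !TEST_ptr_eq(nullprov, *queries[i].prov)` to the condition would pin that down. `pq` in this loop is never assigned, so both `ossl_property_free(pq)` calls are dead code. The function starts and ends outside this hunk.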
@@ -359,6 +429,70 @@ static int test_property(void) } ossl_property_free(pq); } + /* + * The second check of queries is with &address1 given as provider. + */ + for (i = 0; i < OSSL_NELEM(queries); i++) { + OSSL_PROPERTY_LIST *pq = NULL; + + result = NULL; + if (queries[i].prov == &fake_prov1) { + if (!TEST_true(ossl_method_store_fetch(store, + queries[i].nid, + queries[i].prop, + &fake_prov1, &result)) + || !TEST_ptr_eq(fake_prov1, &fake_provider1) + || !TEST_str_eq((char *)result, queries[i].expected)) { + TEST_note("iteration %zd", i + 1); + ossl_property_free(pq); + goto err; + } + } else { + if (!TEST_false(ossl_method_store_fetch(store, + queries[i].nid, + queries[i].prop, + &fake_prov1, &result)) + || !TEST_ptr_eq(fake_prov1, &fake_provider1) + || !TEST_ptr_null(result)) { + TEST_note("iteration %zd", i + 1); + ossl_property_free(pq); + goto err; + } + } + ossl_property_free(pq); + } + /* + * The third check of queries is with &address2 given as provider. + */ + for (i = 0; i < OSSL_NELEM(queries); i++) { + OSSL_PROPERTY_LIST *pq = NULL; + + result = NULL; + if (queries[i].prov == &fake_prov2) { + if (!TEST_true(ossl_method_store_fetch(store, + queries[i].nid, + queries[i].prop, + &fake_prov2, &result)) + || !TEST_ptr_eq(fake_prov2, &fake_provider2) + || !TEST_str_eq((char *)result, queries[i].expected)) { + TEST_note("iteration %zd", i + 1); + ossl_property_free(pq); + goto err; + } + } else { + if (!TEST_false(ossl_method_store_fetch(store, + queries[i].nid, + queries[i].prop, + &fake_prov2, &result)) + || !TEST_ptr_eq(fake_prov2, &fake_provider2) + || !TEST_ptr_null(result)) { + TEST_note("iteration %zd", i + 1); + ossl_property_free(pq); + goto err; + } + } + ossl_property_free(pq); + } ret = 1; err: ossl_method_store_free(store); @@ -374,6 +508,7 @@ static int test_query_cache_stochastic(void) void *result; int errors = 0; int v[10001]; + OSSL_PROVIDER prov = { 1 }; if (!TEST_ptr(store = ossl_method_store_new(NULL)) || !add_property_names("n", NULL)) 
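Review bot: The comments introducing the second and third query loops in test_property refer to `&address1` and `&address2`, names that do not appear in this patch; the loops pass `&fake_prov1` and `&fake_prov2`. I would change them to `/* The second check of queries is with &fake_prov1 given as provider. */` (and `&fake_prov2` for the third), adding that queries registered under the other provider are expected to fail with a NULL result. The two loops differ only in the provider, so a small static helper taking the provider pointer would remove roughly thirty duplicated lines.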
@@ -382,20 +517,21 @@ static int test_query_cache_stochastic(void) for (i = 1; i <= max; i++) { v[i] = 2 * i; BIO_snprintf(buf, sizeof(buf), "n=%d\n", i); - if (!TEST_true(ossl_method_store_add(store, NULL, i, buf, "abc", + if (!TEST_true(ossl_method_store_add(store, &prov, i, buf, "abc", &up_ref, &down_ref)) - || !TEST_true(ossl_method_store_cache_set(store, i, buf, v + i, + || !TEST_true(ossl_method_store_cache_set(store, &prov, i, + buf, v + i, &up_ref, &down_ref)) - || !TEST_true(ossl_method_store_cache_set(store, i, "n=1234", - "miss", &up_ref, - &down_ref))) { + || !TEST_true(ossl_method_store_cache_set(store, &prov, i, + "n=1234", "miss", + &up_ref, &down_ref))) { TEST_note("iteration %d", i); goto err; } } for (i = 1; i <= max; i++) { BIO_snprintf(buf, sizeof(buf), "n=%d\n", i); - if (!ossl_method_store_cache_get(store, i, buf, &result) + if (!ossl_method_store_cache_get(store, NULL, i, buf, &result) || result != v + i) errors++; } @@ -493,6 +629,7 @@ int setup_tests(void) ADD_TEST(test_property_string); ADD_TEST(test_property_query_value_create); ADD_ALL_TESTS(test_property_parse, OSSL_NELEM(parser_tests)); + ADD_ALL_TESTS(test_property_parse_error, OSSL_NELEM(parse_error_tests)); ADD_ALL_TESTS(test_property_merge, OSSL_NELEM(merge_tests)); ADD_TEST(test_property_defn_cache); ADD_ALL_TESTS(test_definition_compares, OSSL_NELEM(definition_tests)); diff --git a/deps/openssl/openssl/test/provfetchtest.c b/deps/openssl/openssl/test/provfetchtest.c index ca154dd463c7aa..95ae87910e6189 100644 --- a/deps/openssl/openssl/test/provfetchtest.c +++ b/deps/openssl/openssl/test/provfetchtest.c @@ -213,7 +213,7 @@ static int dummy_provider_init(const OSSL_CORE_HANDLE *handle, * Do some work using the child libctx, to make sure this is possible from * inside the init function. */ - if (!RAND_bytes_ex(libctx, buf, sizeof(buf), 0)) + if (RAND_bytes_ex(libctx, buf, sizeof(buf), 0) <= 0) return 0; return 1; 
diff --git a/deps/openssl/openssl/test/provider_internal_test.c b/deps/openssl/openssl/test/provider_internal_test.c index d9cc68d59dc9b3..cb7d5efcf54889 100644 --- a/deps/openssl/openssl/test/provider_internal_test.c +++ b/deps/openssl/openssl/test/provider_internal_test.c @@ -31,7 +31,7 @@ static int test_provider(OSSL_PROVIDER *prov, const char *expected_greeting) && TEST_ptr(greeting = greeting_request[0].data) && TEST_size_t_gt(greeting_request[0].data_size, 0) && TEST_str_eq(greeting, expected_greeting) - && TEST_true(ossl_provider_deactivate(prov)); + && TEST_true(ossl_provider_deactivate(prov, 1)); TEST_info("Got this greeting: %s\n", greeting); ossl_provider_free(prov); diff --git a/deps/openssl/openssl/test/provider_pkey_test.c b/deps/openssl/openssl/test/provider_pkey_test.c new file mode 100644 index 00000000000000..d360c0cf3047e1 --- /dev/null +++ b/deps/openssl/openssl/test/provider_pkey_test.c 
@@ -0,0 +1,132 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include +#include "testutil.h" +#include "fake_rsaprov.h" + +static OSSL_LIB_CTX *libctx = NULL; + +/* Fetch SIGNATURE method using a libctx and propq */ +static int fetch_sig(OSSL_LIB_CTX *ctx, const char *alg, const char *propq, + OSSL_PROVIDER *expected_prov) +{ + OSSL_PROVIDER *prov; + EVP_SIGNATURE *sig = EVP_SIGNATURE_fetch(ctx, "RSA", propq); + int ret = 0; + + if (!TEST_ptr(sig)) + return 0; + + if (!TEST_ptr(prov = EVP_SIGNATURE_get0_provider(sig))) + goto end; + + if (!TEST_ptr_eq(prov, expected_prov)) { + TEST_info("Fetched provider: %s, Expected provider: %s", + OSSL_PROVIDER_get0_name(prov), + OSSL_PROVIDER_get0_name(expected_prov)); + goto end; + } + + ret = 1; +end: + EVP_SIGNATURE_free(sig); + return ret; +} + + +static int test_pkey_sig(void) +{ + OSSL_PROVIDER *deflt = NULL; + OSSL_PROVIDER *fake_rsa = NULL; + int i, ret = 0; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + + if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx))) + return 0; + + if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default"))) + goto end; + + /* Do a direct fetch to see it works */ + if (!TEST_true(fetch_sig(libctx, "RSA", "provider=fake-rsa", fake_rsa)) + || !TEST_true(fetch_sig(libctx, "RSA", "?provider=fake-rsa", fake_rsa))) + goto end; + + /* Construct a pkey using precise propq to use our provider */ + if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", + "provider=fake-rsa")) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, NULL)) + || !TEST_ptr(pkey)) + goto end; + + EVP_PKEY_CTX_free(ctx); 
+ ctx = NULL; + + /* try exercising signature_init ops a few times */ + for (i = 0; i < 3; i++) { + size_t siglen; + + /* + * Create a signing context for our pkey with optional propq. + * The sign init should pick both keymgmt and signature from + * fake-rsa as the key is not exportable. + */ + if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, + "?provider=default"))) + goto end; + + /* + * If this picks the wrong signature without realizing it + * we can get a segfault or some internal error. At least watch + * whether fake-rsa sign_init is is exercised by calling sign. + */ + if (!TEST_int_eq(EVP_PKEY_sign_init(ctx), 1)) + goto end; + + if (!TEST_int_eq(EVP_PKEY_sign(ctx, NULL, &siglen, NULL, 0), 1) + || !TEST_size_t_eq(siglen, 256)) + goto end; + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + } + + ret = 1; + +end: + fake_rsa_finish(fake_rsa); + OSSL_PROVIDER_unload(deflt); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + return ret; +} + +int setup_tests(void) +{ + libctx = OSSL_LIB_CTX_new(); + if (libctx == NULL) + return 0; + + ADD_TEST(test_pkey_sig); + + return 1; +} + +void cleanup_tests(void) +{ + OSSL_LIB_CTX_free(libctx); +} diff --git a/deps/openssl/openssl/test/rand_test.c b/deps/openssl/openssl/test/rand_test.c new file mode 100644 index 00000000000000..c6cf32610eb360 --- /dev/null +++ b/deps/openssl/openssl/test/rand_test.c 
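Review bot: fetch_sig() accepts an `alg` argument but ignores it and always fetches "RSA", so a later caller passing another algorithm name would silently test the wrong thing. The fetch should read `EVP_SIGNATURE *sig = EVP_SIGNATURE_fetch(ctx, alg, propq);`. In the comment inside the signing loop, "sign_init is is exercised" has a doubled word.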
@@ -0,0 +1,53 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the >License>). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "testutil.h" + +static int test_rand(void) +{ + EVP_RAND_CTX *privctx; + OSSL_PARAM params[2], *p = params; + unsigned char entropy1[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 }; + unsigned char entropy2[] = { 0xff, 0xfe, 0xfd }; + unsigned char outbuf[3]; + + *p++ = OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, + entropy1, sizeof(entropy1)); + *p = OSSL_PARAM_construct_end(); + + if (!TEST_ptr(privctx = RAND_get0_private(NULL)) + || !TEST_true(EVP_RAND_CTX_set_params(privctx, params)) + || !TEST_int_gt(RAND_priv_bytes(outbuf, sizeof(outbuf)), 0) + || !TEST_mem_eq(outbuf, sizeof(outbuf), entropy1, sizeof(outbuf)) + || !TEST_int_le(RAND_priv_bytes(outbuf, sizeof(outbuf) + 1), 0) + || !TEST_int_gt(RAND_priv_bytes(outbuf, sizeof(outbuf)), 0) + || !TEST_mem_eq(outbuf, sizeof(outbuf), + entropy1 + sizeof(outbuf), sizeof(outbuf))) + return 0; + + *params = OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, + entropy2, sizeof(entropy2)); + if (!TEST_true(EVP_RAND_CTX_set_params(privctx, params)) + || !TEST_int_gt(RAND_priv_bytes(outbuf, sizeof(outbuf)), 0) + || !TEST_mem_eq(outbuf, sizeof(outbuf), entropy2, sizeof(outbuf))) + return 0; + return 1; +} + +int setup_tests(void) +{ + if (!TEST_true(RAND_set_DRBG_type(NULL, "TEST-RAND", NULL, NULL, NULL))) + return 0; + ADD_TEST(test_rand); + return 1; +} diff --git a/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t b/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t index 4271ac32a3ce40..efe0760c25227e 100644 --- a/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t 
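Review bot: The negative case in test_rand calls `RAND_priv_bytes(outbuf, sizeof(outbuf) + 1)` on a three-byte `outbuf`, so the test is memory-safe only as long as the call fails before writing anything. It presumably fails because only three bytes of the injected test entropy remain, but a regression that let it succeed would write one byte past the array instead of producing a clean test failure. A dedicated buffer avoids that: `unsigned char bigbuf[sizeof(outbuf) + 1];` and `!TEST_int_le(RAND_priv_bytes(bigbuf, sizeof(bigbuf)), 0)`. The licence header also reads `(the >License>)` where the other new file in this patch uses double quotes.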
+++ b/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t @@ -23,7 +23,8 @@ use platform; plan skip_all => "Test is disabled on NonStop" if config('target') =~ m|^nonstop|; # MacOS arranges symbol names differently plan skip_all => "Test is disabled on MacOS" if config('target') =~ m|^darwin|; -plan skip_all => "Test is disabled on MinGW" if config('target') =~ m|^mingw|; +plan skip_all => "This is unsupported on MSYS, MinGW or MSWin32" + if $^O eq 'msys' or $^O eq 'MSWin32' or config('target') =~ m|^mingw|; plan skip_all => "Only useful when building shared libraries" if disabled("shared"); @@ -48,12 +49,12 @@ foreach my $libname (@libnames) { *OSTDOUT = *STDOUT; open STDERR, ">", devnull(); open STDOUT, ">", devnull(); - my @nm_lines = map { s|\R$||; $_ } `nm -Pg $shlibpath 2> /dev/null`; + my @nm_lines = map { s|\R$||; $_ } `nm -DPg $shlibpath 2> /dev/null`; close STDERR; close STDOUT; *STDERR = *OSTDERR; *STDOUT = *OSTDOUT; - skip "Can't run 'nm -Pg $shlibpath' => $?... ignoring", 2 + skip "Can't run 'nm -DPg $shlibpath' => $?... ignoring", 2 unless $? == 0; my $bldtop = bldtop_dir(); @@ -69,7 +70,17 @@ foreach my $libname (@libnames) { note "Number of lines in \@def_lines before massaging: ", scalar @def_lines; # Massage the nm output to only contain defined symbols - @nm_lines = sort map { s| .*||; $_ } grep(m|.* [BCDST] .*|, @nm_lines); + @nm_lines = + sort + map { + # Drop the first space and everything following it + s| .*||; + # Drop OpenSSL dynamic version information if there is any + s|\@\@OPENSSL_[0-9._]+[a-z]?$||; + # Return the result + $_ + } + grep(m|.* [BCDST] .*|, @nm_lines); # Massage the mkdef.pl output to only contain global symbols # The output we got is in Unix .map format, which has a global diff --git a/deps/openssl/openssl/test/recipes/02-test_errstr.t b/deps/openssl/openssl/test/recipes/02-test_errstr.t index 9427601292d830..396d2731761cda 100644 --- a/deps/openssl/openssl/test/recipes/02-test_errstr.t 
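Review bot: The backtick call `nm -DPg $shlibpath 2> /dev/null` interpolates the library path into a shell command line, so a build directory containing spaces or shell metacharacters breaks the command or changes what the shell runs. A list-form pipe open passes the path as a single argument without a shell: `open(my $nm, '-|', 'nm', '-DPg', $shlibpath)`, then read `<$nm>` and `close $nm`, which still sets `$?` for the skip check. STDERR is already redirected to devnull() just above, so the `2> /dev/null` is redundant either way. The surrounding foreach body starts and ends outside these hunks.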
+++ b/deps/openssl/openssl/test/recipes/02-test_errstr.t @@ -139,7 +139,7 @@ sub match_opensslerr_reason { $reason =~ s|\R$||; $reason = ( split_error($reason) )[3]; - return match_any($reason, $errcode, @strings); + return match_any($reason, $errcode_hex, @strings); } sub match_syserr_reason { diff --git a/deps/openssl/openssl/test/recipes/04-test_provider_pkey.t b/deps/openssl/openssl/test/recipes/04-test_provider_pkey.t new file mode 100644 index 00000000000000..f593ac5725020b --- /dev/null +++ b/deps/openssl/openssl/test/recipes/04-test_provider_pkey.t @@ -0,0 +1,18 @@ +#! /usr/bin/env perl +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use File::Spec; +use OpenSSL::Test::Simple; + +# We must ensure that OPENSSL_CONF points at an empty file. Otherwise, we +# risk that the configuration file contains statements that load providers, +# which defeats the purpose of this test. The NUL device is good enough. +$ENV{OPENSSL_CONF} = File::Spec->devnull(); + +simple_test("test_provider_pkey", "provider_pkey_test"); diff --git a/deps/openssl/openssl/test/recipes/05-test_rand.t b/deps/openssl/openssl/test/recipes/05-test_rand.t index 750b1a28e81c0b..4da1e64cb6da0f 100644 --- a/deps/openssl/openssl/test/recipes/05-test_rand.t +++ b/deps/openssl/openssl/test/recipes/05-test_rand.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
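Review bot: The new recipe 04-test_provider_pkey.t enables `use strict;` but not `use warnings;`, unlike 05-test_rand.t and 30-test_engine.t in this same patch. Adding `use warnings;` directly after `use strict;` would surface an undefined value or a typo in the `$ENV{OPENSSL_CONF}` setup rather than letting it pass silently.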
@@ -11,8 +11,9 @@ use warnings; use OpenSSL::Test; use OpenSSL::Test::Utils; -plan tests => 2; +plan tests => 3; setup("test_rand"); +ok(run(test(["rand_test"]))); ok(run(test(["drbgtest"]))); ok(run(test(["rand_status_test"]))); diff --git a/deps/openssl/openssl/test/recipes/15-test_rsa.t b/deps/openssl/openssl/test/recipes/15-test_rsa.t index 301368b69bfa74..420a57f8c10d56 100644 --- a/deps/openssl/openssl/test/recipes/15-test_rsa.t +++ b/deps/openssl/openssl/test/recipes/15-test_rsa.t @@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; setup("test_rsa"); -plan tests => 10; +plan tests => 12; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -32,7 +32,7 @@ sub run_rsa_tests { ok(run(app([ 'openssl', $cmd, '-check', '-in', srctop_file('test', 'testrsa.pem'), '-noout'])), "$cmd -check" ); - SKIP: { + SKIP: { skip "Skipping $cmd conversion test", 3 if disabled("rsa"); @@ -47,7 +47,7 @@ sub run_rsa_tests { }; } - SKIP: { + SKIP: { skip "Skipping msblob conversion test", 1 if disabled($cmd) || $cmd eq 'pkey'; @@ -57,4 +57,18 @@ sub run_rsa_tests { -args => ["rsa", "-pubin", "-pubout"] ); }; } + SKIP: { + skip "Skipping PVK conversion test", 1 + if disabled($cmd) || $cmd eq 'pkey' || disabled("rc4") + || disabled ("legacy"); + + subtest "$cmd conversions -- private key" => sub { + tconversion( -type => 'pvk', -prefix => "$cmd-pvk", + -in => srctop_file("test", "testrsa.pem"), + -args => ["rsa", "-passin", "pass:testpass", + "-passout", "pass:testpass", + "-provider", "default", + "-provider", "legacy"] ); + }; + } } diff --git a/deps/openssl/openssl/test/recipes/20-test_dgst.t b/deps/openssl/openssl/test/recipes/20-test_dgst.t index 5af74aec2acc2d..e72038d8529f68 100644 --- a/deps/openssl/openssl/test/recipes/20-test_dgst.t +++ b/deps/openssl/openssl/test/recipes/20-test_dgst.t 
@@ -12,12 +12,12 @@ use warnings; use File::Spec; use File::Basename; -use OpenSSL::Test qw/:DEFAULT with srctop_file/; +use OpenSSL::Test qw/:DEFAULT with srctop_file bldtop_file/; use OpenSSL::Test::Utils; setup("test_dgst"); -plan tests => 9; +plan tests => 10; sub tsignverify { my $testtext = shift; @@ -103,6 +103,25 @@ SKIP: { }; } +SKIP: { + skip "dgst with engine is not supported by this OpenSSL build", 1 + if disabled("engine") || disabled("dynamic-engine"); + + subtest "SHA1 generation by engine with `dgst` CLI" => sub { + plan tests => 1; + + my $testdata = srctop_file('test', 'data.bin'); + # intentionally using -engine twice, please do not remove the duplicate line + my @macdata = run(app(['openssl', 'dgst', '-sha1', + '-engine', $^O eq 'linux' ? bldtop_file("engines", "ossltest.so") : "ossltest", + '-engine', $^O eq 'linux' ? bldtop_file("engines", "ossltest.so") : "ossltest", + $testdata]), capture => 1); + chomp(@macdata); + my $expected = qr/SHA1\(\Q$testdata\E\)= 000102030405060708090a0b0c0d0e0f10111213/; + ok($macdata[0] =~ $expected, "SHA1: Check HASH value is as expected ($macdata[0]) vs ($expected)"); + } +} + subtest "HMAC generation with `dgst` CLI" => sub { plan tests => 2; diff --git a/deps/openssl/openssl/test/recipes/25-test_req.t b/deps/openssl/openssl/test/recipes/25-test_req.t index a405810ae20a9b..235b53c61c8602 100644 --- a/deps/openssl/openssl/test/recipes/25-test_req.t +++ b/deps/openssl/openssl/test/recipes/25-test_req.t @@ -433,7 +433,7 @@ cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID $cert = "self-signed_v3_CA_both_KIDs.pem"; generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash", - "-addext", "authorityKeyIdentifier = keyid"); + "-addext", "authorityKeyIdentifier = keyid:always"); cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID strict_verify($cert, 1); 
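Review bot: The `$expected` pattern in the new engine subtest is unanchored, so the check passes for any first output line that merely contains the expected text, including a digest followed by extra hex digits. Assuming the first captured line is exactly the digest line, anchoring it as `qr/\ASHA1\(\Q$testdata\E\)= 000102030405060708090a0b0c0d0e0f10111213\z/` makes the comparison exact. The `-engine` option is intentionally given twice, but its path expression need not be. Computing it once into `my $engine` and passing `'-engine', $engine` twice keeps the deliberate duplicate without repeating the ternary.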
diff --git a/deps/openssl/openssl/test/recipes/25-test_verify.t b/deps/openssl/openssl/test/recipes/25-test_verify.t index bcd823bcfb0aed..700bbd849c9539 100644 --- a/deps/openssl/openssl/test/recipes/25-test_verify.t +++ b/deps/openssl/openssl/test/recipes/25-test_verify.t @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 159; +plan tests => 160; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -337,6 +337,9 @@ ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), "Name Constraints CNs permitted"); +ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CNs permitted - no SAN extension"); + ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), "Name Constraints CNs not permitted"); diff --git a/deps/openssl/openssl/test/recipes/30-test_engine.t b/deps/openssl/openssl/test/recipes/30-test_engine.t index 57a2479b04267a..d66c8b60c8782f 100644 --- a/deps/openssl/openssl/test/recipes/30-test_engine.t +++ b/deps/openssl/openssl/test/recipes/30-test_engine.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -10,13 +10,16 @@ use strict; use warnings; -use OpenSSL::Test; +use OpenSSL::Test qw/:DEFAULT srctop_file/; use OpenSSL::Test::Utils; setup("test_engine"); +my @path = qw(test certs); + plan skip_all => "engines are deprecated" if disabled('deprecated-3.0'); plan tests => 1; -ok(run(test(["enginetest"])), "running enginetest"); +ok(run(test(["enginetest", srctop_file(@path, "root-cert.pem")])), + "running enginetest"); 
diff --git a/deps/openssl/openssl/test/recipes/80-test_cmp_http.t b/deps/openssl/openssl/test/recipes/80-test_cmp_http.t index 7bd95337e83f15..92f11e8ac8a53c 100644 --- a/deps/openssl/openssl/test/recipes/80-test_cmp_http.t +++ b/deps/openssl/openssl/test/recipes/80-test_cmp_http.t @@ -42,8 +42,8 @@ sub chop_dblquot { # chop any leading and trailing '"' (needed for Windows) return $str; } -my $proxy = ""; -$proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // $proxy); +my $proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // ""); +$proxy = "" if $proxy eq ""; $proxy =~ s{^https?://}{}i; my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY}; diff --git a/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/Mock/server.cnf b/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/Mock/server.cnf index 633dc9230b553f..774b34a7f513f1 100644 --- a/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/Mock/server.cnf +++ b/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/Mock/server.cnf @@ -12,3 +12,5 @@ srv_trusted = signer_root.crt rsp_cert = signer_only.crt rsp_capubs = signer_root.crt rsp_extracerts = signer_issuing.crt + +verbosity = 7 diff --git a/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/test_commands.csv b/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/test_commands.csv index 0bf1111a6c23d8..7395b427919531 100644 --- a/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/deps/openssl/openssl/test/recipes/80-test_cmp_http_data/test_commands.csv 
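Review bot: As shown in this hunk, `$proxy = "" if $proxy eq "";` assigns the value it has just tested for and therefore does nothing. Either a placeholder string was intended on the right-hand side and has been lost, or the statement can be dropped. Whichever it is, a short comment next to it should state the intent. Only the tail of chop_dblquot() is visible here, so what it returns for the empty default cannot be confirmed from this hunk.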
@@ -53,3 +53,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 0,geninfo bad syntax: missing ':', -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3:int987,,,, 0,geninfo bad syntax: double ':', -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3:int::987,,,, 0,geninfo bad syntax: missing ':int', -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3,,,, +,,,,,,,,,,,,,,,,,,, +1,reqout+rspout, -section,, -cmd,ir,,-reqout,_RESULT_DIR/req1.der _RESULT_DIR/req2.der,,-rspout,_RESULT_DIR/rsp1.der _RESULT_DIR/rsp2.der,,BLANK,,BLANK, +1,reqin, -section,, -cmd,ir,,-reqin,_RESULT_DIR/req1.der _RESULT_DIR/req2.der,,BLANK,,,BLANK,,BLANK, +1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/rsp1.der _RESULT_DIR/rsp2.der,,BLANK,,BLANK, diff --git a/deps/openssl/openssl/test/recipes/80-test_dane.t b/deps/openssl/openssl/test/recipes/80-test_dane.t index 7c415aa9e25477..3191f964dc16c7 100644 --- a/deps/openssl/openssl/test/recipes/80-test_dane.t +++ b/deps/openssl/openssl/test/recipes/80-test_dane.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -17,8 +17,12 @@ setup("test_dane"); plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build" if disabled("ec"); -plan tests => 1; # The number of tests being performed +plan tests => 2; # The number of tests being performed ok(run(test(["danetest", "example.com", srctop_file("test", "danetest.pem"), srctop_file("test", "danetest.in")])), "dane tests"); + +ok(run(test(["danetest", "server.example", + srctop_file("test", "certs", "cross-root.pem"), + srctop_file("test", "dane-cross.in")])), "dane cross CA test"); diff --git a/deps/openssl/openssl/test/recipes/90-test_fipsload.t b/deps/openssl/openssl/test/recipes/90-test_fipsload.t index 9aa39da0e4b921..7537e2cb75ff03 100644 --- a/deps/openssl/openssl/test/recipes/90-test_fipsload.t +++ b/deps/openssl/openssl/test/recipes/90-test_fipsload.t @@ -6,7 +6,7 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir/; +use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/; use OpenSSL::Test::Utils; BEGIN { @@ -25,7 +25,7 @@ plan skip_all => 'Test is disabled in an address sanitizer build' unless disable plan tests => 1; -my $fips = bldtop_dir('providers', platform->dso('fips')); +my $fips = bldtop_file('providers', platform->dso('fips')); ok(run(test(['moduleloadtest', $fips, 'OSSL_provider_init'])), "trying to load $fips in its own"); diff --git a/deps/openssl/openssl/test/recipes/tconversion.pl b/deps/openssl/openssl/test/recipes/tconversion.pl index 87b037b34d1954..78be03178c323e 100644 --- a/deps/openssl/openssl/test/recipes/tconversion.pl +++ b/deps/openssl/openssl/test/recipes/tconversion.pl @@ -19,6 +19,7 @@ # specific test types as key. "*" => [ "d", "p" ], "msb" => [ "d", "p", "msblob" ], + "pvk" => [ "d", "p", "pvk" ], ); sub tconversion { my %opts = @_; 
@@ -45,8 +46,9 @@ sub tconversion { + $n # initial conversions from p to all forms (A) + $n*$n # conversion from result of A to all forms (B) + 1 # comparing original test file to p form of A - + $n*($n-1); # comparing first conversion to each fom in A with B + + $n*($n-1); # comparing first conversion to each form in A with B $totaltests-- if ($testtype eq "p7d"); # no comparison of original test file + $totaltests -= $n if ($testtype eq "pvk"); # no comparisons of the pvk form plan tests => $totaltests; my @cmd = ("openssl", @openssl_args); @@ -91,7 +93,7 @@ sub tconversion { } foreach my $to (@conversionforms) { - next if $to eq "d"; + next if $to eq "d" or $to eq "pvk"; foreach my $from (@conversionforms) { is(cmp_text("$prefix-f.$to", "$prefix-ff.$from$to"), 0, "comparing $to to $from$to"); diff --git a/deps/openssl/openssl/test/sm2_internal_test.c b/deps/openssl/openssl/test/sm2_internal_test.c index 22d23b6c5c7e42..4899d5e21313c1 100644 --- a/deps/openssl/openssl/test/sm2_internal_test.c +++ b/deps/openssl/openssl/test/sm2_internal_test.c @@ -209,6 +209,7 @@ static int test_sm2_crypt(const EC_GROUP *group, static int sm2_crypt_test(void) { int testresult = 0; + EC_GROUP *gm_group = NULL; EC_GROUP *test_group = create_EC_group ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", 
@@ -251,9 +252,49 @@ static int sm2_crypt_test(void) "88E3C5AAFC0413229E6C9AEE2BB92CAD649FE2C035689785DA33")) goto done; + /* From Annex C in both GM/T0003.5-2012 and GB/T 32918.5-2016.*/ + gm_group = create_EC_group( + "fffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff", + "fffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc", + "28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93", + "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", + "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", + "fffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123", + "1"); + + if (!TEST_ptr(gm_group)) + goto done; + + if (!test_sm2_crypt( + gm_group, + EVP_sm3(), + /* privkey (from which the encrypting public key is derived) */ + "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8", + /* plaintext message */ + "encryption standard", + /* ephemeral nonce k */ + "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21", + /* + * expected ciphertext, the field values are from GM/T 0003.5-2012 + * (Annex C), but serialized following the ASN.1 format specified + * in GM/T 0009-2012 (Sec. 7.2). + */ + "307C" /* SEQUENCE, 0x7c bytes */ + "0220" /* INTEGER, 0x20 bytes */ + "04EBFC718E8D1798620432268E77FEB6415E2EDE0E073C0F4F640ECD2E149A73" + "0221" /* INTEGER, 0x21 bytes */ + "00" /* leading 00 due to DER for pos. int with topmost bit set */ + "E858F9D81E5430A57B36DAAB8F950A3C64E6EE6A63094D99283AFF767E124DF0" + "0420" /* OCTET STRING, 0x20 bytes */ + "59983C18F809E262923C53AEC295D30383B54E39D609D160AFCB1908D0BD8766" + "0413" /* OCTET STRING, 0x13 bytes */ + "21886CA989CA9C7D58087307CA93092D651EFA")) + goto done; + testresult = 1; done: EC_GROUP_free(test_group); + EC_GROUP_free(gm_group); return testresult; } diff --git a/deps/openssl/openssl/test/ssl-tests/01-simple.cnf b/deps/openssl/openssl/test/ssl-tests/01-simple.cnf index 7fc23f0b69d493..dfdd3ee3378d6a 100644 
--- a/deps/openssl/openssl/test/ssl-tests/01-simple.cnf +++ b/deps/openssl/openssl/test/ssl-tests/01-simple.cnf @@ -1,10 +1,11 @@ # Generated with generate_ssl_tests.pl -num_tests = 3 +num_tests = 4 test-0 = 0-default test-1 = 1-Server signature algorithms bug test-2 = 2-verify-cert +test-3 = 3-name-constraints-no-san-in-ee # =========================================================== [0-default] @@ -76,3 +77,26 @@ ExpectedClientAlert = UnknownCA ExpectedResult = ClientFail +# =========================================================== + +[3-name-constraints-no-san-in-ee] +ssl_conf = 3-name-constraints-no-san-in-ee-ssl + +[3-name-constraints-no-san-in-ee-ssl] +server = 3-name-constraints-no-san-in-ee-server +client = 3-name-constraints-no-san-in-ee-client + +[3-name-constraints-no-san-in-ee-server] +Certificate = ${ENV::TEST_CERTS_DIR}/goodcn2-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/goodcn2-key.pem + +[3-name-constraints-no-san-in-ee-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success + + diff --git a/deps/openssl/openssl/test/ssl-tests/01-simple.cnf.in b/deps/openssl/openssl/test/ssl-tests/01-simple.cnf.in index 645b11382cd7a5..bcd41e3065be3e 100644 --- a/deps/openssl/openssl/test/ssl-tests/01-simple.cnf.in +++ b/deps/openssl/openssl/test/ssl-tests/01-simple.cnf.in @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -39,4 +39,16 @@ our @tests = ( "ExpectedClientAlert" => "UnknownCA", }, }, + + { + name => "name-constraints-no-san-in-ee", + server => { + "Certificate" => test_pem("goodcn2-chain.pem"), + "PrivateKey" => test_pem("goodcn2-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("root-cert.pem"), + }, + test => { "ExpectedResult" => "Success" }, + }, ); diff --git a/deps/openssl/openssl/test/ssl_old_test.c b/deps/openssl/openssl/test/ssl_old_test.c index 60a275a014a221..6a206d595e3691 100644 --- a/deps/openssl/openssl/test/ssl_old_test.c +++ b/deps/openssl/openssl/test/ssl_old_test.c @@ -829,12 +829,14 @@ static SSL_SESSION *read_session(const char *filename) static int write_session(const char *filename, SSL_SESSION *sess) { - BIO *f = BIO_new_file(filename, "w"); + BIO *f; if (sess == NULL) { BIO_printf(bio_err, "No session information\n"); return 0; } + + f = BIO_new_file(filename, "w"); if (f == NULL) { BIO_printf(bio_err, "Can't open session file %s\n", filename); ERR_print_errors(bio_err); @@ -1894,9 +1896,9 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt)); client = BIO_new_connect(addr_str); - BIO_set_conn_ip_family(client, family); if (!client) goto err; + BIO_set_conn_ip_family(client, family); if (BIO_set_nbio(client, 1) <= 0) goto err; diff --git a/deps/openssl/openssl/test/sslapitest.c b/deps/openssl/openssl/test/sslapitest.c index 1a3ce939f22867..c760f04f228894 100644 --- a/deps/openssl/openssl/test/sslapitest.c +++ b/deps/openssl/openssl/test/sslapitest.c @@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), @@ -1327,7 +1337,7 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) goto end; } - if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0))) + if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0)) goto end; out = BIO_new_file(tmpfilename, "wb"); @@ -5534,6 +5544,11 @@ static int sni_cb(SSL *s, int *al, void *arg) return SSL_TLSEXT_ERR_OK; } +static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) +{ + return 1; +} + /* * Custom call back tests. * Test 0: Old style callbacks in TLSv1.2 @@ -5541,6 +5556,7 @@ static int sni_cb(SSL *s, int *al, void *arg) * Test 2: New style callbacks in TLSv1.2 with SNI * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST + * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert */ static int test_custom_exts(int tst) { @@ -5582,7 +5598,19 @@ static int test_custom_exts(int tst) SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3); } - if (tst == 4) { + if (tst == 5) { + context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST + | SSL_EXT_TLS1_3_CERTIFICATE; + SSL_CTX_set_verify(sctx, + SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + verify_cb); + if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert, + SSL_FILETYPE_PEM), 1) + || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey, + SSL_FILETYPE_PEM), 1) + || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1)) + goto end; + } else if (tst == 4) { context = SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO 
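Review bot: The `verify_cb` added ahead of `test_custom_exts` returns 1 without looking at `preverify_ok`, so the `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` setting in the new `tst == 5` branch only requires that the client presents a certificate, not that it chains to a trusted root. That is sufficient for exercising the CertificateRequest/Certificate extension callbacks, but nothing on the helper says the bypass is deliberate, and it appears to be shared with the client-certificate test it is moved away from in a later hunk. I would add `/* Test-only: accepts any peer certificate; chain validation is deliberately bypassed. */` above `verify_cb`. `test_custom_exts` starts and ends outside these hunks.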
@@ -5678,6 +5706,12 @@ static int test_custom_exts(int tst) || (tst != 2 && snicb != 0) || (tst == 2 && snicb != 1)) goto end; + } else if (tst == 5) { + if (clntaddnewcb != 1 + || clntparsenewcb != 1 + || srvaddnewcb != 1 + || srvparsenewcb != 1) + goto end; } else { /* In this case there 2 NewSessionTicket messages created */ if (clntaddnewcb != 1 @@ -5694,8 +5728,8 @@ static int test_custom_exts(int tst) SSL_free(clientssl); serverssl = clientssl = NULL; - if (tst == 3) { - /* We don't bother with the resumption aspects for this test */ + if (tst == 3 || tst == 5) { + /* We don't bother with the resumption aspects for these tests */ testresult = 1; goto end; } @@ -6752,7 +6786,7 @@ static int create_new_vfile(char *userid, char *password, const char *filename) row = NULL; - if (!TXT_DB_write(out, db)) + if (TXT_DB_write(out, db) <= 0) goto end; ret = 1; @@ -7944,7 +7978,7 @@ static int cert_cb(SSL *s, void *arg) if (!TEST_ptr(chain)) goto out; if (!TEST_ptr(in = BIO_new(BIO_s_file())) - || !TEST_int_ge(BIO_read_filename(in, rootfile), 0) + || !TEST_int_gt(BIO_read_filename(in, rootfile), 0) || !TEST_ptr(rootx = X509_new_ex(libctx, NULL)) || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL)) || !TEST_true(sk_X509_push(chain, rootx))) @@ -7952,13 +7986,13 @@ static int cert_cb(SSL *s, void *arg) rootx = NULL; BIO_free(in); if (!TEST_ptr(in = BIO_new(BIO_s_file())) - || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0) + || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0) || !TEST_ptr(x509 = X509_new_ex(libctx, NULL)) || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL))) goto out; BIO_free(in); if (!TEST_ptr(in = BIO_new(BIO_s_file())) - || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0) + || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0) || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL, NULL, NULL, libctx, NULL))) 
@@ -8124,11 +8158,6 @@ static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) return 0; } -static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) -{ - return 1; -} - static int test_client_cert_cb(int tst) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -8985,7 +9014,7 @@ static EVP_PKEY *get_tmp_dh_params(void) pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL); if (!TEST_ptr(pctx) - || !TEST_true(EVP_PKEY_fromdata_init(pctx))) + || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1)) goto end; tmpl = OSSL_PARAM_BLD_new(); @@ -9000,8 +9029,9 @@ static EVP_PKEY *get_tmp_dh_params(void) params = OSSL_PARAM_BLD_to_param(tmpl); if (!TEST_ptr(params) - || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, - EVP_PKEY_KEY_PARAMETERS, params))) + || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey, + EVP_PKEY_KEY_PARAMETERS, + params), 1)) goto end; tmp_dh_params = dhpkey; @@ -9532,8 +9562,8 @@ static int test_quic_api_version(int clnt, int srvr) || !TEST_true(SSL_set_app_data(clientssl, serverssl)) || !TEST_true(test_quic_api_set_versions(clientssl, clnt)) || !TEST_true(test_quic_api_set_versions(serverssl, srvr)) - || !TEST_true(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE)) + || !TEST_true(create_bare_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE, 0)) || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION) || !TEST_true(SSL_version(clientssl) == TLS1_3_VERSION) || !(TEST_int_eq(SSL_quic_read_level(clientssl), ssl_encryption_application)) @@ -9737,8 +9767,8 @@ static int quic_setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, if (sess == NULL) return 1; - if (!TEST_true(create_ssl_connection(*serverssl, *clientssl, - SSL_ERROR_NONE))) + if (!TEST_true(create_bare_ssl_connection(*serverssl, *clientssl, + SSL_ERROR_NONE, 0))) return 0; /* Deal with two NewSessionTickets */ 
@@ -9782,7 +9812,7 @@ static int test_quic_early_data(int tst) &serverssl, &sess, tst))) goto end; - if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) + if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE, 0)) || !TEST_true(SSL_get_early_data_status(serverssl))) goto end; @@ -10008,7 +10038,7 @@ int setup_tests(void) /* Test with only TLSv1.3 versions */ ADD_ALL_TESTS(test_key_exchange, 12); # endif - ADD_ALL_TESTS(test_custom_exts, 5); + ADD_ALL_TESTS(test_custom_exts, 6); ADD_TEST(test_stateless); ADD_TEST(test_pha_key_update); #else diff --git a/deps/openssl/openssl/test/testutil/tests.c b/deps/openssl/openssl/test/testutil/tests.c index cb3f77f14a1b07..ef7e224cd119c3 100644 --- a/deps/openssl/openssl/test/testutil/tests.c +++ b/deps/openssl/openssl/test/testutil/tests.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -417,8 +417,8 @@ int test_BN_eq_word(const char *file, int line, const char *bns, const char *ws, if (a != NULL && BN_is_word(a, w)) return 1; - bw = BN_new(); - BN_set_word(bw, w); + if ((bw = BN_new()) != NULL) + BN_set_word(bw, w); test_fail_bignum_message(NULL, file, line, "BIGNUM", bns, ws, "==", a, bw); BN_free(bw); return 0; @@ -431,10 +431,10 @@ int test_BN_abs_eq_word(const char *file, int line, const char *bns, if (a != NULL && BN_abs_is_word(a, w)) return 1; - bw = BN_new(); - aa = BN_dup(a); - BN_set_negative(aa, 0); - BN_set_word(bw, w); + if ((aa = BN_dup(a)) != NULL) + BN_set_negative(aa, 0); + if ((bw = BN_new()) != NULL) + BN_set_word(bw, w); test_fail_bignum_message(NULL, file, line, "BIGNUM", bns, ws, "abs==", aa, bw); BN_free(bw); 
diff --git a/deps/openssl/openssl/test/testutil/testutil_init.c b/deps/openssl/openssl/test/testutil/testutil_init.c index a91b0e4ba351c1..87013694c29e47 100644 --- a/deps/openssl/openssl/test/testutil/testutil_init.c +++ b/deps/openssl/openssl/test/testutil/testutil_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -71,15 +71,18 @@ static void setup_trace_category(int category) { BIO *channel; tracedata *trace_data; + BIO *bio = NULL; if (OSSL_trace_enabled(category)) return; - channel = BIO_push(BIO_new(BIO_f_prefix()), + bio = BIO_new(BIO_f_prefix()); + channel = BIO_push(bio, BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT)); trace_data = OPENSSL_zalloc(sizeof(*trace_data)); if (trace_data == NULL + || bio == NULL || (trace_data->bio = channel) == NULL || OSSL_trace_set_callback(category, internal_trace_cb, trace_data) == 0 diff --git a/deps/openssl/openssl/test/threadstest.c b/deps/openssl/openssl/test/threadstest.c index 3160d9e334c603..b7e781fb6b1ee1 100644 --- a/deps/openssl/openssl/test/threadstest.c +++ b/deps/openssl/openssl/test/threadstest.c @@ -293,7 +293,7 @@ static void thread_shared_evp_pkey(void) char *msg = "Hello World"; unsigned char ctbuf[256]; unsigned char ptbuf[256]; - size_t ptlen = sizeof(ptbuf), ctlen = sizeof(ctbuf); + size_t ptlen, ctlen = sizeof(ctbuf); EVP_PKEY_CTX *ctx = NULL; int success = 0; int i; @@ -319,8 +319,9 @@ static void thread_shared_evp_pkey(void) if (!TEST_ptr(ctx)) goto err; + ptlen = sizeof(ptbuf); if (!TEST_int_ge(EVP_PKEY_decrypt_init(ctx), 0) - || !TEST_int_ge(EVP_PKEY_decrypt(ctx, ptbuf, &ptlen, ctbuf, ctlen), + || !TEST_int_gt(EVP_PKEY_decrypt(ctx, ptbuf, &ptlen, ctbuf, ctlen), 0) || !TEST_mem_eq(msg, strlen(msg), ptbuf, ptlen)) goto err; 
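Review bot: In the `thread_shared_evp_pkey` hunk of threadstest.c the decrypt call is now checked with `TEST_int_gt(..., 0)`, but the `EVP_PKEY_decrypt_init(ctx)` check on the line before it is still `TEST_int_ge(..., 0)`, which lets a return value of 0 pass. `EVP_PKEY_decrypt_init` returns 1 on success and 0 or a negative value on failure, so the init check should be tightened the same way: `if (!TEST_int_gt(EVP_PKEY_decrypt_init(ctx), 0)`. The function body continues outside the hunk.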
@@ -464,18 +465,20 @@ static int test_multi(int idx) return testresult; } +static char *multi_load_provider = "legacy"; /* * This test attempts to load several providers at the same time, and if * run with a thread sanitizer, should crash if the core provider code * doesn't synchronize well enough. */ -#define MULTI_LOAD_THREADS 3 +#define MULTI_LOAD_THREADS 10 static void test_multi_load_worker(void) { OSSL_PROVIDER *prov; - (void)TEST_ptr(prov = OSSL_PROVIDER_load(NULL, "default")); - (void)TEST_true(OSSL_PROVIDER_unload(prov)); + if (!TEST_ptr(prov = OSSL_PROVIDER_load(NULL, multi_load_provider)) + || !TEST_true(OSSL_PROVIDER_unload(prov))) + multi_success = 0; } static int test_multi_default(void) @@ -519,6 +522,7 @@ static int test_multi_load(void) { thread_t threads[MULTI_LOAD_THREADS]; int i, res = 1; + OSSL_PROVIDER *prov; /* The multidefault test must run prior to this test */ if (!multidefault_run) { @@ -526,13 +530,27 @@ static int test_multi_load(void) res = test_multi_default(); } + /* + * We use the legacy provider in test_multi_load_worker because it uses a + * child libctx that might hit more codepaths that might be sensitive to + * threading issues. But in a no-legacy build that won't be loadable so + * we use the default provider instead. + */ + prov = OSSL_PROVIDER_load(NULL, "legacy"); + if (prov == NULL) { + TEST_info("Cannot load legacy provider - assuming this is a no-legacy build"); + multi_load_provider = "default"; + } + OSSL_PROVIDER_unload(prov); + + multi_success = 1; for (i = 0; i < MULTI_LOAD_THREADS; i++) (void)TEST_true(run_thread(&threads[i], test_multi_load_worker)); for (i = 0; i < MULTI_LOAD_THREADS; i++) (void)TEST_true(wait_for_thread(threads[i])); - return res; + return res && multi_success; } typedef enum OPTION_choice { diff --git a/deps/openssl/openssl/test/tls-provider.c b/deps/openssl/openssl/test/tls-provider.c index f8eeaeb363b403..9ac1db51b3915a 100644 --- a/deps/openssl/openssl/test/tls-provider.c 
+++ b/deps/openssl/openssl/test/tls-provider.c @@ -813,7 +813,7 @@ unsigned int randomize_tls_group_id(OSSL_LIB_CTX *libctx) int i; retry: - if (!RAND_bytes_ex(libctx, (unsigned char *)&group_id, sizeof(group_id), 0)) + if (RAND_bytes_ex(libctx, (unsigned char *)&group_id, sizeof(group_id), 0) <= 0) return 0; /* * Ensure group_id is within the IANA Reserved for private use range diff --git a/deps/openssl/openssl/tools/c_rehash.in b/deps/openssl/openssl/tools/c_rehash.in index 54cad6138b7bcc..d51d8856d709cd 100644 --- a/deps/openssl/openssl/tools/c_rehash.in +++ b/deps/openssl/openssl/tools/c_rehash.in @@ -28,35 +28,35 @@ while ( $ARGV[0] =~ /^-/ ) { my $flag = shift @ARGV; last if ( $flag eq '--'); if ( $flag eq '-old') { - $x509hash = "-subject_hash_old"; - $crlhash = "-hash_old"; + $x509hash = "-subject_hash_old"; + $crlhash = "-hash_old"; } elsif ( $flag eq '-h' || $flag eq '-help' ) { - help(); + help(); } elsif ( $flag eq '-n' ) { - $removelinks = 0; + $removelinks = 0; } elsif ( $flag eq '-v' ) { - $verbose++; + $verbose++; } else { - print STDERR "Usage error; try -h.\n"; - exit 1; + print STDERR "Usage error; try -h.\n"; + exit 1; } } sub help { - print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n"; - print " -old use old-style digest\n"; - print " -h or -help print this help text\n"; - print " -v print files removed and linked\n"; - exit 0; + print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n"; + print " -old use old-style digest\n"; + print " -h or -help print this help text\n"; + print " -v print files removed and linked\n"; + exit 0; } eval "require Cwd"; if (defined(&Cwd::getcwd)) { - $pwd=Cwd::getcwd(); + $pwd=Cwd::getcwd(); } else { - $pwd=`pwd`; - chomp($pwd); + $pwd=`pwd`; + chomp($pwd); } # DOS/Win32 or Unix delimiter? Prefix our installdir, then search. 
@@ -64,92 +64,92 @@ my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; $ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); if (! -x $openssl) { - my $found = 0; - foreach (split /$path_delim/, $ENV{PATH}) { - if (-x "$_/$openssl") { - $found = 1; - $openssl = "$_/$openssl"; - last; - } - } - if ($found == 0) { - print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; - exit 0; - } + my $found = 0; + foreach (split /$path_delim/, $ENV{PATH}) { + if (-x "$_/$openssl") { + $found = 1; + $openssl = "$_/$openssl"; + last; + } + } + if ($found == 0) { + print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; + exit 0; + } } if (@ARGV) { - @dirlist = @ARGV; + @dirlist = @ARGV; } elsif ($ENV{SSL_CERT_DIR}) { - @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; + @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; } else { - $dirlist[0] = "$dir/certs"; + $dirlist[0] = "$dir/certs"; } if (-d $dirlist[0]) { - chdir $dirlist[0]; - $openssl="$pwd/$openssl" if (!-x $openssl); - chdir $pwd; + chdir $dirlist[0]; + $openssl="$pwd/$openssl" if (!-x $openssl); + chdir $pwd; } foreach (@dirlist) { - if (-d $_ ) { - if ( -w $_) { - hash_dir($_); - } else { - print "Skipping $_, can't write\n"; - $errorcount++; - } - } + if (-d $_ ) { + if ( -w $_) { + hash_dir($_); + } else { + print "Skipping $_, can't write\n"; + $errorcount++; + } + } } exit($errorcount); sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { - print "unlink $_" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. 
- my ($cert, $crl) = check_file($fname); - if (!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } + my %hashlist; + print "Doing $_[0]\n"; + chdir $_[0]; + opendir(DIR, "."); + my @flist = sort readdir(DIR); + closedir DIR; + if ( $removelinks ) { + # Delete any existing symbolic links + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { + if (-l $_) { + print "unlink $_" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; + } + } + } + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + # Check to see if certificates and/or CRLs present. + my ($cert, $crl) = check_file($fname); + if (!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); + } } sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while() { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if ($is_crl); - } elsif ($hdr eq "X509 CRL") { - $is_crl = 1; - last if ($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); + my ($is_cert, $is_crl) = (0,0); + my $fname = $_[0]; + open IN, $fname; + while() { + if (/^-----BEGIN (.*)-----/) { + my $hdr = $1; + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + $is_cert = 1; + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { + $is_crl = 1; + last if ($is_cert); + } + } + } + close IN; + return ($is_cert, $is_crl); } 
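Review bot: `check_file` still opens each directory entry with the two-argument form `open IN, $fname;` and does not check the result, so characters in a file name can select the open mode, and a failed open is later reported as "does not contain a certificate or CRL". A three-argument open on a lexical handle closes both gaps: `open(my $in, '<', $fname) or do { warn "can't open $fname, $!"; return (0, 0); };`, with the read loop and `close` switched to `$in`. The name filter in `hash_dir`, `/\.(pem)|(crt)|(cer)|(crl)$/`, is also looser than it reads because the alternation is not grouped; `/\.(?:pem|crt|cer|crl)$/` matches only the intended extensions. The hunk only re-indents these lines, so both predate this commit.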
@@ -160,72 +160,72 @@ sub check_file { # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/\"/\\\"/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; - if (open($in, "<", $fname)) { - if (open($out,">", $hash)) { - print $out $_ while (<$in>); - close $out; - } else { - warn "can't open $hash for write, $!"; - } - close $in; - } else { - warn "can't open $fname for read, $!"; - } - } - $hashlist{$hash} = $fprint; + my $fname = $_[0]; + $fname =~ s/\"/\\\"/g; + my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; + chomp $hash; + chomp $fprint; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + while(exists $hashlist{"$hash.$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.$suffix"} eq $fprint) { + print STDERR "WARNING: Skipping duplicate certificate $fname\n"; + return; + } + $suffix++; + } + $hash .= ".$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "copy $fname -> $hash\n" if $verbose; + if (open($in, "<", $fname)) { + if (open($out,">", $hash)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "can't open $hash for write, $!"; + } + close $in; + } else { + warn "can't 
open $fname for read, $!"; + } + } + $hashlist{$hash} = $fprint; } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "cp $fname -> $hash\n" if $verbose; - system ("cp", $fname, $hash); - warn "Can't copy, $!" if ($? >> 8) != 0; - } - $hashlist{$hash} = $fprint; + my $fname = $_[0]; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; + chomp $hash; + chomp $fprint; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + while(exists $hashlist{"$hash.r$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.r$suffix"} eq $fprint) { + print STDERR "WARNING: Skipping duplicate CRL $fname\n"; + return; + } + $suffix++; + } + $hash .= ".r$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "cp $fname -> $hash\n" if $verbose; + system ("cp", $fname, $hash); + warn "Can't copy, $!" if ($? >> 8) != 0; + } + $hashlist{$hash} = $fprint; } diff --git a/deps/openssl/openssl/util/missingcrypto.txt b/deps/openssl/openssl/util/missingcrypto.txt index f01b47162d892a..f883219f6c10f2 100644 --- a/deps/openssl/openssl/util/missingcrypto.txt 
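Review bot: `link_hash_cert` builds its command with backticks and an interpolated `$fname`, and the only escaping applied is `s/\"/\\\"/g`; inside shell double quotes other metacharacters in a file name are still interpreted, so a name that came from `readdir` reaches the shell as code rather than data. `link_hash_crl` wraps the name in single quotes and escapes `'`, which is the safer of the two, but neither call needs a shell at all. A list-form pipe open passes the name as one argument: `open(my $cmd, '-|', $openssl, 'x509', $x509hash, '-fingerprint', '-noout', '-in', $fname)` followed by `my ($hash, $fprint) = <$cmd>;` (list-form pipe opens are not available on every platform Perl runs on, so this needs checking against the supported targets). The `symlink $fname, $hash || warn "Can't symlink, $!";` lines also never warn, because `||` binds to `$hash`; `or` is what was meant.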
+++ b/deps/openssl/openssl/util/missingcrypto.txt @@ -1413,8 +1413,6 @@ b2i_PublicKey_bio(3) conf_ssl_get(3) conf_ssl_get_cmd(3) conf_ssl_name_find(3) -d2i_X509_bio(3) -d2i_X509_fp(3) err_free_strings_int(3) i2a_ACCESS_DESCRIPTION(3) i2a_ASN1_ENUMERATED(3) @@ -1423,8 +1421,6 @@ i2a_ASN1_OBJECT(3) i2a_ASN1_STRING(3) i2b_PrivateKey_bio(3) i2b_PublicKey_bio(3) -i2d_X509_bio(3) -i2d_X509_fp(3) i2o_ECPublicKey(3) i2v_ASN1_BIT_STRING(3) i2v_GENERAL_NAME(3) diff --git a/deps/openssl/openssl/util/missingcrypto111.txt b/deps/openssl/openssl/util/missingcrypto111.txt index 76dde23a3d55d5..0386701ad1e329 100644 --- a/deps/openssl/openssl/util/missingcrypto111.txt +++ b/deps/openssl/openssl/util/missingcrypto111.txt @@ -1713,8 +1713,6 @@ b2i_PublicKey_bio(3) conf_ssl_get(3) conf_ssl_get_cmd(3) conf_ssl_name_find(3) -d2i_X509_bio(3) -d2i_X509_fp(3) err_free_strings_int(3) i2a_ACCESS_DESCRIPTION(3) i2a_ASN1_ENUMERATED(3) @@ -1726,8 +1724,6 @@ i2b_PrivateKey_bio(3) i2b_PublicKey_bio(3) i2d_PrivateKey_bio(3) i2d_PrivateKey_fp(3) -i2d_X509_bio(3) -i2d_X509_fp(3) i2o_ECPublicKey(3) i2s_ASN1_ENUMERATED(3) i2s_ASN1_ENUMERATED_TABLE(3) diff --git a/deps/openssl/openssl/util/mkpod2html.pl b/deps/openssl/openssl/util/mkpod2html.pl index 2df4b22b412c20..cc2ab9d32a61ee 100755 --- a/deps/openssl/openssl/util/mkpod2html.pl +++ b/deps/openssl/openssl/util/mkpod2html.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,7 @@ use lib "."; use Getopt::Std; use Pod::Html; +use File::Spec::Functions qw(:DEFAULT rel2abs); # Options. our($opt_i); # -i INFILE 
@@ -25,6 +26,14 @@ die "-t flag missing" unless $opt_t; die "-r flag missing" unless $opt_r; +# We originally used realpath() here, but the Windows implementation appears +# to require that the directory or file exist to be able to process the input, +# so we use rel2abs() instead, which only processes the string without +# looking further. +$opt_i = rel2abs($opt_i) or die "Can't convert to real path: $!"; +$opt_o = rel2abs($opt_o) or die "Can't convert to real path: $!"; +$opt_r = rel2abs($opt_r) or die "Can't convert to real path: $!"; + pod2html "--infile=$opt_i", "--outfile=$opt_o", diff --git a/deps/openssl/openssl/util/other.syms b/deps/openssl/openssl/util/other.syms index df1a6c7c289220..e1af8deef94354 100644 --- a/deps/openssl/openssl/util/other.syms +++ b/deps/openssl/openssl/util/other.syms @@ -51,6 +51,7 @@ EVP_PKEY_METHOD datatype EVP_PKEY_ASN1_METHOD datatype EVP_RAND datatype EVP_RAND_CTX datatype +EVP_SIGNATURE datatype GEN_SESSION_CB datatype OPENSSL_Applink external OSSL_LIB_CTX datatype diff --git a/deps/openssl/openssl/util/perl/OpenSSL/Ordinals.pm b/deps/openssl/openssl/util/perl/OpenSSL/Ordinals.pm index fa2302032f754c..f6c63d14c471fa 100644 --- a/deps/openssl/openssl/util/perl/OpenSSL/Ordinals.pm +++ b/deps/openssl/openssl/util/perl/OpenSSL/Ordinals.pm @@ -623,10 +623,6 @@ sub set_version { my $version = shift // '*'; my $baseversion = shift // '*'; - $version =~ s|-.*||g; - # Remove anything past the '+' (i.e. BUILD_METADATA from VERSION.dat) - $version =~ s|\+.*||g; - if ($baseversion eq '*') { $baseversion = $version; if ($baseversion ne '*') { diff --git a/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm b/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm index ee127e88c80f19..e3cfe078276318 100644 --- a/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm +++ b/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm 
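Review bot: The three added `rel2abs(...) or die "Can't convert to real path: $!"` lines in mkpod2html.pl report `$!`, but `rel2abs` only processes the string, as the comment above them says, so it does not set `$!` and the message would show a stale or empty error. It also does not resolve symlinks or `..` components, so "real path" overstates what the result is. I would drop `$!` and reword, e.g. `$opt_i = rel2abs($opt_i) or die "-i: cannot make path absolute";`, and likewise for `$opt_o` and `$opt_r`.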
@@ -610,6 +610,12 @@ EOF }, }, + # OpenSSL's declaration of externs with possible export linkage + # (really only relevant on Windows) + { regexp => qr/OPENSSL_(?:EXPORT|EXTERN)/, + massager => sub { return ("extern"); } + }, + # Spurious stuff found in the OpenSSL headers # Usually, these are just macros that expand to, well, something { regexp => qr/__NDK_FPABI__/,