Index: /trunk/src/libs/openssl-3.1.7/Config.kmk =================================================================== --- /trunk/src/libs/openssl-3.1.7/Config.kmk (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/Config.kmk (revision 105949) @@ -56,5 +56,5 @@ VBOX_PATH_CRYPTO_DES := $(VBOX_PATH_CRYPTO)/des VBOX_PATH_CRYPTO_CAMELLIA := $(VBOX_PATH_CRYPTO)/camellia -VBOX_INST_CRYPTO_HEADERS := obj/$(if-expr "$(CURSUBDIR)" == ".",,$(CURSUBDIR)/)crypto-3.1.5-headers/include/openssl/ +VBOX_INST_CRYPTO_HEADERS := obj/$(if-expr "$(CURSUBDIR)" == ".",,$(CURSUBDIR)/)crypto-3.1.7-headers/include/openssl/ VBOX_PATH_CRYPTO_HEADERS := $(abspath $(PATH_OUT))/$(patsubst %/,%,$(VBOX_INST_CRYPTO_HEADERS)) VBOX_PATH_CRYPTO_PROVIDERS := $(VBOX_PATH_OPENSSL)/providers Index: /trunk/src/libs/openssl-3.1.7/NOTES-NONSTOP.md =================================================================== --- /trunk/src/libs/openssl-3.1.7/NOTES-NONSTOP.md (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/NOTES-NONSTOP.md (revision 105949) @@ -57,8 +57,5 @@ components. -It is possible to configure the build with `no-atexit` to avoid the SIGSEGV. -Preferably, you can explicitly call `OPENSSL_cleanup()` from your application. -It is not mandatory as it just deallocates various global data structures -OpenSSL allocated. +A resolution to this situation is under investigation. About Prefix and OpenSSLDir Index: /trunk/src/libs/openssl-3.1.7/crypto/aes/asm/aesp8-ppc.pl =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/aes/asm/aesp8-ppc.pl (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/aes/asm/aesp8-ppc.pl (revision 105949) @@ -1,4 +1,4 @@ #! /usr/bin/env perl -# Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -100,10 +100,9 @@ .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev .long 0,0,0,0 ?asis -.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe Lconsts: mflr r0 bcl 20,31,\$+4 mflr $ptr #vvvvv "distance between . and rcon - addi $ptr,$ptr,-0x58 + addi $ptr,$ptr,-0x48 mtlr r0 blr @@ -2407,5 +2406,5 @@ my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); $x00=0 if ($flavour =~ /osx/); -my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); +my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); @@ -2462,16 +2461,4 @@ mtspr 256,r0 - # Reverse eighty7 to 0x010101..87 - xxlor 2, 32+$eighty7, 32+$eighty7 - vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 - xxlor 1, 32+$eighty7, 32+$eighty7 - - # Load XOR contents. 0xf102132435465768798a9bacbdcedfe - mr $x70, r6 - bl Lconsts - lxvw4x 0, $x40, r6 # load XOR contents - mr r6, $x70 - li $x70,0x70 - subi $rounds,$rounds,3 # -4 in total @@ -2516,12 +2503,4 @@ lvx v25,$x10,$key_ # pre-load round[2] - # Switch to use the following codes with 0x010101..87 to generate tweak. - # eighty7 = 0x010101..87 - # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits - # vand tmp, tmp, eighty7 # last byte with carry - # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) - # xxlor vsx, 0, 0 - # vpermxor tweak, tweak, tmp, vsx - vperm $in0,$inout,$inptail,$inpperm subi $inp,$inp,31 # undo "caller" @@ -2529,8 +2508,8 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vand $tmp,$tmp,$eighty7 vxor $out0,$in0,$twk0 - xxlor 32+$in1, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in1 + vxor $tweak,$tweak,$tmp lvx_u $in1,$x10,$inp @@ -2538,9 +2517,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in1,$in1,$in1,$leperm vand $tmp,$tmp,$eighty7 vxor $out1,$in1,$twk1 - xxlor 32+$in2, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in2 + vxor $tweak,$tweak,$tmp lvx_u $in2,$x20,$inp @@ -2549,9 +2528,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in2,$in2,$in2,$leperm vand $tmp,$tmp,$eighty7 vxor $out2,$in2,$twk2 - xxlor 32+$in3, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in3 + vxor $tweak,$tweak,$tmp lvx_u $in3,$x30,$inp @@ -2560,9 +2539,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in3,$in3,$in3,$leperm vand $tmp,$tmp,$eighty7 vxor $out3,$in3,$twk3 - xxlor 32+$in4, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in4 + vxor $tweak,$tweak,$tmp lvx_u $in4,$x40,$inp @@ -2571,9 +2550,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in4,$in4,$in4,$leperm vand $tmp,$tmp,$eighty7 vxor $out4,$in4,$twk4 - xxlor 32+$in5, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in5 + vxor $tweak,$tweak,$tmp lvx_u $in5,$x50,$inp @@ -2582,9 +2561,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in5,$in5,$in5,$leperm vand $tmp,$tmp,$eighty7 vxor $out5,$in5,$twk5 - xxlor 32+$in0, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in0 + vxor $tweak,$tweak,$tmp vxor v31,v31,$rndkey0 @@ -2612,6 +2591,4 @@ bdnz Loop_xts_enc6x - xxlor 32+$eighty7, 1, 1 # 0x010101..87 - subic $len,$len,96 # $len-=96 vxor $in0,$twk0,v31 # xor with last round key @@ -2623,4 +2600,5 @@ vcipher $out2,$out2,v24 vcipher $out3,$out3,v24 + vsldoi $tmp,$tmp,$tmp,15 vcipher $out4,$out4,v24 vcipher $out5,$out5,v24 @@ -2630,6 +2608,5 @@ vcipher $out0,$out0,v25 vcipher $out1,$out1,v25 - xxlor 32+$in1, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in1 + vxor $tweak,$tweak,$tmp vcipher $out2,$out2,v25 vcipher $out3,$out3,v25 @@ -2642,4 +2619,5 @@ and r0,r0,$len vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vcipher $out0,$out0,v26 vcipher $out1,$out1,v26 @@ -2647,6 +2625,5 @@ vcipher $out2,$out2,v26 vcipher $out3,$out3,v26 - xxlor 32+$in2, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in2 + vxor $tweak,$tweak,$tmp vcipher $out4,$out4,v26 vcipher $out5,$out5,v26 @@ -2662,4 +2639,5 @@ vcipher $out0,$out0,v27 vcipher $out1,$out1,v27 + vsldoi $tmp,$tmp,$tmp,15 vcipher $out2,$out2,v27 vcipher $out3,$out3,v27 @@ -2669,6 +2647,5 @@ addi $key_,$sp,$FRAME+15 # rewind $key_ - xxlor 32+$in3, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in3 + vxor $tweak,$tweak,$tmp vcipher $out0,$out0,v28 vcipher $out1,$out1,v28 @@ -2679,4 +2656,5 @@ vcipher $out3,$out3,v28 vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vcipher $out4,$out4,v28 vcipher $out5,$out5,v28 @@ -2686,6 +2664,5 @@ vcipher $out0,$out0,v29 vcipher $out1,$out1,v29 - xxlor 32+$in4, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in4 + vxor $tweak,$tweak,$tmp vcipher $out2,$out2,v29 vcipher $out3,$out3,v29 @@ -2697,4 +2674,5 @@ lvx v25,$x10,$key_ # re-pre-load round[2] vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vcipher $out0,$out0,v30 @@ -2703,6 +2681,5 @@ vcipher $out2,$out2,v30 vcipher $out3,$out3,v30 - xxlor 32+$in5, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in5 + vxor $tweak,$tweak,$tmp vcipher $out4,$out4,v30 vcipher $out5,$out5,v30 @@ -2714,4 +2691,5 @@ lvx_u $in0,$x00,$inp # load next input block vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vcipherlast $out1,$out1,$in1 lvx_u $in1,$x10,$inp @@ -2726,8 +2704,5 @@ le?vperm $in2,$in2,$in2,$leperm lvx_u $in4,$x40,$inp - xxlor 10, 32+$in0, 32+$in0 - xxlor 32+$in0, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in0 - xxlor 32+$in0, 10, 10 + vxor $tweak,$tweak,$tmp vcipherlast $tmp,$out5,$in5 # last block might be needed # in stealing mode @@ -2761,6 +2736,4 @@ mtctr $rounds beq Loop_xts_enc6x # did $len-=96 borrow? - - xxlor 32+$eighty7, 2, 2 # 0x870101..01 addic. $len,$len,0x60 @@ -3140,16 +3113,4 @@ mtspr 256,r0 - # Reverse eighty7 to 0x010101..87 - xxlor 2, 32+$eighty7, 32+$eighty7 - vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 - xxlor 1, 32+$eighty7, 32+$eighty7 - - # Load XOR contents. 0xf102132435465768798a9bacbdcedfe - mr $x70, r6 - bl Lconsts - lxvw4x 0, $x40, r6 # load XOR contents - mr r6, $x70 - li $x70,0x70 - subi $rounds,$rounds,3 # -4 in total @@ -3199,8 +3160,8 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vand $tmp,$tmp,$eighty7 vxor $out0,$in0,$twk0 - xxlor 32+$in1, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in1 + vxor $tweak,$tweak,$tmp lvx_u $in1,$x10,$inp @@ -3208,9 +3169,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in1,$in1,$in1,$leperm vand $tmp,$tmp,$eighty7 vxor $out1,$in1,$twk1 - xxlor 32+$in2, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in2 + vxor $tweak,$tweak,$tmp lvx_u $in2,$x20,$inp @@ -3219,9 +3180,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in2,$in2,$in2,$leperm vand $tmp,$tmp,$eighty7 vxor $out2,$in2,$twk2 - xxlor 32+$in3, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in3 + vxor $tweak,$tweak,$tmp lvx_u $in3,$x30,$inp @@ -3230,9 +3191,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in3,$in3,$in3,$leperm vand $tmp,$tmp,$eighty7 vxor $out3,$in3,$twk3 - xxlor 32+$in4, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in4 + vxor $tweak,$tweak,$tmp lvx_u $in4,$x40,$inp @@ -3241,9 +3202,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in4,$in4,$in4,$leperm vand $tmp,$tmp,$eighty7 vxor $out4,$in4,$twk4 - xxlor 32+$in5, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in5 + vxor $tweak,$tweak,$tmp lvx_u $in5,$x50,$inp @@ -3252,9 +3213,9 @@ vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 le?vperm $in5,$in5,$in5,$leperm vand $tmp,$tmp,$eighty7 vxor $out5,$in5,$twk5 - xxlor 32+$in0, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in0 + vxor $tweak,$tweak,$tmp vxor v31,v31,$rndkey0 @@ -3282,6 +3243,4 @@ bdnz Loop_xts_dec6x - xxlor 32+$eighty7, 1, 1 - subic $len,$len,96 # $len-=96 vxor $in0,$twk0,v31 # xor with last round key @@ -3293,4 +3252,5 @@ vncipher $out2,$out2,v24 vncipher $out3,$out3,v24 + vsldoi $tmp,$tmp,$tmp,15 vncipher $out4,$out4,v24 vncipher $out5,$out5,v24 @@ -3300,6 +3260,5 @@ vncipher $out0,$out0,v25 vncipher $out1,$out1,v25 - xxlor 32+$in1, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in1 + vxor $tweak,$tweak,$tmp vncipher $out2,$out2,v25 vncipher $out3,$out3,v25 @@ -3312,4 +3271,5 @@ and r0,r0,$len vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vncipher $out0,$out0,v26 vncipher $out1,$out1,v26 @@ -3317,6 +3277,5 @@ vncipher $out2,$out2,v26 vncipher $out3,$out3,v26 - xxlor 32+$in2, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in2 + vxor $tweak,$tweak,$tmp vncipher $out4,$out4,v26 vncipher $out5,$out5,v26 @@ -3332,4 +3291,5 @@ vncipher $out0,$out0,v27 vncipher $out1,$out1,v27 + vsldoi $tmp,$tmp,$tmp,15 vncipher $out2,$out2,v27 vncipher $out3,$out3,v27 @@ -3339,6 +3299,5 @@ addi $key_,$sp,$FRAME+15 # rewind $key_ - xxlor 32+$in3, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in3 + vxor $tweak,$tweak,$tmp vncipher $out0,$out0,v28 vncipher $out1,$out1,v28 @@ -3349,4 +3308,5 @@ vncipher $out3,$out3,v28 vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vncipher $out4,$out4,v28 vncipher $out5,$out5,v28 @@ -3356,6 +3316,5 @@ vncipher $out0,$out0,v29 vncipher $out1,$out1,v29 - xxlor 32+$in4, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in4 + vxor $tweak,$tweak,$tmp vncipher $out2,$out2,v29 vncipher $out3,$out3,v29 @@ -3367,4 +3326,5 @@ lvx v25,$x10,$key_ # re-pre-load round[2] vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vncipher $out0,$out0,v30 @@ -3373,6 +3333,5 @@ vncipher $out2,$out2,v30 vncipher $out3,$out3,v30 - xxlor 32+$in5, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in5 + vxor $tweak,$tweak,$tmp vncipher $out4,$out4,v30 vncipher $out5,$out5,v30 @@ -3384,4 +3343,5 @@ lvx_u $in0,$x00,$inp # load next input block vaddubm $tweak,$tweak,$tweak + vsldoi $tmp,$tmp,$tmp,15 vncipherlast $out1,$out1,$in1 lvx_u $in1,$x10,$inp @@ -3396,8 +3356,5 @@ le?vperm $in2,$in2,$in2,$leperm lvx_u $in4,$x40,$inp - xxlor 10, 32+$in0, 32+$in0 - xxlor 32+$in0, 0, 0 - vpermxor $tweak, $tweak, $tmp, $in0 - xxlor 32+$in0, 10, 10 + vxor $tweak,$tweak,$tmp vncipherlast $out5,$out5,$in5 le?vperm $in3,$in3,$in3,$leperm @@ -3430,6 +3387,4 @@ beq Loop_xts_dec6x # did $len-=96 borrow? - xxlor 32+$eighty7, 2, 2 - addic. $len,$len,0x60 beq Lxts_dec6x_zero Index: /trunk/src/libs/openssl-3.1.7/crypto/aes/build.info =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/aes/build.info (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/aes/build.info (revision 105949) @@ -39,9 +39,5 @@ $AESDEF_parisc20_64=$AESDEF_parisc11 - IF[{- $target{sys_id} ne "MACOSX" -}] $AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s - ELSE - $AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s - ENDIF $AESDEF_ppc32=AES_ASM VPAES_ASM $AESASM_ppc64=$AESASM_ppc32 @@ -88,5 +84,5 @@ # added again. IF[{- !$disabled{module} && !$disabled{shared} -}] - DEFINE[../../providers/liblegacy.a]=$AESDEF + DEFINE[../providers/liblegacy.a]=$AESDEF ENDIF Index: /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_d2i_fp.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_d2i_fp.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_d2i_fp.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -149,7 +149,4 @@ } len += i; - if ((size_t)i < want) - continue; - } } Index: /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_mbstr.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_mbstr.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_mbstr.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -140,5 +140,7 @@ free_out = 0; dest = *out; - ASN1_STRING_set0(dest, NULL, 0); + OPENSSL_free(dest->data); + dest->data = NULL; + dest->length = 0; dest->type = str_type; } else { @@ -154,8 +156,4 @@ if (inform == outform) { if (!ASN1_STRING_set(dest, in, len)) { - if (free_out) { - ASN1_STRING_free(dest); - *out = NULL; - } ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return -1; @@ -188,8 +186,6 @@ } if ((p = OPENSSL_malloc(outlen + 1)) == NULL) { - if (free_out) { + if (free_out) ASN1_STRING_free(dest); - *out = NULL; - } ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return -1; Index: /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_strex.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_strex.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_strex.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -11,5 +11,4 @@ #include #include "internal/cryptlib.h" -#include "internal/sizes.h" #include "crypto/asn1.h" #include @@ -347,8 +346,6 @@ if (lflags & ASN1_STRFLGS_SHOW_TYPE) { const char *tagname; - tagname = ASN1_tag2str(type); - /* We can directly cast here as tagname will never be too large. */ - outlen += (int)strlen(tagname); + outlen += strlen(tagname); if (!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1)) return -1; @@ -376,5 +373,5 @@ if (type == -1) { len = do_dump(lflags, io_ch, arg, str); - if (len < 0 || len > INT_MAX - outlen) + if (len < 0) return -1; outlen += len; @@ -395,5 +392,5 @@ len = do_buf(str->data, str->length, type, flags, "es, io_ch, NULL); - if (len < 0 || len > INT_MAX - 2 - outlen) + if (len < 0) return -1; outlen += len; Index: /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_verify.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_verify.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/asn1/a_verify.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -204,10 +204,8 @@ if (inl <= 0) { ERR_raise(ERR_LIB_ASN1, ERR_R_INTERNAL_ERROR); - ret = -1; goto err; } if (buf_in == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); - ret = -1; goto err; } Index: /trunk/src/libs/openssl-3.1.7/crypto/asn1/tasn_fre.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/asn1/tasn_fre.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/asn1/tasn_fre.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -86,10 +86,6 @@ case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: - if (ossl_asn1_do_lock(pval, -1, it) != 0) { - /* if error or ref-counter > 0 */ - OPENSSL_assert(embed == 0); - *pval = NULL; - return; - } + if (ossl_asn1_do_lock(pval, -1, it) != 0) /* if error or ref-counter > 0 */ + return; if (asn1_cb) { i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL); Index: /trunk/src/libs/openssl-3.1.7/crypto/bio/bf_readbuff.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/bio/bf_readbuff.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/bio/bf_readbuff.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -223,11 +223,8 @@ int i, j; - if (buf == NULL || size == 0) + if (size == 0) return 0; --size; /* the passed in size includes the terminator - so remove it here */ ctx = (BIO_F_BUFFER_CTX *)b->ptr; - - if (ctx == NULL || b->next_bio == NULL) - return 0; BIO_clear_retry_flags(b); Index: /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_addr.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_addr.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_addr.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -779,10 +779,12 @@ if (!RUN_ONCE(&bio_lookup_init, do_bio_lookup_init)) { ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE); - return 0; - } - - if (!CRYPTO_THREAD_write_lock(bio_lookup_lock)) - return 0; - + ret = 0; + goto err; + } + + if (!CRYPTO_THREAD_write_lock(bio_lookup_lock)) { + ret = 0; + goto err; + } he_fallback_address = INADDR_ANY; if (host == NULL) { Index: /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -870,10 +870,6 @@ #ifndef OPENSSL_NO_SOCK - if (BIO_get_fd(bio, &fd) > 0) { - int ret = BIO_socket_wait(fd, BIO_should_read(bio), max_time); - - if (ret != -1) - return ret; - } + if (BIO_get_fd(bio, &fd) > 0 && fd < FD_SETSIZE) + return BIO_socket_wait(fd, BIO_should_read(bio), max_time); #endif /* fall back to polling since no sockets are available */ Index: /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_sock.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_sock.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/bio/bio_sock.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -397,9 +397,5 @@ time_t now; -#ifdef _WIN32 - if ((SOCKET)fd == INVALID_SOCKET) -#else if (fd < 0 || fd >= FD_SETSIZE) -#endif return -1; if (max_time == 0) Index: /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -619,20 +619,4 @@ BN_ULONG t1, t2, *ap, *bp; - ap = a->d; - bp = b->d; - - if (BN_get_flags(a, BN_FLG_CONSTTIME) - && a->top == b->top) { - int res = 0; - - for (i = 0; i < b->top; i++) { - res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]), - -1, res); - res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]), - 1, res); - } - return res; - } - bn_check_top(a); bn_check_top(b); @@ -641,5 +625,6 @@ if (i != 0) return i; - + ap = a->d; + bp = b->d; for (i = a->top - 1; i >= 0; i--) { t1 = ap[i]; @@ -753,8 +738,9 @@ } -int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n) +int BN_mask_bits(BIGNUM *a, int n) { int b, w; + bn_check_top(a); if (n < 0) return 0; @@ -770,17 +756,6 @@ a->d[w] &= ~(BN_MASK2 << b); } - a->flags |= BN_FLG_FIXED_TOP; + bn_correct_top(a); return 1; -} - -int BN_mask_bits(BIGNUM *a, int n) -{ - int ret; - - bn_check_top(a); - ret = ossl_bn_mask_bits_fixed_top(a, n); - if (ret) - bn_correct_top(a); - return ret; } @@ -958,20 +933,4 @@ } -int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w) -{ - int res, i; - const BN_ULONG *ap = a->d; - - if (a->neg || a->top == 0) - return 0; - - res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0); - - for (i = 1; i < a->top; i++) - res = constant_time_select_int(constant_time_is_zero_bn(ap[i]), - res, 0); - return res; -} - int BN_is_odd(const BIGNUM *a) { Index: /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_rand.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_rand.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_rand.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -187,6 +187,6 @@ do { /* range = 11..._2 or range = 101..._2 */ - if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, - strength, ctx)) + if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, + ctx)) return 0; @@ -241,61 +241,15 @@ #endif -int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range, - unsigned int strength, BN_CTX *ctx) -{ - int n; - int count = 100; - - if (r == NULL) { - ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - - if (range->neg || BN_is_zero(range)) { - ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); - return 0; - } - - n = BN_num_bits(range); /* n > 0 */ - - /* BN_is_bit_set(range, n - 1) always holds */ - - if (n == 1) { - BN_zero(r); - } else { - BN_set_flags(r, BN_FLG_CONSTTIME); - do { - if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, - strength, ctx)) - return 0; - - if (!--count) { - ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); - return 0; - } - ossl_bn_mask_bits_fixed_top(r, n); - } - while (BN_ucmp(r, range) >= 0); -#ifdef BN_DEBUG - /* With BN_DEBUG on a fixed top number cannot be returned */ - bn_correct_top(r); -#endif - } - - return 1; -} - /* - * ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range. - * Unlike BN_rand_range, it also includes the contents of |priv| and |message| - * in the generation so that an RNG failure isn't fatal as long as |priv| + * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike + * BN_rand_range, it also includes the contents of |priv| and |message| in + * the generation so that an RNG failure isn't fatal as long as |priv| * remains secret. This is intended for use in DSA and ECDSA where an RNG * weakness leads directly to private key exposure unless this function is * used. */ -int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range, - const BIGNUM *priv, - const unsigned char *message, - size_t message_len, BN_CTX *ctx) +int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, + const BIGNUM *priv, const unsigned char *message, + size_t message_len, BN_CTX *ctx) { EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); @@ -307,10 +261,8 @@ unsigned char digest[SHA512_DIGEST_LENGTH]; unsigned done, todo; - /* We generate |range|+1 bytes of random output. */ - const unsigned num_k_bytes = BN_num_bytes(range) + 1; + /* We generate |range|+8 bytes of random output. */ + const unsigned num_k_bytes = BN_num_bytes(range) + 8; unsigned char private_bytes[96]; unsigned char *k_bytes = NULL; - const int max_n = 64; /* Pr(failure to generate) < 2^max_n */ - int n; int ret = 0; EVP_MD *md = NULL; @@ -318,11 +270,9 @@ if (mdctx == NULL) - goto end; + goto err; k_bytes = OPENSSL_malloc(num_k_bytes); if (k_bytes == NULL) - goto end; - /* Ensure top byte is set to avoid non-constant time in bin2bn */ - k_bytes[0] = 0xff; + goto err; /* We copy |priv| into a local buffer to avoid exposing its length. */ @@ -334,5 +284,5 @@ */ ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE); - goto end; + goto err; } @@ -340,52 +290,33 @@ if (md == NULL) { ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST); - goto end; - } - for (n = 0; n < max_n; n++) { - unsigned char i = 0; - - for (done = 1; done < num_k_bytes;) { - if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), - 0) <= 0) - goto end; - - if (!EVP_DigestInit_ex(mdctx, md, NULL) - || !EVP_DigestUpdate(mdctx, &i, sizeof(i)) - || !EVP_DigestUpdate(mdctx, private_bytes, - sizeof(private_bytes)) - || !EVP_DigestUpdate(mdctx, message, message_len) - || !EVP_DigestUpdate(mdctx, random_bytes, - sizeof(random_bytes)) - || !EVP_DigestFinal_ex(mdctx, digest, NULL)) - goto end; - - todo = num_k_bytes - done; - if (todo > SHA512_DIGEST_LENGTH) - todo = SHA512_DIGEST_LENGTH; - memcpy(k_bytes + done, digest, todo); - done += todo; - ++i; - } - - if (!BN_bin2bn(k_bytes, num_k_bytes, out)) - goto end; - - /* Clear out the top bits and rejection filter into range */ - BN_set_flags(out, BN_FLG_CONSTTIME); - ossl_bn_mask_bits_fixed_top(out, BN_num_bits(range)); - - if (BN_ucmp(out, range) < 0) { - ret = 1; -#ifdef BN_DEBUG - /* With BN_DEBUG on a fixed top number cannot be returned */ - bn_correct_top(out); -#endif - goto end; - } - } - /* Failed to generate anything */ - ERR_raise(ERR_LIB_BN, ERR_R_INTERNAL_ERROR); - - end: + goto err; + } + for (done = 0; done < num_k_bytes;) { + if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0) + goto err; + + if (!EVP_DigestInit_ex(mdctx, md, NULL) + || !EVP_DigestUpdate(mdctx, &done, sizeof(done)) + || !EVP_DigestUpdate(mdctx, private_bytes, + sizeof(private_bytes)) + || !EVP_DigestUpdate(mdctx, message, message_len) + || !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes)) + || !EVP_DigestFinal_ex(mdctx, digest, NULL)) + goto err; + + todo = num_k_bytes - done; + if (todo > SHA512_DIGEST_LENGTH) + todo = SHA512_DIGEST_LENGTH; + memcpy(k_bytes + done, digest, todo); + done += todo; + } + + if (!BN_bin2bn(k_bytes, num_k_bytes, out)) + goto err; + if (BN_mod(out, out, range, ctx) != 1) + goto err; + ret = 1; + + err: EVP_MD_CTX_free(mdctx); EVP_MD_free(md); @@ -396,19 +327,2 @@ return ret; } - -int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, - const BIGNUM *priv, const unsigned char *message, - size_t message_len, BN_CTX *ctx) -{ - int ret; - - ret = ossl_bn_gen_dsa_nonce_fixed_top(out, range, priv, message, - message_len, ctx); - /* - * This call makes the BN_generate_dsa_nonce non-const-time, thus we - * do not use it internally. But fixed_top BNs currently cannot be returned - * from public API calls. - */ - bn_correct_top(out); - return ret; -} Index: /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_shift.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_shift.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/bn/bn_shift.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -157,7 +157,4 @@ } - bn_check_top(r); - bn_check_top(a); - ret = bn_rshift_fixed_top(r, a, n); @@ -181,4 +178,7 @@ BN_ULONG l, m, mask; + bn_check_top(r); + bn_check_top(a); + assert(n >= 0); Index: /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_def.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_def.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_def.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -333,5 +333,5 @@ v = NULL; /* check for line continuation */ - if (!again && bufnum >= 1) { + if (bufnum >= 1) { /* * If we have bytes and the last char '\\' and second last char Index: /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -465,7 +465,4 @@ void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings) { - if (settings == NULL) - return; - free(settings->filename); free(settings->appname); Index: /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_sap.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_sap.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/conf/conf_sap.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -39,6 +39,4 @@ settings.flags = DEFAULT_CONF_MFLAGS; OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings); - - free(settings.appname); } #endif Index: /trunk/src/libs/openssl-3.1.7/crypto/context.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/context.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/context.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -440,5 +440,5 @@ void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx) { - if (ctx == NULL || ossl_lib_ctx_is_default(ctx)) + if (ossl_lib_ctx_is_default(ctx)) return; Index: /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_check.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_check.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_check.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -20,32 +20,6 @@ #include "crypto/dsa.h" -static int dsa_precheck_params(const DSA *dsa, int *ret) -{ - if (dsa->params.p == NULL || dsa->params.q == NULL) { - ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS); - *ret = FFC_CHECK_INVALID_PQ; - return 0; - } - - if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE); - *ret = FFC_CHECK_INVALID_PQ; - return 0; - } - - if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) { - ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE); - *ret = FFC_CHECK_INVALID_PQ; - return 0; - } - - return 1; -} - int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) { - if (!dsa_precheck_params(dsa, ret)) - return 0; - if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, @@ -66,7 +40,4 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) { - if (!dsa_precheck_params(dsa, ret)) - return 0; - return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) && *ret == 0; @@ -80,7 +51,4 @@ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) { - if (!dsa_precheck_params(dsa, ret)) - return 0; - return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret) && *ret == 0; @@ -91,8 +59,6 @@ *ret = 0; - if (!dsa_precheck_params(dsa, ret)) - return 0; - - return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret); + return (dsa->params.q != NULL + && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret)); } @@ -107,8 +73,6 @@ BIGNUM *pub_key = NULL; - if (!dsa_precheck_params(dsa, &ret)) - return 0; - - if (dsa->params.g == NULL + if (dsa->params.p == NULL + || dsa->params.g == NULL || dsa->priv_key == NULL || dsa->pub_key == NULL) Index: /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_ossl.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_ossl.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_ossl.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -263,11 +263,10 @@ * This protects the private key from a weak PRNG. */ - if (!ossl_bn_gen_dsa_nonce_fixed_top(k, dsa->params.q, - dsa->priv_key, dgst, - dlen, ctx)) + if (!BN_generate_dsa_nonce(k, dsa->params.q, dsa->priv_key, dgst, + dlen, ctx)) goto err; - } else if (!ossl_bn_priv_rand_range_fixed_top(k, dsa->params.q, 0, ctx)) - goto err; - } while (ossl_bn_is_word_fixed_top(k, 0)); + } else if (!BN_priv_rand_range_ex(k, dsa->params.q, 0, ctx)) + goto err; + } while (BN_is_zero(k)); BN_set_flags(k, BN_FLG_CONSTTIME); Index: /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_sign.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_sign.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/dsa/dsa_sign.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -157,9 +157,4 @@ DSA_SIG *s; - if (sig == NULL) { - *siglen = DSA_size(dsa); - return 1; - } - /* legacy case uses the method table */ if (dsa->libctx == NULL || dsa->meth != DSA_get_default_method()) @@ -171,5 +166,5 @@ return 0; } - *siglen = i2d_DSA_SIG(s, &sig); + *siglen = i2d_DSA_SIG(s, sig != NULL ? &sig : NULL); DSA_SIG_free(s); return 1; Index: /trunk/src/libs/openssl-3.1.7/crypto/ec/build.info =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/ec/build.info (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/ec/build.info (revision 105949) @@ -78,5 +78,5 @@ # has, and doesn't need it added again. IF[{- !$disabled{module} && !$disabled{shared} -}] - DEFINE[../../providers/liblegacy.a]=$ECDEF + DEFINE[../providers/liblegacy.a]=$ECDEF ENDIF Index: /trunk/src/libs/openssl-3.1.7/crypto/ec/curve448/arch_64/f_impl64.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/ec/curve448/arch_64/f_impl64.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/ec/curve448/arch_64/f_impl64.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2014 Cryptography Research, Inc. * @@ -46,7 +46,7 @@ } for (; j < 4; j++) { - accum2 += widemul(a[j], b[i + 8 - j]); - accum1 += widemul(aa[j], bbb[i + 4 - j]); - accum0 += widemul(a[j + 4], bb[i + 4 - j]); + accum2 += widemul(a[j], b[i - j + 8]); + accum1 += widemul(aa[j], bbb[i - j + 4]); + accum0 += widemul(a[j + 4], bb[i - j + 4]); } Index: /trunk/src/libs/openssl-3.1.7/crypto/ec/ecdsa_ossl.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/ec/ecdsa_ossl.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/ec/ecdsa_ossl.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -71,9 +71,4 @@ ECDSA_SIG *s; - if (sig == NULL && (kinv == NULL || r == NULL)) { - *siglen = ECDSA_size(eckey); - return 1; - } - s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey); if (s == NULL) { @@ -131,9 +126,5 @@ goto err; } - - if ((order = EC_GROUP_get0_order(group)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } + order = EC_GROUP_get0_order(group); /* Preallocate space */ @@ -150,16 +141,16 @@ do { if (dgst != NULL) { - if (!ossl_bn_gen_dsa_nonce_fixed_top(k, order, priv_key, - dgst, dlen, ctx)) { + if (!BN_generate_dsa_nonce(k, order, priv_key, + dgst, dlen, ctx)) { ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } else { - if (!ossl_bn_priv_rand_range_fixed_top(k, order, 0, ctx)) { + if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } - } while (ossl_bn_is_word_fixed_top(k, 0)); + } while (BN_is_zero(k)); /* compute r the x-coordinate of generator * k */ @@ -260,9 +251,5 @@ } - if ((order = EC_GROUP_get0_order(group)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - + order = EC_GROUP_get0_order(group); i = BN_num_bits(order); /* Index: /trunk/src/libs/openssl-3.1.7/crypto/encode_decode/encoder_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/encode_decode/encoder_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/encode_decode/encoder_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -57,9 +57,4 @@ "at least one of the default or base providers " "available. Did you forget to load them?"); - return 0; - } - - if (ctx->cleanup == NULL || ctx->construct == NULL) { - ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_INIT_FAIL); return 0; } Index: /trunk/src/libs/openssl-3.1.7/crypto/engine/eng_pkey.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/engine/eng_pkey.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/engine/eng_pkey.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -81,4 +81,46 @@ return NULL; } + /* We enforce check for legacy key */ + switch (EVP_PKEY_get_id(pkey)) { + case EVP_PKEY_RSA: + { + RSA *rsa = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } + break; +# ifndef OPENSSL_NO_EC + case EVP_PKEY_SM2: + case EVP_PKEY_EC: + { + EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); + EVP_PKEY_set1_EC_KEY(pkey, ec); + EC_KEY_free(ec); + } + break; +# endif +# ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + { + DSA *dsa = EVP_PKEY_get1_DSA(pkey); + EVP_PKEY_set1_DSA(pkey, dsa); + DSA_free(dsa); + } + break; +#endif +# ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + { + DH *dh = EVP_PKEY_get1_DH(pkey); + EVP_PKEY_set1_DH(pkey, dh); + DH_free(dh); + } + break; +#endif + default: + /*Do nothing */ + break; + } + return pkey; } Index: /trunk/src/libs/openssl-3.1.7/crypto/engine/eng_table.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/engine/eng_table.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/engine/eng_table.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -216,9 +216,7 @@ return NULL; } - + ERR_set_mark(); if (!CRYPTO_THREAD_write_lock(global_engine_lock)) - return NULL; - - ERR_set_mark(); + goto end; /* * Check again inside the lock otherwise we could race against cleanup Index: /trunk/src/libs/openssl-3.1.7/crypto/err/openssl.ec =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/err/openssl.ec (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/err/openssl.ec (revision 105949) @@ -77,5 +77,5 @@ R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 -R SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY 1115 +R TLS1_AD_UNKNOWN_PSK_IDENTITY 1115 R SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116 -R SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL 1120 +R TLS1_AD_NO_APPLICATION_PROTOCOL 1120 Index: /trunk/src/libs/openssl-3.1.7/crypto/ess/ess_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/ess/ess_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/ess/ess_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -294,5 +294,5 @@ if (require_signing_cert && ss == NULL && ssv2 == NULL) { - ERR_raise(ERR_LIB_ESS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); + ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); return -1; } Index: /trunk/src/libs/openssl-3.1.7/crypto/evp/ctrl_params_translate.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/evp/ctrl_params_translate.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/evp/ctrl_params_translate.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -2778,5 +2778,5 @@ int ret; - ctx.action_type = tmpl.action_type = action_type; + tmpl.action_type = action_type; tmpl.keytype1 = tmpl.keytype2 = keytype; tmpl.optype = optype; @@ -2787,4 +2787,5 @@ if (translation->fixup_args != NULL) fixup = translation->fixup_args; + ctx.action_type = translation->action_type; ctx.ctrl_cmd = translation->ctrl_num; } Index: /trunk/src/libs/openssl-3.1.7/crypto/evp/digest.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/evp/digest.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/evp/digest.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -423,5 +423,5 @@ /* Code below to be removed when legacy support is dropped. */ legacy: - return ctx->update != NULL ? ctx->update(ctx, data, count) : 0; + return ctx->update(ctx, data, count); } Index: /trunk/src/libs/openssl-3.1.7/crypto/evp/keymgmt_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/evp/keymgmt_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/evp/keymgmt_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -244,13 +244,8 @@ * A comparison and sk_P_CACHE_ELEM_find() are avoided to not cause * problems when we've only a read lock. - * A keymgmt is a match if the |keymgmt| pointers are identical or if the - * provider and the name ID match */ for (i = 0; i < end; i++) { p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i); - if ((p->selection & selection) == selection - && (keymgmt == p->keymgmt - || (keymgmt->name_id == p->keymgmt->name_id - && keymgmt->prov == p->keymgmt->prov))) + if (keymgmt == p->keymgmt && (p->selection & selection) == selection) return p; } Index: /trunk/src/libs/openssl-3.1.7/crypto/evp/names.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/evp/names.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/evp/names.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -79,5 +79,4 @@ OSSL_NAMEMAP *namemap; int id; - int do_retry = 1; if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS, NULL)) @@ -96,19 +95,7 @@ namemap = ossl_namemap_stored(libctx); - retry: id = ossl_namemap_name2num(namemap, name); - if (id == 0) { - EVP_CIPHER *fetched_cipher; - - /* Try to fetch it because the name might not be known yet. */ - if (!do_retry) - return NULL; - do_retry = 0; - ERR_set_mark(); - fetched_cipher = EVP_CIPHER_fetch(libctx, name, NULL); - EVP_CIPHER_free(fetched_cipher); - ERR_pop_to_mark(); - goto retry; - } + if (id == 0) + return NULL; if (!ossl_namemap_doall_names(namemap, id, cipher_from_name, &cp)) @@ -138,5 +125,4 @@ OSSL_NAMEMAP *namemap; int id; - int do_retry = 1; if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)) @@ -155,19 +141,7 @@ namemap = ossl_namemap_stored(libctx); - retry: id = ossl_namemap_name2num(namemap, name); - if (id == 0) { - EVP_MD *fetched_md; - - /* Try to fetch it because the name might not be known yet. */ - if (!do_retry) - return NULL; - do_retry = 0; - ERR_set_mark(); - fetched_md = EVP_MD_fetch(libctx, name, NULL); - EVP_MD_free(fetched_md); - ERR_pop_to_mark(); - goto retry; - } + if (id == 0) + return NULL; if (!ossl_namemap_doall_names(namemap, id, digest_from_name, &dp)) Index: /trunk/src/libs/openssl-3.1.7/crypto/evp/p_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/evp/p_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/evp/p_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1903,13 +1903,5 @@ * that export doesn't need to be redone. In that case, we take * token copies of the cached pointers, to have token success - * values to return. It is possible (e.g. in a no-cached-fetch - * build), for op->keymgmt to be a different pointer to tmp_keymgmt - * even though the name/provider must be the same. In other words - * the keymgmt instance may be different but still equivalent, i.e. - * same algorithm/provider instance - but we make the simplifying - * assumption that the keydata can be used with either keymgmt - * instance. Not doing so introduces significant complexity and - * probably requires refactoring - since we would have to ripple - * the change in keymgmt instance up the call chain. + * values to return. */ if (op != NULL && op->keymgmt != NULL) { Index: /trunk/src/libs/openssl-3.1.7/crypto/evp/pmeth_lib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/evp/pmeth_lib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/evp/pmeth_lib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1029,76 +1029,4 @@ } -static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, - const char *param, int op, int ctrl, - const unsigned char *data, - int datalen) -{ - OSSL_PARAM os_params[2]; - const OSSL_PARAM *gettables; - unsigned char *info = NULL; - size_t info_len = 0; - size_t info_alloc = 0; - int ret = 0; - - if (ctx == NULL || (ctx->operation & op) == 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); - /* Uses the same return values as EVP_PKEY_CTX_ctrl */ - return -2; - } - - /* Code below to be removed when legacy support is dropped. */ - if (fallback) - return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data)); - /* end of legacy support */ - - if (datalen < 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); - return 0; - } else if (datalen == 0) { - return 1; - } - - /* Check for older provider that doesn't support getting this parameter */ - gettables = EVP_PKEY_CTX_gettable_params(ctx); - if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL) - return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, - data, datalen); - - /* Get the original value length */ - os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); - os_params[1] = OSSL_PARAM_construct_end(); - - if (!EVP_PKEY_CTX_get_params(ctx, os_params)) - return 0; - - /* This should not happen but check to be sure. */ - if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) - return 0; - - info_alloc = os_params[0].return_size + datalen; - if (info_alloc == 0) - return 0; - info = OPENSSL_zalloc(info_alloc); - if (info == NULL) - return 0; - info_len = os_params[0].return_size; - - os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc); - - /* if we have data, then go get it */ - if (info_len > 0) { - if (!EVP_PKEY_CTX_get_params(ctx, os_params)) - goto error; - } - - /* Copy the input data */ - memcpy(&info[info_len], data, datalen); - ret = EVP_PKEY_CTX_set_params(ctx, os_params); - - error: - OPENSSL_clear_free(info, info_alloc); - return ret; -} - int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx, const unsigned char *sec, int seclen) @@ -1151,5 +1079,5 @@ const unsigned char *info, int infolen) { - return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL, + return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL, OSSL_KDF_PARAM_INFO, EVP_PKEY_OP_DERIVE, Index: /trunk/src/libs/openssl-3.1.7/crypto/evp/signature.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/evp/signature.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/evp/signature.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -404,6 +404,6 @@ if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); - return -1; + ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return -2; } @@ -635,6 +635,6 @@ if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); - return -1; + ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return -2; } @@ -647,9 +647,4 @@ goto legacy; - if (ctx->op.sig.signature->sign == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; - } - ret = ctx->op.sig.signature->sign(ctx->op.sig.algctx, sig, siglen, (sig == NULL) ? 0 : *siglen, tbs, tbslen); @@ -684,6 +679,6 @@ if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); - return -1; + ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return -2; } @@ -695,9 +690,4 @@ if (ctx->op.sig.algctx == NULL) goto legacy; - - if (ctx->op.sig.signature->verify == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; - } ret = ctx->op.sig.signature->verify(ctx->op.sig.algctx, sig, siglen, @@ -732,6 +722,6 @@ if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); - return -1; + ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return -2; } @@ -743,9 +733,4 @@ if (ctx->op.sig.algctx == NULL) goto legacy; - - if (ctx->op.sig.signature->verify_recover == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; - } ret = ctx->op.sig.signature->verify_recover(ctx->op.sig.algctx, rout, Index: /trunk/src/libs/openssl-3.1.7/crypto/init.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/init.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/init.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -98,17 +98,15 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_register_atexit) { -#ifndef OPENSSL_NO_ATEXIT -# ifdef OPENSSL_INIT_DEBUG +#ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_register_atexit()\n"); -# endif -# ifndef OPENSSL_SYS_UEFI -# if defined(_WIN32) && !defined(__BORLANDC__) +#endif +#ifndef OPENSSL_SYS_UEFI +# if defined(_WIN32) && !defined(__BORLANDC__) /* We use _onexit() in preference because it gets called on DLL unload */ if (_onexit(win32atexit) == NULL) return 0; -# else +# else if (atexit(OPENSSL_cleanup) != 0) return 0; -# endif # endif #endif Index: /trunk/src/libs/openssl-3.1.7/crypto/o_str.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/o_str.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/o_str.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2003-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -230,6 +230,4 @@ size_t len = has_sep ? buflen * 3 : 1 + buflen * 2; - if (len == 0) - ++len; if (strlength != NULL) *strlength = len; @@ -237,5 +235,5 @@ return 1; - if (str_n < len) { + if (str_n < (unsigned long)len) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER); return 0; @@ -249,10 +247,10 @@ *q++ = sep; } - if (has_sep && buflen > 0) + if (has_sep) --q; *q = CH_ZERO; #ifdef CHARSET_EBCDIC - ebcdic2ascii(str, str, q - str); + ebcdic2ascii(str, str, q - str - 1); #endif return 1; Index: /trunk/src/libs/openssl-3.1.7/crypto/objects/obj_dat.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/objects/obj_dat.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/objects/obj_dat.c (revision 105949) @@ -274,5 +274,5 @@ { ASN1_OBJECT *o = NULL; - ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop[4]; + ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop; int i; @@ -307,19 +307,7 @@ ao[i]->type = i; ao[i]->obj = o; - aop[i] = lh_ADDED_OBJ_retrieve(added, ao[i]); - if (aop[i] != NULL) - aop[i]->type = -1; - (void)lh_ADDED_OBJ_insert(added, ao[i]); - if (lh_ADDED_OBJ_error(added)) { - if (aop[i] != NULL) - aop[i]->type = i; - while (i-- > ADDED_DATA) { - lh_ADDED_OBJ_delete(added, ao[i]); - if (aop[i] != NULL) - aop[i]->type = i; - } - ERR_raise(ERR_LIB_OBJ, ERR_R_CRYPTO_LIB); - goto err; - } + aop = lh_ADDED_OBJ_insert(added, ao[i]); + /* memory leak, but should not normally matter */ + OPENSSL_free(aop); } } Index: /trunk/src/libs/openssl-3.1.7/crypto/pkcs12/p12_crt.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/pkcs12/p12_crt.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/pkcs12/p12_crt.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -214,17 +214,14 @@ goto err; if (nid_key != -1) { - /* This call does not take ownership of p8 */ bag = PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(nid_key, pass, -1, NULL, 0, iter, p8, ctx, propq); - } else { + PKCS8_PRIV_KEY_INFO_free(p8); + } else bag = PKCS12_SAFEBAG_create0_p8inf(p8); - if (bag != NULL) - p8 = NULL; /* bag takes ownership of p8 */ - } - /* This does not need to be in the error path */ - if (p8 != NULL) - PKCS8_PRIV_KEY_INFO_free(p8); - - if (bag == NULL || !pkcs12_add_bag(pbags, bag)) + + if (!bag) + goto err; + + if (!pkcs12_add_bag(pbags, bag)) goto err; Index: /trunk/src/libs/openssl-3.1.7/crypto/pkcs7/pk7_doit.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/pkcs7/pk7_doit.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/pkcs7/pk7_doit.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1240,28 +1240,35 @@ { X509_ATTRIBUTE *attr = NULL; - int i, n; if (*sk == NULL) { if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL) return 0; - } - n = sk_X509_ATTRIBUTE_num(*sk); - for (i = 0; i < n; i++) { - attr = sk_X509_ATTRIBUTE_value(*sk, i); - if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) - goto end; - } - if (!sk_X509_ATTRIBUTE_push(*sk, NULL)) - return 0; - + new_attrib: + if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL) + return 0; + if (!sk_X509_ATTRIBUTE_push(*sk, attr)) { + X509_ATTRIBUTE_free(attr); + return 0; + } + } else { + int i; + + for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) { + attr = sk_X509_ATTRIBUTE_value(*sk, i); + if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) { + X509_ATTRIBUTE_free(attr); + attr = X509_ATTRIBUTE_create(nid, atrtype, value); + if (attr == NULL) + return 0; + if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) { + X509_ATTRIBUTE_free(attr); + return 0; + } + goto end; + } + } + goto new_attrib; + } end: - attr = X509_ATTRIBUTE_create(nid, atrtype, value); - if (attr == NULL) { - if (i == n) - sk_X509_ATTRIBUTE_pop(*sk); - return 0; - } - X509_ATTRIBUTE_free(sk_X509_ATTRIBUTE_value(*sk, i)); - (void) sk_X509_ATTRIBUTE_set(*sk, i, attr); return 1; } Index: /trunk/src/libs/openssl-3.1.7/crypto/property/property.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/property/property.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/property/property.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * @@ -97,6 +97,4 @@ DEFINE_SPARSE_ARRAY_OF(ALGORITHM); -DEFINE_STACK_OF(ALGORITHM) - typedef struct ossl_global_properties_st { OSSL_PROPERTY_LIST *list; @@ -464,9 +462,19 @@ } -static void alg_copy(ossl_uintmax_t idx, ALGORITHM *alg, void *arg) -{ - STACK_OF(ALGORITHM) *newalg = arg; - - (void)sk_ALGORITHM_push(newalg, alg); +struct alg_do_each_data_st { + void (*fn)(int id, void *method, void *fnarg); + void *fnarg; +}; + +static void alg_do_each(ossl_uintmax_t idx, ALGORITHM *alg, void *arg) +{ + struct alg_do_each_data_st *data = arg; + int i, end = sk_IMPLEMENTATION_num(alg->impls); + + for (i = 0; i < end; i++) { + IMPLEMENTATION *impl = sk_IMPLEMENTATION_value(alg->impls, i); + + alg_do_one(alg, impl, data->fn, data->fnarg); + } } @@ -475,32 +483,10 @@ void *fnarg) { - int i, j; - int numalgs, numimps; - STACK_OF(ALGORITHM) *tmpalgs; - ALGORITHM *alg; - - if (store != NULL) { - - if (!ossl_property_read_lock(store)) - return; - - tmpalgs = sk_ALGORITHM_new_reserve(NULL, - ossl_sa_ALGORITHM_num(store->algs)); - if (tmpalgs == NULL) { - ossl_property_unlock(store); - return; - } - - ossl_sa_ALGORITHM_doall_arg(store->algs, alg_copy, tmpalgs); - ossl_property_unlock(store); - numalgs = sk_ALGORITHM_num(tmpalgs); - for (i = 0; i < numalgs; i++) { - alg = sk_ALGORITHM_value(tmpalgs, i); - numimps = sk_IMPLEMENTATION_num(alg->impls); - for (j = 0; j < numimps; j++) - alg_do_one(alg, sk_IMPLEMENTATION_value(alg->impls, j), fn, fnarg); - } - sk_ALGORITHM_free(tmpalgs); - } + struct alg_do_each_data_st data; + + data.fn = fn; + data.fnarg = fnarg; + if (store != NULL) + ossl_sa_ALGORITHM_doall_arg(store->algs, alg_do_each, &data); } @@ -658,11 +644,8 @@ { IMPL_CACHE_FLUSH *state = (IMPL_CACHE_FLUSH *)v; - unsigned long orig_down_load = lh_QUERY_get_down_load(alg->cache); state->cache = alg->cache; - lh_QUERY_set_down_load(alg->cache, 0); lh_QUERY_doall_IMPL_CACHE_FLUSH(state->cache, &impl_cache_flush_cache, state); - lh_QUERY_set_down_load(alg->cache, orig_down_load); } Index: /trunk/src/libs/openssl-3.1.7/crypto/property/property_parse.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/property/property_parse.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/property/property_parse.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * @@ -15,5 +15,4 @@ #include "internal/propertyerr.h" #include "internal/property.h" -#include "internal/numbers.h" #include "crypto/ctype.h" #include "internal/nelem.h" Index: /trunk/src/libs/openssl-3.1.7/crypto/provider_core.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/provider_core.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/provider_core.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -560,13 +560,6 @@ /* provider_new() generates an error, so no need here */ - prov = provider_new(name, template.init, template.parameters); - - if (prov == NULL) + if ((prov = provider_new(name, template.init, template.parameters)) == NULL) return NULL; - - if (!ossl_provider_set_module_path(prov, template.path)) { - ossl_provider_free(prov); - return NULL; - } prov->libctx = libctx; Index: /trunk/src/libs/openssl-3.1.7/crypto/rand/randfile.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/rand/randfile.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/rand/randfile.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -17,5 +17,4 @@ #endif -#include "internal/e_os.h" #include "internal/cryptlib.h" @@ -214,14 +213,6 @@ */ int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600); - - if (fd != -1) { + if (fd != -1) out = fdopen(fd, "wb"); - if (out == NULL) { - close(fd); - ERR_raise_data(ERR_LIB_RAND, RAND_R_CANNOT_OPEN_FILE, - "Filename=%s", file); - return -1; - } - } } #endif Index: /trunk/src/libs/openssl-3.1.7/crypto/rsa/rsa_oaep.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/rsa/rsa_oaep.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/rsa/rsa_oaep.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -187,5 +187,5 @@ mdlen = EVP_MD_get_size(md); - if (tlen <= 0 || flen <= 0 || mdlen <= 0) + if (tlen <= 0 || flen <= 0) return -1; /* Index: /trunk/src/libs/openssl-3.1.7/crypto/sha/build.info =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/sha/build.info (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/sha/build.info (revision 105949) @@ -89,5 +89,5 @@ # the static libcrypto.a has, and doesn't need it added again. IF[{- !$disabled{module} && !$disabled{shared} -}] - DEFINE[../../providers/liblegacy.a]=$SHA1DEF $KECCAK1600DEF + DEFINE[../providers/liblegacy.a]=$SHA1DEF $KECCAK1600DEF ENDIF Index: /trunk/src/libs/openssl-3.1.7/crypto/sm2/sm2_crypt.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/sm2/sm2_crypt.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/sm2/sm2_crypt.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. @@ -66,16 +66,4 @@ return field_size; -} - -static int is_all_zeros(const unsigned char *msg, size_t msglen) -{ - unsigned char re = 0; - size_t i; - - for (i = 0; i < msglen; i++) { - re |= msg[i]; - } - - return re == 0 ? 1 : 0; } @@ -192,11 +180,4 @@ memset(ciphertext_buf, 0, *ciphertext_len); - msg_mask = OPENSSL_zalloc(msg_len); - if (msg_mask == NULL) { - ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); - goto done; - } - -again: if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); @@ -218,4 +199,10 @@ } + msg_mask = OPENSSL_zalloc(msg_len); + if (msg_mask == NULL) { + ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); + goto done; + } + /* X9.63 with no salt happens to match the KDF used in SM2 */ if (!ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, @@ -223,9 +210,4 @@ ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); goto done; - } - - if (is_all_zeros(msg_mask, msg_len)) { - memset(x2y2, 0, 2 * field_size); - goto again; } @@ -383,9 +365,4 @@ } - if (is_all_zeros(msg_mask, msg_len)) { - ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING); - goto done; - } - for (i = 0; i != msg_len; ++i) ptext_buf[i] = C2[i] ^ msg_mask[i]; Index: /trunk/src/libs/openssl-3.1.7/crypto/sm2/sm2_sign.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/sm2/sm2_sign.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/sm2/sm2_sign.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. @@ -29,5 +29,4 @@ int rc = 0; const EC_GROUP *group = EC_KEY_get0_group(key); - const EC_POINT *pubkey = EC_KEY_get0_public_key(key); BN_CTX *ctx = NULL; EVP_MD_CTX *hash = NULL; @@ -44,10 +43,4 @@ uint8_t e_byte = 0; - /* SM2 Signatures require a public key, check for it */ - if (pubkey == NULL) { - ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER); - goto done; - } - hash = EVP_MD_CTX_new(); ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key)); @@ -125,5 +118,5 @@ || !EVP_DigestUpdate(hash, buf, p_bytes) || !EC_POINT_get_affine_coordinates(group, - pubkey, + EC_KEY_get0_public_key(key), xA, yA, ctx) || BN_bn2binpad(xA, buf, p_bytes) < 0 @@ -449,9 +442,4 @@ int ret = -1; - if (sig == NULL) { - ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER); - goto done; - } - e = BN_bin2bn(dgst, dgstlen, NULL); if (e == NULL) { @@ -466,5 +454,5 @@ } - sigleni = i2d_ECDSA_SIG(s, &sig); + sigleni = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL); if (sigleni < 0) { ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); Index: /trunk/src/libs/openssl-3.1.7/crypto/sm4/build.info =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/sm4/build.info (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/sm4/build.info (revision 105949) @@ -26,5 +26,5 @@ # added again. IF[{- !$disabled{module} && !$disabled{shared} -}] - DEFINE[../../providers/liblegacy.a]=$SM4DEF + DEFINE[../providers/liblegacy.a]=$SM4DEF ENDIF Index: /trunk/src/libs/openssl-3.1.7/crypto/x509/v3_addr.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/x509/v3_addr.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/x509/v3_addr.c (revision 105949) @@ -398,9 +398,9 @@ { int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; - IPAddressOrRange *aor; + IPAddressOrRange *aor = IPAddressOrRange_new(); if (prefixlen < 0 || prefixlen > (afilen * 8)) return 0; - if ((aor = IPAddressOrRange_new()) == NULL) + if (aor == NULL) return 0; aor->type = IPAddressOrRange_addressPrefix; Index: /trunk/src/libs/openssl-3.1.7/crypto/x509/v3_utl.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/x509/v3_utl.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/x509/v3_utl.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -917,62 +917,34 @@ gen = sk_GENERAL_NAME_value(gens, i); - switch (gen->type) { - default: - continue; - case GEN_OTHERNAME: - switch (OBJ_obj2nid(gen->d.otherName->type_id)) { - default: + if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) { + if (OBJ_obj2nid(gen->d.otherName->type_id) == + NID_id_on_SmtpUTF8Mailbox) { + san_present = 1; + + /* + * If it is not a UTF8String then that is unexpected and we + * treat it as no match + */ + if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) { + cstr = gen->d.otherName->value->value.utf8string; + + /* Positive on success, negative on error! */ + if ((rv = do_check_string(cstr, 0, equal, flags, + chk, chklen, peername)) != 0) + break; + } + } else continue; - case NID_id_on_SmtpUTF8Mailbox: - /*- - * https://datatracker.ietf.org/doc/html/rfc8398#section-3 - * - * Due to name constraint compatibility reasons described - * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT - * be used unless the local-part of the email address - * contains non-ASCII characters. When the local-part is - * ASCII, rfc822Name subjectAltName MUST be used instead - * of SmtpUTF8Mailbox. This is compatible with legacy - * software that supports only rfc822Name (and not - * SmtpUTF8Mailbox). [...] - * - * SmtpUTF8Mailbox is encoded as UTF8String. - * - * If it is not a UTF8String then that is unexpected, and - * we ignore the invalid SAN (neither set san_present nor - * consider it a candidate for equality). This does mean - * that the subject CN may be considered, as would be the - * case when the malformed SmtpUtf8Mailbox SAN is instead - * simply absent. - * - * When CN-ID matching is not desirable, applications can - * choose to turn it off, doing so is at this time a best - * practice. - */ - if (check_type != GEN_EMAIL - || gen->d.otherName->value->type != V_ASN1_UTF8STRING) - continue; - alt_type = 0; - cstr = gen->d.otherName->value->value.utf8string; - break; - } - break; - case GEN_EMAIL: - if (check_type != GEN_EMAIL) + } else { + if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME)) continue; - cstr = gen->d.rfc822Name; - break; - case GEN_DNS: - if (check_type != GEN_DNS) - continue; - cstr = gen->d.dNSName; - break; - case GEN_IPADD: - if (check_type != GEN_IPADD) - continue; - cstr = gen->d.iPAddress; - break; } san_present = 1; + if (check_type == GEN_EMAIL) + cstr = gen->d.rfc822Name; + else if (check_type == GEN_DNS) + cstr = gen->d.dNSName; + else + cstr = gen->d.iPAddress; /* Positive on success, negative on error! */ if ((rv = do_check_string(cstr, alt_type, equal, flags, Index: /trunk/src/libs/openssl-3.1.7/crypto/x509/x_name.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/crypto/x509/x_name.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/crypto/x509/x_name.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -477,6 +477,6 @@ ltmp = ASN1_item_ex_i2d(&v, in, ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1); - if (ltmp < 0 || len > INT_MAX - ltmp) - return -1; + if (ltmp < 0) + return ltmp; len += ltmp; } Index: /trunk/src/libs/openssl-3.1.7/test/bad_dtls_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/bad_dtls_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/bad_dtls_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -505,4 +505,5 @@ || !TEST_true(SSL_set_session(con, sess))) goto end; + SSL_SESSION_free(sess); rbio = BIO_new(BIO_s_mem()); @@ -592,5 +593,4 @@ end: - SSL_SESSION_free(sess); BIO_free(rbio); BIO_free(wbio); Index: /trunk/src/libs/openssl-3.1.7/test/build.info =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/build.info (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/build.info (revision 105949) @@ -41,5 +41,5 @@ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ evp_fetch_prov_test evp_libctx_test ossl_store_test \ - v3nametest v3ext punycode_test evp_byname_test \ + v3nametest v3ext punycode_test \ crltest danetest bad_dtls_test lhash_test sparse_array_test \ conf_include_test params_api_test params_conversion_test \ @@ -306,8 +306,4 @@ DEPEND[punycode_test]=../libcrypto.a libtestutil.a - SOURCE[evp_byname_test]=evp_byname_test.c - INCLUDE[evp_byname_test]=../include ../apps/include - DEPEND[evp_byname_test]=../libcrypto libtestutil.a - SOURCE[stack_test]=stack_test.c INCLUDE[stack_test]=../include ../apps/include @@ -879,5 +875,4 @@ IF[{- $disabled{module} || !$target{dso_scheme} -}] DEFINE[provider_test]=NO_PROVIDER_MODULE - DEFINE[prov_config_test]=NO_PROVIDER_MODULE DEFINE[provider_internal_test]=NO_PROVIDER_MODULE ENDIF Index: /trunk/src/libs/openssl-3.1.7/test/cmp_hdr_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/cmp_hdr_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/cmp_hdr_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 @@ -72,28 +72,23 @@ static int execute_HDR_get0_senderNonce_test(CMP_HDR_TEST_FIXTURE *fixture) { - int res = 0; X509_NAME *sender = X509_NAME_new(); ASN1_OCTET_STRING *sn; if (!TEST_ptr(sender)) - goto err; + return 0; X509_NAME_ADD(sender, "CN", "A common sender name"); if (!TEST_int_eq(OSSL_CMP_CTX_set1_subjectName(fixture->cmp_ctx, sender), 1)) - goto err; + return 0; if (!TEST_int_eq(ossl_cmp_hdr_init(fixture->cmp_ctx, fixture->hdr), 1)) - goto err; + return 0; sn = ossl_cmp_hdr_get0_senderNonce(fixture->hdr); if (!TEST_int_eq(ASN1_OCTET_STRING_cmp(fixture->cmp_ctx->senderNonce, sn), 0)) - goto err; - - res = 1; -err: + return 0; X509_NAME_free(sender); - - return res; + return 1; } @@ -108,26 +103,21 @@ static int execute_HDR_set1_sender_test(CMP_HDR_TEST_FIXTURE *fixture) { - int res = 0; X509_NAME *x509name = X509_NAME_new(); if (!TEST_ptr(x509name)) - goto err; + return 0; X509_NAME_ADD(x509name, "CN", "A common sender name"); if (!TEST_int_eq(ossl_cmp_hdr_set1_sender(fixture->hdr, x509name), 1)) - goto err; - + return 0; if (!TEST_int_eq(fixture->hdr->sender->type, GEN_DIRNAME)) - goto err; + return 0; if (!TEST_int_eq(X509_NAME_cmp(fixture->hdr->sender->d.directoryName, x509name), 0)) - goto err; - - res = 1; -err: + return 0; + X509_NAME_free(x509name); - - return res; + return 1; } @@ -142,26 +132,22 @@ static int execute_HDR_set1_recipient_test(CMP_HDR_TEST_FIXTURE *fixture) { - int res = 0; X509_NAME *x509name = X509_NAME_new(); if (!TEST_ptr(x509name)) - goto err; + return 0; X509_NAME_ADD(x509name, "CN", "A common recipient name"); if (!TEST_int_eq(ossl_cmp_hdr_set1_recipient(fixture->hdr, x509name), 1)) - goto err; + return 0; if (!TEST_int_eq(fixture->hdr->recipient->type, GEN_DIRNAME)) - goto err; + return 0; if (!TEST_int_eq(X509_NAME_cmp(fixture->hdr->recipient->d.directoryName, x509name), 0)) - goto err; - - res = 1; -err: + return 0; + X509_NAME_free(x509name); - - return res; + return 1; } @@ -218,5 +204,5 @@ if (!TEST_ptr(senderKID)) - goto err; + return 0; if (!TEST_int_eq(ASN1_OCTET_STRING_set(senderKID, rand_data, @@ -280,5 +266,5 @@ if (!TEST_ptr(text)) - goto err; + return 0; if (!ASN1_STRING_set(text, "A free text", -1)) @@ -295,5 +281,4 @@ err: ASN1_UTF8STRING_free(text); - return res; } Index: /trunk/src/libs/openssl-3.1.7/test/crltest.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/crltest.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/crltest.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -102,11 +102,4 @@ }; -static const char *kInvalidCRL[] = { - "-----BEGIN X509 CRL-----\n", - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", - "-----END X509 CRL-----\n", - NULL -}; - static const char *kBadIssuerCRL[] = { "-----BEGIN X509 CRL-----\n", @@ -379,56 +372,22 @@ } -static int test_reuse_crl(int idx) -{ - X509_CRL *result, *reused_crl = CRL_from_strings(kBasicCRL); - X509_CRL *addref_crl = NULL; - char *p = NULL; - BIO *b = NULL; - int r = 0; - - if (!TEST_ptr(reused_crl)) - goto err; - - if (idx & 1) { - if (!TEST_true(X509_CRL_up_ref(reused_crl))) - goto err; - addref_crl = reused_crl; +static int test_reuse_crl(void) +{ + X509_CRL *reused_crl = CRL_from_strings(kBasicCRL); + char *p; + BIO *b = glue2bio(kRevokedCRL, &p); + + if (b == NULL) { + OPENSSL_free(p); + X509_CRL_free(reused_crl); + return 0; } - idx >>= 1; - b = glue2bio(idx == 2 ? kRevokedCRL : kInvalidCRL + idx, &p); - - if (!TEST_ptr(b)) - goto err; - - result = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); - - switch (idx) { - case 0: /* valid PEM + invalid DER */ - if (!TEST_ptr_null(result) - || !TEST_ptr_null(reused_crl)) - goto err; - break; - case 1: /* invalid PEM */ - if (!TEST_ptr_null(result) - || !TEST_ptr(reused_crl)) - goto err; - break; - case 2: - if (!TEST_ptr(result) - || !TEST_ptr(reused_crl) - || !TEST_ptr_eq(result, reused_crl)) - goto err; - break; - } - - r = 1; - - err: + reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); + OPENSSL_free(p); BIO_free(b); X509_CRL_free(reused_crl); - X509_CRL_free(addref_crl); - return r; + return 1; } @@ -444,5 +403,5 @@ ADD_TEST(test_known_critical_crl); ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls)); - ADD_ALL_TESTS(test_reuse_crl, 6); + ADD_TEST(test_reuse_crl); return 1; } Index: /trunk/src/libs/openssl-3.1.7/test/ct_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ct_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ct_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -451,16 +451,11 @@ fixture->sct_list = sk_SCT_new_null(); if (fixture->sct_list == NULL) - { - tear_down(fixture); - return 0; - } + return 0; if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id, CT_LOG_ENTRY_TYPE_X509, timestamp, extensions, signature))) - { - tear_down(fixture); + return 0; - } sk_SCT_push(fixture->sct_list, sct); Index: /trunk/src/libs/openssl-3.1.7/test/dsatest.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/dsatest.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/dsatest.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -333,5 +333,4 @@ BIGNUM *badq = NULL, *badpriv = NULL; const unsigned char msg[] = { 0x00 }; - unsigned int signature_len0; unsigned int signature_len; unsigned char signature[64]; @@ -377,11 +376,8 @@ /* Test passing signature as NULL */ - if (!TEST_true(DSA_sign(0, msg, sizeof(msg), NULL, &signature_len0, dsa)) - || !TEST_int_gt(signature_len0, 0)) - goto err; - - if (!TEST_true(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa)) - || !TEST_int_gt(signature_len, 0) - || !TEST_int_le(signature_len, signature_len0)) + if (!TEST_true(DSA_sign(0, msg, sizeof(msg), NULL, &signature_len, dsa))) + goto err; + + if (!TEST_true(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) goto err; Index: /trunk/src/libs/openssl-3.1.7/test/ecdsatest.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ecdsatest.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ecdsatest.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * @@ -351,37 +351,13 @@ { int ret; - unsigned int siglen0; unsigned int siglen; unsigned char dgst[128] = { 0 }; EC_KEY *eckey = NULL; - unsigned char *sig = NULL; - BIGNUM *kinv = NULL, *rp = NULL; ret = TEST_ptr(eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) && TEST_int_eq(EC_KEY_generate_key(eckey), 1) - && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), NULL, &siglen0, - eckey), 1) - && TEST_int_gt(siglen0, 0) - && TEST_ptr(sig = OPENSSL_malloc(siglen0)) - && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), sig, &siglen, - eckey), 1) - && TEST_int_gt(siglen, 0) - && TEST_int_le(siglen, siglen0) - && TEST_int_eq(ECDSA_verify(0, dgst, sizeof(dgst), sig, siglen, - eckey), 1) - && TEST_int_eq(ECDSA_sign_setup(eckey, NULL, &kinv, &rp), 1) - && TEST_int_eq(ECDSA_sign_ex(0, dgst, sizeof(dgst), NULL, &siglen, - kinv, rp, eckey), 1) - && TEST_int_gt(siglen, 0) - && TEST_int_le(siglen, siglen0) - && TEST_int_eq(ECDSA_sign_ex(0, dgst, sizeof(dgst), sig, &siglen0, - kinv, rp, eckey), 1) - && TEST_int_eq(siglen, siglen0) - && TEST_int_eq(ECDSA_verify(0, dgst, sizeof(dgst), sig, siglen, - eckey), 1); + && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), NULL, &siglen, eckey), 1) + && TEST_int_gt(siglen, 0); EC_KEY_free(eckey); - OPENSSL_free(sig); - BN_free(kinv); - BN_free(rp); return ret; } Index: /trunk/src/libs/openssl-3.1.7/test/ecstresstest.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ecstresstest.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ecstresstest.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); @@ -80,5 +80,5 @@ group)) || !TEST_ptr(result = walk_curve(group, point, num_repeats))) - goto err; + return 0; if (print_mode) { Index: /trunk/src/libs/openssl-3.1.7/test/endecode_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/endecode_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/endecode_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1033,8 +1033,4 @@ IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC") # endif -# ifndef OPENSSL_NO_SM2 -KEYS(SM2); -IMPLEMENT_TEST_SUITE(SM2, "SM2", 0) -# endif KEYS(ED25519); IMPLEMENT_TEST_SUITE(ED25519, "ED25519", 1) @@ -1342,5 +1338,7 @@ /* FIPS(3.0.0): provider imports explicit params but they won't work #17998 */ - is_fips_3_0_0 = is_fips && fips_provider_version_eq(testctx, 3, 0, 0); + is_fips_3_0_0 = fips_provider_version_eq(testctx, 3, 0, 0); + if (is_fips_3_0_0 < 0) + return 0; #ifdef STATIC_LEGACY @@ -1400,7 +1398,4 @@ MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit); # endif -# ifndef OPENSSL_NO_SM2 - MAKE_KEYS(SM2, "SM2", NULL); -# endif MAKE_KEYS(ED25519, "ED25519", NULL); MAKE_KEYS(ED448, "ED448", NULL); @@ -1449,10 +1444,4 @@ ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); # endif -# ifndef OPENSSL_NO_SM2 - if (!is_fips_3_0_0) { - /* 3.0.0 FIPS provider imports explicit EC params and then fails. */ - ADD_TEST_SUITE(SM2); - } -# endif ADD_TEST_SUITE(ED25519); ADD_TEST_SUITE(ED448); @@ -1512,7 +1501,4 @@ FREE_DOMAIN_KEYS(ECExplicitTri2G); # endif -# ifndef OPENSSL_NO_SM2 - FREE_KEYS(SM2); -# endif FREE_KEYS(ED25519); FREE_KEYS(ED448); Index: /trunk/src/libs/openssl-3.1.7/test/evp_extra_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/evp_extra_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/evp_extra_test.c (revision 105949) @@ -1101,5 +1101,5 @@ eckey = NULL; - for (;;) { + while (dup_pk == NULL) { ret = 0; ctx = EVP_MD_CTX_new(); @@ -1117,7 +1117,4 @@ ctx = NULL; - if (dup_pk != NULL) - break; - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey))) goto err; @@ -1129,5 +1126,4 @@ goto err; } - ret = 1; err: @@ -2559,45 +2555,4 @@ 0x68, 0x81, 0xa5, 0x3e, 0x5b, 0x9c, 0x7b, 0x6f, 0x2e, 0xec, 0xc8, 0x47, 0x7c, 0xfa, 0x47, 0x35, 0x66, 0x82, 0x15, 0x30 - }; - size_t expectedlen = sizeof(expected); - - if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq))) - goto done; - - outlen = sizeof(out); - memset(out, 0, outlen); - - if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0) - || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, - sizeof(salt) - 1), 0) - || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key, - sizeof(key) - 1), 0) - || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, - sizeof(info) - 1), 0) - || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0) - || !TEST_mem_eq(out, outlen, expected, expectedlen)) - goto done; - - ret = 1; - - done: - EVP_PKEY_CTX_free(pctx); - - return ret; -} - -static int test_empty_salt_info_HKDF(void) -{ - EVP_PKEY_CTX *pctx; - unsigned char out[20]; - size_t outlen; - int ret = 0; - unsigned char salt[] = ""; - unsigned char key[] = "012345678901234567890123456789"; - unsigned char info[] = ""; - const unsigned char expected[] = { - 0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a, - 0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06, }; size_t expectedlen = sizeof(expected); @@ -4721,5 +4676,4 @@ static int test_custom_md_meth(void) { - ASN1_OBJECT *o = NULL; EVP_MD_CTX *mdctx = NULL; EVP_MD *tmp = NULL; @@ -4767,19 +4721,6 @@ goto err; - if (!TEST_int_eq(OBJ_create("1.3.6.1.4.1.16604.998866.1", - "custom-md", "custom-md"), NID_undef) - || !TEST_int_eq(ERR_GET_LIB(ERR_peek_error()), ERR_LIB_OBJ) - || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), OBJ_R_OID_EXISTS)) - goto err; - - o = ASN1_OBJECT_create(nid, (unsigned char *) - "\53\6\1\4\1\201\201\134\274\373\122\1", 12, - "custom-md", "custom-md"); - if (!TEST_int_eq(OBJ_add_object(o), nid)) - goto err; - testresult = 1; err: - ASN1_OBJECT_free(o); EVP_MD_CTX_free(mdctx); EVP_MD_meth_free(tmp); @@ -5366,23 +5307,4 @@ #endif -static int test_invalid_ctx_for_digest(void) -{ - int ret; - EVP_MD_CTX *mdctx; - - mdctx = EVP_MD_CTX_new(); - if (!TEST_ptr(mdctx)) - return 0; - - if (!TEST_int_eq(EVP_DigestUpdate(mdctx, "test", sizeof("test") - 1), 0)) - ret = 0; - else - ret = 1; - - EVP_MD_CTX_free(mdctx); - - return ret; -} - int setup_tests(void) { @@ -5462,5 +5384,4 @@ ADD_TEST(test_HKDF); ADD_TEST(test_emptyikm_HKDF); - ADD_TEST(test_empty_salt_info_HKDF); #ifndef OPENSSL_NO_EC ADD_TEST(test_X509_PUBKEY_inplace); @@ -5550,6 +5471,4 @@ #endif - ADD_TEST(test_invalid_ctx_for_digest); - return 1; } Index: /trunk/src/libs/openssl-3.1.7/test/evp_kdf_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/evp_kdf_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/evp_kdf_test.c (revision 105949) @@ -1859,62 +1859,4 @@ } -/* Test that changing the KBKDF algorithm from KMAC to HMAC works correctly */ -static int test_kbkdf_mac_change(void) -{ - int ret = 0; - EVP_KDF_CTX *kctx = NULL; - OSSL_PARAM params[9], *p = params; - /* Test data taken from the evptest corpus */ - int l = 0, sep = 0, r = 8; - static /* const */ unsigned char key[] = { - 0x3e, 0xdc, 0x6b, 0x5b, 0x8f, 0x7a, 0xad, 0xbd, - 0x71, 0x37, 0x32, 0xb4, 0x82, 0xb8, 0xf9, 0x79, - 0x28, 0x6e, 0x1e, 0xa3, 0xb8, 0xf8, 0xf9, 0x9c, - 0x30, 0xc8, 0x84, 0xcf, 0xe3, 0x34, 0x9b, 0x83 - }; - static /* const */ unsigned char info[] = { - 0x98, 0xe9, 0x98, 0x8b, 0xb4, 0xcc, 0x8b, 0x34, - 0xd7, 0x92, 0x2e, 0x1c, 0x68, 0xad, 0x69, 0x2b, - 0xa2, 0xa1, 0xd9, 0xae, 0x15, 0x14, 0x95, 0x71, - 0x67, 0x5f, 0x17, 0xa7, 0x7a, 0xd4, 0x9e, 0x80, - 0xc8, 0xd2, 0xa8, 0x5e, 0x83, 0x1a, 0x26, 0x44, - 0x5b, 0x1f, 0x0f, 0xf4, 0x4d, 0x70, 0x84, 0xa1, - 0x72, 0x06, 0xb4, 0x89, 0x6c, 0x81, 0x12, 0xda, - 0xad, 0x18, 0x60, 0x5a - }; - static const unsigned char output[] = { - 0x6c, 0x03, 0x76, 0x52, 0x99, 0x06, 0x74, 0xa0, - 0x78, 0x44, 0x73, 0x2d, 0x0a, 0xd9, 0x85, 0xf9 - }; - unsigned char out[sizeof(output)]; - - params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, - OSSL_MAC_NAME_KMAC128, 0); - params[1] = OSSL_PARAM_construct_end(); - if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KBKDF)) - || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))) - goto err; - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, "COUNTER", 0); - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, "HMAC", 0); - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, "SHA256", 0); - *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &l); - *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, &sep); - *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_R, &r); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, - key, sizeof(key)); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, - info, sizeof(info)); - *p = OSSL_PARAM_construct_end(); - if (!TEST_true(EVP_KDF_derive(kctx, out, sizeof(out), params)) - || !TEST_mem_eq(out, sizeof(out), output, sizeof(output))) - goto err; - - ret = 1; -err: - EVP_KDF_CTX_free(kctx); - return ret; -} - int setup_tests(void) { @@ -1978,5 +1920,4 @@ #endif ADD_TEST(test_kdf_krb5kdf); - ADD_TEST(test_kbkdf_mac_change); return 1; } Index: /trunk/src/libs/openssl-3.1.7/test/evp_pkey_provided_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/evp_pkey_provided_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/evp_pkey_provided_test.c (revision 105949) @@ -390,5 +390,5 @@ goto err; - for (;;) { + while (dup_pk == NULL) { ret = 0; if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32) @@ -418,8 +418,5 @@ && test_print_key_using_encoder("RSA", pk); - if (!ret || dup_pk != NULL) - break; - - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) goto err; ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); @@ -606,5 +603,5 @@ goto err; - for (;;) { + while (dup_pk == NULL) { ret = 0; if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 2048) @@ -686,8 +683,5 @@ && test_print_key_using_encoder("DH", pk); - if (!ret || dup_pk != NULL) - break; - - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) goto err; ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); @@ -790,5 +784,5 @@ goto err; - for (;;) { + while (dup_pk == NULL) { ret = 0; if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 2048) @@ -864,8 +858,5 @@ && test_print_key_using_encoder("DH", pk); - if (!ret || dup_pk != NULL) - break; - - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) goto err; ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); @@ -1100,5 +1091,5 @@ goto err; - for (;;) { + while (dup_pk == NULL) { ret = 0; if (!TEST_int_eq(EVP_PKEY_get_bits(pk), bits) @@ -1155,8 +1146,5 @@ && test_print_key_using_encoder(alg, pk); - if (!ret || dup_pk != NULL) - break; - - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) goto err; ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); @@ -1275,5 +1263,5 @@ goto err; - for (;;) { + while (dup_pk == NULL) { ret = 0; if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 256) @@ -1313,13 +1301,4 @@ || !TEST_BN_eq(group_b, b)) goto err; - - EC_GROUP_free(group); - group = NULL; - BN_free(group_p); - group_p = NULL; - BN_free(group_a); - group_a = NULL; - BN_free(group_b); - group_b = NULL; if (!EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_GROUP_NAME, @@ -1351,8 +1330,5 @@ && test_print_key_using_encoder(alg, pk); - if (!ret || dup_pk != NULL) - break; - - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) goto err; ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); @@ -1600,5 +1576,5 @@ goto err; - for (;;) { + while (dup_pk == NULL) { ret = 0; if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 2048) @@ -1649,10 +1625,10 @@ || !TEST_int_eq(pcounter, pcounter_out)) goto err; - BN_free(p_out); - p_out = NULL; - BN_free(q_out); - q_out = NULL; - BN_free(g_out); - g_out = NULL; + BN_free(p); + p = NULL; + BN_free(q); + q = NULL; + BN_free(g); + g = NULL; BN_free(j_out); j_out = NULL; @@ -1682,8 +1658,5 @@ && test_print_key_using_encoder("DSA", pk); - if (!ret || dup_pk != NULL) - break; - - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) goto err; ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); Index: /trunk/src/libs/openssl-3.1.7/test/evp_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/evp_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/evp_test.c (revision 105949) @@ -2791,7 +2791,5 @@ return 0; p = strchr(name, ':'); - if (p == NULL) - p = ""; - else + if (p != NULL) *p++ = '\0'; @@ -2804,5 +2802,5 @@ rv = OSSL_PARAM_allocate_from_text(kdata->p, defs, name, p, - strlen(p), NULL); + p != NULL ? strlen(p) : 0, NULL); *++kdata->p = OSSL_PARAM_construct_end(); if (!rv) { @@ -2811,5 +2809,5 @@ return 0; } - if (strcmp(name, "digest") == 0) { + if (p != NULL && strcmp(name, "digest") == 0) { if (is_digest_disabled(p)) { TEST_info("skipping, '%s' is disabled", p); @@ -2818,7 +2816,7 @@ goto end; } - - if ((strcmp(name, "cipher") == 0 - || strcmp(name, "cekalg") == 0) + if (p != NULL + && (strcmp(name, "cipher") == 0 + || strcmp(name, "cekalg") == 0) && is_cipher_disabled(p)) { TEST_info("skipping, '%s' is disabled", p); @@ -2826,5 +2824,6 @@ goto end; } - if ((strcmp(name, "mac") == 0) + if (p != NULL + && (strcmp(name, "mac") == 0) && is_mac_disabled(p)) { TEST_info("skipping, '%s' is disabled", p); Index: /trunk/src/libs/openssl-3.1.7/test/helpers/handshake.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/helpers/handshake.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/helpers/handshake.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -348,10 +348,4 @@ len = strlen(protos); - - if (len == 0) { - *out = NULL; - *outlen = 0; - return 1; - } /* Should never have reuse. */ Index: /trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -8,15 +8,6 @@ */ -/* - * We need access to the deprecated low level ENGINE APIs for legacy purposes - * when the deprecated calls are not hidden - */ -#ifndef OPENSSL_NO_DEPRECATED_3_0 -# define OPENSSL_SUPPRESS_DEPRECATED -#endif - #include -#include #include "internal/nelem.h" #include "ssltestlib.h" @@ -1192,26 +1183,2 @@ SSL_free(clientssl); } - -ENGINE *load_dasync(void) -{ -#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) - ENGINE *e; - - if (!TEST_ptr(e = ENGINE_by_id("dasync"))) - return NULL; - - if (!TEST_true(ENGINE_init(e))) { - ENGINE_free(e); - return NULL; - } - - if (!TEST_true(ENGINE_register_ciphers(e))) { - ENGINE_free(e); - return NULL; - } - - return e; -#else - return NULL; -#endif -} Index: /trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.h =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.h (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.h (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -60,4 +60,3 @@ DEFINE_STACK_OF(MEMPACKET) -ENGINE *load_dasync(void); #endif /* OSSL_TEST_SSLTESTLIB_H */ Index: /trunk/src/libs/openssl-3.1.7/test/hexstr_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/hexstr_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/hexstr_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); @@ -121,12 +121,7 @@ return TEST_true(OPENSSL_hexstr2buf_ex(buf, sizeof(buf), &len, test->in, ':')) && TEST_mem_eq(buf, len, test->expected, test->expected_len) - && TEST_false(OPENSSL_buf2hexstr_ex(out, 3 * len - 1, NULL, buf, len, - ':')) && TEST_true(OPENSSL_buf2hexstr_ex(out, sizeof(out), NULL, buf, len, - ':')) - && TEST_str_eq(out, test->in) - && TEST_true(OPENSSL_buf2hexstr_ex(out, sizeof(out), NULL, buf, 0, - ':')) - && TEST_size_t_eq(strlen(out), 0); + ':')) + && TEST_str_eq(out, test->in); } Index: /trunk/src/libs/openssl-3.1.7/test/keymgmt_internal_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/keymgmt_internal_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/keymgmt_internal_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -225,5 +225,5 @@ goto err; - for (;;) { + while (dup_pk == NULL) { ret = 0; km = km3; @@ -256,9 +256,5 @@ ret = (ret == OSSL_NELEM(expected)); - - if (!ret || dup_pk != NULL) - break; - - if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) goto err; Index: /trunk/src/libs/openssl-3.1.7/test/pkey_meth_kdf_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/pkey_meth_kdf_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/pkey_meth_kdf_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -17,5 +17,5 @@ #include "testutil.h" -static int test_kdf_tls1_prf(int index) +static int test_kdf_tls1_prf(void) { int ret = 0; @@ -41,21 +41,8 @@ goto err; } - if (index == 0) { - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, - (unsigned char *)"seed", 4) <= 0) { - TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); - goto err; - } - } else { - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, - (unsigned char *)"se", 2) <= 0) { - TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); - goto err; - } - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, - (unsigned char *)"ed", 2) <= 0) { - TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); - goto err; - } + if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, + (unsigned char *)"seed", 4) <= 0) { + TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); + goto err; } if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { @@ -79,5 +66,5 @@ } -static int test_kdf_hkdf(int index) +static int test_kdf_hkdf(void) { int ret = 0; @@ -108,21 +95,8 @@ goto err; } - if (index == 0) { - if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) + if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) <= 0) { - TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); - goto err; - } - } else { - if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3) - <= 0) { - TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); - goto err; - } - if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2) - <= 0) { - TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); - goto err; - } + TEST_error("EVP_PKEY_CTX_set1_hkdf_info"); + goto err; } if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { @@ -222,11 +196,6 @@ int setup_tests(void) { - int tests = 1; - - if (fips_provider_version_ge(NULL, 3, 3, 1)) - tests = 2; - - ADD_ALL_TESTS(test_kdf_tls1_prf, tests); - ADD_ALL_TESTS(test_kdf_hkdf, tests); + ADD_TEST(test_kdf_tls1_prf); + ADD_TEST(test_kdf_hkdf); #ifndef OPENSSL_NO_SCRYPT ADD_TEST(test_kdf_scrypt); Index: /trunk/src/libs/openssl-3.1.7/test/prov_config_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/prov_config_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/prov_config_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -8,5 +8,4 @@ */ -#include #include #include @@ -15,5 +14,4 @@ static char *configfile = NULL; static char *recurseconfigfile = NULL; -static char *pathedconfig = NULL; /* @@ -27,11 +25,13 @@ EVP_MD *sha256 = NULL; + if (!TEST_ptr(configfile)) + return 0; if (!TEST_ptr(ctx)) return 0; if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, configfile))) - goto err; + return 0; if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, configfile))) - goto err; + return 0; /* Check we can actually fetch something */ @@ -53,4 +53,7 @@ unsigned long err; + if (!TEST_ptr(recurseconfigfile)) + goto err; + if (!TEST_ptr(ctx)) goto err; @@ -63,52 +66,4 @@ if (ERR_GET_REASON(err) == CONF_R_RECURSIVE_SECTION_REFERENCE) testresult = 1; - err: - OSSL_LIB_CTX_free(ctx); - return testresult; -} - -#define P_TEST_PATH "/../test/p_test.so" -static int test_path_config(void) -{ - OSSL_LIB_CTX *ctx = NULL; - OSSL_PROVIDER *prov; - int testresult = 0; - struct stat sbuf; - char *module_path = getenv("OPENSSL_MODULES"); - char *full_path = NULL; - int rc; - - if (!TEST_ptr(module_path)) - return 0; - - full_path = OPENSSL_zalloc(strlen(module_path) + strlen(P_TEST_PATH) + 1); - if (!TEST_ptr(full_path)) - return 0; - - strcpy(full_path, module_path); - full_path = strcat(full_path, P_TEST_PATH); - TEST_info("full path is %s", full_path); - rc = stat(full_path, &sbuf); - OPENSSL_free(full_path); - if (rc == -1) - return TEST_skip("Skipping modulepath test as provider not present"); - - if (!TEST_ptr(pathedconfig)) - return 0; - - ctx = OSSL_LIB_CTX_new(); - if (!TEST_ptr(ctx)) - return 0; - - if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, pathedconfig))) - goto err; - - /* attempt to manually load the test provider */ - if (!TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "test"))) - goto err; - - OSSL_PROVIDER_unload(prov); - - testresult = 1; err: OSSL_LIB_CTX_free(ctx); @@ -131,10 +86,6 @@ return 0; - if (!TEST_ptr(pathedconfig = test_get_argument(2))) - return 0; - ADD_TEST(test_recursive_config); ADD_TEST(test_double_config); - ADD_TEST(test_path_config); return 1; } Index: /trunk/src/libs/openssl-3.1.7/test/provider_fallback_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/provider_fallback_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/provider_fallback_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -40,13 +40,7 @@ ok = TEST_ptr(ctx = OSSL_LIB_CTX_new()) - && TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "default")); - - if (ok) { - ok = test_provider(ctx); - if (ok) - ok = TEST_true(OSSL_PROVIDER_unload(prov)); - else - OSSL_PROVIDER_unload(prov); - } + && TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "default")) + && test_provider(ctx) + && TEST_true(OSSL_PROVIDER_unload(prov)); OSSL_LIB_CTX_free(ctx); Index: /trunk/src/libs/openssl-3.1.7/test/provider_internal_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/provider_internal_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/provider_internal_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -23,5 +23,5 @@ static int test_provider(OSSL_PROVIDER *prov, const char *expected_greeting) { - const char *greeting = "no greeting received"; + const char *greeting = NULL; int ret = 0; Index: /trunk/src/libs/openssl-3.1.7/test/provider_status_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/provider_status_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/provider_status_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -15,5 +15,4 @@ #include #include -#include #include "testutil.h" @@ -149,6 +148,4 @@ OSSL_PARAM params[2]; EVP_MD *fetch = NULL; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *pkey = NULL; if (!TEST_ptr(prov = OSSL_PROVIDER_load(libctx, provider_name))) @@ -167,14 +164,4 @@ EVP_MD_free(fetch); fetch = NULL; - /* Use RNG before triggering on-demand self tests */ - if (!TEST_ptr((pctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL))) - || !TEST_int_gt(EVP_PKEY_keygen_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(pctx, 2048), 0) - || !TEST_int_gt(EVP_PKEY_keygen(pctx, &pkey), 0)) - goto err; - EVP_PKEY_free(pkey); - EVP_PKEY_CTX_free(pctx); - pkey = NULL; - pctx = NULL; /* Test that the provider self test is ok */ Index: /trunk/src/libs/openssl-3.1.7/test/provider_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/provider_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/provider_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -198,5 +198,4 @@ if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, name, PROVIDER_INIT_FUNCTION_NAME))) { - OSSL_PROVIDER_unload(legacy); OSSL_LIB_CTX_free(libctx); return 0; Index: /trunk/src/libs/openssl-3.1.7/test/recipes/03-test_fipsinstall.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/03-test_fipsinstall.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/03-test_fipsinstall.t (revision 105949) @@ -1,4 +1,4 @@ #! /usr/bin/env perl -# Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -207,5 +207,5 @@ '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", - '-section_name', 'fips_sect', '-corrupt_desc', 'SHA2'])), + '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])), "fipsinstall fails when the digest result is corrupted"); Index: /trunk/src/libs/openssl-3.1.7/test/recipes/04-test_conf.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/04-test_conf.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/04-test_conf.t (revision 105949) @@ -1,4 +1,4 @@ #! /usr/bin/env perl -# Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -19,5 +19,4 @@ 'dollarid_on.cnf' => 'dollarid_on.txt', 'dollarid_off.cnf' => 'dollarid_off.txt', - 'oversized_line.cnf' => 'oversized_line.txt', ); Index: /trunk/src/libs/openssl-3.1.7/test/recipes/25-test_eai_data.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/25-test_eai_data.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/25-test_eai_data.t (revision 105949) @@ -1,4 +1,4 @@ #! /usr/bin/env perl -# Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -22,5 +22,5 @@ #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem -plan tests => 16; +plan tests => 12; require_ok(srctop_file('test','recipes','tconversion.pl')); @@ -29,9 +29,7 @@ my $ascii_pem = srctop_file($folder, "ascii_leaf.pem"); my $utf8_pem = srctop_file($folder, "utf8_leaf.pem"); -my $kdc_pem = srctop_file($folder, "kdc-cert.pem"); my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem"); my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem"); -my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem"); my $out; @@ -59,15 +57,7 @@ ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem]))); ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem]))); -ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem]))); ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem]))); ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem]))); - -# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated). -ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated). -ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String. -ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); #Check that we get the expected failure return code Index: /trunk/src/libs/openssl-3.1.7/test/recipes/25-test_req.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/25-test_req.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/25-test_req.t (revision 105949) @@ -16,5 +16,5 @@ setup("test_req"); -plan tests => 50; +plan tests => 49; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -54,5 +54,4 @@ ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3]))); ok(run(app([@addext_args, "-addext", "SXNetID=1:one, 2:two, 3:three"]))); -ok(run(app([@addext_args, "-addext", "subjectAltName=dirName:dirname_sec"]))); # If a CSR is provided with neither of -key or -CA/-CAkey, this should fail. Index: /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_dsa.txt =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_dsa.txt (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_dsa.txt (revision 105949) @@ -1,4 +1,4 @@ # -# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -271,5 +271,4 @@ # Test sign with a 2048 bit key with N == 160 is not allowed in fips mode Availablein = fips -FIPSversion = <3.4.0 DigestSign = SHA256 Key = DSA-2048-160 @@ -326,5 +325,4 @@ # Test sign with a 1024 bit key is not allowed in fips mode Availablein = fips -FIPSversion = <3.4.0 DigestSign = SHA256 Securitycheck = 1 @@ -343,5 +341,4 @@ # Test sign with a 3072 bit key with N == 224 is not allowed in fips mode Availablein = fips -FIPSversion = <3.4.0 DigestSign = SHA256 Securitycheck = 1 @@ -352,5 +349,4 @@ # Test sign with a 4096 bit key is not allowed in fips mode Availablein = fips -FIPSversion = <3.4.0 DigestSign = SHA256 Securitycheck = 1 Index: /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_ecdsa.txt =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_ecdsa.txt (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_ecdsa.txt (revision 105949) @@ -1,4 +1,4 @@ # -# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -217,5 +217,4 @@ # Test that SHA1 is not allowed in fips mode for signing Availablein = fips -FIPSversion = <3.4.0 Sign = P-256 Securitycheck = 1 Index: /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_rsa_common.txt =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_rsa_common.txt (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_rsa_common.txt (revision 105949) @@ -1,4 +1,4 @@ # -# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1345,5 +1345,4 @@ # Signing with SHA1 is not allowed in fips mode Availablein = fips -FIPSversion = <3.4.0 DigestSign = SHA1 Securitycheck = 1 Index: /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_prov_config.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_prov_config.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/30-test_prov_config.t (revision 105949) @@ -1,4 +1,4 @@ #! /usr/bin/env perl -# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -24,6 +24,5 @@ ok(run(test(["prov_config_test", srctop_file("test", "default.cnf"), - srctop_file("test", "recursive.cnf"), - srctop_file("test", "pathed.cnf")])), + srctop_file("test", "recursive.cnf")])), "running prov_config_test default.cnf"); @@ -32,6 +31,5 @@ ok(run(test(["prov_config_test", srctop_file("test", "fips.cnf"), - srctop_file("test", "recursive.cnf"), - srctop_file("test", "pathed.cnf")])), + srctop_file("test", "recursive.cnf")])), "running prov_config_test fips.cnf"); } Index: /trunk/src/libs/openssl-3.1.7/test/recipes/80-test_pkcs12.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/80-test_pkcs12.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/80-test_pkcs12.t (revision 105949) @@ -55,5 +55,5 @@ $ENV{OPENSSL_WIN32_UTF8}=1; -plan tests => 20; +plan tests => 17; # Test different PKCS#12 formats @@ -163,21 +163,9 @@ "test bad pkcs12 file 1 (nomacver)"); - ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:", - "-info"])), - "test bad pkcs12 file 1 (info)"); - ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])), "test bad pkcs12 file 2"); - ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:", - "-info"])), - "test bad pkcs12 file 2 (info)"); - ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])), "test bad pkcs12 file 3"); - - ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:", - "-info"])), - "test bad pkcs12 file 3 (info)"); }); Index: /trunk/src/libs/openssl-3.1.7/test/recipes/90-test_shlibload.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/90-test_shlibload.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/90-test_shlibload.t (revision 105949) @@ -1,4 +1,4 @@ #! /usr/bin/env perl -# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -24,5 +24,4 @@ plan skip_all => "Test only supported in a dso build" if disabled("dso"); plan skip_all => "Test is disabled in an address sanitizer build" unless disabled("asan"); -plan skip_all => "Test is disabled in no-atexit build" if disabled("atexit"); plan tests => 10; Index: /trunk/src/libs/openssl-3.1.7/test/recipes/90-test_sslapi.t =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/recipes/90-test_sslapi.t (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/recipes/90-test_sslapi.t (revision 105949) @@ -1,4 +1,4 @@ #! /usr/bin/env perl -# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -8,5 +8,5 @@ use OpenSSL::Test::Utils; -use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file result_dir result_file/; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/; use File::Temp qw(tempfile); @@ -14,4 +14,7 @@ setup("test_sslapi"); } + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); @@ -23,8 +26,8 @@ # A modified copy of "fipsmodule.cnf" my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf"; -my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename); +my $fipsmodcfgnew = bldtop_file("test", $fipsmodcfgnew_filename); # A modified copy of "fips-and-base.cnf" -my $provconfnew = result_file("fips-and-base-temp.cnf"); +my $provconfnew = bldtop_file("test", "temp.cnf"); plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" @@ -49,7 +52,4 @@ if $no_fips; - # NOTE that because by default we setup fips provider in pedantic mode, - # with >= 3.1.0 this just runs test_no_ems() to check that the connection - # fails if ems is not used and the fips check is enabled. ok(run(test(["sslapitest", srctop_dir("test", "certs"), srctop_file("test", "recipes", "90-test_sslapi_data", @@ -60,5 +60,5 @@ "90-test_sslapi_data", "dhparams.pem")])), - "running sslapitest with default fips config"); + "running sslapitest"); run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), @@ -71,5 +71,5 @@ # value in $repl and output to a new file $outfile. sub replace_line_file_internal { - + my ($infile, $srch, $repl, $outfile) = @_; my $msg; @@ -86,5 +86,5 @@ return 1; } - + # Read in the text input file $infile # and replace a single Key = Value line with a new value in $value. @@ -103,5 +103,5 @@ return replace_line_file_internal($infile, $srch, $rep, $outfile); } - + # Read in the text $input file # and search for the $key and replace with $newkey @@ -115,11 +115,11 @@ } - # The default fipsmodule.cnf in tests is set with -pedantic. - # In order to enable the tls1-prf-ems-check=0 in a fips config file + # In order to enable the tls1-prf-ems-check=1 in a fips config file # copy the existing fipsmodule.cnf and modify it. # Then copy fips-and-base.cfg to make a file that includes the changed file - $ENV{OPENSSL_CONF_INCLUDE} = result_dir(); + # NOTE that this just runs test_no_ems() to check that the connection + # fails if ems is not used and the fips check is enabled. ok(replace_kv_file($fipsmodcfg, - 'tls1-prf-ems-check', '0', + 'tls1-prf-ems-check', '1', $fipsmodcfgnew) && replace_line_file($provconf, @@ -135,5 +135,8 @@ "90-test_sslapi_data", "dhparams.pem")])), - "running sslapitest with modified fips config"); + "running sslapitest"); + + unlink $fipsmodcfgnew; + unlink $provconfnew; } Index: /trunk/src/libs/openssl-3.1.7/test/sm2_internal_test.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/sm2_internal_test.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/sm2_internal_test.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -306,6 +306,5 @@ const char *k_hex, const char *r_hex, - const char *s_hex, - int omit_pubkey) + const char *s_hex) { const size_t msg_len = strlen(message); @@ -329,11 +328,9 @@ goto done; - if (omit_pubkey == 0) { - pt = EC_POINT_new(group); - if (!TEST_ptr(pt) - || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL)) - || !TEST_true(EC_KEY_set_public_key(key, pt))) - goto done; - } + pt = EC_POINT_new(group); + if (!TEST_ptr(pt) + || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL)) + || !TEST_true(EC_KEY_set_public_key(key, pt))) + goto done; start_fake_rand(k_hex); @@ -396,23 +393,5 @@ "007c47811054c6f99613a578eb8453706ccb96384fe7df5c171671e760bfa8be3a", "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1", - "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7", 0))) - goto done; - - /* Make sure we fail if we omit the public portion of the key */ - if (!TEST_false(test_sm2_sign( - test_group, - /* the default ID specified in GM/T 0009-2012 (Sec. 10).*/ - SM2_DEFAULT_USERID, - /* privkey */ - "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8", - /* plaintext message */ - "message digest", - /* ephemeral nonce k */ - "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21", - /* expected signature, */ - /* signature R, 0x20 bytes */ - "F5A03B0648D2C4630EEAC513E1BB81A15944DA3827D5B74143AC7EACEEE720B3", - /* signature S, 0x20 bytes */ - "B1B6AA29DF212FD8763182BC0D421CA1BB9038FD1F7F42D4840B69C485BBC1AA", 1))) + "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7"))) goto done; Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf (revision 105949) @@ -1,5 +1,5 @@ # Generated with generate_ssl_tests.pl -num_tests = 22 +num_tests = 20 test-0 = 0-npn-simple @@ -9,20 +9,18 @@ test-4 = 4-npn-no-server-support test-5 = 5-npn-no-client-support -test-6 = 6-npn-empty-client-list -test-7 = 7-npn-empty-server-list -test-8 = 8-npn-with-sni-no-context-switch -test-9 = 9-npn-with-sni-context-switch -test-10 = 10-npn-selected-sni-server-supports-npn -test-11 = 11-npn-selected-sni-server-does-not-support-npn -test-12 = 12-alpn-preferred-over-npn -test-13 = 13-sni-npn-preferred-over-alpn -test-14 = 14-npn-simple-resumption -test-15 = 15-npn-server-switch-resumption -test-16 = 16-npn-client-switch-resumption -test-17 = 17-npn-client-first-pref-on-mismatch-resumption -test-18 = 18-npn-no-server-support-resumption -test-19 = 19-npn-no-client-support-resumption -test-20 = 20-alpn-preferred-over-npn-resumption -test-21 = 21-npn-used-if-alpn-not-supported-resumption +test-6 = 6-npn-with-sni-no-context-switch +test-7 = 7-npn-with-sni-context-switch +test-8 = 8-npn-selected-sni-server-supports-npn +test-9 = 9-npn-selected-sni-server-does-not-support-npn +test-10 = 10-alpn-preferred-over-npn +test-11 = 11-sni-npn-preferred-over-alpn +test-12 = 12-npn-simple-resumption +test-13 = 13-npn-server-switch-resumption +test-14 = 14-npn-client-switch-resumption +test-15 = 15-npn-client-first-pref-on-mismatch-resumption +test-16 = 16-npn-no-server-support-resumption +test-17 = 17-npn-no-client-support-resumption +test-18 = 18-alpn-preferred-over-npn-resumption +test-19 = 19-npn-used-if-alpn-not-supported-resumption # =========================================================== @@ -209,17 +207,23 @@ # =========================================================== -[6-npn-empty-client-list] -ssl_conf = 6-npn-empty-client-list-ssl - -[6-npn-empty-client-list-ssl] -server = 6-npn-empty-client-list-server -client = 6-npn-empty-client-list-client - -[6-npn-empty-client-list-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[6-npn-empty-client-list-client] +[6-npn-with-sni-no-context-switch] +ssl_conf = 6-npn-with-sni-no-context-switch-ssl + +[6-npn-with-sni-no-context-switch-ssl] +server = 6-npn-with-sni-no-context-switch-server +client = 6-npn-with-sni-no-context-switch-client +server2 = 6-npn-with-sni-no-context-switch-server2 + +[6-npn-with-sni-no-context-switch-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[6-npn-with-sni-no-context-switch-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[6-npn-with-sni-no-context-switch-client] CipherString = DEFAULT MaxProtocol = TLSv1.2 @@ -228,89 +232,18 @@ [test-6] -ExpectedClientAlert = HandshakeFailure -ExpectedResult = ClientFail -server = 6-npn-empty-client-list-server-extra -client = 6-npn-empty-client-list-client-extra - -[6-npn-empty-client-list-server-extra] -NPNProtocols = foo - -[6-npn-empty-client-list-client-extra] -NPNProtocols = - - -# =========================================================== - -[7-npn-empty-server-list] -ssl_conf = 7-npn-empty-server-list-ssl - -[7-npn-empty-server-list-ssl] -server = 7-npn-empty-server-list-server -client = 7-npn-empty-server-list-client - -[7-npn-empty-server-list-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[7-npn-empty-server-list-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-7] -ExpectedNPNProtocol = foo -server = 7-npn-empty-server-list-server-extra -client = 7-npn-empty-server-list-client-extra - -[7-npn-empty-server-list-server-extra] -NPNProtocols = - -[7-npn-empty-server-list-client-extra] -NPNProtocols = foo - - -# =========================================================== - -[8-npn-with-sni-no-context-switch] -ssl_conf = 8-npn-with-sni-no-context-switch-ssl - -[8-npn-with-sni-no-context-switch-ssl] -server = 8-npn-with-sni-no-context-switch-server -client = 8-npn-with-sni-no-context-switch-client -server2 = 8-npn-with-sni-no-context-switch-server2 - -[8-npn-with-sni-no-context-switch-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[8-npn-with-sni-no-context-switch-server2] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[8-npn-with-sni-no-context-switch-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-8] ExpectedNPNProtocol = foo ExpectedServerName = server1 -server = 8-npn-with-sni-no-context-switch-server-extra -server2 = 8-npn-with-sni-no-context-switch-server2-extra -client = 8-npn-with-sni-no-context-switch-client-extra - -[8-npn-with-sni-no-context-switch-server-extra] +server = 6-npn-with-sni-no-context-switch-server-extra +server2 = 6-npn-with-sni-no-context-switch-server2-extra +client = 6-npn-with-sni-no-context-switch-client-extra + +[6-npn-with-sni-no-context-switch-server-extra] NPNProtocols = foo ServerNameCallback = IgnoreMismatch -[8-npn-with-sni-no-context-switch-server2-extra] -NPNProtocols = bar - -[8-npn-with-sni-no-context-switch-client-extra] +[6-npn-with-sni-no-context-switch-server2-extra] +NPNProtocols = bar + +[6-npn-with-sni-no-context-switch-client-extra] NPNProtocols = foo,bar ServerName = server1 @@ -319,43 +252,43 @@ # =========================================================== -[9-npn-with-sni-context-switch] -ssl_conf = 9-npn-with-sni-context-switch-ssl - -[9-npn-with-sni-context-switch-ssl] -server = 9-npn-with-sni-context-switch-server -client = 9-npn-with-sni-context-switch-client -server2 = 9-npn-with-sni-context-switch-server2 - -[9-npn-with-sni-context-switch-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[9-npn-with-sni-context-switch-server2] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[9-npn-with-sni-context-switch-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-9] +[7-npn-with-sni-context-switch] +ssl_conf = 7-npn-with-sni-context-switch-ssl + +[7-npn-with-sni-context-switch-ssl] +server = 7-npn-with-sni-context-switch-server +client = 7-npn-with-sni-context-switch-client +server2 = 7-npn-with-sni-context-switch-server2 + +[7-npn-with-sni-context-switch-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[7-npn-with-sni-context-switch-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[7-npn-with-sni-context-switch-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-7] ExpectedNPNProtocol = bar ExpectedServerName = server2 -server = 9-npn-with-sni-context-switch-server-extra -server2 = 9-npn-with-sni-context-switch-server2-extra -client = 9-npn-with-sni-context-switch-client-extra - -[9-npn-with-sni-context-switch-server-extra] +server = 7-npn-with-sni-context-switch-server-extra +server2 = 7-npn-with-sni-context-switch-server2-extra +client = 7-npn-with-sni-context-switch-client-extra + +[7-npn-with-sni-context-switch-server-extra] NPNProtocols = foo ServerNameCallback = IgnoreMismatch -[9-npn-with-sni-context-switch-server2-extra] -NPNProtocols = bar - -[9-npn-with-sni-context-switch-client-extra] +[7-npn-with-sni-context-switch-server2-extra] +NPNProtocols = bar + +[7-npn-with-sni-context-switch-client-extra] NPNProtocols = foo,bar ServerName = server2 @@ -364,42 +297,42 @@ # =========================================================== -[10-npn-selected-sni-server-supports-npn] -ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl - -[10-npn-selected-sni-server-supports-npn-ssl] -server = 10-npn-selected-sni-server-supports-npn-server -client = 10-npn-selected-sni-server-supports-npn-client -server2 = 10-npn-selected-sni-server-supports-npn-server2 - -[10-npn-selected-sni-server-supports-npn-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[10-npn-selected-sni-server-supports-npn-server2] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[10-npn-selected-sni-server-supports-npn-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-10] +[8-npn-selected-sni-server-supports-npn] +ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl + +[8-npn-selected-sni-server-supports-npn-ssl] +server = 8-npn-selected-sni-server-supports-npn-server +client = 8-npn-selected-sni-server-supports-npn-client +server2 = 8-npn-selected-sni-server-supports-npn-server2 + +[8-npn-selected-sni-server-supports-npn-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[8-npn-selected-sni-server-supports-npn-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[8-npn-selected-sni-server-supports-npn-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-8] ExpectedNPNProtocol = bar ExpectedServerName = server2 -server = 10-npn-selected-sni-server-supports-npn-server-extra -server2 = 10-npn-selected-sni-server-supports-npn-server2-extra -client = 10-npn-selected-sni-server-supports-npn-client-extra - -[10-npn-selected-sni-server-supports-npn-server-extra] +server = 8-npn-selected-sni-server-supports-npn-server-extra +server2 = 8-npn-selected-sni-server-supports-npn-server2-extra +client = 8-npn-selected-sni-server-supports-npn-client-extra + +[8-npn-selected-sni-server-supports-npn-server-extra] ServerNameCallback = IgnoreMismatch -[10-npn-selected-sni-server-supports-npn-server2-extra] -NPNProtocols = bar - -[10-npn-selected-sni-server-supports-npn-client-extra] +[8-npn-selected-sni-server-supports-npn-server2-extra] +NPNProtocols = bar + +[8-npn-selected-sni-server-supports-npn-client-extra] NPNProtocols = foo,bar ServerName = server2 @@ -408,38 +341,38 @@ # =========================================================== -[11-npn-selected-sni-server-does-not-support-npn] -ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl - -[11-npn-selected-sni-server-does-not-support-npn-ssl] -server = 11-npn-selected-sni-server-does-not-support-npn-server -client = 11-npn-selected-sni-server-does-not-support-npn-client -server2 = 11-npn-selected-sni-server-does-not-support-npn-server2 - -[11-npn-selected-sni-server-does-not-support-npn-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[11-npn-selected-sni-server-does-not-support-npn-server2] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[11-npn-selected-sni-server-does-not-support-npn-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-11] +[9-npn-selected-sni-server-does-not-support-npn] +ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl + +[9-npn-selected-sni-server-does-not-support-npn-ssl] +server = 9-npn-selected-sni-server-does-not-support-npn-server +client = 9-npn-selected-sni-server-does-not-support-npn-client +server2 = 9-npn-selected-sni-server-does-not-support-npn-server2 + +[9-npn-selected-sni-server-does-not-support-npn-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[9-npn-selected-sni-server-does-not-support-npn-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[9-npn-selected-sni-server-does-not-support-npn-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-9] ExpectedServerName = server2 -server = 11-npn-selected-sni-server-does-not-support-npn-server-extra -client = 11-npn-selected-sni-server-does-not-support-npn-client-extra - -[11-npn-selected-sni-server-does-not-support-npn-server-extra] +server = 9-npn-selected-sni-server-does-not-support-npn-server-extra +client = 9-npn-selected-sni-server-does-not-support-npn-client-extra + +[9-npn-selected-sni-server-does-not-support-npn-server-extra] NPNProtocols = bar ServerNameCallback = IgnoreMismatch -[11-npn-selected-sni-server-does-not-support-npn-client-extra] +[9-npn-selected-sni-server-does-not-support-npn-client-extra] NPNProtocols = foo,bar ServerName = server2 @@ -448,32 +381,32 @@ # =========================================================== -[12-alpn-preferred-over-npn] -ssl_conf = 12-alpn-preferred-over-npn-ssl - -[12-alpn-preferred-over-npn-ssl] -server = 12-alpn-preferred-over-npn-server -client = 12-alpn-preferred-over-npn-client - -[12-alpn-preferred-over-npn-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[12-alpn-preferred-over-npn-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-12] +[10-alpn-preferred-over-npn] +ssl_conf = 10-alpn-preferred-over-npn-ssl + +[10-alpn-preferred-over-npn-ssl] +server = 10-alpn-preferred-over-npn-server +client = 10-alpn-preferred-over-npn-client + +[10-alpn-preferred-over-npn-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[10-alpn-preferred-over-npn-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-10] ExpectedALPNProtocol = foo -server = 12-alpn-preferred-over-npn-server-extra -client = 12-alpn-preferred-over-npn-client-extra - -[12-alpn-preferred-over-npn-server-extra] +server = 10-alpn-preferred-over-npn-server-extra +client = 10-alpn-preferred-over-npn-client-extra + +[10-alpn-preferred-over-npn-server-extra] ALPNProtocols = foo NPNProtocols = bar -[12-alpn-preferred-over-npn-client-extra] +[10-alpn-preferred-over-npn-client-extra] ALPNProtocols = foo NPNProtocols = bar @@ -482,43 +415,43 @@ # =========================================================== -[13-sni-npn-preferred-over-alpn] -ssl_conf = 13-sni-npn-preferred-over-alpn-ssl - -[13-sni-npn-preferred-over-alpn-ssl] -server = 13-sni-npn-preferred-over-alpn-server -client = 13-sni-npn-preferred-over-alpn-client -server2 = 13-sni-npn-preferred-over-alpn-server2 - -[13-sni-npn-preferred-over-alpn-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[13-sni-npn-preferred-over-alpn-server2] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[13-sni-npn-preferred-over-alpn-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-13] +[11-sni-npn-preferred-over-alpn] +ssl_conf = 11-sni-npn-preferred-over-alpn-ssl + +[11-sni-npn-preferred-over-alpn-ssl] +server = 11-sni-npn-preferred-over-alpn-server +client = 11-sni-npn-preferred-over-alpn-client +server2 = 11-sni-npn-preferred-over-alpn-server2 + +[11-sni-npn-preferred-over-alpn-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[11-sni-npn-preferred-over-alpn-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[11-sni-npn-preferred-over-alpn-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-11] ExpectedNPNProtocol = bar ExpectedServerName = server2 -server = 13-sni-npn-preferred-over-alpn-server-extra -server2 = 13-sni-npn-preferred-over-alpn-server2-extra -client = 13-sni-npn-preferred-over-alpn-client-extra - -[13-sni-npn-preferred-over-alpn-server-extra] +server = 11-sni-npn-preferred-over-alpn-server-extra +server2 = 11-sni-npn-preferred-over-alpn-server2-extra +client = 11-sni-npn-preferred-over-alpn-client-extra + +[11-sni-npn-preferred-over-alpn-server-extra] ALPNProtocols = foo ServerNameCallback = IgnoreMismatch -[13-sni-npn-preferred-over-alpn-server2-extra] -NPNProtocols = bar - -[13-sni-npn-preferred-over-alpn-client-extra] +[11-sni-npn-preferred-over-alpn-server2-extra] +NPNProtocols = bar + +[11-sni-npn-preferred-over-alpn-client-extra] ALPNProtocols = foo NPNProtocols = bar @@ -528,83 +461,83 @@ # =========================================================== -[14-npn-simple-resumption] -ssl_conf = 14-npn-simple-resumption-ssl - -[14-npn-simple-resumption-ssl] -server = 14-npn-simple-resumption-server -client = 14-npn-simple-resumption-client -resume-server = 14-npn-simple-resumption-server -resume-client = 14-npn-simple-resumption-client - -[14-npn-simple-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[14-npn-simple-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-14] +[12-npn-simple-resumption] +ssl_conf = 12-npn-simple-resumption-ssl + +[12-npn-simple-resumption-ssl] +server = 12-npn-simple-resumption-server +client = 12-npn-simple-resumption-client +resume-server = 12-npn-simple-resumption-server +resume-client = 12-npn-simple-resumption-client + +[12-npn-simple-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[12-npn-simple-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-12] ExpectedNPNProtocol = foo HandshakeMode = Resume ResumptionExpected = Yes -server = 14-npn-simple-resumption-server-extra -resume-server = 14-npn-simple-resumption-server-extra -client = 14-npn-simple-resumption-client-extra -resume-client = 14-npn-simple-resumption-client-extra - -[14-npn-simple-resumption-server-extra] -NPNProtocols = foo - -[14-npn-simple-resumption-client-extra] -NPNProtocols = foo - - -# =========================================================== - -[15-npn-server-switch-resumption] -ssl_conf = 15-npn-server-switch-resumption-ssl - -[15-npn-server-switch-resumption-ssl] -server = 15-npn-server-switch-resumption-server -client = 15-npn-server-switch-resumption-client -resume-server = 15-npn-server-switch-resumption-resume-server -resume-client = 15-npn-server-switch-resumption-client - -[15-npn-server-switch-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[15-npn-server-switch-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[15-npn-server-switch-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-15] +server = 12-npn-simple-resumption-server-extra +resume-server = 12-npn-simple-resumption-server-extra +client = 12-npn-simple-resumption-client-extra +resume-client = 12-npn-simple-resumption-client-extra + +[12-npn-simple-resumption-server-extra] +NPNProtocols = foo + +[12-npn-simple-resumption-client-extra] +NPNProtocols = foo + + +# =========================================================== + +[13-npn-server-switch-resumption] +ssl_conf = 13-npn-server-switch-resumption-ssl + +[13-npn-server-switch-resumption-ssl] +server = 13-npn-server-switch-resumption-server +client = 13-npn-server-switch-resumption-client +resume-server = 13-npn-server-switch-resumption-resume-server +resume-client = 13-npn-server-switch-resumption-client + +[13-npn-server-switch-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[13-npn-server-switch-resumption-resume-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[13-npn-server-switch-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-13] ExpectedNPNProtocol = baz HandshakeMode = Resume ResumptionExpected = Yes -server = 15-npn-server-switch-resumption-server-extra -resume-server = 15-npn-server-switch-resumption-resume-server-extra -client = 15-npn-server-switch-resumption-client-extra -resume-client = 15-npn-server-switch-resumption-client-extra - -[15-npn-server-switch-resumption-server-extra] +server = 13-npn-server-switch-resumption-server-extra +resume-server = 13-npn-server-switch-resumption-resume-server-extra +client = 13-npn-server-switch-resumption-client-extra +resume-client = 13-npn-server-switch-resumption-client-extra + +[13-npn-server-switch-resumption-server-extra] NPNProtocols = bar,foo -[15-npn-server-switch-resumption-resume-server-extra] +[13-npn-server-switch-resumption-resume-server-extra] NPNProtocols = baz,foo -[15-npn-server-switch-resumption-client-extra] +[13-npn-server-switch-resumption-client-extra] NPNProtocols = foo,bar,baz @@ -612,46 +545,46 @@ # =========================================================== -[16-npn-client-switch-resumption] -ssl_conf = 16-npn-client-switch-resumption-ssl - -[16-npn-client-switch-resumption-ssl] -server = 16-npn-client-switch-resumption-server -client = 16-npn-client-switch-resumption-client -resume-server = 16-npn-client-switch-resumption-server -resume-client = 16-npn-client-switch-resumption-resume-client - -[16-npn-client-switch-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[16-npn-client-switch-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[16-npn-client-switch-resumption-resume-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-16] +[14-npn-client-switch-resumption] +ssl_conf = 14-npn-client-switch-resumption-ssl + +[14-npn-client-switch-resumption-ssl] +server = 14-npn-client-switch-resumption-server +client = 14-npn-client-switch-resumption-client +resume-server = 14-npn-client-switch-resumption-server +resume-client = 14-npn-client-switch-resumption-resume-client + +[14-npn-client-switch-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[14-npn-client-switch-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[14-npn-client-switch-resumption-resume-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-14] ExpectedNPNProtocol = bar HandshakeMode = Resume ResumptionExpected = Yes -server = 16-npn-client-switch-resumption-server-extra -resume-server = 16-npn-client-switch-resumption-server-extra -client = 16-npn-client-switch-resumption-client-extra -resume-client = 16-npn-client-switch-resumption-resume-client-extra - -[16-npn-client-switch-resumption-server-extra] +server = 14-npn-client-switch-resumption-server-extra +resume-server = 14-npn-client-switch-resumption-server-extra +client = 14-npn-client-switch-resumption-client-extra +resume-client = 14-npn-client-switch-resumption-resume-client-extra + +[14-npn-client-switch-resumption-server-extra] NPNProtocols = foo,bar,baz -[16-npn-client-switch-resumption-client-extra] +[14-npn-client-switch-resumption-client-extra] NPNProtocols = foo,baz -[16-npn-client-switch-resumption-resume-client-extra] +[14-npn-client-switch-resumption-resume-client-extra] NPNProtocols = bar,baz @@ -659,45 +592,45 @@ # =========================================================== -[17-npn-client-first-pref-on-mismatch-resumption] -ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl - -[17-npn-client-first-pref-on-mismatch-resumption-ssl] -server = 17-npn-client-first-pref-on-mismatch-resumption-server -client = 17-npn-client-first-pref-on-mismatch-resumption-client -resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server -resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client - -[17-npn-client-first-pref-on-mismatch-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[17-npn-client-first-pref-on-mismatch-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[17-npn-client-first-pref-on-mismatch-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-17] +[15-npn-client-first-pref-on-mismatch-resumption] +ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl + +[15-npn-client-first-pref-on-mismatch-resumption-ssl] +server = 15-npn-client-first-pref-on-mismatch-resumption-server +client = 15-npn-client-first-pref-on-mismatch-resumption-client +resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server +resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client + +[15-npn-client-first-pref-on-mismatch-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[15-npn-client-first-pref-on-mismatch-resumption-resume-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[15-npn-client-first-pref-on-mismatch-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-15] ExpectedNPNProtocol = foo HandshakeMode = Resume ResumptionExpected = Yes -server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra -resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra -client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra -resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra - -[17-npn-client-first-pref-on-mismatch-resumption-server-extra] -NPNProtocols = bar - -[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] +server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra +resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra +client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra +resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra + +[15-npn-client-first-pref-on-mismatch-resumption-server-extra] +NPNProtocols = bar + +[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] NPNProtocols = baz -[17-npn-client-first-pref-on-mismatch-resumption-client-extra] +[15-npn-client-first-pref-on-mismatch-resumption-client-extra] NPNProtocols = foo,bar @@ -705,129 +638,129 @@ # =========================================================== -[18-npn-no-server-support-resumption] -ssl_conf = 18-npn-no-server-support-resumption-ssl - -[18-npn-no-server-support-resumption-ssl] -server = 18-npn-no-server-support-resumption-server -client = 18-npn-no-server-support-resumption-client -resume-server = 18-npn-no-server-support-resumption-resume-server -resume-client = 18-npn-no-server-support-resumption-client - -[18-npn-no-server-support-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[18-npn-no-server-support-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[18-npn-no-server-support-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-18] +[16-npn-no-server-support-resumption] +ssl_conf = 16-npn-no-server-support-resumption-ssl + +[16-npn-no-server-support-resumption-ssl] +server = 16-npn-no-server-support-resumption-server +client = 16-npn-no-server-support-resumption-client +resume-server = 16-npn-no-server-support-resumption-resume-server +resume-client = 16-npn-no-server-support-resumption-client + +[16-npn-no-server-support-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[16-npn-no-server-support-resumption-resume-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[16-npn-no-server-support-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-16] HandshakeMode = Resume ResumptionExpected = Yes -server = 18-npn-no-server-support-resumption-server-extra -client = 18-npn-no-server-support-resumption-client-extra -resume-client = 18-npn-no-server-support-resumption-client-extra - -[18-npn-no-server-support-resumption-server-extra] -NPNProtocols = foo - -[18-npn-no-server-support-resumption-client-extra] -NPNProtocols = foo - - -# =========================================================== - -[19-npn-no-client-support-resumption] -ssl_conf = 19-npn-no-client-support-resumption-ssl - -[19-npn-no-client-support-resumption-ssl] -server = 19-npn-no-client-support-resumption-server -client = 19-npn-no-client-support-resumption-client -resume-server = 19-npn-no-client-support-resumption-server -resume-client = 19-npn-no-client-support-resumption-resume-client - -[19-npn-no-client-support-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[19-npn-no-client-support-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[19-npn-no-client-support-resumption-resume-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-19] +server = 16-npn-no-server-support-resumption-server-extra +client = 16-npn-no-server-support-resumption-client-extra +resume-client = 16-npn-no-server-support-resumption-client-extra + +[16-npn-no-server-support-resumption-server-extra] +NPNProtocols = foo + +[16-npn-no-server-support-resumption-client-extra] +NPNProtocols = foo + + +# =========================================================== + +[17-npn-no-client-support-resumption] +ssl_conf = 17-npn-no-client-support-resumption-ssl + +[17-npn-no-client-support-resumption-ssl] +server = 17-npn-no-client-support-resumption-server +client = 17-npn-no-client-support-resumption-client +resume-server = 17-npn-no-client-support-resumption-server +resume-client = 17-npn-no-client-support-resumption-resume-client + +[17-npn-no-client-support-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[17-npn-no-client-support-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[17-npn-no-client-support-resumption-resume-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-17] HandshakeMode = Resume ResumptionExpected = Yes -server = 19-npn-no-client-support-resumption-server-extra -resume-server = 19-npn-no-client-support-resumption-server-extra -client = 19-npn-no-client-support-resumption-client-extra - -[19-npn-no-client-support-resumption-server-extra] -NPNProtocols = foo - -[19-npn-no-client-support-resumption-client-extra] -NPNProtocols = foo - - -# =========================================================== - -[20-alpn-preferred-over-npn-resumption] -ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl - -[20-alpn-preferred-over-npn-resumption-ssl] -server = 20-alpn-preferred-over-npn-resumption-server -client = 20-alpn-preferred-over-npn-resumption-client -resume-server = 20-alpn-preferred-over-npn-resumption-resume-server -resume-client = 20-alpn-preferred-over-npn-resumption-client - -[20-alpn-preferred-over-npn-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[20-alpn-preferred-over-npn-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[20-alpn-preferred-over-npn-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-20] +server = 17-npn-no-client-support-resumption-server-extra +resume-server = 17-npn-no-client-support-resumption-server-extra +client = 17-npn-no-client-support-resumption-client-extra + +[17-npn-no-client-support-resumption-server-extra] +NPNProtocols = foo + +[17-npn-no-client-support-resumption-client-extra] +NPNProtocols = foo + + +# =========================================================== + +[18-alpn-preferred-over-npn-resumption] +ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl + +[18-alpn-preferred-over-npn-resumption-ssl] +server = 18-alpn-preferred-over-npn-resumption-server +client = 18-alpn-preferred-over-npn-resumption-client +resume-server = 18-alpn-preferred-over-npn-resumption-resume-server +resume-client = 18-alpn-preferred-over-npn-resumption-client + +[18-alpn-preferred-over-npn-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[18-alpn-preferred-over-npn-resumption-resume-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[18-alpn-preferred-over-npn-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-18] ExpectedALPNProtocol = foo HandshakeMode = Resume ResumptionExpected = Yes -server = 20-alpn-preferred-over-npn-resumption-server-extra -resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra -client = 20-alpn-preferred-over-npn-resumption-client-extra -resume-client = 20-alpn-preferred-over-npn-resumption-client-extra - -[20-alpn-preferred-over-npn-resumption-server-extra] -NPNProtocols = bar - -[20-alpn-preferred-over-npn-resumption-resume-server-extra] +server = 18-alpn-preferred-over-npn-resumption-server-extra +resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra +client = 18-alpn-preferred-over-npn-resumption-client-extra +resume-client = 18-alpn-preferred-over-npn-resumption-client-extra + +[18-alpn-preferred-over-npn-resumption-server-extra] +NPNProtocols = bar + +[18-alpn-preferred-over-npn-resumption-resume-server-extra] ALPNProtocols = foo NPNProtocols = baz -[20-alpn-preferred-over-npn-resumption-client-extra] +[18-alpn-preferred-over-npn-resumption-client-extra] ALPNProtocols = foo NPNProtocols = bar,baz @@ -836,46 +769,46 @@ # =========================================================== -[21-npn-used-if-alpn-not-supported-resumption] -ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl - -[21-npn-used-if-alpn-not-supported-resumption-ssl] -server = 21-npn-used-if-alpn-not-supported-resumption-server -client = 21-npn-used-if-alpn-not-supported-resumption-client -resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server -resume-client = 21-npn-used-if-alpn-not-supported-resumption-client - -[21-npn-used-if-alpn-not-supported-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[21-npn-used-if-alpn-not-supported-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[21-npn-used-if-alpn-not-supported-resumption-client] -CipherString = DEFAULT -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-21] +[19-npn-used-if-alpn-not-supported-resumption] +ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl + +[19-npn-used-if-alpn-not-supported-resumption-ssl] +server = 19-npn-used-if-alpn-not-supported-resumption-server +client = 19-npn-used-if-alpn-not-supported-resumption-client +resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server +resume-client = 19-npn-used-if-alpn-not-supported-resumption-client + +[19-npn-used-if-alpn-not-supported-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[19-npn-used-if-alpn-not-supported-resumption-resume-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[19-npn-used-if-alpn-not-supported-resumption-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-19] ExpectedNPNProtocol = baz HandshakeMode = Resume ResumptionExpected = Yes -server = 21-npn-used-if-alpn-not-supported-resumption-server-extra -resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra -client = 21-npn-used-if-alpn-not-supported-resumption-client-extra -resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra - -[21-npn-used-if-alpn-not-supported-resumption-server-extra] +server = 19-npn-used-if-alpn-not-supported-resumption-server-extra +resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra +client = 19-npn-used-if-alpn-not-supported-resumption-client-extra +resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra + +[19-npn-used-if-alpn-not-supported-resumption-server-extra] ALPNProtocols = foo NPNProtocols = bar -[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra] +[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra] NPNProtocols = baz -[21-npn-used-if-alpn-not-supported-resumption-client-extra] +[19-npn-used-if-alpn-not-supported-resumption-client-extra] ALPNProtocols = foo NPNProtocols = bar,baz Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf.in =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf.in (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf.in (revision 105949) @@ -1,4 +1,4 @@ # -*- mode: perl; -*- -# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -112,39 +112,4 @@ }, { - name => "npn-empty-client-list", - server => { - extra => { - "NPNProtocols" => "foo", - }, - }, - client => { - extra => { - "NPNProtocols" => "", - }, - "MaxProtocol" => "TLSv1.2" - }, - test => { - "ExpectedResult" => "ClientFail", - "ExpectedClientAlert" => "HandshakeFailure" - }, - }, - { - name => "npn-empty-server-list", - server => { - extra => { - "NPNProtocols" => "", - }, - }, - client => { - extra => { - "NPNProtocols" => "foo", - }, - "MaxProtocol" => "TLSv1.2" - }, - test => { - "ExpectedNPNProtocol" => "foo" - }, - }, - { name => "npn-with-sni-no-context-switch", server => { Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf (revision 105949) @@ -1,5 +1,5 @@ # Generated with generate_ssl_tests.pl -num_tests = 18 +num_tests = 16 test-0 = 0-alpn-simple @@ -19,6 +19,4 @@ test-14 = 14-alpn-no-server-support-resumption test-15 = 15-alpn-no-client-support-resumption -test-16 = 16-alpn-empty-client-list -test-17 = 17-alpn-empty-server-list # =========================================================== @@ -620,64 +618,2 @@ -# =========================================================== - -[16-alpn-empty-client-list] -ssl_conf = 16-alpn-empty-client-list-ssl - -[16-alpn-empty-client-list-ssl] -server = 16-alpn-empty-client-list-server -client = 16-alpn-empty-client-list-client - -[16-alpn-empty-client-list-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[16-alpn-empty-client-list-client] -CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-16] -server = 16-alpn-empty-client-list-server-extra -client = 16-alpn-empty-client-list-client-extra - -[16-alpn-empty-client-list-server-extra] -ALPNProtocols = foo - -[16-alpn-empty-client-list-client-extra] -ALPNProtocols = - - -# =========================================================== - -[17-alpn-empty-server-list] -ssl_conf = 17-alpn-empty-server-list-ssl - -[17-alpn-empty-server-list-ssl] -server = 17-alpn-empty-server-list-server -client = 17-alpn-empty-server-list-client - -[17-alpn-empty-server-list-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[17-alpn-empty-server-list-client] -CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-17] -ExpectedResult = ServerFail -ExpectedServerAlert = NoApplicationProtocol -server = 17-alpn-empty-server-list-server-extra -client = 17-alpn-empty-server-list-client-extra - -[17-alpn-empty-server-list-server-extra] -ALPNProtocols = - -[17-alpn-empty-server-list-client-extra] -ALPNProtocols = foo - - Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf.in =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf.in (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf.in (revision 105949) @@ -1,4 +1,4 @@ # -*- mode: perl; -*- -# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -323,36 +323,3 @@ }, }, - { - name => "alpn-empty-client-list", - server => { - extra => { - "ALPNProtocols" => "foo", - }, - }, - client => { - extra => { - "ALPNProtocols" => "", - }, - }, - test => { - "ExpectedALPNProtocol" => undef, - }, - }, - { - name => "alpn-empty-server-list", - server => { - extra => { - "ALPNProtocols" => "", - }, - }, - client => { - extra => { - "ALPNProtocols" => "foo", - }, - }, - test => { - "ExpectedResult" => "ServerFail", - "ExpectedServerAlert" => "NoApplicationProtocol", - }, - }, ); Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/14-curves.cnf.in =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/14-curves.cnf.in (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/14-curves.cnf.in (revision 105949) @@ -13,9 +13,6 @@ our $fips_mode; -my @curves = ("prime256v1", "secp384r1", "secp521r1"); - -my @curves_no_fips = ("X25519", "X448"); - -push @curves, @curves_no_fips if !$fips_mode; +my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519", + "X448"); #Curves *only* suitable for use in TLSv1.3 Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf (revision 105949) @@ -20,10 +20,10 @@ test-15 = 15-Ed25519 CipherString and Signature Algorithm Selection test-16 = 16-Ed448 CipherString and Signature Algorithm Selection -test-17 = 17-TLS 1.2 Ed25519 Client Auth -test-18 = 18-TLS 1.2 Ed448 Client Auth -test-19 = 19-ECDSA Signature Algorithm Selection SHA1 -test-20 = 20-ECDSA with brainpool -test-21 = 21-Ed25519 CipherString and Curves Selection -test-22 = 22-Ed448 CipherString and Curves Selection +test-17 = 17-Ed25519 CipherString and Curves Selection +test-18 = 18-Ed448 CipherString and Curves Selection +test-19 = 19-TLS 1.2 Ed25519 Client Auth +test-20 = 20-TLS 1.2 Ed448 Client Auth +test-21 = 21-ECDSA Signature Algorithm Selection SHA1 +test-22 = 22-ECDSA with brainpool test-23 = 23-RSA-PSS Certificate CipherString Selection test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection @@ -603,12 +603,82 @@ # =========================================================== -[17-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 17-TLS 1.2 Ed25519 Client Auth-ssl - -[17-TLS 1.2 Ed25519 Client Auth-ssl] -server = 17-TLS 1.2 Ed25519 Client Auth-server -client = 17-TLS 1.2 Ed25519 Client Auth-client - -[17-TLS 1.2 Ed25519 Client Auth-server] +[17-Ed25519 CipherString and Curves Selection] +ssl_conf = 17-Ed25519 CipherString and Curves Selection-ssl + +[17-Ed25519 CipherString and Curves Selection-ssl] +server = 17-Ed25519 CipherString and Curves Selection-server +client = 17-Ed25519 CipherString and Curves Selection-client + +[17-Ed25519 CipherString and Curves Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[17-Ed25519 CipherString and Curves Selection-client] +CipherString = aECDSA +Curves = X25519 +MaxProtocol = TLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ed25519 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-17] +ExpectedResult = Success +ExpectedServerCertType = Ed25519 +ExpectedServerSignType = Ed25519 + + +# =========================================================== + +[18-Ed448 CipherString and Curves Selection] +ssl_conf = 18-Ed448 CipherString and Curves Selection-ssl + +[18-Ed448 CipherString and Curves Selection-ssl] +server = 18-Ed448 CipherString and Curves Selection-server +client = 18-Ed448 CipherString and Curves Selection-client + +[18-Ed448 CipherString and Curves Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[18-Ed448 CipherString and Curves Selection-client] +CipherString = aECDSA +Curves = X448 +MaxProtocol = TLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ed448 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem +VerifyMode = Peer + +[test-18] +ExpectedResult = Success +ExpectedServerCertType = Ed448 +ExpectedServerSignType = Ed448 + + +# =========================================================== + +[19-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 19-TLS 1.2 Ed25519 Client Auth-ssl + +[19-TLS 1.2 Ed25519 Client Auth-ssl] +server = 19-TLS 1.2 Ed25519 Client Auth-server +client = 19-TLS 1.2 Ed25519 Client Auth-client + +[19-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT @@ -617,5 +687,5 @@ VerifyMode = Require -[17-TLS 1.2 Ed25519 Client Auth-client] +[19-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem @@ -626,5 +696,5 @@ VerifyMode = Peer -[test-17] +[test-19] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 @@ -634,12 +704,12 @@ # =========================================================== -[18-TLS 1.2 Ed448 Client Auth] -ssl_conf = 18-TLS 1.2 Ed448 Client Auth-ssl - -[18-TLS 1.2 Ed448 Client Auth-ssl] -server = 18-TLS 1.2 Ed448 Client Auth-server -client = 18-TLS 1.2 Ed448 Client Auth-client - -[18-TLS 1.2 Ed448 Client Auth-server] +[20-TLS 1.2 Ed448 Client Auth] +ssl_conf = 20-TLS 1.2 Ed448 Client Auth-ssl + +[20-TLS 1.2 Ed448 Client Auth-ssl] +server = 20-TLS 1.2 Ed448 Client Auth-server +client = 20-TLS 1.2 Ed448 Client Auth-client + +[20-TLS 1.2 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT @@ -648,5 +718,5 @@ VerifyMode = Require -[18-TLS 1.2 Ed448 Client Auth-client] +[20-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem @@ -657,5 +727,5 @@ VerifyMode = Peer -[test-18] +[test-20] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 @@ -665,12 +735,12 @@ # =========================================================== -[19-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 19-ECDSA Signature Algorithm Selection SHA1-ssl - -[19-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 19-ECDSA Signature Algorithm Selection SHA1-server -client = 19-ECDSA Signature Algorithm Selection SHA1-client - -[19-ECDSA Signature Algorithm Selection SHA1-server] +[21-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 21-ECDSA Signature Algorithm Selection SHA1-ssl + +[21-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 21-ECDSA Signature Algorithm Selection SHA1-server +client = 21-ECDSA Signature Algorithm Selection SHA1-client + +[21-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 @@ -684,5 +754,5 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-ECDSA Signature Algorithm Selection SHA1-client] +[21-ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT:@SECLEVEL=0 SignatureAlgorithms = ECDSA+SHA1 @@ -690,5 +760,5 @@ VerifyMode = Peer -[test-19] +[test-21] ExpectedResult = Success ExpectedServerCertType = P-256 @@ -699,12 +769,12 @@ # =========================================================== -[20-ECDSA with brainpool] -ssl_conf = 20-ECDSA with brainpool-ssl - -[20-ECDSA with brainpool-ssl] -server = 20-ECDSA with brainpool-server -client = 20-ECDSA with brainpool-client - -[20-ECDSA with brainpool-server] +[22-ECDSA with brainpool] +ssl_conf = 22-ECDSA with brainpool-ssl + +[22-ECDSA with brainpool-ssl] +server = 22-ECDSA with brainpool-server +client = 22-ECDSA with brainpool-client + +[22-ECDSA with brainpool-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem CipherString = DEFAULT @@ -712,5 +782,5 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -[20-ECDSA with brainpool-client] +[22-ECDSA with brainpool-client] CipherString = aECDSA Groups = brainpoolP256r1 @@ -720,79 +790,9 @@ VerifyMode = Peer -[test-20] +[test-22] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = brainpoolP256r1 ExpectedServerSignType = EC - - -# =========================================================== - -[21-Ed25519 CipherString and Curves Selection] -ssl_conf = 21-Ed25519 CipherString and Curves Selection-ssl - -[21-Ed25519 CipherString and Curves Selection-ssl] -server = 21-Ed25519 CipherString and Curves Selection-server -client = 21-Ed25519 CipherString and Curves Selection-client - -[21-Ed25519 CipherString and Curves Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[21-Ed25519 CipherString and Curves Selection-client] -CipherString = aECDSA -Curves = X25519 -MaxProtocol = TLSv1.2 -SignatureAlgorithms = ECDSA+SHA256:ed25519 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-21] -ExpectedResult = Success -ExpectedServerCertType = Ed25519 -ExpectedServerSignType = Ed25519 - - -# =========================================================== - -[22-Ed448 CipherString and Curves Selection] -ssl_conf = 22-Ed448 CipherString and Curves Selection-ssl - -[22-Ed448 CipherString and Curves Selection-ssl] -server = 22-Ed448 CipherString and Curves Selection-server -client = 22-Ed448 CipherString and Curves Selection-client - -[22-Ed448 CipherString and Curves Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[22-Ed448 CipherString and Curves Selection-client] -CipherString = aECDSA -Curves = X448 -MaxProtocol = TLSv1.2 -SignatureAlgorithms = ECDSA+SHA256:ed448 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem -VerifyMode = Peer - -[test-22] -ExpectedResult = Success -ExpectedServerCertType = Ed448 -ExpectedServerSignType = Ed448 Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf.in =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf.in (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf.in (revision 105949) @@ -330,4 +330,39 @@ }, { + name => "Ed25519 CipherString and Curves Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", + # Excluding P-256 from the supported curves list means server + # certificate should be Ed25519 and not P-256 + "Curves" => "X25519" + }, + test => { + "ExpectedServerCertType" =>, "Ed25519", + "ExpectedServerSignType" =>, "Ed25519", + "ExpectedResult" => "Success" + }, + }, + { + name => "Ed448 CipherString and Curves Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ECDSA+SHA256:ed448", + "VerifyCAFile" => test_pem("root-ed448-cert.pem"), + # Excluding P-256 from the supported curves list means server + # certificate should be Ed25519 and not P-256 + "Curves" => "X448" + }, + test => { + "ExpectedServerCertType" =>, "Ed448", + "ExpectedServerSignType" =>, "Ed448", + "ExpectedResult" => "Success" + }, + }, + { name => "TLS 1.2 Ed25519 Client Auth", server => { @@ -409,39 +444,4 @@ # Note: certificate_authorities not sent for TLS < 1.3 "ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, - { - name => "Ed25519 CipherString and Curves Selection", - server => $server, - client => { - "CipherString" => "aECDSA", - "MaxProtocol" => "TLSv1.2", - "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", - # Excluding P-256 from the supported curves list means server - # certificate should be Ed25519 and not P-256 - "Curves" => "X25519" - }, - test => { - "ExpectedServerCertType" =>, "Ed25519", - "ExpectedServerSignType" =>, "Ed25519", - "ExpectedResult" => "Success" - }, - }, - { - name => "Ed448 CipherString and Curves Selection", - server => $server, - client => { - "CipherString" => "aECDSA", - "MaxProtocol" => "TLSv1.2", - "SignatureAlgorithms" => "ECDSA+SHA256:ed448", - "VerifyCAFile" => test_pem("root-ed448-cert.pem"), - # Excluding P-256 from the supported curves list means server - # certificate should be Ed25519 and not P-256 - "Curves" => "X448" - }, - test => { - "ExpectedServerCertType" =>, "Ed448", - "ExpectedServerSignType" =>, "Ed448", "ExpectedResult" => "Success" }, Index: /trunk/src/libs/openssl-3.1.7/test/ssl-tests/28-seclevel.cnf.in =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/ssl-tests/28-seclevel.cnf.in (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/ssl-tests/28-seclevel.cnf.in (revision 105949) @@ -1,4 +1,4 @@ # -*- mode: perl; -*- -# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use @@ -57,8 +57,5 @@ "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, test => { "ExpectedResult" => "ServerFail" }, - } -); - -our @tests_ec_non_fips = ( + }, { name => "SECLEVEL 3 with P-384 key, X25519 ECDHE", @@ -85,5 +82,4 @@ ); -push @tests_ec, @tests_ec_non_fips unless $fips_mode; push @tests, @tests_ec unless disabled("ec"); push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec"); Index: /trunk/src/libs/openssl-3.1.7/test/sslapitest.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/sslapitest.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/sslapitest.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -2410,4 +2410,5 @@ } + #ifndef OSSL_NO_USABLE_TLS1_3 static SSL_SESSION *sesscache[6]; @@ -3497,23 +3498,4 @@ } -static int check_early_data_timeout(time_t timer) -{ - int res = 0; - - /* - * Early data is time sensitive. We have an approx 8 second allowance - * between writing the early data and reading it. If we exceed that time - * then this test will fail. This can sometimes (rarely) occur in normal CI - * operation. We can try and detect this and just ignore the result of this - * test if it has taken too long. We assume anything over 7 seconds is too - * long - */ - timer = time(NULL) - timer; - if (timer >= 7) - res = TEST_skip("Test took too long, ignoring result"); - - return res; -} - static int test_early_data_read_write(int idx) { @@ -3525,5 +3507,4 @@ size_t readbytes, written, eoedlen, rawread, rawwritten; BIO *rbio; - time_t timer; if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, @@ -3533,18 +3514,11 @@ /* Write and read some early data */ - timer = time(NULL); if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), &written)) - || !TEST_size_t_eq(written, strlen(MSG1))) - goto end; - - if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), - &readbytes), - SSL_READ_EARLY_DATA_SUCCESS)) { - testresult = check_early_data_timeout(timer); - goto end; - } - - if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) + || !TEST_size_t_eq(written, strlen(MSG1)) + || !TEST_int_eq(SSL_read_early_data(serverssl, buf, + sizeof(buf), &readbytes), + SSL_READ_EARLY_DATA_SUCCESS) + || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)) @@ -3763,5 +3737,4 @@ size_t readbytes, written; unsigned char buf[20]; - time_t timer; allow_ed_cb_called = 0; @@ -3818,5 +3791,4 @@ /* Write and read some early data */ - timer = time(NULL); if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), &written)) @@ -3839,9 +3811,6 @@ if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), &readbytes), - SSL_READ_EARLY_DATA_SUCCESS)) { - testresult = check_early_data_timeout(timer); - goto end; - } - if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes) + SSL_READ_EARLY_DATA_SUCCESS) + || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes) /* * Server will have sent its flight so client can now send @@ -3946,5 +3915,5 @@ goto end; #else - if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384"))) + if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) goto end; #endif @@ -4360,6 +4329,4 @@ goto end; } else { - time_t timer = time(NULL); - if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), &written))) @@ -4367,10 +4334,6 @@ if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), - &readbytes), readearlyres)) { - testresult = check_early_data_timeout(timer); - goto end; - } - - if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS + &readbytes), readearlyres) + || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus) @@ -4410,5 +4373,4 @@ size_t readbytes, written; const SSL_CIPHER *cipher; - time_t timer; const char *cipher_str[] = { TLS1_3_RFC_AES_128_GCM_SHA256, @@ -4462,5 +4424,4 @@ SSL_set_connect_state(clientssl); - timer = time(NULL); if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), &written))) @@ -4469,10 +4430,6 @@ if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), &readbytes), - SSL_READ_EARLY_DATA_SUCCESS)) { - testresult = check_early_data_timeout(timer); - goto end; - } - - if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) + SSL_READ_EARLY_DATA_SUCCESS) + || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED) @@ -4915,12 +4872,8 @@ break; case 4: - if (is_fips) - return TEST_skip("X25519 might not be supported by fips provider."); kexch_alg = NID_X25519; kexch_name0 = "x25519"; break; case 5: - if (is_fips) - return TEST_skip("X448 might not be supported by fips provider."); kexch_alg = NID_X448; kexch_name0 = "x448"; @@ -5137,7 +5090,4 @@ expectednid = kexch_alg; - if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448)) - return TEST_skip("X25519 and X448 might not be available in fips provider."); - if (!istls13) max_version = TLS1_2_VERSION; @@ -5561,5 +5511,5 @@ goto end; #else - if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384"))) + if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) goto end; #endif @@ -7525,5 +7475,4 @@ size_t written, readbytes; unsigned char buf[80]; - time_t timer; /* early_data tests */ @@ -7540,18 +7489,11 @@ /* Write and read some early data and then complete the connection */ - timer = time(NULL); if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), &written)) - || !TEST_size_t_eq(written, strlen(MSG1))) - goto end; - - if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, - sizeof(buf), &readbytes), - SSL_READ_EARLY_DATA_SUCCESS)) { - testresult = check_early_data_timeout(timer); - goto end; - } - - if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) + || !TEST_size_t_eq(written, strlen(MSG1)) + || !TEST_int_eq(SSL_read_early_data(serverssl, buf, + sizeof(buf), &readbytes), + SSL_READ_EARLY_DATA_SUCCESS) + || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED) @@ -9021,124 +8963,4 @@ /* - * Test that a session cache overflow works as expected - * Test 0: TLSv1.3, timeout on new session later than old session - * Test 1: TLSv1.2, timeout on new session later than old session - * Test 2: TLSv1.3, timeout on new session earlier than old session - * Test 3: TLSv1.2, timeout on new session earlier than old session - */ -#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) -static int test_session_cache_overflow(int idx) -{ - SSL_CTX *sctx = NULL, *cctx = NULL; - SSL *serverssl = NULL, *clientssl = NULL; - int testresult = 0; - SSL_SESSION *sess = NULL; - -#ifdef OSSL_NO_USABLE_TLS1_3 - /* If no TLSv1.3 available then do nothing in this case */ - if (idx % 2 == 0) - return TEST_skip("No TLSv1.3 available"); -#endif -#ifdef OPENSSL_NO_TLS1_2 - /* If no TLSv1.2 available then do nothing in this case */ - if (idx % 2 == 1) - return TEST_skip("No TLSv1.2 available"); -#endif - - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), TLS1_VERSION, - (idx % 2 == 0) ? TLS1_3_VERSION - : TLS1_2_VERSION, - &sctx, &cctx, cert, privkey)) - || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))) - goto end; - - SSL_CTX_sess_set_get_cb(sctx, get_session_cb); - get_sess_val = NULL; - - SSL_CTX_sess_set_cache_size(sctx, 1); - - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, - NULL, NULL))) - goto end; - - if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) - goto end; - - if (idx > 1) { - sess = SSL_get_session(serverssl); - if (!TEST_ptr(sess)) - goto end; - - /* - * Cause this session to have a longer timeout than the next session to - * be added. - */ - if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) { - sess = NULL; - goto end; - } - sess = NULL; - } - - SSL_shutdown(serverssl); - SSL_shutdown(clientssl); - SSL_free(serverssl); - SSL_free(clientssl); - serverssl = clientssl = NULL; - - /* - * Session cache size is 1 and we already populated the cache with a session - * so the next connection should cause an overflow. - */ - - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, - NULL, NULL))) - goto end; - - if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) - goto end; - - /* - * The session we just negotiated may have been already removed from the - * internal cache - but we will return it anyway from our external cache. - */ - get_sess_val = SSL_get_session(serverssl); - if (!TEST_ptr(get_sess_val)) - goto end; - sess = SSL_get1_session(clientssl); - if (!TEST_ptr(sess)) - goto end; - - SSL_shutdown(serverssl); - SSL_shutdown(clientssl); - SSL_free(serverssl); - SSL_free(clientssl); - serverssl = clientssl = NULL; - - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, - NULL, NULL))) - goto end; - - if (!TEST_true(SSL_set_session(clientssl, sess))) - goto end; - - if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) - goto end; - - testresult = 1; - - end: - SSL_free(serverssl); - SSL_free(clientssl); - SSL_CTX_free(sctx); - SSL_CTX_free(cctx); - SSL_SESSION_free(sess); - - return testresult; -} -#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ - -/* * Test 0: Client sets servername and server acknowledges it (TLSv1.2) * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2) @@ -9455,8 +9277,17 @@ /* Check that we are not impacted by a provider without any groups */ OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy"); - const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup"; + const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup"; if (!TEST_ptr(tlsprov)) goto end; + + if (legacyprov == NULL) { + /* + * In this case we assume we've been built with "no-legacy" and skip + * this test (there is no OPENSSL_NO_LEGACY) + */ + testresult = 1; + goto end; + } if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), @@ -9469,7 +9300,5 @@ goto end; - /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */ - if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43")) - /* removing a single algorithm from the list makes the test pass */ + if (!TEST_true(SSL_set1_groups_list(serverssl, group_name)) || !TEST_true(SSL_set1_groups_list(clientssl, group_name))) goto end; @@ -10494,4 +10323,25 @@ #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) + +static ENGINE *load_dasync(void) +{ + ENGINE *e; + + if (!TEST_ptr(e = ENGINE_by_id("dasync"))) + return NULL; + + if (!TEST_true(ENGINE_init(e))) { + ENGINE_free(e); + return NULL; + } + + if (!TEST_true(ENGINE_register_ciphers(e))) { + ENGINE_free(e); + return NULL; + } + + return e; +} + /* * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not @@ -10785,537 +10635,4 @@ BIO_free(tmp); set_always_retry_err_val(-1); - return testresult; -} - -struct resume_servername_cb_data { - int i; - SSL_CTX *cctx; - SSL_CTX *sctx; - SSL_SESSION *sess; - int recurse; -}; - -/* - * Servername callback. We use it here to run another complete handshake using - * the same session - and mark the session as not_resuamble at the end - */ -static int resume_servername_cb(SSL *s, int *ad, void *arg) -{ - struct resume_servername_cb_data *cbdata = arg; - SSL *serverssl = NULL, *clientssl = NULL; - int ret = SSL_TLSEXT_ERR_ALERT_FATAL; - - if (cbdata->recurse) - return SSL_TLSEXT_ERR_ALERT_FATAL; - - if ((cbdata->i % 3) != 1) - return SSL_TLSEXT_ERR_OK; - - cbdata->recurse = 1; - - if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl, - &clientssl, NULL, NULL)) - || !TEST_true(SSL_set_session(clientssl, cbdata->sess))) - goto end; - - ERR_set_mark(); - /* - * We expect this to fail - because the servername cb will fail. This will - * mark the session as not_resumable. - */ - if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) { - ERR_clear_last_mark(); - goto end; - } - ERR_pop_to_mark(); - - ret = SSL_TLSEXT_ERR_OK; - end: - SSL_free(serverssl); - SSL_free(clientssl); - cbdata->recurse = 0; - return ret; -} - -/* - * Test multiple resumptions and cache size handling - * Test 0: TLSv1.3 (max_early_data set) - * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set) - * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set) - * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes) - * Test 4: TLSv1.2 - */ -static int test_multi_resume(int idx) -{ - SSL_CTX *sctx = NULL, *cctx = NULL; - SSL *serverssl = NULL, *clientssl = NULL; - SSL_SESSION *sess = NULL; - int max_version = TLS1_3_VERSION; - int i, testresult = 0; - struct resume_servername_cb_data cbdata; - -#if defined(OPENSSL_NO_TLS1_2) - if (idx == 4) - return TEST_skip("TLSv1.2 is disabled in this build"); -#else - if (idx == 4) - max_version = TLS1_2_VERSION; -#endif -#if defined(OSSL_NO_USABLE_TLS1_3) - if (idx != 4) - return TEST_skip("No usable TLSv1.3 in this build"); -#endif - - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), TLS1_VERSION, - max_version, &sctx, &cctx, cert, - privkey))) - goto end; - - /* - * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for - * replay protection), or if SSL_OP_NO_TICKET is in use - */ - if (idx == 0 || idx == 2) { - if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024))) - goto end; - } - if (idx == 1 || idx == 2 || idx == 3) - SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); - - SSL_CTX_sess_set_cache_size(sctx, 5); - - if (idx == 3) { - SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb); - SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata); - cbdata.cctx = cctx; - cbdata.sctx = sctx; - cbdata.recurse = 0; - } - - for (i = 0; i < 30; i++) { - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, - NULL, NULL)) - || !TEST_true(SSL_set_session(clientssl, sess))) - goto end; - - /* - * Check simultaneous resumes. We pause the connection part way through - * the handshake by (mis)using the servername_cb. The pause occurs after - * session resumption has already occurred, but before any session - * tickets have been issued. While paused we run another complete - * handshake resuming the same session. - */ - if (idx == 3) { - cbdata.i = i; - cbdata.sess = sess; - } - - /* - * Recreate a bug where dynamically changing the max_early_data value - * can cause sessions in the session cache which cannot be deleted. - */ - if ((idx == 0 || idx == 2) && (i % 3) == 2) - SSL_set_max_early_data(serverssl, 0); - - if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) - goto end; - - if (sess == NULL || (idx == 0 && (i % 3) == 2)) { - if (!TEST_false(SSL_session_reused(clientssl))) - goto end; - } else { - if (!TEST_true(SSL_session_reused(clientssl))) - goto end; - } - SSL_SESSION_free(sess); - - /* Do a full handshake, followed by two resumptions */ - if ((i % 3) == 2) { - sess = NULL; - } else { - if (!TEST_ptr((sess = SSL_get1_session(clientssl)))) - goto end; - } - - SSL_shutdown(clientssl); - SSL_shutdown(serverssl); - SSL_free(serverssl); - SSL_free(clientssl); - serverssl = clientssl = NULL; - } - - /* We should never exceed the session cache size limit */ - if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5)) - goto end; - - testresult = 1; - end: - SSL_free(serverssl); - SSL_free(clientssl); - SSL_CTX_free(sctx); - SSL_CTX_free(cctx); - SSL_SESSION_free(sess); - return testresult; -} - -static struct next_proto_st { - int serverlen; - unsigned char server[40]; - int clientlen; - unsigned char client[40]; - int expected_ret; - size_t selectedlen; - unsigned char selected[40]; -} next_proto_tests[] = { - { - 4, { 3, 'a', 'b', 'c' }, - 4, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NEGOTIATED, - 3, { 'a', 'b', 'c' } - }, - { - 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' }, - 4, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NEGOTIATED, - 3, { 'a', 'b', 'c' } - }, - { - 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', }, - 4, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NEGOTIATED, - 3, { 'a', 'b', 'c' } - }, - { - 4, { 3, 'a', 'b', 'c' }, - 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', }, - OPENSSL_NPN_NEGOTIATED, - 3, { 'a', 'b', 'c' } - }, - { - 4, { 3, 'a', 'b', 'c' }, - 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, - OPENSSL_NPN_NEGOTIATED, - 3, { 'a', 'b', 'c' } - }, - { - 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' }, - 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, - OPENSSL_NPN_NEGOTIATED, - 3, { 'a', 'b', 'c' } - }, - { - 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' }, - 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, - OPENSSL_NPN_NEGOTIATED, - 3, { 'a', 'b', 'c' } - }, - { - 4, { 3, 'b', 'c', 'd' }, - 4, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NO_OVERLAP, - 3, { 'a', 'b', 'c' } - }, - { - 0, { 0 }, - 4, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NO_OVERLAP, - 3, { 'a', 'b', 'c' } - }, - { - -1, { 0 }, - 4, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NO_OVERLAP, - 3, { 'a', 'b', 'c' } - }, - { - 4, { 3, 'a', 'b', 'c' }, - 0, { 0 }, - OPENSSL_NPN_NO_OVERLAP, - 0, { 0 } - }, - { - 4, { 3, 'a', 'b', 'c' }, - -1, { 0 }, - OPENSSL_NPN_NO_OVERLAP, - 0, { 0 } - }, - { - 3, { 3, 'a', 'b', 'c' }, - 4, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NO_OVERLAP, - 3, { 'a', 'b', 'c' } - }, - { - 4, { 3, 'a', 'b', 'c' }, - 3, { 3, 'a', 'b', 'c' }, - OPENSSL_NPN_NO_OVERLAP, - 0, { 0 } - } -}; - -static int test_select_next_proto(int idx) -{ - struct next_proto_st *np = &next_proto_tests[idx]; - int ret = 0; - unsigned char *out, *client, *server; - unsigned char outlen; - unsigned int clientlen, serverlen; - - if (np->clientlen == -1) { - client = NULL; - clientlen = 0; - } else { - client = np->client; - clientlen = (unsigned int)np->clientlen; - } - if (np->serverlen == -1) { - server = NULL; - serverlen = 0; - } else { - server = np->server; - serverlen = (unsigned int)np->serverlen; - } - - if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen, - client, clientlen), - np->expected_ret)) - goto err; - - if (np->selectedlen == 0) { - if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0)) - goto err; - } else { - if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen)) - goto err; - } - - ret = 1; - err: - return ret; -} - -static const unsigned char fooprot[] = {3, 'f', 'o', 'o' }; -static const unsigned char barprot[] = {3, 'b', 'a', 'r' }; - -#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) -static int npn_advert_cb(SSL *ssl, const unsigned char **out, - unsigned int *outlen, void *arg) -{ - int *idx = (int *)arg; - - switch (*idx) { - default: - case 0: - *out = fooprot; - *outlen = sizeof(fooprot); - return SSL_TLSEXT_ERR_OK; - - case 1: - *outlen = 0; - return SSL_TLSEXT_ERR_OK; - - case 2: - return SSL_TLSEXT_ERR_NOACK; - } -} - -static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, void *arg) -{ - int *idx = (int *)arg; - - switch (*idx) { - case 0: - case 1: - *out = (unsigned char *)(fooprot + 1); - *outlen = *fooprot; - return SSL_TLSEXT_ERR_OK; - - case 3: - *out = (unsigned char *)(barprot + 1); - *outlen = *barprot; - return SSL_TLSEXT_ERR_OK; - - case 4: - *outlen = 0; - return SSL_TLSEXT_ERR_OK; - - default: - case 2: - return SSL_TLSEXT_ERR_ALERT_FATAL; - } -} - -/* - * Test the NPN callbacks - * Test 0: advert = foo, select = foo - * Test 1: advert = , select = foo - * Test 2: no advert - * Test 3: advert = foo, select = bar - * Test 4: advert = foo, select = (should fail) - */ -static int test_npn(int idx) -{ - SSL_CTX *sctx = NULL, *cctx = NULL; - SSL *serverssl = NULL, *clientssl = NULL; - int testresult = 0; - - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), 0, TLS1_2_VERSION, - &sctx, &cctx, cert, privkey))) - goto end; - - SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx); - SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx); - - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, - NULL))) - goto end; - - if (idx == 4) { - /* We don't allow empty selection of NPN, so this should fail */ - if (!TEST_false(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE))) - goto end; - } else { - const unsigned char *prot; - unsigned int protlen; - - if (!TEST_true(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE))) - goto end; - - SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen); - switch (idx) { - case 0: - case 1: - if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) - goto end; - break; - case 2: - if (!TEST_uint_eq(protlen, 0)) - goto end; - break; - case 3: - if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot)) - goto end; - break; - default: - TEST_error("Should not get here"); - goto end; - } - } - - testresult = 1; - end: - SSL_free(serverssl); - SSL_free(clientssl); - SSL_CTX_free(sctx); - SSL_CTX_free(cctx); - - return testresult; -} -#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */ - -static int alpn_select_cb2(SSL *ssl, const unsigned char **out, - unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg) -{ - int *idx = (int *)arg; - - switch (*idx) { - case 0: - *out = (unsigned char *)(fooprot + 1); - *outlen = *fooprot; - return SSL_TLSEXT_ERR_OK; - - case 2: - *out = (unsigned char *)(barprot + 1); - *outlen = *barprot; - return SSL_TLSEXT_ERR_OK; - - case 3: - *outlen = 0; - return SSL_TLSEXT_ERR_OK; - - default: - case 1: - return SSL_TLSEXT_ERR_ALERT_FATAL; - } - return 0; -} - -/* - * Test the ALPN callbacks - * Test 0: client = foo, select = foo - * Test 1: client = , select = none - * Test 2: client = foo, select = bar (should fail) - * Test 3: client = foo, select = (should fail) - */ -static int test_alpn(int idx) -{ - SSL_CTX *sctx = NULL, *cctx = NULL; - SSL *serverssl = NULL, *clientssl = NULL; - int testresult = 0; - const unsigned char *prots = fooprot; - unsigned int protslen = sizeof(fooprot); - - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), 0, 0, - &sctx, &cctx, cert, privkey))) - goto end; - - SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx); - - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, - NULL))) - goto end; - - if (idx == 1) { - prots = NULL; - protslen = 0; - } - - /* SSL_set_alpn_protos returns 0 for success! */ - if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen))) - goto end; - - if (idx == 2 || idx == 3) { - /* We don't allow empty selection of NPN, so this should fail */ - if (!TEST_false(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE))) - goto end; - } else { - const unsigned char *prot; - unsigned int protlen; - - if (!TEST_true(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE))) - goto end; - - SSL_get0_alpn_selected(clientssl, &prot, &protlen); - switch (idx) { - case 0: - if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) - goto end; - break; - case 1: - if (!TEST_uint_eq(protlen, 0)) - goto end; - break; - default: - TEST_error("Should not get here"); - goto end; - } - } - - testresult = 1; - end: - SSL_free(serverssl); - SSL_free(clientssl); - SSL_CTX_free(sctx); - SSL_CTX_free(cctx); - return testresult; } @@ -11606,7 +10923,4 @@ ADD_TEST(test_set_verify_cert_store_ssl); ADD_ALL_TESTS(test_session_timeout, 1); -#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) - ADD_ALL_TESTS(test_session_cache_overflow, 4); -#endif ADD_TEST(test_load_dhfile); #ifndef OSSL_NO_USABLE_TLS1_3 @@ -11621,10 +10935,4 @@ #endif ADD_ALL_TESTS(test_handshake_retry, 16); - ADD_ALL_TESTS(test_multi_resume, 5); - ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); -#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) - ADD_ALL_TESTS(test_npn, 5); -#endif - ADD_ALL_TESTS(test_alpn, 4); return 1; Index: /trunk/src/libs/openssl-3.1.7/test/sslbuffertest.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/sslbuffertest.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/sslbuffertest.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); @@ -9,17 +9,8 @@ */ -/* - * We need access to the deprecated low level Engine APIs for legacy purposes - * when the deprecated calls are not hidden - */ -#ifndef OPENSSL_NO_DEPRECATED_3_0 -# define OPENSSL_SUPPRESS_DEPRECATED -#endif - #include #include #include #include -#include #include "internal/packet.h" @@ -160,164 +151,4 @@ } -/* - * Test that attempting to free the buffers at points where they cannot be freed - * works as expected - * Test 0: Attempt to free buffers after a full record has been processed, but - * the application has only performed a partial read - * Test 1: Attempt to free buffers after only a partial record header has been - * received - * Test 2: Attempt to free buffers after a full record header but no record body - * Test 3: Attempt to free buffers after a full record hedaer and partial record - * body - * Test 4-7: We repeat tests 0-3 but including data from a second pipelined - * record - */ -static int test_free_buffers(int test) -{ - int result = 0; - SSL *serverssl = NULL, *clientssl = NULL; - const char testdata[] = "Test data"; - char buf[120]; - size_t written, readbytes; - int i, pipeline = test > 3; - ENGINE *e = NULL; - - if (pipeline) { - e = load_dasync(); - if (e == NULL) - goto end; - test -= 4; - } - - if (!TEST_true(create_ssl_objects(serverctx, clientctx, &serverssl, - &clientssl, NULL, NULL))) - goto end; - - if (pipeline) { - if (!TEST_true(SSL_set_cipher_list(serverssl, "AES128-SHA")) - || !TEST_true(SSL_set_max_proto_version(serverssl, - TLS1_2_VERSION)) - || !TEST_true(SSL_set_max_pipelines(serverssl, 2))) - goto end; - } - - if (!TEST_true(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE))) - goto end; - - /* - * For the non-pipeline case we write one record. For pipelining we write - * two records. - */ - for (i = 0; i <= pipeline; i++) { - if (!TEST_true(SSL_write_ex(clientssl, testdata, strlen(testdata), - &written))) - goto end; - } - - if (test == 0) { - size_t readlen = 1; - - /* - * Deliberately only read the first byte - so the remaining bytes are - * still buffered. In the pipelining case we read as far as the first - * byte from the second record. - */ - if (pipeline) - readlen += strlen(testdata); - - if (!TEST_true(SSL_read_ex(serverssl, buf, readlen, &readbytes)) - || !TEST_size_t_eq(readlen, readbytes)) - goto end; - } else { - BIO *tmp; - size_t partial_len; - - /* Remove all the data that is pending for read by the server */ - tmp = SSL_get_rbio(serverssl); - if (!TEST_true(BIO_read_ex(tmp, buf, sizeof(buf), &readbytes)) - || !TEST_size_t_lt(readbytes, sizeof(buf)) - || !TEST_size_t_gt(readbytes, SSL3_RT_HEADER_LENGTH)) - goto end; - - switch(test) { - case 1: - partial_len = SSL3_RT_HEADER_LENGTH - 1; - break; - case 2: - partial_len = SSL3_RT_HEADER_LENGTH; - break; - case 3: - partial_len = readbytes - 1; - break; - default: - TEST_error("Invalid test index"); - goto end; - } - - if (pipeline) { - /* We happen to know the first record is 57 bytes long */ - const size_t first_rec_len = 57; - - if (test != 3) - partial_len += first_rec_len; - - /* - * Sanity check. If we got the record len right then this should - * never fail. - */ - if (!TEST_int_eq(buf[first_rec_len], SSL3_RT_APPLICATION_DATA)) - goto end; - } - - /* - * Put back just the partial record (plus the whole initial record in - * the pipelining case) - */ - if (!TEST_true(BIO_write_ex(tmp, buf, partial_len, &written))) - goto end; - - if (pipeline) { - /* - * Attempt a read. This should pass but only return data from the - * first record. Only a partial record is available for the second - * record. - */ - if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), - &readbytes)) - || !TEST_size_t_eq(readbytes, strlen(testdata))) - goto end; - } else { - /* - * Attempt a read. This should fail because only a partial record is - * available. - */ - if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), - &readbytes))) - goto end; - } - } - - /* - * Attempting to free the buffers at this point should fail because they are - * still in use - */ - if (!TEST_false(SSL_free_buffers(serverssl))) - goto end; - - result = 1; - end: - SSL_free(clientssl); - SSL_free(serverssl); -#ifndef OPENSSL_NO_DYNAMIC_ENGINE - if (e != NULL) { - ENGINE_unregister_ciphers(e); - ENGINE_finish(e); - ENGINE_free(e); - } -#endif - return result; -} - OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n") @@ -343,9 +174,4 @@ ADD_ALL_TESTS(test_func, 9); -#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) - ADD_ALL_TESTS(test_free_buffers, 8); -#else - ADD_ALL_TESTS(test_free_buffers, 4); -#endif return 1; } Index: /trunk/src/libs/openssl-3.1.7/test/test.cnf =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/test.cnf (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/test.cnf (revision 105949) @@ -73,8 +73,2 @@ emailAddress = email field emailAddress_value = eay@mincom.oz.au - -[ dirname_sec ] -C = UK -O = My Organization -OU = My Unit -CN = My Name Index: /trunk/src/libs/openssl-3.1.7/test/tls-provider.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/tls-provider.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/tls-provider.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -186,6 +186,4 @@ /* Register our 2 groups */ - OPENSSL_assert(xor_group.group_id >= 65024 - && xor_group.group_id < 65279 - NUM_DUMMY_GROUPS); ret = cb(xor_group_params, arg); ret &= cb(xor_kemgroup_params, arg); @@ -199,5 +197,4 @@ for (i = 0; i < NUM_DUMMY_GROUPS; i++) { OSSL_PARAM dummygroup[OSSL_NELEM(xor_group_params)]; - unsigned int dummygroup_id; memcpy(dummygroup, xor_group_params, sizeof(xor_group_params)); @@ -214,7 +211,4 @@ dummygroup[0].data = dummy_group_names[i]; dummygroup[0].data_size = strlen(dummy_group_names[i]) + 1; - /* assign unique group IDs also to dummy groups for registration */ - dummygroup_id = 65279 - NUM_DUMMY_GROUPS + i; - dummygroup[3].data = (unsigned char*)&dummygroup_id; ret &= cb(dummygroup, arg); } @@ -824,8 +818,7 @@ /* * Ensure group_id is within the IANA Reserved for private use range - * (65024-65279). - * Carve out NUM_DUMMY_GROUPS ids for properly registering those. + * (65024-65279) */ - group_id %= 65279 - NUM_DUMMY_GROUPS - 65024; + group_id %= 65279 - 65024; group_id += 65024; Index: /trunk/src/libs/openssl-3.1.7/test/v3ext.c =================================================================== --- /trunk/src/libs/openssl-3.1.7/test/v3ext.c (revision 105948) +++ /trunk/src/libs/openssl-3.1.7/test/v3ext.c (revision 105949) @@ -1,4 +1,4 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -270,9 +270,6 @@ if (!ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen)) goto end; - - /* Push and transfer memory ownership to stack */ if (!sk_IPAddressFamily_push(addr, f1)) goto end; - f1 = NULL; /* Shouldn't be able to canonize this as the len is > 3*/ @@ -280,8 +277,8 @@ goto end; - /* Pop and free the new stack element */ - IPAddressFamily_free(sk_IPAddressFamily_pop(addr)); - - /* Create a well-formed IPAddressFamily */ + /* Create a well formed IPAddressFamily */ + f1 = sk_IPAddressFamily_pop(addr); + IPAddressFamily_free(f1); + key[0] = (afi >> 8) & 0xFF; key[1] = afi & 0xFF; @@ -301,9 +298,6 @@ /* Mark this as inheritance so we skip some of the is_canonize checks */ f1->ipAddressChoice->type = IPAddressChoice_inherit; - - /* Push and transfer memory ownership to stack */ if (!sk_IPAddressFamily_push(addr, f1)) goto end; - f1 = NULL; /* Should be able to canonize now */ @@ -313,8 +307,5 @@ testresult = 1; end: - /* Free stack and any memory owned by detached element */ - IPAddressFamily_free(f1); sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); - ASN1_OCTET_STRING_free(ip1); ASN1_OCTET_STRING_free(ip2);