[openssl] master update

2021-12-09 Thread tomas
The branch master has been updated
   via  2e3b82926a8cdae5a1bfbf3ac47a6012c270391b (commit)
  from  c37ebbd6f97d23b291c49c4ae2b94c27d732de30 (commit)


- Log -
commit 2e3b82926a8cdae5a1bfbf3ac47a6012c270391b
Author: Tianjia Zhang 
Date:   Wed Dec 8 15:53:49 2021 +0800

apps/s_server: Correct s_server to return the correct file path

When s_server responds to a file data with the -WWW parameter, it
always gets a path named "GET". In this case, we need to skip the
"GET /" character to get the correct file path.

Signed-off-by: Tianjia Zhang 

Reviewed-by: Paul Yang 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17231)

---

Summary of changes:
 apps/s_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 6b0e013ca7..e0a52287ee 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3220,7 +3220,7 @@ static int www_body(int s, int stype, int prot, unsigned 
char *context)
 }
 BIO_puts(io, "\r\n\r\n");
 break;
-} else if ((www == 2 || www == 3) && HAS_PREFIX(p, "GET /")) {
+} else if ((www == 2 || www == 3) && CHECK_AND_SKIP_PREFIX(p, "GET 
/")) {
 BIO *file;
 char *e;
 static const char *text =
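Review bot: the prefix test in the `else if` now advances `p` as a side effect, so from this line on `p` holds the client-supplied file name rather than the request line; a one-line comment saying so would help the next reader. Because that name is what gets opened for -WWW, please also confirm that the path checks further down this branch (outside this hunk) operate on the advanced pointer, and add a test that requests a known file so a path of "GET" cannot come back.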


[openssl] OpenSSL_1_1_1-stable update

2021-12-09 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  f560b4cda1d3d8f8d7f5355a1f797699241a3ae8 (commit)
  from  ca607d6e94e11f5332abcc8fa4a4ccb967347efa (commit)


- Log -
commit f560b4cda1d3d8f8d7f5355a1f797699241a3ae8
Author: Tomas Mraz 
Date:   Mon Dec 6 12:38:48 2021 +0100

CI: Replace windows-2016 with windows-2022

Windows 2016 environment is going to be discontinued.

We also replace windows-latest with windows-2019 so
there aren't two identical builds done once windows-latest
is switched to mean windows-2022.

Fixes #17177

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17211)

---

Summary of changes:
 .github/workflows/windows.yml | 15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index c11242a56f..6f1b50552e 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -9,8 +9,8 @@ jobs:
 strategy:
   matrix:
 os:
-- windows-latest
-- windows-2016
+- windows-2019
+- windows-2022
 platform:
 - arch: win64
   config: VC-WIN64A
@@ -25,6 +25,7 @@ jobs:
 - uses: ilammy/setup-nasm@v1
   with:
 platform: ${{ matrix.platform.arch }}
+- uses: shogo82148/actions-setup-perl@v1
 - name: prepare the build directory
   run: mkdir _build
 - name: config
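Review bot: `shogo82148/actions-setup-perl@v1` is a third-party action referenced by a movable tag, here and in the two later jobs; pinning it to a full commit SHA (with the tag in a trailing comment) keeps a retagged release from changing what runs in CI. The commit message also does not say why a Perl setup step is needed for the new images; a sentence there or a YAML comment would help.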
@@ -49,12 +50,13 @@ jobs:
 strategy:
   matrix:
 os:
-- windows-latest
-- windows-2016
+- windows-2019
+- windows-2022
 runs-on: ${{matrix.os}}
 steps:
 - uses: actions/checkout@v2
 - uses: ilammy/msvc-dev-cmd@v1
+- uses: shogo82148/actions-setup-perl@v1
 - name: prepare the build directory
   run: mkdir _build
 - name: config
@@ -72,12 +74,13 @@ jobs:
 strategy:
   matrix:
 os:
-- windows-latest
-- windows-2016
+- windows-2019
+- windows-2022
 runs-on: ${{matrix.os}}
 steps:
 - uses: actions/checkout@v2
 - uses: ilammy/msvc-dev-cmd@v1
+- uses: shogo82148/actions-setup-perl@v1
 - name: prepare the build directory
   run: mkdir _build
 - name: config


[openssl] openssl-3.0 update

2021-12-09 Thread tomas
The branch openssl-3.0 has been updated
   via  7174656d82b724a36948b2ac30a3c6f7e4cc12e4 (commit)
  from  075b1b4dcd33259ece3fe2cdc1847af190105c84 (commit)


- Log -
commit 7174656d82b724a36948b2ac30a3c6f7e4cc12e4
Author: Tomas Mraz 
Date:   Wed Dec 8 12:54:52 2021 +0100

Windows CI: explicitly use windows-2019 instead of using windows-latest

Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/17234)

(cherry picked from commit c37ebbd6f97d23b291c49c4ae2b94c27d732de30)

---

Summary of changes:
 .github/workflows/windows.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 553e0c3650..c530ba0780 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -15,7 +15,7 @@ jobs:
 strategy:
   matrix:
 os:
-  - windows-latest
+  - windows-2019
   - windows-2022
 platform:
   - arch: win64
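Review bot: the reason for replacing `windows-latest` with `windows-2019` in the `os:` matrix is not given in this commit message; the 1.1.1 change on this page states it (avoiding two identical builds once windows-latest means windows-2022). A YAML comment carrying that reason, plus a reminder that the pinned image needs a manual bump when it is retired, would make the pin self-explanatory.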
@@ -56,7 +56,7 @@ jobs:
 strategy:
   matrix:
 os:
-  - windows-latest
+  - windows-2019
   - windows-2022
 runs-on: ${{matrix.os}}
 steps:
@@ -80,7 +80,7 @@ jobs:
 strategy:
   matrix:
 os:
-  - windows-latest
+  - windows-2019
   - windows-2022
 runs-on: ${{matrix.os}}
 steps:


[openssl] master update

2021-12-09 Thread tomas
The branch master has been updated
   via  c37ebbd6f97d23b291c49c4ae2b94c27d732de30 (commit)
  from  ecf60b9e27c041e7c95669b52a399fc2f20fd0fe (commit)


- Log -
commit c37ebbd6f97d23b291c49c4ae2b94c27d732de30
Author: Tomas Mraz 
Date:   Wed Dec 8 12:54:52 2021 +0100

Windows CI: explicitly use windows-2019 instead of using windows-latest

Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/17234)

---

Summary of changes:
 .github/workflows/windows.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 553e0c3650..c530ba0780 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -15,7 +15,7 @@ jobs:
 strategy:
   matrix:
 os:
-  - windows-latest
+  - windows-2019
   - windows-2022
 platform:
   - arch: win64
@@ -56,7 +56,7 @@ jobs:
 strategy:
   matrix:
 os:
-  - windows-latest
+  - windows-2019
   - windows-2022
 runs-on: ${{matrix.os}}
 steps:
@@ -80,7 +80,7 @@ jobs:
 strategy:
   matrix:
 os:
-  - windows-latest
+  - windows-2019
   - windows-2022
 runs-on: ${{matrix.os}}
 steps:


[openssl] master update

2021-12-09 Thread Dr . Paul Dale
The branch master has been updated
   via  ecf60b9e27c041e7c95669b52a399fc2f20fd0fe (commit)
   via  318e97997a514b16ca497cedb49730bc75764a05 (commit)
  from  44fde441937fc8db8ea6a7ac2e7c683ad9d5f8e0 (commit)


- Log -
commit ecf60b9e27c041e7c95669b52a399fc2f20fd0fe
Author: x2018 
Date:   Wed Dec 1 16:15:44 2021 +0800

remove redundant ERR_raise

Reviewed-by: Shane Lontis 
Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17175)

commit 318e97997a514b16ca497cedb49730bc75764a05
Author: x2018 
Date:   Wed Dec 1 14:29:58 2021 +0800

check the return value of BIO_new() in t_x509.c:471 & cmp_vfy.c:36

Reviewed-by: Shane Lontis 
Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17175)

---

Summary of changes:
 crypto/cmp/cmp_vfy.c | 3 ++-
 crypto/x509/t_x509.c | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index d3d9cca0d4..cdfad0a631 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -34,7 +34,8 @@ static int verify_signature(const OSSL_CMP_CTX *cmp_ctx,
 return 0;
 
 bio = BIO_new(BIO_s_mem()); /* may be NULL */
-
+if (bio == NULL)
+return 0;
 /* verify that keyUsage, if present, contains digitalSignature */
 if (!cmp_ctx->ignore_keyusage
 && (X509_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE) == 0) {
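Review bot: the `/* may be NULL */` comment on the `BIO_new()` line is stale once the next line returns on NULL; please drop or reword it. The early `return 0` also makes signature verification fail when only this memory BIO could not be allocated, which is the safe direction but is a behaviour change worth a line in the commit message. The blank line that separated the allocation from the keyUsage check is gone, so adding one after the new `return 0;` would keep the block readable.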
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 95ee5f519f..13ccb35508 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -470,6 +470,8 @@ int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX 
*ctx)
 int cert_error = X509_STORE_CTX_get_error(ctx);
 BIO *bio = BIO_new(BIO_s_mem()); /* may be NULL */
 
+if (bio == NULL)
+return 0;
 BIO_printf(bio, "%s at depth = %d error = %d (%s)\n",
X509_STORE_CTX_get0_parent_ctx(ctx) != NULL
? "CRL path validation"
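Review bot: in this verify callback the new early `return 0` rejects the certificate whenever the memory BIO cannot be allocated, whatever `ok` was on entry, as far as these lines show; if the enclosing block is only entered with `ok == 0` that is equivalent, otherwise say in a comment that failing closed is intended. The `/* may be NULL */` remark on the declaration no longer matches the code after this check.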


[openssl] openssl-3.0 update

2021-12-09 Thread Dr . Paul Dale
The branch openssl-3.0 has been updated
   via  075b1b4dcd33259ece3fe2cdc1847af190105c84 (commit)
  from  f2499f5378d92bf90fdcc16831ebf1f08069ef7a (commit)


- Log -
commit 075b1b4dcd33259ece3fe2cdc1847af190105c84
Author: Sam Eaton 
Date:   Fri Dec 3 14:47:26 2021 -0800

changes opensssl typos to openssl

CLA: trivial

Reviewed-by: Shane Lontis 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17191)

(cherry picked from commit 44fde441937fc8db8ea6a7ac2e7c683ad9d5f8e0)

---

Summary of changes:
 NOTES-VALGRIND.md   | 2 +-
 doc/man1/openssl-mac.pod.in | 2 +-
 include/openssl/macros.h| 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/NOTES-VALGRIND.md b/NOTES-VALGRIND.md
index a37e323e23..2700324efa 100644
--- a/NOTES-VALGRIND.md
+++ b/NOTES-VALGRIND.md
@@ -16,7 +16,7 @@ Requirements
See 
 2. Valgrind installed on the platform
See 
-3. OpensSSL compiled
+3. OpenSSL compiled
See [INSTALL.md](INSTALL.md)
 
 Running Tests
diff --git a/doc/man1/openssl-mac.pod.in b/doc/man1/openssl-mac.pod.in
index b368b79bc7..e76e185e08 100644
--- a/doc/man1/openssl-mac.pod.in
+++ b/doc/man1/openssl-mac.pod.in
@@ -116,7 +116,7 @@ This option is identical to the B<-cipher> option.
 =item I
 
 Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command C.
 
 =back
diff --git a/include/openssl/macros.h b/include/openssl/macros.h
index 7d37798560..a6bc3f1feb 100644
--- a/include/openssl/macros.h
+++ b/include/openssl/macros.h
@@ -20,7 +20,7 @@
 # define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x)
 
 /*
- * Sometimes OPENSSSL_NO_xxx ends up with an empty file and some compilers
+ * Sometimes OPENSSL_NO_xxx ends up with an empty file and some compilers
  * don't like that.  This will hopefully silence them.
  */
 # define NON_EMPTY_TRANSLATION_UNIT static void *dummy = &dummy;


[openssl] master update

2021-12-09 Thread Dr . Paul Dale
The branch master has been updated
   via  44fde441937fc8db8ea6a7ac2e7c683ad9d5f8e0 (commit)
  from  f0fc3c10d0617821a476b34aba1ee77d47a2a64a (commit)


- Log -
commit 44fde441937fc8db8ea6a7ac2e7c683ad9d5f8e0
Author: Sam Eaton 
Date:   Fri Dec 3 14:47:26 2021 -0800

changes opensssl typos to openssl

CLA: trivial

Reviewed-by: Shane Lontis 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17191)

---

Summary of changes:
 NOTES-VALGRIND.md   | 2 +-
 doc/man1/openssl-mac.pod.in | 2 +-
 include/openssl/macros.h| 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/NOTES-VALGRIND.md b/NOTES-VALGRIND.md
index a37e323e23..2700324efa 100644
--- a/NOTES-VALGRIND.md
+++ b/NOTES-VALGRIND.md
@@ -16,7 +16,7 @@ Requirements
See 
 2. Valgrind installed on the platform
See 
-3. OpensSSL compiled
+3. OpenSSL compiled
See [INSTALL.md](INSTALL.md)
 
 Running Tests
diff --git a/doc/man1/openssl-mac.pod.in b/doc/man1/openssl-mac.pod.in
index b368b79bc7..e76e185e08 100644
--- a/doc/man1/openssl-mac.pod.in
+++ b/doc/man1/openssl-mac.pod.in
@@ -116,7 +116,7 @@ This option is identical to the B<-cipher> option.
 =item I
 
 Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command C.
 
 =back
diff --git a/include/openssl/macros.h b/include/openssl/macros.h
index 7d37798560..a6bc3f1feb 100644
--- a/include/openssl/macros.h
+++ b/include/openssl/macros.h
@@ -20,7 +20,7 @@
 # define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x)
 
 /*
- * Sometimes OPENSSSL_NO_xxx ends up with an empty file and some compilers
+ * Sometimes OPENSSL_NO_xxx ends up with an empty file and some compilers
  * don't like that.  This will hopefully silence them.
  */
 # define NON_EMPTY_TRANSLATION_UNIT static void *dummy = &dummy;


Coverity Scan: Analysis completed for openssl/openssl

2021-12-09 Thread scan-admin


Your request for analysis of openssl/openssl has been completed 
successfully.
The results are available at 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DvIN-_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGvCPPlrl6ToYIzX308bdGh4-2Bqd3UbmBuxt4EfCMRwYadd9nbkhHBRxOPo-2Bras8XXKNlI9ikYg4yWfpagsctI5hHZkLHFVljxkPvUOJSEwuWYUoJrWkMYqWEn5vJmnMHMpclQ9z4mgATuUB6PD17aHRoyX8OksYq8tfyHAy2jlC4uwHO-2FYwW8gkR63FwQ35Dxs-3D

Build ID: 422792

Analysis Summary:
   New defects found: 0
   Defects eliminated: 1



[openssl] master update

2021-12-09 Thread Dr . Paul Dale
The branch master has been updated
   via  f0fc3c10d0617821a476b34aba1ee77d47a2a64a (commit)
  from  83b424c3f60a4401fa3e6e41ff7f08e85ee9df94 (commit)


- Log -
commit f0fc3c10d0617821a476b34aba1ee77d47a2a64a
Author: Pauli 
Date:   Wed Dec 8 12:16:42 2021 +1100

fix Coverity 1494649: dead code

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17230)

---

Summary of changes:
 apps/lib/opt.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 3925ec96c3..7967fa7956 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -1036,14 +1036,14 @@ int opt_check_rest_arg(const char *expected)
 return 1;
 opt_printf_stderr("%s: Missing argument: %s\n", prog, expected);
 return 0;
-} else if (expected != NULL) {
-return 1;
 }
+if (expected != NULL)
+return 1;
 if (opt_unknown() == NULL)
 opt_printf_stderr("%s: Extra option: \"%s\"\n", prog, opt);
 else
 opt_printf_stderr("%s: Extra (unknown) options: \"%s\" \"%s\"\n",
-  prog, opt_unknown(), opt != NULL ? opt : "");
+  prog, opt_unknown(), opt);
 return 0;
 }
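Review bot: the last `opt_printf_stderr` call now passes `opt` straight to `%s`, which is only sound if `opt` cannot be NULL on this path; the condition that guarantees it is above the hunk, so a short comment stating the invariant (or an assert) next to the `if (expected != NULL)` line would keep a later refactor from reintroducing a NULL `%s` argument.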
 


[openssl] openssl-3.0 update

2021-12-09 Thread dev
The branch openssl-3.0 has been updated
   via  f2499f5378d92bf90fdcc16831ebf1f08069ef7a (commit)
  from  907b966981a1d6f1e1fcbf0ab752e040a49f1475 (commit)


- Log -
commit f2499f5378d92bf90fdcc16831ebf1f08069ef7a
Author: Dr. David von Oheimb 
Date:   Tue Dec 7 07:32:12 2021 +0100

APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make 
sense with no-sock

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17226)

(cherry picked from commit 83b424c3f60a4401fa3e6e41ff7f08e85ee9df94)

---

Summary of changes:
 apps/cmp.c  | 127 +---
 doc/man1/openssl-cmp.pod.in |  12 ++---
 2 files changed, 102 insertions(+), 37 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index d0f127d3ea..01a437fe48 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -9,6 +9,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+/* This app is disabled when OPENSSL_NO_CMP is defined. */
+
 #include 
 #include 
 
@@ -66,12 +68,13 @@ typedef enum {
 } cmp_cmd_t;
 
 /* message transfer */
+#ifndef OPENSSL_NO_SOCK
 static char *opt_server = NULL;
-static char server_port[32] = { '\0' };
-static char *opt_path = NULL;
 static char *opt_proxy = NULL;
 static char *opt_no_proxy = NULL;
+#endif
 static char *opt_recipient = NULL;
+static char *opt_path = NULL;
 static int opt_keep_alive = 1;
 static int opt_msg_timeout = -1;
 static int opt_total_timeout = -1;
@@ -137,6 +140,7 @@ static int opt_keyform = FORMAT_UNDEF;
 static char *opt_otherpass = NULL;
 static char *opt_engine = NULL;
 
+#ifndef OPENSSL_NO_SOCK
 /* TLS connection */
 static int opt_tls_used = 0;
 static char *opt_tls_cert = NULL;
@@ -145,6 +149,7 @@ static char *opt_tls_keypass = NULL;
 static char *opt_tls_extra = NULL;
 static char *opt_tls_trusted = NULL;
 static char *opt_tls_host = NULL;
+#endif
 
 /* client-side debugging */
 static int opt_batch = 0;
@@ -157,9 +162,10 @@ static char *opt_rspout = NULL;
 static int opt_use_mock_srv = 0;
 
 /* server-side debugging */
+#ifndef OPENSSL_NO_SOCK
 static char *opt_port = NULL;
 static int opt_max_msgs = 0;
-
+#endif
 static char *opt_srv_ref = NULL;
 static char *opt_srv_secret = NULL;
 static char *opt_srv_cert = NULL;
@@ -204,8 +210,10 @@ typedef enum OPTION_choice {
 
 OPT_OLDCERT, OPT_REVREASON,
 
-OPT_SERVER, OPT_PATH, OPT_PROXY, OPT_NO_PROXY,
-OPT_RECIPIENT,
+#ifndef OPENSSL_NO_SOCK
+OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
+#endif
+OPT_RECIPIENT, OPT_PATH,
 OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT,
 
 OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT,
@@ -225,15 +233,19 @@ typedef enum OPTION_choice {
 OPT_PROV_ENUM,
 OPT_R_ENUM,
 
+#ifndef OPENSSL_NO_SOCK
 OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
 OPT_TLS_KEYPASS,
 OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
+#endif
 
 OPT_BATCH, OPT_REPEAT,
 OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
 OPT_USE_MOCK_SRV,
 
+#ifndef OPENSSL_NO_SOCK
 OPT_PORT, OPT_MAX_MSGS,
+#endif
 OPT_SRV_REF, OPT_SRV_SECRET,
 OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
 OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
@@ -331,20 +343,25 @@ const OPTIONS cmp_options[] = {
  "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
 
 OPT_SECTION("Message transfer"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock 
build"},
+#else
 {"server", OPT_SERVER, 's',
  "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 
443."},
 {OPT_MORE_STR, 0, 0,
  "address may be a DNS name or an IP address; path can be overridden by 
-path"},
-{"path", OPT_PATH, 's',
- "HTTP path (aka CMP alias) at the CMP server. Default from -server, else 
\"/\""},
 {"proxy", OPT_PROXY, 's',
  "[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is 
ignored"},
 {"no_proxy", OPT_NO_PROXY, 's',
  "List of addresses of servers not to use HTTP(S) proxy for"},
 {OPT_MORE_STR, 0, 0,
  "Default from environment variable 'no_proxy', else 'NO_PROXY', else 
none"},
+#endif
 {"recipient", OPT_RECIPIENT, 's',
  "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or 
-cert"},
+{"path", OPT_PATH, 's',
+ "HTTP path (aka CMP alias) at the CMP server. Default from -server, else 
\"/\""},
 {"keep_alive", OPT_KEEP_ALIVE, 'N',
  "Persistent HTTP connections. 0: no, 1 (the default): request, 2: 
require"},
 {"msg_timeout", OPT_MSG_TIMEOUT, 'N',
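Review bot: `-path` is moved out of the `#else` branch so it stays available in no-sock builds, but its help text still reads "Default from -server, else "/"" while `-server` is compiled out there, as the new NOTE line says; consider making that default text conditional or wording it so it does not point at an unavailable option.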
@@ -419,6 +436,10 @@ const OPTIONS cmp_options[] = {
 OPT_R_OPTIONS,
 
 OPT_SECTION("TLS connection"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -tls_used and all other TLS options not supported due to no-sock 
build"},
+#else
 {"

[openssl] master update

2021-12-09 Thread dev
The branch master has been updated
   via  83b424c3f60a4401fa3e6e41ff7f08e85ee9df94 (commit)
  from  c50bf14450f3cd242f2211ca7e500191053d8050 (commit)


- Log -
commit 83b424c3f60a4401fa3e6e41ff7f08e85ee9df94
Author: Dr. David von Oheimb 
Date:   Tue Dec 7 07:32:12 2021 +0100

APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make 
sense with no-sock

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17226)

---

Summary of changes:
 apps/cmp.c  | 127 +---
 doc/man1/openssl-cmp.pod.in |  12 ++---
 2 files changed, 102 insertions(+), 37 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 3082d7d8f6..e35626ebb2 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -9,6 +9,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+/* This app is disabled when OPENSSL_NO_CMP is defined. */
+
 #include 
 #include 
 
@@ -66,12 +68,13 @@ typedef enum {
 } cmp_cmd_t;
 
 /* message transfer */
+#ifndef OPENSSL_NO_SOCK
 static char *opt_server = NULL;
-static char server_port[32] = { '\0' };
-static char *opt_path = NULL;
 static char *opt_proxy = NULL;
 static char *opt_no_proxy = NULL;
+#endif
 static char *opt_recipient = NULL;
+static char *opt_path = NULL;
 static int opt_keep_alive = 1;
 static int opt_msg_timeout = -1;
 static int opt_total_timeout = -1;
@@ -137,6 +140,7 @@ static int opt_keyform = FORMAT_UNDEF;
 static char *opt_otherpass = NULL;
 static char *opt_engine = NULL;
 
+#ifndef OPENSSL_NO_SOCK
 /* TLS connection */
 static int opt_tls_used = 0;
 static char *opt_tls_cert = NULL;
@@ -145,6 +149,7 @@ static char *opt_tls_keypass = NULL;
 static char *opt_tls_extra = NULL;
 static char *opt_tls_trusted = NULL;
 static char *opt_tls_host = NULL;
+#endif
 
 /* client-side debugging */
 static int opt_batch = 0;
@@ -157,9 +162,10 @@ static char *opt_rspout = NULL;
 static int opt_use_mock_srv = 0;
 
 /* server-side debugging */
+#ifndef OPENSSL_NO_SOCK
 static char *opt_port = NULL;
 static int opt_max_msgs = 0;
-
+#endif
 static char *opt_srv_ref = NULL;
 static char *opt_srv_secret = NULL;
 static char *opt_srv_cert = NULL;
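Review bot: the `#ifndef OPENSSL_NO_SOCK` here opens after the `/* server-side debugging */` comment, while in the TLS hunk above it opens before `/* TLS connection */`; pick one placement. Replacing the blank line with `#endif` also leaves `opt_port` and `opt_max_msgs` visually fused with the `opt_srv_*` group, so a blank line after `#endif` would preserve the grouping.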
@@ -204,8 +210,10 @@ typedef enum OPTION_choice {
 
 OPT_OLDCERT, OPT_REVREASON,
 
-OPT_SERVER, OPT_PATH, OPT_PROXY, OPT_NO_PROXY,
-OPT_RECIPIENT,
+#ifndef OPENSSL_NO_SOCK
+OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
+#endif
+OPT_RECIPIENT, OPT_PATH,
 OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT,
 
 OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT,
@@ -225,15 +233,19 @@ typedef enum OPTION_choice {
 OPT_PROV_ENUM,
 OPT_R_ENUM,
 
+#ifndef OPENSSL_NO_SOCK
 OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
 OPT_TLS_KEYPASS,
 OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
+#endif
 
 OPT_BATCH, OPT_REPEAT,
 OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
 OPT_USE_MOCK_SRV,
 
+#ifndef OPENSSL_NO_SOCK
 OPT_PORT, OPT_MAX_MSGS,
+#endif
 OPT_SRV_REF, OPT_SRV_SECRET,
 OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
 OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
@@ -331,20 +343,25 @@ const OPTIONS cmp_options[] = {
  "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
 
 OPT_SECTION("Message transfer"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock 
build"},
+#else
 {"server", OPT_SERVER, 's',
  "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 
443."},
 {OPT_MORE_STR, 0, 0,
  "address may be a DNS name or an IP address; path can be overridden by 
-path"},
-{"path", OPT_PATH, 's',
- "HTTP path (aka CMP alias) at the CMP server. Default from -server, else 
\"/\""},
 {"proxy", OPT_PROXY, 's',
  "[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is 
ignored"},
 {"no_proxy", OPT_NO_PROXY, 's',
  "List of addresses of servers not to use HTTP(S) proxy for"},
 {OPT_MORE_STR, 0, 0,
  "Default from environment variable 'no_proxy', else 'NO_PROXY', else 
none"},
+#endif
 {"recipient", OPT_RECIPIENT, 's',
  "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or 
-cert"},
+{"path", OPT_PATH, 's',
+ "HTTP path (aka CMP alias) at the CMP server. Default from -server, else 
\"/\""},
 {"keep_alive", OPT_KEEP_ALIVE, 'N',
  "Persistent HTTP connections. 0: no, 1 (the default): request, 2: 
require"},
 {"msg_timeout", OPT_MSG_TIMEOUT, 'N',
@@ -419,6 +436,10 @@ const OPTIONS cmp_options[] = {
 OPT_R_OPTIONS,
 
 OPT_SECTION("TLS connection"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -tls_used and all other TLS options not supported due to no-sock 
build"},
+#else
 {"tls_used", OPT_TLS_USED, '-',
  "Enable using TLS (also when other TLS options 

[openssl] OpenSSL_1_1_1-stable update

2021-12-09 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  ca607d6e94e11f5332abcc8fa4a4ccb967347efa (commit)
  from  7a045a4e5ad97f7e123ea33f1f188d2f1a03974b (commit)


- Log -
commit ca607d6e94e11f5332abcc8fa4a4ccb967347efa
Author: Bernd Edlinger 
Date:   Wed Dec 8 14:14:48 2021 +0100

Fix a deadlock in OBJ_NAME_add

This happened after an out of memory error:
CRYPTO_THREAD_write_lock may hang in OBJ_NAME_add.

Reviewed-by: Tomas Mraz 
Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17236)

---

Summary of changes:
 crypto/objects/o_names.c | 14 +-
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index 979d83577c..15639d6778 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -67,8 +67,14 @@ static CRYPTO_ONCE init = CRYPTO_ONCE_STATIC_INIT;
 DEFINE_RUN_ONCE_STATIC(o_names_init)
 {
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+names_lh = NULL;
 obj_lock = CRYPTO_THREAD_lock_new();
+if (obj_lock != NULL)
+names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+if (names_lh == NULL) {
+CRYPTO_THREAD_lock_free(obj_lock);
+obj_lock = NULL;
+}
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
 return names_lh != NULL && obj_lock != NULL;
 }
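Review bot: when `CRYPTO_THREAD_lock_new()` fails, `names_lh` stays NULL and the cleanup block calls `CRYPTO_THREAD_lock_free(obj_lock)` with a NULL pointer; that depends on the free function accepting NULL, so either note that in a comment or guard the call with `obj_lock != NULL`.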
@@ -217,10 +223,8 @@ int OBJ_NAME_add(const char *name, int type, const char 
*data)
 type &= ~OBJ_NAME_ALIAS;
 
 onp = OPENSSL_malloc(sizeof(*onp));
-if (onp == NULL) {
-/* ERROR */
-goto unlock;
-}
+if (onp == NULL)
+return 0;
 
 onp->name = name;
 onp->alias = alias;
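Review bot: returning directly on `onp == NULL` is right only if the write lock has not been taken yet at this point; the lock call is outside the hunk, so a comment such as "no lock held yet" above the `return 0;` would document why this path must not go through `unlock`. The removed `/* ERROR */` marker has no replacement; if the caller should see an error reason for the allocation failure, this is the place to raise it.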


[openssl] openssl-3.0 update

2021-12-09 Thread bernd . edlinger
The branch openssl-3.0 has been updated
   via  907b966981a1d6f1e1fcbf0ab752e040a49f1475 (commit)
  from  93838762b406efe3aad9c807a0fd1f48e6efe3ab (commit)


- Log -
commit 907b966981a1d6f1e1fcbf0ab752e040a49f1475
Author: Bernd Edlinger 
Date:   Wed Dec 8 14:14:48 2021 +0100

Minor code cleanup in o_names_init

This might result in a small memory leak.

Reviewed-by: Tomas Mraz 
Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17238)

(cherry picked from commit c50bf14450f3cd242f2211ca7e500191053d8050)

---

Summary of changes:
 crypto/objects/o_names.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index 05aa8c44aa..92152eeb66 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -66,8 +66,14 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME 
*b);
 static CRYPTO_ONCE init = CRYPTO_ONCE_STATIC_INIT;
 DEFINE_RUN_ONCE_STATIC(o_names_init)
 {
-names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+names_lh = NULL;
 obj_lock = CRYPTO_THREAD_lock_new();
+if (obj_lock != NULL)
+names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+if (names_lh == NULL) {
+CRYPTO_THREAD_lock_free(obj_lock);
+obj_lock = NULL;
+}
 return names_lh != NULL && obj_lock != NULL;
 }
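Review bot: after this change `names_lh` is only allocated when `obj_lock` is non-NULL, and the lock is released when the table allocation fails, so the final `return names_lh != NULL && obj_lock != NULL;` tests two conditions that are now always equal; `return names_lh != NULL;` would say the same thing, or keep it and add a comment that both are set or both are NULL.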
 


[openssl] master update

2021-12-09 Thread bernd . edlinger
The branch master has been updated
   via  c50bf14450f3cd242f2211ca7e500191053d8050 (commit)
  from  f0d5a3b6ea1bbe4e5dac5b69d853c015db635621 (commit)


- Log -
commit c50bf14450f3cd242f2211ca7e500191053d8050
Author: Bernd Edlinger 
Date:   Wed Dec 8 14:14:48 2021 +0100

Minor code cleanup in o_names_init

This might result in a small memory leak.

Reviewed-by: Tomas Mraz 
Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17238)

---

Summary of changes:
 crypto/objects/o_names.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index 05aa8c44aa..92152eeb66 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -66,8 +66,14 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME 
*b);
 static CRYPTO_ONCE init = CRYPTO_ONCE_STATIC_INIT;
 DEFINE_RUN_ONCE_STATIC(o_names_init)
 {
-names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+names_lh = NULL;
 obj_lock = CRYPTO_THREAD_lock_new();
+if (obj_lock != NULL)
+names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+if (names_lh == NULL) {
+CRYPTO_THREAD_lock_free(obj_lock);
+obj_lock = NULL;
+}
 return names_lh != NULL && obj_lock != NULL;
 }
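Review bot: the `if (names_lh == NULL)` block is what releases the lock when the hash table cannot be allocated, yet the commit body ("This might result in a small memory leak.") can be read as saying the change introduces a leak; a comment above that block naming the case it handles would remove the ambiguity for anyone reading the history.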
 


[openssl] openssl-3.0 update

2021-12-09 Thread dev
The branch openssl-3.0 has been updated
   via  93838762b406efe3aad9c807a0fd1f48e6efe3ab (commit)
  from  f2f2ac88499ad58546f9c5b19ebc0b6eddf0b49f (commit)


- Log -
commit 93838762b406efe3aad9c807a0fd1f48e6efe3ab
Author: Dr. David von Oheimb 
Date:   Mon Nov 29 10:07:08 2021 +0100

OSSL_HTTP_get(): Fix timeout handling on redirection

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17190)

(cherry picked from commit f0d5a3b6ea1bbe4e5dac5b69d853c015db635621)

---

Summary of changes:
 crypto/err/openssl.txt|  1 +
 crypto/http/http_client.c | 19 ++-
 crypto/http/http_err.c|  1 +
 include/openssl/httperr.h |  1 +
 4 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 777a0de19d..6e75af9b8b 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -779,6 +779,7 @@ HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from 
https to http
 HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
 HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
 HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
+HTTP_R_RETRY_TIMEOUT:129:retry timeout
 HTTP_R_SERVER_CANCELED_CONNECTION:127:server canceled connection
 HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported
 HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 23677ca12f..7f8d8fc8d7 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -464,6 +464,21 @@ static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx, 
size_t len)
 return 1;
 }
 
+static int may_still_retry(time_t max_time, int *ptimeout)
+{
+time_t time_diff, now = time(NULL);
+
+if (max_time != 0) {
+if (max_time < now) {
+ERR_raise(ERR_LIB_HTTP, HTTP_R_RETRY_TIMEOUT);
+return 0;
+}
+time_diff = max_time - now;
+*ptimeout = time_diff > INT_MAX ? INT_MAX : (int)time_diff;
+}
+return 1;
+}
+
 /*
  * Try exchanging request and response via HTTP on (non-)blocking BIO in rctx.
  * Returns 1 on success, 0 on error or redirection, -1 on BIO_should_retry.
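Review bot: in `may_still_retry()` the expiry test is `max_time < now`, so when the deadline falls in the current second the function stores a `time_diff` of 0 in `*ptimeout` and returns 1; the `timeout > 0 ? time(NULL) + timeout : 0` line added to `OSSL_HTTP_get()` treats a non-positive timeout as no deadline, so the next attempt would be made with a timeout value that means "unlimited". Testing `max_time <= now` avoids handing back 0.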
@@ -1081,6 +1096,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, 
const char *no_proxy,
 int use_ssl;
 OSSL_HTTP_REQ_CTX *rctx;
 BIO *resp = NULL;
+time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
 
 if (url == NULL) {
 ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER);
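Review bot: `max_time` is computed from `time(NULL)`, that is wall-clock time with one-second resolution, so a clock step during a redirect chain lengthens or shortens the overall limit; if a monotonic time source is available in this code base it would be the better base for the deadline, otherwise a comment on the `max_time` declaration noting the limitation is enough.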
@@ -,7 +1127,8 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, 
const char *no_proxy,
 }
 OPENSSL_free(path);
 if (resp == NULL && redirection_url != NULL) {
-if (redirection_ok(++n_redirs, current_url, redirection_url)) {
+if (redirection_ok(++n_redirs, current_url, redirection_url)
+&& may_still_retry(max_time, &timeout)) {
 (void)BIO_reset(bio);
 OPENSSL_free(current_url);
 current_url = redirection_url;
diff --git a/crypto/http/http_err.c b/crypto/http/http_err.c
index b2f2cfb187..332ad926d3 100644
--- a/crypto/http/http_err.c
+++ b/crypto/http/http_err.c
@@ -55,6 +55,7 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = {
 "response line too long"},
 {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_PARSE_ERROR),
 "response parse error"},
+{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RETRY_TIMEOUT), "retry timeout"},
 {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_CANCELED_CONNECTION),
 "server canceled connection"},
 {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SOCK_NOT_SUPPORTED),
diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h
index b639ef0051..ee08959203 100644
--- a/include/openssl/httperr.h
+++ b/include/openssl/httperr.h
@@ -44,6 +44,7 @@
 # define HTTP_R_REDIRECTION_NOT_ENABLED   116
 # define HTTP_R_RESPONSE_LINE_TOO_LONG113
 # define HTTP_R_RESPONSE_PARSE_ERROR  104
+# define HTTP_R_RETRY_TIMEOUT 129
 # define HTTP_R_SERVER_CANCELED_CONNECTION127
 # define HTTP_R_SOCK_NOT_SUPPORTED122
 # define HTTP_R_STATUS_CODE_UNSUPPORTED   114


[openssl] master update

2021-12-09 Thread dev
The branch master has been updated
   via  f0d5a3b6ea1bbe4e5dac5b69d853c015db635621 (commit)
  from  a3ea35c2936acbe6a53b1d52d2d7addbfb6bbd5a (commit)


- Log -
commit f0d5a3b6ea1bbe4e5dac5b69d853c015db635621
Author: Dr. David von Oheimb 
Date:   Mon Nov 29 10:07:08 2021 +0100

OSSL_HTTP_get(): Fix timeout handling on redirection

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17190)

---

Summary of changes:
 crypto/err/openssl.txt|  1 +
 crypto/http/http_client.c | 19 ++-
 crypto/http/http_err.c|  1 +
 include/openssl/httperr.h |  1 +
 4 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 777a0de19d..6e75af9b8b 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -779,6 +779,7 @@ HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from 
https to http
 HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
 HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
 HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
+HTTP_R_RETRY_TIMEOUT:129:retry timeout
 HTTP_R_SERVER_CANCELED_CONNECTION:127:server canceled connection
 HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported
 HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index d8e54c03a9..a85bfcec42 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -463,6 +463,21 @@ static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx, 
size_t len)
 return 1;
 }
 
+static int may_still_retry(time_t max_time, int *ptimeout)
+{
+time_t time_diff, now = time(NULL);
+
+if (max_time != 0) {
+if (max_time < now) {
+ERR_raise(ERR_LIB_HTTP, HTTP_R_RETRY_TIMEOUT);
+return 0;
+}
+time_diff = max_time - now;
+*ptimeout = time_diff > INT_MAX ? INT_MAX : (int)time_diff;
+}
+return 1;
+}
+
 /*
  * Try exchanging request and response via HTTP on (non-)blocking BIO in rctx.
  * Returns 1 on success, 0 on error or redirection, -1 on BIO_should_retry.
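
Review bot: in may_still_retry() the expiry test `max_time < now` is strict, so when `max_time == now` the function returns 1 and stores a remaining time of 0 in `*ptimeout`. The OSSL_HTTP_get() hunk computes `max_time` only for `timeout > 0` and otherwise uses 0 for "no deadline", so a 0 written here may be read as "no timeout" on the next attempt. Suggest `max_time <= now`, plus a short comment above the function documenting the return values and that `*ptimeout` is left untouched when `max_time` is 0.
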
@@ -1071,6 +1086,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, 
const char *no_proxy,
 int use_ssl;
 OSSL_HTTP_REQ_CTX *rctx;
 BIO *resp = NULL;
+time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
 
 if (url == NULL) {
 ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER);
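
Review bot: the `max_time` initializer takes the deadline from wall-clock `time(NULL)`, so a clock adjustment during the transfer lengthens or shortens the overall timeout, and a failing `time()` is not handled. A one-line comment on the declaration saying that 0 means "no deadline" would also help, since may_still_retry() depends on that sentinel.
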
@@ -1101,7 +1117,8 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, 
const char *no_proxy,
 }
 OPENSSL_free(path);
 if (resp == NULL && redirection_url != NULL) {
-if (redirection_ok(++n_redirs, current_url, redirection_url)) {
+if (redirection_ok(++n_redirs, current_url, redirection_url)
+&& may_still_retry(max_time, &timeout)) {
 (void)BIO_reset(bio);
 OPENSSL_free(current_url);
 current_url = redirection_url;
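
Review bot: the added `&& may_still_retry(max_time, &timeout)` condition comes without a test; the summary of changes lists only openssl.txt, http_client.c, http_err.c and httperr.h. A case that follows a redirect after the deadline has passed and expects HTTP_R_RETRY_TIMEOUT would pin the behaviour down. When may_still_retry() returns 0, control takes the same path as a rejected redirection, so confirm that path releases `redirection_url`, which these lines do not show.
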
diff --git a/crypto/http/http_err.c b/crypto/http/http_err.c
index b2f2cfb187..332ad926d3 100644
--- a/crypto/http/http_err.c
+++ b/crypto/http/http_err.c
@@ -55,6 +55,7 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = {
 "response line too long"},
 {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_PARSE_ERROR),
 "response parse error"},
+{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RETRY_TIMEOUT), "retry timeout"},
 {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_CANCELED_CONNECTION),
 "server canceled connection"},
 {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SOCK_NOT_SUPPORTED),
diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h
index b639ef0051..ee08959203 100644
--- a/include/openssl/httperr.h
+++ b/include/openssl/httperr.h
@@ -44,6 +44,7 @@
 # define HTTP_R_REDIRECTION_NOT_ENABLED   116
 # define HTTP_R_RESPONSE_LINE_TOO_LONG113
 # define HTTP_R_RESPONSE_PARSE_ERROR  104
+# define HTTP_R_RETRY_TIMEOUT 129
 # define HTTP_R_SERVER_CANCELED_CONNECTION127
 # define HTTP_R_SOCK_NOT_SUPPORTED122
 # define HTTP_R_STATUS_CODE_UNSUPPORTED   114


[openssl] OpenSSL_1_1_1-stable update

2021-12-09 Thread dev
The branch OpenSSL_1_1_1-stable has been updated
   via  7a045a4e5ad97f7e123ea33f1f188d2f1a03974b (commit)
  from  b1553c89285cb05a28d185423bc3df9b505db92a (commit)


- Log -
commit 7a045a4e5ad97f7e123ea33f1f188d2f1a03974b
Author: Dr. David von Oheimb 
Date:   Tue Dec 7 14:01:32 2021 +0100

OBJ_nid2obj.pod: Replace remaining 'B<' by 'I<' where appropriate

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17221)

---

Summary of changes:
 doc/man3/OBJ_nid2obj.pod | 28 ++--
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod
index f84d5b1eb3..7705b6c763 100644
--- a/doc/man3/OBJ_nid2obj.pod
+++ b/doc/man3/OBJ_nid2obj.pod
@@ -46,26 +46,26 @@ Deprecated:
 The ASN1 object utility functions process ASN1_OBJECT structures which are
 a representation of the ASN1 OBJECT IDENTIFIER (OID) type.
 For convenience, OIDs are usually represented in source code as numeric
-identifiers, or Bs.  OpenSSL has an internal table of OIDs that
+identifiers, or Is.  OpenSSL has an internal table of OIDs that
 are generated when the library is built, and their corresponding NIDs
 are available as defined constants.  For the functions below, application
 code should treat all returned values -- OIDs, NIDs, or names -- as
 constants.
 
-OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B to
+OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID I to
 an ASN1_OBJECT structure, its long name and its short name respectively,
 or B if an error occurred.
 
 OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID
-for the object B, the long name  or the short name  respectively
+for the object I, the long name  or the short name  respectively
 or NID_undef if an error occurred.
 
-OBJ_txt2nid() returns NID corresponding to text string . B can be
+OBJ_txt2nid() returns NID corresponding to text string I. I can be
 a long name, a short name or the numerical representation of an object.
 
-OBJ_txt2obj() converts the text string B into an ASN1_OBJECT structure.
-If B is 0 then long names and short names will be interpreted
-as well as numerical forms. If B is 1 only the numerical form
+OBJ_txt2obj() converts the text string I into an ASN1_OBJECT structure.
+If I is 0 then long names and short names will be interpreted
+as well as numerical forms. If I is 1 only the numerical form
 is acceptable.
 
 OBJ_obj2txt() converts the B B into a textual representation.
@@ -76,20 +76,20 @@ if the object has a long or short name then that will be 
used, otherwise
 the numerical form will be used. If B is 1 then the numerical
 form will always be used.
 
-i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the B set to zero.
+i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I set to zero.
 
-OBJ_cmp() compares B to B. If the two are identical 0 is returned.
+OBJ_cmp() compares I to I. If the two are identical 0 is returned.
 
-OBJ_dup() returns a copy of B.
+OBJ_dup() returns a copy of I.
 
-OBJ_create() adds a new object to the internal table. B is the
-numerical form of the object, B the short name and B the
+OBJ_create() adds a new object to the internal table. I is the
+numerical form of the object, I the short name and I the
 long name. A new NID is returned for the created object in case of
 success and NID_undef in case of failure.
 
-OBJ_length() returns the size of the content octets of B.
+OBJ_length() returns the size of the content octets of I.
 
-OBJ_get0_data() returns a pointer to the content octets of B.
+OBJ_get0_data() returns a pointer to the content octets of I.
 The returned pointer is an internal pointer which B be freed.
 
 OBJ_cleanup() releases any resources allocated by creating new objects.
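
Review bot: the unchanged context at the top of this hunk ("If B is 1 then the numerical form will always be used") and the OBJ_obj2txt() line closing the previous hunk keep B markup for what read as function arguments, while the equivalent OBJ_txt2obj() sentences ("If I is 0 ...", "If I is 1 ...") were switched to I. If those are parameter names, convert them as well so the page is consistent; if the B markup is intentional there, the commit message should say which cases were left alone.
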


[openssl] master update

2021-12-09 Thread dev
The branch master has been updated
   via  a3ea35c2936acbe6a53b1d52d2d7addbfb6bbd5a (commit)
   via  5adda344c2268eced63151a62358ffaefbdfed50 (commit)
  from  7ee0954a086ee3b4e0a8c6736600e3d6362485c0 (commit)


- Log -
commit a3ea35c2936acbe6a53b1d52d2d7addbfb6bbd5a
Author: Dr. David von Oheimb 
Date:   Tue Dec 7 13:11:27 2021 +0100

CMP check_msg_find_cert(): improve diagnostics on transactionID mismatch

On this occasion, make use of i2s_ASN1_OCTET_STRING() wherever possible

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17224)

commit 5adda344c2268eced63151a62358ffaefbdfed50
Author: Dr. David von Oheimb 
Date:   Tue Dec 7 12:41:13 2021 +0100

80-test_cmp_http_data/test_commands.csv: fix minor glitch in column alignment

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17224)

---

Summary of changes:
 crypto/cmp/cmp_hdr.c |  3 +--
 crypto/cmp/cmp_server.c  |  4 +---
 crypto/cmp/cmp_vfy.c | 19 ++-
 crypto/x509/v3_akid.c|  4 ++--
 test/recipes/80-test_cmp_http_data/test_commands.csv |  2 +-
 5 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c
index 8c553af61a..e970e6cbd7 100644
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -276,8 +276,7 @@ int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, 
OSSL_CMP_PKIHEADER *hdr)
 if (!set_random(&ctx->transactionID, ctx,
 OSSL_CMP_TRANSACTIONID_LENGTH))
 return 0;
-tid = OPENSSL_buf2hexstr(ctx->transactionID->data,
- ctx->transactionID->length);
+tid = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
 if (tid != NULL)
 ossl_cmp_log1(DEBUG, ctx,
   "Starting new transaction with ID=%s", tid);
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 7ce4662aee..c32737d0e3 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -481,10 +481,8 @@ OSSL_CMP_MSG 
*OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
 case OSSL_CMP_PKIBODY_GENM:
 case OSSL_CMP_PKIBODY_ERROR:
 if (ctx->transactionID != NULL) {
-char *tid;
+char *tid = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
 
-tid = OPENSSL_buf2hexstr(ctx->transactionID->data,
- ctx->transactionID->length);
 if (tid != NULL)
 ossl_cmp_log1(WARN, ctx,
   "Assuming that last transaction with ID=%s got 
aborted",
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index b9d6fc2bdd..d3d9cca0d4 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -186,7 +186,7 @@ static int check_kid(const OSSL_CMP_CTX *ctx,
 ossl_cmp_warn(ctx, "missing Subject Key Identifier in certificate");
 return 0;
 }
-str = OPENSSL_buf2hexstr(ckid->data, ckid->length);
+str = i2s_ASN1_OCTET_STRING(NULL, ckid);
 if (ASN1_OCTET_STRING_cmp(ckid, skid) == 0) {
 if (str != NULL)
 ossl_cmp_log1(INFO, ctx, " subjectKID matches senderKID: %s", str);
@@ -197,7 +197,7 @@ static int check_kid(const OSSL_CMP_CTX *ctx,
 if (str != NULL)
 ossl_cmp_log1(INFO, ctx, " cert Subject Key Identifier = %s", str);
 OPENSSL_free(str);
-if ((str = OPENSSL_buf2hexstr(skid->data, skid->length)) != NULL)
+if ((str = i2s_ASN1_OCTET_STRING(NULL, skid)) != NULL)
 ossl_cmp_log1(INFO, ctx, " does not match senderKID= %s", str);
 OPENSSL_free(str);
 return 0;
@@ -500,8 +500,7 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const 
OSSL_CMP_MSG *msg)
 (void)ERR_clear_last_mark();
 
 sname = X509_NAME_oneline(sender->d.directoryName, NULL, 0);
-skid_str = skid == NULL ? NULL
-: OPENSSL_buf2hexstr(skid->data, skid->length);
+skid_str = skid == NULL ? NULL : i2s_ASN1_OCTET_STRING(NULL, skid);
 if (ctx->log_cb != NULL) {
 ossl_cmp_info(ctx, "trying to verify msg signature with a valid cert 
that..");
 if (sname != NULL)
@@ -747,7 +746,17 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const 
OSSL_CMP_MSG *msg,
 || ASN1_OCTET_STRING_cmp(ctx->transactionID,
  hdr->transactionID) != 0)) {
 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-ERR_raise(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED);
+char *ctx_str, *hdr_str;
+
+ctx_str = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
+hdr_str = hdr->transactionID == NULL ? "(none)"
+: i2s_ASN1_OCTET_STRING(NULL, hdr->t