[openssl/openssl] f15d23: Replace "a RSA" with "an RSA"
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: f15d23e2f9ec10a0c6ccd76317c0c8aeb5378a33 https://github.com/openssl/openssl/commit/f15d23e2f9ec10a0c6ccd76317c0c8aeb5378a33 Author: Daniel Fiala Date: 2022-12-07 (Wed, 07 Dec 2022) Changed paths: M CHANGES.md M crypto/rsa/rsa_mp.c A demos/encode/rsa_encode.c M doc/HOWTO/certificates.txt M doc/HOWTO/keys.txt M doc/man3/SSL_CTX_set_cipher_list.pod M doc/man3/SSL_CTX_use_certificate.pod M doc/man3/SSL_CTX_use_serverinfo.pod M test/keymgmt_internal_test.c M test/sslapitest.c Log Message: --- Replace "a RSA" with "an RSA" Fixes openssl#19771 Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19787) (cherry picked from commit a63fa5f711f1f97e623348656b42717d6904ee3e) (cherry picked from commit f3e9308fe1b692c424feaa256fbecce958cef1f4)
[openssl/openssl] f3e930: Replace "a RSA" with "an RSA"
Branch: refs/heads/openssl-3.1 Home: https://github.com/openssl/openssl Commit: f3e9308fe1b692c424feaa256fbecce958cef1f4 https://github.com/openssl/openssl/commit/f3e9308fe1b692c424feaa256fbecce958cef1f4 Author: Daniel Fiala Date: 2022-12-07 (Wed, 07 Dec 2022) Changed paths: M CHANGES.md M crypto/rsa/rsa_mp.c M demos/encode/rsa_encode.c M doc/HOWTO/certificates.txt M doc/HOWTO/keys.txt M doc/man3/SSL_CTX_set_cipher_list.pod M doc/man3/SSL_CTX_use_certificate.pod M doc/man3/SSL_CTX_use_serverinfo.pod M test/keymgmt_internal_test.c M test/sslapitest.c Log Message: --- Replace "a RSA" with "an RSA" Fixes openssl#19771 Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19787) (cherry picked from commit a63fa5f711f1f97e623348656b42717d6904ee3e)
[openssl/openssl] a63fa5: Replace "a RSA" with "an RSA"
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: a63fa5f711f1f97e623348656b42717d6904ee3e https://github.com/openssl/openssl/commit/a63fa5f711f1f97e623348656b42717d6904ee3e Author: Daniel Fiala Date: 2022-12-07 (Wed, 07 Dec 2022) Changed paths: M CHANGES.md M crypto/rsa/rsa_mp.c M demos/encode/rsa_encode.c M doc/HOWTO/certificates.txt M doc/HOWTO/keys.txt M doc/man3/SSL_CTX_set_cipher_list.pod M doc/man3/SSL_CTX_use_certificate.pod M doc/man3/SSL_CTX_use_serverinfo.pod M test/keymgmt_internal_test.c M test/sslapitest.c Log Message: --- Replace "a RSA" with "an RSA" Fixes openssl#19771 Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19787)
[openssl/openssl] 18af4d: Make parsing of piped data in `speed.c` more robust
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 18af4d154cc563a5b02409215a576276caece0f4 https://github.com/openssl/openssl/commit/18af4d154cc563a5b02409215a576276caece0f4 Author: Daniel Fiala Date: 2022-11-24 (Thu, 24 Nov 2022) Changed paths: M apps/speed.c Log Message: --- Make parsing of piped data in `speed.c` more robust Fixes openssl#19050 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19238)
[openssl/openssl] e4d8ea: Add an EVP signature demo using DSA
Branch: refs/heads/openssl-3.1 Home: https://github.com/openssl/openssl Commit: e4d8eaac7e2af4719adfc58397b7c7115d45b0bb https://github.com/openssl/openssl/commit/e4d8eaac7e2af4719adfc58397b7c7115d45b0bb Author: Daniel Fiala Date: 2022-11-22 (Tue, 22 Nov 2022) Changed paths: A demos/signature/EVP_DSA_Signature_demo.c A demos/signature/EVP_EC_Signature_demo.c A demos/signature/EVP_EC_Signature_demo.h R demos/signature/EVP_Signature_demo.c R demos/signature/EVP_Signature_demo.h M demos/signature/Makefile Log Message: --- Add an EVP signature demo using DSA Fixes openssl#14114 Reviewed-by: Paul Dale Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19492) (cherry picked from commit 858b5d12b85b0639519d21206c9da7e1bb976a00)
[openssl/openssl] 858b5d: Add an EVP signature demo using DSA
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 858b5d12b85b0639519d21206c9da7e1bb976a00 https://github.com/openssl/openssl/commit/858b5d12b85b0639519d21206c9da7e1bb976a00 Author: Daniel Fiala Date: 2022-11-22 (Tue, 22 Nov 2022) Changed paths: A demos/signature/EVP_DSA_Signature_demo.c A demos/signature/EVP_EC_Signature_demo.c A demos/signature/EVP_EC_Signature_demo.h R demos/signature/EVP_Signature_demo.c R demos/signature/EVP_Signature_demo.h M demos/signature/Makefile Log Message: --- Add an EVP signature demo using DSA Fixes openssl#14114 Reviewed-by: Paul Dale Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19492)
[openssl/openssl] 2eb752: openssl list: Fix help text about -cipher-algorith...
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 2eb75291c1357cdaf852e0da613edc14f3d5ae4f https://github.com/openssl/openssl/commit/2eb75291c1357cdaf852e0da613edc14f3d5ae4f Author: Daniel Fiala Date: 2022-10-24 (Mon, 24 Oct 2022) Changed paths: M apps/list.c M doc/man1/openssl-list.pod.in Log Message: --- openssl list: Fix help text about -cipher-algorithms option Fixes openssl#19133 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19370)
[openssl/openssl] b0ef84: openssl list: Fix help text about -cipher-algorith...
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: b0ef844283ff123281b89c5fca3421fd01188274 https://github.com/openssl/openssl/commit/b0ef844283ff123281b89c5fca3421fd01188274 Author: Daniel Fiala Date: 2022-10-24 (Mon, 24 Oct 2022) Changed paths: M apps/list.c M doc/man1/openssl-list.pod.in Log Message: --- openssl list: Fix help text about -cipher-algorithms option Fixes openssl#19133 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19370) (cherry picked from commit 2eb75291c1357cdaf852e0da613edc14f3d5ae4f)
[openssl/openssl] 7ccccb: Fix coverity 1516101 deadcode
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 7b26d6de39eced5b16ffce6040c9547bfe74 https://github.com/openssl/openssl/commit/7b26d6de39eced5b16ffce6040c9547bfe74 Author: Daniel Fiala Date: 2022-10-24 (Mon, 24 Oct 2022) Changed paths: M ssl/d1_lib.c Log Message: --- Fix coverity 1516101 deadcode Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19464)
[openssl/openssl] ec1d59: openssl list: add an empty row at the end of each ...
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: ec1d5970be596daed15a3fa723cfa2ac726b0dba https://github.com/openssl/openssl/commit/ec1d5970be596daed15a3fa723cfa2ac726b0dba Author: Daniel Fiala Date: 2022-10-21 (Fri, 21 Oct 2022) Changed paths: M apps/list.c Log Message: --- openssl list: add an empty row at the end of each printed list of commands and algorithms Fixes openssl#19140 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19372)
[openssl/openssl] af6379: Fix typo in PKCS12_SAFEBAG_set0_attrs
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: af6379368f81025808689e843a5d86c6402a63a7 https://github.com/openssl/openssl/commit/af6379368f81025808689e843a5d86c6402a63a7 Author: Daniel Fiala Date: 2022-10-13 (Thu, 13 Oct 2022) Changed paths: M crypto/pkcs12/p12_attr.c Log Message: --- Fix typo in PKCS12_SAFEBAG_set0_attrs Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19359) Commit: 9eaf07ffe39e76aca2dfb8e22b8060c75fcbd8e0 https://github.com/openssl/openssl/commit/9eaf07ffe39e76aca2dfb8e22b8060c75fcbd8e0 Author: Daniel Fiala Date: 2022-10-13 (Thu, 13 Oct 2022) Changed paths: M crypto/pkcs12/p12_attr.c M doc/man3/PKCS12_SAFEBAG_set0_attrs.pod M include/openssl/pkcs12.h.in Log Message: --- PKCS12_SAFEBAG_set0_attrs: Remove const from function signature Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19359) Compare: https://github.com/openssl/openssl/compare/704e8090b4a7...9eaf07ffe39e
[openssl/openssl] 214bb8: Disable printf format checking on MinGW
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: 214bb8f6db52e4a79454fafdf4865f57f2af4053 https://github.com/openssl/openssl/commit/214bb8f6db52e4a79454fafdf4865f57f2af4053 Author: Daniel Fiala Date: 2022-10-04 (Tue, 04 Oct 2022) Changed paths: M include/openssl/bio.h.in M test/testutil.h M test/testutil/output.h Log Message: --- Disable printf format checking on MinGW Fixes openssl#19185 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19292) (cherry picked from commit a1de5eb88479515535e5de090ded800455c3d4a7)
[openssl/openssl] a1de5e: Disable printf format checking on MinGW
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: a1de5eb88479515535e5de090ded800455c3d4a7 https://github.com/openssl/openssl/commit/a1de5eb88479515535e5de090ded800455c3d4a7 Author: Daniel Fiala Date: 2022-10-04 (Tue, 04 Oct 2022) Changed paths: M include/openssl/bio.h.in M test/testutil.h M test/testutil/output.h Log Message: --- Disable printf format checking on MinGW Fixes openssl#19185 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19292)
[openssl/openssl] 47cd0e: Fix examples related to BIO_do_accept
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 47cd0e5b1f98fb88d6d8337f7ec0e16bb83cea32 https://github.com/openssl/openssl/commit/47cd0e5b1f98fb88d6d8337f7ec0e16bb83cea32 Author: Daniel Fiala Date: 2022-10-04 (Tue, 04 Oct 2022) Changed paths: M doc/man3/BIO_f_ssl.pod M doc/man3/BIO_s_accept.pod Log Message: --- Fix examples related to BIO_do_accept Fixes openssl#8825 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19329)
[openssl/openssl] 8447b5: Fix examples related to BIO_do_accept
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: 8447b5680c2211ad359346fb2f02a5830efc8c5e https://github.com/openssl/openssl/commit/8447b5680c2211ad359346fb2f02a5830efc8c5e Author: Daniel Fiala Date: 2022-10-04 (Tue, 04 Oct 2022) Changed paths: M doc/man3/BIO_f_ssl.pod M doc/man3/BIO_s_accept.pod Log Message: --- Fix examples related to BIO_do_accept Fixes openssl#8825 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19329) (cherry picked from commit 47cd0e5b1f98fb88d6d8337f7ec0e16bb83cea32)
[openssl/openssl] 678b48: Clear incorrectly reported errors in d2i_CMS_Conte...
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 678b489a2ae8af289cef939a538235686b448c0e https://github.com/openssl/openssl/commit/678b489a2ae8af289cef939a538235686b448c0e Author: Daniel Fiala Date: 2022-09-23 (Fri, 23 Sep 2022) Changed paths: M crypto/cms/cms_lib.c M test/cmsapitest.c Log Message: --- Clear incorrectly reported errors in d2i_CMS_ContentInfo Fixes openssl#19003 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19255)
[openssl/openssl] d40de2: Clear incorrectly reported errors in d2i_CMS_Conte...
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: d40de2cc04b9a1b1adf42d9f2218a224e4d14de4 https://github.com/openssl/openssl/commit/d40de2cc04b9a1b1adf42d9f2218a224e4d14de4 Author: Daniel Fiala Date: 2022-09-23 (Fri, 23 Sep 2022) Changed paths: M crypto/cms/cms_lib.c M test/cmsapitest.c Log Message: --- Clear incorrectly reported errors in d2i_CMS_ContentInfo Fixes openssl#19003 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19255) (cherry picked from commit 678b489a2ae8af289cef939a538235686b448c0e)
[openssl/openssl] 630d31: Check that sk_SSL_CIPHER_value returns non-NULL va...
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 630d31219b343d2654ab03d2e2c7884e764936ab https://github.com/openssl/openssl/commit/630d31219b343d2654ab03d2e2c7884e764936ab Author: Daniel Fiala Date: 2022-09-20 (Tue, 20 Sep 2022) Changed paths: M apps/ciphers.c Log Message: --- Check that sk_SSL_CIPHER_value returns non-NULL value. Fixes openssl#19162. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19233)
[openssl/openssl] 67f58e: Check that sk_SSL_CIPHER_value returns non-NULL va...
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: 67f58eaac17d16020da8503493dbbe77c80698f5 https://github.com/openssl/openssl/commit/67f58eaac17d16020da8503493dbbe77c80698f5 Author: Daniel Fiala Date: 2022-09-20 (Tue, 20 Sep 2022) Changed paths: M apps/ciphers.c Log Message: --- Check that sk_SSL_CIPHER_value returns non-NULL value. Fixes openssl#19162. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19233) (cherry picked from commit 630d31219b343d2654ab03d2e2c7884e764936ab)
[openssl/openssl] bebc6c: Add an EVP demo for AES key wrap
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: bebc6c899943cc3f519501aee221c9d0eb10fcfd https://github.com/openssl/openssl/commit/bebc6c899943cc3f519501aee221c9d0eb10fcfd Author: Daniel Fiala Date: 2022-09-19 (Mon, 19 Sep 2022) Changed paths: M demos/cipher/Makefile A demos/cipher/aeskeywrap.c Log Message: --- Add an EVP demo for AES key wrap Fixes openssl#14119 Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19141)
[openssl/openssl] 6edcad: Add an EVP demo for AES key wrap
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: 6edcada219316133e871b7805ef8645c590640ae https://github.com/openssl/openssl/commit/6edcada219316133e871b7805ef8645c590640ae Author: Daniel Fiala Date: 2022-09-19 (Mon, 19 Sep 2022) Changed paths: M demos/cipher/Makefile A demos/cipher/aeskeywrap.c Log Message: --- Add an EVP demo for AES key wrap Fixes openssl#14119 Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19141) (cherry picked from commit bebc6c899943cc3f519501aee221c9d0eb10fcfd)
[openssl/openssl] fcff5b: Add tests for trace_api.
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: fcff5bd43c85418cc4aa8052e3dc3dba344d763e https://github.com/openssl/openssl/commit/fcff5bd43c85418cc4aa8052e3dc3dba344d763e Author: Daniel Fiala Date: 2022-09-16 (Fri, 16 Sep 2022) Changed paths: M crypto/trace.c M test/build.info A test/recipes/90-test_traceapi.t A test/trace_api_test.c Log Message: --- Add tests for trace_api. Fixes openssl#17422 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19096)
[openssl/openssl] 9f4cea: Add documentation and test for EVP_PBE_alg_add
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: 9f4cea9559c853bcda29f8b30d4c634574099e16 https://github.com/openssl/openssl/commit/9f4cea9559c853bcda29f8b30d4c634574099e16 Author: Daniel Fiala Date: 2022-09-16 (Fri, 16 Sep 2022) Changed paths: M doc/man3/EVP_PBE_CipherInit.pod M test/evp_extra_test2.c M util/missingcrypto.txt Log Message: --- Add documentation and test for EVP_PBE_alg_add Fixes openssl#18687 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19157) (cherry picked from commit 181167b6d0e5cd896847f7538adf28878b81b0b2)
[openssl/openssl] 181167: Add documentation and test for EVP_PBE_alg_add
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 181167b6d0e5cd896847f7538adf28878b81b0b2 https://github.com/openssl/openssl/commit/181167b6d0e5cd896847f7538adf28878b81b0b2 Author: Daniel Fiala Date: 2022-09-16 (Fri, 16 Sep 2022) Changed paths: M doc/man3/EVP_PBE_CipherInit.pod M test/evp_extra_test2.c M util/missingcrypto.txt Log Message: --- Add documentation and test for EVP_PBE_alg_add Fixes openssl#18687 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19157)
[openssl/openssl] 6e6aad: Convert serverinfo in SSL_CTX_use_serverinfo() to v2.
Branch: refs/heads/OpenSSL_1_1_1-stable Home: https://github.com/openssl/openssl Commit: 6e6aad333f26694ff39aba1e59b358e3f25a9a1d https://github.com/openssl/openssl/commit/6e6aad333f26694ff39aba1e59b358e3f25a9a1d Author: Daniel Fiala Date: 2022-09-09 (Fri, 09 Sep 2022) Changed paths: M ssl/ssl_rsa.c M test/sslapitest.c Log Message: --- Convert serverinfo in SSL_CTX_use_serverinfo() to v2. Fixes #18183. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19081)
[openssl/openssl] b4934a: Add an EVP demo for key encoding using EC
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: b4934a9533a1cf290f7f967edf5cfc028967778d https://github.com/openssl/openssl/commit/b4934a9533a1cf290f7f967edf5cfc028967778d Author: Daniel Fiala Date: 2022-09-09 (Fri, 09 Sep 2022) Changed paths: A demos/encode/Makefile A demos/encode/ec_encode.c Log Message: --- Add an EVP demo for key encoding using EC Fixes openssl#14117 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19143) (cherry picked from commit a4b7136ebfd154636f607c50aaeec778a75b2d26)
[openssl/openssl] a4b713: Add an EVP demo for key encoding using EC
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: a4b7136ebfd154636f607c50aaeec778a75b2d26 https://github.com/openssl/openssl/commit/a4b7136ebfd154636f607c50aaeec778a75b2d26 Author: Daniel Fiala Date: 2022-09-09 (Fri, 09 Sep 2022) Changed paths: M demos/encode/Makefile A demos/encode/ec_encode.c Log Message: --- Add an EVP demo for key encoding using EC Fixes openssl#14117 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19143)
[openssl/openssl] f127b8: Convert serverinfo in SSL_CTX_use_serverinfo() to v2.
Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: f127b8aa28b7602a6572ae26e45b5b7ebe36d8d3 https://github.com/openssl/openssl/commit/f127b8aa28b7602a6572ae26e45b5b7ebe36d8d3 Author: Daniel Fiala Date: 2022-08-26 (Fri, 26 Aug 2022) Changed paths: M ssl/ssl_rsa.c M test/sslapitest.c Log Message: --- Convert serverinfo in SSL_CTX_use_serverinfo() to v2. Fixes openssl#18183. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/18614) (cherry picked from commit 555dd9390ba56f1c400d3f067a2dfe7b00fbf7d3)
[openssl/openssl] 555dd9: Convert serverinfo in SSL_CTX_use_serverinfo() to v2.
Branch: refs/heads/master Home: https://github.com/openssl/openssl Commit: 555dd9390ba56f1c400d3f067a2dfe7b00fbf7d3 https://github.com/openssl/openssl/commit/555dd9390ba56f1c400d3f067a2dfe7b00fbf7d3 Author: Daniel Fiala Date: 2022-08-26 (Fri, 26 Aug 2022) Changed paths: M ssl/ssl_rsa.c M test/sslapitest.c Log Message: --- Convert serverinfo in SSL_CTX_use_serverinfo() to v2. Fixes openssl#18183. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/18614)
[openssl] master update
The branch master has been updated
via a044af49c43ec8fe099deeb5d06501ddf70abf7a (commit)
via 2455a21f4ef9826b465ba68fd96f26ea25b80b10 (commit)
from cd7ec0bca00ceb6e8d4af46a57c6c096a7ed8947 (commit)
- Log -
commit a044af49c43ec8fe099deeb5d06501ddf70abf7a
Author: Dr. David von Oheimb
Date: Fri Feb 18 09:36:00 2022 +0100
X509V3_get_d2i.pod: use I<> for arguments and remove B<> around NULL
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/17724)
commit 2455a21f4ef9826b465ba68fd96f26ea25b80b10
Author: Dr. David von Oheimb
Date: Thu Feb 17 19:43:55 2022 +0100
X509V3_get_d2i.pod: Fix glitch on X509V3_get{,_ext}_d2i and align order
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/17724)
---
Summary of changes:
doc/man3/X509V3_get_d2i.pod | 66 +++--
1 file changed, 34 insertions(+), 32 deletions(-)
diff --git a/doc/man3/X509V3_get_d2i.pod b/doc/man3/X509V3_get_d2i.pod
index 981eab14b8..a94e92191d 100644
--- a/doc/man3/X509V3_get_d2i.pod
+++ b/doc/man3/X509V3_get_d2i.pod
@@ -2,11 +2,12 @@
=head1 NAME
-X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions,
X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
-X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i,
-X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
-X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions
+X509_get_ext_d2i, X509_add1_ext_i2d,
+X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
+X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
+X509_get0_extensions, X509_CRL_get0_extensions,
+X509_REVOKED_get0_extensions - X509 extension decode and encode functions
=head1 SYNOPSIS
@@ -38,37 +39,37 @@ X509_REVOKED_add1_ext_i2d - X509 extension decode and
encode functions
=head1 DESCRIPTION
-X509V3_get_ext_d2i() looks for an extension with OID B in the extensions
-B and, if found, decodes it. If B is B then only one
+X509V3_get_d2i() looks for an extension with OID I in the extensions
+I and, if found, decodes it. If I is NULL then only one
occurrence of an extension is permissible otherwise the first extension after
-index B<*idx> is returned and B<*idx> updated to the location of the extension.
-If B is not B then B<*crit> is set to a status value: -2 if the
-extension occurs multiple times (this is only returned if B is B),
+index I<*idx> is returned and I<*idx> updated to the location of the extension.
+If I is not NULL then I<*crit> is set to a status value: -2 if the
+extension occurs multiple times (this is only returned if I is NULL),
-1 if the extension could not be found, 0 if the extension is found and is
not critical and 1 if critical. A pointer to an extension specific structure
-or B is returned.
+or NULL is returned.
-X509V3_add1_i2d() adds extension B to STACK B<*x> (allocating a new
-STACK if necessary) using OID B and criticality B according
-to B.
+X509V3_add1_i2d() adds extension I to STACK I<*x> (allocating a new
+STACK if necessary) using OID I and criticality I according
+to I.
X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
-B and returns a pointer to an extension specific structure or B
+I and returns a pointer to an extension specific structure or NULL
if the extension could not be decoded (invalid syntax or not supported).
-X509V3_EXT_i2d() encodes the extension specific structure B
-with OID B and criticality B.
+X509V3_EXT_i2d() encodes the extension specific structure I
+with OID I and criticality I.
X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
-certificate B, they are otherwise identical to X509V3_get_d2i() and
+certificate I, they are otherwise identical to X509V3_get_d2i() and
X509V3_add_i2d().
X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
-of CRL B, they are otherwise identical to X509V3_get_d2i() and
+of CRL I, they are otherwise identical to X509V3_get_d2i() and
X509V3_add_i2d().
X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
-extensions of B structure B (i.e for CRL entry extensions),
+extensions of B structure I (i.e for CRL entry extensions),
they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d().
X509_get0_extensions(), X509_CRL_get0_extensions() and
@@ -78,9 +79,9 @@ of a certificate a CRL or a CRL entry respectively.
=head1 NOTES
In almost all cases an extension can occur at most once and multiple
-occurrences is an error. Therefore, the B parameter is usually B.
+occurrences is an error. Therefore, the I parameter is usually NULL.
-The B parameter may be one of the following values.
+The I parameter may be one of the following values.
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via ad910cc482c8e06d04a141a9f5f79172a6e56f66 (commit)
via 3138402278b3fc3ce67edc01e6198b9840ca7d9b (commit)
from 5675a5aaf6a2e489022bcfc18330dae9263e598e (commit)
- Log -
commit ad910cc482c8e06d04a141a9f5f79172a6e56f66
Author: Dr. David von Oheimb
Date: Fri Feb 18 09:36:00 2022 +0100
X509V3_get_d2i.pod: use I<> for arguments and remove B<> around NULL
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/17724)
(cherry picked from commit a044af49c43ec8fe099deeb5d06501ddf70abf7a)
commit 3138402278b3fc3ce67edc01e6198b9840ca7d9b
Author: Dr. David von Oheimb
Date: Thu Feb 17 19:43:55 2022 +0100
X509V3_get_d2i.pod: Fix glitch on X509V3_get{,_ext}_d2i and align order
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/17724)
(cherry picked from commit 2455a21f4ef9826b465ba68fd96f26ea25b80b10)
---
Summary of changes:
doc/man3/X509V3_get_d2i.pod | 66 +++--
1 file changed, 34 insertions(+), 32 deletions(-)
diff --git a/doc/man3/X509V3_get_d2i.pod b/doc/man3/X509V3_get_d2i.pod
index 981eab14b8..a94e92191d 100644
--- a/doc/man3/X509V3_get_d2i.pod
+++ b/doc/man3/X509V3_get_d2i.pod
@@ -2,11 +2,12 @@
=head1 NAME
-X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions,
X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
-X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i,
-X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
-X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions
+X509_get_ext_d2i, X509_add1_ext_i2d,
+X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
+X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
+X509_get0_extensions, X509_CRL_get0_extensions,
+X509_REVOKED_get0_extensions - X509 extension decode and encode functions
=head1 SYNOPSIS
@@ -38,37 +39,37 @@ X509_REVOKED_add1_ext_i2d - X509 extension decode and
encode functions
=head1 DESCRIPTION
-X509V3_get_ext_d2i() looks for an extension with OID B in the extensions
-B and, if found, decodes it. If B is B then only one
+X509V3_get_d2i() looks for an extension with OID I in the extensions
+I and, if found, decodes it. If I is NULL then only one
occurrence of an extension is permissible otherwise the first extension after
-index B<*idx> is returned and B<*idx> updated to the location of the extension.
-If B is not B then B<*crit> is set to a status value: -2 if the
-extension occurs multiple times (this is only returned if B is B),
+index I<*idx> is returned and I<*idx> updated to the location of the extension.
+If I is not NULL then I<*crit> is set to a status value: -2 if the
+extension occurs multiple times (this is only returned if I is NULL),
-1 if the extension could not be found, 0 if the extension is found and is
not critical and 1 if critical. A pointer to an extension specific structure
-or B is returned.
+or NULL is returned.
-X509V3_add1_i2d() adds extension B to STACK B<*x> (allocating a new
-STACK if necessary) using OID B and criticality B according
-to B.
+X509V3_add1_i2d() adds extension I to STACK I<*x> (allocating a new
+STACK if necessary) using OID I and criticality I according
+to I.
X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
-B and returns a pointer to an extension specific structure or B
+I and returns a pointer to an extension specific structure or NULL
if the extension could not be decoded (invalid syntax or not supported).
-X509V3_EXT_i2d() encodes the extension specific structure B
-with OID B and criticality B.
+X509V3_EXT_i2d() encodes the extension specific structure I
+with OID I and criticality I.
X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
-certificate B, they are otherwise identical to X509V3_get_d2i() and
+certificate I, they are otherwise identical to X509V3_get_d2i() and
X509V3_add_i2d().
X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
-of CRL B, they are otherwise identical to X509V3_get_d2i() and
+of CRL I, they are otherwise identical to X509V3_get_d2i() and
X509V3_add_i2d().
X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
-extensions of B structure B (i.e for CRL entry extensions),
+extensions of B structure I (i.e for CRL entry extensions),
they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d().
X509_get0_extensions(), X509_CRL_get0_extensions() and
@@ -78,9 +79,9 @@ of a certificate a CRL or a CRL entry respectively.
=head1 NOTES
In almost all cases an extension can occur at most once and multiple
-occurrences is an error. Therefore, the B parameter is usually B.
+occurrences is
[openssl] master update
The branch master has been updated via cd7ec0bca00ceb6e8d4af46a57c6c096a7ed8947 (commit) from f596bbe4da779b56eea34d96168b557d78e1149a (commit) - Log - commit cd7ec0bca00ceb6e8d4af46a57c6c096a7ed8947 Author: Dr. David von Oheimb Date: Thu Feb 17 19:46:29 2022 +0100 CMP: add subject of any provided CSR as default message sender Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17723) --- Summary of changes: crypto/cmp/cmp_hdr.c | 3 ++- doc/man1/openssl-cmp.pod.in | 4 +++- doc/man3/OSSL_CMP_CTX_new.pod | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c index e970e6cbd7..86966c3195 100644 --- a/crypto/cmp/cmp_hdr.c +++ b/crypto/cmp/cmp_hdr.c @@ -301,11 +301,12 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr) return 0; /* - * If neither protection cert nor oldCert nor subject are given, + * If no protection cert nor oldCert nor CSR nor subject is given, * sender name is not known to the client and thus set to NULL-DN */ sender = ctx->cert != NULL ? X509_get_subject_name(ctx->cert) : ctx->oldCert != NULL ? X509_get_subject_name(ctx->oldCert) : +ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) : ctx->subjectName; if (!ossl_cmp_hdr_set1_sender(hdr, sender)) return 0; diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 705baf1dd6..5a111a39eb 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -273,7 +273,7 @@ or of the reference certificate (see B<-oldcert>) if provided. This default is used for IR and CR only if no SANs are set. If the NULL-DN (C<"/">) is given then no subject is placed in the template. -If provided and neither B<-cert> nor B<-oldcert> is given, +If provided and neither of B<-cert>, B<-oldcert>, or B<-csr> is given, the subject DN is used as fallback sender of outgoing CMP messages. The argument must be formatted as I. @@ -360,6 +360,8 @@ When used with B<-cmd> I, I, or I, it is transformed into the respective regular CMP request. It may also be used with B<-cmd> I to specify the certificate to be revoked via the included subject name and public key. +Its subject is used as fallback sender in CMP message headers +if B<-cert> and B<-oldcert> are not given. =item B<-out_trusted> I|I diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index d739f7f6f7..883bda8b69 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -457,7 +457,8 @@ When using signature-based protection of CMP request messages this CMP signer certificate will be included first in the extraCerts field. It serves as fallback reference certificate, see OSSL_CMP_CTX_set1_oldCert(). The subject of this I will be used as the sender field of outgoing -messages, while the subject of any cert set via OSSL_CMP_CTX_set1_oldCert() +messages, while the subject of any cert set via OSSL_CMP_CTX_set1_oldCert(), +the subject of any PKCS#10 CSR set via OSSL_CMP_CTX_set1_p10CSR(), and any value set via OSSL_CMP_CTX_set1_subjectName() are used as fallback. The I argument may be NULL to clear the entry.
[openssl] master update
The branch master has been updated
via 04bc3c1277b8b20dc29f96933f7be592c0535aa8 (commit)
from 37b850738cbab74413d41033b2a4df1d69e1fa4a (commit)
- Log -
commit 04bc3c1277b8b20dc29f96933f7be592c0535aa8
Author: Dr. David von Oheimb
Date: Fri Aug 6 12:11:13 2021 +0200
Fix malloc failure handling of X509_ALGOR_set0()
Also update and slightly extend the respective documentation and simplify
some code.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16251)
---
Summary of changes:
crypto/asn1/a_sign.c| 18 --
crypto/asn1/x_algor.c | 31 ---
crypto/cms/cms_cd.c | 5 +++--
crypto/cms/cms_dh.c | 12 ++--
crypto/cms/cms_ec.c | 14 +++---
crypto/cms/cms_env.c| 4 ++--
crypto/cms/cms_rsa.c| 28
crypto/cms/cms_sd.c | 9 ++---
crypto/ec/ecx_meth.c| 25 +
crypto/pkcs7/pk7_lib.c | 26 ++
crypto/rsa/rsa_ameth.c | 28 +---
doc/man3/X509_ALGOR_dup.pod | 28
12 files changed, 116 insertions(+), 112 deletions(-)
diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c
index 302045cfcd..df251719f6 100644
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -247,16 +247,14 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR
*algor1,
goto err;
}
-if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
-paramtype = V_ASN1_NULL;
-else
-paramtype = V_ASN1_UNDEF;
-
-if (algor1)
-X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL);
-if (algor2)
-X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL);
-
+paramtype = pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL ?
+V_ASN1_NULL : V_ASN1_UNDEF;
+if (algor1 != NULL
+&& !X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL))
+goto err;
+if (algor2 != NULL
+&& !X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL))
+goto err;
}
buf_len = ASN1_item_i2d(data, _in, it);
diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c
index f56ec92f65..e78cf7a68b 100644
--- a/crypto/asn1/x_algor.c
+++ b/crypto/asn1/x_algor.c
@@ -33,12 +33,9 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int
ptype, void *pval)
if (alg == NULL)
return 0;
-if (ptype != V_ASN1_UNDEF) {
-if (alg->parameter == NULL)
-alg->parameter = ASN1_TYPE_new();
-if (alg->parameter == NULL)
-return 0;
-}
+if (ptype != V_ASN1_UNDEF && alg->parameter == NULL
+&& (alg->parameter = ASN1_TYPE_new()) == NULL)
+return 0;
ASN1_OBJECT_free(alg->algorithm);
alg->algorithm = aobj;
@@ -68,7 +65,7 @@ X509_ALGOR *ossl_X509_ALGOR_from_nid(int nid, int ptype, void
*pval)
err:
X509_ALGOR_free(alg);
-ASN1_OBJECT_free(algo);
+/* ASN1_OBJECT_free(algo) is not needed due to OBJ_nid2obj() */
return NULL;
}
@@ -89,18 +86,12 @@ void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype,
}
/* Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD */
-
void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md)
{
-int param_type;
-
-if (md->flags & EVP_MD_FLAG_DIGALGID_ABSENT)
-param_type = V_ASN1_UNDEF;
-else
-param_type = V_ASN1_NULL;
-
-X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_get_type(md)), param_type, NULL);
+int type = md->flags & EVP_MD_FLAG_DIGALGID_ABSENT ? V_ASN1_UNDEF
+ : V_ASN1_NULL;
+(void)X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_get_type(md)), type, NULL);
}
int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
@@ -150,13 +141,15 @@ int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR
*src)
/* allocate and set algorithm ID from EVP_MD, default SHA1 */
int ossl_x509_algor_new_from_md(X509_ALGOR **palg, const EVP_MD *md)
{
+X509_ALGOR *alg;
+
/* Default is SHA1 so no need to create it - still success */
if (md == NULL || EVP_MD_is_a(md, "SHA1"))
return 1;
-*palg = X509_ALGOR_new();
-if (*palg == NULL)
+if ((alg = X509_ALGOR_new()) == NULL)
return 0;
-X509_ALGOR_set_md(*palg, md);
+X509_ALGOR_set_md(alg, md);
+*palg = alg;
return 1;
}
diff --git a/crypto/cms/cms_cd.c b/crypto/cms/cms_cd.c
index 6de6d55e58..a7f47a6a3d 100644
--- a/crypto/cms/cms_cd.c
+++ b/crypto/cms/cms_cd.c
@@ -50,8 +50,9 @@ CMS_ContentInfo *ossl_cms_CompressedData_create(int comp_nid,
cd->version = 0;
-
[openssl] master update
The branch master has been updated
via 2c2724476ef50b8926b033f009bdfc85ac3f1816 (commit)
via 870871e5df4f47611c38e81d3f50e38cbf362082 (commit)
from 7ee992a5d931ab5ad9df00d2d8e47e1b7a72d7ac (commit)
- Log -
commit 2c2724476ef50b8926b033f009bdfc85ac3f1816
Author: Dr. David von Oheimb
Date: Tue Aug 24 12:03:12 2021 +0200
APPS: Add check for multiple 'unknown' options
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/16416)
commit 870871e5df4f47611c38e81d3f50e38cbf362082
Author: Dr. David von Oheimb
Date: Tue Aug 24 12:27:12 2021 +0200
PKCS12 app: Improve readability w.r.t. enc_flag, renamed to enc_name
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/16416)
---
Summary of changes:
apps/cms.c | 1 +
apps/crl.c | 1 +
apps/dgst.c | 1 +
apps/dsa.c | 1 +
apps/ec.c| 1 +
apps/enc.c | 1 +
apps/gendsa.c| 1 +
apps/genpkey.c | 1 +
apps/genrsa.c| 1 +
apps/include/opt.h | 2 ++
apps/lib/opt.c | 19 ++-
apps/ocsp.c | 9 +++--
apps/pkcs12.c| 12 ++--
apps/pkey.c | 1 +
apps/req.c | 1 +
apps/rsa.c | 1 +
apps/smime.c | 1 +
apps/storeutl.c | 4 +++-
apps/ts.c| 1 +
apps/x509.c | 2 +-
doc/man1/openssl-ocsp.pod.in | 11 ++-
21 files changed, 57 insertions(+), 16 deletions(-)
diff --git a/apps/cms.c b/apps/cms.c
index b49d1e3a68..575f8b3625 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -314,6 +314,7 @@ int cms_main(int argc, char **argv)
if (encerts == NULL || vpm == NULL)
goto end;
+opt_set_unknown_name("cipher");
prog = opt_init(argc, argv, cms_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
diff --git a/apps/crl.c b/apps/crl.c
index 8d353ff2af..c8f0981ee7 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -98,6 +98,7 @@ int crl_main(int argc, char **argv)
int hash_old = 0;
#endif
+opt_set_unknown_name("digest");
prog = opt_init(argc, argv, crl_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
diff --git a/apps/dgst.c b/apps/dgst.c
index e75dd72521..18ba3d41c5 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -115,6 +115,7 @@ int dgst_main(int argc, char **argv)
buf = app_malloc(BUFSIZE, "I/O buffer");
md = (EVP_MD *)EVP_get_digestbyname(argv[0]);
+opt_set_unknown_name("digest");
prog = opt_init(argc, argv, dgst_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
diff --git a/apps/dsa.c b/apps/dsa.c
index 9605ed81e7..fae277b8a2 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -92,6 +92,7 @@ int dsa_main(int argc, char **argv)
int selection = 0;
OSSL_ENCODER_CTX *ectx = NULL;
+opt_set_unknown_name("cipher");
prog = opt_init(argc, argv, dsa_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
diff --git a/apps/ec.c b/apps/ec.c
index 4573300a5e..2c350ff0b4 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -80,6 +80,7 @@ int ec_main(int argc, char **argv)
char *point_format = NULL;
int no_public = 0;
+opt_set_unknown_name("cipher");
prog = opt_init(argc, argv, ec_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
diff --git a/apps/enc.c b/apps/enc.c
index e71453c3c4..b14129d9b0 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -143,6 +143,7 @@ int enc_main(int argc, char **argv)
else if (strcmp(argv[0], "enc") != 0)
ciphername = argv[0];
+opt_set_unknown_name("cipher");
prog = opt_init(argc, argv, enc_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
diff --git a/apps/gendsa.c b/apps/gendsa.c
index b9bc2f502b..c4070c9e1a 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -62,6 +62,7 @@ int gendsa_main(int argc, char **argv)
OPTION_CHOICE o;
int ret = 1, private = 0, verbose = 0, nbits;
+opt_set_unknown_name("cipher");
prog = opt_init(argc, argv, gendsa_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
diff --git a/apps/genpkey.c b/apps/genpkey.c
index 7f70a6baa2..f4c8f92c34 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -74,6 +74,7 @@ int genpkey_main(int argc, char **argv)
OSSL_LIB_CTX *libctx = app_get0_libctx();
STACK_OF(OPENSSL_STRING) *keyopt = NULL;
+opt_set_unknown_name("cipher");
prog = opt_init(argc, argv, genpkey_options);
keyopt = sk_OPENSSL_STRING_new_null();
if (keyopt == NULL)
diff --git a/apps/genrsa.c b/apps/genrsa.c
index
[openssl] master update
The branch master has been updated
via 81b741f68984b2620166d0d6271fbd946bab9e7f (commit)
from 8cdb993d8b1ad9fd58fb5f41cc43df97014f00c9 (commit)
- Log -
commit 81b741f68984b2620166d0d6271fbd946bab9e7f
Author: Kan
Date: Tue Nov 30 14:39:49 2021 +0800
Update alert to common protocol
Reviewed-by: Paul Dale
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/17161)
---
Summary of changes:
ssl/ssl_err.c | 22 +++---
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 014eda06b1..c28885d630 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -386,27 +386,27 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_LONG),
"ssl3 session id too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),
-"sslv3 alert bad certificate"},
+"ssl/tls alert bad certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),
-"sslv3 alert bad record mac"},
+"ssl/tls alert bad record mac"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),
-"sslv3 alert certificate expired"},
+"ssl/tls alert certificate expired"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),
-"sslv3 alert certificate revoked"},
+"ssl/tls alert certificate revoked"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),
-"sslv3 alert certificate unknown"},
+"ssl/tls alert certificate unknown"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),
-"sslv3 alert decompression failure"},
+"ssl/tls alert decompression failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),
-"sslv3 alert handshake failure"},
+"ssl/tls alert handshake failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),
-"sslv3 alert illegal parameter"},
+"ssl/tls alert illegal parameter"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_NO_CERTIFICATE),
-"sslv3 alert no certificate"},
+"ssl/tls alert no certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),
-"sslv3 alert unexpected message"},
+"ssl/tls alert unexpected message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),
-"sslv3 alert unsupported certificate"},
+"ssl/tls alert unsupported certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_EMPTY),
"ssl command section empty"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND),
[openssl] master update
The branch master has been updated
via 8cdb993d8b1ad9fd58fb5f41cc43df97014f00c9 (commit)
from 10481d33844218694929a7bad57314411a33ab74 (commit)
- Log -
commit 8cdb993d8b1ad9fd58fb5f41cc43df97014f00c9
Author: Dr. David von Oheimb
Date: Thu Jan 6 23:26:04 2022 +0100
apps.c: fix various coding style nits found by check-format.pl
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17435)
---
Summary of changes:
apps/lib/apps.c | 264 +++-
1 file changed, 127 insertions(+), 137 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 6c3f3aee00..7ca30ef590 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -51,7 +51,7 @@
#ifdef _WIN32
static int WIN32_rename(const char *from, const char *to);
-# define rename(from,to) WIN32_rename((from),(to))
+# define rename(from, to) WIN32_rename((from), (to))
#endif
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
@@ -102,6 +102,7 @@ int chopup_args(ARGS *arg, char *buf)
/* The start of something good :-) */
if (arg->argc >= arg->size) {
char **tmp;
+
arg->size += 20;
tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size);
if (tmp == NULL)
@@ -188,7 +189,8 @@ int set_nameopt(const char *arg)
unsigned long get_nameopt(void)
{
-return (nmflag_set) ? nmflag : XN_FLAG_SEP_CPLUS_SPC |
ASN1_STRFLGS_UTF8_CONVERT;
+return
+nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC |
ASN1_STRFLGS_UTF8_CONVERT;
}
void dump_cert_text(BIO *out, X509 *x)
@@ -202,7 +204,6 @@ int wrap_password_callback(char *buf, int bufsiz, int
verify, void *userdata)
return password_callback(buf, bufsiz, verify, (PW_CB_DATA *)userdata);
}
-
static char *app_get_pass(const char *arg, int keepbio);
char *get_passwd(const char *pass, const char *desc)
@@ -218,7 +219,8 @@ char *get_passwd(const char *pass, const char *desc)
"Trying plain input string (better precede with
'pass:')\n");
result = OPENSSL_strdup(pass);
if (result == NULL)
-BIO_printf(bio_err, "Out of memory getting password for %s\n",
desc);
+BIO_printf(bio_err,
+ "Out of memory getting password for %s\n", desc);
}
return result;
}
@@ -279,6 +281,7 @@ static char *app_get_pass(const char *arg, int keepbio)
*/
} else if (CHECK_AND_SKIP_PREFIX(arg, "fd:")) {
BIO *btmp;
+
i = atoi(arg);
if (i >= 0)
pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
@@ -568,8 +571,8 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int
maybe_stdin,
}
EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin,
- const char *keytype, const char *desc,
- int suppress_decode_errors)
+ const char *keytype, const char *desc,
+ int suppress_decode_errors)
{
EVP_PKEY *params = NULL;
BIO *bio_bak = bio_err;
@@ -829,7 +832,18 @@ static const char *format2string(int format)
}
/* Set type expectation, but clear it if objects of different types expected.
*/
-#define SET_EXPECT(expect, val) ((expect) = (expect) < 0 ? (val) : ((expect)
== (val) ? (val) : 0))
+#define SET_EXPECT(val) \
+(expect = expect < 0 ? (val) : (expect == (val) ? (val) : 0))
+#define SET_EXPECT1(pvar, val) \
+if ((pvar) != NULL) { \
+*(pvar) = NULL; \
+SET_EXPECT(val); \
+}
+#define FAIL_NAME \
+(ppkey != NULL ? "key etc." : ppubkey != NULL ? "public key etc." : \
+ pparams != NULL ? "params etc." : \
+ pcert != NULL ? "cert etc." : pcerts != NULL ? "certs etc." : \
+ pcrl != NULL ? "CRL etc." : pcrls != NULL ? "CRLs etc." : NULL)
/*
* Load those types of credentials for which the result pointer is not NULL.
* Reads from stdio if uri is NULL and maybe_stdin is nonzero.
@@ -844,9 +858,8 @@ static const char *format2string(int format)
* of *pcerts and *pcrls (as far as they are not NULL).
*/
int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
-const char *pass, const char *desc,
-EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
-EVP_PKEY **pparams,
+const char *pass, const char *desc, EVP_PKEY **ppkey,
+EVP_PKEY **ppubkey, EVP_PKEY **pparams,
X509 **pcert, STACK_OF(X509) **pcerts,
X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls)
{
@@ -854,75 +867,47 @@ int load_key_certs_crls(const char *uri, int format, int
maybe_stdin,
[openssl] master update
The branch master has been updated
via 6e98b7f153fcf9dfad1053fbb3a592166837c6fc (commit)
from fd989c734dc3f9e15d700ff9ced15125a23d4359 (commit)
- Log -
commit 6e98b7f153fcf9dfad1053fbb3a592166837c6fc
Author: Dr. David von Oheimb
Date: Tue Aug 17 19:12:55 2021 +0200
v2i_AUTHORITY_KEYID(): Improve error reporting on parsing config
values/options
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16345)
---
Summary of changes:
crypto/err/openssl.txt | 3 +++
crypto/x509/v3_akid.c | 33 ++---
crypto/x509/v3err.c | 3 +++
doc/man5/x509v3_config.pod | 4 ++--
include/openssl/x509v3err.h | 3 +++
5 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 6e75af9b8b..3c59fce96c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1585,6 +1585,8 @@ UI_R_UNKNOWN_TTYGET_ERRNO_VALUE:108:unknown ttyget errno
value
UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported
X509V3_R_BAD_IP_ADDRESS:118:bad ip address
X509V3_R_BAD_OBJECT:119:bad object
+X509V3_R_BAD_OPTION:170:bad option
+X509V3_R_BAD_VALUE:171:bad value
X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error
X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error
X509V3_R_DIRNAME_ERROR:149:dirname error
@@ -1651,6 +1653,7 @@ X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT:111:unknown bit
string argument
X509V3_R_UNKNOWN_EXTENSION:129:unknown extension
X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name
X509V3_R_UNKNOWN_OPTION:120:unknown option
+X509V3_R_UNKNOWN_VALUE:172:unknown value
X509V3_R_UNSUPPORTED_OPTION:117:unsupported option
X509V3_R_UNSUPPORTED_TYPE:167:unsupported type
X509V3_R_USER_TOO_LONG:132:user too long
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 2a993dd5bc..209f32cbf7 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -85,14 +85,14 @@ static STACK_OF(CONF_VALUE)
*i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
}
/*-
- * Currently two options:
- * keyid: use the issuers subject keyid, the value 'always' means its is
- * an error if the issuer certificate doesn't have a key id.
- * issuer: use the issuers cert issuer and serial number. The default is
- * to only use this if keyid is not present. With the option 'always'
+ * Three explicit tags may be given, where 'keyid' and 'issuer' may be
combined:
+ * 'none': do not add any authority key identifier.
+ * 'keyid': use the issuer's subject keyid; the option 'always' means its is
+ * an error if the issuer certificate doesn't have a subject key id.
+ * 'issuer': use the issuer's cert issuer and serial number. The default is
+ * to only use this if 'keyid' is not present. With the option 'always'
* this is always included.
*/
-
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *values)
@@ -119,16 +119,27 @@ static AUTHORITY_KEYID
*v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
for (i = 0; i < n; i++) {
cnf = sk_CONF_VALUE_value(values, i);
-if (strcmp(cnf->name, "keyid") == 0) {
+if (cnf->value != NULL && strcmp(cnf->value, "always") != 0) {
+ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+ "name=%s option=%s", cnf->name, cnf->value);
+goto err;
+}
+if (strcmp(cnf->name, "keyid") == 0 && keyid == 0) {
keyid = 1;
-if (cnf->value && strcmp(cnf->value, "always") == 0)
+if (cnf->value != NULL)
keyid = 2;
-} else if (strcmp(cnf->name, "issuer") == 0) {
+} else if (strcmp(cnf->name, "issuer") == 0 && issuer == 0) {
issuer = 1;
-if (cnf->value && strcmp(cnf->value, "always") == 0)
+if (cnf->value != NULL)
issuer = 2;
+} else if (strcmp(cnf->name, "none") == 0
+ || strcmp(cnf->name, "keyid") == 0
+ || strcmp(cnf->name, "issuer") == 0) {
+ERR_raise_data(ERR_LIB_X509V3, X509V3_R_BAD_VALUE,
+ "name=%s", cnf->name);
+goto err;
} else {
-ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_VALUE,
"name=%s", cnf->name);
goto err;
}
diff --git a/crypto/x509/v3err.c b/crypto/x509/v3err.c
index 6f38034c1a..b52f16f597 100644
--- a/crypto/x509/v3err.c
+++ b/crypto/x509/v3err.c
@@ -17,6 +17,8 @@
static const ERR_STRING_DATA X509V3_str_reasons[] = {
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "bad ip
[openssl] master update
The branch master has been updated
via fd989c734dc3f9e15d700ff9ced15125a23d4359 (commit)
via 9944df112ffbe4b6855b6a9bf88720803277cc23 (commit)
from 6e2499474cb96b28a51df1da25cc72f1cf342fad (commit)
- Log -
commit fd989c734dc3f9e15d700ff9ced15125a23d4359
Author: Dr. David von Oheimb
Date: Tue Jan 4 10:48:32 2022 +0100
apps/cmp.c: fix coding style nits reported by check-format.pl
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17363)
commit 9944df112ffbe4b6855b6a9bf88720803277cc23
Author: Dr. David von Oheimb
Date: Fri Aug 6 12:11:13 2021 +0200
asn1/x_algor.c: add internal ossl_X509_ALGOR_from_nid() simplifying code
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17363)
---
Summary of changes:
apps/cmp.c | 30 --
crypto/asn1/p5_pbev2.c | 4 ++--
crypto/asn1/x_algor.c| 28 ++--
crypto/cmp/cmp_protect.c | 41 +
crypto/cms/cms_rsa.c | 12 +---
crypto/cms/cms_sd.c | 5 ++---
include/crypto/asn1.h| 1 +
7 files changed, 61 insertions(+), 60 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 830e4cb9c8..7e3e975aac 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -940,7 +940,6 @@ static int setup_certs(char *files, const char *desc, void
*ctx,
return ok;
}
-
/*
* parse and transform some options, checking their syntax.
* Returns 1 on success, 0 on error
@@ -1536,7 +1535,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
if (opt_subject != NULL) {
if (opt_ref == NULL && opt_cert == NULL) {
-/* use subject as default sender unless oldcert subject is
used */
+/* will use subject as sender unless oldcert subject is used */
if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx,
"subject"))
return 0;
} else {
@@ -1610,8 +1609,8 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
if (pkey == NULL) {
ERR_clear_error();
desc = opt_csr == NULL
-? "fallback public key for cert to be enrolled"
-: "public key for checking cert resulting from p10cr";
+? "fallback public key for cert to be enrolled"
+: "public key for checking cert resulting from p10cr";
pkey = load_pubkey(file, format, 0, pass, engine, desc);
priv = 0;
}
@@ -1811,7 +1810,6 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
return 0;
}
-
/*
* set up the client-side OSSL_CMP_CTX based on options from config file/CLI
* while parsing options and checking their consistency.
@@ -2166,9 +2164,9 @@ static int read_config(void)
|| !strcmp(opt->name, OPT_MORE_STR))
n_options--;
OPENSSL_assert(OSSL_NELEM(cmp_vars) == n_options
- + OPT_PROV__FIRST + 1 - OPT_PROV__LAST
- + OPT_R__FIRST + 1 - OPT_R__LAST
- + OPT_V__FIRST + 1 - OPT_V__LAST);
+ + OPT_PROV__FIRST + 1 - OPT_PROV__LAST
+ + OPT_R__FIRST + 1 - OPT_R__LAST
+ + OPT_V__FIRST + 1 - OPT_V__LAST);
for (opt = _options[start_opt], i = start_idx;
opt->name != NULL; i++, opt++) {
int provider_option = (OPT_PROV__FIRST <= opt->retval
@@ -2503,7 +2501,7 @@ static int get_opts(int argc, char **argv)
break;
case OPT_REVREASON:
opt_revreason = opt_int_arg();
-if (opt_revreason < CRL_REASON_NONE
+if (opt_revreason < CRL_REASON_NONE
|| opt_revreason > CRL_REASON_AA_COMPROMISE
|| opt_revreason == 7) {
CMP_err("invalid revreason. Valid values are -1 .. 6, 8 ..
10");
@@ -2648,7 +2646,8 @@ static int get_opts(int argc, char **argv)
}
#ifndef OPENSSL_NO_SOCK
-static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx) {
+static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx)
+{
BIO *acbio;
BIO *cbio = NULL;
int keep_alive = 0;
@@ -2713,7 +2712,7 @@ static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx) {
}
if (!ret || !keep_alive
|| OSSL_CMP_CTX_get_status(srv_cmp_ctx) == -1
- /* transaction closed by OSSL_CMP_CTX_server_perform() */) {
+/* transaction closed by OSSL_CMP_CTX_server_perform() */) {
BIO_free_all(cbio);
cbio = NULL;
}
@@ -2769,7 +2768,8 @@ int cmp_main(int argc, char **argv)
/* read default values for options from config file */
configfile = opt_config != NULL ? opt_config : default_config_file;
if (configfile != NULL && configfile[0] != '\0' /* non-empty
[openssl] master update
The branch master has been updated
via 6e2499474cb96b28a51df1da25cc72f1cf342fad (commit)
via 7c64ca71c2ceeb1d47e8499bd351de7d0078ce37 (commit)
from d4d8f163db1d32c98d8f956e6966263a7a22fac1 (commit)
- Log -
commit 6e2499474cb96b28a51df1da25cc72f1cf342fad
Author: Dr. David von Oheimb
Date: Fri Aug 27 18:36:38 2021 +0200
APPS load_key_certs_crls(): Make file access errors much more readable
This reverts part of commit ef0449135c4e4e7f using a less invasive
suppression.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16452)
commit 7c64ca71c2ceeb1d47e8499bd351de7d0078ce37
Author: Dr. David von Oheimb
Date: Fri Aug 27 18:33:56 2021 +0200
OSSL_STORE_open_ex(): Prevent spurious error: unregistered scheme=file
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16452)
---
Summary of changes:
apps/lib/apps.c | 143 ++-
crypto/store/store_lib.c | 4 ++
2 files changed, 72 insertions(+), 75 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 3b0266f158..6c3f3aee00 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -79,15 +79,6 @@ static int set_table_opts(unsigned long *flags, const char
*arg,
const NAME_EX_TBL * in_tbl);
static int set_multi_opts(unsigned long *flags, const char *arg,
const NAME_EX_TBL * in_tbl);
-static
-int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin,
- const char *pass, const char *desc,
- EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
- EVP_PKEY **pparams,
- X509 **pcert, STACK_OF(X509) **pcerts,
- X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls,
- int suppress_decode_errors);
-
int app_init(long mesgwin);
int chopup_args(ARGS *arg, char *buf)
@@ -460,16 +451,17 @@ X509 *load_cert_pass(const char *uri, int format, int
maybe_stdin,
if (desc == NULL)
desc = "certificate";
-if (IS_HTTPS(uri))
+if (IS_HTTPS(uri)) {
BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc);
-else if (IS_HTTP(uri))
+} else if (IS_HTTP(uri)) {
cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */);
-else
+if (cert == NULL) {
+ERR_print_errors(bio_err);
+BIO_printf(bio_err, "Unable to load %s from %s\n", desc, uri);
+}
+} else {
(void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc,
NULL, NULL, NULL, , NULL, NULL, NULL);
-if (cert == NULL) {
-BIO_printf(bio_err, "Unable to load %s\n", desc);
-ERR_print_errors(bio_err);
}
return cert;
}
@@ -481,16 +473,17 @@ X509_CRL *load_crl(const char *uri, int format, int
maybe_stdin,
if (desc == NULL)
desc = "CRL";
-if (IS_HTTPS(uri))
+if (IS_HTTPS(uri)) {
BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc);
-else if (IS_HTTP(uri))
+} else if (IS_HTTP(uri)) {
crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */);
-else
+if (crl == NULL) {
+ERR_print_errors(bio_err);
+BIO_printf(bio_err, "Unable to load %s from %s\n", desc, uri);
+}
+} else {
(void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc,
NULL, NULL, NULL, NULL, NULL, , NULL);
-if (crl == NULL) {
-BIO_printf(bio_err, "Unable to load %s\n", desc);
-ERR_print_errors(bio_err);
}
return crl;
}
@@ -517,8 +510,8 @@ X509_REQ *load_csr(const char *file, int format, const char
*desc)
end:
if (req == NULL) {
-BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
+BIO_printf(bio_err, "Unable to load %s\n", desc);
}
BIO_free(in);
return req;
@@ -579,23 +572,23 @@ EVP_PKEY *load_keyparams_suppress(const char *uri, int
format, int maybe_stdin,
int suppress_decode_errors)
{
EVP_PKEY *params = NULL;
+BIO *bio_bak = bio_err;
if (desc == NULL)
desc = "key parameters";
-
-(void)load_key_certs_crls_suppress(uri, format, maybe_stdin, NULL, desc,
- NULL, NULL, , NULL, NULL, NULL,
- NULL, suppress_decode_errors);
+if (suppress_decode_errors)
+bio_err = NULL;
+(void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc,
+ NULL, NULL, , NULL, NULL, NULL, NULL);
if (params != NULL && keytype != NULL
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 7a30610902d6d19cfd1698498d3d4129f308e285 (commit)
from f762f91f9506927ed036bca5f78f392e039911df (commit)
- Log -
commit 7a30610902d6d19cfd1698498d3d4129f308e285
Author: Dr. David von Oheimb
Date: Fri May 14 15:11:00 2021 +0200
OSSL_STORE: Prevent spurious error during loading private keys
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/15283)
(cherry picked from commit da198adb9c5626f31c52613fe2ae59a7066c3366)
---
Summary of changes:
.../implementations/encode_decode/decode_der2key.c | 23 +-
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/providers/implementations/encode_decode/decode_der2key.c
b/providers/implementations/encode_decode/decode_der2key.c
index 356e65b403..9e3b86b46e 100644
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@@ -204,19 +204,24 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
int selection,
if (!ok)
goto next;
-ok = 0; /* Assume that we fail */
+ok = 0; /* Assume that we fail */
+ERR_set_mark();
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
derp = der;
if (ctx->desc->d2i_PKCS8 != NULL) {
key = ctx->desc->d2i_PKCS8(NULL, , der_len, ctx);
-if (ctx->flag_fatal)
+if (ctx->flag_fatal) {
+ERR_clear_last_mark();
goto end;
+}
} else if (ctx->desc->d2i_private_key != NULL) {
key = ctx->desc->d2i_private_key(NULL, , der_len);
}
-if (key == NULL && ctx->selection != 0)
+if (key == NULL && ctx->selection != 0) {
+ERR_clear_last_mark();
goto next;
+}
}
if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
derp = der;
@@ -224,16 +229,24 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
int selection,
key = ctx->desc->d2i_PUBKEY(NULL, , der_len);
else
key = ctx->desc->d2i_public_key(NULL, , der_len);
-if (key == NULL && ctx->selection != 0)
+if (key == NULL && ctx->selection != 0) {
+ERR_clear_last_mark();
goto next;
+}
}
if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) {
derp = der;
if (ctx->desc->d2i_key_params != NULL)
key = ctx->desc->d2i_key_params(NULL, , der_len);
-if (key == NULL && ctx->selection != 0)
+if (key == NULL && ctx->selection != 0) {
+ERR_clear_last_mark();
goto next;
+}
}
+if (key == NULL)
+ERR_clear_last_mark();
+else
+ERR_pop_to_mark();
/*
* Last minute check to see if this was the correct type of key. This
[openssl] master update
The branch master has been updated
via da198adb9c5626f31c52613fe2ae59a7066c3366 (commit)
from e304aa87b35fac5ea97c405dd3c21549faa45e78 (commit)
- Log -
commit da198adb9c5626f31c52613fe2ae59a7066c3366
Author: Dr. David von Oheimb
Date: Fri May 14 15:11:00 2021 +0200
OSSL_STORE: Prevent spurious error during loading private keys
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/15283)
---
Summary of changes:
.../implementations/encode_decode/decode_der2key.c | 23 +-
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/providers/implementations/encode_decode/decode_der2key.c
b/providers/implementations/encode_decode/decode_der2key.c
index 356e65b403..9e3b86b46e 100644
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@@ -204,19 +204,24 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
int selection,
if (!ok)
goto next;
-ok = 0; /* Assume that we fail */
+ok = 0; /* Assume that we fail */
+ERR_set_mark();
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
derp = der;
if (ctx->desc->d2i_PKCS8 != NULL) {
key = ctx->desc->d2i_PKCS8(NULL, , der_len, ctx);
-if (ctx->flag_fatal)
+if (ctx->flag_fatal) {
+ERR_clear_last_mark();
goto end;
+}
} else if (ctx->desc->d2i_private_key != NULL) {
key = ctx->desc->d2i_private_key(NULL, , der_len);
}
-if (key == NULL && ctx->selection != 0)
+if (key == NULL && ctx->selection != 0) {
+ERR_clear_last_mark();
goto next;
+}
}
if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
derp = der;
@@ -224,16 +229,24 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
int selection,
key = ctx->desc->d2i_PUBKEY(NULL, , der_len);
else
key = ctx->desc->d2i_public_key(NULL, , der_len);
-if (key == NULL && ctx->selection != 0)
+if (key == NULL && ctx->selection != 0) {
+ERR_clear_last_mark();
goto next;
+}
}
if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) {
derp = der;
if (ctx->desc->d2i_key_params != NULL)
key = ctx->desc->d2i_key_params(NULL, , der_len);
-if (key == NULL && ctx->selection != 0)
+if (key == NULL && ctx->selection != 0) {
+ERR_clear_last_mark();
goto next;
+}
}
+if (key == NULL)
+ERR_clear_last_mark();
+else
+ERR_pop_to_mark();
/*
* Last minute check to see if this was the correct type of key. This
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 692520a1fede55001dbce23618f992b4042ebbae (commit) from 4623700d4eaaa250b49032768be2e97a147f3a1e (commit) - Log - commit 692520a1fede55001dbce23618f992b4042ebbae Author: Dr. David von Oheimb Date: Mon Jan 3 13:40:55 2022 +0100 Update troublesome copyright years of auto-generated files to 2022 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17401) --- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h| 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- include/openssl/obj_mac.h | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index e234c9e615..5630291bd5 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index 1a25c28577..8f2d7e995a 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 1e4a03e10b..0490236287 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 24b49a2df2..63bf69e443 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 5c3561ab7d..5ef094bbfd 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index eb812ed18d..53516a06c6 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at
[openssl] master update
The branch master has been updated
via b971d4198def0b29654e8fbf7987f7157741aed2 (commit)
via acef3b2f84b22c7cdb3cbc02fc8fc7b76cbb6ea7 (commit)
from 97b8c859c64bc60fcf5bb27ed51489c81fde41b3 (commit)
- Log -
commit b971d4198def0b29654e8fbf7987f7157741aed2
Author: Dr. David von Oheimb
Date: Mon Jul 12 15:34:20 2021 +0200
CMP mock server: add -ref_cert option and corresponding
ossl_cmp_mock_srv_set1_refCert()
Fixes #16041
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16050)
commit acef3b2f84b22c7cdb3cbc02fc8fc7b76cbb6ea7
Author: Dr. David von Oheimb
Date: Mon Jul 12 15:32:49 2021 +0200
X509_cmp.pod: Point out that the X509_NAME_cmp() arguments may be NULL
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16050)
---
Summary of changes:
apps/cmp.c | 23 ++--
apps/include/cmp_mock_srv.h| 1 +
apps/lib/cmp_mock_srv.c| 63 +++---
doc/internal/man3/ossl_cmp_mock_srv_new.pod| 10 +++-
doc/man1/openssl-cmp.pod.in| 5 ++
doc/man3/X509_cmp.pod | 3 +-
test/cmp_client_test.c | 1 +
test/recipes/80-test_cmp_http_data/Mock/server.cnf | 1 +
8 files changed, 82 insertions(+), 25 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 5167446cde..2e4867b0db 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -174,6 +174,7 @@ static char *opt_srv_keypass = NULL;
static char *opt_srv_trusted = NULL;
static char *opt_srv_untrusted = NULL;
+static char *opt_ref_cert = NULL;
static char *opt_rsp_cert = NULL;
static char *opt_rsp_extracerts = NULL;
static char *opt_rsp_capubs = NULL;
@@ -249,7 +250,7 @@ typedef enum OPTION_choice {
OPT_SRV_REF, OPT_SRV_SECRET,
OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
-OPT_RSP_CERT, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS,
+OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS,
OPT_POLL_COUNT, OPT_CHECK_AFTER,
OPT_GRANT_IMPLICITCONF,
OPT_PKISTATUS, OPT_FAILURE,
@@ -498,6 +499,8 @@ const OPTIONS cmp_options[] = {
"Trusted certificates for client authentication"},
{"srv_untrusted", OPT_SRV_UNTRUSTED, 's',
"Intermediate certs that may be useful for verifying CMP protection"},
+{"ref_cert", OPT_RSP_CERT, 's',
+ "Certificate to be expected for rr and any oldCertID in kur messages"},
{"rsp_cert", OPT_RSP_CERT, 's',
"Certificate to be returned as mock enrollment result"},
{"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
@@ -600,7 +603,7 @@ static varref cmp_vars[] = { /* must be in same order as
enumerated above! */
{_srv_ref}, {_srv_secret},
{_srv_cert}, {_srv_key}, {_srv_keypass},
{_srv_trusted}, {_srv_untrusted},
-{_rsp_cert}, {_rsp_extracerts}, {_rsp_capubs},
+{_ref_cert}, {_rsp_cert}, {_rsp_extracerts}, {_rsp_capubs},
{(char **)_poll_count}, {(char **)_check_after},
{(char **)_grant_implicitconf},
{(char **)_pkistatus}, {(char **)_failure},
@@ -1074,6 +1077,18 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
(add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted))
goto err;
+if (opt_ref_cert != NULL) {
+X509 *cert = load_cert_pwd(opt_ref_cert, opt_keypass,
+ "reference cert to be expected by the mock
server");
+
+if (cert == NULL)
+goto err;
+if (!ossl_cmp_mock_srv_set1_refCert(srv_ctx, cert)) {
+X509_free(cert);
+goto err;
+}
+X509_free(cert);
+}
if (opt_rsp_cert == NULL) {
CMP_warn("no -rsp_cert given for mock server");
} else {
@@ -1082,7 +1097,6 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
if (cert == NULL)
goto err;
-/* from server perspective the server is the client */
if (!ossl_cmp_mock_srv_set1_certOut(srv_ctx, cert)) {
X509_free(cert);
goto err;
@@ -2573,6 +2587,9 @@ static int get_opts(int argc, char **argv)
case OPT_SRV_UNTRUSTED:
opt_srv_untrusted = opt_str();
break;
+case OPT_REF_CERT:
+opt_ref_cert = opt_str();
+break;
case OPT_RSP_CERT:
opt_rsp_cert = opt_str();
break;
diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h
index 6beba14735..f3edc1b01b 100644
--- a/apps/include/cmp_mock_srv.h
+++ b/apps/include/cmp_mock_srv.h
@@ -20,6 +20,7 @@ OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
const char *propq);
void
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via c245cc1be1acb47b1f983dea3bbb0caf36a33712 (commit)
from 46ee414f64a846a6a7606b1fba47a084dea172eb (commit)
- Log -
commit c245cc1be1acb47b1f983dea3bbb0caf36a33712
Author: Dr. David von Oheimb
Date: Mon Jan 3 17:03:13 2022 +0100
app_http_tls_cb: Fix double-free in case TLS not used
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17400)
(cherry picked from commit 97b8c859c64bc60fcf5bb27ed51489c81fde41b3)
---
Summary of changes:
apps/lib/apps.c | 19 +++
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 2d3641ea8e..25a6b6bcc3 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2444,9 +2444,10 @@ static const char *tls_error_hint(void)
/* HTTP callback function that supports TLS connection also via HTTPS proxy */
BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
+APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
+SSL_CTX *ssl_ctx = info->ssl_ctx;
+
if (connect && detail) { /* connecting with TLS */
-APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
-SSL_CTX *ssl_ctx = info->ssl_ctx;
SSL *ssl;
BIO *sbio = NULL;
@@ -2480,12 +2481,14 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect,
int detail)
if (hint != NULL)
ERR_add_error_data(2, " : ", hint);
}
-(void)ERR_set_mark();
-BIO_ssl_shutdown(bio);
-cbio = BIO_pop(bio); /* connect+HTTP BIO */
-BIO_free(bio); /* SSL BIO */
-(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
-bio = cbio;
+if (ssl_ctx != NULL) {
+(void)ERR_set_mark();
+BIO_ssl_shutdown(bio);
+cbio = BIO_pop(bio); /* connect+HTTP BIO */
+BIO_free(bio); /* SSL BIO */
+(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
+bio = cbio;
+}
}
return bio;
}
[openssl] master update
The branch master has been updated
via 97b8c859c64bc60fcf5bb27ed51489c81fde41b3 (commit)
from 2e6afe1079c6993868c5d8a813605d16980e8e10 (commit)
- Log -
commit 97b8c859c64bc60fcf5bb27ed51489c81fde41b3
Author: Dr. David von Oheimb
Date: Mon Jan 3 17:03:13 2022 +0100
app_http_tls_cb: Fix double-free in case TLS not used
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17400)
---
Summary of changes:
apps/lib/apps.c | 19 +++
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 328b0addb4..3b0266f158 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2464,9 +2464,10 @@ static const char *tls_error_hint(void)
/* HTTP callback function that supports TLS connection also via HTTPS proxy */
BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
+APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
+SSL_CTX *ssl_ctx = info->ssl_ctx;
+
if (connect && detail) { /* connecting with TLS */
-APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
-SSL_CTX *ssl_ctx = info->ssl_ctx;
SSL *ssl;
BIO *sbio = NULL;
@@ -2500,12 +2501,14 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect,
int detail)
if (hint != NULL)
ERR_add_error_data(2, " : ", hint);
}
-(void)ERR_set_mark();
-BIO_ssl_shutdown(bio);
-cbio = BIO_pop(bio); /* connect+HTTP BIO */
-BIO_free(bio); /* SSL BIO */
-(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
-bio = cbio;
+if (ssl_ctx != NULL) {
+(void)ERR_set_mark();
+BIO_ssl_shutdown(bio);
+cbio = BIO_pop(bio); /* connect+HTTP BIO */
+BIO_free(bio); /* SSL BIO */
+(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
+bio = cbio;
+}
}
return bio;
}
[openssl] master update
The branch master has been updated
via 2e6afe1079c6993868c5d8a813605d16980e8e10 (commit)
from 068549f8db6d792a88bb888118001c4582f79074 (commit)
- Log -
commit 2e6afe1079c6993868c5d8a813605d16980e8e10
Author: Dr. David von Oheimb
Date: Fri Nov 12 12:14:45 2021 +0100
check-format.pl: Fix report on constant on LHS of comparison or assignment
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17396)
---
Summary of changes:
util/check-format.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/check-format.pl b/util/check-format.pl
index 62471e3c68..09bd6b6270 100755
--- a/util/check-format.pl
+++ b/util/check-format.pl
@@ -858,7 +858,7 @@ while (<>) { # loop over all lines of all input files
report("single-letter name '$2'") if (m/(^|.*\W)([IO])(\W.*|$)/); #
single-letter name 'I' or 'O' # maybe re-add 'l'?
# constant on LHS of comparison or assignment, e.g., NULL != x or 'a' < c,
but not a + 1 == b
-report("constant on LHS of '$2'")
+report("constant on LHS of '$3'")
if
(m/(['"]|([\+\-\*\/\/%\&\|\^<>]\s*)?\W[0-9]+L?|NULL)\s*([\!<>=]=|[<=>][^<>])/
&& $2 eq "");
# TODO report #if 0 and #if 1
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 46ee414f64a846a6a7606b1fba47a084dea172eb (commit)
from d65b3db98022257cbf83d7d164bc0a8a9b92c101 (commit)
- Log -
commit 46ee414f64a846a6a7606b1fba47a084dea172eb
Author: Dr. David von Oheimb
Date: Fri Nov 26 16:46:13 2021 +0100
HTTP client: Work around HTTPS proxy use bug due to callback design flaw
See discussion in #17088, where the real solution was postponed to 4.0.
This preliminarily fixes the issue that the HTTP(S) proxy environment vars
were neglected when determining whether a proxy should be used for HTTPS.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17310)
(cherry picked from commit 068549f8db6d792a88bb888118001c4582f79074)
---
Summary of changes:
apps/cmp.c| 5 -
apps/lib/apps.c | 14 ++
crypto/http/http_client.c | 1 +
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 985d7339a0..6f7e51e9ee 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1919,15 +1919,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
goto err;
}
}
+
if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
/* info will be freed along with CMP ctx */
info->server = opt_server;
info->port = server_port;
-info->use_proxy = opt_proxy != NULL;
+/* workaround for callback design flaw, see #17088: */
+info->use_proxy = proxy_host != NULL;
info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+
if (info->ssl_ctx == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 6a762b7668..2d3641ea8e 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2450,6 +2450,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect,
int detail)
SSL *ssl;
BIO *sbio = NULL;
+/* adapt after fixing callback design flaw, see #17088 */
if ((info->use_proxy
&& !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
@@ -2462,7 +2463,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect,
int detail)
return NULL;
}
-SSL_set_tlsext_host_name(ssl, info->server);
+/* adapt after fixing callback design flaw, see #17088 */
+SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
@@ -2525,7 +2527,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char
*proxy,
info.server = server;
info.port = port;
-info.use_proxy = proxy != NULL;
+info.use_proxy = /* workaround for callback design flaw, see #17088 */
+OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
@@ -2551,18 +2554,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const
char *port,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it)
{
+int use_ssl = ssl_ctx != NULL;
APP_HTTP_TLS_INFO info;
BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req);
ASN1_VALUE *res;
if (req_mem == NULL)
return NULL;
+
info.server = host;
info.port = port;
-info.use_proxy = proxy != NULL;
+info.use_proxy = /* workaround for callback design flaw, see #17088 */
+OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
-rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL,
+rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl,
proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
app_http_tls_cb, ,
0 /* buf_size */, headers, content_type, req_mem,
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index c80d4fe519..4e34d0d3d1 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -947,6 +947,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const
char *port,
}
/* now overall_timeout is guaranteed to be >= 0 */
+/* adapt in order to fix callback design flaw, see #17088 */
/* callback can be used to wrap or prepend TLS session */
if (bio_update_fn !=
[openssl] master update
The branch master has been updated
via 068549f8db6d792a88bb888118001c4582f79074 (commit)
from a8251a32a0dc449fc39f44a1768e091fcc077227 (commit)
- Log -
commit 068549f8db6d792a88bb888118001c4582f79074
Author: Dr. David von Oheimb
Date: Fri Nov 26 16:46:13 2021 +0100
HTTP client: Work around HTTPS proxy use bug due to callback design flaw
See discussion in #17088, where the real solution was postponed to 4.0.
This preliminarily fixes the issue that the HTTP(S) proxy environment vars
were neglected when determining whether a proxy should be used for HTTPS.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17310)
---
Summary of changes:
apps/cmp.c| 5 -
apps/lib/apps.c | 14 ++
crypto/http/http_client.c | 1 +
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 9d0b113998..5167446cde 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1926,15 +1926,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
goto err;
}
}
+
if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
/* info will be freed along with CMP ctx */
info->server = opt_server;
info->port = server_port;
-info->use_proxy = opt_proxy != NULL;
+/* workaround for callback design flaw, see #17088: */
+info->use_proxy = proxy_host != NULL;
info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+
if (info->ssl_ctx == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 034fd45c4b..328b0addb4 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2470,6 +2470,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect,
int detail)
SSL *ssl;
BIO *sbio = NULL;
+/* adapt after fixing callback design flaw, see #17088 */
if ((info->use_proxy
&& !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
@@ -2482,7 +2483,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect,
int detail)
return NULL;
}
-SSL_set_tlsext_host_name(ssl, info->server);
+/* adapt after fixing callback design flaw, see #17088 */
+SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
@@ -2545,7 +2547,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char
*proxy,
info.server = server;
info.port = port;
-info.use_proxy = proxy != NULL;
+info.use_proxy = /* workaround for callback design flaw, see #17088 */
+OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
@@ -2571,18 +2574,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const
char *port,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it)
{
+int use_ssl = ssl_ctx != NULL;
APP_HTTP_TLS_INFO info;
BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req);
ASN1_VALUE *res;
if (req_mem == NULL)
return NULL;
+
info.server = host;
info.port = port;
-info.use_proxy = proxy != NULL;
+info.use_proxy = /* workaround for callback design flaw, see #17088 */
+OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
-rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL,
+rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl,
proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
app_http_tls_cb, ,
0 /* buf_size */, headers, content_type, req_mem,
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index f786f831bf..14c2cbf2b5 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -946,6 +946,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const
char *port,
}
/* now overall_timeout is guaranteed to be >= 0 */
+/* adapt in order to fix callback design flaw, see #17088 */
/* callback can be used to wrap or prepend TLS session */
if (bio_update_fn != NULL) {
BIO *orig_bio = cbio;
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 4623700d4eaaa250b49032768be2e97a147f3a1e (commit)
from e5050aa1bbce84e359bfd35de60dd745627e8d41 (commit)
- Log -
commit 4623700d4eaaa250b49032768be2e97a147f3a1e
Author: Dr. David von Oheimb
Date: Fri Dec 3 15:18:07 2021 +0100
OBJ_obj2txt(): fix off-by-one documentation of the result
This backports the doc improvements of #17188.
Reviewed-by: Tomas Mraz
(cherry picked from commit e36d10925396b6519e1abd338e1ef62cd5b1c9e6)
---
Summary of changes:
doc/man3/OBJ_nid2obj.pod | 32
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod
index 74379ad817..81e57154f1 100644
--- a/doc/man3/OBJ_nid2obj.pod
+++ b/doc/man3/OBJ_nid2obj.pod
@@ -68,13 +68,15 @@ If I is 0 then long names and short names will be
interpreted
as well as numerical forms. If I is 1 only the numerical form
is acceptable.
-OBJ_obj2txt() converts the B B into a textual representation.
-The representation is written as a null terminated string to B
-at most B bytes are written, truncating the result if necessary.
-The total amount of space required is returned. If B is 0 then
-if the object has a long or short name then that will be used, otherwise
-the numerical form will be used. If B is 1 then the numerical
-form will always be used.
+OBJ_obj2txt() converts the B I into a textual representation.
+Unless I is NULL,
+the representation is written as a NUL-terminated string to I, where
+at most I bytes are written, truncating the result if necessary.
+In any case it returns the total string length, excluding the NUL character,
+required for non-truncated representation, or -1 on error.
+If I is 0 then if the object has a long or short name
+then that will be used, otherwise the numerical form will be used.
+If I is 1 then the numerical form will always be used.
i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I set to zero.
@@ -141,6 +143,13 @@ on error.
OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
a NID or B on error.
+OBJ_add_sigid() returns 1 on success or 0 on error.
+
+i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error.
+On success, they return the length of the string written to I if I is
+not NULL and I is big enough, otherwise the total string length.
+Note that this does not count the trailing NUL character.
+
=head1 EXAMPLES
Create an object for B:
@@ -161,15 +170,6 @@ Create a new object directly:
obj = OBJ_txt2obj("1.2.3.4", 1);
-=head1 BUGS
-
-OBJ_obj2txt() is awkward and messy to use: it doesn't follow the
-convention of other OpenSSL functions where the buffer can be set
-to B to determine the amount of data that should be written.
-Instead B must point to a valid buffer and B should
-be set to a positive value. A buffer length of 80 should be more
-than enough to handle any OID encountered in practice.
-
=head1 SEE ALSO
L
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 5135551613f134d39fe34442d08b38d5221175b9 (commit) from 5f0b3ef025e13522572c65f683ea5b649b0142b9 (commit) - Log - commit 5135551613f134d39fe34442d08b38d5221175b9 Author: Dr. David von Oheimb Date: Mon Jan 3 13:40:55 2022 +0100 Update troublesome copyright years of auto-generated files to 2022 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17398) (cherry picked from commit 0088ef48c3e7d9c68e5b3c75cb077da601d22f37) --- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h| 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- fuzz/oids.txt | 2 +- include/openssl/obj_mac.h | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index ac1eb076cc..95928ca663 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index 8a859ac02e..d92f6dfa69 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 1f66a58e09..e5321bd30d 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 5d638fb05d..59d156117a 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 21a193ee98..c08b5fc2ab 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/oids.txt b/fuzz/oids.txt index f0dbc30fc3..36c79212bb 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt @@ -1,7 +1,7 @@ # WARNING: do not edit! # Generated by fuzz/mkfuzzoids.pl # -# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 0e86027667..edbd98b152 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at
[openssl] master update
The branch master has been updated via 0088ef48c3e7d9c68e5b3c75cb077da601d22f37 (commit) from b6144bb8c1be63935ae09e1992c04fbe6e0f88a8 (commit) - Log - commit 0088ef48c3e7d9c68e5b3c75cb077da601d22f37 Author: Dr. David von Oheimb Date: Mon Jan 3 13:40:55 2022 +0100 Update troublesome copyright years of auto-generated files to 2022 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17398) --- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h| 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- fuzz/oids.txt | 2 +- include/openssl/obj_mac.h | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index ac1eb076cc..95928ca663 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index 8a859ac02e..d92f6dfa69 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 1f66a58e09..e5321bd30d 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 643646be19..3810b307d2 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 21a193ee98..c08b5fc2ab 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/oids.txt b/fuzz/oids.txt index 0f2489ac5f..2d35718ef9 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt @@ -1,7 +1,7 @@ # WARNING: do not edit! # Generated by fuzz/mkfuzzoids.pl # -# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index a9e51d7b38..fb788d43d5 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at
[openssl] master update
The branch master has been updated via b6144bb8c1be63935ae09e1992c04fbe6e0f88a8 (commit) from 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0 (commit) - Log - commit b6144bb8c1be63935ae09e1992c04fbe6e0f88a8 Author: Dr. David von Oheimb Date: Mon Dec 27 19:14:03 2021 +0100 X509V3_set_ctx(): Improve documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17358) --- Summary of changes: doc/man3/X509V3_set_ctx.pod | 27 +++ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod index 8287802e41..e86ade211d 100644 --- a/doc/man3/X509V3_set_ctx.pod +++ b/doc/man3/X509V3_set_ctx.pod @@ -16,29 +16,32 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation utilities =head1 DESCRIPTION X509V3_set_ctx() fills in the basic fields of I of type B, -providing details potentially needed by functions producing X509 v3 extensions, -e.g., to look up values for filling in authority key identifiers. -Any of I, I, or I may be provided, pointing to a certificate, -certification request, or certificate revocation list, respectively. +providing details potentially needed by functions producing X509 v3 extensions. +These may make use of fields of the certificate I, the certification +request I, or the certificate revocation list I. +At most one of these three parameters can be non-NULL. When constructing the subject key identifier of a certificate by computing a hash value of its public key, the public key is taken from I or I. Similarly, when constructing subject alternative names from any email addresses contained in a subject DN, the subject DN is taken from I or I. -If I or I is provided, I should point to its issuer, -for instance to help generating an authority key identifier extension. -Note that if I is provided, I may be the same as I, -which means that I is self-issued (or even self-signed). +If I or I is provided, I should point to its issuer, for +instance as a reference for generating the authority key identifier extension. +I may be the same pointer value as I (which usually is an +indication that the I certificate is self-issued or even self-signed). +In this case the fallback source for generating the authority key identifier +extension will be taken from any value provided using X509V3_set_issuer_pkey(). I may be 0 or contain B, which means that just the syntax of -extension definitions is to be checked without actually producing an extension, +extension definitions is to be checked without actually producing any extension, or B, which means that each X.509v3 extension added as defined in some configuration section shall replace any already existing extension with the same OID. X509V3_set_issuer_pkey() explicitly sets the issuer private key of -the certificate that has been provided in I. -This should be done for self-issued certificates (which may be self-signed -or not) to provide fallback data for the authority key identifier extension. +the subject certificate that has been provided in I. +This should be done in case the I and I arguments to +X509V3_set_ctx() have the same pointer value +to provide fallback data for the authority key identifier extension. =head1 RETURN VALUES
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 5f0b3ef025e13522572c65f683ea5b649b0142b9 (commit)
from e09648323645031c16fdd9eb3e900e2db259e0d0 (commit)
- Log -
commit 5f0b3ef025e13522572c65f683ea5b649b0142b9
Author: Dr. David von Oheimb
Date: Thu Dec 30 09:30:18 2021 +0100
ec.h: Explain use of strstr() for EVP_EC_gen() and add #include
Fixes #17362
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17380)
(cherry picked from commit 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0)
---
Summary of changes:
include/openssl/ec.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index f59b4f9288..4e65d84c45 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -20,6 +20,8 @@
# include
# include
+# include
+
# ifdef __cplusplus
extern "C" {
# endif
@@ -1548,6 +1550,7 @@ OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_verify
# define EVP_EC_gen(curve) \
EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)(strstr(curve, "")))
+/* strstr is used to enable type checking for the variadic string arg */
# define ECParameters_dup(x) ASN1_dup_of(EC_KEY, i2d_ECParameters, \
d2i_ECParameters, x)
[openssl] master update
The branch master has been updated
via 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0 (commit)
from 352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe (commit)
- Log -
commit 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0
Author: Dr. David von Oheimb
Date: Thu Dec 30 09:30:18 2021 +0100
ec.h: Explain use of strstr() for EVP_EC_gen() and add #include
Fixes #17362
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17380)
---
Summary of changes:
include/openssl/ec.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index f59b4f9288..4e65d84c45 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -20,6 +20,8 @@
# include
# include
+# include
+
# ifdef __cplusplus
extern "C" {
# endif
@@ -1548,6 +1550,7 @@ OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_verify
# define EVP_EC_gen(curve) \
EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)(strstr(curve, "")))
+/* strstr is used to enable type checking for the variadic string arg */
# define ECParameters_dup(x) ASN1_dup_of(EC_KEY, i2d_ECParameters, \
d2i_ECParameters, x)
[openssl] master update
The branch master has been updated
via ad1a1d715dcab875dafd6e792b8eb65eb84d6b9f (commit)
from 6be83cc655af819be0e3f2701c726a2550357953 (commit)
- Log -
commit ad1a1d715dcab875dafd6e792b8eb65eb84d6b9f
Author: Dr. David von Oheimb
Date: Mon Dec 6 14:18:27 2021 +0100
APPS/cmp: improve diagnostics for presence of TLS options
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16747)
---
Summary of changes:
apps/cmp.c | 44 +++-
doc/man1/openssl-cmp.pod.in | 14 --
2 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 9d6d940beb..9d0b113998 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -452,9 +452,9 @@ const OPTIONS cmp_options[] = {
"Extra certificates to provide to TLS server during TLS handshake"},
{"tls_trusted", OPT_TLS_TRUSTED, 's',
"Trusted certificates to use for verifying the TLS server certificate;"},
-{OPT_MORE_STR, 0, 0, "this implies host name validation"},
+{OPT_MORE_STR, 0, 0, "this implies hostname validation"},
{"tls_host", OPT_TLS_HOST, 's',
- "Address to be checked (rather than -server) during TLS host name
validation"},
+ "Address to be checked (rather than -server) during TLS hostname
validation"},
#endif
OPT_SECTION("Client-side debugging"),
@@ -713,12 +713,12 @@ static X509_REQ *load_csr_autofmt(const char *infile,
const char *desc)
return csr;
}
-/* set expected host name/IP addr and clears the email addr in the given ts */
+/* set expected hostname/IP addr and clears the email addr in the given ts */
static int truststore_set_host_etc(X509_STORE *ts, const char *host)
{
X509_VERIFY_PARAM *ts_vpm = X509_STORE_get0_param(ts);
-/* first clear any host names, IP, and email addresses */
+/* first clear any hostnames, IP, and email addresses */
if (!X509_VERIFY_PARAM_set1_host(ts_vpm, NULL, 0)
|| !X509_VERIFY_PARAM_set1_ip(ts_vpm, NULL, 0)
|| !X509_VERIFY_PARAM_set1_email(ts_vpm, NULL, 0))
@@ -1239,6 +1239,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const
char *host,
if (trust_store == NULL)
goto err;
SSL_CTX_set_cert_store(ssl_ctx, trust_store);
+SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+} else {
+CMP_warn("-tls_used given without -tls_trusted; will not authenticate
the TLS server");
}
if (opt_tls_cert != NULL && opt_tls_key != NULL) {
@@ -1347,13 +1350,18 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const
char *host,
goto err;
}
EVP_PKEY_free(pkey); /* we do not need the handle any more */
+} else {
+CMP_warn("-tls_used given without -tls_key; cannot authenticate to the
TLS server");
}
-if (opt_tls_trusted != NULL) {
-/* enable and parameterize server hostname/IP address check */
+if (trust_store != NULL) {
+/*
+ * Enable and parameterize server hostname/IP address check.
+ * If we did this before checking our own TLS cert
+ * the expected hostname would mislead the check.
+ */
if (!truststore_set_host_etc(trust_store,
opt_tls_host != NULL ? opt_tls_host :
host))
goto err;
-SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
}
return ssl_ctx;
err:
@@ -1801,7 +1809,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
int ret = 0;
char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path;
#ifndef OPENSSL_NO_SOCK
-int portnum, ssl;
+int portnum, use_ssl;
static char server_port[32] = { '\0' };
const char *proxy_host = NULL;
#endif
@@ -1831,13 +1839,13 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
}
goto set_path;
}
-if (!OSSL_HTTP_parse_url(opt_server, , NULL /* user */, , ,
+if (!OSSL_HTTP_parse_url(opt_server, _ssl, NULL /* user */, ,
,
, , NULL /* q */, NULL /* frag */)) {
CMP_err1("cannot parse -server URL: %s", opt_server);
goto err;
}
-if (ssl && !opt_tls_used) {
-CMP_err("missing -tls_used option since -server URL indicates https");
+if (use_ssl && !opt_tls_used) {
+CMP_err("missing -tls_used option since -server URL indicates HTTPS");
goto err;
}
@@ -1855,7 +1863,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
opt_tls_used ? "s" : "", host, port,
*used_path == '/' ? used_path + 1 : used_path);
-proxy_host = OSSL_HTTP_adapt_proxy(opt_proxy, opt_no_proxy, host, ssl);
+proxy_host =
[openssl] master update
The branch master has been updated
via 6be83cc655af819be0e3f2701c726a2550357953 (commit)
from ea24196ef224d3aa3aaecb804bb7a0a100a2 (commit)
- Log -
commit 6be83cc655af819be0e3f2701c726a2550357953
Author: Dr. David von Oheimb
Date: Wed Dec 15 20:28:34 2021 +0100
OSSL_CMP_CTX: rename get/set function for trustedStore
This makes the naming more consistent, in a backward-compatible way
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17277)
---
Summary of changes:
apps/cmp.c | 4 ++--
crypto/cmp/cmp_ctx.c| 4 ++--
doc/internal/man3/ossl_cmp_msg_check_update.pod | 2 +-
doc/man3/OSSL_CMP_CTX_new.pod | 23 ++-
doc/man3/OSSL_CMP_validate_msg.pod | 4 ++--
include/openssl/cmp.h.in| 2 ++
test/cmp_ctx_test.c | 5 +++--
test/cmp_vfy_test.c | 10 +-
util/other.syms | 2 ++
9 files changed, 37 insertions(+), 19 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 0f810129b3..9d6d940beb 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1062,7 +1062,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
X509_STORE *ts =
load_trusted(opt_srv_trusted, 0, "certs trusted by mock server");
-if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+if (ts == NULL || !OSSL_CMP_CTX_set0_trusted(ctx, ts)) {
X509_STORE_free(ts);
goto err;
}
@@ -1179,7 +1179,7 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
*/
ts = load_trusted(opt_trusted, 0, "certs trusted by client");
-if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+if (ts == NULL || !OSSL_CMP_CTX_set0_trusted(ctx, ts)) {
X509_STORE_free(ts);
return 0;
}
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 75418a60b8..207f65430c 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -35,7 +35,7 @@ TYPE *OSSL_CMP_CTX_get0_##NAME(const OSSL_CMP_CTX *ctx) \
/*
* Get current certificate store containing trusted root CA certs
*/
-DEFINE_OSSL_CMP_CTX_get0_NAME(trustedStore, trusted, X509_STORE)
+DEFINE_OSSL_CMP_CTX_get0_NAME(trusted, trusted, X509_STORE)
#define DEFINE_OSSL_set0(PREFIX, FIELD, TYPE) \
DEFINE_OSSL_set0_NAME(PREFIX, FIELD, FIELD, TYPE)
@@ -56,7 +56,7 @@ int PREFIX##_set0##_##NAME(OSSL_CMP_CTX *ctx, TYPE *val) \
* and a cert verification callback function used for CMP server
authentication.
* Any already existing store entry is freed. Given NULL, the entry is reset.
*/
-DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trustedStore, trusted, X509_STORE)
+DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trusted, trusted, X509_STORE)
/* Get current list of non-trusted intermediate certs */
DEFINE_OSSL_CMP_CTX_get0(untrusted, STACK_OF(X509))
diff --git a/doc/internal/man3/ossl_cmp_msg_check_update.pod
b/doc/internal/man3/ossl_cmp_msg_check_update.pod
index 4e7a9224af..763de8452a 100644
--- a/doc/internal/man3/ossl_cmp_msg_check_update.pod
+++ b/doc/internal/man3/ossl_cmp_msg_check_update.pod
@@ -66,7 +66,7 @@ and learns the transaction ID if none is currently present in
B.
Moreover, according to RFC 4210 section 5.3.2, if the message protection is
PBM-based then any certificates in the caPubs field are added to the list of
-trusted certificates (if set via L).
+trusted certificates (if set via L).
This way these certs are available for validating subsequent messages in the
same context and could apply to any Polling Response (pollRep), error, or PKI
Confirmation (PKIConf) messages following in the same or future transactions.
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 51ac68d1a7..d739f7f6f7 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -24,7 +24,9 @@ OSSL_CMP_CTX_set_transfer_cb_arg,
OSSL_CMP_CTX_get_transfer_cb_arg,
OSSL_CMP_CTX_set1_srvCert,
OSSL_CMP_CTX_set1_expected_sender,
+OSSL_CMP_CTX_set0_trusted,
OSSL_CMP_CTX_set0_trustedStore,
+OSSL_CMP_CTX_get0_trusted,
OSSL_CMP_CTX_get0_trustedStore,
OSSL_CMP_CTX_set1_untrusted,
OSSL_CMP_CTX_get0_untrusted,
@@ -98,7 +100,9 @@ OSSL_CMP_CTX_set1_senderNonce
int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx,
const X509_NAME *name);
+ #define OSSL_CMP_CTX_set0_trusted OSSL_CMP_CTX_set0_trustedStore
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
+ #define OSSL_CMP_CTX_get0_trusted OSSL_CMP_CTX_get0_trustedStore
X509_STORE
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via e0314df5f21dd537602d4ea8d9272a21aac66356 (commit)
from fbadef597c906711d82d8bfd9c4d5276ea981db7 (commit)
- Log -
commit e0314df5f21dd537602d4ea8d9272a21aac66356
Author: Dr. David von Oheimb
Date: Sun Nov 21 20:55:35 2021 +0100
HTTP client: Fix cleanup of TLS BIO via 'bio_update_fn' callback function
Make app_http_tls_cb() tidy up on disconnect the SSL BIO it pushes on
connect.
Make OSSL_HTTP_close() respect this.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17318)
(cherry picked from commit cdaf072f90399efb9e8e19ee4f387d1425f12274)
---
Summary of changes:
apps/lib/apps.c | 33 -
crypto/http/http_client.c | 12 +---
doc/man3/OSSL_HTTP_transfer.pod | 18 +-
3 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index e01633c5b5..6a762b7668 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2442,7 +2442,7 @@ static const char *tls_error_hint(void)
}
/* HTTP callback function that supports TLS connection also via HTTPS proxy */
-BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
@@ -2451,7 +2451,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
BIO *sbio = NULL;
if ((info->use_proxy
- && !OSSL_HTTP_proxy_connect(hbio, info->server, info->port,
+ && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
info->timeout, bio_err,
opt_getprog()))
|| (sbio = BIO_new(BIO_f_ssl())) == NULL) {
@@ -2467,18 +2467,25 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
-hbio = BIO_push(sbio, hbio);
-} else if (!connect && !detail) { /* disconnecting after error */
-const char *hint = tls_error_hint();
-
-if (hint != NULL)
-ERR_add_error_data(2, " : ", hint);
-/*
- * If we pop sbio and BIO_free() it this may lead to libssl double
free.
- * Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
- */
+bio = BIO_push(sbio, bio);
}
-return hbio;
+if (!connect) {
+const char *hint;
+BIO *cbio;
+
+if (!detail) { /* disconnecting after error */
+hint = tls_error_hint();
+if (hint != NULL)
+ERR_add_error_data(2, " : ", hint);
+}
+(void)ERR_set_mark();
+BIO_ssl_shutdown(bio);
+cbio = BIO_pop(bio); /* connect+HTTP BIO */
+BIO_free(bio); /* SSL BIO */
+(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
+bio = cbio;
+}
+return bio;
}
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 7f8d8fc8d7..c80d4fe519 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1197,11 +1197,17 @@ BIO *OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX **prctx,
int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok)
{
+BIO *wbio;
int ret = 1;
-/* callback can be used to clean up TLS session on disconnect */
-if (rctx != NULL && rctx->upd_fn != NULL)
-ret = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg, 0, ok) != NULL;
+/* callback can be used to finish TLS session and free its BIO */
+if (rctx != NULL && rctx->upd_fn != NULL) {
+wbio = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg,
+ 0 /* disconnect */, ok);
+ret = wbio != NULL;
+if (ret)
+rctx->wbio = wbio;
+}
OSSL_HTTP_REQ_CTX_free(rctx);
return ret;
}
diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod
index 7fcd71dbe0..7e823db3ea 100644
--- a/doc/man3/OSSL_HTTP_transfer.pod
+++ b/doc/man3/OSSL_HTTP_transfer.pod
@@ -113,17 +113,25 @@ or NULL to indicate failure, in which case it should not
modify the BIO.
Here is a simple example that supports TLS connections (but not via a proxy):
- BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+ BIO *http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
SSL_CTX *ctx = (SSL_CTX *)arg;
BIO *sbio = BIO_new_ssl(ctx, 1);
- hbio = sbio != NULL ? BIO_push(sbio, hbio) : NULL;
- } else if
[openssl] master update
The branch master has been updated
via cdaf072f90399efb9e8e19ee4f387d1425f12274 (commit)
from c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15 (commit)
- Log -
commit cdaf072f90399efb9e8e19ee4f387d1425f12274
Author: Dr. David von Oheimb
Date: Sun Nov 21 20:55:35 2021 +0100
HTTP client: Fix cleanup of TLS BIO via 'bio_update_fn' callback function
Make app_http_tls_cb() tidy up on disconnect the SSL BIO it pushes on
connect.
Make OSSL_HTTP_close() respect this.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17318)
---
Summary of changes:
apps/lib/apps.c | 33 -
crypto/http/http_client.c | 12 +---
doc/man3/OSSL_HTTP_transfer.pod | 18 +-
3 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 88c4f7b97a..034fd45c4b 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2462,7 +2462,7 @@ static const char *tls_error_hint(void)
}
/* HTTP callback function that supports TLS connection also via HTTPS proxy */
-BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
@@ -2471,7 +2471,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
BIO *sbio = NULL;
if ((info->use_proxy
- && !OSSL_HTTP_proxy_connect(hbio, info->server, info->port,
+ && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
info->timeout, bio_err,
opt_getprog()))
|| (sbio = BIO_new(BIO_f_ssl())) == NULL) {
@@ -2487,18 +2487,25 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
-hbio = BIO_push(sbio, hbio);
-} else if (!connect && !detail) { /* disconnecting after error */
-const char *hint = tls_error_hint();
-
-if (hint != NULL)
-ERR_add_error_data(2, " : ", hint);
-/*
- * If we pop sbio and BIO_free() it this may lead to libssl double
free.
- * Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
- */
+bio = BIO_push(sbio, bio);
}
-return hbio;
+if (!connect) {
+const char *hint;
+BIO *cbio;
+
+if (!detail) { /* disconnecting after error */
+hint = tls_error_hint();
+if (hint != NULL)
+ERR_add_error_data(2, " : ", hint);
+}
+(void)ERR_set_mark();
+BIO_ssl_shutdown(bio);
+cbio = BIO_pop(bio); /* connect+HTTP BIO */
+BIO_free(bio); /* SSL BIO */
+(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
+bio = cbio;
+}
+return bio;
}
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index ef0114240b..f786f831bf 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1196,11 +1196,17 @@ BIO *OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX **prctx,
int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok)
{
+BIO *wbio;
int ret = 1;
-/* callback can be used to clean up TLS session on disconnect */
-if (rctx != NULL && rctx->upd_fn != NULL)
-ret = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg, 0, ok) != NULL;
+/* callback can be used to finish TLS session and free its BIO */
+if (rctx != NULL && rctx->upd_fn != NULL) {
+wbio = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg,
+ 0 /* disconnect */, ok);
+ret = wbio != NULL;
+if (ret)
+rctx->wbio = wbio;
+}
OSSL_HTTP_REQ_CTX_free(rctx);
return ret;
}
diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod
index 7fcd71dbe0..7e823db3ea 100644
--- a/doc/man3/OSSL_HTTP_transfer.pod
+++ b/doc/man3/OSSL_HTTP_transfer.pod
@@ -113,17 +113,25 @@ or NULL to indicate failure, in which case it should not
modify the BIO.
Here is a simple example that supports TLS connections (but not via a proxy):
- BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+ BIO *http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
SSL_CTX *ctx = (SSL_CTX *)arg;
BIO *sbio = BIO_new_ssl(ctx, 1);
- hbio = sbio != NULL ? BIO_push(sbio, hbio) : NULL;
- } else if (!connect && !detail) { /* disconnecting after error */
- /* optionally add
[openssl] master update
The branch master has been updated
via 606c79e29bbc26c27c3b85cc52fe7d72051184de (commit)
from a497a90213b50c499f2a385e63e1fa6e13ef283a (commit)
- Log -
commit 606c79e29bbc26c27c3b85cc52fe7d72051184de
Author: Dr. David von Oheimb
Date: Thu Nov 18 20:43:06 2021 +0100
HTTP client: Work around the 'gets' method not being supported by SSL BIOs
It turned out that loading non-ASN.1 contents using the HTTP client
fails over TLS because SSL BIOs do not support the gets method.
This PR provides a workaround by using the less efficient BIO_get_line()
function
in case BIO_gets() returns -2, which means that it is not supported by the
BIO.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17317)
---
Summary of changes:
crypto/http/http_client.c | 23 ---
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index b4d42f2eb0..ef0114240b 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -488,7 +488,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
long n;
size_t resp_len;
const unsigned char *p;
-char *key, *value, *line_end = NULL;
+char *buf, *key, *value, *line_end = NULL;
if (rctx == NULL) {
ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER);
@@ -501,11 +501,20 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
rctx->redirection_url = NULL;
next_io:
+buf = (char *)rctx->buf;
if ((rctx->state & OHS_NOREAD) == 0) {
-if (rctx->expect_asn1)
+if (rctx->expect_asn1) {
n = BIO_read(rctx->rbio, rctx->buf, rctx->buf_size);
-else
-n = BIO_gets(rctx->rbio, (char *)rctx->buf, rctx->buf_size);
+} else {
+(void)ERR_set_mark();
+n = BIO_gets(rctx->rbio, buf, rctx->buf_size);
+if (n == -2) { /* some BIOs, such as SSL, do not support "gets" */
+(void)ERR_pop_to_mark();
+n = BIO_get_line(rctx->rbio, buf, rctx->buf_size);
+} else {
+(void)ERR_clear_last_mark();
+}
+}
if (n <= 0) {
if (BIO_should_retry(rctx->rbio))
return -1;
@@ -606,7 +615,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
}
goto next_io;
}
-n = BIO_gets(rctx->mem, (char *)rctx->buf, rctx->buf_size);
+n = BIO_gets(rctx->mem, buf, rctx->buf_size);
if (n <= 0) {
if (BIO_should_retry(rctx->mem))
@@ -624,7 +633,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
/* First line */
if (rctx->state == OHS_FIRSTLINE) {
-switch (parse_http_line1((char *)rctx->buf, _keep_alive)) {
+switch (parse_http_line1(buf, _keep_alive)) {
case HTTP_STATUS_CODE_OK:
rctx->state = OHS_HEADERS;
goto next_line;
@@ -642,7 +651,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
goto next_line;
}
}
-key = (char *)rctx->buf;
+key = buf;
value = strchr(key, ':');
if (value != NULL) {
*(value++) = '\0';
[openssl] master update
The branch master has been updated
via a497a90213b50c499f2a385e63e1fa6e13ef283a (commit)
from 79b2a2f2eedb9d6b24a3f6748332328cf54568fb (commit)
- Log -
commit a497a90213b50c499f2a385e63e1fa6e13ef283a
Author: Dr. David von Oheimb
Date: Sat Dec 18 16:48:31 2021 +0100
http_test.c: Simplify constant init of 'server_args' struct for gcc-4.8.x
Reviewed-by: Ben Kaduk
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17308)
---
Summary of changes:
test/http_test.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/http_test.c b/test/http_test.c
index d684c5eb18..49e770cd88 100644
--- a/test/http_test.c
+++ b/test/http_test.c
@@ -208,13 +208,14 @@ static int test_http_keep_alive(char version, int
keep_alive, int kept_alive)
BIO *rbio = BIO_new(BIO_s_mem());
BIO *rsp;
const char *const content_type = "application/x-x509-ca-cert";
-server_args mock_args = { NULL, content_type, NULL, '0', 0 };
+server_args mock_args = { NULL, NULL, NULL, '0', 0 };
OSSL_HTTP_REQ_CTX *rctx = NULL;
int i, res = 0;
if (wbio == NULL || rbio == NULL)
goto err;
mock_args.out = rbio;
+mock_args.content_type = content_type;
mock_args.version = version;
mock_args.keep_alive = kept_alive;
BIO_set_callback_ex(wbio, http_bio_cb_ex);
[openssl] master update
The branch master has been updated
via 79b2a2f2eedb9d6b24a3f6748332328cf54568fb (commit)
from 0d4c52320d245be80bd69346fdda4b12b4961eae (commit)
- Log -
commit 79b2a2f2eedb9d6b24a3f6748332328cf54568fb
Author: Dr. David von Oheimb
Date: Sat Dec 18 16:15:49 2021 +0100
add OSSL_STACK_OF_X509_free() for commonly used pattern
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17307)
---
Summary of changes:
apps/ca.c | 2 +-
apps/cmp.c| 8
apps/cms.c| 6 +++---
apps/lib/apps.c | 12 ++--
apps/lib/cmp_mock_srv.c | 12 ++--
apps/lib/s_cb.c | 2 +-
apps/ocsp.c | 8
apps/pkcs12.c | 6 +++---
apps/s_client.c | 2 +-
apps/s_server.c | 4 ++--
apps/smime.c | 4 ++--
apps/verify.c | 6 +++---
crypto/cmp/cmp_client.c | 2 +-
crypto/cmp/cmp_ctx.c | 21 +
crypto/cmp/cmp_server.c | 4 ++--
crypto/cmp/cmp_vfy.c | 2 +-
crypto/cms/cms_lib.c | 2 +-
crypto/cms/cms_smime.c| 4 ++--
crypto/ocsp/ocsp_vfy.c| 2 +-
crypto/pkcs12/p12_kiss.c | 2 +-
crypto/store/store_result.c | 2 +-
crypto/ts/ts_conf.c | 4 ++--
crypto/ts/ts_rsp_sign.c | 4 ++--
crypto/ts/ts_rsp_verify.c | 2 +-
crypto/ts/ts_verify_ctx.c | 2 +-
crypto/x509/t_x509.c | 7 ++-
crypto/x509/x509_lu.c | 4 ++--
crypto/x509/x509_vfy.c| 8
demos/cms/cms_denc.c | 6 +++---
demos/cms/cms_enc.c | 6 +++---
demos/pkcs12/pkread.c | 2 +-
demos/smime/smenc.c | 6 +++---
doc/man3/X509_STORE_CTX_get_error.pod | 2 +-
doc/man3/X509_new.pod | 14 --
engines/e_loader_attic.c | 2 +-
include/openssl/x509.h.in | 1 +
ssl/s3_lib.c | 2 +-
ssl/ssl_cert.c| 12 ++--
ssl/ssl_lib.c | 6 +++---
ssl/ssl_rsa.c | 2 +-
ssl/ssl_sess.c| 2 +-
ssl/statem/statem_clnt.c | 2 +-
ssl/statem/statem_srvr.c | 4 ++--
test/cmp_client_test.c| 2 +-
test/cmp_ctx_test.c | 2 +-
test/cmp_protect_test.c | 6 +++---
test/crltest.c| 2 +-
test/danetest.c | 4 ++--
test/sslapitest.c | 2 +-
test/testutil/load.c | 2 +-
test/verify_extra_test.c | 2 +-
util/libcrypto.num| 1 +
52 files changed, 125 insertions(+), 111 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 1e77bf50c5..a9d6c5c1a6 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1325,7 +1325,7 @@ end_of_options:
BIO_free_all(Sout);
BIO_free_all(out);
BIO_free_all(in);
-sk_X509_pop_free(cert_sk, X509_free);
+OSSL_STACK_OF_X509_free(cert_sk);
cleanse(passin);
if (free_passin)
diff --git a/apps/cmp.c b/apps/cmp.c
index f994b83b18..0f810129b3 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -933,7 +933,7 @@ static int setup_certs(char *files, const char *desc, void
*ctx,
if ((certs = load_certs_multifile(files, opt_otherpass, desc, vpm)) ==
NULL)
return 0;
ok = (*set1_fn)(ctx, certs);
-sk_X509_pop_free(certs, X509_free);
+OSSL_STACK_OF_X509_free(certs);
return ok;
}
@@ -1262,7 +1262,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const
char *host,
if (!ok || !SSL_CTX_set0_chain(ssl_ctx, certs)) {
CMP_err1("unable to use client TLS certificate file '%s'",
opt_tls_cert);
-sk_X509_pop_free(certs, X509_free);
+OSSL_STACK_OF_X509_free(certs);
goto err;
}
for (i = 0; i < sk_X509_num(untrusted); i++) {
@@ -1441,7 +1441,7 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE
*engine)
ok = ok && OSSL_CMP_CTX_build_cert_chain(ctx, own_trusted, certs);
}
X509_STORE_free(own_trusted);
-sk_X509_pop_free(certs, X509_free);
+OSSL_STACK_OF_X509_free(certs);
if (!ok)
return 0;
} else if (opt_own_trusted != NULL) {
@@ -2020,7 +2020,7 @@ static int save_free_certs(OSSL_CMP_CTX *ctx,
end:
BIO_free(bio);
-sk_X509_pop_free(certs, X509_free);
+
[openssl] master update
The branch master has been updated
via 08dfbe0798f57ac9e9793fdfcaff54cfdf6b3359 (commit)
from 2437832be1d0e11e6a601c19a18d7247aff22f0e (commit)
- Log -
commit 08dfbe0798f57ac9e9793fdfcaff54cfdf6b3359
Author: Dr. David von Oheimb
Date: Wed Dec 15 08:37:49 2021 +0100
cmp_ctx.c: Remove redundancy form the defs of many getters and setters
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17284)
---
Summary of changes:
crypto/cmp/cmp_ctx.c | 429 +--
1 file changed, 141 insertions(+), 288 deletions(-)
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index f514ab27e0..8b53a8a237 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -20,16 +20,35 @@
#include
#include
+#define DEFINE_OSSL_CMP_CTX_get0(FIELD, TYPE) \
+DEFINE_OSSL_CMP_CTX_get0_NAME(FIELD, FIELD, TYPE)
+#define DEFINE_OSSL_CMP_CTX_get0_NAME(NAME, FIELD, TYPE) \
+TYPE *OSSL_CMP_CTX_get0_##NAME(const OSSL_CMP_CTX *ctx) \
+{ \
+if (ctx == NULL) { \
+ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+return NULL; \
+} \
+return ctx->FIELD; \
+}
+
/*
* Get current certificate store containing trusted root CA certs
*/
-X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
-{
-if (ctx == NULL) {
-ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-return NULL;
-}
-return ctx->trusted;
+DEFINE_OSSL_CMP_CTX_get0_NAME(trustedStore, trusted, X509_STORE)
+
+#define DEFINE_OSSL_set0(PREFIX, FIELD, TYPE) \
+DEFINE_OSSL_set0_NAME(PREFIX, FIELD, FIELD, TYPE)
+#define DEFINE_OSSL_set0_NAME(PREFIX, NAME, FIELD, TYPE) \
+int PREFIX##_set0##_##NAME(OSSL_CMP_CTX *ctx, TYPE *val) \
+{ \
+if (ctx == NULL) { \
+ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+return 0; \
+} \
+TYPE##_free(ctx->FIELD); \
+ctx->FIELD = val; \
+return 1; \
}
/*
@@ -37,26 +56,13 @@ X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const
OSSL_CMP_CTX *ctx)
* and a cert verification callback function used for CMP server
authentication.
* Any already existing store entry is freed. Given NULL, the entry is reset.
*/
-int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
-{
-if (ctx == NULL) {
-ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-return 0;
-}
-X509_STORE_free(ctx->trusted);
-ctx->trusted = store;
-return 1;
-}
+DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trustedStore, trusted, X509_STORE)
/* Get current list of non-trusted intermediate certs */
-STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
-{
-if (ctx == NULL) {
-ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-return NULL;
-}
-return ctx->untrusted;
-}
+DEFINE_OSSL_CMP_CTX_get0(untrusted, STACK_OF(X509))
+
+#define X509_STACK_free(certs) \
+sk_X509_pop_free(certs, X509_free)
/*
* Set untrusted certificates for path construction in authentication of
@@ -73,11 +79,11 @@ int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *certs)
if (!ossl_x509_add_certs_new(, certs,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
goto err;
-sk_X509_pop_free(ctx->untrusted, X509_free);
+X509_STACK_free(ctx->untrusted);
ctx->untrusted = untrusted;
return 1;
err:
-sk_X509_pop_free(untrusted, X509_free);
+X509_STACK_free(untrusted);
return 0;
}
@@ -169,6 +175,13 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
}
+#define OSSL_CMP_ITAVs_free(itavs) \
+sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+#define X509_EXTENSIONS_free(exts) \
+sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
+#define OSSL_CMP_PKIFREETEXT_free(text) \
+sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
+
/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
{
@@ -189,10 +202,10 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
X509_free(ctx->validatedSrvCert);
X509_NAME_free(ctx->expected_sender);
X509_STORE_free(ctx->trusted);
-sk_X509_pop_free(ctx->untrusted, X509_free);
+X509_STACK_free(ctx->untrusted);
X509_free(ctx->cert);
-sk_X509_pop_free(ctx->chain, X509_free);
+X509_STACK_free(ctx->chain);
EVP_PKEY_free(ctx->pkey);
ASN1_OCTET_STRING_free(ctx->referenceValue);
if (ctx->secretValue != NULL)
@@ -205,72 +218,65 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
ASN1_OCTET_STRING_free(ctx->transactionID);
ASN1_OCTET_STRING_free(ctx->senderNonce);
ASN1_OCTET_STRING_free(ctx->recipNonce);
-sk_OSSL_CMP_ITAV_pop_free(ctx->geninfo_ITAVs, OSSL_CMP_ITAV_free);
-sk_X509_pop_free(ctx->extraCertsOut,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via bfbeb31d6d0dfed4029c91a416857e5e0f35fa93 (commit)
from b11183f68658cf625a3befd6d245923d588638f5 (commit)
- Log -
commit bfbeb31d6d0dfed4029c91a416857e5e0f35fa93
Author: Dr. David von Oheimb
Date: Tue Dec 7 19:07:43 2021 +0100
APPS/cmp: Fix logic and doc of mutually exclusive
-server/-use_mock_srv/-port/-rspin options
Ignore -server with -rspin and exclude all of -use_mock_srv/-port/-rspin.
On the other hand, -server is required if no -use_mock_srv/-port/-rspin is
given.
Ignore -tls_used with -use_mock_srv and -rspin; it is not supported with
-port.
If -server is not given, ignore -proxy, -no_proxy, and -tls_used.
Also slightly improve the documentation of the two mock server variants.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17254)
(cherry picked from commit a56bb5d64e7599140117f935eeeb34ba94c83aea)
---
Summary of changes:
apps/cmp.c | 138 +---
doc/man1/openssl-cmp.pod.in | 22 +--
2 files changed, 96 insertions(+), 64 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 01a437fe48..985d7339a0 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -161,7 +161,7 @@ static char *opt_rspin = NULL;
static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0;
-/* server-side debugging */
+/* mock server */
#ifndef OPENSSL_NO_SOCK
static char *opt_port = NULL;
static int opt_max_msgs = 0;
@@ -287,7 +287,7 @@ const OPTIONS cmp_options[] = {
{"subject", OPT_SUBJECT, 's',
"Distinguished Name (DN) of subject to use in the requested cert
template"},
{OPT_MORE_STR, 0, 0,
- "For kur, default is subject of -csr arg or else of reference cert (see
-oldcert)"},
+ "For kur, default is subject of -csr arg or reference cert (see
-oldcert)"},
{OPT_MORE_STR, 0, 0,
"this default is used for ir and cr only if no Subject Alt Names are
set"},
{"issuer", OPT_ISSUER, 's',
@@ -336,7 +336,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0,
"also used as reference (defaulting to -cert) for subject DN and SANs."},
{OPT_MORE_STR, 0, 0,
- "Its issuer is used as recipient unless -recipient, -srvcert, or -issuer
given"},
+ "Issuer is used as recipient unless -recipient, -srvcert, or -issuer
given"},
{"revreason", OPT_REVREASON, 'n',
"Reason code to include in revocation request (rr); possible values:"},
{OPT_MORE_STR, 0, 0,
@@ -470,14 +470,16 @@ const OPTIONS cmp_options[] = {
"Process sequence of CMP responses provided in file(s), skipping server"},
{"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"},
-{"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level,
bypassing HTTP"},
+{"use_mock_srv", OPT_USE_MOCK_SRV, '-',
+ "Use internal mock server at API level, bypassing socket-based HTTP"},
OPT_SECTION("Mock server"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -port and -max_msgs not supported due to no-sock build"},
#else
-{"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"},
+{"port", OPT_PORT, 's',
+ "Act as HTTP-based mock server listening on given port"},
{"max_msgs", OPT_MAX_MSGS, 'N',
"max number of messages handled by HTTP mock server. Default: 0 =
unlimited"},
#endif
@@ -1000,7 +1002,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
if (opt_srv_ref == NULL) {
if (opt_srv_cert == NULL) {
/* opt_srv_cert should determine the sender */
-CMP_err("must give -srv_ref for server if no -srv_cert given");
+CMP_err("must give -srv_ref for mock server if no -srv_cert
given");
goto err;
}
} else {
@@ -1011,7 +1013,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
if (opt_srv_secret != NULL) {
int res;
-char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of server");
+char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of mock
server");
if (pass_str != NULL) {
cleanse(opt_srv_secret);
@@ -1022,10 +1024,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
goto err;
}
} else if (opt_srv_cert == NULL) {
-CMP_err("server credentials must be given if -use_mock_srv or -port is
used");
+CMP_err("mock server credentials must be given if -use_mock_srv or
-port is used");
goto err;
} else {
-CMP_warn("server will not be able to handle PBM-protected requests
since -srv_secret is not given");
+CMP_warn("mock server will not be able to handle PBM-protected
requests since -srv_secret is not given");
}
if (opt_srv_secret ==
[openssl] master update
The branch master has been updated
via a56bb5d64e7599140117f935eeeb34ba94c83aea (commit)
from 1f8ca9e3d3fa674da4ab6694cef2f266e6ab0f20 (commit)
- Log -
commit a56bb5d64e7599140117f935eeeb34ba94c83aea
Author: Dr. David von Oheimb
Date: Tue Dec 7 19:07:43 2021 +0100
APPS/cmp: Fix logic and doc of mutually exclusive
-server/-use_mock_srv/-port/-rspin options
Ignore -server with -rspin and exclude all of -use_mock_srv/-port/-rspin.
On the other hand, -server is required if no -use_mock_srv/-port/-rspin is
given.
Ignore -tls_used with -use_mock_srv and -rspin; it is not supported with
-port.
If -server is not given, ignore -proxy, -no_proxy, and -tls_used.
Also slightly improve the documentation of the two mock server variants.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17254)
---
Summary of changes:
apps/cmp.c | 138 +---
doc/man1/openssl-cmp.pod.in | 22 +--
2 files changed, 96 insertions(+), 64 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index d6ab2a249b..f994b83b18 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -161,7 +161,7 @@ static char *opt_rspin = NULL;
static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0;
-/* server-side debugging */
+/* mock server */
#ifndef OPENSSL_NO_SOCK
static char *opt_port = NULL;
static int opt_max_msgs = 0;
@@ -287,7 +287,7 @@ const OPTIONS cmp_options[] = {
{"subject", OPT_SUBJECT, 's',
"Distinguished Name (DN) of subject to use in the requested cert
template"},
{OPT_MORE_STR, 0, 0,
- "For kur, default is subject of -csr arg or else of reference cert (see
-oldcert)"},
+ "For kur, default is subject of -csr arg or reference cert (see
-oldcert)"},
{OPT_MORE_STR, 0, 0,
"this default is used for ir and cr only if no Subject Alt Names are
set"},
{"issuer", OPT_ISSUER, 's',
@@ -336,7 +336,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0,
"also used as reference (defaulting to -cert) for subject DN and SANs."},
{OPT_MORE_STR, 0, 0,
- "Its issuer is used as recipient unless -recipient, -srvcert, or -issuer
given"},
+ "Issuer is used as recipient unless -recipient, -srvcert, or -issuer
given"},
{"revreason", OPT_REVREASON, 'n',
"Reason code to include in revocation request (rr); possible values:"},
{OPT_MORE_STR, 0, 0,
@@ -470,14 +470,16 @@ const OPTIONS cmp_options[] = {
"Process sequence of CMP responses provided in file(s), skipping server"},
{"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"},
-{"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level,
bypassing HTTP"},
+{"use_mock_srv", OPT_USE_MOCK_SRV, '-',
+ "Use internal mock server at API level, bypassing socket-based HTTP"},
OPT_SECTION("Mock server"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -port and -max_msgs not supported due to no-sock build"},
#else
-{"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"},
+{"port", OPT_PORT, 's',
+ "Act as HTTP-based mock server listening on given port"},
{"max_msgs", OPT_MAX_MSGS, 'N',
"max number of messages handled by HTTP mock server. Default: 0 =
unlimited"},
#endif
@@ -1000,7 +1002,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
if (opt_srv_ref == NULL) {
if (opt_srv_cert == NULL) {
/* opt_srv_cert should determine the sender */
-CMP_err("must give -srv_ref for server if no -srv_cert given");
+CMP_err("must give -srv_ref for mock server if no -srv_cert
given");
goto err;
}
} else {
@@ -1011,7 +1013,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
if (opt_srv_secret != NULL) {
int res;
-char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of server");
+char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of mock
server");
if (pass_str != NULL) {
cleanse(opt_srv_secret);
@@ -1022,10 +1024,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
goto err;
}
} else if (opt_srv_cert == NULL) {
-CMP_err("server credentials must be given if -use_mock_srv or -port is
used");
+CMP_err("mock server credentials must be given if -use_mock_srv or
-port is used");
goto err;
} else {
-CMP_warn("server will not be able to handle PBM-protected requests
since -srv_secret is not given");
+CMP_warn("mock server will not be able to handle PBM-protected
requests since -srv_secret is not given");
}
if (opt_srv_secret == NULL
@@ -1035,7 +1037,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
[openssl] master update
The branch master has been updated
via 2490d10d5cca0163cad8045857248b175bdf83e7 (commit)
from 858d5ac16d256db24f78b8c84e723b7d34c8b1ea (commit)
- Log -
commit 2490d10d5cca0163cad8045857248b175bdf83e7
Author: Dr. David von Oheimb
Date: Sun Nov 21 11:51:09 2021 +0100
OSSL_HTTP_proxy_connect(): Fix glitch in response HTTP header parsing
Fixes #17247
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17250)
---
Summary of changes:
crypto/http/http_client.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index a85bfcec42..b4d42f2eb0 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1317,7 +1317,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server,
const char *port,
/* Check for HTTP/1.x */
mbufp = mbuf;
-if (!HAS_PREFIX(mbufp, HTTP_PREFIX)) {
+if (!CHECK_AND_SKIP_PREFIX(mbufp, HTTP_PREFIX)) {
ERR_raise(ERR_LIB_HTTP, HTTP_R_HEADER_PARSE_ERROR);
BIO_printf(bio_err, "%s: HTTP CONNECT failed, non-HTTP response\n",
prog);
@@ -1335,6 +1335,8 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server,
const char *port,
/* RFC 7231 4.3.6: any 2xx status code is valid */
if (!HAS_PREFIX(mbufp, " 2")) {
+if (ossl_isspace(*mbufp))
+mbufp++;
/* chop any trailing whitespace */
while (read_len > 0 && ossl_isspace(mbuf[read_len - 1]))
read_len--;
[openssl] master update
The branch master has been updated via 20b0579cbfd1986d00ad8eb2167bc865519f23cd (commit) via 22dd3f8b273b18fc20f0650b5a19166eda1950ee (commit) via 7e5be5c3267dc90a77d243d900448c3a62c0b1c9 (commit) from edc8566f475d63278d5f85cd25f324cf2fe9aaf9 (commit) - Log - commit 20b0579cbfd1986d00ad8eb2167bc865519f23cd Author: Dr. David von Oheimb Date: Thu Dec 9 20:28:08 2021 +0100 CMP test_commands.csv: improve test for -reqin, adding -reqin_new_tid Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17252) commit 22dd3f8b273b18fc20f0650b5a19166eda1950ee Author: Dr. David von Oheimb Date: Thu Dec 9 20:25:19 2021 +0100 CMP test_verification.csv: add missing test case for -untrusted with non-matching cert Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17252) commit 7e5be5c3267dc90a77d243d900448c3a62c0b1c9 Author: Dr. David von Oheimb Date: Thu Dec 9 12:40:08 2021 +0100 CMP test_enrollment.csv: clean up test cases regarding (non-existing) directories Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17252) --- Summary of changes: test/recipes/80-test_cmp_http_data/test_commands.csv | 4 ++-- test/recipes/80-test_cmp_http_data/test_enrollment.csv | 8 test/recipes/80-test_cmp_http_data/test_verification.csv | 1 + 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index ce12de4a8b..0a9ad1a5f5 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -1,4 +1,4 @@ -expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infotype,val,, -oldcert,val, -revreason,int, -geninfo,val +expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infotype,val,, -oldcert,val, -revreason,int, -geninfo,val,-reqin_new_tid ,Generic,message options:Misc,request options:,, , 1,minimum options, -section,, -cmd,ir,,BLANK,,,BLANK,,,BLANK,,BLANK, @@ -55,5 +55,5 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 0,geninfo bad syntax: missing ':int', -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3 ,,, 1,reqout+rspout, -section,, -cmd,ir,,-reqout,_RESULT_DIR/req1.der _RESULT_DIR/req2.der,,-rspout,_RESULT_DIR/rsp1.der _RESULT_DIR/rsp2.der,,BLANK,,BLANK, -1,reqin, -section,, -cmd,ir,,-reqin,_RESULT_DIR/req1.der _RESULT_DIR/req2.der,,BLANK,,,BLANK,,BLANK, +1,reqin, -section,, -cmd,ir,,-reqin,_RESULT_DIR/req1.der _RESULT_DIR/req2.der,,BLANK,,,BLANK,,BLANK,-reqin_new_tid 1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/rsp1.der _RESULT_DIR/rsp2.der,,BLANK,,BLANK, diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv index 358521de28..53bb162b9e 100644 --- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv +++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv @@ -3,7 +3,7 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val, , 1,newkey, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_newkey.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, 0,newkey missing arg, -section,, -cmd,ir, -newkey,,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_newkey1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, -0,newkey is directory, -section,, -cmd,ir, -newkey,dir/,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_newkey2.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, +0,newkey is non-existing directory and file, -section,, -cmd,ir, -newkey,idontexist/idontexist,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_newkey2.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, 0,newkey too many parameters, -section,, -cmd,ir, -newkey,abc,def, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_newkey3.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, 0,newkey is an RSA key, -section,, -cmd,ir, -newkey,test.RSA2048.pem,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_newkey4.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
[openssl] master update
The branch master has been updated
via 61fa00a4d03f6808389bc1847937f72d184f0627 (commit)
via e46997111af3a11632df411b01d62fd39cc3faaf (commit)
from 20b0579cbfd1986d00ad8eb2167bc865519f23cd (commit)
- Log -
commit 61fa00a4d03f6808389bc1847937f72d184f0627
Author: Dr. David von Oheimb
Date: Tue Dec 7 18:02:19 2021 +0100
APPS/cmp: Simplify read_write_req_resp() - 'req' arg must not be NULL anyway
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17251)
commit e46997111af3a11632df411b01d62fd39cc3faaf
Author: Dr. David von Oheimb
Date: Thu Dec 9 20:52:59 2021 +0100
ossl_cmp_msg_check_update(): align recipNone check with improved
transactionID check
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17251)
---
Summary of changes:
apps/cmp.c | 3 +--
crypto/cmp/cmp_vfy.c | 52 ++--
2 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index e35626ebb2..d6ab2a249b 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -789,8 +789,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIHEADER *hdr;
const char *prev_opt_rspin = opt_rspin;
-if (req != NULL && opt_reqout != NULL
-&& !write_PKIMESSAGE(req, _reqout))
+if (opt_reqout != NULL && !write_PKIMESSAGE(req, _reqout))
goto err;
if (opt_reqin != NULL && opt_rspin == NULL) {
if ((req_new = read_PKIMESSAGE(_reqin)) == NULL)
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index cdfad0a631..bea7e506b6 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -640,6 +640,28 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const
OSSL_CMP_MSG *msg)
return 0;
}
+static int check_transactionID_or_nonce(ASN1_OCTET_STRING *expected,
+ASN1_OCTET_STRING *actual, int reason)
+{
+if (expected != NULL
+&& (actual == NULL || ASN1_OCTET_STRING_cmp(expected, actual) != 0)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+char *expected_str, *actual_str;
+
+expected_str = i2s_ASN1_OCTET_STRING(NULL, expected);
+actual_str = actual == NULL ? "(none)"
+: i2s_ASN1_OCTET_STRING(NULL, actual);
+ERR_raise_data(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED,
+ "expected = %s, actual = %s",
+ expected_str == NULL ? "?" : expected_str,
+ actual_str == NULL ? "?" : actual_str);
+OPENSSL_free(expected_str);
+OPENSSL_free(actual_str);
+return 0;
+#endif
+}
+return 1;
+}
/*-
* Check received message (i.e., response by server or request from client)
@@ -742,36 +764,14 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const
OSSL_CMP_MSG *msg,
}
/* compare received transactionID with the expected one in previous msg */
-if (ctx->transactionID != NULL
-&& (hdr->transactionID == NULL
-|| ASN1_OCTET_STRING_cmp(ctx->transactionID,
- hdr->transactionID) != 0)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-char *ctx_str, *hdr_str;
-
-ctx_str = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
-hdr_str = hdr->transactionID == NULL ? "(none)"
-: i2s_ASN1_OCTET_STRING(NULL, hdr->transactionID);
-ERR_raise_data(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED,
- "expected = %s, actual = %s",
- ctx_str == NULL ? "?" : ctx_str,
- hdr_str == NULL ? "?" : hdr_str);
-OPENSSL_free(ctx_str);
-OPENSSL_free(hdr_str);
+if (!check_transactionID_or_nonce(ctx->transactionID, hdr->transactionID,
+ CMP_R_TRANSACTIONID_UNMATCHED))
return 0;
-#endif
-}
/* compare received nonce with the one we sent */
-if (ctx->senderNonce != NULL
-&& (msg->header->recipNonce == NULL
-|| ASN1_OCTET_STRING_cmp(ctx->senderNonce,
- hdr->recipNonce) != 0)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-ERR_raise(ERR_LIB_CMP, CMP_R_RECIPNONCE_UNMATCHED);
+if (!check_transactionID_or_nonce(ctx->senderNonce, hdr->recipNonce,
+ CMP_R_RECIPNONCE_UNMATCHED))
return 0;
-#endif
-}
/*
* RFC 4210 section 5.1.1 states: the recipNonce is copied from
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via f2499f5378d92bf90fdcc16831ebf1f08069ef7a (commit)
from 907b966981a1d6f1e1fcbf0ab752e040a49f1475 (commit)
- Log -
commit f2499f5378d92bf90fdcc16831ebf1f08069ef7a
Author: Dr. David von Oheimb
Date: Tue Dec 7 07:32:12 2021 +0100
APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make
sense with no-sock
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17226)
(cherry picked from commit 83b424c3f60a4401fa3e6e41ff7f08e85ee9df94)
---
Summary of changes:
apps/cmp.c | 127 +---
doc/man1/openssl-cmp.pod.in | 12 ++---
2 files changed, 102 insertions(+), 37 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index d0f127d3ea..01a437fe48 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html
*/
+/* This app is disabled when OPENSSL_NO_CMP is defined. */
+
#include
#include
@@ -66,12 +68,13 @@ typedef enum {
} cmp_cmd_t;
/* message transfer */
+#ifndef OPENSSL_NO_SOCK
static char *opt_server = NULL;
-static char server_port[32] = { '\0' };
-static char *opt_path = NULL;
static char *opt_proxy = NULL;
static char *opt_no_proxy = NULL;
+#endif
static char *opt_recipient = NULL;
+static char *opt_path = NULL;
static int opt_keep_alive = 1;
static int opt_msg_timeout = -1;
static int opt_total_timeout = -1;
@@ -137,6 +140,7 @@ static int opt_keyform = FORMAT_UNDEF;
static char *opt_otherpass = NULL;
static char *opt_engine = NULL;
+#ifndef OPENSSL_NO_SOCK
/* TLS connection */
static int opt_tls_used = 0;
static char *opt_tls_cert = NULL;
@@ -145,6 +149,7 @@ static char *opt_tls_keypass = NULL;
static char *opt_tls_extra = NULL;
static char *opt_tls_trusted = NULL;
static char *opt_tls_host = NULL;
+#endif
/* client-side debugging */
static int opt_batch = 0;
@@ -157,9 +162,10 @@ static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0;
/* server-side debugging */
+#ifndef OPENSSL_NO_SOCK
static char *opt_port = NULL;
static int opt_max_msgs = 0;
-
+#endif
static char *opt_srv_ref = NULL;
static char *opt_srv_secret = NULL;
static char *opt_srv_cert = NULL;
@@ -204,8 +210,10 @@ typedef enum OPTION_choice {
OPT_OLDCERT, OPT_REVREASON,
-OPT_SERVER, OPT_PATH, OPT_PROXY, OPT_NO_PROXY,
-OPT_RECIPIENT,
+#ifndef OPENSSL_NO_SOCK
+OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
+#endif
+OPT_RECIPIENT, OPT_PATH,
OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT,
OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT,
@@ -225,15 +233,19 @@ typedef enum OPTION_choice {
OPT_PROV_ENUM,
OPT_R_ENUM,
+#ifndef OPENSSL_NO_SOCK
OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
OPT_TLS_KEYPASS,
OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
+#endif
OPT_BATCH, OPT_REPEAT,
OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
OPT_USE_MOCK_SRV,
+#ifndef OPENSSL_NO_SOCK
OPT_PORT, OPT_MAX_MSGS,
+#endif
OPT_SRV_REF, OPT_SRV_SECRET,
OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
@@ -331,20 +343,25 @@ const OPTIONS cmp_options[] = {
"0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
OPT_SECTION("Message transfer"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock
build"},
+#else
{"server", OPT_SERVER, 's',
"[http[s]://]address[:port][/path] of CMP server. Default port 80 or
443."},
{OPT_MORE_STR, 0, 0,
"address may be a DNS name or an IP address; path can be overridden by
-path"},
-{"path", OPT_PATH, 's',
- "HTTP path (aka CMP alias) at the CMP server. Default from -server, else
\"/\""},
{"proxy", OPT_PROXY, 's',
"[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is
ignored"},
{"no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for"},
{OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else
none"},
+#endif
{"recipient", OPT_RECIPIENT, 's',
"DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or
-cert"},
+{"path", OPT_PATH, 's',
+ "HTTP path (aka CMP alias) at the CMP server. Default from -server, else
\"/\""},
{"keep_alive", OPT_KEEP_ALIVE, 'N',
"Persistent HTTP connections. 0: no, 1 (the default): request, 2:
require"},
{"msg_timeout", OPT_MSG_TIMEOUT, 'N',
@@ -419,6 +436,10 @@ const OPTIONS cmp_options[] = {
OPT_R_OPTIONS,
OPT_SECTION("TLS connection"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -tls_used and all other TLS options not supported due to no-sock
build"},
+#else
[openssl] master update
The branch master has been updated
via 83b424c3f60a4401fa3e6e41ff7f08e85ee9df94 (commit)
from c50bf14450f3cd242f2211ca7e500191053d8050 (commit)
- Log -
commit 83b424c3f60a4401fa3e6e41ff7f08e85ee9df94
Author: Dr. David von Oheimb
Date: Tue Dec 7 07:32:12 2021 +0100
APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make
sense with no-sock
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17226)
---
Summary of changes:
apps/cmp.c | 127 +---
doc/man1/openssl-cmp.pod.in | 12 ++---
2 files changed, 102 insertions(+), 37 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 3082d7d8f6..e35626ebb2 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html
*/
+/* This app is disabled when OPENSSL_NO_CMP is defined. */
+
#include
#include
@@ -66,12 +68,13 @@ typedef enum {
} cmp_cmd_t;
/* message transfer */
+#ifndef OPENSSL_NO_SOCK
static char *opt_server = NULL;
-static char server_port[32] = { '\0' };
-static char *opt_path = NULL;
static char *opt_proxy = NULL;
static char *opt_no_proxy = NULL;
+#endif
static char *opt_recipient = NULL;
+static char *opt_path = NULL;
static int opt_keep_alive = 1;
static int opt_msg_timeout = -1;
static int opt_total_timeout = -1;
@@ -137,6 +140,7 @@ static int opt_keyform = FORMAT_UNDEF;
static char *opt_otherpass = NULL;
static char *opt_engine = NULL;
+#ifndef OPENSSL_NO_SOCK
/* TLS connection */
static int opt_tls_used = 0;
static char *opt_tls_cert = NULL;
@@ -145,6 +149,7 @@ static char *opt_tls_keypass = NULL;
static char *opt_tls_extra = NULL;
static char *opt_tls_trusted = NULL;
static char *opt_tls_host = NULL;
+#endif
/* client-side debugging */
static int opt_batch = 0;
@@ -157,9 +162,10 @@ static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0;
/* server-side debugging */
+#ifndef OPENSSL_NO_SOCK
static char *opt_port = NULL;
static int opt_max_msgs = 0;
-
+#endif
static char *opt_srv_ref = NULL;
static char *opt_srv_secret = NULL;
static char *opt_srv_cert = NULL;
@@ -204,8 +210,10 @@ typedef enum OPTION_choice {
OPT_OLDCERT, OPT_REVREASON,
-OPT_SERVER, OPT_PATH, OPT_PROXY, OPT_NO_PROXY,
-OPT_RECIPIENT,
+#ifndef OPENSSL_NO_SOCK
+OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
+#endif
+OPT_RECIPIENT, OPT_PATH,
OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT,
OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT,
@@ -225,15 +233,19 @@ typedef enum OPTION_choice {
OPT_PROV_ENUM,
OPT_R_ENUM,
+#ifndef OPENSSL_NO_SOCK
OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
OPT_TLS_KEYPASS,
OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
+#endif
OPT_BATCH, OPT_REPEAT,
OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
OPT_USE_MOCK_SRV,
+#ifndef OPENSSL_NO_SOCK
OPT_PORT, OPT_MAX_MSGS,
+#endif
OPT_SRV_REF, OPT_SRV_SECRET,
OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
@@ -331,20 +343,25 @@ const OPTIONS cmp_options[] = {
"0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
OPT_SECTION("Message transfer"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock
build"},
+#else
{"server", OPT_SERVER, 's',
"[http[s]://]address[:port][/path] of CMP server. Default port 80 or
443."},
{OPT_MORE_STR, 0, 0,
"address may be a DNS name or an IP address; path can be overridden by
-path"},
-{"path", OPT_PATH, 's',
- "HTTP path (aka CMP alias) at the CMP server. Default from -server, else
\"/\""},
{"proxy", OPT_PROXY, 's',
"[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is
ignored"},
{"no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for"},
{OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else
none"},
+#endif
{"recipient", OPT_RECIPIENT, 's',
"DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or
-cert"},
+{"path", OPT_PATH, 's',
+ "HTTP path (aka CMP alias) at the CMP server. Default from -server, else
\"/\""},
{"keep_alive", OPT_KEEP_ALIVE, 'N',
"Persistent HTTP connections. 0: no, 1 (the default): request, 2:
require"},
{"msg_timeout", OPT_MSG_TIMEOUT, 'N',
@@ -419,6 +436,10 @@ const OPTIONS cmp_options[] = {
OPT_R_OPTIONS,
OPT_SECTION("TLS connection"),
+#ifdef OPENSSL_NO_SOCK
+{OPT_MORE_STR, 0, 0,
+ "NOTE: -tls_used and all other TLS options not supported due to no-sock
build"},
+#else
{"tls_used", OPT_TLS_USED, '-',
"Enable using TLS (also when other TLS options
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 93838762b406efe3aad9c807a0fd1f48e6efe3ab (commit)
from f2f2ac88499ad58546f9c5b19ebc0b6eddf0b49f (commit)
- Log -
commit 93838762b406efe3aad9c807a0fd1f48e6efe3ab
Author: Dr. David von Oheimb
Date: Mon Nov 29 10:07:08 2021 +0100
OSSL_HTTP_get(): Fix timeout handling on redirection
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17190)
(cherry picked from commit f0d5a3b6ea1bbe4e5dac5b69d853c015db635621)
---
Summary of changes:
crypto/err/openssl.txt| 1 +
crypto/http/http_client.c | 19 ++-
crypto/http/http_err.c| 1 +
include/openssl/httperr.h | 1 +
4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 777a0de19d..6e75af9b8b 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -779,6 +779,7 @@ HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from
https to http
HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
+HTTP_R_RETRY_TIMEOUT:129:retry timeout
HTTP_R_SERVER_CANCELED_CONNECTION:127:server canceled connection
HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported
HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 23677ca12f..7f8d8fc8d7 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -464,6 +464,21 @@ static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx,
size_t len)
return 1;
}
+static int may_still_retry(time_t max_time, int *ptimeout)
+{
+time_t time_diff, now = time(NULL);
+
+if (max_time != 0) {
+if (max_time < now) {
+ERR_raise(ERR_LIB_HTTP, HTTP_R_RETRY_TIMEOUT);
+return 0;
+}
+time_diff = max_time - now;
+*ptimeout = time_diff > INT_MAX ? INT_MAX : (int)time_diff;
+}
+return 1;
+}
+
/*
* Try exchanging request and response via HTTP on (non-)blocking BIO in rctx.
* Returns 1 on success, 0 on error or redirection, -1 on BIO_should_retry.
@@ -1081,6 +1096,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy,
const char *no_proxy,
int use_ssl;
OSSL_HTTP_REQ_CTX *rctx;
BIO *resp = NULL;
+time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
if (url == NULL) {
ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER);
@@ -,7 +1127,8 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy,
const char *no_proxy,
}
OPENSSL_free(path);
if (resp == NULL && redirection_url != NULL) {
-if (redirection_ok(++n_redirs, current_url, redirection_url)) {
+if (redirection_ok(++n_redirs, current_url, redirection_url)
+&& may_still_retry(max_time, )) {
(void)BIO_reset(bio);
OPENSSL_free(current_url);
current_url = redirection_url;
diff --git a/crypto/http/http_err.c b/crypto/http/http_err.c
index b2f2cfb187..332ad926d3 100644
--- a/crypto/http/http_err.c
+++ b/crypto/http/http_err.c
@@ -55,6 +55,7 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = {
"response line too long"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_PARSE_ERROR),
"response parse error"},
+{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RETRY_TIMEOUT), "retry timeout"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_CANCELED_CONNECTION),
"server canceled connection"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SOCK_NOT_SUPPORTED),
diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h
index b639ef0051..ee08959203 100644
--- a/include/openssl/httperr.h
+++ b/include/openssl/httperr.h
@@ -44,6 +44,7 @@
# define HTTP_R_REDIRECTION_NOT_ENABLED 116
# define HTTP_R_RESPONSE_LINE_TOO_LONG113
# define HTTP_R_RESPONSE_PARSE_ERROR 104
+# define HTTP_R_RETRY_TIMEOUT 129
# define HTTP_R_SERVER_CANCELED_CONNECTION127
# define HTTP_R_SOCK_NOT_SUPPORTED122
# define HTTP_R_STATUS_CODE_UNSUPPORTED 114
[openssl] master update
The branch master has been updated
via f0d5a3b6ea1bbe4e5dac5b69d853c015db635621 (commit)
from a3ea35c2936acbe6a53b1d52d2d7addbfb6bbd5a (commit)
- Log -
commit f0d5a3b6ea1bbe4e5dac5b69d853c015db635621
Author: Dr. David von Oheimb
Date: Mon Nov 29 10:07:08 2021 +0100
OSSL_HTTP_get(): Fix timeout handling on redirection
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17190)
---
Summary of changes:
crypto/err/openssl.txt| 1 +
crypto/http/http_client.c | 19 ++-
crypto/http/http_err.c| 1 +
include/openssl/httperr.h | 1 +
4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 777a0de19d..6e75af9b8b 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -779,6 +779,7 @@ HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from
https to http
HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
+HTTP_R_RETRY_TIMEOUT:129:retry timeout
HTTP_R_SERVER_CANCELED_CONNECTION:127:server canceled connection
HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported
HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index d8e54c03a9..a85bfcec42 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -463,6 +463,21 @@ static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx,
size_t len)
return 1;
}
+static int may_still_retry(time_t max_time, int *ptimeout)
+{
+time_t time_diff, now = time(NULL);
+
+if (max_time != 0) {
+if (max_time < now) {
+ERR_raise(ERR_LIB_HTTP, HTTP_R_RETRY_TIMEOUT);
+return 0;
+}
+time_diff = max_time - now;
+*ptimeout = time_diff > INT_MAX ? INT_MAX : (int)time_diff;
+}
+return 1;
+}
+
/*
* Try exchanging request and response via HTTP on (non-)blocking BIO in rctx.
* Returns 1 on success, 0 on error or redirection, -1 on BIO_should_retry.
@@ -1071,6 +1086,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy,
const char *no_proxy,
int use_ssl;
OSSL_HTTP_REQ_CTX *rctx;
BIO *resp = NULL;
+time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
if (url == NULL) {
ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER);
@@ -1101,7 +1117,8 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy,
const char *no_proxy,
}
OPENSSL_free(path);
if (resp == NULL && redirection_url != NULL) {
-if (redirection_ok(++n_redirs, current_url, redirection_url)) {
+if (redirection_ok(++n_redirs, current_url, redirection_url)
+&& may_still_retry(max_time, )) {
(void)BIO_reset(bio);
OPENSSL_free(current_url);
current_url = redirection_url;
diff --git a/crypto/http/http_err.c b/crypto/http/http_err.c
index b2f2cfb187..332ad926d3 100644
--- a/crypto/http/http_err.c
+++ b/crypto/http/http_err.c
@@ -55,6 +55,7 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = {
"response line too long"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_PARSE_ERROR),
"response parse error"},
+{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RETRY_TIMEOUT), "retry timeout"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_CANCELED_CONNECTION),
"server canceled connection"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SOCK_NOT_SUPPORTED),
diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h
index b639ef0051..ee08959203 100644
--- a/include/openssl/httperr.h
+++ b/include/openssl/httperr.h
@@ -44,6 +44,7 @@
# define HTTP_R_REDIRECTION_NOT_ENABLED 116
# define HTTP_R_RESPONSE_LINE_TOO_LONG113
# define HTTP_R_RESPONSE_PARSE_ERROR 104
+# define HTTP_R_RETRY_TIMEOUT 129
# define HTTP_R_SERVER_CANCELED_CONNECTION127
# define HTTP_R_SOCK_NOT_SUPPORTED122
# define HTTP_R_STATUS_CODE_UNSUPPORTED 114
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 7a045a4e5ad97f7e123ea33f1f188d2f1a03974b (commit) from b1553c89285cb05a28d185423bc3df9b505db92a (commit) - Log - commit 7a045a4e5ad97f7e123ea33f1f188d2f1a03974b Author: Dr. David von Oheimb Date: Tue Dec 7 14:01:32 2021 +0100 OBJ_nid2obj.pod: Replace remaining 'B<' by 'I<' were appropriate Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17221) --- Summary of changes: doc/man3/OBJ_nid2obj.pod | 28 ++-- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod index f84d5b1eb3..7705b6c763 100644 --- a/doc/man3/OBJ_nid2obj.pod +++ b/doc/man3/OBJ_nid2obj.pod @@ -46,26 +46,26 @@ Deprecated: The ASN1 object utility functions process ASN1_OBJECT structures which are a representation of the ASN1 OBJECT IDENTIFIER (OID) type. For convenience, OIDs are usually represented in source code as numeric -identifiers, or Bs. OpenSSL has an internal table of OIDs that +identifiers, or Is. OpenSSL has an internal table of OIDs that are generated when the library is built, and their corresponding NIDs are available as defined constants. For the functions below, application code should treat all returned values -- OIDs, NIDs, or names -- as constants. -OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B to +OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID I to an ASN1_OBJECT structure, its long name and its short name respectively, or B if an error occurred. OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID -for the object B, the long name or the short name respectively +for the object I, the long name or the short name respectively or NID_undef if an error occurred. -OBJ_txt2nid() returns NID corresponding to text string . B can be +OBJ_txt2nid() returns NID corresponding to text string I. I can be a long name, a short name or the numerical representation of an object. -OBJ_txt2obj() converts the text string B into an ASN1_OBJECT structure. -If B is 0 then long names and short names will be interpreted -as well as numerical forms. If B is 1 only the numerical form +OBJ_txt2obj() converts the text string I into an ASN1_OBJECT structure. +If I is 0 then long names and short names will be interpreted +as well as numerical forms. If I is 1 only the numerical form is acceptable. OBJ_obj2txt() converts the B B into a textual representation. @@ -76,20 +76,20 @@ if the object has a long or short name then that will be used, otherwise the numerical form will be used. If B is 1 then the numerical form will always be used. -i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the B set to zero. +i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I set to zero. -OBJ_cmp() compares B to B. If the two are identical 0 is returned. +OBJ_cmp() compares I to I. If the two are identical 0 is returned. -OBJ_dup() returns a copy of B. +OBJ_dup() returns a copy of I. -OBJ_create() adds a new object to the internal table. B is the -numerical form of the object, B the short name and B the +OBJ_create() adds a new object to the internal table. I is the +numerical form of the object, I the short name and I the long name. A new NID is returned for the created object in case of success and NID_undef in case of failure. -OBJ_length() returns the size of the content octets of B. +OBJ_length() returns the size of the content octets of I. -OBJ_get0_data() returns a pointer to the content octets of B. +OBJ_get0_data() returns a pointer to the content octets of I. The returned pointer is an internal pointer which B be freed. OBJ_cleanup() releases any resources allocated by creating new objects.
[openssl] master update
The branch master has been updated
via a3ea35c2936acbe6a53b1d52d2d7addbfb6bbd5a (commit)
via 5adda344c2268eced63151a62358ffaefbdfed50 (commit)
from 7ee0954a086ee3b4e0a8c6736600e3d6362485c0 (commit)
- Log -
commit a3ea35c2936acbe6a53b1d52d2d7addbfb6bbd5a
Author: Dr. David von Oheimb
Date: Tue Dec 7 13:11:27 2021 +0100
CMP check_msg_find_cert(): improve diagnostics on transactionID mismatch
On this occasion, make use of i2s_ASN1_OCTET_STRING() wherever possible
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17224)
commit 5adda344c2268eced63151a62358ffaefbdfed50
Author: Dr. David von Oheimb
Date: Tue Dec 7 12:41:13 2021 +0100
80-test_cmp_http_data/test_commands.csv: fix minor glitch in column
alignment
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17224)
---
Summary of changes:
crypto/cmp/cmp_hdr.c | 3 +--
crypto/cmp/cmp_server.c | 4 +---
crypto/cmp/cmp_vfy.c | 19 ++-
crypto/x509/v3_akid.c| 4 ++--
test/recipes/80-test_cmp_http_data/test_commands.csv | 2 +-
5 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c
index 8c553af61a..e970e6cbd7 100644
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -276,8 +276,7 @@ int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIHEADER *hdr)
if (!set_random(>transactionID, ctx,
OSSL_CMP_TRANSACTIONID_LENGTH))
return 0;
-tid = OPENSSL_buf2hexstr(ctx->transactionID->data,
- ctx->transactionID->length);
+tid = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
if (tid != NULL)
ossl_cmp_log1(DEBUG, ctx,
"Starting new transaction with ID=%s", tid);
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 7ce4662aee..c32737d0e3 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -481,10 +481,8 @@ OSSL_CMP_MSG
*OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
case OSSL_CMP_PKIBODY_GENM:
case OSSL_CMP_PKIBODY_ERROR:
if (ctx->transactionID != NULL) {
-char *tid;
+char *tid = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
-tid = OPENSSL_buf2hexstr(ctx->transactionID->data,
- ctx->transactionID->length);
if (tid != NULL)
ossl_cmp_log1(WARN, ctx,
"Assuming that last transaction with ID=%s got
aborted",
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index b9d6fc2bdd..d3d9cca0d4 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -186,7 +186,7 @@ static int check_kid(const OSSL_CMP_CTX *ctx,
ossl_cmp_warn(ctx, "missing Subject Key Identifier in certificate");
return 0;
}
-str = OPENSSL_buf2hexstr(ckid->data, ckid->length);
+str = i2s_ASN1_OCTET_STRING(NULL, ckid);
if (ASN1_OCTET_STRING_cmp(ckid, skid) == 0) {
if (str != NULL)
ossl_cmp_log1(INFO, ctx, " subjectKID matches senderKID: %s", str);
@@ -197,7 +197,7 @@ static int check_kid(const OSSL_CMP_CTX *ctx,
if (str != NULL)
ossl_cmp_log1(INFO, ctx, " cert Subject Key Identifier = %s", str);
OPENSSL_free(str);
-if ((str = OPENSSL_buf2hexstr(skid->data, skid->length)) != NULL)
+if ((str = i2s_ASN1_OCTET_STRING(NULL, skid)) != NULL)
ossl_cmp_log1(INFO, ctx, " does not match senderKID= %s", str);
OPENSSL_free(str);
return 0;
@@ -500,8 +500,7 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const
OSSL_CMP_MSG *msg)
(void)ERR_clear_last_mark();
sname = X509_NAME_oneline(sender->d.directoryName, NULL, 0);
-skid_str = skid == NULL ? NULL
-: OPENSSL_buf2hexstr(skid->data, skid->length);
+skid_str = skid == NULL ? NULL : i2s_ASN1_OCTET_STRING(NULL, skid);
if (ctx->log_cb != NULL) {
ossl_cmp_info(ctx, "trying to verify msg signature with a valid cert
that..");
if (sname != NULL)
@@ -747,7 +746,17 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const
OSSL_CMP_MSG *msg,
|| ASN1_OCTET_STRING_cmp(ctx->transactionID,
hdr->transactionID) != 0)) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-ERR_raise(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED);
+char *ctx_str, *hdr_str;
+
+ctx_str = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
+hdr_str = hdr->transactionID == NULL ? "(none)"
+: i2s_ASN1_OCTET_STRING(NULL,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via f2f2ac88499ad58546f9c5b19ebc0b6eddf0b49f (commit)
from 4ed2db591a42fb99401f9b0ff17f6644797ae743 (commit)
- Log -
commit f2f2ac88499ad58546f9c5b19ebc0b6eddf0b49f
Author: Dr. David von Oheimb
Date: Tue Dec 7 11:35:42 2021 +0100
APPS/cmp: fix -rspin option such that it works again without -reqin
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17222)
(cherry picked from commit 7ee0954a086ee3b4e0a8c6736600e3d6362485c0)
---
Summary of changes:
apps/cmp.c | 3 ++-
test/recipes/80-test_cmp_http_data/test_commands.csv | 4
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 119419c5ef..d0f127d3ea 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -753,6 +753,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
OSSL_CMP_MSG *req_new = NULL;
OSSL_CMP_MSG *res = NULL;
OSSL_CMP_PKIHEADER *hdr;
+const char *prev_opt_rspin = opt_rspin;
if (req != NULL && opt_reqout != NULL
&& !write_PKIMESSAGE(req, _reqout))
@@ -782,7 +783,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
if (res == NULL)
goto err;
-if (opt_reqin != NULL || opt_rspin != NULL) {
+if (opt_reqin != NULL || prev_opt_rspin != NULL) {
/* need to satisfy nonce and transactionID checks */
ASN1_OCTET_STRING *nonce;
ASN1_OCTET_STRING *tid;
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv
b/test/recipes/80-test_cmp_http_data/test_commands.csv
index 0bfa6c..7395b42791 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -53,3 +53,7 @@ expected,description, -section,val, -cmd,val,val2,
-cacertsout,val,val2, -infoty
0,geninfo bad syntax: missing ':', -section,, -cmd,cr,, -cert,signer.crt,
-key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3:int987
0,geninfo bad syntax: double ':', -section,, -cmd,cr,, -cert,signer.crt,
-key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3:int::987
0,geninfo bad syntax: missing ':int', -section,, -cmd,cr,, -cert,signer.crt,
-key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3
+,,,
+1,reqout+rspout, -section,, -cmd,ir,,-reqout,_RESULT_DIR/req1.der
_RESULT_DIR/req2.der,,-rspout,_RESULT_DIR/rsp1.der
_RESULT_DIR/rsp2.der,,BLANK,,BLANK,
+1,reqin, -section,, -cmd,ir,,-reqin,_RESULT_DIR/req1.der
_RESULT_DIR/req2.der,,BLANK,,,BLANK,,BLANK,
+1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/rsp1.der
_RESULT_DIR/rsp2.der,,BLANK,,BLANK,
[openssl] master update
The branch master has been updated
via 7ee0954a086ee3b4e0a8c6736600e3d6362485c0 (commit)
from d580c2790f9f304533a3eda2a9cf6b8eb22830c3 (commit)
- Log -
commit 7ee0954a086ee3b4e0a8c6736600e3d6362485c0
Author: Dr. David von Oheimb
Date: Tue Dec 7 11:35:42 2021 +0100
APPS/cmp: fix -rspin option such that it works again without -reqin
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17222)
---
Summary of changes:
apps/cmp.c | 3 ++-
test/recipes/80-test_cmp_http_data/test_commands.csv | 4
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 5056d841d1..3082d7d8f6 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -753,6 +753,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
OSSL_CMP_MSG *req_new = NULL;
OSSL_CMP_MSG *res = NULL;
OSSL_CMP_PKIHEADER *hdr;
+const char *prev_opt_rspin = opt_rspin;
if (req != NULL && opt_reqout != NULL
&& !write_PKIMESSAGE(req, _reqout))
@@ -782,7 +783,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
if (res == NULL)
goto err;
-if (opt_reqin != NULL || opt_rspin != NULL) {
+if (opt_reqin != NULL || prev_opt_rspin != NULL) {
/* need to satisfy nonce and transactionID checks */
ASN1_OCTET_STRING *nonce;
ASN1_OCTET_STRING *tid;
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv
b/test/recipes/80-test_cmp_http_data/test_commands.csv
index 0bfa6c..7395b42791 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -53,3 +53,7 @@ expected,description, -section,val, -cmd,val,val2,
-cacertsout,val,val2, -infoty
0,geninfo bad syntax: missing ':', -section,, -cmd,cr,, -cert,signer.crt,
-key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3:int987
0,geninfo bad syntax: double ':', -section,, -cmd,cr,, -cert,signer.crt,
-key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3:int::987
0,geninfo bad syntax: missing ':int', -section,, -cmd,cr,, -cert,signer.crt,
-key,signer.p12, -keypass,pass:12345,BLANK,, -geninfo,1.2.3
+,,,
+1,reqout+rspout, -section,, -cmd,ir,,-reqout,_RESULT_DIR/req1.der
_RESULT_DIR/req2.der,,-rspout,_RESULT_DIR/rsp1.der
_RESULT_DIR/rsp2.der,,BLANK,,BLANK,
+1,reqin, -section,, -cmd,ir,,-reqin,_RESULT_DIR/req1.der
_RESULT_DIR/req2.der,,BLANK,,,BLANK,,BLANK,
+1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/rsp1.der
_RESULT_DIR/rsp2.der,,BLANK,,BLANK,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 4ed2db591a42fb99401f9b0ff17f6644797ae743 (commit)
from 35f45ae0078f9972a4ea887f59670a7e8f346f94 (commit)
- Log -
commit 4ed2db591a42fb99401f9b0ff17f6644797ae743
Author: Dr. David von Oheimb
Date: Tue Dec 7 17:49:05 2021 +0100
OSSL_CMP_MSG_read(): Fix mem leak on file read error
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17225)
(cherry picked from commit d580c2790f9f304533a3eda2a9cf6b8eb22830c3)
---
Summary of changes:
crypto/cmp/cmp_msg.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 10ef4cd922..84a272fe2b 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -1100,9 +1100,8 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file,
OSSL_LIB_CTX *libctx,
return NULL;
}
-if ((bio = BIO_new_file(file, "rb")) == NULL)
-return NULL;
-if (d2i_OSSL_CMP_MSG_bio(bio, ) == NULL) {
+if ((bio = BIO_new_file(file, "rb")) == NULL
+|| d2i_OSSL_CMP_MSG_bio(bio, ) == NULL) {
OSSL_CMP_MSG_free(msg);
msg = NULL;
}
[openssl] master update
The branch master has been updated
via d580c2790f9f304533a3eda2a9cf6b8eb22830c3 (commit)
from f5485b97b6c9977c0d39c7669b9f97a879312447 (commit)
- Log -
commit d580c2790f9f304533a3eda2a9cf6b8eb22830c3
Author: Dr. David von Oheimb
Date: Tue Dec 7 17:49:05 2021 +0100
OSSL_CMP_MSG_read(): Fix mem leak on file read error
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17225)
---
Summary of changes:
crypto/cmp/cmp_msg.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 51b0998bdc..0497155e09 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -1100,9 +1100,8 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file,
OSSL_LIB_CTX *libctx,
return NULL;
}
-if ((bio = BIO_new_file(file, "rb")) == NULL)
-return NULL;
-if (d2i_OSSL_CMP_MSG_bio(bio, ) == NULL) {
+if ((bio = BIO_new_file(file, "rb")) == NULL
+|| d2i_OSSL_CMP_MSG_bio(bio, ) == NULL) {
OSSL_CMP_MSG_free(msg);
msg = NULL;
}
[openssl] master update
The branch master has been updated
via d9f073575fdb07b486cd1b38974cd177687ccc1e (commit)
from b0be101326f369f0dd547556d2f3eb3ef5ed0e33 (commit)
- Log -
commit d9f073575fdb07b486cd1b38974cd177687ccc1e
Author: Dr. David von Oheimb
Date: Fri Aug 27 15:33:18 2021 +0200
APPS: Improve diagnostics on missing/extra args and unknown cipher/digest
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16450)
---
Summary of changes:
apps/asn1parse.c | 3 +--
apps/ciphers.c | 5 ++---
apps/cmp.c | 4 +---
apps/cms.c | 6 ++
apps/crl.c | 9 +++--
apps/crl2pkcs7.c | 3 +--
apps/dhparam.c | 2 +-
apps/dsa.c | 9 +++--
apps/dsaparam.c| 2 +-
apps/ec.c | 9 +++--
apps/ecparam.c | 3 +--
apps/enc.c | 9 +++--
apps/fipsinstall.c | 7 +--
apps/gendsa.c | 11 ---
apps/genpkey.c | 12 +++-
apps/genrsa.c | 9 +++--
apps/include/opt.h | 2 ++
apps/info.c| 2 +-
apps/lib/opt.c | 40 +---
apps/list.c| 2 +-
apps/mac.c | 5 ++---
apps/nseq.c| 3 +--
apps/ocsp.c| 3 +--
apps/openssl.c | 2 +-
apps/pkcs12.c | 9 +++--
apps/pkcs7.c | 3 +--
apps/pkcs8.c | 3 +--
apps/pkey.c| 9 +++--
apps/pkeyparam.c | 3 +--
apps/pkeyutl.c | 3 +--
apps/prime.c | 8
apps/rand.c| 2 +-
apps/req.c | 9 ++---
apps/rsa.c | 9 +++--
apps/rsautl.c | 3 +--
apps/s_client.c| 5 ++---
apps/s_server.c| 3 +--
apps/s_time.c | 3 +--
apps/sess_id.c | 3 +--
apps/smime.c | 4 +---
apps/spkac.c | 3 +--
apps/storeutl.c| 11 ---
apps/ts.c | 17 ++---
apps/version.c | 3 +--
apps/x509.c| 6 --
45 files changed, 134 insertions(+), 147 deletions(-)
diff --git a/apps/asn1parse.c b/apps/asn1parse.c
index f0bfd1d45f..b456f13d94 100644
--- a/apps/asn1parse.c
+++ b/apps/asn1parse.c
@@ -159,8 +159,7 @@ int asn1parse_main(int argc, char **argv)
}
/* No extra args. */
-argc = opt_num_rest();
-if (argc != 0)
+if (!opt_check_rest_arg(NULL))
goto opthelp;
if (oidfile != NULL) {
diff --git a/apps/ciphers.c b/apps/ciphers.c
index 9c494224a1..dcf0d3fa1e 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -174,10 +174,9 @@ int ciphers_main(int argc, char **argv)
/* Optional arg is cipher name. */
argv = opt_rest();
-argc = opt_num_rest();
-if (argc == 1)
+if (opt_num_rest() == 1)
ciphers = argv[0];
-else if (argc != 0)
+else if (!opt_check_rest_arg(NULL))
goto opthelp;
if (convert != NULL) {
diff --git a/apps/cmp.c b/apps/cmp.c
index f646e3f7bc..5056d841d1 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2552,9 +2552,7 @@ static int get_opts(int argc, char **argv)
}
/* No extra args. */
-argc = opt_num_rest();
-argv = opt_rest();
-if (argc != 0)
+if (!opt_check_rest_arg(NULL))
goto opthelp;
return 1;
}
diff --git a/apps/cms.c b/apps/cms.c
index 76c7896719..18671fdc30 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -697,10 +697,8 @@ int cms_main(int argc, char **argv)
if (!opt_md(digestname, _md))
goto end;
}
-if (ciphername != NULL) {
-if (!opt_cipher_any(ciphername, ))
-goto end;
-}
+if (!opt_cipher_any(ciphername, ))
+goto end;
if (wrapname != NULL) {
if (!opt_cipher_any(wrapname, _cipher))
goto end;
diff --git a/apps/crl.c b/apps/crl.c
index 2158a107e5..8d353ff2af 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -209,14 +209,11 @@ int crl_main(int argc, char **argv)
}
/* No remaining args. */
-argc = opt_num_rest();
-if (argc != 0)
+if (!opt_check_rest_arg(NULL))
goto opthelp;
-if (digestname != NULL) {
-if (!opt_md(digestname, ))
-goto opthelp;
-}
+if (!opt_md(digestname, ))
+goto opthelp;
x = load_crl(infile, informat, 1, "CRL");
if (x == NULL)
goto end;
diff --git a/apps/crl2pkcs7.c b/apps/crl2pkcs7.c
index fe59e65427..681c60285f 100644
--- a/apps/crl2pkcs7.c
+++ b/apps/crl2pkcs7.c
@@ -104,8 +104,7 @@ int crl2pkcs7_main(int argc, char **argv)
}
/* No remaining args. */
-argc = opt_num_rest();
-if (argc != 0)
+if (!opt_check_rest_arg(NULL))
goto opthelp;
if (!nocrl) {
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 0e90698cd6..9fe0eedfc2 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -155,7 +155,7 @@ int dhparam_main(int argc, char **argv)
if (argc == 1) {
if (!opt_int(argv[0], ) || num <= 0)
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via ab3311576e3ab1a1e876061fcd885c9c09daddd8 (commit)
via eff06fe5a02cf35782c626231aba43e79f34a87a (commit)
from bf17b7b18d11d4005c0ff760405744c3e7da2e0d (commit)
- Log -
commit ab3311576e3ab1a1e876061fcd885c9c09daddd8
Author: Dr. David von Oheimb
Date: Wed Nov 10 09:39:55 2021 +0100
X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email
addresses from subject DN
Also slightly improve the style of the respective code in
crypto/x509/v3_san.c.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17145)
(cherry picked from commit 317acac5cc0a2cb31bc4b91353c2b752a3989d8a)
commit eff06fe5a02cf35782c626231aba43e79f34a87a
Author: Dr. David von Oheimb
Date: Wed Nov 10 09:31:11 2021 +0100
X509V3_set_ctx(): Clarify use of subject/req parameter for constructing
SKID by hash of pubkey
This does not change the semantics of expected usage because only either
one may be given.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17145)
(cherry picked from commit 15ac84e603678140ba32832c288e5f1745a258f8)
---
Summary of changes:
crypto/x509/v3_san.c| 11 +--
crypto/x509/v3_skid.c | 6 +++---
doc/man3/X509V3_set_ctx.pod | 12
doc/man5/x509v3_config.pod | 8 +---
4 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index 26708aefae..c081f02e19 100644
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD
*method,
for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(nval, i);
-if (!ossl_v3_name_cmp(cnf->name, "email")
+if (ossl_v3_name_cmp(cnf->name, "email") == 0
&& cnf->value && strcmp(cnf->value, "copy") == 0) {
if (!copy_email(ctx, gens, 0))
goto err;
-} else if (!ossl_v3_name_cmp(cnf->name, "email")
+} else if (ossl_v3_name_cmp(cnf->name, "email") == 0
&& cnf->value && strcmp(cnf->value, "move") == 0) {
if (!copy_email(ctx, gens, 1))
goto err;
@@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES
*gens, int move_p)
return 0;
}
/* Find the subject name */
-if (ctx->subject_cert)
-nm = X509_get_subject_name(ctx->subject_cert);
-else
-nm = X509_REQ_get_subject_name(ctx->subject_req);
+nm = ctx->subject_cert != NULL ?
+X509_get_subject_name(ctx->subject_cert) :
+X509_REQ_get_subject_name(ctx->subject_req);
/* Now add any email address(es) to STACK */
while ((i = X509_NAME_get_index_by_NID(nm,
diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c
index bab88898e6..18223f2ef4 100644
--- a/crypto/x509/v3_skid.c
+++ b/crypto/x509/v3_skid.c
@@ -105,7 +105,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD
*method,
return NULL;
}
-return ossl_x509_pubkey_hash(ctx->subject_req != NULL ?
- ctx->subject_req->req_info.pubkey :
- ctx->subject_cert->cert_info.key);
+return ossl_x509_pubkey_hash(ctx->subject_cert != NULL ?
+ ctx->subject_cert->cert_info.key :
+ ctx->subject_req->req_info.pubkey);
}
diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod
index 1fc5111de4..8287802e41 100644
--- a/doc/man3/X509V3_set_ctx.pod
+++ b/doc/man3/X509V3_set_ctx.pod
@@ -18,12 +18,16 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation
utilities
X509V3_set_ctx() fills in the basic fields of I of type B,
providing details potentially needed by functions producing X509 v3 extensions,
e.g., to look up values for filling in authority key identifiers.
-Any of I, I, or I may be provided, pointing to a certificate,
+Any of I, I, or I may be provided, pointing to a
certificate,
certification request, or certificate revocation list, respectively.
-If I or I is provided, I should point to its issuer,
+When constructing the subject key identifier of a certificate by computing a
+hash value of its public key, the public key is taken from I or
I.
+Similarly, when constructing subject alternative names from any email addresses
+contained in a subject DN, the subject DN is taken from I or I.
+If I or I is provided, I should point to its issuer,
for instance to help generating an authority key identifier extension.
-Note that if I is provided, I may be the same as I,
-which means that I is self-issued (or even self-signed).
+Note that if I is provided, I may be the same as I,
+which means that I is self-issued (or even
[openssl] master update
The branch master has been updated
via 317acac5cc0a2cb31bc4b91353c2b752a3989d8a (commit)
via 15ac84e603678140ba32832c288e5f1745a258f8 (commit)
from e819b5727312477f8c1f56bf928e611ad7e78315 (commit)
- Log -
commit 317acac5cc0a2cb31bc4b91353c2b752a3989d8a
Author: Dr. David von Oheimb
Date: Wed Nov 10 09:39:55 2021 +0100
X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email
addresses from subject DN
Also slightly improve the style of the respective code in
crypto/x509/v3_san.c.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17145)
commit 15ac84e603678140ba32832c288e5f1745a258f8
Author: Dr. David von Oheimb
Date: Wed Nov 10 09:31:11 2021 +0100
X509V3_set_ctx(): Clarify use of subject/req parameter for constructing
SKID by hash of pubkey
This does not change the semantics of expected usage because only either
one may be given.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17145)
---
Summary of changes:
crypto/x509/v3_san.c| 11 +--
crypto/x509/v3_skid.c | 6 +++---
doc/man3/X509V3_set_ctx.pod | 12
doc/man5/x509v3_config.pod | 8 +---
4 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index 26708aefae..c081f02e19 100644
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD
*method,
for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(nval, i);
-if (!ossl_v3_name_cmp(cnf->name, "email")
+if (ossl_v3_name_cmp(cnf->name, "email") == 0
&& cnf->value && strcmp(cnf->value, "copy") == 0) {
if (!copy_email(ctx, gens, 0))
goto err;
-} else if (!ossl_v3_name_cmp(cnf->name, "email")
+} else if (ossl_v3_name_cmp(cnf->name, "email") == 0
&& cnf->value && strcmp(cnf->value, "move") == 0) {
if (!copy_email(ctx, gens, 1))
goto err;
@@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES
*gens, int move_p)
return 0;
}
/* Find the subject name */
-if (ctx->subject_cert)
-nm = X509_get_subject_name(ctx->subject_cert);
-else
-nm = X509_REQ_get_subject_name(ctx->subject_req);
+nm = ctx->subject_cert != NULL ?
+X509_get_subject_name(ctx->subject_cert) :
+X509_REQ_get_subject_name(ctx->subject_req);
/* Now add any email address(es) to STACK */
while ((i = X509_NAME_get_index_by_NID(nm,
diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c
index bab88898e6..18223f2ef4 100644
--- a/crypto/x509/v3_skid.c
+++ b/crypto/x509/v3_skid.c
@@ -105,7 +105,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD
*method,
return NULL;
}
-return ossl_x509_pubkey_hash(ctx->subject_req != NULL ?
- ctx->subject_req->req_info.pubkey :
- ctx->subject_cert->cert_info.key);
+return ossl_x509_pubkey_hash(ctx->subject_cert != NULL ?
+ ctx->subject_cert->cert_info.key :
+ ctx->subject_req->req_info.pubkey);
}
diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod
index 1fc5111de4..8287802e41 100644
--- a/doc/man3/X509V3_set_ctx.pod
+++ b/doc/man3/X509V3_set_ctx.pod
@@ -18,12 +18,16 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation
utilities
X509V3_set_ctx() fills in the basic fields of I of type B,
providing details potentially needed by functions producing X509 v3 extensions,
e.g., to look up values for filling in authority key identifiers.
-Any of I, I, or I may be provided, pointing to a certificate,
+Any of I, I, or I may be provided, pointing to a
certificate,
certification request, or certificate revocation list, respectively.
-If I or I is provided, I should point to its issuer,
+When constructing the subject key identifier of a certificate by computing a
+hash value of its public key, the public key is taken from I or
I.
+Similarly, when constructing subject alternative names from any email addresses
+contained in a subject DN, the subject DN is taken from I or I.
+If I or I is provided, I should point to its issuer,
for instance to help generating an authority key identifier extension.
-Note that if I is provided, I may be the same as I,
-which means that I is self-issued (or even self-signed).
+Note that if I is provided, I may be the same as I,
+which means that I is self-issued (or even self-signed).
I may be 0
or contain B, which means that just the syntax of
extension definitions is to be checked without actually producing an extension,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 17f5c1d9bab0127260ec212c55fc7193fea099a5 (commit)
via 1cafe4fc33c1dae7dd5024f600475fa96637b128 (commit)
from acf1651de1ba36e79176d9df0943698ed5bcee9c (commit)
- Log -
commit 17f5c1d9bab0127260ec212c55fc7193fea099a5
Author: Dr. David von Oheimb
Date: Tue Nov 30 16:44:59 2021 +0100
OSSL_HTTP_REQ_CTX_nbio(): Fix parsing of responses with status code != 200
This way keep-alive is not (needlessly) cancelled on error.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17171)
(cherry picked from commit 38288f424faa0cf61bd705c497bb1a1657611da1)
commit 1cafe4fc33c1dae7dd5024f600475fa96637b128
Author: Dr. David von Oheimb
Date: Tue Nov 30 16:20:26 2021 +0100
parse_http_line1(): Fix diagnostic output on error and return code
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17171)
(cherry picked from commit e2b7dc353b353efccd1d228f743baa7c2d2f9f49)
---
Summary of changes:
crypto/http/http_client.c | 39 +--
1 file changed, 21 insertions(+), 18 deletions(-)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index e5c8bcd33d..6a8149ba59 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -369,12 +369,13 @@ static OSSL_HTTP_REQ_CTX *http_req_ctx_new(int free_wbio,
BIO *wbio, BIO *rbio,
/*
* Parse first HTTP response line. This should be like this: "HTTP/1.0 200 OK".
- * We need to obtain the numeric code and (optional) informational message.
+ * We need to obtain the status code and (optional) informational message.
+ * Return any received HTTP response status code, or 0 on fatal error.
*/
static int parse_http_line1(char *line, int *found_keep_alive)
{
-int i, retcode;
+int i, retcode, err;
char *code, *reason, *end;
if (!HAS_PREFIX(line, HTTP_PREFIX_VERSION))
@@ -430,22 +431,21 @@ static int parse_http_line1(char *line, int
*found_keep_alive)
case HTTP_STATUS_CODE_FOUND:
return retcode;
default:
+err = HTTP_R_RECEIVED_ERROR;
if (retcode < 400)
-retcode = HTTP_R_STATUS_CODE_UNSUPPORTED;
-else
-retcode = HTTP_R_RECEIVED_ERROR;
+err = HTTP_R_STATUS_CODE_UNSUPPORTED;
if (*reason == '\0')
-ERR_raise_data(ERR_LIB_HTTP, retcode, "code=%s", code);
+ERR_raise_data(ERR_LIB_HTTP, err, "code=%s", code);
else
-ERR_raise_data(ERR_LIB_HTTP, retcode,
- "code=%s, reason=%s", code, reason);
-return 0;
+ERR_raise_data(ERR_LIB_HTTP, err, "code=%s, reason=%s", code,
+ reason);
+return retcode;
}
err:
-i = 0;
-while (i < 60 && ossl_isprint(line[i]))
-i++;
+for (i = 0; i < 60 && line[i] != '\0'; i++)
+if (!ossl_isprint(line[i]))
+line[i] = ' ';
line[i] = '\0';
ERR_raise_data(ERR_LIB_HTTP, HTTP_R_HEADER_PARSE_ERROR, "content=%s",
line);
return 0;
@@ -634,7 +634,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
/* fall through */
default:
rctx->state = OHS_ERROR;
-return 0;
+goto next_line;
}
}
key = buf;
@@ -693,11 +693,6 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
if (*p != '\0') /* not end of headers */
goto next_line;
-if (rctx->expected_ct != NULL && !found_expected_ct) {
-ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MISSING_CONTENT_TYPE,
- "expected=%s", rctx->expected_ct);
-return 0;
-}
if (rctx->keep_alive != 0 /* do not let server initiate keep_alive */
&& !found_keep_alive /* otherwise there is no change */) {
if (rctx->keep_alive == 2) {
@@ -708,6 +703,14 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
rctx->keep_alive = 0;
}
+if (rctx->state == OHS_ERROR)
+return 0;
+
+if (rctx->expected_ct != NULL && !found_expected_ct) {
+ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MISSING_CONTENT_TYPE,
+ "expected=%s", rctx->expected_ct);
+return 0;
+}
if (rctx->state == OHS_REDIRECT) {
/* http status code indicated redirect but there was no Location */
ERR_raise(ERR_LIB_HTTP, HTTP_R_MISSING_REDIRECT_LOCATION);
[openssl] master update
The branch master has been updated
via 38288f424faa0cf61bd705c497bb1a1657611da1 (commit)
via e2b7dc353b353efccd1d228f743baa7c2d2f9f49 (commit)
from 2080134ee98a6b23f7456c17901e7b06e4a42ed5 (commit)
- Log -
commit 38288f424faa0cf61bd705c497bb1a1657611da1
Author: Dr. David von Oheimb
Date: Tue Nov 30 16:44:59 2021 +0100
OSSL_HTTP_REQ_CTX_nbio(): Fix parsing of responses with status code != 200
This way keep-alive is not (needlessly) cancelled on error.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17171)
commit e2b7dc353b353efccd1d228f743baa7c2d2f9f49
Author: Dr. David von Oheimb
Date: Tue Nov 30 16:20:26 2021 +0100
parse_http_line1(): Fix diagnostic output on error and return code
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17171)
---
Summary of changes:
crypto/http/http_client.c | 39 +--
1 file changed, 21 insertions(+), 18 deletions(-)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 6be3e642e1..45e92cd7fd 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -368,12 +368,13 @@ static OSSL_HTTP_REQ_CTX *http_req_ctx_new(int free_wbio,
BIO *wbio, BIO *rbio,
/*
* Parse first HTTP response line. This should be like this: "HTTP/1.0 200 OK".
- * We need to obtain the numeric code and (optional) informational message.
+ * We need to obtain the status code and (optional) informational message.
+ * Return any received HTTP response status code, or 0 on fatal error.
*/
static int parse_http_line1(char *line, int *found_keep_alive)
{
-int i, retcode;
+int i, retcode, err;
char *code, *reason, *end;
if (!CHECK_AND_SKIP_PREFIX(line, HTTP_PREFIX_VERSION))
@@ -429,22 +430,21 @@ static int parse_http_line1(char *line, int
*found_keep_alive)
case HTTP_STATUS_CODE_FOUND:
return retcode;
default:
+err = HTTP_R_RECEIVED_ERROR;
if (retcode < 400)
-retcode = HTTP_R_STATUS_CODE_UNSUPPORTED;
-else
-retcode = HTTP_R_RECEIVED_ERROR;
+err = HTTP_R_STATUS_CODE_UNSUPPORTED;
if (*reason == '\0')
-ERR_raise_data(ERR_LIB_HTTP, retcode, "code=%s", code);
+ERR_raise_data(ERR_LIB_HTTP, err, "code=%s", code);
else
-ERR_raise_data(ERR_LIB_HTTP, retcode,
- "code=%s, reason=%s", code, reason);
-return 0;
+ERR_raise_data(ERR_LIB_HTTP, err, "code=%s, reason=%s", code,
+ reason);
+return retcode;
}
err:
-i = 0;
-while (i < 60 && ossl_isprint(line[i]))
-i++;
+for (i = 0; i < 60 && line[i] != '\0'; i++)
+if (!ossl_isprint(line[i]))
+line[i] = ' ';
line[i] = '\0';
ERR_raise_data(ERR_LIB_HTTP, HTTP_R_HEADER_PARSE_ERROR, "content=%s",
line);
return 0;
@@ -624,7 +624,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
/* fall through */
default:
rctx->state = OHS_ERROR;
-return 0;
+goto next_line;
}
}
key = (char *)rctx->buf;
@@ -683,11 +683,6 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
if (*p != '\0') /* not end of headers */
goto next_line;
-if (rctx->expected_ct != NULL && !found_expected_ct) {
-ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MISSING_CONTENT_TYPE,
- "expected=%s", rctx->expected_ct);
-return 0;
-}
if (rctx->keep_alive != 0 /* do not let server initiate keep_alive */
&& !found_keep_alive /* otherwise there is no change */) {
if (rctx->keep_alive == 2) {
@@ -698,6 +693,14 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
rctx->keep_alive = 0;
}
+if (rctx->state == OHS_ERROR)
+return 0;
+
+if (rctx->expected_ct != NULL && !found_expected_ct) {
+ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MISSING_CONTENT_TYPE,
+ "expected=%s", rctx->expected_ct);
+return 0;
+}
if (rctx->state == OHS_REDIRECT) {
/* http status code indicated redirect but there was no Location */
ERR_raise(ERR_LIB_HTTP, HTTP_R_MISSING_REDIRECT_LOCATION);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via acf1651de1ba36e79176d9df0943698ed5bcee9c (commit) via 8df298918f8cdc527a0799d0e9bc767cb6b6a76d (commit) via 7e424b54b7d164149a65660013bd1943592ac4e6 (commit) from f43654438c6abd414633778dcfcd2e8f666c1794 (commit) - Log - commit acf1651de1ba36e79176d9df0943698ed5bcee9c Author: Dr. David von Oheimb Date: Mon Nov 29 08:36:14 2021 +0100 OSSL_HTTP_transfer.pod: Some clarifications on the BIO connect/disconnect callback function Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17160) (cherry picked from commit 2080134ee98a6b23f7456c17901e7b06e4a42ed5) commit 8df298918f8cdc527a0799d0e9bc767cb6b6a76d Author: Dr. David von Oheimb Date: Mon Nov 22 11:29:25 2021 +0100 OSSL_HTTP_transfer.pod: Fix omission documenting the 'ok' parameter of OSSL_HTTP_close() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17160) (cherry picked from commit 4ee464cf8e0b8dc39970306bfbb49a6e06863e1c) commit 7e424b54b7d164149a65660013bd1943592ac4e6 Author: Dr. David von Oheimb Date: Fri Nov 19 20:38:27 2021 +0100 BIO_push.pod: fix confusing text and add details on corner cases Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17086) (cherry picked from commit 7a37fd09a8f3607ed8acf55e03479861595be069) --- Summary of changes: doc/man3/BIO_push.pod | 53 - doc/man3/OSSL_HTTP_transfer.pod | 18 -- 2 files changed, 42 insertions(+), 29 deletions(-) diff --git a/doc/man3/BIO_push.pod b/doc/man3/BIO_push.pod index a9a1f84b5d..84ce3f042d 100644 --- a/doc/man3/BIO_push.pod +++ b/doc/man3/BIO_push.pod @@ -8,22 +8,27 @@ BIO_push, BIO_pop, BIO_set_next - add and remove BIOs from a chain #include - BIO *BIO_push(BIO *b, BIO *append); + BIO *BIO_push(BIO *b, BIO *next); BIO *BIO_pop(BIO *b); void BIO_set_next(BIO *b, BIO *next); =head1 DESCRIPTION -The BIO_push() function appends the BIO B to B, it returns -B. +BIO_push() pushes I on I. +If I is NULL the function does nothing and returns I. +Otherwise it prepends I, which may be a single BIO or a chain of BIOs, +to I (unless I is NULL). +It then makes a control call on I and returns I. -BIO_pop() removes the BIO B from a chain and returns the next BIO -in the chain, or NULL if there is no next BIO. The removed BIO then -becomes a single BIO with no association with the original chain, -it can thus be freed or attached to a different chain. +BIO_pop() removes the BIO I from any chain is is part of. +If I is NULL the function does nothing and returns NULL. +Otherwise it makes a control call on I and +returns the next BIO in the chain, or NULL if there is no next BIO. +The removed BIO becomes a single BIO with no association with +the original chain, it can thus be freed or be made part of a different chain. BIO_set_next() replaces the existing next BIO in a chain with the BIO pointed to -by B. The new chain may include some of the same BIOs from the old chain +by I. The new chain may include some of the same BIOs from the old chain or it may be completely different. =head1 NOTES @@ -33,41 +38,45 @@ joins two BIO chains whereas BIO_pop() deletes a single BIO from a chain, the deleted BIO does not need to be at the end of a chain. The process of calling BIO_push() and BIO_pop() on a BIO may have additional -consequences (a control call is made to the affected BIOs) any effects will -be noted in the descriptions of individual BIOs. +consequences (a control call is made to the affected BIOs). +Any effects will be noted in the descriptions of individual BIOs. =head1 RETURN VALUES -BIO_push() returns the end of the chain, B. +BIO_push() returns the head of the chain, +which usually is I, or I if I is NULL. -BIO_pop() returns the next BIO in the chain, or NULL if there is no next -BIO. +BIO_pop() returns the next BIO in the chain, +or NULL if there is no next BIO. =head1 EXAMPLES -For these examples suppose B and B are digest BIOs, B is -a base64 BIO and B is a file BIO. +For these examples suppose I and I are digest BIOs, +I is a base64 BIO and I is a file BIO. If the call: BIO_push(b64, f); -is made then the new chain will be B. After making the calls +is made then the new chain will be I. After making the calls BIO_push(md2, b64); BIO_push(md1, md2); -the new chain is B. Data written to B will be digested -by B and B, B encoded and written to B. +the new chain is I. Data written to I will be digested +by I and I, base64 encoded, and finally written to I. It should be noted that reading causes data to pass in the reverse -direction, that is data is read from B, B decoded and
[openssl] master update
The branch master has been updated via 2080134ee98a6b23f7456c17901e7b06e4a42ed5 (commit) via 4ee464cf8e0b8dc39970306bfbb49a6e06863e1c (commit) from 5fae09f3d8da7c182c6cfb6a295dcfd15ae828ae (commit) - Log - commit 2080134ee98a6b23f7456c17901e7b06e4a42ed5 Author: Dr. David von Oheimb Date: Mon Nov 29 08:36:14 2021 +0100 OSSL_HTTP_transfer.pod: Some clarifications on the BIO connect/disconnect callback function Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17160) commit 4ee464cf8e0b8dc39970306bfbb49a6e06863e1c Author: Dr. David von Oheimb Date: Mon Nov 22 11:29:25 2021 +0100 OSSL_HTTP_transfer.pod: Fix omission documenting the 'ok' parameter of OSSL_HTTP_close() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17160) --- Summary of changes: doc/man3/OSSL_HTTP_transfer.pod | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index ff29c79837..2aef3a5347 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -95,16 +95,19 @@ I is a BIO connect/disconnect callback function with prototype BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail) -The callback may modify the HTTP BIO provided in the I argument, +The callback function may modify the BIO provided in the I argument, whereby it may make use of a custom defined argument I, -which may for instance refer to an I structure. -During connection establishment, just after calling BIO_do_connect_retry(), -the function is invoked with the I argument being 1 and the I +which may for instance point to an B structure. +During connection establishment, just after calling BIO_do_connect_retry(), the +callback function is invoked with the I argument being 1 and the I argument being 1 if HTTPS is requested, i.e., SSL/TLS should be enabled, else 0. On disconnect I is 0 and I is 1 if no error occurred, else 0. -For instance, on connect the function may prepend a TLS BIO to implement HTTPS; -after disconnect it may do some diagnostic output and/or specific cleanup. -The function should return NULL to indicate failure. +For instance, on connect the callback may push an SSL BIO to implement HTTPS; +after disconnect it may do some diagnostic output and pop and free the SSL BIO. + +The callback function must return either the potentially modified BIO I. +or NULL to indicate failure, in which case it should not modify the BIO. + Here is a simple example that supports TLS connections (but not via a proxy): BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail) @@ -220,6 +223,7 @@ The caller is responsible for freeing the BIO pointer obtained. OSSL_HTTP_close() closes the connection and releases I. The I parameter is passed to any BIO update function given during setup as described above for OSSL_HTTP_open(). +It must be 1 if no error occurred during the HTTP transfer and 0 otherwise. =head1 NOTES
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 54c358382e917a6adc912ee0958989609c8ee136 (commit)
via f623a68efad0b00c698b3e10963f51971f55ffba (commit)
from 76eb12aa278cb30a495bcee3fdc176d0a6c35052 (commit)
- Log -
commit 54c358382e917a6adc912ee0958989609c8ee136
Author: Dr. David von Oheimb
Date: Thu Sep 30 11:12:49 2021 +0200
BIO_f_ssl.pod: Make clear where an SSL BIOs are expected as an argument
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17135)
commit f623a68efad0b00c698b3e10963f51971f55ffba
Author: Dr. David von Oheimb
Date: Mon Sep 27 14:22:40 2021 +0200
Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17135)
---
Summary of changes:
doc/man3/BIO_f_ssl.pod | 17 -
ssl/bio_ssl.c | 7 +++
2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/doc/man3/BIO_f_ssl.pod b/doc/man3/BIO_f_ssl.pod
index 641ee2329e..8866785cfe 100644
--- a/doc/man3/BIO_f_ssl.pod
+++ b/doc/man3/BIO_f_ssl.pod
@@ -54,26 +54,26 @@ The SSL BIO is then reset to the initial accept or connect
state.
If the close flag is set when an SSL BIO is freed then the internal
SSL structure is also freed using SSL_free().
-BIO_set_ssl() sets the internal SSL pointer of BIO B to B using
+BIO_set_ssl() sets the internal SSL pointer of SSL BIO B to B using
the close flag B.
-BIO_get_ssl() retrieves the SSL pointer of BIO B, it can then be
+BIO_get_ssl() retrieves the SSL pointer of SSL BIO B, it can then be
manipulated using the standard SSL library functions.
BIO_set_ssl_mode() sets the SSL BIO mode to B. If B
is 1 client mode is set. If B is 0 server mode is set.
-BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count
+BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count of SSL BIO B
to B. When set after every B bytes of I/O (read and write)
the SSL session is automatically renegotiated. B must be at
least 512 bytes.
-BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout to
-B. When the renegotiate timeout elapses the session is
-automatically renegotiated.
+BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout of SSL BIO B
+to B.
+When the renegotiate timeout elapses the session is automatically renegotiated.
BIO_get_num_renegotiates() returns the total number of session
-renegotiations due to I/O or timeout.
+renegotiations due to I/O or timeout of SSL BIO B.
BIO_new_ssl() allocates an SSL BIO using SSL_CTX B and using
client mode if B is non zero.
@@ -82,8 +82,7 @@ BIO_new_ssl_connect() creates a new BIO chain consisting of an
SSL BIO (using B) followed by a connect BIO.
BIO_new_buffer_ssl_connect() creates a new BIO chain consisting
-of a buffering BIO, an SSL BIO (using B) and a connect
-BIO.
+of a buffering BIO, an SSL BIO (using B), and a connect BIO.
BIO_ssl_copy_session_id() copies an SSL session id between
BIO chains B and B. It does this by locating the
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index c4239345b6..67097d5cca 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -76,13 +76,12 @@ static int ssl_free(BIO *a)
if (a == NULL)
return 0;
bs = BIO_get_data(a);
-if (bs->ssl != NULL)
-SSL_shutdown(bs->ssl);
if (BIO_get_shutdown(a)) {
+if (bs->ssl != NULL)
+SSL_shutdown(bs->ssl);
if (BIO_get_init(a))
SSL_free(bs->ssl);
-/* Clear all flags */
-BIO_clear_flags(a, ~0);
+BIO_clear_flags(a, ~0); /* Clear all flags */
BIO_set_init(a, 0);
}
OPENSSL_free(bs);
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 791bfd91bcb02ee51bf16b195293daeeccc3d84c (commit) from 5f422920c171077d8e8d49ad69632711f1ac7e5a (commit) - Log - commit 791bfd91bcb02ee51bf16b195293daeeccc3d84c Author: Dr. David von Oheimb Date: Fri Nov 19 20:38:27 2021 +0100 BIO_push.pod: fix confusing text and add details on corner cases Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17086) (cherry picked from commit 7a37fd09a8f3607ed8acf55e03479861595be069) --- Summary of changes: doc/man3/BIO_push.pod | 53 ++- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/doc/man3/BIO_push.pod b/doc/man3/BIO_push.pod index 8b98bee498..e16daafe88 100644 --- a/doc/man3/BIO_push.pod +++ b/doc/man3/BIO_push.pod @@ -8,22 +8,27 @@ BIO_push, BIO_pop, BIO_set_next - add and remove BIOs from a chain #include - BIO *BIO_push(BIO *b, BIO *append); + BIO *BIO_push(BIO *b, BIO *next); BIO *BIO_pop(BIO *b); void BIO_set_next(BIO *b, BIO *next); =head1 DESCRIPTION -The BIO_push() function appends the BIO B to B, it returns -B. +BIO_push() pushes I on I. +If I is NULL the function does nothing and returns I. +Otherwise it prepends I, which may be a single BIO or a chain of BIOs, +to I (unless I is NULL). +It then makes a control call on I and returns I. -BIO_pop() removes the BIO B from a chain and returns the next BIO -in the chain, or NULL if there is no next BIO. The removed BIO then -becomes a single BIO with no association with the original chain, -it can thus be freed or attached to a different chain. +BIO_pop() removes the BIO I from any chain is is part of. +If I is NULL the function does nothing and returns NULL. +Otherwise it makes a control call on I and +returns the next BIO in the chain, or NULL if there is no next BIO. +The removed BIO becomes a single BIO with no association with +the original chain, it can thus be freed or be made part of a different chain. BIO_set_next() replaces the existing next BIO in a chain with the BIO pointed to -by B. The new chain may include some of the same BIOs from the old chain +by I. The new chain may include some of the same BIOs from the old chain or it may be completely different. =head1 NOTES @@ -33,41 +38,45 @@ joins two BIO chains whereas BIO_pop() deletes a single BIO from a chain, the deleted BIO does not need to be at the end of a chain. The process of calling BIO_push() and BIO_pop() on a BIO may have additional -consequences (a control call is made to the affected BIOs) any effects will -be noted in the descriptions of individual BIOs. +consequences (a control call is made to the affected BIOs). +Any effects will be noted in the descriptions of individual BIOs. =head1 RETURN VALUES -BIO_push() returns the end of the chain, B. +BIO_push() returns the head of the chain, +which usually is I, or I if I is NULL. -BIO_pop() returns the next BIO in the chain, or NULL if there is no next -BIO. +BIO_pop() returns the next BIO in the chain, +or NULL if there is no next BIO. =head1 EXAMPLES -For these examples suppose B and B are digest BIOs, B is -a base64 BIO and B is a file BIO. +For these examples suppose I and I are digest BIOs, +I is a base64 BIO and I is a file BIO. If the call: BIO_push(b64, f); -is made then the new chain will be B. After making the calls +is made then the new chain will be I. After making the calls BIO_push(md2, b64); BIO_push(md1, md2); -the new chain is B. Data written to B will be digested -by B and B, B encoded and written to B. +the new chain is I. Data written to I will be digested +by I and I, base64 encoded, and finally written to I. It should be noted that reading causes data to pass in the reverse -direction, that is data is read from B, B decoded and digested -by B and B. If the call: +direction, that is data is read from I, base64 decoded, +and digested by I and then I. + +The call: BIO_pop(md2); -The call will return B and the new chain will be B data can -be written to B as before. +will return I and the new chain will be I. +Data can be written to and read from I as before, +except that I will no more be applied. =head1 SEE ALSO
[openssl] master update
The branch master has been updated via 7a37fd09a8f3607ed8acf55e03479861595be069 (commit) from 0a10825a009c830125fef94c81d34e41300a24a5 (commit) - Log - commit 7a37fd09a8f3607ed8acf55e03479861595be069 Author: Dr. David von Oheimb Date: Fri Nov 19 20:38:27 2021 +0100 BIO_push.pod: fix confusing text and add details on corner cases Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17086) --- Summary of changes: doc/man3/BIO_push.pod | 53 ++- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/doc/man3/BIO_push.pod b/doc/man3/BIO_push.pod index a9a1f84b5d..84ce3f042d 100644 --- a/doc/man3/BIO_push.pod +++ b/doc/man3/BIO_push.pod @@ -8,22 +8,27 @@ BIO_push, BIO_pop, BIO_set_next - add and remove BIOs from a chain #include - BIO *BIO_push(BIO *b, BIO *append); + BIO *BIO_push(BIO *b, BIO *next); BIO *BIO_pop(BIO *b); void BIO_set_next(BIO *b, BIO *next); =head1 DESCRIPTION -The BIO_push() function appends the BIO B to B, it returns -B. +BIO_push() pushes I on I. +If I is NULL the function does nothing and returns I. +Otherwise it prepends I, which may be a single BIO or a chain of BIOs, +to I (unless I is NULL). +It then makes a control call on I and returns I. -BIO_pop() removes the BIO B from a chain and returns the next BIO -in the chain, or NULL if there is no next BIO. The removed BIO then -becomes a single BIO with no association with the original chain, -it can thus be freed or attached to a different chain. +BIO_pop() removes the BIO I from any chain is is part of. +If I is NULL the function does nothing and returns NULL. +Otherwise it makes a control call on I and +returns the next BIO in the chain, or NULL if there is no next BIO. +The removed BIO becomes a single BIO with no association with +the original chain, it can thus be freed or be made part of a different chain. BIO_set_next() replaces the existing next BIO in a chain with the BIO pointed to -by B. The new chain may include some of the same BIOs from the old chain +by I. The new chain may include some of the same BIOs from the old chain or it may be completely different. =head1 NOTES @@ -33,41 +38,45 @@ joins two BIO chains whereas BIO_pop() deletes a single BIO from a chain, the deleted BIO does not need to be at the end of a chain. The process of calling BIO_push() and BIO_pop() on a BIO may have additional -consequences (a control call is made to the affected BIOs) any effects will -be noted in the descriptions of individual BIOs. +consequences (a control call is made to the affected BIOs). +Any effects will be noted in the descriptions of individual BIOs. =head1 RETURN VALUES -BIO_push() returns the end of the chain, B. +BIO_push() returns the head of the chain, +which usually is I, or I if I is NULL. -BIO_pop() returns the next BIO in the chain, or NULL if there is no next -BIO. +BIO_pop() returns the next BIO in the chain, +or NULL if there is no next BIO. =head1 EXAMPLES -For these examples suppose B and B are digest BIOs, B is -a base64 BIO and B is a file BIO. +For these examples suppose I and I are digest BIOs, +I is a base64 BIO and I is a file BIO. If the call: BIO_push(b64, f); -is made then the new chain will be B. After making the calls +is made then the new chain will be I. After making the calls BIO_push(md2, b64); BIO_push(md1, md2); -the new chain is B. Data written to B will be digested -by B and B, B encoded and written to B. +the new chain is I. Data written to I will be digested +by I and I, base64 encoded, and finally written to I. It should be noted that reading causes data to pass in the reverse -direction, that is data is read from B, B decoded and digested -by B and B. If the call: +direction, that is data is read from I, base64 decoded, +and digested by I and then I. + +The call: BIO_pop(md2); -The call will return B and the new chain will be B data can -be written to B as before. +will return I and the new chain will be I. +Data can be written to and read from I as before, +except that I will no more be applied. =head1 SEE ALSO
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 79ef18759a4f89af0b1e015766a73fa289095673 (commit)
from 9b06ebb1edfddffea083ba36090af7eb7cad207b (commit)
- Log -
commit 79ef18759a4f89af0b1e015766a73fa289095673
Author: Richard Levitte
Date: Fri Nov 19 07:37:29 2021 +0100
ERR: Add a missing common reason string
There was no string present for ERR_R_PASSED_INVALID_ARGUMENT
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/17069)
---
Summary of changes:
crypto/err/err.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 1372d52f80..70a4cd402c 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -129,6 +129,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_INTERNAL_ERROR, "internal error"},
{ERR_R_DISABLED, "called a function that was disabled at compile-time"},
{ERR_R_INIT_FAIL, "init fail"},
+{ERR_R_PASSED_INVALID_ARGUMENT, "passed invalid argument"},
{ERR_R_OPERATION_FAIL, "operation fail"},
{0, NULL},
[openssl] master update
The branch master has been updated
via 4599ea9fe31953c0c50738ed4b91ade76a693356 (commit)
from 40649e36c4c0c9438f62e1bf2ccb983f6854c662 (commit)
- Log -
commit 4599ea9fe31953c0c50738ed4b91ade76a693356
Author: Dr. David von Oheimb
Date: Tue Jul 13 10:20:38 2021 +0200
Fix HTTP server port output and allow dynamic verbosity setting
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16061)
---
Summary of changes:
apps/cmp.c | 4 ++--
apps/include/http_server.h | 29 +++--
apps/include/s_apps.h | 1 +
apps/lib/http_server.c | 32 +---
apps/lib/s_socket.c| 39 ++-
apps/ocsp.c| 10 +-
6 files changed, 74 insertions(+), 41 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 589cce1266..f646e3f7bc 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2568,7 +2568,7 @@ static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx) {
int retry = 1;
int ret = 1;
-if ((acbio = http_server_init_bio(prog, opt_port)) == NULL)
+if ((acbio = http_server_init(prog, opt_port, opt_verbosity)) == NULL)
return 0;
while (opt_max_msgs <= 0 || msgs < opt_max_msgs) {
char *path = NULL;
@@ -2578,7 +2578,7 @@ static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx) {
ret = http_server_get_asn1_req(ASN1_ITEM_rptr(OSSL_CMP_MSG),
(ASN1_VALUE **), ,
, acbio, _alive,
- prog, opt_port, 0, 0);
+ prog, 0, 0);
if (ret == 0) { /* no request yet */
if (retry) {
ossl_sleep(1000);
diff --git a/apps/include/http_server.h b/apps/include/http_server.h
index 8c339660a6..3a81cbb140 100644
--- a/apps/include/http_server.h
+++ b/apps/include/http_server.h
@@ -34,17 +34,19 @@
# include
# include
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
-# else
-# undef LOG_DEBUG
-# undef LOG_INFO
-# undef LOG_WARNING
-# undef LOG_ERR
-# define LOG_DEBUG 7
-# define LOG_INFO 6
-# define LOG_WARNING 4
-# define LOG_ERR 3
# endif
+# undef LOG_TRACE
+# undef LOG_DEBUG
+# undef LOG_INFO
+# undef LOG_WARNING
+# undef LOG_ERR
+# define LOG_TRACE 8
+# define LOG_DEBUG 7
+# define LOG_INFO 6
+# define LOG_WARNING 4
+# define LOG_ERR 3
+
/*-
* Log a message to syslog if multi-threaded HTTP_DAEMON, else to bio_err
* prog: the name of the current app
@@ -56,12 +58,13 @@ void log_message(const char *prog, int level, const char
*fmt, ...);
# ifndef OPENSSL_NO_SOCK
/*-
- * Initialize an HTTP server by setting up its listening BIO
+ * Initialize an HTTP server, setting up its listening BIO
* prog: the name of the current app
* port: the port to listen on
+ * verbosity: the level of verbosity to use, or -1 for default: LOG_INFO
* returns a BIO for accepting requests, NULL on error
*/
-BIO *http_server_init_bio(const char *prog, const char *port);
+BIO *http_server_init(const char *prog, const char *port, int verbosity);
/*-
* Accept an ASN.1-formatted HTTP request
@@ -72,7 +75,6 @@ BIO *http_server_init_bio(const char *prog, const char *port);
* acbio: the listening bio (typically as returned by http_server_init_bio())
* found_keep_alive: for returning flag if client requests persistent
connection
* prog: the name of the current app, for diagnostics only
- * port: the local port listening to, for diagnostics only
* accept_get: whether to accept GET requests (in addition to POST requests)
* timeout: connection timeout (in seconds), or 0 for none/infinite
* returns 0 in case caller should retry, then *preq == *ppath == *pcbio ==
NULL
@@ -86,8 +88,7 @@ BIO *http_server_init_bio(const char *prog, const char *port);
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
char **ppath, BIO **pcbio, BIO *acbio,
int *found_keep_alive,
- const char *prog, const char *port,
- int accept_get, int timeout);
+ const char *prog, int accept_get, int timeout);
/*-
* Send an ASN.1-formatted HTTP response
diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h
index 194ea746ed..5b188b9892 100644
--- a/apps/include/s_apps.h
+++ b/apps/include/s_apps.h
@@ -19,6 +19,7 @@
(SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char
*context);
+void get_sock_info_address(int asock, char **hostname, char **service);
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 301c525ee90bfc04f04ccf3241c8b141af0bb46d (commit)
via 2f03ee20093b2fb3526289e9453f58627453c744 (commit)
from f4664e5d40f8736d301763b3e98d2ab0061e3a02 (commit)
- Log -
commit 301c525ee90bfc04f04ccf3241c8b141af0bb46d
Author: Dr. David von Oheimb
Date: Fri Nov 19 11:12:09 2021 +0100
02-test_errstr.t: print errorcodes in hex (rather than decimal) format
Reviewed-by: Richard Levitte
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17056)
commit 2f03ee20093b2fb3526289e9453f58627453c744
Author: Dr. David von Oheimb
Date: Wed Nov 17 19:05:21 2021 +0100
Make ERR_str_reasons in err.c consistent again with err.h
Fixes printing generic reason strings, e.g., 'reason(524550)' vs. 'passed
an invalid argument'
Reviewed-by: Richard Levitte
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17056)
---
Summary of changes:
crypto/err/err.c | 16 ++--
test/recipes/02-test_errstr.t | 2 +-
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 60a9b02d19..c605c21f01 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -80,6 +80,10 @@ static ERR_STRING_DATA ERR_str_libraries[] = {
{0, NULL},
};
+/*
+ * Should make sure that all ERR_R_ reasons defined in include/openssl/err.h.in
+ * are listed. For maintainability, please keep all reasons in the same order.
+ */
static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_SYS_LIB, "system lib"},
{ERR_R_BN_LIB, "BN lib"},
@@ -92,17 +96,16 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_DSA_LIB, "DSA lib"},
{ERR_R_X509_LIB, "X509 lib"},
{ERR_R_ASN1_LIB, "ASN1 lib"},
+{ERR_R_CRYPTO_LIB, "CRYPTO lib"},
{ERR_R_EC_LIB, "EC lib"},
{ERR_R_BIO_LIB, "BIO lib"},
{ERR_R_PKCS7_LIB, "PKCS7 lib"},
{ERR_R_X509V3_LIB, "X509V3 lib"},
{ERR_R_ENGINE_LIB, "ENGINE lib"},
{ERR_R_UI_LIB, "UI lib"},
-{ERR_R_OSSL_STORE_LIB, "STORE lib"},
{ERR_R_ECDSA_LIB, "ECDSA lib"},
-
-{ERR_R_NESTED_ASN1_ERROR, "nested asn1 error"},
-{ERR_R_MISSING_ASN1_EOS, "missing asn1 eos"},
+{ERR_R_OSSL_STORE_LIB, "OSSL_STORE lib"},
+{ERR_R_OSSL_DECODER_LIB, "OSSL_DECODER lib"},
{ERR_R_FATAL, "fatal"},
{ERR_R_MALLOC_FAILURE, "malloc failure"},
@@ -112,10 +115,12 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_INTERNAL_ERROR, "internal error"},
{ERR_R_DISABLED, "called a function that was disabled at compile-time"},
{ERR_R_INIT_FAIL, "init fail"},
+{ERR_R_PASSED_INVALID_ARGUMENT, "passed invalid argument"},
{ERR_R_OPERATION_FAIL, "operation fail"},
{ERR_R_INVALID_PROVIDER_FUNCTIONS, "invalid provider functions"},
{ERR_R_INTERRUPTED_OR_CANCELLED, "interrupted or cancelled"},
-
+{ERR_R_NESTED_ASN1_ERROR, "nested asn1 error"},
+{ERR_R_MISSING_ASN1_EOS, "missing asn1 eos"},
/*
* Something is unsupported, exactly what is expressed with additional data
*/
@@ -125,7 +130,6 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
* unsupported.
*/
{ERR_R_FETCH_FAILED, "fetch failed"},
-
{ERR_R_INVALID_PROPERTY_DEFINITION, "invalid property definition"},
{ERR_R_UNABLE_TO_GET_READ_LOCK, "unable to get read lock"},
{ERR_R_UNABLE_TO_GET_WRITE_LOCK, "unable to get write lock"},
diff --git a/test/recipes/02-test_errstr.t b/test/recipes/02-test_errstr.t
index 9427601292..396d273176 100644
--- a/test/recipes/02-test_errstr.t
+++ b/test/recipes/02-test_errstr.t
@@ -139,7 +139,7 @@ sub match_opensslerr_reason {
$reason =~ s|\R$||;
$reason = ( split_error($reason) )[3];
-return match_any($reason, $errcode, @strings);
+return match_any($reason, $errcode_hex, @strings);
}
sub match_syserr_reason {
[openssl] master update
The branch master has been updated
via e7313323cc420e8dca2526578ae8a4a4d4d390be (commit)
via 3ae55288387a3ff9cf9b1cba2da22bd1aafbc66e (commit)
from 9350aaa41db8fcb0b55dadbd5fbe807ef5288557 (commit)
- Log -
commit e7313323cc420e8dca2526578ae8a4a4d4d390be
Author: Dr. David von Oheimb
Date: Fri Nov 19 11:12:09 2021 +0100
02-test_errstr.t: print errorcodes in hex (rather than decimal) format
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/17056)
commit 3ae55288387a3ff9cf9b1cba2da22bd1aafbc66e
Author: Dr. David von Oheimb
Date: Wed Nov 17 19:05:21 2021 +0100
Make ERR_str_reasons in err.c consistent again with err.h
Fixes printing generic reason strings, e.g., 'reason(524550)' vs. 'passed
an invalid argument'
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/17056)
---
Summary of changes:
crypto/err/err.c | 16 ++--
test/recipes/02-test_errstr.t | 2 +-
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 0f584fdf80..59ca4114db 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -80,6 +80,10 @@ static ERR_STRING_DATA ERR_str_libraries[] = {
{0, NULL},
};
+/*
+ * Should make sure that all ERR_R_ reasons defined in include/openssl/err.h.in
+ * are listed. For maintainability, please keep all reasons in the same order.
+ */
static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_SYS_LIB, "system lib"},
{ERR_R_BN_LIB, "BN lib"},
@@ -92,17 +96,16 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_DSA_LIB, "DSA lib"},
{ERR_R_X509_LIB, "X509 lib"},
{ERR_R_ASN1_LIB, "ASN1 lib"},
+{ERR_R_CRYPTO_LIB, "CRYPTO lib"},
{ERR_R_EC_LIB, "EC lib"},
{ERR_R_BIO_LIB, "BIO lib"},
{ERR_R_PKCS7_LIB, "PKCS7 lib"},
{ERR_R_X509V3_LIB, "X509V3 lib"},
{ERR_R_ENGINE_LIB, "ENGINE lib"},
{ERR_R_UI_LIB, "UI lib"},
-{ERR_R_OSSL_STORE_LIB, "STORE lib"},
{ERR_R_ECDSA_LIB, "ECDSA lib"},
-
-{ERR_R_NESTED_ASN1_ERROR, "nested asn1 error"},
-{ERR_R_MISSING_ASN1_EOS, "missing asn1 eos"},
+{ERR_R_OSSL_STORE_LIB, "OSSL_STORE lib"},
+{ERR_R_OSSL_DECODER_LIB, "OSSL_DECODER lib"},
{ERR_R_FATAL, "fatal"},
{ERR_R_MALLOC_FAILURE, "malloc failure"},
@@ -112,10 +115,12 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_INTERNAL_ERROR, "internal error"},
{ERR_R_DISABLED, "called a function that was disabled at compile-time"},
{ERR_R_INIT_FAIL, "init fail"},
+{ERR_R_PASSED_INVALID_ARGUMENT, "passed invalid argument"},
{ERR_R_OPERATION_FAIL, "operation fail"},
{ERR_R_INVALID_PROVIDER_FUNCTIONS, "invalid provider functions"},
{ERR_R_INTERRUPTED_OR_CANCELLED, "interrupted or cancelled"},
-
+{ERR_R_NESTED_ASN1_ERROR, "nested asn1 error"},
+{ERR_R_MISSING_ASN1_EOS, "missing asn1 eos"},
/*
* Something is unsupported, exactly what is expressed with additional data
*/
@@ -125,7 +130,6 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
* unsupported.
*/
{ERR_R_FETCH_FAILED, "fetch failed"},
-
{ERR_R_INVALID_PROPERTY_DEFINITION, "invalid property definition"},
{ERR_R_UNABLE_TO_GET_READ_LOCK, "unable to get read lock"},
{ERR_R_UNABLE_TO_GET_WRITE_LOCK, "unable to get write lock"},
diff --git a/test/recipes/02-test_errstr.t b/test/recipes/02-test_errstr.t
index 9427601292..396d273176 100644
--- a/test/recipes/02-test_errstr.t
+++ b/test/recipes/02-test_errstr.t
@@ -139,7 +139,7 @@ sub match_opensslerr_reason {
$reason =~ s|\R$||;
$reason = ( split_error($reason) )[3];
-return match_any($reason, $errcode, @strings);
+return match_any($reason, $errcode_hex, @strings);
}
sub match_syserr_reason {
[openssl] master update
The branch master has been updated
via 9350aaa41db8fcb0b55dadbd5fbe807ef5288557 (commit)
from 2349d7ba57c9327290df6f7bc18b7f0c3976ca9e (commit)
- Log -
commit 9350aaa41db8fcb0b55dadbd5fbe807ef5288557
Author: Dr. David von Oheimb
Date: Fri Nov 19 11:58:40 2021 +0100
ERR: exempt flags from fallback decimal reason code printing
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/17072)
---
Summary of changes:
crypto/err/err.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 60a9b02d19..0f584fdf80 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -527,7 +527,8 @@ void ossl_err_string_int(unsigned long e, const char *func,
}
#endif
if (rs == NULL) {
-BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)", r);
+BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)",
+ r & ~(ERR_RFLAGS_MASK << ERR_RFLAGS_OFFSET));
rs = rsbuf;
}
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via f4664e5d40f8736d301763b3e98d2ab0061e3a02 (commit)
from 24ba865cfc7c04fba813ecb86ac7c1b329e3305f (commit)
- Log -
commit f4664e5d40f8736d301763b3e98d2ab0061e3a02
Author: Dr. David von Oheimb
Date: Thu Nov 18 20:38:55 2021 +0100
HTTP client: workaround for #16028 (BIO_gets not supported by connect and
SSL BIOs)
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17066)
---
Summary of changes:
crypto/http/http_client.c | 23 ---
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index bb80836cd1..e5c8bcd33d 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -474,7 +474,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
long n;
size_t resp_len;
const unsigned char *p;
-char *key, *value, *line_end = NULL;
+char *buf, *key, *value, *line_end = NULL;
if (rctx == NULL) {
ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER);
@@ -487,11 +487,20 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
rctx->redirection_url = NULL;
next_io:
+buf = (char *)rctx->buf;
if ((rctx->state & OHS_NOREAD) == 0) {
-if (rctx->expect_asn1)
+if (rctx->expect_asn1) {
n = BIO_read(rctx->rbio, rctx->buf, rctx->buf_size);
-else
-n = BIO_gets(rctx->rbio, (char *)rctx->buf, rctx->buf_size);
+} else {
+(void)ERR_set_mark();
+n = BIO_gets(rctx->rbio, buf, rctx->buf_size);
+if (n == -2) { /* unsupported method */
+(void)ERR_pop_to_mark();
+n = BIO_get_line(rctx->rbio, buf, rctx->buf_size);
+} else {
+(void)ERR_clear_last_mark();
+}
+}
if (n <= 0) {
if (BIO_should_retry(rctx->rbio))
return -1;
@@ -592,7 +601,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
}
goto next_io;
}
-n = BIO_gets(rctx->mem, (char *)rctx->buf, rctx->buf_size);
+n = BIO_gets(rctx->mem, buf, rctx->buf_size);
if (n <= 0) {
if (BIO_should_retry(rctx->mem))
@@ -610,7 +619,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
/* First line */
if (rctx->state == OHS_FIRSTLINE) {
-switch (parse_http_line1((char *)rctx->buf, _keep_alive)) {
+switch (parse_http_line1(buf, _keep_alive)) {
case HTTP_STATUS_CODE_OK:
rctx->state = OHS_HEADERS;
goto next_line;
@@ -628,7 +637,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
return 0;
}
}
-key = (char *)rctx->buf;
+key = buf;
value = strchr(key, ':');
if (value != NULL) {
*(value++) = '\0';
[openssl] master update
uot;file:", 5) == 0) {
+} else if (CHECK_AND_SKIP_PREFIX(valp, "file:")) {
unsigned char buf[2048];
int n;
-BIO *b = BIO_new_file(val->value + 5, "r");
+BIO *b = BIO_new_file(valp, "r");
if (!b) {
ERR_raise(ERR_LIB_X509V3, ERR_R_BIO_LIB);
X509V3_conf_err(val);
@@ -194,8 +195,8 @@ static int process_pci_value(CONF_VALUE *val,
X509V3_conf_err(val);
goto err;
}
-} else if (strncmp(val->value, "text:", 5) == 0) {
-val_len = strlen(val->value + 5);
+} else if (CHECK_AND_SKIP_PREFIX(valp, "text:")) {
+val_len = strlen(valp);
tmp_data = OPENSSL_realloc((*policy)->data,
(*policy)->length + val_len + 1);
if (tmp_data) {
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index a70917a39b..5704820e50 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -704,7 +704,7 @@ static int wildcard_match(const unsigned char *prefix,
size_t prefix_len,
}
/* IDNA labels cannot match partial wildcards */
if (!allow_idna &&
-subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0)
+subject_len >= 4 && HAS_CASE_PREFIX((const char *)subject, "xn--"))
return 0;
/* The wildcard may match a literal '*' */
if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
@@ -764,7 +764,7 @@ static const unsigned char *valid_star(const unsigned char
*p, size_t len,
|| ('A' <= p[i] && p[i] <= 'Z')
|| ('0' <= p[i] && p[i] <= '9')) {
if ((state & LABEL_START) != 0
-&& len - i >= 4 && strncasecmp((char *)[i], "xn--", 4) == 0)
+&& len - i >= 4 && HAS_CASE_PREFIX((const char *)[i],
"xn--"))
state |= LABEL_IDNA;
state &= ~(LABEL_HYPHEN | LABEL_START);
} else if (p[i] == '.') {
diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c
index 74f297400b..59f19d329f 100644
--- a/engines/e_loader_attic.c
+++ b/engines/e_loader_attic.c
@@ -14,7 +14,7 @@
/* We need to use some engine deprecated APIs */
#define OPENSSL_SUPPRESS_DEPRECATED
-/* #include "e_os.h" */
+#include "../e_os.h" /* for stat and strncasecmp */
#include
#include
#include
@@ -42,11 +42,6 @@
DEFINE_STACK_OF(OSSL_STORE_INFO)
-#ifdef _WIN32
-# define stat _stat
-# define strncasecmp _strnicmp
-#endif
-
#ifndef S_ISDIR
# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
#endif
@@ -957,7 +952,7 @@ static OSSL_STORE_LOADER_CTX *file_open_ex
unsigned int check_absolute:1;
} path_data[2];
size_t path_data_n = 0, i;
-const char *path;
+const char *path, *p = uri, *q;
/*
* First step, just take the URI as is.
@@ -966,20 +961,18 @@ static OSSL_STORE_LOADER_CTX *file_open_ex
path_data[path_data_n++].path = uri;
/*
- * Second step, if the URI appears to start with the 'file' scheme,
+ * Second step, if the URI appears to start with the "file" scheme,
* extract the path and make that the second path to check.
* There's a special case if the URI also contains an authority, then
* the full URI shouldn't be used as a path anywhere.
*/
-if (strncasecmp(uri, "file:", 5) == 0) {
-const char *p = [5];
-
-if (strncmp([5], "//", 2) == 0) {
+if (CHECK_AND_SKIP_CASE_PREFIX(p, "file:")) {
+q = p;
+if (CHECK_AND_SKIP_PREFIX(q, "//")) {
path_data_n--; /* Invalidate using the full URI */
-if (strncasecmp([7], "localhost/", 10) == 0) {
-p = [16];
-} else if (uri[7] == '/') {
-p = [7];
+if (CHECK_AND_SKIP_CASE_PREFIX(q, "localhost/")
+|| CHECK_AND_SKIP_PREFIX(q, "/")) {
+p = q - 1;
} else {
ATTICerr(0, ATTIC_R_URI_AUTHORITY_UNSUPPORTED);
return NULL;
@@ -988,7 +981,7 @@ static OSSL_STORE_LOADER_CTX *file_open_ex
path_data[path_data_n].check_absolute = 1;
#ifdef _WIN32
-/* Windows file: URIs with a drive letter start with a / */
+/* Windows "file:" URIs with a drive letter start with a '/' */
if (p[0] == '/' && p[2] == ':' && p[3] == '/') {
char c = tolower(p[1]);
diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c
index df0805b197..19dda64d1f 100644
--- a/engines/e_ossltest.c
+++ b/engines/e_ossltest.c
@@ -27,6 +27,7 @@
#include
#include
+#inc
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 4bf976565294b883c980244c36fac326897fc261 (commit)
via 60665a68512d73a9ee3ef1914bf4f70808775479 (commit)
via 98501abe7315128068a7673fc72ac9b5a5032e1e (commit)
from 9723c07d94cd1e4eedfbfb86245360be57c3cf39 (commit)
- Log -
commit 4bf976565294b883c980244c36fac326897fc261
Author: Dr. David von Oheimb
Date: Fri Nov 12 12:51:44 2021 +0100
80-test_cmp_http: Make server diagnostics more verbose to aid debugging
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16051)
commit 60665a68512d73a9ee3ef1914bf4f70808775479
Author: Dr. David von Oheimb
Date: Fri Nov 12 12:48:29 2021 +0100
cmp_server.c: Log received request type before checking details
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16051)
commit 98501abe7315128068a7673fc72ac9b5a5032e1e
Author: Dr. David von Oheimb
Date: Mon Jul 12 14:17:04 2021 +0200
Fix verbosity of CMP client diagnostics
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16051)
---
Summary of changes:
apps/cmp.c | 29 +++---
crypto/cmp/cmp_server.c| 6 ++---
test/recipes/80-test_cmp_http_data/Mock/server.cnf | 2 ++
3 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index b6e88e64f6..119419c5ef 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -613,6 +613,12 @@ static int print_to_bio_out(const char *func, const char
*file, int line,
return OSSL_CMP_print_to_bio(bio_out, func, file, line, level, msg);
}
+static int print_to_bio_err(const char *func, const char *file, int line,
+OSSL_CMP_severity level, const char *msg)
+{
+return OSSL_CMP_print_to_bio(bio_err, func, file, line, level, msg);
+}
+
static int set_verbosity(int level)
{
if (level < OSSL_CMP_LOG_EMERG || level > OSSL_CMP_LOG_MAX) {
@@ -2067,16 +2073,16 @@ static int read_config(void)
long num = 0;
char *txt = NULL;
const OPTIONS *opt;
-int start = OPT_VERBOSITY;
+int start_opt = OPT_VERBOSITY - OPT_HELP;
+int start_idx = OPT_VERBOSITY - 2;
/*
* starting with offset OPT_VERBOSITY because OPT_CONFIG and OPT_SECTION
* would not make sense within the config file.
- * Moreover, these two options and OPT_VERBOSITY have already been handled.
*/
int n_options = OSSL_NELEM(cmp_options) - 1;
-for (i = start - OPT_HELP, opt = _options[start];
- opt->name; i++, opt++)
+for (opt = _options[start_opt], i = start_idx;
+ opt->name != NULL; i++, opt++)
if (!strcmp(opt->name, OPT_SECTION_STR)
|| !strcmp(opt->name, OPT_MORE_STR))
n_options--;
@@ -2084,8 +2090,8 @@ static int read_config(void)
+ OPT_PROV__FIRST + 1 - OPT_PROV__LAST
+ OPT_R__FIRST + 1 - OPT_R__LAST
+ OPT_V__FIRST + 1 - OPT_V__LAST);
-for (i = start - OPT_HELP, opt = _options[start];
- opt->name; i++, opt++) {
+for (opt = _options[start_opt], i = start_idx;
+ opt->name != NULL; i++, opt++) {
int provider_option = (OPT_PROV__FIRST <= opt->retval
&& opt->retval < OPT_PROV__LAST);
int rand_state_option = (OPT_R__FIRST <= opt->retval
@@ -2115,7 +2121,7 @@ static int read_config(void)
num, opt->name);
return -1;
}
-if (opt->valtype == 'N' && num <= 0) {
+if (opt->valtype == 'N' && num < 0) {
opt_printf_stderr("Negative number \"%ld\" for config option
-%s\n",
num, opt->name);
return -1;
@@ -2225,7 +2231,10 @@ static int get_opts(int argc, char **argv)
return -1;
case OPT_CONFIG: /* has already been handled */
case OPT_SECTION: /* has already been handled */
-case OPT_VERBOSITY: /* has already been handled */
+break;
+case OPT_VERBOSITY:
+if (!set_verbosity(opt_int_arg()))
+goto opthelp;
break;
case OPT_SERVER:
opt_server = opt_str();
@@ -2696,6 +2705,8 @@ int cmp_main(int argc, char **argv)
}
}
ret = read_config();
+if (!set_verbosity(opt_verbosity)) /* just for checking range */
+ret = -1;
if (ret <= 0) {
if (ret == -1)
BIO_printf(bio_err, "Use -help for summary.\n");
@@ -2749,7 +2760,7 @@ int cmp_main(int argc, char **argv)
goto err;
srv_cmp_ctx = OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx);
[openssl] master update
The branch master has been updated
via a6838c8d52087f2b0494bbab8486e10944aff7f7 (commit)
via ae8ff109c1d80399a6a1c9f50aa37381bc3a1c5f (commit)
via 92df52119eb33ea980e8f02f9cdfe194ad6c04e1 (commit)
from 7f6496275157f8e40f544f75a223c2c0dc6b389e (commit)
- Log -
commit a6838c8d52087f2b0494bbab8486e10944aff7f7
Author: Dr. David von Oheimb
Date: Fri Nov 12 12:51:44 2021 +0100
80-test_cmp_http: Make server diagnostics more verbose to aid debugging
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16051)
commit ae8ff109c1d80399a6a1c9f50aa37381bc3a1c5f
Author: Dr. David von Oheimb
Date: Fri Nov 12 12:48:29 2021 +0100
cmp_server.c: Log received request type before checking details
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16051)
commit 92df52119eb33ea980e8f02f9cdfe194ad6c04e1
Author: Dr. David von Oheimb
Date: Mon Jul 12 14:17:04 2021 +0200
Fix verbosity of CMP client diagnostics
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16051)
---
Summary of changes:
apps/cmp.c | 29 +++---
crypto/cmp/cmp_server.c| 6 ++---
test/recipes/80-test_cmp_http_data/Mock/server.cnf | 2 ++
3 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 1c97075531..ae3488553a 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -613,6 +613,12 @@ static int print_to_bio_out(const char *func, const char
*file, int line,
return OSSL_CMP_print_to_bio(bio_out, func, file, line, level, msg);
}
+static int print_to_bio_err(const char *func, const char *file, int line,
+OSSL_CMP_severity level, const char *msg)
+{
+return OSSL_CMP_print_to_bio(bio_err, func, file, line, level, msg);
+}
+
static int set_verbosity(int level)
{
if (level < OSSL_CMP_LOG_EMERG || level > OSSL_CMP_LOG_MAX) {
@@ -2068,16 +2074,16 @@ static int read_config(void)
long num = 0;
char *txt = NULL;
const OPTIONS *opt;
-int start = OPT_VERBOSITY;
+int start_opt = OPT_VERBOSITY - OPT_HELP;
+int start_idx = OPT_VERBOSITY - 2;
/*
* starting with offset OPT_VERBOSITY because OPT_CONFIG and OPT_SECTION
* would not make sense within the config file.
- * Moreover, these two options and OPT_VERBOSITY have already been handled.
*/
int n_options = OSSL_NELEM(cmp_options) - 1;
-for (i = start - OPT_HELP, opt = _options[start];
- opt->name; i++, opt++)
+for (opt = _options[start_opt], i = start_idx;
+ opt->name != NULL; i++, opt++)
if (!strcmp(opt->name, OPT_SECTION_STR)
|| !strcmp(opt->name, OPT_MORE_STR))
n_options--;
@@ -2085,8 +2091,8 @@ static int read_config(void)
+ OPT_PROV__FIRST + 1 - OPT_PROV__LAST
+ OPT_R__FIRST + 1 - OPT_R__LAST
+ OPT_V__FIRST + 1 - OPT_V__LAST);
-for (i = start - OPT_HELP, opt = _options[start];
- opt->name; i++, opt++) {
+for (opt = _options[start_opt], i = start_idx;
+ opt->name != NULL; i++, opt++) {
int provider_option = (OPT_PROV__FIRST <= opt->retval
&& opt->retval < OPT_PROV__LAST);
int rand_state_option = (OPT_R__FIRST <= opt->retval
@@ -2116,7 +2122,7 @@ static int read_config(void)
num, opt->name);
return -1;
}
-if (opt->valtype == 'N' && num <= 0) {
+if (opt->valtype == 'N' && num < 0) {
opt_printf_stderr("Negative number \"%ld\" for config option
-%s\n",
num, opt->name);
return -1;
@@ -2226,7 +2232,10 @@ static int get_opts(int argc, char **argv)
return -1;
case OPT_CONFIG: /* has already been handled */
case OPT_SECTION: /* has already been handled */
-case OPT_VERBOSITY: /* has already been handled */
+break;
+case OPT_VERBOSITY:
+if (!set_verbosity(opt_int_arg()))
+goto opthelp;
break;
case OPT_SERVER:
opt_server = opt_str();
@@ -2697,6 +2706,8 @@ int cmp_main(int argc, char **argv)
}
}
ret = read_config();
+if (!set_verbosity(opt_verbosity)) /* just for checking range */
+ret = -1;
if (ret <= 0) {
if (ret == -1)
BIO_printf(bio_err, "Use -help for summary.\n");
@@ -2750,7 +2761,7 @@ int cmp_main(int argc, char **argv)
goto err;
srv_cmp_ctx = OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx);
[openssl] master update
The branch master has been updated
via 00cf3a2d30fc7642bf9f816a7c545115985a8c0c (commit)
via adbd77f6d7cc4efb7b4bde483036fab8e48ce870 (commit)
from b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (commit)
- Log -
commit 00cf3a2d30fc7642bf9f816a7c545115985a8c0c
Author: Dr. David von Oheimb
Date: Tue Aug 24 09:31:53 2021 +0200
25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl.
self-signed) certs
Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/16342)
commit adbd77f6d7cc4efb7b4bde483036fab8e48ce870
Author: Dr. David von Oheimb
Date: Tue Aug 17 23:13:28 2021 +0200
X509: Fix handling of AKID and SKID extensions according to configuration
Fixes #16300
Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/16342)
---
Summary of changes:
apps/ca.c | 11 +++-
apps/include/apps.h | 1 +
apps/lib/apps.c | 20 --
apps/pkcs12.c | 2 +-
apps/req.c | 4 +-
apps/x509.c | 4 ++
crypto/x509/v3_akid.c | 13 ++--
crypto/x509/v3_conf.c | 18 -
doc/man5/x509v3_config.pod | 1 +
test/certs/ext-check.csr| 23 ++-
test/recipes/25-test_req.t | 157 +---
test/recipes/tconversion.pl | 3 +-
12 files changed, 199 insertions(+), 58 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 24883615ed..1e77bf50c5 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1709,7 +1709,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509
*x509,
/* Initialize the context structure */
X509V3_set_ctx(_ctx, selfsign ? ret : x509,
- ret, req, NULL, X509V3_CTX_REPLACE);
+ ret, NULL /* no need to give req, needed info is in ret */,
+ NULL, X509V3_CTX_REPLACE);
+/* prepare fallback for AKID, but only if issuer cert equals subject cert
*/
+if (selfsign) {
+if (!X509V3_set_issuer_pkey(_ctx, pkey))
+goto end;
+if (!cert_matches_key(ret, pkey))
+BIO_printf(bio_err,
+ "Warning: Signature key and public key of cert do not
match\n");
+}
/* Lets add the extensions, if there are any */
if (ext_sect) {
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 9d5db16600..6018a83ca4 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -247,6 +247,7 @@ int x509_req_ctrl_string(X509_REQ *x, const char *value);
int init_gen_str(EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq);
+int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey);
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index b15abac857..82eeaea249 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2224,8 +2224,8 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX
*ext_ctx,
idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1);
if (idx >= 0) {
X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx);
-ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext);
-int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */
+ASN1_OCTET_STRING *encoded = X509_EXTENSION_get_data(found_ext);
+int disabled = ASN1_STRING_length(encoded) <= 2; /* indicating "none"
*/
if (disabled) {
X509_delete_ext(cert, idx);
@@ -2239,6 +2239,16 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX
*ext_ctx,
return rv;
}
+int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey)
+{
+int match;
+
+ERR_set_mark();
+match = X509_check_private_key(cert, pkey);
+ERR_pop_to_mark();
+return match;
+}
+
/* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info
*/
int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx)
@@ -2254,16 +2264,14 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char
*md,
goto end;
/*
- * Add default SKID before such that default AKID can make use of it
+ * Add default SKID before AKID such that AKID can make use of it
* in case the certificate is self-signed
*/
/* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */
if (!adapt_keyid_ext(cert,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via f6d4ab9295a173c81e6fe4185ec62533d91b0c6d (commit)
from a075c882641782a6ee94a9123c72b47891a8cf28 (commit)
- Log -
commit f6d4ab9295a173c81e6fe4185ec62533d91b0c6d
Author: Dr. David von Oheimb
Date: Fri Aug 27 11:34:23 2021 +0200
APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()
Fixes #16300
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16442)
(cherry picked from commit 9bf1061c44c81059102cd4749f6078b6ce71da9d)
---
Summary of changes:
apps/x509.c| 7 ++-
crypto/x509/v3_akid.c | 25 +++--
doc/man5/x509v3_config.pod | 11 +++
test/recipes/25-test_req.t | 2 +-
4 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 203ce919ba..2880ae792a 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -816,7 +816,12 @@ int x509_main(int argc, char **argv)
goto end;
}
-X509V3_set_ctx(_ctx, issuer_cert, x, req, NULL, X509V3_CTX_REPLACE);
+X509V3_set_ctx(_ctx, issuer_cert, x, NULL, NULL, X509V3_CTX_REPLACE);
+/* prepare fallback for AKID, but only if issuer cert equals subject cert
*/
+if (CAfile == NULL) {
+if (!X509V3_set_issuer_pkey(_ctx, privkey))
+goto end;
+}
if (extconf != NULL && !x509toreq) {
X509V3_set_nconf(_ctx, extconf);
if (!X509V3_EXT_add_nconf(extconf, _ctx, extsect, x)) {
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 5abd35d644..43b515f50c 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -107,6 +107,7 @@ static AUTHORITY_KEYID
*v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
ASN1_INTEGER *serial = NULL;
X509_EXTENSION *ext;
X509 *issuer_cert;
+int same_issuer, ss;
AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new();
if (akeyid == NULL)
@@ -144,14 +145,26 @@ static AUTHORITY_KEYID
*v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
goto err;
}
-
-if (keyid != 0) {
-/* prefer any pre-existing subject key identifier of the issuer cert */
+same_issuer = ctx->subject_cert == ctx->issuer_cert;
+ERR_set_mark();
+if (ctx->issuer_pkey != NULL)
+ss = X509_check_private_key(ctx->subject_cert, ctx->issuer_pkey);
+else
+ss = same_issuer;
+ERR_pop_to_mark();
+
+/* unless forced with "always", AKID is suppressed for self-signed certs */
+if (keyid == 2 || (keyid == 1 && !ss)) {
+/*
+ * prefer any pre-existing subject key identifier of the issuer cert
+ * except issuer cert is same as subject cert and is not self-signed
+ */
i = X509_get_ext_by_NID(issuer_cert, NID_subject_key_identifier, -1);
-if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL)
+if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL
+&& !(same_issuer && !ss))
ikeyid = X509V3_EXT_d2i(ext);
-if (ikeyid == NULL && ctx->issuer_pkey != NULL) { /* fallback */
-/* generate AKID from scratch, emulating s2i_skey_id(..., "hash")
*/
+if (ikeyid == NULL && same_issuer && ctx->issuer_pkey != NULL) {
+/* generate fallback AKID, emulating s2i_skey_id(..., "hash") */
X509_PUBKEY *pubkey = NULL;
if (X509_PUBKEY_set(, ctx->issuer_pkey))
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index 1d4c4dc3ae..2a3afee27f 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -194,13 +194,16 @@ Otherwise it may have the value B or B
or both of them, separated by C<,>.
Either or both can have the option B,
indicated by putting a colon C<:> between the value and this option.
+For self-signed certificates the AKID is suppressed unless B is
present.
By default the B, B, and B apps behave as if
"none" was given for self-signed certificates and "keyid, issuer" otherwise.
-If B is present, an attempt is made to compute the hash of the public
key
-corresponding to the signing key in case the certificate is self-signed,
-or else to copy the subject key identifier (SKID) from the issuer certificate.
-If this fails and the option B is present, an error is returned.
+If B is present, an attempt is made to
+copy the subject key identifier (SKID) from the issuer certificate except if
+the issuer certificate is the same as the current one and it is not
self-signed.
+The hash of the public key related to the signing key is taken as fallback
+if the issuer certificate is the same as the current certificate.
+If B is present but no value can be obtained, an error is returned.
If B is present, and in addition it has the option B specified
or B is not
[openssl] master update
The branch master has been updated
via 9bf1061c44c81059102cd4749f6078b6ce71da9d (commit)
from 03ee2e5b1ecd1832d99d07fc459ecf62f5a0b168 (commit)
- Log -
commit 9bf1061c44c81059102cd4749f6078b6ce71da9d
Author: Dr. David von Oheimb
Date: Fri Aug 27 11:34:23 2021 +0200
APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()
Fixes #16300
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16442)
---
Summary of changes:
apps/x509.c| 7 ++-
crypto/x509/v3_akid.c | 25 +++--
doc/man5/x509v3_config.pod | 11 +++
test/recipes/25-test_req.t | 2 +-
4 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 1f8a157c0e..b88fb4f5ea 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -822,7 +822,12 @@ int x509_main(int argc, char **argv)
goto end;
}
-X509V3_set_ctx(_ctx, issuer_cert, x, req, NULL, X509V3_CTX_REPLACE);
+X509V3_set_ctx(_ctx, issuer_cert, x, NULL, NULL, X509V3_CTX_REPLACE);
+/* prepare fallback for AKID, but only if issuer cert equals subject cert
*/
+if (CAfile == NULL) {
+if (!X509V3_set_issuer_pkey(_ctx, privkey))
+goto end;
+}
if (extconf != NULL && !x509toreq) {
X509V3_set_nconf(_ctx, extconf);
if (!X509V3_EXT_add_nconf(extconf, _ctx, extsect, x)) {
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 5abd35d644..43b515f50c 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -107,6 +107,7 @@ static AUTHORITY_KEYID
*v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
ASN1_INTEGER *serial = NULL;
X509_EXTENSION *ext;
X509 *issuer_cert;
+int same_issuer, ss;
AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new();
if (akeyid == NULL)
@@ -144,14 +145,26 @@ static AUTHORITY_KEYID
*v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
goto err;
}
-
-if (keyid != 0) {
-/* prefer any pre-existing subject key identifier of the issuer cert */
+same_issuer = ctx->subject_cert == ctx->issuer_cert;
+ERR_set_mark();
+if (ctx->issuer_pkey != NULL)
+ss = X509_check_private_key(ctx->subject_cert, ctx->issuer_pkey);
+else
+ss = same_issuer;
+ERR_pop_to_mark();
+
+/* unless forced with "always", AKID is suppressed for self-signed certs */
+if (keyid == 2 || (keyid == 1 && !ss)) {
+/*
+ * prefer any pre-existing subject key identifier of the issuer cert
+ * except issuer cert is same as subject cert and is not self-signed
+ */
i = X509_get_ext_by_NID(issuer_cert, NID_subject_key_identifier, -1);
-if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL)
+if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL
+&& !(same_issuer && !ss))
ikeyid = X509V3_EXT_d2i(ext);
-if (ikeyid == NULL && ctx->issuer_pkey != NULL) { /* fallback */
-/* generate AKID from scratch, emulating s2i_skey_id(..., "hash")
*/
+if (ikeyid == NULL && same_issuer && ctx->issuer_pkey != NULL) {
+/* generate fallback AKID, emulating s2i_skey_id(..., "hash") */
X509_PUBKEY *pubkey = NULL;
if (X509_PUBKEY_set(, ctx->issuer_pkey))
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index 1d4c4dc3ae..2a3afee27f 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -194,13 +194,16 @@ Otherwise it may have the value B or B
or both of them, separated by C<,>.
Either or both can have the option B,
indicated by putting a colon C<:> between the value and this option.
+For self-signed certificates the AKID is suppressed unless B is
present.
By default the B, B, and B apps behave as if
"none" was given for self-signed certificates and "keyid, issuer" otherwise.
-If B is present, an attempt is made to compute the hash of the public
key
-corresponding to the signing key in case the certificate is self-signed,
-or else to copy the subject key identifier (SKID) from the issuer certificate.
-If this fails and the option B is present, an error is returned.
+If B is present, an attempt is made to
+copy the subject key identifier (SKID) from the issuer certificate except if
+the issuer certificate is the same as the current one and it is not
self-signed.
+The hash of the public key related to the signing key is taken as fallback
+if the issuer certificate is the same as the current certificate.
+If B is present but no value can be obtained, an error is returned.
If B is present, and in addition it has the option B specified
or B is not present,
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index
[openssl] master update
The branch master has been updated via 03ee2e5b1ecd1832d99d07fc459ecf62f5a0b168 (commit) from 4ce64ed79d301939c7f2844a9e5e5fdd2033605f (commit) - Log - commit 03ee2e5b1ecd1832d99d07fc459ecf62f5a0b168 Author: Dr. David von Oheimb Date: Wed Nov 3 18:41:07 2021 +0100 APPS/cmp: make the -sans option support email addresses (type rfc822Name) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16960) --- Summary of changes: apps/cmp.c | 3 ++- doc/man1/openssl-cmp.pod.in | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index b6e88e64f6..1c97075531 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -836,11 +836,12 @@ static int set_gennames(OSSL_CMP_CTX *ctx, char *names, const char *desc) continue; } -/* try IP address first, then URI or domain name */ +/* try IP address first, then email/URI/domain name */ (void)ERR_set_mark(); n = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_IPADD, names, 0); if (n == NULL) n = a2i_GENERAL_NAME(NULL, NULL, NULL, + strchr(names, '@') != NULL ? GEN_EMAIL : strchr(names, ':') != NULL ? GEN_URI : GEN_DNS, names, 0); (void)ERR_pop_to_mark(); diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index b4c3c82255..58e9bd7dda 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -312,7 +312,8 @@ contained the given PKCS#10 CSR, overriding any extensions with same OIDs. =item B<-sans> I -One or more IP addresses, DNS names, or URIs separated by commas or whitespace +One or more IP addresses, email addresses, DNS names, or URIs +separated by commas or whitespace (where in the latter case the whole argument must be enclosed in "...") to add as Subject Alternative Name(s) (SAN) certificate request extension. If the special element "critical" is given the SANs are flagged as critical.
