Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: open...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: sebast...@breakpoint.cc
Severity: normal

This is an update of the openssl package to the 3.0.11 version, a patch
release (bug and security fixes). This version contains no security
updates.
The 3.0.11 version has been in unstable since 2023-09-19. The migration to
testing was delayed due to a "bug" in the testsuite of another package
which led to CI failures. Once this was fixed, both packages
migrated. The package causing the delay is not part of bookworm. I am
not aware of any other fallout.

Sebastian
diff -Nru openssl-3.0.10/apps/cmp.c openssl-3.0.11/apps/cmp.c
--- openssl-3.0.10/apps/cmp.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/apps/cmp.c	2023-09-19 15:02:31.000000000 +0200
@@ -2512,7 +2512,7 @@
             }
             break;
         case OPT_CSR:
-            opt_csr = opt_arg();
+            opt_csr = opt_str();
             break;
         case OPT_OUT_TRUSTED:
             opt_out_trusted = opt_str();
diff -Nru openssl-3.0.10/apps/lib/apps.c openssl-3.0.11/apps/lib/apps.c
--- openssl-3.0.10/apps/lib/apps.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/apps/lib/apps.c	2023-09-19 15:02:31.000000000 +0200
@@ -944,7 +944,7 @@
         BIO *bio;
 
         if (!maybe_stdin) {
-            BIO_printf(bio_err, "No filename or uri specified for loading");
+            BIO_printf(bio_err, "No filename or uri specified for loading\n");
             goto end;
         }
         uri = "<stdin>";
@@ -960,10 +960,8 @@
         ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata,
                                  params, NULL, NULL);
     }
-    if (ctx == NULL) {
-        BIO_printf(bio_err, "Could not open file or uri for loading");
+    if (ctx == NULL)
         goto end;
-    }
     if (expect > 0 && !OSSL_STORE_expect(ctx, expect))
         goto end;
 
@@ -1948,16 +1946,17 @@
         nid = OBJ_txt2nid(typestr);
         if (nid == NID_undef) {
             BIO_printf(bio_err,
-                       "%s: Skipping unknown %s name attribute \"%s\"\n",
+                       "%s warning: Skipping unknown %s name attribute \"%s\"\n",
                        opt_getprog(), desc, typestr);
             if (ismulti)
                 BIO_printf(bio_err,
-                           "Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n");
+                           "%s hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n",
+                           opt_getprog());
             continue;
         }
         if (*valstr == '\0') {
             BIO_printf(bio_err,
-                       "%s: No value provided for %s name attribute \"%s\", skipped\n",
+                       "%s warning: No value provided for %s name attribute \"%s\", skipped\n",
                        opt_getprog(), desc, typestr);
             continue;
         }
diff -Nru openssl-3.0.10/apps/req.c openssl-3.0.11/apps/req.c
--- openssl-3.0.10/apps/req.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/apps/req.c	2023-09-19 15:02:31.000000000 +0200
@@ -990,10 +990,10 @@
         else
             tpubkey = X509_REQ_get0_pubkey(req);
         if (tpubkey == NULL) {
-            fprintf(stdout, "Modulus is unavailable\n");
+            BIO_puts(bio_err, "Modulus is unavailable\n");
             goto end;
         }
-        fprintf(stdout, "Modulus=");
+        BIO_puts(out, "Modulus=");
         if (EVP_PKEY_is_a(tpubkey, "RSA") || EVP_PKEY_is_a(tpubkey, "RSA-PSS")) {
             BIGNUM *n = NULL;
 
@@ -1002,9 +1002,9 @@
             BN_print(out, n);
             BN_free(n);
         } else {
-            fprintf(stdout, "Wrong Algorithm type");
+            BIO_puts(out, "Wrong Algorithm type");
         }
-        fprintf(stdout, "\n");
+        BIO_puts(out, "\n");
     }
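Review bot: "Wrong Algorithm type" on the new side (the `BIO_puts(out, ...)` replacing line 97) is a diagnostic, but it is now written to `out`, so with `-out` it ends up in the output file on the partially written `Modulus=` line, whereas the comparable "Modulus is unavailable" a few lines above goes to `bio_err`. Routing the diagnostic to the error stream keeps the output file clean: `BIO_puts(bio_err, "Wrong Algorithm type\n");` while the trailing `BIO_puts(out, "\n");` can stay to terminate the `Modulus=` line. The return values of `BIO_puts` remain unchecked, as the `fprintf` calls were before. The enclosing function continues outside this hunk.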
 
     if (!noout && !gen_x509) {
diff -Nru openssl-3.0.10/apps/s_server.c openssl-3.0.11/apps/s_server.c
--- openssl-3.0.10/apps/s_server.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/apps/s_server.c	2023-09-19 15:02:31.000000000 +0200
@@ -789,7 +789,7 @@
      "second server certificate chain file in PEM format"},
     {"dkey", OPT_DKEY, '<',
      "Second private key file to use (usually for DSA)"},
-    {"dkeyform", OPT_DKEYFORM, 'F',
+    {"dkeyform", OPT_DKEYFORM, 'f',
      "Second key file format (ENGINE, other values ignored)"},
     {"dpass", OPT_DPASS, 's',
      "Second private key and cert file pass phrase source"},
diff -Nru openssl-3.0.10/appveyor.yml openssl-3.0.11/appveyor.yml
--- openssl-3.0.10/appveyor.yml	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/appveyor.yml	1970-01-01 01:00:00.000000000 +0100
@@ -1,82 +0,0 @@
-image:
-    - Visual Studio 2017
-
-platform:
-    - x64
-    - x86
-
-environment:
-    fast_finish: true
-    matrix:
-        - VSVER: 15
-
-configuration:
-    - shared
-    - minimal
-
-for:
-    -
-        branches:
-            only:
-                - master
-        configuration:
-            - shared
-            - plain
-            - minimal
-
-before_build:
-    - ps: >-
-        Install-Module VSSetup -Scope CurrentUser
-    - ps: >-
-        Get-VSSetupInstance -All
-    - ps: >-
-        If ($env:Platform -Match "x86") {
-            $env:VCVARS_PLATFORM="x86"
-            $env:TARGET="VC-WIN32 no-asm --strict-warnings"
-        } Else {
-            $env:VCVARS_PLATFORM="amd64"
-            $env:TARGET="VC-WIN64A-masm"
-        }
-    - ps: >-
-        If ($env:Configuration -Match "shared") {
-            $env:CONFIG_OPTS="enable-fips"
-        } ElseIf ($env:Configuration -Match "minimal") {
-            $env:CONFIG_OPTS="no-bulk no-asm -DOPENSSL_SMALL_FOOTPRINT"
-        } Else {
-            $env:CONFIG_OPTS="no-fips no-shared"
-        }
-    - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM%
-    - mkdir _build
-    - cd _build
-    - perl ..\Configure %TARGET% no-makedepend %CONFIG_OPTS%
-    - perl configdata.pm --dump
-    - cd ..
-    - ps: >-
-        If ($env:BUILDONLY -or $env:MAKEVERBOSE) {
-            $env:NMAKE="nmake"
-        } Else {
-            $env:NMAKE="nmake /S"
-        }
-    - ps: >-
-        gci env:* | sort-object name
-
-build_script:
-    - cd _build
-    - "%NMAKE% build_all_generated"
-    - "%NMAKE% PERL=no-perl"
-    - cd ..
-
-test_script:
-    - cd _build
-    - ps: >-
-        if ($env:Configuration -Match "plain") {
-            cmd /c "%NMAKE% test VERBOSE_FAILURE=yes 2>&1"
-        } Else {
-            cmd /c "%NMAKE% test VERBOSE_FAILURE=yes TESTS=-test_fuzz 2>&1"
-        }
-    - ps: >-
-        if ($env:Configuration -Match "shared") {
-            mkdir ..\_install
-            cmd /c "%NMAKE% install DESTDIR=..\_install 2>&1"
-        }
-    - cd ..
diff -Nru openssl-3.0.10/CHANGES.md openssl-3.0.11/CHANGES.md
--- openssl-3.0.10/CHANGES.md	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/CHANGES.md	2023-09-19 15:02:31.000000000 +0200
@@ -28,6 +28,30 @@
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
+### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
+
+ * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+
+   The POLY1305 MAC (message authentication code) implementation in OpenSSL
+   does not save the contents of non-volatile XMM registers on Windows 64
+   platform when calculating the MAC of data larger than 64 bytes. Before
+   returning to the caller all the XMM registers are set to zero rather than
+   restoring their previous content. The vulnerable code is used only on newer
+   x86_64 processors supporting the AVX512-IFMA instructions.
+
+   The consequences of this kind of internal application state corruption can
+   be various - from no consequences, if the calling application does not
+   depend on the contents of non-volatile XMM registers at all, to the worst
+   consequences, where the attacker could get complete control of the
+   application process. However given the contents of the registers are just
+   zeroized so the attacker cannot put arbitrary values inside, the most likely
+   consequence, if any, would be an incorrect result of some application
+   dependent calculations or a crash leading to a denial of service.
+
+   ([CVE-2023-4807])
+
+   *Bernd Edlinger*
+
 ### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
 
  * Fix excessive time spent checking DH q parameter value.
@@ -19708,6 +19732,7 @@
 
 <!-- Links -->
 
+[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
diff -Nru openssl-3.0.10/Configurations/10-main.conf openssl-3.0.11/Configurations/10-main.conf
--- openssl-3.0.10/Configurations/10-main.conf	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/Configurations/10-main.conf	2023-09-19 15:02:31.000000000 +0200
@@ -9,19 +9,22 @@
             $vc_win64a_info = { AS        => "nasm",
                                 ASFLAGS   => "-g",
                                 asflags   => "-Ox -f win64 -DNEAR",
-                                asoutflag => "-o " };
+                                asoutflag => "-o ",
+                                perlasm_scheme => "nasm" };
         } elsif ($disabled{asm}) {
             # assembler is still used to compile uplink shim
             $vc_win64a_info = { AS        => "ml64",
                                 ASFLAGS   => "/nologo /Zi",
                                 asflags   => "/c /Cp /Cx",
-                                asoutflag => "/Fo" };
+                                asoutflag => "/Fo",
+                                perlasm_scheme => "masm" };
         } else {
             $die->("NASM not found - make sure it's installed and available on %PATH%\n");
             $vc_win64a_info = { AS        => "{unknown}",
                                 ASFLAGS   => "",
                                 asflags   => "",
-                                asoutflag => "" };
+                                asoutflag => "",
+                                perlasm_scheme => "auto" };
         }
     }
     return $vc_win64a_info;
@@ -1416,7 +1419,7 @@
         sys_id           => "WIN64A",
         uplink_arch      => 'x86_64',
         asm_arch         => 'x86_64',
-        perlasm_scheme   => "auto",
+        perlasm_scheme   => sub { vc_win64a_info()->{perlasm_scheme} },
         multilib         => "-x64",
     },
     "VC-WIN32" => {
diff -Nru openssl-3.0.10/Configurations/README.md openssl-3.0.11/Configurations/README.md
--- openssl-3.0.10/Configurations/README.md	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/Configurations/README.md	2023-09-19 15:02:31.000000000 +0200
@@ -233,8 +233,14 @@
                                                 is ILP32;
                            RC4_CHAR             RC4 key schedule is made
                                                 up of 'unsigned char's;
+                                                Note: should not be used
+                                                for new configuration
+                                                targets
                            RC4_INT              RC4 key schedule is made
                                                 up of 'unsigned int's;
+                                                Note: should not be used
+                                                for new configuration
+                                                targets
 
 [1] as part of the target configuration, one can have a key called
   `inherit_from` that indicates what other configurations to inherit
diff -Nru openssl-3.0.10/crypto/asn1/asn1_gen.c openssl-3.0.11/crypto/asn1/asn1_gen.c
--- openssl-3.0.10/crypto/asn1/asn1_gen.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/asn1/asn1_gen.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -698,9 +698,12 @@
             atmp->value.asn1_string->data = rdata;
             atmp->value.asn1_string->length = rdlen;
             atmp->value.asn1_string->type = utype;
-        } else if (format == ASN1_GEN_FORMAT_ASCII)
-            ASN1_STRING_set(atmp->value.asn1_string, str, -1);
-        else if ((format == ASN1_GEN_FORMAT_BITLIST)
+        } else if (format == ASN1_GEN_FORMAT_ASCII) {
+            if (!ASN1_STRING_set(atmp->value.asn1_string, str, -1)) {
+                ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
+                goto bad_str;
+            }
+        } else if ((format == ASN1_GEN_FORMAT_BITLIST)
                  && (utype == V_ASN1_BIT_STRING)) {
             if (!CONF_parse_list
                 (str, ',', 1, bitstr_cb, atmp->value.bit_string)) {
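Review bot: The new error path raises `ERR_R_MALLOC_FAILURE` for any zero return from `ASN1_STRING_set`, but that function, as far as I recall, also rejects over-long input and already records its own allocation failure, so the queue may end up with a duplicate or a misleading reason. A library-level reason such as `ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);` would describe the failure without asserting a cause the caller cannot see. The `bad_str` label this jumps to is outside the hunk, so the cleanup it performs cannot be checked here.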
diff -Nru openssl-3.0.10/crypto/asn1/a_strnid.c openssl-3.0.11/crypto/asn1/a_strnid.c
--- openssl-3.0.10/crypto/asn1/a_strnid.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/asn1/a_strnid.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -129,8 +129,10 @@
     int idx;
     ASN1_STRING_TABLE fnd;
 
+#ifndef OPENSSL_NO_AUTOLOAD_CONFIG
     /* "stable" can be impacted by config, so load the config file first */
     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
 
     fnd.nid = nid;
     if (stable) {
diff -Nru openssl-3.0.10/crypto/chacha/asm/chacha-ia64.pl openssl-3.0.11/crypto/chacha/asm/chacha-ia64.pl
--- openssl-3.0.10/crypto/chacha/asm/chacha-ia64.pl	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/chacha/asm/chacha-ia64.pl	2023-09-19 15:02:31.000000000 +0200
@@ -46,6 +46,8 @@
 	ADDP		@k[11]=4,$key
 	.save		ar.lc,r3
 	mov		r3=ar.lc		}
+{ .mmi;	ADDP		$out=0,$out
+	ADDP		$inp=0,$inp		}
 { .mmi;	ADDP		$key=0,$key
 	ADDP		$counter=0,$counter
 	.save		pr,r14
diff -Nru openssl-3.0.10/crypto/cmp/cmp_asn.c openssl-3.0.11/crypto/cmp/cmp_asn.c
--- openssl-3.0.10/crypto/cmp/cmp_asn.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/cmp/cmp_asn.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
@@ -188,22 +188,22 @@
     return 0;
 }
 
-/* get ASN.1 encoded integer, return -1 on error */
+/* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */
 int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
 {
     int64_t res;
 
     if (!ASN1_INTEGER_get_int64(&res, a)) {
         ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
-        return -1;
+        return -2;
     }
     if (res < INT_MIN) {
         ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
-        return -1;
+        return -2;
     }
     if (res > INT_MAX) {
         ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
-        return -1;
+        return -2;
     }
     return (int)res;
 }
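Review bot: Changing the error return of `ossl_cmp_asn1_get_int` from -1 to -2 makes -2 an in-band sentinel: a genuinely encoded INTEGER with value -2 is now indistinguishable from a decode failure, and every existing caller that still tests `== -1` (or treats any negative value as an error) silently changes meaning. The updated comment documents the new contract, but a named constant would make the intent visible at each call site, e.g. `#define OSSL_CMP_ASN1_GET_INT_ERROR (-2)` (a proposed name, not an existing one) used in the three `return` statements and in the callers patched in cmp_client.c and cmp_status.c below. A grep for other callers of this function across the tree is worth doing before accepting this hunk.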
diff -Nru openssl-3.0.10/crypto/cmp/cmp_client.c openssl-3.0.11/crypto/cmp/cmp_client.c
--- openssl-3.0.10/crypto/cmp/cmp_client.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/cmp/cmp_client.c	2023-09-19 15:02:31.000000000 +0200
@@ -584,7 +584,7 @@
         return 0;
     if (rid == OSSL_CMP_CERTREQID_NONE) { /* used for OSSL_CMP_PKIBODY_P10CR */
         rid = ossl_cmp_asn1_get_int(crep->certReqId);
-        if (rid != OSSL_CMP_CERTREQID_NONE) {
+        if (rid < OSSL_CMP_CERTREQID_NONE) {
             ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
             return 0;
         }
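Review bot: Replacing `rid != OSSL_CMP_CERTREQID_NONE` with `rid < OSSL_CMP_CERTREQID_NONE` does more than accommodate the new -2 error sentinel from `ossl_cmp_asn1_get_int`: it also stops rejecting a P10CR response whose `certReqId` is any non-negative value, since only the error sentinel is now below -1. If the intent was purely to distinguish a decode error from the legitimate -1, the original inequality would have kept working and only the error value changed; if accepting arbitrary request ids for P10CR is deliberate, the comment on the `if` line should say so, e.g. `/* any certReqId is tolerated for P10CR; only a decode error (-2) is rejected */`. The enclosing function begins outside this hunk.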
diff -Nru openssl-3.0.10/crypto/cmp/cmp_status.c openssl-3.0.11/crypto/cmp/cmp_status.c
--- openssl-3.0.10/crypto/cmp/cmp_status.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/cmp/cmp_status.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
@@ -30,9 +30,12 @@
 
 int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si)
 {
+    int res ;
+
     if (!ossl_assert(si != NULL && si->status != NULL))
         return -1;
-    return ossl_cmp_asn1_get_int(si->status);
+    res = ossl_cmp_asn1_get_int(si->status);
+    return res == -2 ? -1 : res;
 }
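Review bot: The new declaration `int res ;` carries a stray space before the semicolon; it should read `int res;` to match the surrounding code. The mapping `res == -2 ? -1 : res` preserves the function's documented "-1 on error" behaviour for callers while the underlying helper now returns -2, but that relationship is only visible if the reader also has cmp_asn.c open, so a one-line comment such as `/* ossl_cmp_asn1_get_int() signals errors with -2; this function reports -1 */` would help.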
 
 const char *ossl_cmp_PKIStatus_to_string(int status)
diff -Nru openssl-3.0.10/crypto/cms/cms_env.c openssl-3.0.11/crypto/cms/cms_env.c
--- openssl-3.0.10/crypto/cms/cms_env.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/cms/cms_env.c	2023-09-19 15:02:31.000000000 +0200
@@ -26,7 +26,7 @@
 #define CMS_ENVELOPED_STANDARD 1
 #define CMS_ENVELOPED_AUTH     2
 
-static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
+static int cms_get_enveloped_type_simple(const CMS_ContentInfo *cms)
 {
     int nid = OBJ_obj2nid(cms->contentType);
 
@@ -38,11 +38,28 @@
         return CMS_ENVELOPED_AUTH;
 
     default:
-        ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
         return 0;
     }
 }
 
+static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
+{
+    int ret = cms_get_enveloped_type_simple(cms);
+
+    if (ret == 0)
+        ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
+    return ret;
+}
+
+void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf)
+{
+    if (cms_get_enveloped_type_simple(cinf) != 0) {
+        CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cinf);
+        if (ec != NULL)
+            OPENSSL_clear_free(ec->key, ec->keylen);
+    }
+}
+
 CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms)
 {
     if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
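Review bot: `ossl_cms_env_enc_content_free` clears and frees `ec->key` but leaves `ec->key` and `ec->keylen` unchanged, so the structure holds a dangling pointer with a non-zero length after the call. That is harmless for the one caller in cms_lib.c, which immediately frees the whole object, but the function is exported through cms_local.h as a general helper, and a second caller would risk a double free. Resetting the fields after the free costs two lines: `ec->key = NULL;` and `ec->keylen = 0;`.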
diff -Nru openssl-3.0.10/crypto/cms/cms_lib.c openssl-3.0.11/crypto/cms/cms_lib.c
--- openssl-3.0.10/crypto/cms/cms_lib.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/cms/cms_lib.c	2023-09-19 15:02:31.000000000 +0200
@@ -76,10 +76,7 @@
 void CMS_ContentInfo_free(CMS_ContentInfo *cms)
 {
     if (cms != NULL) {
-        CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
-
-        if (ec != NULL)
-            OPENSSL_clear_free(ec->key, ec->keylen);
+        ossl_cms_env_enc_content_free(cms);
         OPENSSL_free(cms->ctx.propq);
         ASN1_item_free((ASN1_VALUE *)cms, ASN1_ITEM_rptr(CMS_ContentInfo));
     }
diff -Nru openssl-3.0.10/crypto/cms/cms_local.h openssl-3.0.11/crypto/cms/cms_local.h
--- openssl-3.0.10/crypto/cms/cms_local.h	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/cms/cms_local.h	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -444,6 +444,7 @@
 int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
 BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms);
 int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio);
+void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf);
 CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms);
 CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms);
 CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms);
diff -Nru openssl-3.0.10/crypto/cms/cms_sd.c openssl-3.0.11/crypto/cms/cms_sd.c
--- openssl-3.0.10/crypto/cms/cms_sd.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/cms/cms_sd.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -233,9 +233,9 @@
     int i;
 
     if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC"))
-        return ossl_cms_ecdsa_dsa_sign(si, cmd);
+        return ossl_cms_ecdsa_dsa_sign(si, cmd) > 0;
     else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS"))
-        return ossl_cms_rsa_sign(si, cmd);
+        return ossl_cms_rsa_sign(si, cmd) > 0;
 
     /* Something else? We'll give engines etc a chance to handle this */
     if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL)
diff -Nru openssl-3.0.10/crypto/conf/conf_sap.c openssl-3.0.11/crypto/conf/conf_sap.c
--- openssl-3.0.10/crypto/conf/conf_sap.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/conf/conf_sap.c	2023-09-19 15:02:31.000000000 +0200
@@ -65,7 +65,8 @@
 #endif
 
 #ifndef OPENSSL_SYS_UEFI
-    ret = CONF_modules_load_file(filename, appname, flags);
+    ret = CONF_modules_load_file_ex(OSSL_LIB_CTX_get0_global_default(),
+                                    filename, appname, flags);
 #else
     ret = 1;
 #endif
diff -Nru openssl-3.0.10/crypto/encode_decode/decoder_lib.c openssl-3.0.11/crypto/encode_decode/decoder_lib.c
--- openssl-3.0.10/crypto/encode_decode/decoder_lib.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/encode_decode/decoder_lib.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -743,10 +743,11 @@
                            (void *)new_data.ctx, LEVEL, rv);
             } OSSL_TRACE_END(DECODER);
 
-            data->flag_construct_called = 1;
             ok = (rv > 0);
-            if (ok)
+            if (ok) {
+                data->flag_construct_called = 1;
                 goto end;
+            }
         }
 
         /* The constructor didn't return success */
diff -Nru openssl-3.0.10/crypto/encode_decode/decoder_pkey.c openssl-3.0.11/crypto/encode_decode/decoder_pkey.c
--- openssl-3.0.10/crypto/encode_decode/decoder_pkey.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/encode_decode/decoder_pkey.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -150,7 +150,11 @@
 
             import_data.keymgmt = keymgmt;
             import_data.keydata = NULL;
-            import_data.selection = data->selection;
+            if (data->selection == 0)
+                /* import/export functions do not tolerate 0 selection */
+                import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
+            else
+                import_data.selection = data->selection;
 
             /*
              * No need to check for errors here, the value of
diff -Nru openssl-3.0.10/crypto/engine/eng_lib.c openssl-3.0.11/crypto/engine/eng_lib.c
--- openssl-3.0.10/crypto/engine/eng_lib.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/engine/eng_lib.c	2023-09-19 15:02:31.000000000 +0200
@@ -133,28 +133,34 @@
     return item;
 }
 
-void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
+int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
 {
     ENGINE_CLEANUP_ITEM *item;
 
     if (!int_cleanup_check(1))
-        return;
+        return 0;
     item = int_cleanup_item(cb);
-    if (item != NULL)
-        if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0)
-            OPENSSL_free(item);
+    if (item != NULL) {
+        if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0))
+            return 1;
+        OPENSSL_free(item);
+    }
+    return 0;
 }
 
-void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
+int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
 {
     ENGINE_CLEANUP_ITEM *item;
+
     if (!int_cleanup_check(1))
-        return;
+        return 0;
     item = int_cleanup_item(cb);
     if (item != NULL) {
-        if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0)
-            OPENSSL_free(item);
+        if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) > 0)
+            return 1;
+        OPENSSL_free(item);
     }
+    return 0;
 }
 
 /* The API function that performs all cleanup */
diff -Nru openssl-3.0.10/crypto/engine/eng_list.c openssl-3.0.11/crypto/engine/eng_list.c
--- openssl-3.0.10/crypto/engine/eng_list.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/engine/eng_list.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -78,12 +78,15 @@
             ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR);
             return 0;
         }
-        engine_list_head = e;
-        e->prev = NULL;
         /*
          * The first time the list allocates, we should register the cleanup.
          */
-        engine_cleanup_add_last(engine_list_cleanup);
+        if (!engine_cleanup_add_last(engine_list_cleanup)) {
+            ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR);
+            return 0;
+        }
+        engine_list_head = e;
+        e->prev = NULL;
     } else {
         /* We are adding to the tail of an existing list. */
         if ((engine_list_tail == NULL) || (engine_list_tail->next != NULL)) {
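Review bot: The new failure branch reports `ENGINE_R_INTERNAL_LIST_ERROR` when `engine_cleanup_add_last` returns 0, but judging from the eng_lib.c hunk above that function only fails when the cleanup stack, the item, or the push cannot be allocated, so the reported reason does not describe what went wrong. `ERR_raise(ERR_LIB_ENGINE, ERR_R_MALLOC_FAILURE);` would be more accurate, unless the project deliberately wants every list-setup failure reported under the same reason code. Moving the `engine_list_head = e; e->prev = NULL;` assignments after the check is a good change, since the list is no longer left half-initialised on failure.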
diff -Nru openssl-3.0.10/crypto/engine/eng_local.h openssl-3.0.11/crypto/engine/eng_local.h
--- openssl-3.0.10/crypto/engine/eng_local.h	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/engine/eng_local.h	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -46,8 +46,8 @@
     ENGINE_CLEANUP_CB *cb;
 } ENGINE_CLEANUP_ITEM;
 DEFINE_STACK_OF(ENGINE_CLEANUP_ITEM)
-void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
-void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
+int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
+int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
 
 /* We need stacks of ENGINEs for use in eng_table.c */
 DEFINE_STACK_OF(ENGINE)
diff -Nru openssl-3.0.10/crypto/engine/eng_table.c openssl-3.0.11/crypto/engine/eng_table.c
--- openssl-3.0.10/crypto/engine/eng_table.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/engine/eng_table.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -93,9 +93,11 @@
         added = 1;
     if (!int_table_check(table, 1))
         goto end;
-    if (added)
-        /* The cleanup callback needs to be added */
-        engine_cleanup_add_first(cleanup);
+    /* The cleanup callback needs to be added */
+    if (added && !engine_cleanup_add_first(cleanup)) {
+        lh_ENGINE_PILE_free(&(*table)->piles);
+        *table = NULL;
+    }
     while (num_nids--) {
         tmplate.nid = *nids;
         fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate);
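Review bot: The new failure branch sets `*table = NULL` after freeing the piles, but control then falls straight into the `while (num_nids--)` loop, whose first iteration dereferences `(*table)->piles` — a guaranteed NULL pointer dereference on the very path this change introduces. The branch needs to leave the function: add `goto end;` after `*table = NULL;` (the `end` label already exists, as the `goto end` two lines above shows). The enclosing function starts and ends outside this hunk, so the cleanup performed at `end` should be checked to confirm it tolerates a NULL `*table`.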
@@ -201,8 +203,10 @@
     ENGINE_PILE tmplate, *fnd = NULL;
     int initres, loop = 0;
 
+#ifndef OPENSSL_NO_AUTOLOAD_CONFIG
     /* Load the config before trying to check if engines are available */
     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
 
     if (!(*table)) {
         OSSL_TRACE3(ENGINE_TABLE,
diff -Nru openssl-3.0.10/crypto/evp/ctrl_params_translate.c openssl-3.0.11/crypto/evp/ctrl_params_translate.c
--- openssl-3.0.10/crypto/evp/ctrl_params_translate.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/evp/ctrl_params_translate.c	2023-09-19 15:02:31.000000000 +0200
@@ -1786,7 +1786,8 @@
 {
     const BIGNUM *bn = NULL;
 
-    if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
+    if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
+        && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
         return 0;
     bn = RSA_get0_n(EVP_PKEY_get0_RSA(ctx->p2));
 
@@ -1799,7 +1800,8 @@
 {
     const BIGNUM *bn = NULL;
 
-    if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
+    if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
+        && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
         return 0;
     bn = RSA_get0_e(EVP_PKEY_get0_RSA(ctx->p2));
 
@@ -1812,7 +1814,8 @@
 {
     const BIGNUM *bn = NULL;
 
-    if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
+    if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
+        && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
         return 0;
     bn = RSA_get0_d(EVP_PKEY_get0_RSA(ctx->p2));
 
@@ -1912,7 +1915,8 @@
                          const struct translation_st *translation,      \
                          struct translation_ctx_st *ctx)                \
     {                                                                   \
-        if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)              \
+        if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA               \
+            && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)       \
             return 0;                                                   \
         return get_rsa_payload_factor(state, translation, ctx, n - 1);  \
     }
@@ -1923,7 +1927,8 @@
                          const struct translation_st *translation,      \
                          struct translation_ctx_st *ctx)                \
     {                                                                   \
-        if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)              \
+        if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA               \
+            && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)       \
             return 0;                                                   \
         return get_rsa_payload_exponent(state, translation, ctx,        \
                                         n - 1);                         \
@@ -1935,7 +1940,8 @@
                          const struct translation_st *translation,      \
                          struct translation_ctx_st *ctx)                \
     {                                                                   \
-        if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)              \
+        if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA               \
+            && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)       \
             return 0;                                                   \
         return get_rsa_payload_coefficient(state, translation, ctx,     \
                                            n - 1);                      \
@@ -2271,10 +2277,10 @@
     { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
       EVP_PKEY_CTRL_RSA_KEYGEN_BITS, "rsa_keygen_bits", NULL,
       OSSL_PKEY_PARAM_RSA_BITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
-    { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN,
+    { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
       EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, "rsa_keygen_pubexp", NULL,
       OSSL_PKEY_PARAM_RSA_E, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
-    { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN,
+    { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
       EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES, "rsa_keygen_primes", NULL,
       OSSL_PKEY_PARAM_RSA_PRIMES, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
 
diff -Nru openssl-3.0.10/crypto/evp/p_lib.c openssl-3.0.11/crypto/evp/p_lib.c
--- openssl-3.0.10/crypto/evp/p_lib.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/evp/p_lib.c	2023-09-19 15:02:31.000000000 +0200
@@ -717,6 +717,7 @@
 {
     switch (pkey->type) {
     case EVP_PKEY_RSA:
+    case EVP_PKEY_RSA_PSS:
         pkey->foreign = pkey->pkey.rsa != NULL
                         && ossl_rsa_is_foreign(pkey->pkey.rsa);
         break;
@@ -1075,6 +1076,7 @@
     if (pkey->keymgmt == NULL) {
         switch (EVP_PKEY_get_base_id(pkey)) {
         case EVP_PKEY_RSA:
+        case EVP_PKEY_RSA_PSS:
             return 1;
 # ifndef OPENSSL_NO_DSA
         case EVP_PKEY_DSA:
diff -Nru openssl-3.0.10/crypto/http/http_client.c openssl-3.0.11/crypto/http/http_client.c
--- openssl-3.0.10/crypto/http/http_client.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/http/http_client.c	2023-09-19 15:02:31.000000000 +0200
@@ -164,7 +164,8 @@
 
 /*
  * Create request line using |rctx| and |path| (or "/" in case |path| is NULL).
- * Server name (and port) must be given if and only if plain HTTP proxy is used.
+ * Server name (and optional port) must be given if and only if
+ * a plain HTTP proxy is used and |path| does not begin with 'http://'.
  */
 int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, int method_POST,
                                        const char *server, const char *port,
@@ -193,11 +194,17 @@
             return 0;
     }
 
-    /* Make sure path includes a forward slash */
-    if (path == NULL)
+    /* Make sure path includes a forward slash (abs_path) */
+    if (path == NULL)  {
         path = "/";
-    if (path[0] != '/' && BIO_printf(rctx->mem, "/") <= 0)
+    } else if (HAS_PREFIX(path, "http://";)) { /* absoluteURI for proxy use */
+        if (server != NULL) {
+            ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_INVALID_ARGUMENT);
+            return 0;
+        }
+    } else if (path[0] != '/' && BIO_printf(rctx->mem, "/") <= 0) {
         return 0;
+    }
     /*
      * Add (the rest of) the path and the HTTP version,
      * which is fixed to 1.0 for straightforward implementation of keep-alive
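Review bot: The new absoluteURI test on the `HAS_PREFIX(path, "http://")` line is case-sensitive while URI schemes are not, so a path such as `HTTP://host/x` falls through to the `path[0] != '/'` branch and is emitted as `/HTTP://host/x`; either compare case-insensitively or state in the function comment that the scheme must be lower-case. Nothing in the hunk rejects CR or LF in `path` before it is written into the request line, so if any caller can pass a path derived from external data that should be validated here or at parse time (the function body continues outside the hunk and may already do so). The `"http://";` shown in the hunk is presumably an archive rendering artifact for `"http://"`; worth confirming the committed source has no stray semicolon.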
diff -Nru openssl-3.0.10/crypto/mem.c openssl-3.0.11/crypto/mem.c
--- openssl-3.0.10/crypto/mem.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/mem.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -195,7 +195,6 @@
     void *ret;
 
     ret = CRYPTO_malloc(num, file, line);
-    FAILTEST();
     if (ret != NULL)
         memset(ret, 0, num);
 
@@ -208,7 +207,6 @@
     if (realloc_impl != CRYPTO_realloc)
         return realloc_impl(str, num, file, line);
 
-    FAILTEST();
     if (str == NULL)
         return CRYPTO_malloc(num, file, line);
 
@@ -217,6 +215,7 @@
         return NULL;
     }
 
+    FAILTEST();
     return realloc(str, num);
 }
 
diff -Nru openssl-3.0.10/crypto/pem/pem_pkey.c openssl-3.0.11/crypto/pem/pem_pkey.c
--- openssl-3.0.10/crypto/pem/pem_pkey.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/pem/pem_pkey.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -366,10 +366,19 @@
     return ret;
 }
 
+static int no_password_cb(char *buf, int num, int rwflag, void *userdata)
+{
+    return -1;
+}
+
 EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
                                      OSSL_LIB_CTX *libctx, const char *propq)
 {
-    return pem_read_bio_key(bp, x, NULL, NULL, libctx, propq,
+    /*
+     * PEM_read_bio_Parameters(_ex) should never ask for a password. Any attempt
+     * to get a password just fails.
+     */
+    return pem_read_bio_key(bp, x, no_password_cb, NULL, libctx, propq,
                             EVP_PKEY_KEY_PARAMETERS);
 }
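Review bot: The new `no_password_cb` stub leaves `buf`, `num`, `rwflag` and `userdata` unreferenced, while this same change marks unused parameters `ossl_unused` in property.c and provider_core.c; `static int no_password_cb(ossl_unused char *buf, ossl_unused int num, ossl_unused int rwflag, ossl_unused void *userdata)` would keep it warning-clean under -Wunused-parameter and consistent with the rest of the patch. A one-line comment on the stub would also help a future reader: `/* Returning -1 reports failure; returning 0 would presumably be taken as an empty passphrase and still be tried */`, since that distinction is what makes an encrypted input fail rather than be silently attempted.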
 
diff -Nru openssl-3.0.10/crypto/perlasm/arm-xlate.pl openssl-3.0.11/crypto/perlasm/arm-xlate.pl
--- openssl-3.0.10/crypto/perlasm/arm-xlate.pl	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/perlasm/arm-xlate.pl	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -159,9 +159,8 @@
     }
 
     {
-	$line =~ s|(^[\.\w]+)\:\s*||;
-	my $label = $1;
-	if ($label) {
+	if ($line =~ s|(^[\.\w]+)\:\s*||) {
+	    my $label = $1;
 	    printf "%s:",($GLOBALS{$label} or $label);
 	}
     }
diff -Nru openssl-3.0.10/crypto/pkcs12/p12_crt.c openssl-3.0.11/crypto/pkcs12/p12_crt.c
--- openssl-3.0.10/crypto/pkcs12/p12_crt.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/pkcs12/p12_crt.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -14,6 +14,12 @@
 
 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
                           PKCS12_SAFEBAG *bag);
+static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
+                                           X509 *cert,
+                                           const char *name,
+                                           int namelen,
+                                           unsigned char *keyid,
+                                           int keyidlen);
 
 static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
 {
@@ -40,6 +46,9 @@
     int i;
     unsigned char keyid[EVP_MAX_MD_SIZE];
     unsigned int keyidlen = 0;
+    int namelen = -1;
+    unsigned char *pkeyid = NULL;
+    int pkeyidlen = -1;
 
     /* Set defaults */
     if (nid_cert == NID_undef)
@@ -64,11 +73,16 @@
     }
 
     if (cert) {
-        bag = PKCS12_add_cert(&bags, cert);
-        if (name && !PKCS12_add_friendlyname(bag, name, -1))
-            goto err;
-        if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
-            goto err;
+        if (name == NULL)
+            name = (char *)X509_alias_get0(cert, &namelen);
+        if (keyidlen > 0) {
+            pkeyid = keyid;
+            pkeyidlen = keyidlen;
+        } else {
+            pkeyid = X509_keyid_get0(cert, &pkeyidlen);
+        }
+
+        bag = pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen);
     }
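Review bot: The return value of `pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen)` on the last new line is never checked, so if creating or appending the certificate bag fails the function continues and can produce a PKCS#12 that silently lacks the end-entity certificate (the removed lines would at least have faulted on a NULL `bag` in PKCS12_add_friendlyname). Add `if (bag == NULL) goto err;` directly after the call, using the same `err` label the removed lines jumped to. The enclosing function and its `err:` cleanup are outside this hunk, so I am assuming that label still releases `bags`.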
 
     /* Add all other certificates */
@@ -139,30 +153,23 @@
                             iter, mac_iter, keytype, NULL, NULL);
 }
 
-PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
+static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
+                                           X509 *cert,
+                                           const char *name,
+                                           int namelen,
+                                           unsigned char *keyid,
+                                           int keyidlen)
 {
     PKCS12_SAFEBAG *bag = NULL;
-    char *name;
-    int namelen = -1;
-    unsigned char *keyid;
-    int keyidlen = -1;
 
     /* Add user certificate */
     if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL)
         goto err;
 
-    /*
-     * Use friendlyName and localKeyID in certificate. (if present)
-     */
-
-    name = (char *)X509_alias_get0(cert, &namelen);
-
-    if (name && !PKCS12_add_friendlyname(bag, name, namelen))
+    if (name != NULL && !PKCS12_add_friendlyname(bag, name, namelen))
         goto err;
 
-    keyid = X509_keyid_get0(cert, &keyidlen);
-
-    if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+    if (keyid != NULL && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
         goto err;
 
     if (!pkcs12_add_bag(pbags, bag))
@@ -173,7 +180,22 @@
  err:
     PKCS12_SAFEBAG_free(bag);
     return NULL;
+}
+
+PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
+{
+    char *name = NULL;
+    int namelen = -1;
+    unsigned char *keyid = NULL;
+    int keyidlen = -1;
+
+    /*
+     * Use friendlyName and localKeyID in certificate. (if present)
+     */
+    name = (char *)X509_alias_get0(cert, &namelen);
+    keyid = X509_keyid_get0(cert, &keyidlen);
 
+    return pkcs12_add_cert_bag(pbags, cert, name, namelen, keyid, keyidlen);
 }
 
 PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags,
diff -Nru openssl-3.0.10/crypto/poly1305/asm/poly1305-x86_64.pl openssl-3.0.11/crypto/poly1305/asm/poly1305-x86_64.pl
--- openssl-3.0.10/crypto/poly1305/asm/poly1305-x86_64.pl	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/poly1305/asm/poly1305-x86_64.pl	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -195,7 +195,7 @@
 	bt	\$`5+32`,%r9		# AVX2?
 	cmovc	%rax,%r10
 ___
-$code.=<<___	if ($avx>3);
+$code.=<<___	if ($avx>3 && !$win64);
 	mov	\$`(1<<31|1<<21|1<<16)`,%rax
 	shr	\$32,%r9
 	and	%rax,%r9
@@ -2724,7 +2724,7 @@
 .cfi_endproc
 .size	poly1305_blocks_avx512,.-poly1305_blocks_avx512
 ___
-if ($avx>3) {
+if ($avx>3 && !$win64) {
 ########################################################################
 # VPMADD52 version using 2^44 radix.
 #
diff -Nru openssl-3.0.10/crypto/property/property.c openssl-3.0.11/crypto/property/property.c
--- openssl-3.0.10/crypto/property/property.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/property/property.c	2023-09-19 15:02:31.000000000 +0200
@@ -129,11 +129,11 @@
 };
 
 OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx,
-                                                int loadconfig)
+                                                ossl_unused int loadconfig)
 {
     OSSL_GLOBAL_PROPERTIES *globp;
 
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
     if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
         return NULL;
 #endif
@@ -513,7 +513,7 @@
     if (nid <= 0 || method == NULL || store == NULL)
         return 0;
 
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
     if (ossl_lib_ctx_is_default(store->ctx)
             && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
         return 0;
diff -Nru openssl-3.0.10/crypto/provider_core.c openssl-3.0.11/crypto/provider_core.c
--- openssl-3.0.10/crypto/provider_core.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/provider_core.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -408,7 +408,7 @@
 }
 
 OSSL_PROVIDER *ossl_provider_find(OSSL_LIB_CTX *libctx, const char *name,
-                                  int noconfig)
+                                  ossl_unused int noconfig)
 {
     struct provider_store_st *store = NULL;
     OSSL_PROVIDER *prov = NULL;
@@ -417,7 +417,7 @@
         OSSL_PROVIDER tmpl = { 0, };
         int i;
 
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
         /*
          * Make sure any providers are loaded from config before we try to find
          * them.
@@ -1356,7 +1356,7 @@
     struct provider_store_st *store = get_provider_store(ctx);
     STACK_OF(OSSL_PROVIDER) *provs = NULL;
 
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
     /*
      * Make sure any providers are loaded from config before we try to use
      * them.
diff -Nru openssl-3.0.10/crypto/rsa/rsa_ameth.c openssl-3.0.11/crypto/rsa/rsa_ameth.c
--- openssl-3.0.10/crypto/rsa/rsa_ameth.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/rsa/rsa_ameth.c	2023-09-19 15:02:31.000000000 +0200
@@ -60,13 +60,16 @@
     if (!rsa_param_encode(pkey, &str, &strtype))
         return 0;
     penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
-    if (penclen <= 0)
+    if (penclen <= 0) {
+        ASN1_STRING_free(str);
         return 0;
+    }
     if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
                                strtype, str, penc, penclen))
         return 1;
 
     OPENSSL_free(penc);
+    ASN1_STRING_free(str);
     return 0;
 }
 
diff -Nru openssl-3.0.10/crypto/srp/srp_vfy.c openssl-3.0.11/crypto/srp/srp_vfy.c
--- openssl-3.0.10/crypto/srp/srp_vfy.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/srp/srp_vfy.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -283,6 +283,7 @@
         return NULL;
     if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL
         || (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) {
+        sk_SRP_user_pwd_free(vb->users_pwd);
         OPENSSL_free(vb);
         return NULL;
     }
diff -Nru openssl-3.0.10/crypto/store/store_lib.c openssl-3.0.11/crypto/store/store_lib.c
--- openssl-3.0.10/crypto/store/store_lib.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/store/store_lib.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -424,14 +424,14 @@
 
             load_data.v = NULL;
             load_data.ctx = ctx;
+            ctx->error_flag = 0;
 
             if (!ctx->fetched_loader->p_load(ctx->loader_ctx,
                                              ossl_store_handle_load_result,
                                              &load_data,
                                              ossl_pw_passphrase_callback_dec,
                                              &ctx->pwdata)) {
-                if (!OSSL_STORE_eof(ctx))
-                    ctx->error_flag = 1;
+                ctx->error_flag = 1;
                 return NULL;
             }
             v = load_data.v;
diff -Nru openssl-3.0.10/crypto/threads_pthread.c openssl-3.0.11/crypto/threads_pthread.c
--- openssl-3.0.10/crypto/threads_pthread.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/threads_pthread.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -72,8 +72,6 @@
 #  if !defined (__TANDEM) && !defined (_SPT_MODEL_)
 #   if !defined(NDEBUG) && !defined(OPENSSL_NO_MUTEX_ERRORCHECK)
     pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
-#   else
-    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
 #   endif
 #  else
     /* The SPT Thread Library does not define MUTEX attributes. */
diff -Nru openssl-3.0.10/crypto/x509/v3_ist.c openssl-3.0.11/crypto/x509/v3_ist.c
--- openssl-3.0.10/crypto/x509/v3_ist.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/x509/v3_ist.c	2023-09-19 15:02:31.000000000 +0200
@@ -51,25 +51,25 @@
         if (strcmp(cnf->name, "signTool") == 0) {
             ist->signTool = ASN1_UTF8STRING_new();
             if (ist->signTool == NULL || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {
-                ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
         } else if (strcmp(cnf->name, "cATool") == 0) {
             ist->cATool = ASN1_UTF8STRING_new();
             if (ist->cATool == NULL || !ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value))) {
-                ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
         } else if (strcmp(cnf->name, "signToolCert") == 0) {
             ist->signToolCert = ASN1_UTF8STRING_new();
             if (ist->signToolCert == NULL || !ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value))) {
-                ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
         } else if (strcmp(cnf->name, "cAToolCert") == 0) {
             ist->cAToolCert = ASN1_UTF8STRING_new();
             if (ist->cAToolCert == NULL || !ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value))) {
-                ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
         } else {
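Review bot: The four `strlen(cnf->value)` calls on the changed lines still run with no check that `cnf->value` is non-NULL, and swapping the reason code does not change that; if the CONF_VALUE list can carry a bare name with no `=value` (X509V3 list parsing permits this elsewhere, to my recollection), a malformed extension config dereferences NULL. A single guard ahead of the `strcmp` chain, e.g. `if (cnf->value == NULL) { ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT); goto err; }`, covers all four branches at once. The enclosing function starts and ends outside this hunk.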
diff -Nru openssl-3.0.10/crypto/x509/x509_cmp.c openssl-3.0.11/crypto/x509/x509_cmp.c
--- openssl-3.0.10/crypto/x509/x509_cmp.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/crypto/x509/x509_cmp.c	2023-09-19 15:02:31.000000000 +0200
@@ -292,12 +292,13 @@
     unsigned long ret = 0;
     unsigned char md[SHA_DIGEST_LENGTH];
     EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq);
+    int i2d_ret;
 
     /* Make sure X509_NAME structure contains valid cached encoding */
-    i2d_X509_NAME(x, NULL);
+    i2d_ret = i2d_X509_NAME(x, NULL);
     if (ok != NULL)
         *ok = 0;
-    if (sha1 != NULL
+    if (i2d_ret >= 0 && sha1 != NULL
         && EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, sha1, NULL)) {
         ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
                ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
@@ -325,7 +326,9 @@
         goto end;
 
     /* Make sure X509_NAME structure contains valid cached encoding */
-    i2d_X509_NAME(x, NULL);
+    if (i2d_X509_NAME(x, NULL) < 0)
+        goto end;
+
     if (EVP_DigestInit_ex(md_ctx, md5, NULL)
         && EVP_DigestUpdate(md_ctx, x->bytes->data, x->bytes->length)
         && EVP_DigestFinal_ex(md_ctx, md, NULL))
diff -Nru openssl-3.0.10/debian/changelog openssl-3.0.11/debian/changelog
--- openssl-3.0.10/debian/changelog	2023-08-26 11:29:40.000000000 +0200
+++ openssl-3.0.11/debian/changelog	2023-09-26 21:08:42.000000000 +0200
@@ -1,3 +1,9 @@
+openssl (3.0.11-1~deb12u1) bookworm; urgency=medium
+
+  * Import 3.0.11
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Tue, 26 Sep 2023 21:08:42 +0200
+
 openssl (3.0.10-1~deb12u1) bookworm; urgency=medium
 
   * Import 3.0.10
diff -Nru openssl-3.0.10/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch openssl-3.0.11/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch
--- openssl-3.0.10/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch	2023-08-26 11:29:40.000000000 +0200
+++ openssl-3.0.11/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch	2023-09-26 21:05:23.000000000 +0200
@@ -23,10 +23,10 @@
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index 8010087b46dc..228af3f90cfc 100644
+index 280a75b213f2..7cc7e661b39c 100644
 --- a/Configurations/10-main.conf
 +++ b/Configurations/10-main.conf
-@@ -697,7 +697,7 @@ my %targets = (
+@@ -700,7 +700,7 @@ my %targets = (
          shared_target    => "linux-shared",
          shared_cflag     => "-fPIC",
          shared_ldflag    => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
diff -Nru openssl-3.0.10/debian/patches/Fix-tests-for-new-default-security-level.patch openssl-3.0.11/debian/patches/Fix-tests-for-new-default-security-level.patch
--- openssl-3.0.10/debian/patches/Fix-tests-for-new-default-security-level.patch	2023-08-26 11:29:40.000000000 +0200
+++ openssl-3.0.11/debian/patches/Fix-tests-for-new-default-security-level.patch	2023-09-26 21:05:23.000000000 +0200
@@ -1407,10 +1407,10 @@
          },
          test => {
 diff --git a/test/sslapitest.c b/test/sslapitest.c
-index a27f5b881c47..5d40a747dfcb 100644
+index 2191b297d09a..0f750efb1a38 100644
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -9587,7 +9587,8 @@ static int test_set_tmp_dh(int idx)
+@@ -9591,7 +9591,8 @@ static int test_set_tmp_dh(int idx)
   */
  static int test_dh_auto(int idx)
  {
@@ -1420,7 +1420,7 @@
      SSL *clientssl = NULL, *serverssl = NULL;
      int testresult = 0;
      EVP_PKEY *tmpkey = NULL;
-@@ -9595,14 +9596,21 @@ static int test_dh_auto(int idx)
+@@ -9599,14 +9600,21 @@ static int test_dh_auto(int idx)
      size_t expdhsize = 0;
      const char *ciphersuite = "DHE-RSA-AES128-SHA";
  
@@ -1444,7 +1444,7 @@
          break;
      case 1:
          /* 2048 bit prime */
-@@ -9628,8 +9636,10 @@ static int test_dh_auto(int idx)
+@@ -9632,8 +9640,10 @@ static int test_dh_auto(int idx)
      /* No certificate cases */
      case 5:
          /* The FIPS provider doesn't support this DH size - so we ignore it */
@@ -1457,7 +1457,7 @@
          ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
          expdhsize = 1024;
          break;
-@@ -9642,8 +9652,8 @@ static int test_dh_auto(int idx)
+@@ -9646,8 +9656,8 @@ static int test_dh_auto(int idx)
          goto end;
      }
  
diff -Nru openssl-3.0.10/doc/man1/openssl-cmp.pod.in openssl-3.0.11/doc/man1/openssl-cmp.pod.in
--- openssl-3.0.10/doc/man1/openssl-cmp.pod.in	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man1/openssl-cmp.pod.in	2023-09-19 15:02:31.000000000 +0200
@@ -659,11 +659,12 @@
 
 =item B<-secret> I<arg>
 
-Prefer PBM-based message protection with given source of a secret value.
-The secret is used for creating PBM-based protection of outgoing messages
-and (as far as needed) for validating PBM-based protection of incoming messages.
-PBM stands for Password-Based Message Authentication Code.
+Provides the source of a secret value to use with MAC-based message protection.
 This takes precedence over the B<-cert> and B<-key> options.
+The secret is used for creating MAC-based protection of outgoing messages
+and for validating incoming messages that have MAC-based protection.
+The algorithm used by default is Password-Based Message Authentication Code (PBM)
+as defined in RFC 4210 section 5.1.3.1.
 
 For more information about the format of I<arg> see
 L<openssl-passphrase-options(1)>.
@@ -682,7 +683,8 @@
 The issuer of this certificate is used as one of the recipient fallback values
 and as fallback issuer entry in the certificate template of IR/CR/KUR messages.
 
-When using signature-based message protection, this "protection certificate"
+When performing signature-based message protection,
+this "protection certificate", also called "signer certificate",
 will be included first in the extraCerts field of outgoing messages
 and the signature is done with the corresponding key.
 In Initialization Request (IR) messages this can be used for authenticating
@@ -713,8 +715,8 @@
 
 The corresponding private key file for the client's current certificate given in
 the B<-cert> option.
-This will be used for signature-based message protection unless
-the B<-secret> option indicating PBM or B<-unprotected_requests> is given.
+This will be used for signature-based message protection unless the B<-secret>
+option indicating MAC-based protection or B<-unprotected_requests> is given.
 
 It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages.
 
@@ -730,7 +732,7 @@
 =item B<-digest> I<name>
 
 Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG
-and as the one-way function (OWF) in MSG_MAC_ALG.
+and as the one-way function (OWF) in C<MSG_MAC_ALG>.
 If applicable, this is used for message protection and
 proof-of-possession (POPO) signatures.
 To see the list of supported digests, use C<openssl list -digest-commands>.
@@ -738,7 +740,7 @@
 
 =item B<-mac> I<name>
 
-Specifies the name of the MAC algorithm in MSG_MAC_ALG.
+Specifies the name of the MAC algorithm in C<MSG_MAC_ALG>.
 To get the names of supported MAC algorithms use C<openssl list -mac-algorithms>
 and possibly combine such a name with the name of a supported digest algorithm,
 e.g., hmacWithSHA256.
@@ -1097,6 +1099,13 @@
 
 =head1 NOTES
 
+When a client obtains from a CMP server CA certificates that it is going to
+trust, for instance via the C<caPubs> field of a certificate response,
+authentication of the CMP server is particularly critical.
+So special care must be taken setting up server authentication
+using B<-trusted> and related options for certificate-based authentication
+or B<-secret> for MAC-based protection.
+
 When setting up CMP configurations and experimenting with enrollment options
 typically various errors occur until the configuration is correct and complete.
 When the CMP server reports an error the client will by default
@@ -1166,7 +1175,7 @@
 
   openssl cmp -section insta,kur
 
-using with PBM-based protection or
+using MAC-based protection with PBM or
 
   openssl cmp -section insta,kur,signature
 
@@ -1225,7 +1234,7 @@
     -newkey cl_key_new.pem -certout cl_cert.pem
   cp cl_key_new.pem cl_key.pem
 
-This command sequence can be repated as often as needed.
+This command sequence can be repeated as often as needed.
 
 =head2 Requesting information from CMP server
 
diff -Nru openssl-3.0.10/doc/man1/openssl-cms.pod.in openssl-3.0.11/doc/man1/openssl-cms.pod.in
--- openssl-3.0.10/doc/man1/openssl-cms.pod.in	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man1/openssl-cms.pod.in	2023-09-19 15:02:31.000000000 +0200
@@ -391,7 +391,7 @@
 =item I<recipient-cert> ...
 
 This is an alternative to using the B<-recip> option when encrypting a message.
-One or more certificate filennames may be given.
+One or more certificate filenames may be given.
 
 =item B<-I<cipher>>
 
@@ -902,7 +902,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man1/openssl-ts.pod.in openssl-3.0.11/doc/man1/openssl-ts.pod.in
--- openssl-3.0.10/doc/man1/openssl-ts.pod.in	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man1/openssl-ts.pod.in	2023-09-19 15:02:31.000000000 +0200
@@ -490,7 +490,7 @@
 =item B<ess_cert_id_alg>
 
 This option specifies the hash function to be used to calculate the TSA's
-public key certificate identifier. Default is sha256. (Optional)
+public key certificate identifier. Default is sha1. (Optional)
 
 =back
 
@@ -652,7 +652,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/BIO_s_mem.pod openssl-3.0.11/doc/man3/BIO_s_mem.pod
--- openssl-3.0.10/doc/man3/BIO_s_mem.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/BIO_s_mem.pod	2023-09-19 15:02:31.000000000 +0200
@@ -59,6 +59,8 @@
 
 BIO_get_mem_data() sets *B<pp> to a pointer to the start of the memory BIOs data
 and returns the total amount of data available. It is implemented as a macro.
+Note the pointer returned by this call is informative, no transfer of ownership
+of this memory is implied.  See notes on BIO_set_close().
 
 BIO_set_mem_buf() sets the internal BUF_MEM structure to B<bm> and sets the
 close flag to B<c>, that is B<c> should be either BIO_CLOSE or BIO_NOCLOSE.
@@ -114,6 +116,10 @@
 Calling BIO_get_mem_ptr() prior to a BIO_reset() call with
 BIO_FLAGS_NONCLEAR_RST set has the same effect as a write operation.
 
+Calling BIO_set_close() with BIO_NOCLOSE orphans the BUF_MEM internal to the
+BIO, _not_ its actual data buffer. See the examples section for the proper
+method for claiming ownership of the data pointer for a deferred free operation.
+
 =head1 BUGS
 
 There should be an option to set the maximum size of a memory BIO.
@@ -151,10 +157,24 @@
  BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */
  BIO_free(mem);
 
+Extract the BUF_MEM ptr, claim ownership of the internal data and free the BIO
+and BUF_MEM structure:
+
+ BUF_MEM *bptr;
+ char *data;
+
+ BIO_get_mem_data(bio, &data);
+ BIO_get_mem_ptr(bio, &bptr);
+ BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free orphans BUF_MEM */
+ BIO_free(bio);
+ bptr->data = NULL; /* Tell BUF_MEM to orphan data */
+ BUF_MEM_free(bptr);
+ ...
+ free(data);
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/CMS_sign.pod openssl-3.0.11/doc/man3/CMS_sign.pod
--- openssl-3.0.10/doc/man3/CMS_sign.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/CMS_sign.pod	2023-09-19 15:02:31.000000000 +0200
@@ -105,7 +105,7 @@
 suitable for many purposes. For finer control of the output format the
 B<certs>, B<signcert> and B<pkey> parameters can all be B<NULL> and the
 B<CMS_PARTIAL> flag set. Then one or more signers can be added using the
-function CMS_sign_add1_signer(), non default digests can be used and custom
+function CMS_add1_signer(), non default digests can be used and custom
 attributes added. CMS_final() must then be called to finalize the
 structure if streaming is not enabled.
 
@@ -132,7 +132,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/d2i_RSAPrivateKey.pod openssl-3.0.11/doc/man3/d2i_RSAPrivateKey.pod
--- openssl-3.0.10/doc/man3/d2i_RSAPrivateKey.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/d2i_RSAPrivateKey.pod	2023-09-19 15:02:31.000000000 +0200
@@ -28,7 +28,6 @@
 d2i_DHparams,
 d2i_DHparams_bio,
 d2i_DHparams_fp,
-d2i_ECPKParameters,
 d2i_ECParameters,
 d2i_ECPrivateKey,
 d2i_ECPrivateKey_bio,
@@ -56,7 +55,6 @@
 i2d_DSA_PUBKEY_bio,
 i2d_DSA_PUBKEY_fp,
 i2d_DSAparams,
-i2d_ECPKParameters,
 i2d_ECParameters,
 i2d_ECPrivateKey,
 i2d_ECPrivateKey_bio,
@@ -205,7 +203,7 @@
 
 =item B<i2d_I<TYPE>PrivateKey>() translates into:
 
- int selection = EVP_PKEY_PRIVATE_KEY;
+ int selection = EVP_PKEY_KEYPAIR;
  const char *structure = "type-specific";
 
 =item B<i2d_I<TYPE>PublicKey>() translates into:
@@ -309,7 +307,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/d2i_X509.pod openssl-3.0.11/doc/man3/d2i_X509.pod
--- openssl-3.0.10/doc/man3/d2i_X509.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/d2i_X509.pod	2023-09-19 15:02:31.000000000 +0200
@@ -53,6 +53,7 @@
 d2i_DIST_POINT_NAME,
 d2i_DSA_SIG,
 d2i_ECDSA_SIG,
+d2i_ECPKParameters,
 d2i_EDIPARTYNAME,
 d2i_ESS_CERT_ID,
 d2i_ESS_CERT_ID_V2,
@@ -223,6 +224,7 @@
 i2d_DIST_POINT_NAME,
 i2d_DSA_SIG,
 i2d_ECDSA_SIG,
+i2d_ECPKParameters,
 i2d_EDIPARTYNAME,
 i2d_ESS_CERT_ID,
 i2d_ESS_CERT_ID_V2,
diff -Nru openssl-3.0.10/doc/man3/EVP_MAC.pod openssl-3.0.11/doc/man3/EVP_MAC.pod
--- openssl-3.0.10/doc/man3/EVP_MAC.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/EVP_MAC.pod	2023-09-19 15:02:31.000000000 +0200
@@ -181,7 +181,7 @@
 context, given a context I<ctx>.
 The set of parameters given with I<params> determine exactly what
 parameters are passed down.
-If I<params> are NULL, the unterlying context should do nothing and return 1.
+If I<params> are NULL, the underlying context should do nothing and return 1.
 Note that a parameter that is unknown in the underlying context is
 simply ignored.
 Also, what happens when a needed parameter isn't passed down is
@@ -481,7 +481,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/EVP_SIGNATURE.pod openssl-3.0.11/doc/man3/EVP_SIGNATURE.pod
--- openssl-3.0.10/doc/man3/EVP_SIGNATURE.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/EVP_SIGNATURE.pod	2023-09-19 15:02:31.000000000 +0200
@@ -61,7 +61,7 @@
 fetched from.
 
 EVP_SIGNATURE_do_all_provided() traverses all SIGNATURE implemented by all
-activated roviders in the given library context I<libctx>, and for each of the
+activated providers in the given library context I<libctx>, and for each of the
 implementations, calls the given function I<fn> with the implementation method
 and the given I<arg> as argument.
 
@@ -106,7 +106,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/OSSL_CMP_CTX_new.pod openssl-3.0.11/doc/man3/OSSL_CMP_CTX_new.pod
--- openssl-3.0.10/doc/man3/OSSL_CMP_CTX_new.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/OSSL_CMP_CTX_new.pod	2023-09-19 15:02:31.000000000 +0200
@@ -182,7 +182,7 @@
 and any previous results (newCert, newChain, caPubs, and extraCertsIn)
 from the last executed transaction.
 It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV().
-All other field values (i.e., CMP options) are retained for potential re-use.
+All other field values (i.e., CMP options) are retained for potential reuse.
 
 OSSL_CMP_CTX_set_option() sets the given value for the given option
 (e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) in the given OSSL_CMP_CTX structure.
@@ -260,12 +260,12 @@
 
 =item B<OSSL_CMP_OPT_OWF_ALGNID>
         The NID of the digest algorithm to be used as one-way function (OWF)
-        in RFC 4210's MSG_MAC_ALG for PBM-based message protection.
+        for MAC-based message protection with password-based MAC (PBM).
+        See RFC 4210 section 5.1.3.1 for details.
         Default is SHA256.
 
 =item B<OSSL_CMP_OPT_MAC_ALGNID>
-        The NID of the MAC algorithm to be used in RFC 4210's MSG_MAC_ALG
-        for PBM-based message protection.
+        The NID of the MAC algorithm to be used for message protection with PBM.
         Default is HMAC-SHA1 as per RFC 4210.
 
 =item B<OSSL_CMP_OPT_REVOCATION_REASON>
@@ -450,8 +450,8 @@
 OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the
 list of untrusted certs, which may be empty if unset.
 
-OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate
-related to the private key used for CMP message protection.
+OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate, also called protection
+certificate, related to the private key for signature-based message protection.
 Therefore the public key of this I<cert> must correspond to
 the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey().
 When using signature-based protection of CMP request messages
@@ -481,15 +481,15 @@
 CMP signer certificate set via OSSL_CMP_CTX_set1_cert().
 This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG)
 of outgoing messages
-unless a PBM secret has been set via OSSL_CMP_CTX_set1_secretValue().
+unless a symmetric secret has been set via OSSL_CMP_CTX_set1_secretValue().
 The I<pkey> argument may be NULL to clear the entry.
 
-OSSL_CMP_CTX_set1_secretValue() sets the byte string I<sec> with length I<len>
-as PBM secret in the given I<ctx> or clears it if the I<sec> argument is NULL.
-If present, this secret is used to create PBM-based protection of outgoing
-messages and to verify any PBM-based protection of incoming messages
-(protectionAlg = MSG_MAC_ALG). PBM stands for Password-Based MAC.
-PBM-based protection takes precedence over signature-based protection.
+OSSL_CMP_CTX_set1_secretValue() sets in I<ctx> the byte string I<sec> of length
+I<len> to use as pre-shared secret, or clears it if the I<sec> argument is NULL.
+If present, this secret is used to create MAC-based authentication and integrity
+protection (rather than applying signature-based protection)
+of outgoing messages and to verify authenticity and integrity of incoming
+messages that have MAC-based protection (protectionAlg = C<MSG_MAC_ALG>).
 
 OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue I<ref> with
 length I<len> in the given I<ctx> or clears it if the I<ref> argument is NULL.
@@ -500,7 +500,7 @@
 and the senderKID field of the CMP message header must be set.
 When signature-based protection is used the senderKID will be set to
 the subjectKeyIdentifier of the CMP signer certificate as far as present.
-If not present or when PBM-based protection is used
+If not present or when MAC-based protection is used
 the I<ref> value is taken as the fallback value for the senderKID.
 
 OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the
@@ -731,7 +731,7 @@
     OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias);
     OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts);
 
-Set up client credentials for password-based protection (PBM):
+Set up symmetric credentials for MAC-based message protection such as PBM:
 
     OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
     OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
diff -Nru openssl-3.0.10/doc/man3/OSSL_CMP_exec_certreq.pod openssl-3.0.11/doc/man3/OSSL_CMP_exec_certreq.pod
--- openssl-3.0.10/doc/man3/OSSL_CMP_exec_certreq.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/OSSL_CMP_exec_certreq.pod	2023-09-19 15:02:31.000000000 +0200
@@ -42,7 +42,7 @@
 
 All functions take a populated OSSL_CMP_CTX structure as their first argument.
 Usually the server name, port, and path ("CMP alias") need to be set, as well as
-credentials the client can use for authenticating itself to the client.
+credentials the client can use for authenticating itself to the server.
 In order to authenticate the server the client typically needs a trust store.
 The functions return their respective main results directly, while there are
 also accessor functions for retrieving various results and status information
@@ -72,7 +72,7 @@
 L<OSSL_CMP_CTX_set0_newPkey(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>, etc.
 For P10CR, L<OSSL_CMP_CTX_set1_p10CSR(3)> needs to be used instead.
 The enrollment session may be blocked by sleeping until the addressed
-CA (or an intermedate PKI component) can fully process and answer the request.
+CA (or an intermediate PKI component) can fully process and answer the request.
 
 OSSL_CMP_try_certreq() is an alternative to the above functions that is
 more flexible regarding what to do after receiving a checkAfter value.
@@ -119,9 +119,17 @@
 
 CMP is defined in RFC 4210 (and CRMF in RFC 4211).
 
-So far the CMP client implementation is limited to one request per CMP message
+The CMP client implementation is limited to one request per CMP message
 (and consequently to at most one response component per CMP message).
 
+When a client obtains from a CMP server CA certificates that it is going to
+trust, for instance via the caPubs field of a certificate response,
+authentication of the CMP server is particularly critical.
+So special care must be taken setting up server authentication in I<ctx>
+using functions such as
+L<OSSL_CMP_CTX_set0_trustedStore(3)> (for certificate-based authentication) or
+L<OSSL_CMP_CTX_set1_secretValue(3)> (for MAC-based protection).
+
 =head1 RETURN VALUES
 
 OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(),
@@ -163,7 +171,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/OSSL_HTTP_REQ_CTX.pod openssl-3.0.11/doc/man3/OSSL_HTTP_REQ_CTX.pod
--- openssl-3.0.10/doc/man3/OSSL_HTTP_REQ_CTX.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/OSSL_HTTP_REQ_CTX.pod	2023-09-19 15:02:31.000000000 +0200
@@ -72,12 +72,16 @@
 OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I<rctx>.
 The I<rbio> is not free'd, I<wbio> will be free'd if I<free_wbio> is set.
 
-OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context.
+OSSL_HTTP_REQ_CTX_set_request_line() adds the 1st HTTP request line to I<rctx>.
 The HTTP method is determined by I<method_POST>,
 which should be 1 to indicate C<POST> or 0 to indicate C<GET>.
-I<server> and I<port> may be set to indicate a proxy server and port
-that the request should go through, otherwise they should be left NULL.
-I<path> is the HTTP request path; if left NULL, C</> is used.
+I<server> and I<port> may be set to give the server and the optional port that
+an HTTP proxy shall forward the request to, otherwise they must be left NULL.
+I<path> provides the HTTP request path; if left NULL, C</> is used.
+For backward compatibility, I<path> may begin with C<http://> and thus convey
+an absoluteURI. In this case it indicates HTTP proxy use and provides also the
+server (and optionally the port) that the proxy shall forward the request to.
+In this case the I<server> and I<port> arguments must be NULL.
 
 OSSL_HTTP_REQ_CTX_add1_header() adds header I<name> with value I<value> to the
 context I<rctx>. It can be called more than once to add multiple header lines.
diff -Nru openssl-3.0.10/doc/man3/OSSL_HTTP_transfer.pod openssl-3.0.11/doc/man3/OSSL_HTTP_transfer.pod
--- openssl-3.0.10/doc/man3/OSSL_HTTP_transfer.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/OSSL_HTTP_transfer.pod	2023-09-19 15:02:31.000000000 +0200
@@ -161,8 +161,11 @@
 
 OSSL_HTTP_set1_request() sets up in I<rctx> the request header and content data
 and expectations on the response using the following parameters.
-If <rctx> indicates using a proxy for HTTP (but not HTTPS), the server hostname
-(and optionally port) needs to be placed in the header and thus must be present.
+If <rctx> indicates using a proxy for HTTP (but not HTTPS), the server host
+(and optionally port) needs to be placed in the header; thus it must be present
+in I<rctx>.
+For backward compatibility, the server (and optional port) may also be given in
+the I<path> argument beginning with C<http://> (thus giving an absoluteURI).
 If I<path> is NULL it defaults to "/".
 If I<req> is NULL the HTTP GET method will be used to send the request
 else HTTP POST with the contents of I<req> and optional I<content_type>, where
@@ -274,7 +277,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/PKCS12_create.pod openssl-3.0.11/doc/man3/PKCS12_create.pod
--- openssl-3.0.10/doc/man3/PKCS12_create.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/PKCS12_create.pod	2023-09-19 15:02:31.000000000 +0200
@@ -42,7 +42,8 @@
 These defaults are: AES password based encryption (PBES2 with PBKDF2 and
 AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key
 derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048), and
-MAC algorithm HMAC with SHA2-256.
+MAC algorithm HMAC with SHA2-256. The MAC key derivation algorithm used
+for the outer PKCS#12 structure is PKCS12KDF.
 
 The default MAC iteration count is 1 in order to retain compatibility with
 old software which did not interpret MAC iteration counts. If such compatibility
@@ -68,6 +69,8 @@
 should be used.
 
 I<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
+This can be useful when running with the FIPS provider as the PKCS12KDF
+is not a FIPS approvable algorithm.
 
 PKCS12_create() makes assumptions regarding the encoding of the given pass
 phrase.
@@ -83,7 +86,9 @@
 
 =head1 SEE ALSO
 
+L<EVP_KDF-PKCS12KDF(7)>,
 L<d2i_PKCS12(3)>,
+L<OSSL_PROVIDER-FIPS(7)>,
 L<passphrase-encoding(7)>
 
 =head1 HISTORY
@@ -96,7 +101,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man3/PKCS12_gen_mac.pod openssl-3.0.11/doc/man3/PKCS12_gen_mac.pod
--- openssl-3.0.10/doc/man3/PKCS12_gen_mac.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/PKCS12_gen_mac.pod	2023-09-19 15:02:31.000000000 +0200
@@ -22,6 +22,7 @@
 
 PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
 supplied password along with a set of already configured parameters.
+The default key generation mechanism used is PKCS12KDF.
 
 PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
 password.
@@ -57,6 +58,7 @@
 =head1 SEE ALSO
 
 L<d2i_PKCS12(3)>,
+L<EVP_KDF-PKCS12KDF(7)>,
 L<PKCS12_create(3)>,
 L<passphrase-encoding(7)>
 
diff -Nru openssl-3.0.10/doc/man3/SSL_new.pod openssl-3.0.11/doc/man3/SSL_new.pod
--- openssl-3.0.10/doc/man3/SSL_new.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man3/SSL_new.pod	2023-09-19 15:02:31.000000000 +0200
@@ -35,7 +35,7 @@
 their initial state SSL_dup() just increments an internal
 reference count and returns the I<same> handle.  It may be possible to
 use L<SSL_clear(3)> to recycle an SSL handle that is not in its initial
-state for re-use, but this is best avoided.  Instead, save and restore
+state for reuse, but this is best avoided.  Instead, save and restore
 the session, if desired, and construct a fresh handle for each connection.
 
 The subset of settings in I<s> that are duplicated are:
@@ -124,7 +124,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man5/x509v3_config.pod openssl-3.0.11/doc/man5/x509v3_config.pod
--- openssl-3.0.10/doc/man5/x509v3_config.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man5/x509v3_config.pod	2023-09-19 15:02:31.000000000 +0200
@@ -93,7 +93,7 @@
  email.2 = st...@example.org
 
 The syntax of raw extensions is defined by the source code that parses
-the extension but should be documened.
+the extension but should be documented.
 See L</Certificate Policies> for an example of a raw extension.
 
 If an extension type is unsupported, then the I<arbitrary> extension syntax
@@ -590,7 +590,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man7/EVP_KDF-PKCS12KDF.pod openssl-3.0.11/doc/man7/EVP_KDF-PKCS12KDF.pod
--- openssl-3.0.10/doc/man7/EVP_KDF-PKCS12KDF.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man7/EVP_KDF-PKCS12KDF.pod	2023-09-19 15:02:31.000000000 +0200
@@ -46,6 +46,9 @@
 
 =head1 NOTES
 
+This algorithm is not available in the FIPS provider as it is not FIPS
+approvable.
+
 A typical application of this algorithm is to derive keying material for an
 encryption algorithm from a password in the "pass", a salt in "salt",
 and an iteration count.
@@ -68,7 +71,8 @@
 L<EVP_KDF_CTX_free(3)>,
 L<EVP_KDF_CTX_set_params(3)>,
 L<EVP_KDF_derive(3)>,
-L<EVP_KDF(3)/PARAMETERS>
+L<EVP_KDF(3)/PARAMETERS>,
+L<OSSL_PROVIDER-FIPS(7)>
 
 =head1 HISTORY
 
@@ -76,7 +80,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-3.0.10/doc/man7/migration_guide.pod openssl-3.0.11/doc/man7/migration_guide.pod
--- openssl-3.0.10/doc/man7/migration_guide.pod	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/doc/man7/migration_guide.pod	2023-09-19 15:02:31.000000000 +0200
@@ -306,6 +306,15 @@
 derivation function which supports these parameters. This includes
 L<EVP_PBE_CipherInit_ex(3)>, L<EVP_PBE_find_ex(3)> and L<EVP_PBE_scrypt_ex(3)>.
 
+=head4 PKCS#12 KDF versus FIPS
+
+Unlike in 1.x.y, the PKCS12KDF algorithm used when a PKCS#12 structure
+is created with a MAC that does not work with the FIPS provider as the PKCS12KDF
+is not a FIPS approvable mechanism.
+
+See L<EVP_KDF-PKCS12KDF(7)>, L<PKCS12_create(3)>, L<openssl-pkcs12(1)>,
+L<OSSL_PROVIDER-FIPS(7)>.
+
 =head4 Windows thread synchronization changes
 
 Windows thread synchronization uses read/write primitives (SRWLock) when
diff -Nru openssl-3.0.10/fuzz/build.info openssl-3.0.11/fuzz/build.info
--- openssl-3.0.10/fuzz/build.info	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/fuzz/build.info	2023-09-19 15:02:31.000000000 +0200
@@ -9,7 +9,7 @@
 -}
 
 IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
-  PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server x509
+  PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server
 
   IF[{- !$disabled{"cmp"} -}]
     PROGRAMS{noinst}=cmp
@@ -23,6 +23,10 @@
     PROGRAMS{noinst}=ct
   ENDIF
 
+  IF[{- !$disabled{"ocsp"} -}]
+    PROGRAMS{noinst}=x509
+  ENDIF
+
   SOURCE[asn1]=asn1.c driver.c fuzz_rand.c
   INCLUDE[asn1]=../include {- $ex_inc -}
   DEPEND[asn1]=../libcrypto ../libssl {- $ex_lib -}
@@ -73,7 +77,7 @@
 ENDIF
 
 IF[{- !$disabled{tests} -}]
-  PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test x509-test
+  PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test
 
   IF[{- !$disabled{"cmp"} -}]
     PROGRAMS{noinst}=cmp-test
@@ -87,6 +91,10 @@
     PROGRAMS{noinst}=ct-test
   ENDIF
 
+  IF[{- !$disabled{"ocsp"} -}]
+    PROGRAMS{noinst}=x509-test
+  ENDIF
+
   SOURCE[asn1-test]=asn1.c test-corpus.c fuzz_rand.c
   INCLUDE[asn1-test]=../include
   DEPEND[asn1-test]=../libcrypto ../libssl
diff -Nru openssl-3.0.10/fuzz/x509.c openssl-3.0.11/fuzz/x509.c
--- openssl-3.0.10/fuzz/x509.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/fuzz/x509.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -9,6 +9,7 @@
  */
 
 #include <openssl/x509.h>
+#include <openssl/ocsp.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
@@ -17,31 +18,131 @@
 int FuzzerInitialize(int *argc, char ***argv)
 {
     FuzzerSetRand();
-    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS
+       | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
     ERR_clear_error();
     CRYPTO_free_ex_index(0, -1);
     return 1;
 }
 
+static int cb(int ok, X509_STORE_CTX *ctx)
+{
+    return 1;
+}
+
 int FuzzerTestOneInput(const uint8_t *buf, size_t len)
 {
     const unsigned char *p = buf;
+    size_t orig_len = len;
     unsigned char *der = NULL;
+    BIO *bio = NULL;
+    X509 *x509_1 = NULL, *x509_2 = NULL;
+    X509_STORE *store = NULL;
+    X509_VERIFY_PARAM *param = NULL;
+    X509_STORE_CTX *ctx = NULL;
+    X509_CRL *crl = NULL;
+    STACK_OF(X509_CRL) *crls = NULL;
+    STACK_OF(X509) *certs = NULL;
+    OCSP_RESPONSE *resp = NULL;
+    OCSP_BASICRESP *bs = NULL;
+    OCSP_CERTID *id = NULL;
+
+    x509_1 = d2i_X509(NULL, &p, len);
+    if (x509_1 == NULL)
+        goto err;
+
+    bio = BIO_new(BIO_s_null());
+    if (bio == NULL)
+        goto err;
+
+    /* This will load and print the public key as well as extensions */
+    X509_print(bio, x509_1);
+    BIO_free(bio);
+
+    X509_issuer_and_serial_hash(x509_1);
+
+    i2d_X509(x509_1, &der);
+    OPENSSL_free(der);
+
+    len = orig_len - (p - buf);
+    x509_2 = d2i_X509(NULL, &p, len);
+    if (x509_2 == NULL)
+        goto err;
+
+    len = orig_len - (p - buf);
+    crl = d2i_X509_CRL(NULL, &p, len);
+    if (crl == NULL)
+        goto err;
+
+    len = orig_len - (p - buf);
+    resp = d2i_OCSP_RESPONSE(NULL, &p, len);
+
+    store = X509_STORE_new();
+    X509_STORE_add_cert(store, x509_2);
+
+    param = X509_VERIFY_PARAM_new();
+    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME);
+    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_X509_STRICT);
+    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
+    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+
+    X509_STORE_set1_param(store, param);
+
+    X509_STORE_set_verify_cb(store, cb);
+
+    ctx = X509_STORE_CTX_new();
+    if (ctx == NULL)
+        goto err;
+
+    X509_STORE_CTX_init(ctx, store, x509_1, NULL);
+
+    if (crl != NULL) {
+        crls = sk_X509_CRL_new_null();
+        if (crls == NULL)
+            goto err;
+
+        sk_X509_CRL_push(crls, crl);
+        X509_STORE_CTX_set0_crls(ctx, crls);
+    }
 
-    X509 *x509 = d2i_X509(NULL, &p, len);
-    if (x509 != NULL) {
-        BIO *bio = BIO_new(BIO_s_null());
-        /* This will load and print the public key as well as extensions */
-        X509_print(bio, x509);
-        BIO_free(bio);
+    X509_verify_cert(ctx);
 
-        X509_issuer_and_serial_hash(x509);
+    if (resp != NULL)
+        bs = OCSP_response_get1_basic(resp);
 
-        i2d_X509(x509, &der);
-        OPENSSL_free(der);
+    if (bs != NULL) {
+        int status, reason;
+        ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
 
-        X509_free(x509);
+        certs = sk_X509_new_null();
+        if (certs == NULL)
+            goto err;
+
+        sk_X509_push(certs, x509_1);
+        sk_X509_push(certs, x509_2);
+
+        OCSP_basic_verify(bs, certs, store, OCSP_PARTIAL_CHAIN);
+
+        id = OCSP_cert_to_id(NULL, x509_1, x509_2);
+        if (id == NULL)
+            goto err;
+        OCSP_resp_find_status(bs, id, &status, &reason, &revtime, &thisupd,
+                              &nextupd);
     }
+
+err:
+    X509_STORE_CTX_free(ctx);
+    X509_VERIFY_PARAM_free(param);
+    X509_STORE_free(store);
+    X509_free(x509_1);
+    X509_free(x509_2);
+    X509_CRL_free(crl);
+    OCSP_CERTID_free(id);
+    OCSP_BASICRESP_free(bs);
+    OCSP_RESPONSE_free(resp);
+    sk_X509_CRL_free(crls);
+    sk_X509_free(certs);
+
     ERR_clear_error();
     return 0;
 }
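Review bot: `X509_STORE_new()` and `X509_VERIFY_PARAM_new()` are used without a NULL check, unlike the other allocations in this function, so an allocation failure would surface as a NULL dereference in `X509_STORE_add_cert()`/`X509_VERIFY_PARAM_set_flags()` and be reported by the fuzzer as a crash rather than as a harmless early exit; add `if (store == NULL) goto err;` and `if (param == NULL) goto err;` after the respective calls. The `if (crl != NULL)` guard before building `crls` can never be false, because a NULL `crl` already jumps to `err` a few lines earlier; either drop the guard or drop the earlier `goto`, depending on whether a missing CRL is meant to skip the verify path entirely. The return value of `X509_STORE_CTX_init()` is also ignored, so a failed init presumably leaves `X509_verify_cert()` running on an unpopulated context. `cb` returning 1 unconditionally accepts every verification error, which looks intended for coverage but deserves a one-line comment such as `/* accept all verify errors so the later OCSP/CRL paths are still exercised */`.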
diff -Nru openssl-3.0.10/NEWS.md openssl-3.0.11/NEWS.md
--- openssl-3.0.10/NEWS.md	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/NEWS.md	2023-09-19 15:02:31.000000000 +0200
@@ -18,6 +18,11 @@
 OpenSSL 3.0
 -----------
 
+### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
+
+  * Fix POLY1305 MAC implementation corrupting XMM registers on Windows
+    ([CVE-2023-4807])
+
 ### Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023]
 
   * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
@@ -1448,6 +1453,7 @@
 
 <!-- Links -->
 
+[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
diff -Nru openssl-3.0.10/providers/fips.checksum openssl-3.0.11/providers/fips.checksum
--- openssl-3.0.10/providers/fips.checksum	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/fips.checksum	2023-09-19 15:02:31.000000000 +0200
@@ -1 +1 @@
-f07990ec634ec6ea3c8c42a664768debcf92a1b0c39bde7041c24df33dd7f052  providers/fips-sources.checksums
+8d97c837eeb1288f74788f0e48cb0cbc8498d4cf7ddc25c89344df7d5309ffc8  providers/fips-sources.checksums
diff -Nru openssl-3.0.10/providers/fips-sources.checksums openssl-3.0.11/providers/fips-sources.checksums
--- openssl-3.0.10/providers/fips-sources.checksums	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/fips-sources.checksums	2023-09-19 15:02:31.000000000 +0200
@@ -259,12 +259,12 @@
 97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c  crypto/ppccap.c
 3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad  crypto/ppccpuid.pl
 b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905  crypto/property/defn_cache.c
-7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595  crypto/property/property.c
+3c4ade2fed4605e374d85ec1134a98da34e7124f89f44b81a754e8cfe81f14ba  crypto/property/property.c
 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26  crypto/property/property_local.h
 921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004  crypto/property/property_parse.c
 a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3  crypto/property/property_query.c
 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d  crypto/property/property_string.c
-9653ec9c1476350a94b9cc7f8be3d99961fd803870c9ac03315298d2909a6a8e  crypto/provider_core.c
+0ba5d0297837940c972224c97cbbf3ea4a723c1eed9ce1112538c9bb26208639  crypto/provider_core.c
 d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89  crypto/provider_local.h
 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9  crypto/provider_predefined.c
 a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7  crypto/rand/rand_lib.c
@@ -344,7 +344,7 @@
 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b  crypto/stack/stack.c
 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8  crypto/threads_lib.c
 a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c  crypto/threads_none.c
-2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe  crypto/threads_pthread.c
+3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716  crypto/threads_pthread.c
 88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027  crypto/threads_win.c
 fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd  crypto/x86_64cpuid.pl
 bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16  crypto/x86cpuid.pl
@@ -567,13 +567,13 @@
 589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6  providers/implementations/kdfs/tls1_prf.c
 4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0  providers/implementations/kdfs/x942kdf.c
 6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43  providers/implementations/kem/rsa_kem.c
-37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5  providers/implementations/keymgmt/dh_kmgmt.c
-2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c  providers/implementations/keymgmt/dsa_kmgmt.c
+9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696  providers/implementations/keymgmt/dh_kmgmt.c
+a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304  providers/implementations/keymgmt/dsa_kmgmt.c
 9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe  providers/implementations/keymgmt/ec_kmgmt.c
 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251  providers/implementations/keymgmt/ec_kmgmt_imexport.inc
-d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1  providers/implementations/keymgmt/ecx_kmgmt.c
+011c36aad6834729043f23eacab417732541ee23916d9afa5bb9164862be00bb  providers/implementations/keymgmt/ecx_kmgmt.c
 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b  providers/implementations/keymgmt/kdf_legacy_kmgmt.c
-e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1  providers/implementations/keymgmt/mac_legacy_kmgmt.c
+1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09  providers/implementations/keymgmt/mac_legacy_kmgmt.c
 19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75  providers/implementations/keymgmt/rsa_kmgmt.c
 aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185  providers/implementations/macs/cmac_prov.c
 e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe  providers/implementations/macs/gmac_prov.c
diff -Nru openssl-3.0.10/providers/implementations/ciphers/cipher_chacha20.c openssl-3.0.11/providers/implementations/ciphers/cipher_chacha20.c
--- openssl-3.0.10/providers/implementations/ciphers/cipher_chacha20.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/ciphers/cipher_chacha20.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -21,6 +21,7 @@
 
 static OSSL_FUNC_cipher_newctx_fn chacha20_newctx;
 static OSSL_FUNC_cipher_freectx_fn chacha20_freectx;
+static OSSL_FUNC_cipher_dupctx_fn chacha20_dupctx;
 static OSSL_FUNC_cipher_get_params_fn chacha20_get_params;
 static OSSL_FUNC_cipher_get_ctx_params_fn chacha20_get_ctx_params;
 static OSSL_FUNC_cipher_set_ctx_params_fn chacha20_set_ctx_params;
@@ -64,6 +65,25 @@
     }
 }
 
+static void *chacha20_dupctx(void *vctx)
+{
+    PROV_CHACHA20_CTX *ctx = (PROV_CHACHA20_CTX *)vctx;
+    PROV_CHACHA20_CTX *dupctx = NULL;
+
+    if (ctx != NULL) {
+        dupctx = OPENSSL_memdup(ctx, sizeof(*dupctx));
+        if (dupctx != NULL && dupctx->base.tlsmac != NULL && dupctx->base.alloced) {
+            dupctx->base.tlsmac = OPENSSL_memdup(dupctx->base.tlsmac,
+                                                 dupctx->base.tlsmacsize);
+            if (dupctx->base.tlsmac == NULL) {
+                OPENSSL_free(dupctx);
+                dupctx = NULL;
+            }
+        }
+    }
+    return dupctx;
+}
+
 static int chacha20_get_params(OSSL_PARAM params[])
 {
     return ossl_cipher_generic_get_params(params, 0, CHACHA20_FLAGS,
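Review bot: chacha20_dupctx takes a shallow copy with OPENSSL_memdup and deep-copies base.tlsmac only when base.alloced is set, so in the non-alloced case the duplicate silently shares the original's tlsmac pointer and nothing in the function states that this aliasing is intended. A comment on the `if (dupctx != NULL && dupctx->base.tlsmac != NULL && dupctx->base.alloced)` line such as `/* tlsmac is owned by this ctx only when base.alloced is set; otherwise it aliases memory we must neither copy nor free */` would record the ownership rule for the next reader. On the failure path the half-built copy is released with OPENSSL_free; since PROV_CHACHA20_CTX presumably carries the expanded key state, `OPENSSL_clear_free(dupctx, sizeof(*dupctx));` would avoid leaving that material behind in freed memory, matching what the provider's freectx is expected to do.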
@@ -187,6 +207,7 @@
 const OSSL_DISPATCH ossl_chacha20_functions[] = {
     { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_newctx },
     { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_freectx },
+    { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_dupctx },
     { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_chacha20_einit },
     { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_chacha20_dinit },
     { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_update },
diff -Nru openssl-3.0.10/providers/implementations/encode_decode/decode_der2key.c openssl-3.0.11/providers/implementations/encode_decode/decode_der2key.c
--- openssl-3.0.10/providers/implementations/encode_decode/decode_der2key.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/encode_decode/decode_der2key.c	2023-09-19 15:02:31.000000000 +0200
@@ -316,10 +316,14 @@
     void *keydata;
 
     if (reference_sz == sizeof(keydata) && export != NULL) {
+        int selection = ctx->selection;
+
+        if (selection == 0)
+            selection = OSSL_KEYMGMT_SELECT_ALL;
         /* The contents of the reference is the address to our object */
         keydata = *(void **)reference;
 
-        return export(keydata, ctx->selection, export_cb, export_cbarg);
+        return export(keydata, selection, export_cb, export_cbarg);
     }
     return 0;
 }
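Review bot: The new `if (selection == 0) selection = OSSL_KEYMGMT_SELECT_ALL;` widens a zero selection without explaining why, and the same unexplained mapping is repeated in the decode_msblob2key.c and decode_pvk2key.c export hunks of this patch. Reading the keymgmt hunks further down (dh_kmgmt.c, dsa_kmgmt.c, ecx_kmgmt.c, mac_legacy_kmgmt.c), export now refuses a selection with none of the key type's bits set, so a zero selection passed straight through would apparently make every such export fail; a comment along the lines of `/* A zero selection means "no preference" from the caller; export everything we decoded rather than nothing */` would tie the two changes together. The enclosing export_object function begins outside the hunk, so I cannot see whether ctx->selection is documented as possibly zero; if it is, that is where the contract belongs.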
diff -Nru openssl-3.0.10/providers/implementations/encode_decode/decode_msblob2key.c openssl-3.0.11/providers/implementations/encode_decode/decode_msblob2key.c
--- openssl-3.0.10/providers/implementations/encode_decode/decode_msblob2key.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/encode_decode/decode_msblob2key.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -79,6 +79,18 @@
     OPENSSL_free(ctx);
 }
 
+static int msblob2key_does_selection(void *provctx, int selection)
+{
+    if (selection == 0)
+        return 1;
+
+    if ((selection & (OSSL_KEYMGMT_SELECT_PRIVATE_KEY
+                      | OSSL_KEYMGMT_SELECT_PUBLIC_KEY))  != 0)
+        return 1;
+
+    return 0;
+}
+
 static int msblob2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
                              OSSL_CALLBACK *data_cb, void *data_cbarg,
                              OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
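Review bot: msblob2key_does_selection accepts both OSSL_KEYMGMT_SELECT_PRIVATE_KEY and OSSL_KEYMGMT_SELECT_PUBLIC_KEY while the parallel pvk2key_does_selection in this patch accepts only the private-key bit, and neither function says why the two formats differ; a one-line comment per function (e.g. `/* MS BLOBs can carry either a public or a private key */` here, and the private-key-only counterpart in pvk2key) would make the asymmetry deliberate rather than accidental. There is also a doubled space before `!= 0` on the `| OSSL_KEYMGMT_SELECT_PUBLIC_KEY))  != 0)` line and on the equivalent pvk2key line, which reads like a leftover from editing. The `selection == 0` early return is the same "no preference" rule used in the export hunks of this patch and would benefit from the same comment.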
@@ -211,10 +223,14 @@
     void *keydata;
 
     if (reference_sz == sizeof(keydata) && export != NULL) {
+        int selection = ctx->selection;
+
+        if (selection == 0)
+            selection = OSSL_KEYMGMT_SELECT_ALL;
         /* The contents of the reference is the address to our object */
         keydata = *(void **)reference;
 
-        return export(keydata, ctx->selection, export_cb, export_cbarg);
+        return export(keydata, selection, export_cb, export_cbarg);
     }
     return 0;
 }
@@ -260,6 +276,8 @@
           (void (*)(void))msblob2##keytype##_newctx },                  \
         { OSSL_FUNC_DECODER_FREECTX,                                    \
           (void (*)(void))msblob2key_freectx },                         \
+        { OSSL_FUNC_DECODER_DOES_SELECTION,                             \
+          (void (*)(void))msblob2key_does_selection },                  \
         { OSSL_FUNC_DECODER_DECODE,                                     \
           (void (*)(void))msblob2key_decode },                          \
         { OSSL_FUNC_DECODER_EXPORT_OBJECT,                              \
diff -Nru openssl-3.0.10/providers/implementations/encode_decode/decode_pvk2key.c openssl-3.0.11/providers/implementations/encode_decode/decode_pvk2key.c
--- openssl-3.0.10/providers/implementations/encode_decode/decode_pvk2key.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/encode_decode/decode_pvk2key.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -79,6 +79,17 @@
     OPENSSL_free(ctx);
 }
 
+static int pvk2key_does_selection(void *provctx, int selection)
+{
+    if (selection == 0)
+        return 1;
+
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)  != 0)
+        return 1;
+
+    return 0;
+}
+
 static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
                          OSSL_CALLBACK *data_cb, void *data_cbarg,
                          OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
@@ -179,10 +190,14 @@
     void *keydata;
 
     if (reference_sz == sizeof(keydata) && export != NULL) {
+        int selection = ctx->selection;
+
+        if (selection == 0)
+            selection = OSSL_KEYMGMT_SELECT_ALL;
         /* The contents of the reference is the address to our object */
         keydata = *(void **)reference;
 
-        return export(keydata, ctx->selection, export_cb, export_cbarg);
+        return export(keydata, selection, export_cb, export_cbarg);
     }
     return 0;
 }
@@ -226,6 +241,8 @@
           (void (*)(void))pvk2##keytype##_newctx },                     \
         { OSSL_FUNC_DECODER_FREECTX,                                    \
           (void (*)(void))pvk2key_freectx },                            \
+        { OSSL_FUNC_DECODER_DOES_SELECTION,                             \
+          (void (*)(void))pvk2key_does_selection },                     \
         { OSSL_FUNC_DECODER_DECODE,                                     \
           (void (*)(void))pvk2key_decode },                             \
         { OSSL_FUNC_DECODER_EXPORT_OBJECT,                              \
diff -Nru openssl-3.0.10/providers/implementations/encode_decode/encode_key2any.c openssl-3.0.11/providers/implementations/encode_decode/encode_key2any.c
--- openssl-3.0.10/providers/implementations/encode_decode/encode_key2any.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/encode_decode/encode_key2any.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -858,14 +858,17 @@
                 case 1:
                     if ((str = OPENSSL_malloc(str_sz)) == NULL
                         || !WPACKET_init_der(&pkt, str, str_sz)) {
+                        WPACKET_cleanup(&pkt);
                         goto err;
                     }
                     break;
                 }
                 if (!ossl_DER_w_RSASSA_PSS_params(&pkt, -1, pss)
                     || !WPACKET_finish(&pkt)
-                    || !WPACKET_get_total_written(&pkt, &str_sz))
+                    || !WPACKET_get_total_written(&pkt, &str_sz)) {
+                    WPACKET_cleanup(&pkt);
                     goto err;
+                }
                 WPACKET_cleanup(&pkt);
 
                 /*
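Review bot: On the malloc-failure side of `if ((str = OPENSSL_malloc(str_sz)) == NULL || !WPACKET_init_der(&pkt, str, str_sz))` the added WPACKET_cleanup(&pkt) runs against a packet that WPACKET_init_der has not touched in this iteration, so the fix relies on WPACKET_cleanup being safe to call on a packet that was already cleaned up or never initialised here; that seems to be the case but a short comment would save the next reader the same check, e.g. `/* cleanup is safe even if init_der failed or never ran */`. The enclosing function starts and ends outside the hunk, so I cannot see whether the `err:` label also releases `str` after the init_der failure; if it does not, that allocation still leaks on that path.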
diff -Nru openssl-3.0.10/providers/implementations/keymgmt/dh_kmgmt.c openssl-3.0.11/providers/implementations/keymgmt/dh_kmgmt.c
--- openssl-3.0.10/providers/implementations/keymgmt/dh_kmgmt.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/keymgmt/dh_kmgmt.c	2023-09-19 15:02:31.000000000 +0200
@@ -222,6 +222,9 @@
     if (!ossl_prov_is_running() || dh == NULL)
         return 0;
 
+    if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
+        return 0;
+
     tmpl = OSSL_PARAM_BLD_new();
     if (tmpl == NULL)
         return 0;
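Review bot: The new `if ((selection & DH_POSSIBLE_SELECTIONS) == 0) return 0;` rejects a selection with none of the type's bits set but, unlike the rest of the export path, does so with no comment and no error queued, so a caller sees an export failure with no explanation; the same applies to the matching early returns added in dsa_kmgmt.c, ecx_kmgmt.c and mac_legacy_kmgmt.c in this patch. A comment such as `/* Nothing requested that this key type can supply; refuse rather than export an empty parameter list */` would document the intent, and if the project's export functions normally report via ERR_raise, an appropriate reason code here would be more consistent (I cannot see the enclosing function's other error branches, which start outside the hunk). As a minor consistency point, ecx_kmgmt.c tests OSSL_KEYMGMT_SELECT_KEYPAIR and mac_legacy_kmgmt.c OSSL_KEYMGMT_SELECT_PRIVATE_KEY inline whereas dh/dsa use a named *_POSSIBLE_SELECTIONS macro; naming the ecx and mac masks the same way would make the four guards read identically.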
diff -Nru openssl-3.0.10/providers/implementations/keymgmt/dsa_kmgmt.c openssl-3.0.11/providers/implementations/keymgmt/dsa_kmgmt.c
--- openssl-3.0.10/providers/implementations/keymgmt/dsa_kmgmt.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/keymgmt/dsa_kmgmt.c	2023-09-19 15:02:31.000000000 +0200
@@ -223,6 +223,9 @@
     if (!ossl_prov_is_running() || dsa == NULL)
         return 0;
 
+    if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
+        return 0;
+
     tmpl = OSSL_PARAM_BLD_new();
     if (tmpl == NULL)
         return 0;
diff -Nru openssl-3.0.10/providers/implementations/keymgmt/ecx_kmgmt.c openssl-3.0.11/providers/implementations/keymgmt/ecx_kmgmt.c
--- openssl-3.0.10/providers/implementations/keymgmt/ecx_kmgmt.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/keymgmt/ecx_kmgmt.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -238,6 +238,9 @@
     if (!ossl_prov_is_running() || key == NULL)
         return 0;
 
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
+        return 0;
+
     tmpl = OSSL_PARAM_BLD_new();
     if (tmpl == NULL)
         return 0;
diff -Nru openssl-3.0.10/providers/implementations/keymgmt/mac_legacy_kmgmt.c openssl-3.0.11/providers/implementations/keymgmt/mac_legacy_kmgmt.c
--- openssl-3.0.10/providers/implementations/keymgmt/mac_legacy_kmgmt.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/providers/implementations/keymgmt/mac_legacy_kmgmt.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -281,6 +281,9 @@
     if (!ossl_prov_is_running() || key == NULL)
         return 0;
 
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0)
+        return 0;
+
     tmpl = OSSL_PARAM_BLD_new();
     if (tmpl == NULL)
         return 0;
diff -Nru openssl-3.0.10/README.md openssl-3.0.11/README.md
--- openssl-3.0.10/README.md	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/README.md	2023-09-19 15:02:31.000000000 +0200
@@ -166,7 +166,7 @@
 Copyright
 =========
 
-Copyright (c) 1998-2022 The OpenSSL Project
+Copyright (c) 1998-2023 The OpenSSL Project
 
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 
diff -Nru openssl-3.0.10/ssl/ssl_lib.c openssl-3.0.11/ssl/ssl_lib.c
--- openssl-3.0.10/ssl/ssl_lib.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/ssl/ssl_lib.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -582,7 +582,7 @@
     OPENSSL_free(s->psksession_id);
     s->psksession_id = NULL;
     s->psksession_id_len = 0;
-    s->hello_retry_request = 0;
+    s->hello_retry_request = SSL_HRR_NONE;
     s->sent_tickets = 0;
 
     s->error = 0;
@@ -2809,14 +2809,14 @@
         if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
             continue;
 
-        n = strlen(c->name);
-        if (n + 1 > size) {
+        n = OPENSSL_strnlen(c->name, size);
+        if (n >= size) {
             if (p != buf)
                 --p;
             *p = '\0';
             return buf;
         }
-        strcpy(p, c->name);
+        memcpy(p, c->name, n);
         p += n;
         *(p++) = ':';
         size -= n + 1;
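Review bot: The bounded copy is correct only because the ':' written at `*(p++) = ':'` later doubles as the slot for the terminating NUL: with n == size - 1 the name fills the buffer except for the separator, size drops to 0, and the next iteration's `n >= size` branch (or the terminator after the loop, which is outside the hunk) overwrites that ':' with '\0'. That invariant is easy to break in a future edit, so a comment above `n = OPENSSL_strnlen(c->name, size);` such as `/* A name that does not fit (with its ':' separator) ends the list; the last ':' is later replaced by the terminating NUL */` is worth adding. The function's entry guard on size is not visible here; the loop as written would still write one byte at buf[0] if it were ever entered with size == 0 and p == buf, so that guard is what keeps this safe.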
diff -Nru openssl-3.0.10/ssl/ssl_sess.c openssl-3.0.11/ssl/ssl_sess.c
--- openssl-3.0.10/ssl/ssl_sess.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/ssl/ssl_sess.c	2023-09-19 15:02:31.000000000 +0200
@@ -198,8 +198,11 @@
     dest->references = 1;
 
     dest->lock = CRYPTO_THREAD_lock_new();
-    if (dest->lock == NULL)
+    if (dest->lock == NULL) {
+        OPENSSL_free(dest);
+        dest = NULL;
         goto err;
+    }
 
     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
         goto err;
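Review bot: The new failure branch releases dest with plain `OPENSSL_free(dest)`, but if dest was populated from src by a struct copy before this point (the constructor's head is outside the hunk, and `dest->references = 1;` suggests it is being fixed up field by field) it already holds a copy of src's session secrets, which this path leaves in freed memory; `OPENSSL_clear_free(dest, sizeof(*dest));` scrubs them and is the form the normal SSL_SESSION free path uses. Setting `dest = NULL` before `goto err` implies the err label tolerates a NULL dest; that label is not visible here, so please confirm it does. A short comment like `/* No lock yet, so SSL_SESSION_free() cannot be used on dest */` would explain why this branch frees by hand instead of jumping to the common cleanup.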
diff -Nru openssl-3.0.10/ssl/statem/extensions_srvr.c openssl-3.0.11/ssl/statem/extensions_srvr.c
--- openssl-3.0.10/ssl/statem/extensions_srvr.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/ssl/statem/extensions_srvr.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -883,7 +883,7 @@
     }
 
     /* Act as if this ClientHello came after a HelloRetryRequest */
-    s->hello_retry_request = 1;
+    s->hello_retry_request = SSL_HRR_PENDING;
 
     s->ext.cookieok = 1;
 #endif
diff -Nru openssl-3.0.10/test/chacha_internal_test.c openssl-3.0.11/test/chacha_internal_test.c
--- openssl-3.0.10/test/chacha_internal_test.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/chacha_internal_test.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -181,7 +181,7 @@
 
 int setup_tests(void)
 {
-#ifdef CPUID_OBJ
+#ifdef OPENSSL_CPUID_OBJ
     OPENSSL_cpuid_setup();
 #endif
 
diff -Nru openssl-3.0.10/test/cmp_asn_test.c openssl-3.0.11/test/cmp_asn_test.c
--- openssl-3.0.10/test/cmp_asn_test.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/cmp_asn_test.c	2023-09-19 15:02:31.000000000 +0200
@@ -42,16 +42,28 @@
 
 static int execute_cmp_asn1_get_int_test(CMP_ASN_TEST_FIXTURE *fixture)
 {
-    int res;
+    int res = 0;
     ASN1_INTEGER *asn1integer = ASN1_INTEGER_new();
+    const int good_int = 77;
+    const int64_t max_int = INT_MAX;
 
     if (!TEST_ptr(asn1integer))
-        return 0;
-    if (!TEST_true(ASN1_INTEGER_set(asn1integer, 77))) {
+        return res;
+
+    if (!TEST_true(ASN1_INTEGER_set(asn1integer, good_int))) {
         ASN1_INTEGER_free(asn1integer);
         return 0;
     }
-    res = TEST_int_eq(77, ossl_cmp_asn1_get_int(asn1integer));
+    res = TEST_int_eq(good_int, ossl_cmp_asn1_get_int(asn1integer));
+    if (res == 0)
+        goto err;
+
+    res = 0;
+    if (!TEST_true(ASN1_INTEGER_set_int64(asn1integer, max_int + 1)))
+        goto err;
+    res = TEST_int_eq(-2, ossl_cmp_asn1_get_int(asn1integer));
+
+ err:
     ASN1_INTEGER_free(asn1integer);
     return res;
 }
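Review bot: The expected value in `res = TEST_int_eq(-2, ossl_cmp_asn1_get_int(asn1integer));` is an undocumented magic number; a comment such as `/* -2 is ossl_cmp_asn1_get_int()'s "does not fit in an int" result */` (assuming that is what the function returns for out-of-range values, which this test is asserting) would make the overflow case self-explaining. The early `return res;` after the TEST_ptr check now reads as "return whatever res is" even though res is always 0 there; `return 0;` as in the next check states the intent directly. The `max_int + 1` arithmetic is safe because max_int is int64_t, which is the reason for that declaration and also deserves a word.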
diff -Nru openssl-3.0.10/test/cmsapitest.c openssl-3.0.11/test/cmsapitest.c
--- openssl-3.0.10/test/cmsapitest.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/cmsapitest.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -56,7 +56,7 @@
     BIO_free(outmsgbio);
     CMS_ContentInfo_free(content);
 
-    return testresult;
+    return testresult && TEST_int_eq(ERR_peek_error(), 0);
 }
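Review bot: `TEST_int_eq(ERR_peek_error(), 0)` compares an unsigned long error code through an int-typed test macro, so a queued error code with a zero low 32 bits would pass and the failure output would print a truncated value; testutil's `TEST_ulong_eq(ERR_peek_error(), 0)` is the matching macro. The same pattern appears in the second cmsapitest.c hunk and twice in the new pkcs12_recreate_test in this patch. It would also help to say what the extra check is for, e.g. `/* A successful run must not leave stale errors on the queue */`, since the assertion is otherwise unrelated to the test's subject.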
 
 static int test_encrypt_decrypt_aes_cbc(void)
@@ -286,7 +286,7 @@
                                   CMS_NO_SIGNER_CERT_VERIFY));
     CMS_ContentInfo_free(cms);
     BIO_free(bio);
-    return ret;
+    return ret && TEST_int_eq(ERR_peek_error(), 0);
 }
 
 static unsigned char *read_all(BIO *bio, long *p_len)
diff -Nru openssl-3.0.10/test/endecode_test.c openssl-3.0.11/test/endecode_test.c
--- openssl-3.0.10/test/endecode_test.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/endecode_test.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -158,6 +158,7 @@
     void *encoded = NULL;
     long encoded_len = 0;
     EVP_PKEY *pkey2 = NULL;
+    EVP_PKEY *pkey3 = NULL;
     void *encoded2 = NULL;
     long encoded2_len = 0;
     int ok = 0;
@@ -185,15 +186,25 @@
                                 output_type, output_structure,
                                 (flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
                                 selection, pass))
+        || ((output_structure == NULL
+             || strcmp(output_structure, "type-specific") != 0)
+            && !TEST_true(decode_cb(file, line, (void **)&pkey3, encoded, encoded_len,
+                                    output_type, output_structure,
+                                    (flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
+                                    0, pass)))
         || !TEST_true(encode_cb(file, line, &encoded2, &encoded2_len, pkey2, selection,
                                 output_type, output_structure, pass, pcipher)))
         goto end;
 
     if (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) {
-        if (!TEST_int_eq(EVP_PKEY_parameters_eq(pkey, pkey2), 1))
+        if (!TEST_int_eq(EVP_PKEY_parameters_eq(pkey, pkey2), 1)
+            || (pkey3 != NULL
+                && !TEST_int_eq(EVP_PKEY_parameters_eq(pkey, pkey3), 1)))
             goto end;
     } else {
-        if (!TEST_int_eq(EVP_PKEY_eq(pkey, pkey2), 1))
+        if (!TEST_int_eq(EVP_PKEY_eq(pkey, pkey2), 1)
+            || (pkey3 != NULL
+                && !TEST_int_eq(EVP_PKEY_eq(pkey, pkey3), 1)))
             goto end;
     }
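Review bot: The new third decode with a selection of 0 is skipped when output_structure is "type-specific", and the condition `(output_structure == NULL || strcmp(output_structure, "type-specific") != 0)` gives no hint why that structure is excluded; a comment such as `/* type-specific structures need a selection to be decodable, so only the generic structures are re-decoded with selection 0 */` (or whatever the real reason is) would keep a future maintainer from "fixing" the exclusion. Because pkey3 stays NULL in that case, the later `pkey3 != NULL &&` guards are what make the comparison blocks correct, and that dependency is also worth one line. The enclosing function begins and ends outside the hunk.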
 
@@ -218,6 +229,7 @@
     OPENSSL_free(encoded);
     OPENSSL_free(encoded2);
     EVP_PKEY_free(pkey2);
+    EVP_PKEY_free(pkey3);
     return ok;
 }
 
diff -Nru openssl-3.0.10/test/pbetest.c openssl-3.0.11/test/pbetest.c
--- openssl-3.0.10/test/pbetest.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/pbetest.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -15,6 +15,8 @@
 #include <openssl/x509.h>
 #include <openssl/rc4.h>
 #include <openssl/md5.h>
+#include <openssl/configuration.h>
+#include <openssl/provider.h>
 
 #if !defined OPENSSL_NO_RC4 && !defined OPENSSL_NO_MD5 \
     || !defined OPENSSL_NO_DES && !defined OPENSSL_NO_SHA1
@@ -123,8 +125,27 @@
 }
 #endif
 
+#ifdef OPENSSL_NO_AUTOLOAD_CONFIG
+/*
+ * For configurations where we are not autoloading configuration, we need
+ * to access the legacy provider.  The easiest way is to load both the
+ * legacy and default providers directly and unload them on termination.
+ */
+static OSSL_PROVIDER *legacy, *dflt;
+#endif
+
 int setup_tests(void)
 {
+#ifdef OPENSSL_NO_AUTOLOAD_CONFIG
+    /* Load required providers if not done via configuration */
+    legacy = OSSL_PROVIDER_load(NULL, "legacy");
+    dflt = OSSL_PROVIDER_load(NULL, "default");
+    if (!TEST_ptr(legacy) || !TEST_ptr(dflt)) {
+        cleanup_tests();
+        return -1;
+    }
+#endif
+
 #if !defined OPENSSL_NO_RC4 && !defined OPENSSL_NO_MD5
     ADD_TEST(test_pkcs5_pbe_rc4_md5);
 #endif
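Review bot: When only one of the two OSSL_PROVIDER_load calls succeeds, `cleanup_tests()` in the failure branch passes the NULL handle of the other to OSSL_PROVIDER_unload in the second hunk of this file; that appears to be tolerated but it is not documented here, so either note it (`/* OSSL_PROVIDER_unload() tolerates NULL */`) or unload only the non-NULL provider. Loading "legacy" and "default" into the default library context (the NULL first argument) changes global state for the whole test process, which the comment above the declarations explains; repeating that the handles are global so that cleanup_tests can find them would make the static declaration self-explaining.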
@@ -134,3 +155,13 @@
 
     return 1;
 }
+
+#ifdef OPENSSL_NO_AUTOLOAD_CONFIG
+void cleanup_tests(void)
+{
+    /* Dispose of providers */
+    OSSL_PROVIDER_unload(legacy);
+    OSSL_PROVIDER_unload(dflt);
+    legacy = dflt = NULL;
+}
+#endif
diff -Nru openssl-3.0.10/test/pemtest.c openssl-3.0.11/test/pemtest.c
--- openssl-3.0.10/test/pemtest.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/pemtest.c	2023-09-19 15:02:31.000000000 +0200
@@ -125,6 +125,35 @@
     return ret;
 }
 
+static int test_protected_params(void)
+{
+    BIO *b;
+    static char *protectedpay =
+        "-----BEGIN RSA PRIVATE KEY-----\n"
+        "Proc-Type: 4,ENCRYPTED\n"
+        "DEK-Info: AES-256-CBC,4A44448ED28992710556549B35100CEA\n"
+        "\n"
+        "Xw3INxKeH+rUUF57mjATpvj6zknVhedwrlRmRvnwlLv5wqIy5Ae4UVLPh7SUswfC\n"
+        "-----END RSA PRIVATE KEY-----\n";
+    EVP_PKEY *pkey = NULL;
+    int ret = 0;
+
+    b = BIO_new_mem_buf(protectedpay, strlen(protectedpay));
+    if (!TEST_ptr(b))
+        return 0;
+
+    /* Expected to fail because we cannot decrypt protected PEM files */
+    pkey = PEM_read_bio_Parameters(b, NULL);
+    if (!TEST_ptr_null(pkey))
+        goto err;
+
+    ret = 1;
+ err:
+    EVP_PKEY_free(pkey);
+    BIO_free(b);
+    return ret;
+}
+
 int setup_tests(void)
 {
     if (!TEST_ptr(pemfile = test_get_argument(0)))
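Review bot: `static char *protectedpay` points at a string literal that is never modified, so `static const char *protectedpay` (or `static const char protectedpay[]`) states the contract and lets the compiler reject writes. BIO_new_mem_buf takes an int length and accepts -1 for a NUL-terminated string, so `b = BIO_new_mem_buf(protectedpay, -1);` avoids the implicit size_t-to-int narrowing of the strlen result. The comment "Expected to fail because we cannot decrypt protected PEM files" would be clearer as "PEM_read_bio_Parameters() has no passphrase callback, so an encrypted block must be rejected rather than mis-parsed" if that is indeed the behaviour being pinned.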
@@ -133,5 +162,6 @@
     ADD_TEST(test_invalid);
     ADD_TEST(test_cert_key_cert);
     ADD_TEST(test_empty_payload);
+    ADD_TEST(test_protected_params);
     return 1;
 }
diff -Nru openssl-3.0.10/test/pkcs12_format_test.c openssl-3.0.11/test/pkcs12_format_test.c
--- openssl-3.0.10/test/pkcs12_format_test.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/pkcs12_format_test.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -792,6 +792,70 @@
 }
 #endif
 
+static int pkcs12_recreate_test(void)
+{
+    int ret = 0;
+    X509 *cert = NULL;
+    X509 *cert_parsed = NULL;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY *pkey_parsed = NULL;
+    PKCS12 *p12 = NULL;
+    PKCS12 *p12_parsed = NULL;
+    PKCS12 *p12_recreated = NULL;
+    const unsigned char *cert_bytes = CERT1;
+    const unsigned char *key_bytes = KEY1;
+    BIO *bio = NULL;
+
+    cert = d2i_X509(NULL, &cert_bytes, sizeof(CERT1));
+    if (!TEST_ptr(cert))
+        goto err;
+    pkey = d2i_AutoPrivateKey(NULL, &key_bytes, sizeof(KEY1));
+    if (!TEST_ptr(pkey))
+        goto err;
+    p12 = PKCS12_create("pass", NULL, pkey, cert, NULL, NID_aes_256_cbc,
+                        NID_aes_256_cbc, 2, 1, 0);
+    if (!TEST_ptr(p12))
+        goto err;
+    if (!TEST_int_eq(ERR_peek_error(), 0))
+        goto err;
+
+    bio = BIO_new(BIO_s_mem());
+    if (!TEST_ptr(bio))
+        goto err;
+    if (!TEST_int_eq(i2d_PKCS12_bio(bio, p12), 1))
+        goto err;
+    p12_parsed = PKCS12_init_ex(NID_pkcs7_data, testctx, NULL);
+    if (!TEST_ptr(p12_parsed))
+        goto err;
+    p12_parsed = d2i_PKCS12_bio(bio, &p12_parsed);
+    if (!TEST_ptr(p12_parsed))
+        goto err;
+    if (!TEST_int_eq(PKCS12_parse(p12_parsed, "pass", &pkey_parsed,
+                                  &cert_parsed, NULL), 1))
+        goto err;
+
+    /* cert_parsed also contains auxiliary data */
+    p12_recreated = PKCS12_create("new_pass", NULL, pkey_parsed, cert_parsed,
+                                  NULL, NID_aes_256_cbc, NID_aes_256_cbc,
+                                  2, 1, 0);
+    if (!TEST_ptr(p12_recreated))
+        goto err;
+    if (!TEST_int_eq(ERR_peek_error(), 0))
+        goto err;
+
+    ret = 1;
+err:
+    BIO_free(bio);
+    PKCS12_free(p12);
+    PKCS12_free(p12_parsed);
+    PKCS12_free(p12_recreated);
+    EVP_PKEY_free(pkey);
+    EVP_PKEY_free(pkey_parsed);
+    X509_free(cert);
+    X509_free(cert_parsed);
+    return ret;
+}
+
 typedef enum OPTION_choice {
     OPT_ERR = -1,
     OPT_EOF = 0,
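Review bot: The `err:` label in pkcs12_recreate_test sits at column 0 while the other tests added in this patch (cmp_asn_test.c, pemtest.c) indent their labels by one space as the surrounding OpenSSL code does; `err:` should be written as ` err:` for consistency. `p12_parsed = d2i_PKCS12_bio(bio, &p12_parsed);` overwrites the pointer with the call's result, so on failure the test relies on d2i freeing the pre-allocated object it was handed; that is how the ASN.1 decoders behave, but a comment stating it would prevent someone from "fixing" it into a double free. The two `TEST_int_eq(ERR_peek_error(), 0)` checks compare an unsigned long through an int macro; `TEST_ulong_eq` is the matching one.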
@@ -873,6 +937,8 @@
     if (default_libctx)
         ADD_TEST(pkcs12_create_test);
 #endif
+    if (default_libctx)
+        ADD_TEST(pkcs12_recreate_test);
     ADD_ALL_TESTS(test_single_key_enc_pass, OSSL_NELEM(passwords));
     ADD_ALL_TESTS(test_single_key_enc_iter, OSSL_NELEM(iters));
     ADD_TEST(test_single_key_with_attrs);
diff -Nru openssl-3.0.10/test/provider_internal_test.c openssl-3.0.11/test/provider_internal_test.c
--- openssl-3.0.10/test/provider_internal_test.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/provider_internal_test.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -83,6 +83,7 @@
         && test_provider(prov, expected_greeting1(name));
 }
 
+# ifndef OPENSSL_NO_AUTOLOAD_CONFIG
 static int test_configured_provider(void)
 {
     const char *name = "p_test_configured";
@@ -95,6 +96,7 @@
         TEST_ptr(prov = ossl_provider_find(NULL, name, 0))
         && test_provider(prov, expected_greeting);
 }
+# endif
 #endif
 
 static int test_cache_flushes(void)
@@ -139,7 +141,9 @@
     ADD_TEST(test_builtin_provider);
 #ifndef NO_PROVIDER_MODULE
     ADD_TEST(test_loaded_provider);
+# ifndef OPENSSL_NO_AUTOLOAD_CONFIG
     ADD_TEST(test_configured_provider);
+# endif
 #endif
     ADD_TEST(test_cache_flushes);
     return 1;
diff -Nru openssl-3.0.10/test/README-dev.md openssl-3.0.11/test/README-dev.md
--- openssl-3.0.10/test/README-dev.md	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/README-dev.md	2023-09-19 15:02:31.000000000 +0200
@@ -130,7 +130,11 @@
     int setup_tests(void)
     {
         ADD_TEST(my_test);                  /* Add each test separately     */
-        return 1;                           /* Indicate success             */
+        return 1;                           /* Indicates success.  Return 0 */
+                                            /* to produce an error with a   */
+                                            /* usage message and -1 for     */
+                                            /* failure to set up with no    */
+                                            /* usage message.               */
     }
 
 You should use the `TEST_xxx` macros provided by `testutil.h` to test all failure
diff -Nru openssl-3.0.10/test/recipes/15-test_rsapss.t openssl-3.0.11/test/recipes/15-test_rsapss.t
--- openssl-3.0.10/test/recipes/15-test_rsapss.t	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/recipes/15-test_rsapss.t	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -16,7 +16,7 @@
 
 setup("test_rsapss");
 
-plan tests => 11;
+plan tests => 13;
 
 #using test/testrsa.pem which happens to be a 512 bit RSA
 ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1',
@@ -79,6 +79,8 @@
    my $rsapss = "rsapss.key";
    ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS',
                '-pkeyopt', 'rsa_keygen_bits:1024',
+               '-pkeyopt', 'rsa_keygen_pubexp:65537',
+               '-pkeyopt', 'rsa_keygen_primes:2',
                '--out', $rsapss])));
    ok(run(app(['openssl', 'rsa', '-check',
                '-in', $rsapss])));
@@ -87,3 +89,11 @@
 ok(!run(app([ 'openssl', 'rsa',
              '-in' => data_file('negativesaltlen.pem')],
              '-out' => 'badout')));
+
+ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024',
+            '-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10',
+            '-out', 'testrsapss.pem'])),
+   "openssl genpkey RSA-PSS with pss parameters");
+ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])),
+   "openssl pkey, execute rsa_pub_encode with pss parameters");
+unlink 'testrsapss.pem';
diff -Nru openssl-3.0.10/test/recipes/25-test_req.t openssl-3.0.11/test/recipes/25-test_req.t
--- openssl-3.0.10/test/recipes/25-test_req.t	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/recipes/25-test_req.t	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -15,7 +15,7 @@
 
 setup("test_req");
 
-plan tests => 44;
+plan tests => 46;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
 
@@ -473,3 +473,14 @@
 generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
     "-copy_extensions", "copy");
 has_keyUsage($cert, 1);
+
+# Generate cert using req with '-modulus'
+ok(run(app(["openssl", "req", "-x509", "-new", "-days", "365",
+            "-key", srctop_file("test", "testrsa.pem"),
+            "-config", srctop_file('test', 'test.cnf'),
+            "-out", "testreq-cert.pem",
+            "-modulus"])), "cert req creation - with -modulus");
+
+# Verify cert
+ok(run(app(["openssl", "x509", "-in", "testreq-cert.pem",
+            "-noout", "-text"])), "cert verification");
diff -Nru openssl-3.0.10/test/recipes/30-test_defltfips.t openssl-3.0.11/test/recipes/30-test_defltfips.t
--- openssl-3.0.10/test/recipes/30-test_defltfips.t	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/recipes/30-test_defltfips.t	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -21,6 +21,9 @@
 use lib srctop_dir('Configurations');
 use lib bldtop_dir('.');
 
+plan skip_all => "Configuration loading is turned off"
+    if disabled("autoload-config");
+
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
 plan tests =>
diff -Nru openssl-3.0.10/test/recipes/30-test_evp.t openssl-3.0.11/test/recipes/30-test_evp.t
--- openssl-3.0.10/test/recipes/30-test_evp.t	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/recipes/30-test_evp.t	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -173,7 +173,8 @@
 }
 
 SKIP: {
-    skip "DSA not disabled", 2 if !disabled("dsa");
+    skip "DSA not disabled or ERR disabled", 2
+        if !disabled("dsa") || disabled("err");
 
     ok(test_errors(key => 'server-dsa-key.pem',
                    out => 'server-dsa-key.err'),
diff -Nru openssl-3.0.10/test/recipes/80-test_cms.t openssl-3.0.11/test/recipes/80-test_cms.t
--- openssl-3.0.10/test/recipes/80-test_cms.t	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/recipes/80-test_cms.t	2023-09-19 15:02:31.000000000 +0200
@@ -50,7 +50,7 @@
 
 $no_rc2 = 1 if disabled("legacy");
 
-plan tests => 16;
+plan tests => 17;
 
 ok(run(test(["pkcs7_test"])), "test pkcs7");
 
@@ -994,3 +994,13 @@
                    ])),
             "Check failure during BIO setup with -stream is handled correctly");
     });
+
+# Test case for return value mis-check reported in #21986
+with({ exit_checker => sub { return shift == 3; } },
+    sub {
+        ok(run(app(['openssl', 'cms', '-sign',
+                    '-in', srctop_file("test", "smcont.txt"),
+                    '-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
+                    '-md', 'SHAKE256'])),
+           "issue#21986");
+    });
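Review bot: The exit checker pins status 3 but nothing in the hunk says which failure that status stands for, and the description `"issue#21986"` is opaque on a failing run. A one-line comment such as `# exit status 3: the sign step must fail cleanly (no false success) for a DSA signer with -md SHAKE256` plus a description like `"cms -sign with DSA signer and SHAKE256 fails with status 3 (issue #21986)"` would make the regression readable. The signer is `smdsa1.pem`, a DSA certificate; if this recipe skips other DSA cases when `disabled("dsa")` (not visible here), this test presumably needs the same guard, otherwise it fails rather than skips in no-dsa builds.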
diff -Nru openssl-3.0.10/test/recipes/99-test_fuzz_x509.t openssl-3.0.11/test/recipes/99-test_fuzz_x509.t
--- openssl-3.0.10/test/recipes/99-test_fuzz_x509.t	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/recipes/99-test_fuzz_x509.t	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -15,6 +15,9 @@
 my $fuzzer = "x509";
 setup("test_fuzz_${fuzzer}");
 
+plan skip_all => "This test requires ocsp support"
+    if disabled("ocsp");
+
 plan tests => 2; # one more due to below require_ok(...)
 
 require_ok(srctop_file('test','recipes','fuzz.pl'));
diff -Nru openssl-3.0.10/test/sslapitest.c openssl-3.0.11/test/sslapitest.c
--- openssl-3.0.10/test/sslapitest.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/sslapitest.c	2023-09-19 15:02:31.000000000 +0200
@@ -1681,6 +1681,8 @@
     return testresult;
 }
 
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
+    || !defined(OPENSSL_NO_DTLS)
 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
                                      const SSL_METHOD *cmeth,
                                      int min_version, int max_version)
@@ -1702,15 +1704,13 @@
                                        privkey)))
         goto end;
 
-#ifdef OPENSSL_NO_DTLS1_2
-    if (smeth == DTLS_server_method()) {
 # ifdef OPENSSL_NO_DTLS1_2
+    if (smeth == DTLS_server_method()) {
         /* Not supported in the FIPS provider */
         if (is_fips) {
             testresult = 1;
             goto end;
         };
-# endif
         /*
          * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
          * level 0
@@ -1720,7 +1720,7 @@
                                                     "DEFAULT:@SECLEVEL=0")))
             goto end;
     }
-#endif
+# endif
 
     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                       NULL, NULL)))
@@ -1784,6 +1784,10 @@
 
     return testresult;
 }
+#endif /*
+        * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
+        * || !defined(OPENSSL_NO_DTLS)
+        */
 
 static int test_cleanse_plaintext(void)
 {
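Review bot: The new `#if !defined(OPENSSL_NO_TLS1_2) || ... || !defined(OPENSSL_NO_DTLS)` guard around execute_cleanse_plaintext (opened in the first hunk of this file, closed here) is only sound if every call site in test_cleanse_plaintext, whose body starts at the end of this hunk and lies outside it, is wrapped in the same three conditions; otherwise a build with all three disabled gets an undefined reference. That looks like the intent, but it is not visible here, so please confirm the caller's guards match exactly rather than, say, only checking OPENSSL_NO_TLS1_2. A short comment on the `#if` line, `/* execute_cleanse_plaintext is unused if no protocol version is enabled */`, would record why the guard exists.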
diff -Nru openssl-3.0.10/test/ssl_old_test.c openssl-3.0.11/test/ssl_old_test.c
--- openssl-3.0.10/test/ssl_old_test.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/ssl_old_test.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1525,8 +1525,10 @@
             ERR_print_errors(bio_err);
             goto end;
         }
-        SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey);
-        SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey);
+        if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey))
+            EVP_PKEY_free(dhpkey);
+        if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey))
+            EVP_PKEY_free(dhpkey);
     }
 #endif
 
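Review bot: The failure path added for the first SSL_CTX_set0_tmp_dh_pkey() frees `dhpkey` and then falls through to the second call, which passes the freed pointer to s_ctx2 and, on the likely repeated failure, frees it again. The success path has the mirror problem: set0 transfers ownership to s_ctx on success, so unless an EVP_PKEY_up_ref() precedes this block outside the hunk, handing the same pointer to s_ctx2 gives two owners, and a first-success/second-failure sequence frees a key s_ctx still holds. Stop after the first failure and give s_ctx2 its own reference before the second call; `end:` is outside the hunk, so confirm it does not also free `dhpkey`.
```c
        if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey)) {
            EVP_PKEY_free(dhpkey);
            goto end;
        }
        /* s_ctx now owns dhpkey; s_ctx2 needs its own reference */
        if (!EVP_PKEY_up_ref(dhpkey))
            goto end;
        if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey))
            EVP_PKEY_free(dhpkey);
```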
diff -Nru openssl-3.0.10/test/testutil/main.c openssl-3.0.11/test/testutil/main.c
--- openssl-3.0.10/test/testutil/main.c	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/test/testutil/main.c	2023-09-19 15:02:31.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -15,6 +15,7 @@
 int main(int argc, char *argv[])
 {
     int ret = EXIT_FAILURE;
+    int setup_res;
 
     test_open_streams();
 
@@ -26,11 +27,11 @@
     if (!setup_test_framework(argc, argv))
         goto end;
 
-    if (setup_tests()) {
+    if ((setup_res = setup_tests()) > 0) {
         ret = run_tests(argv[0]);
         cleanup_tests();
         opt_check_usage();
-    } else {
+    } else if (setup_res == 0) {
         opt_help(test_get_options());
     }
 end:
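Review bot: The new three-way split on `setup_res` leaves the negative case undocumented: a value below zero skips both run_tests() and opt_help() and falls to `end:` with `ret` still EXIT_FAILURE, but nothing tells the reader that this is the "setup already reported its own error" path rather than an oversight. Add a comment on the `else if`, e.g. `/* setup_res < 0: setup_tests() failed and reported it; 0 means usage error, show help */`, assuming that is indeed the contract of setup_tests(), which is not visible here. The `int setup_res;` declaration in the previous hunk is fine as is since it is assigned before its first read.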
diff -Nru openssl-3.0.10/VERSION.dat openssl-3.0.11/VERSION.dat
--- openssl-3.0.10/VERSION.dat	2023-08-01 15:47:24.000000000 +0200
+++ openssl-3.0.11/VERSION.dat	2023-09-19 15:02:31.000000000 +0200
@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=0
-PATCH=10
+PATCH=11
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="1 Aug 2023"
+RELEASE_DATE="19 Sep 2023"
 SHLIB_VERSION=3
